Differences between local and international cybersecurity standards

Understanding what is required at the local, national and international level when it comes to cybersecurity standards can reduce confusion.

By Massimiliano Latini and Pavel Kromov June 21, 2021

The Federal Service for Technical and Export Control (FSTEC) is a difficult topic, but it is essential to explore in order to understand how this strict Russian regulation affects cybersecurity tool manufacturers and system integrators.

What is the FSTEC and what does it dictate?

The objective of the Federal Service for Technical and Export Control (FSTEC) is to supervise compliance with cybersecurity requirements for facilities of crucial importance to the Russian economy: banking, telecommunications, healthcare, energy production and distribution, nuclear power stations, and oil and gas. These systems fall under the definition of “Critical Infrastructure Facilities” (CIF) and are covered by Federal Law no. 187, according to which the purpose of the FSTEC service is to govern CIF conformity in terms of industrial cybersecurity.

When Federal Law no. 187 applies, any information security tool that is to be integrated into a Russian CIF must be certified according to the FSTEC certification process.

To this end, FSTEC also establishes the technical measures that must be implemented: identification and authentication (IAF), access control (UPD), antivirus protection (AVZ), information and training of personnel (IPO), and so on.

These measures have much in common with the IEC 62443 international standard, in particular the well-known defense-in-depth strategy that the international standard recommends, which covers plant security, network security and system integrity.

Standard FSTEC vs Standard IEC 62443

To guarantee the security of a system according to FSTEC requirements, it is very important to take the requirements of the international standard IEC 62443 into account. Because the two approaches to defense in depth are so similar, complying with IEC 62443 also helps implement a secure and effective system in accordance with FSTEC.

Nevertheless, we should consider that international manufacturers of information security tools are subject to several constraints when approaching the FSTEC certification process.

First of all, it is possible to apply for certification only when the applicant holds the FSTEC license for the design and production of information security tools. Such a license is granted only to Russian legal entities with staff and equipment on Russian territory.

In addition, the source code must be disclosed to Russian laboratories and certification bodies. FSTEC aims to reduce the presence of foreign equipment operating in Russian CIFs, forcing CIF owners to use national information security tools.

Despite all this, FSTEC does not totally close the door to international system integrators. As noted, the approach is very similar to IEC 62443, so working according to that standard's defense-in-depth strategy can still help develop a secure system to be integrated into an industrial automation and control system in Russia.

There are many other things to consider when certifying a system in accordance with FSTEC. The topic is specific and difficult; to learn more, visit this link.

Massimiliano Latini, ICS cybersecurity & special projects director; Pavel Kromov, oil & gas project engineer, H-On Consulting, a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.