FSTEC spoke about measures to improve the security of critical IT infrastructure

Source: https://cobaltstrike.net/2022/03/25/fstec-spoke-about-measures-to-improve-the-security-of-critical-it-infrastructure/

The Federal Service for Technical and Export Control (FSTEC of Russia) has prepared recommendations for operators of critical information infrastructure facilities on improving the protection of the systems they operate against cyber attacks.

The analysis of information security threat data carried out by FSTEC of Russia specialists in the current situation shows that foreign hacker groups are preparing and carrying out large-scale computer attacks on the information infrastructure of organizations that develop software and equipment for automated control systems for production and technological processes used at critical information infrastructure facilities of the Russian Federation.

In order to ensure information security and increase the protection of the information infrastructures of organizations used for the development, supply, distribution and technical support of software and equipment for automated production and technological process control systems (hereinafter referred to as information infrastructure), the regulator recommends taking additional protective measures.

The document published by the regulator states the need to take the following measures:

  • carry out an inventory of public information resources (websites, portals) by externally scanning the block of public IP addresses belonging to the organization, in order to identify network services open on the perimeter of the information infrastructure, and also by scanning the IP addresses allocated to the organization’s information resources in rented cloud/hosting environments, and disable unused services and web services;

  • based on the scan results, analyze the open ports and block external access to network services that do not require it, or, where the purpose of the service allows, restrict access by whitelisting IP addresses;

  • for interaction via APIs, restrict access by whitelisting IP addresses where possible;

  • strengthen the password policy requirements for administrators and users (consumers) of the organizations’ web services, eliminate the use of default passwords, and disable unused accounts;

  • provide two-factor authentication for employees of the organization who connect remotely to the information infrastructure;

  • ensure that employees’ remote access to the infrastructure is implemented using remote work tools (where possible) over secure data transmission channels (HTTPS, SSH and other protocols) and VPNs;

  • if remote technical support for consumers cannot be excluded, ensure that such support is provided over VPNs with two-factor authentication;

  • remove from public access information and materials describing the setup and operation of software and equipment of automated control systems for production and technological processes, as well as software distributions and demo versions posted on the organizations’ websites;

  • filter application-level traffic using an application-level firewall (web application firewall, WAF) operating in attack-blocking mode;

  • on network equipment, where technically possible, stop using insecure management protocols such as telnet/http/snmp, and allow access to the equipment only from trusted networks (management segments, administrators’ workstations);

  • activate protection against denial-of-service (DDoS) attacks on firewalls and other information protection tools.
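The first two measures (inventory the perimeter, then decide what to disable or restrict) and the point about insecure management protocols can be turned into a repeatable check. The following Python script is an added example, not part of the FSTEC document: it parses a constructed sample of nmap grepable (`-oG`) output for an organization's own public address block, compares every open service with an assumed approved-service inventory, and flags anything not in the inventory or exposing telnet/http/snmp.

```python
import re

# Constructed sample of nmap grepable (-oG) output for a public address block; not a real scan.
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 203.0.113.11 ()\tPorts: 23/open/tcp//telnet///, 161/open/udp//snmp///, 443/open/tcp//https///
Host: 203.0.113.12 ()\tPorts: 80/open/tcp//http///
"""

# Assumed approved inventory (constructed): host -> {(port, proto)} that are meant to be public.
APPROVED = {
    "203.0.113.10": {(22, "tcp"), (443, "tcp")},
    "203.0.113.11": {(443, "tcp")},
}

# Management protocols the recommendations say to stop using or confine to trusted networks.
INSECURE_MGMT = {"telnet", "http", "snmp"}
NOT_IN_INVENTORY = "not in approved inventory: disable, or restrict by IP allowlist"
INSECURE_PROTO = "insecure management protocol: confine to trusted management segments"

# -oG port field layout is port/state/proto/owner/service/rpc/version/; keep only open ports.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)")


def parse_grepable(text):
    """Return {host: [(port, proto, service), ...]} for every open port per host."""
    scan = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        scan[host] = [(int(p), proto, svc) for p, proto, svc in PORT_RE.findall(line)]
    return scan


def triage(scan, approved, insecure=INSECURE_MGMT):
    """Flag each open service that is not in the inventory or that uses an insecure protocol."""
    findings = []
    for host, ports in scan.items():
        allowed = approved.get(host, set())  # a host absent from the inventory has nothing approved
        for port, proto, svc in ports:
            if (port, proto) not in allowed:
                findings.append((host, port, proto, svc, NOT_IN_INVENTORY))
            if svc in insecure:
                findings.append((host, port, proto, svc, INSECURE_PROTO))
    return findings


if __name__ == "__main__":
    for host, port, proto, svc, reason in triage(parse_grepable(SCAN_OUTPUT), APPROVED):
        print(f"{host}:{port}/{proto} ({svc}) -> {reason}")
```

Each finding maps directly onto a recommendation: disable the service, add an IP allowlist, or move the management protocol behind the trusted management segment.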

Recall that on January 1, 2018, amendments to the Criminal Code of the Russian Federation came into force that provide for criminal liability for cyber attacks on the national information infrastructure. The list of the state’s CII facilities includes telecommunications and IT systems, as well as automated control systems used in government agencies, healthcare, transport and communications, the credit and financial sector, the fuel and energy complex, and various industries: nuclear, defense, rocket and space, chemical and others.
