Russia's 187-FZ: critical infrastructure security as a separate agenda
What the new critical information infrastructure law means for companies in regulated industries, and why this is not just another compliance exercise.
In July 2017 the Russian State Duma passed Federal Law No. 187-FZ "On the Security of Critical Information Infrastructure of the Russian Federation". The law is not yet fully in force and the secondary regulations are still being drafted, but the direction is already clear. For companies in energy, transport, telecommunications, finance, healthcare and manufacturing, this is not another compliance exercise. It is a qualitatively different conversation about responsibility for infrastructure safety.
I want to explain why this law deserves serious attention even from those who are used to treating information security regulation as paperwork.
What CII is and who it covers
Critical information infrastructure means information systems and networks whose disruption or failure could cause severe consequences. The law designates as CII subjects organisations in a defined set of industries: healthcare, science, transport, communications, energy, banking and financial markets, fuel and energy, nuclear industry, defence, aerospace, mining, metallurgy and chemicals.
One important point: designation as a CII subject does not depend on company size. A small regional enterprise in one of these industries can qualify as a CII subject if its information systems are directly involved in that industry's production process.
The next step after designation is categorisation of CII objects - evaluating how critical each specific object is, based on the social, political and economic consequences of a potential incident. The result is assignment to one of three significance categories, or a finding that the object is not significant.
Why this is a different conversation, not just another standard
Most information security requirements that companies have dealt with until now have focused on data protection: personal data, payment information, corporate secrets. The logic was straightforward: if data leaks, that is bad, but mainly as a reputational and financial problem.
187-FZ shifts the focus to infrastructure functionality. An attack on an industrial control system, a power system or a transport network is no longer a story about data leakage. It is a story about production stopping, electricity supply cutting out, transport flow breaking down. The consequences are of a different order entirely.
This is why the law requires mandatory connection to the state system for detecting, preventing and responding to computer attacks (GosSOPKA), and establishes coordination with the FSB. This goes well beyond what the internal information security function of most companies does.
What actually needs to happen now
The secondary regulations setting out specific requirements and timelines are still being finalised. But there are steps that make sense to take now regardless of the final regulatory text.
First - run an inventory. Which information systems and networks in the company are involved in production or industry processes? This is not just corporate IT infrastructure. It includes industrial control systems, telemetry and monitoring systems, process control systems, and dispatch systems.
Second - understand the actual topology. How isolated are these systems from external networks? How do they interact with corporate IT? This often surfaces unexpected connections: an industrial network that was considered isolated turns out to have touchpoints with the corporate network via VPN for remote maintenance.
Third - assess the maturity of security processes specifically for these systems. Industrial and process control systems have their own character: equipment with multi-year refresh cycles, non-standard protocols, requirements for continuous operation. Standard corporate security practices apply only partially.
Questions worth asking yourself now
If your company operates in one of the industries covered by the law:
- Have we done an initial assessment - do we qualify as a CII subject?
- Do we have an inventory of all systems involved in production processes, including industrial ones?
- Who in the company is responsible for the security of industrial and process systems - not only corporate IT?
- How familiar is our security team with the specifics of industrial control systems and industrial networks?
- Do we have a response plan for a computer incident specifically in production infrastructure?
The law creates a new agenda. Companies that begin working through these questions now will be in a better position - both for compliance and for genuine security.