Document from CIS Legislation database © 2003-2020 SojuzPravoInform LLC

It is registered

Ministry of Justice

Russian Federation

On June 30, 2014 No. 32919

ORDER OF FEDERAL SERVICE FOR TECHNICAL AND EXPORT CONTROL OF RUSSIA

of March 14, 2014 No. 31

About approval of Requirements to ensuring information protection in automated control systems for production and engineering procedures on crucial objects, potentially dangerous objects, and also the objects posing the increased hazard to life and human health and for the surrounding environment

(as amended on 14-03-2014)

According to the Regulations on the Federal Service for Technical and Export Control approved by the Presidential decree of the Russian Federation of August 16, 2004 No. 1085 (The Russian Federation Code, 2004, No. 34, Art. 3541; 2006, No. 49, Art. 5192; 2008, No. 43, Art. 4921; No. 47, Art. 5431; 2012, No. 7, Art. 818; 2013, No. 26, Art. 3314; to No. 52, of the Art. 7137), I order:

Approve the enclosed Requirements to ensuring information protection in automated control systems for production and engineering procedures on crucial objects, potentially dangerous objects, and also the objects posing the increased hazard to life and human health and for the surrounding environment.

Director of Federal Service for Technical and Export Control of Russia

V. Selin

Approved by the Order of Federal Service for Technical and Export Control of Russia of March 14, 2014, No. 31

Requirements to ensuring information protection in automated control systems for production and engineering procedures on crucial objects, potentially dangerous objects, and also the objects posing the increased hazard to life and human health and for the surrounding environment

I. General provisions

1. Requirements to ensuring information protection which processing is performed by automated control systems for production and engineering procedures on crucial objects, potentially dangerous objects, objects posing the increased hazard to life and human health and for the surrounding environment (further - automated control systems), from illegal access, destruction, modifying, blocking, copying, provision, distribution, and also other wrongful acts concerning such information, including from destructive information impacts (the computer attacks) which consequence violation of functioning of automated control system can turn out to be are hereunder established.

Safety of the automated control systems which are significant objects of critical information infrastructure of the Russian Federation is performed according to the Safety requirements of significant objects of critical information infrastructure of the Russian Federation approved by the order of the Federal Service for Technical and Export Control of December 25, 2017 No. 239, and also the Requirements to creation of security systems of significant objects of critical information infrastructure of the Russian Federation and ensuring their functioning approved by the order of the Federal Service for Technical and Export Control of December 21, 2017 No. 235 (registration No. 50118) is registered by the Ministry of Justice of the Russian Federation on February 22, 2018.

These Requirements are applied in case of acceptance by the owner of automated control system of the decision on ensuring information protection which processing is performed by this system and which violation of safety can lead to violation of functioning of automated control system.

In case of need application of cryptographic methods of information protection and the cryptographic (cryptographic) information security products is performed in accordance with the legislation of the Russian Federation.

2. These Requirements are aimed at providing functioning of automated control system in the normal mode in case of which observance of project limits of parameter values of accomplishment of target functions of automated control system in the conditions of impact of safety hazards of information is provided, and also on decrease in risks of illegal intervention in processes of functioning of automated control systems of the crucial objects, potentially dangerous objects, objects posing the increased hazard to life and human health and for the surrounding environment, including hazardous production facilities (further - the managed (controlled) objects) which safety is ensured in accordance with the legislation of the Russian Federation about safety of objects of fuel and energy complex, about transport safety, about use of atomic energy, about industrial safety of hazardous production facilities, about safety of hydraulic engineering constructions and other legal acts of the Russian Federation.

3. Action of these requirements extends to the automated control systems providing control and management of technology and (or) production equipment (actuation mechanisms) and implemented on it technological and (or) production processes (including systems of supervisory control, system of collection (transfer) of data, the systems constructed on the basis of programmable logical controllers, distributed control systems, management systems by machines with numerical control).

4. These Requirements are intended for persons establishing security requirements of information in automated control systems (further - the customer), persons providing operation of automated control systems (further - the operator), and also persons involved in accordance with the legislation of the Russian Federation in work on creation (designing) of automated control systems and (or) their systems of protection (further - developer).

5. When processing in automated control system of information which is the state secret, its protection is provided in accordance with the legislation of the Russian Federation about the state secret.

6. Information protection in automated control system is provided by accomplishment by the customer, operator and developer of requirements to the organization of information protection in automated control system and requirements to information measures of protection in automated control system.

II. Requirements to the organization of information protection in automated control system

7. The automated control system, as a rule, has layered design:

level of operator (dispatching) management (top level);

level of automatic control (average level);

level of input (output) of data, actuation mechanisms (bottom (field) level).

The automated control system can include:

a) at the level of operator (dispatching) management:

operator (dispatching offices), the engineering automated workplaces, industrial servers (SCADA servers) with established on them general-system and application software, the telecommunication equipment (switches, routers, firewalls, other equipment), and also communication links;

b) at the level of automatic control:

the programmable logical controllers, other technical means with installed software obtaining the data from the bottom (field) level transferring data to the top level for decision making on management of object and (or) process and forming the managing teams (control (command) data) for actuation mechanisms and also industrial data communication network;

c) at the level of input (output) of these (actuation mechanisms):

sensors, executive mechanisms, other hardware devices with the microprograms and machine controllers established in them.

The number of levels of automated control system and its structure on each of levels depends on purpose of automated control system and target functions performed by it. At each level of automated control system on functional, territorial or other signs additional segments can be selected.

In automated control system for subjects to protection are:

information (data) on parameters (condition) of the managed (controlled) object or process (input (output) information, control (command) data, control and measuring information, other crucial (technological) information);

the software and hardware complex which is turning on technical means (including the automated workplaces, industrial servers, the telecommunication equipment, communication links, programmable logical controllers, actuation mechanisms), the software (including microprogram, general-system, applied), and also information security products.

8. Information protection in automated control system is component of works on creation (upgrade) and operation of automated control system and is provided at all stages (stages) of its creation and during operation.

Information protection in automated control system is reached by acceptance within system of protection of automated control system of set of the organizational and technical measures of protection of information directed to blocking (neutralization) of safety hazards of information which realization can lead to violation of the normal mode of functioning of automated control system and the managed (controlled) object and (or) process, on localization and minimization of effects from possible realization of safety hazards of information, recovery of the normal mode of functioning of automated control system in case of realization of safety hazards of information.

The taken organizational and technical measures of protection of information:

shall provide availability of information (exception of illegal blocking of information) processed in automated control system, its integrity (exception of illegal destruction, modifying of information), and also, if necessary, confidentiality (exception of illegal access, copying, provision or distribution of information);

shall correspond to measures for industrial, physical, fire, ecological, radiation security, other measures for safety of automated control system and the managed (controlled) object and (or) process;

shall not exert negative impact on the normal mode of functioning of automated control system.

9. Work on information protection according to these Requirements during creation (upgrade) and operation of automated control system is performed by the customer, the operator and (or) the developer independently and (or) if necessary with involvement in accordance with the legislation of the Russian Federation of the organizations having the license for activities for technical confidential information protection according to the Federal Law of May 4, 2011 No. 99-FZ "About licensing of separate types of activity" (The Russian Federation Code, 2011, No. 19, Art. 2716; No. 30, Art. 4590; No. 43, Art. 5971; No. 48, Art. 6728; 2012, No. 26, Art. 3446; No. 31, Art. 4322; 2013, No. 9, Art. 874; No. 27, Art. 3477).

10. For ensuring information protection in automated control system for the operator the structural division or the official (worker) responsible for information protection is assigned.

Warning!!!

This is not a full text of document! Document shown in Demo mode!

If you have active License, please Login, or get License for Full Access.

With Full access you can get: full text of document, original text of document in Russian, attachments (if exist) and see History and Statistics of your work.

Get License for Full Access Now

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info

Effectively work with search system

Database include more 40000 documents. You can find needed documents using search system. For effective work you can mix any on documents parameters: country, documents type, date range, teams or tags.
More about search system

Get help

If you cannot find the required document, or you do not know where to begin, go to Help section.

In this section, we’ve tried to describe in detail the features and capabilities of the system, as well as the most effective techniques for working with the database.

You also may open the section Frequently asked questions. This section provides answers to questions set by users.

Search engine created by SojuzPravoInform LLC. UI/UX design by Intelliants.