Rusagro Group of companies and Ural Security System Center have completed an information security audit project for industrial process control systems of Rusagro Group of companies.
The main goal of the project was to assess the overall level of information security (IS) of enterprises belonging to meat and fat–and-oil business areas of Rusagro Group, and to define measures aimed at improving processes of ensuring information security of industrial process control systems.
As of today, an issue regarding the information security of agricultural enterprises has not been settled in Russian legislation, international standards do not pay enough attention to this issue, as well. So, the first key task was set – to develop a suitable method to assess the level of information security, taking into account the specific character of Rusagro Group business. To tackle this issue, USSC specialists offered an adapted approach that takes into account the best international practices for ensuring information security of industrial process-control systems and adapting compliance risks of changes in Russian legislation. As a result, USSC analysts have developed an information security threat assessment method which is a synergy of NIST SP 800-82, CIS Controls and Decree No. 239 issued by FSTEC of Russia.
In addition to the Russian data bank of security threats developed by FSTEC, tactics and techniques catalogue MITRE ATT&CK: Enterprise was also used in threat modelling.
Taking into account the need to ensure a high level of protection for industrial process control systems from unauthorized influence to protect business interests of the holding, USSC expert group has developed an Information Security Strategy for industrial process control systems applied in meat and fat-and-oil business areas for a period of 5 years. The strategy contains a list of activities ranked by importance and complexity of their implementation, and it also specifies deadlines for activities to be done at each facility containing the industrial process control system infrastructure.
It should be noted that the USSC team implemented the project for Rusagro Group enterprises in less than a year.
"Non-availability of mandatory legal requirements in the field of information security for the agricultural sector and the specific character of this industry have become a catalyst for development of a unique individual assessment method of information security indicators. Our specialists worked in close co-operation with Customer's information security specialists.
Due to the developed assessment method, we managed to assess objectively the current and target levels of information security, and to develop an Information Security Strategy for industrial process control systems," Evgeny Baklushin, Head of USSC Audit Analytical Center, noted.