Critical information infrastructure categorization – what it is and why it is needed

Federal Law No. 187 of 2017 introduced the concept of critical information infrastructure (formerly known as KSI, key information infrastructure system). Since then, more than 15 regulatory documents have been issued governing interaction with CII, and the need to apply them in practice is becoming increasingly clear.

Of all the requirements for CII security, the categorization of critical information infrastructure raises the most questions, and this article will focus primarily on that topic.

Critical information infrastructure, its objects and subjects

Critical information infrastructure (CII) is a set of information systems and/or telecommunications networks that are critical to the functioning of key areas of state and society: healthcare, industry, communications, transport, energy, the financial sector, and urban services.

CII objects

IS – INFORMATION SYSTEMS – a set of information contained in databases and the information technologies and technical means that ensure its processing.

ITS – INFORMATION AND TELECOMMUNICATIONS NETWORKS – a technological system designed to transmit information via communication lines, access to which is obtained using computer technology.

ACS – AUTOMATED TECHNOLOGICAL PROCESS CONTROL SYSTEMS – a set of software and hardware tools designed to monitor technological and/or production equipment (actuators) and the processes they perform, as well as to control such equipment and processes.

CII entities

These are organizations or companies that own IS, ITS, or ACS in the areas listed below, as well as companies that ensure the interaction of such CII objects (IS, ITS, ACS) in the same industries:

  • Healthcare
  • Banking and other financial market sectors
  • Science
  • Transport
  • Telecommunications
  • Energy
  • Rocket and space industry
  • Nuclear industry
  • Chemical industry
  • Fuel and energy complex
  • Defense industry
  • Military-industrial complex
  • Mining industry

How to determine whether an organization is a CII entity

To determine whether an organization is a CII entity, the following steps must be taken:

  1. Conduct an inventory of business processes, identify the critical ones, and then see which CII objects are associated with them: an organization may have IS, ACS, etc., but they do not necessarily participate in critical processes.
  2. If the company has no IS, ITS, or ACS at all, it is definitely not a CII entity.
  3. Next, answer the question of whether the organization operates in one of the 13 CII areas. If not, it can only be a CII entity if it provides its IS/ITS/ACS to organizations operating in those areas (otherwise, it is not a CII entity).
  4. If yes, conduct an inventory of the IS/ITS/ACS and, after determining the purpose of each, answer the question “Do they operate in the 13 CII areas?”

If all the answers are positive, the organization is a CII entity and must comply with regulatory requirements.

It should also be noted that FSTEC and other authorities cannot assign categories: only the potential entity itself has the authority to identify itself as a critical information infrastructure entity. FSTEC is responsible for monitoring compliance with legislation in this area.

Categorization of CII facilities (OKII)

What is a significance category and why is it needed?

The significance category of a CII object is its main characteristic: it determines which measures must be taken to protect the object (the protection measures are specified in FSTEC Order No. 239, issued in pursuance of Federal Law No. 187).

The practical purpose of categorization is to ensure that all threat vectors are covered by the measures specified in FSTEC Order No. 239 (which is why these measures are mandatory). Implementing these measures is the responsibility of the CII entity, and the specific implementation may vary depending on the organization's threat model, business processes, and information infrastructure.

There are three categories in total: first, second, and third (in descending order of significance). If an object shows no signs of being a CII object, or if the significance criteria are not met, no category is assigned. The latter must also be documented: information on the results of assigning a CII object to one of the significance categories, or on the absence of any need to assign it to one of these categories (in the form prescribed by FSTEC Order No. 236), is sent to the regulator.

Reassessment (the category is reviewed or confirmed) must take place at least once every 5 years.

If the entity has no OKII (CII objects), which is possible, it is not required to send information to the regulatory authorities. At the same time, in case of inspections, it is advisable to draw up and keep a report on the absence of OKII.

Criteria and principles of categorization

The following factors are assessed when assigning a category:

  • Social significance – the number of people who may be affected in the event of an incident;
  • Political significance – the functioning of state bodies and international treaties;
  • Economic significance – damage to state CII entities, budgets of the Russian Federation, and systemically important payment systems;
  • Environmental significance – damage to the environment in terms of the number of victims or the affected territory;
  • Significance for ensuring state security and law and order – Russian government bodies, information systems in the field of security, and defense orders.

What is subject to categorization

All objects (not entities) of critical information infrastructure, i.e., IS, ITS, and ACS, which provide management, technological, production, financial, economic, and/or other processes within the framework of the activities of CII entities, are subject to categorization.

How the categorization procedure works

The rules for categorization, the indicators of significance criteria, as well as the procedure and timing of the relevant work are established in PP (government decree) No. 127 and clarified in PP No. 452. According to these, the categorization procedure includes:

  • Creation of a categorization commission by the head of the organization or an authorized person;
  • Determination of the list of CII objects subject to categorization (5 days are allocated for this);
  • The categorization itself (1 year is allocated);
  • Preparation of an OKII categorization report;
  • Sending the results to FSTEC (within 10 days after the report is prepared).

The FSTEC, together with other structures, issues methodological recommendations on categorization in specific industries, such as healthcare or energy.

The assigned category may be revised if FSTEC identifies a violation in the categorization process or in the information submitted in the form prescribed by Order No. 236. The category must be reviewed in the event of changes in the structure of the organization, changes in its infrastructure or critical business processes, when a significant object (SO) of the CII ceases to meet the criteria, or in the event of changes to PP No. 127.

What to expect from CII regulation in the future

Decree of the President of the Russian Federation No. 250 “On Additional Measures to Ensure the Information Security of the Russian Federation” was issued on May 1, 2022. It already sets out import substitution requirements, although the deadlines were subsequently postponed. In January 2025, a bill is planned that will completely ban the use of foreign software at significant CII objects. It also gives the cabinet of ministers the authority to determine the types of IS that will need to be classified as significant CII objects.

What other requirements are there for CII security?

In addition to the CII protection measures provided for in the Federal Law and the Presidential Decree, there is a separate set of requirements dedicated to cyberattacks and incidents. To coordinate efforts to protect against cyberattacks, there is the NCCCI (National Coordination Center for Computer Incidents). Organizations must connect to a departmental GosSOPKA center or create their own corporate GosSOPKA center in order to exchange information about incidents.

Requirements for the means of detecting and countering attacks are also specified (FSB Orders No. 196 and 281), as are requirements for monitoring tools (FSB Order No. 213). The methodology for determining the causes of cyberattacks and incidents and eliminating their consequences is set out in separate methodological recommendations.

CII entities may also be subject to the requirements of Federal Law No. 152-FZ or the Regulations of the Bank of Russia, which also impose an obligation on them to comply with information security requirements.
