‘The field of cybersecurity in Russia is one of the most mature’
What is missing for Russian industrial software developers and why the withdrawal of Western vendors has become a boon for them
“If it wasn’t for bad luck, I wouldn’t have no luck at all.” In one form or another, this idea was voiced by the participants of the round table discussion dedicated to import substitution in industrial information security in today's realities. The event was held by Realnoe Vremya as part of TatOilExpo 2022. The dialogue was attended by representatives of the Ministry of Finance of the Republic of Tatarstan, various industries and specialists from IT companies. The interlocutors outlined the main sore points of import substitution of industrial software in terms of cybersecurity, expressed their hopes and fears, but most importantly, they reported that there was no catastrophe. After all, cybersecurity is traditionally very developed in Russia, and domestic developers offer a wide range of software for enterprises of various profiles. And now they get a full-fledged “green light”.
Number of cyber attacks has increased, but the industry is ready for it
The trend towards import substitution and digitalisation dominates the agenda of industrial production throughout Russia today. At the same time, the issue of cybersecurity is becoming more acute. Until now, most of the hardware and software came from abroad, and today this is becoming a new challenge, both for industrial enterprises and for developers of software and technical solutions in this area. The topic was discussed by:
- Aleksey Bychkov, head of the Information Security Department of the Ministry of Finance of the Republic of Tatarstan;
- Andrey Sharonov, head of the Information Security Department of Technological Systems ICL ST;
- Ildar Lukmanov, Deputy Director for Information Technologies at JSC Tatspirtprom;
- Aleksey Indeykin, SearchInform Project Manager;
- Marat Khamidullin, Chief Specialist at TAIF JSC;
- Ayrat Mukhametzyanov, Director General of RTSIM PLC.
Tatarstan has 14 major enterprises belonging to classes I and II of technogenic danger. Therefore, the government of the republic began to work on the issue of cybersecurity long before the February events. And on March 14, at the meeting of the Security Council of the Republic of Tatarstan, President of the Republic of Tatarstan Rustam Minnikhanov gave a number of instructions to state authorities and enterprises of the republic. The task of the Ministry of Finance is to cover as many enterprises of the republic as possible with organisational work. Aleksey Bychkov reported:
“The president's instructions have been fulfilled on time. The exchange of information between enterprises and the Ministry of Finance has been established, an operational headquarters has been created. All the recommendations of the regulators have been implemented. If any questions arise, we try to solve them together.”
For their part, industry representatives invited to the round table discussion confirmed the official's words. For example, Ildar Lukmanov explained that all basic security systems had been implemented at the enterprises of Tatspirtprom JSC long before February 2022. Then they only had to be partially adapted, employees were additionally trained, and a number of tests were carried out. The tests showed that the percentage of vulnerabilities is small and they managed to cope with them.
Marat Khamidullin also looks at the issue with optimism. First of all, he drew the attention of those present to the fact that the field of cybersecurity in Russia is one of the most mature, unlike development, for example. And this is not to mention that TAIF Group has always cultivated the principle of defense in depth: here it has never been built only on imported or, on the contrary, only on domestic solutions.
“Yes, after the withdrawal of imported vendors, questions arose, but again, defense is in depth, and our funds were able not to miss the threats. However, the number of cyberattacks has increased, as elsewhere. I think all colleagues are working in this paradigm today and have already learned how to react,” Khamidullin argues.
Automated control systems — a stumbling block
Andrey Sharonov from ICL confirmed that by February 24 the majority of enterprises had already been ready for enhancing cybersecurity. Since 2018, the categorisation and implementation of various security projects have already been carried out at many industrial enterprises of the republic — so few were caught by surprise. However, by now the request for vulnerability analysis has grown, and this has become a new trend: enterprises want to understand where their security weaknesses are, to test their infrastructure for hacking. But the development of automated process control systems (ASU TP) — this is where import substitution is sagging.
“Facile optimism is also inappropriate now,” Sharonov warned. “After large vendors of automated control systems have left, some large projects do not understand what to do next. It's no secret that Russia lagged behind in this area more than in information security products. It is at the moment of creation and modernisation of the automated process control system that some enterprises have problems. Because these are large, very serious events, and it's not so easy to do it on our solutions. But after all, the security of critical information infrastructure (CII) goes in conjunction with the automated process control systems! Accordingly, the introduction of cybersecurity in such cases is postponed until this moment: ‘Guys, we will solve the issue with the automated control system, and then we will call you and do everything that is necessary.’”
Indeed, now the withdrawal of Western vendors of automated control systems is becoming a great incentive for Russian developers. We need to develop new solutions, but what will they be? Marat Khamidullin from TAIF Group suggests: maybe government agencies need to be more closely involved in this issue?
“Colleagues will not let me lie: periodically in the spring, enterprises received requests from various ministries and regulators: what automated control systems are installed at your production facilities and what can be offered in return? The companies sent their data and suggestions, but there was no response. And we still don't know: what kind of plan did they have, what kind of roadmap?”
Aleksey Bychkov, as the only official at the round table discussion, replied: the Ministry of Finance of the Republic of Tatarstan collected the data and sent them to the federal authorities, where further work is already underway. However, in defense of government agencies, he recalled: since March, detailed recommendations have already been sent to enterprises on what to do if a particular vulnerability is detected. This, according to the Ministry of Finance, should be enough until Russian developers present working solutions for the long-suffering automated process control systems. Besides, Bychkov drew attention to another difficulty: some enterprises, due to their specialisation, use very specific automated control systems, software for which is very difficult to find.
“Russian software manufacturers see what is happening as an amazing once-in-a-lifetime chance”
Ayrat Mukhametzyanov from RTSIM, by contrast, does not see a big problem in the current situation. Instead, he sees ample opportunities: developers of Russian software receive only advantages from the withdrawal of foreign vendors. After all, for many years, large customer companies did not pay attention to domestic solutions, choosing large vendors with large budgets and a huge credit of trust.
“What is happening now, Russian software manufacturers consider as an amazing once-in-a-lifetime chance!” Mukhametzyanov says. “We see that the niches traditionally occupied by foreign companies are opening as great opportunities for us. We are receiving requests from all over the country, from different companies. And our colleagues are receiving the same requests. You just need to be patient. There have always been a lot of smart people in the country. “If it wasn’t for bad luck, I wouldn’t have no luck at all” — the situation should be perceived in this context, too. Therefore, our dear customers need to be patient and trust the Russian developer.”
Aleksey Turkin echoed him:
“There have been more and more domestic developments in various fields recently. The question is really about trust. Large enterprises primarily focus on imported suppliers, often quite wrongly believing that their product is better. They treated domestic developers with a sufficient degree of suspicion. Although our IT specialists have long reached the level that was provided by import organisations. And in some areas they even surpassed foreign ones. For example, in the field of information security. There are no analogues of security systems developed by our colleagues and us anywhere in the world. There are not even approximately similar systems!”
If we talk about specific products, then Russian solutions are not inferior to Western ones. But despite the general optimism, the audience recognised that there are also failures: for example, network security is among the main challenges for Russian developers. Our companies in this matter are still far short of the best foreign analogues. And demand for this is unusually high today, for obvious reasons.
The specialist from SearchInform believes that within one and a half to two years the most popular and necessary software for industrial enterprises in Russia will be fully developed. The only question is the trust on the part of customers and the support from the state (and it is unprecedented now).
Will complex integrators save everyone?
The participants also discussed how to solve an important problem facing the development of integrated security systems at enterprises today: if earlier one large vendor covered almost 90% of the needs of one enterprise, today it is necessary to “cross” the products of several domestic companies to assemble a high-quality system. Andrey Sharonov said:
“There is not a single Russian manufacturer of information security tools that can close all information security subsystems at a high level. We choose two, three, or even four solutions. And you always have to make a compromise between security, usability, and price. The big four vendors have always sought to close all issues over their products. I think this work in Russia will go on for at least a couple of years — before, none of our vendors will be able to cover all the needs by 80-90% at one enterprise.”
How can an enterprise assemble a comprehensive industrial automation and security system, find everything necessary, choose it correctly and, most importantly, “make friends” between products developed by different vendors, bringing them into a single trouble-free network? Ayrat Mukhametzyanov advises relying on large engineering integrator companies for this, which will handle the complex issues of combining individual technological solutions into common systems, which will then allow industrial enterprises to get the quality they are used to. Such companies already have experience in bringing together different products, they know the market perfectly, have already tested all possible solutions for compatibility with each other and will be able to set up complex industrial automation, including a security system, at the request of the enterprise. Thus, the integrator engineering company should act as a kind of “subcontractor”, which will be responsible for the quality of the assembled security system at the enterprise.
“Mono-companies should integrate with a contractor who solves a set of tasks. Integrators are the lifeline that will help the whole industry to live now,” Mukhametzyanov is sure (by the way, a representative of one of these “monocompanies”).
“At the same time, it is impossible to create a single integrated solution for automation and information security, this is a utopia. It is always necessary to refine the elements of all systems for a specific enterprise, it can only be a customised product for a specific task. Therefore, the creation and further support of such a product should be based solely on the tasks set by the enterprise: IT specialists in their work proceed from the feedback they receive,” Aleksey Turkin pointed out.
“If we take someone else's development as an example, then we initially find ourselves in a catching-up position”
Marat Khamidullin drew the attention of colleagues to the issue of finding vulnerabilities in domestic software. Until now, Russian companies, like the rest of the world, have used the most popular systems (for example, the same Windows). And the entire global cybersecurity market was at their service: if one person found a vulnerability, the vendor was immediately notified about it and released an update, and the vulnerability was removed for users around the world.
“And now it turns out that we will have, for example, an operating system that only we will have. And hackers from all over the world will attack it. Personally, I have doubts that our developers will be able to cope with all these attacks alone. In the future, we will have to prepare updates for all our systems ourselves. And whether they will be able to withstand global attacks is the big question.”
The participants of the round table discussion noted that a huge knowledge base on foreign solutions is now also being closed to Russian developers: they are consistently denied access to world developments. It turns out that you have to move in complete darkness, focusing solely on your own ideas and hypotheses. The participants expressed opposing attitudes to this. While Andrey Sharonov believes that stewing in one's own juice is not very good, Aleksey Indeykin sees positive aspects in such immersion in a vacuum:
“But we won't be behind. If we take someone else's development as an example, then we initially find ourselves in a catching-up position. Those who catch up will never become leaders because they pay attention to the development of other analogues. There are both pros and cons there. Lack of experience on the other side is a drawback. But the advantage is that we ourselves can achieve great success by following our own path. Naturally, there are many difficulties. There are also concerns about the personnel issue, it is difficult to find professionals, high-class system architects. Again, it all comes down to trust and money. If there is funding and trust from the end user, we will quickly achieve results!”
“We need to roll up our sleeves and work”
As for the personnel shortage, the participants noted that there are not enough high-level specialists, the so-called “seniors”. There is a shortage of system architects. A number of high-class programmers who left Russia have been washed out of the market. However, there are no special problems in this either: all participants point to an unprecedented rise in education in the field of industrial automation.
“Nurturing new specialists is not such a big problem,” Aleksey Indeykin is sure. “IT sphere today enjoys subsidies from the state, and it is interesting and promising for young people to go into the field of software development now. In my opinion, there is no global problem in this.”
Ayrat Mukhametzyanov hopes for the global project “Advanced Engineering Schools”, in which 30 Russian universities participate (including KNRTU, a partner of RTSIM under this programme). This project is designed to create a new type of engineer: people who understand the subject area well and know how to change certain industries.
“In our country, the understanding of the industry has begun to change through education. My deep conviction is that in the long run this will lead to the emergence of new products, new engineers who understand how to integrate different tools with each other. It is necessary to rely on young people, now there are all prerequisites for this.”
Andrey Sharonov summed up everything in an optimistic way to his colleagues:
“I think the Russian IT sector has already received everything it needed. The February events also gave it a market. Overdemand is now everywhere — both Russian automated control systems, and the first and second echelon of companies engaged in information security. Now no one is suffering from a lack of interest in their product. Today everyone has a chance! It is necessary to stop there and digest the huge demand of the market. We need to roll up our sleeves and work together!”