lawyer, 23 years of experience in enforcement.
Legal principles of cyber protection of the enterprise as a critical infrastructure object.
Today, information in any field of business is becoming more and more important, and it is used both as a goal and as a means of production. In this regard, it is extremely important to protect it. Several recent global cyber epidemics that negatively affected many organizations and individuals also support this view. These incidents not only reaffirmed the importance of cyber protection of assets, but also inspired new efforts to improve the relevant legislation.
It is extremely important to consider state regulation of national cyber security, given that critical infrastructure facilities can include companies, institutions and organizations regardless of their form of ownership (so-called critical infrastructure objects). The legislation covers entities that have a significant impact on the economy and public safety, and the disruption or destruction of which may:
- negatively affect the state of national security and defense or the natural environment;
- cause property damage and/or create a threat to the life or health of people.
Special cyber security rules apply to critical infrastructure objects. Their cyber protection consists of:
- prevention of cyber attacks;
- detection and suppression of cyber attacks, and elimination of their consequences;
- restoration of the stability and reliability of communication and technological systems.
In fact, critical infrastructure facilities can include enterprises, institutions and organizations of any form of ownership, which:
1) carry out activities and provide services in the fields of energy, chemical engineering, transport, information and communication, electronic banking and financial services;
2) provide services in the spheres of life support of the population, in particular centralized water supply, drainage, electricity and gas production, food production, agriculture, health care and other services;
3) are intended for communal emergency and rescue services, as well as services providing emergency assistance to the population;
4) are included in the list of enterprises significant for the economy and security of the state;
5) are potentially hazardous technological or production facilities.
The main legal source in this matter is the Law "On the Basics of Ensuring Cybersecurity in Ukraine" (hereinafter - the Law), which describes the main principles of ensuring cyberspace security, as well as state and national interests in the digital sphere. The law also describes the main goals, methods and principles of the state policy of cyber security, the respective powers of legal entities and individuals, as well as the main principles used to coordinate their actions in order to achieve cyber security.
The Law defines the following objects of cyber protection:
1) communication and technological systems of all forms of ownership in which national information resources are processed or which are used by state bodies, local self-government bodies, law enforcement agencies and military organizations;
2) objects of critical information infrastructure (for example, communication or technological systems connected to a critical infrastructure object, a cyber attack on which directly affects the ability of that object to function);
3) communication systems designed to meet public needs and/or to fulfill legal relations in the fields of e-government, e-services, e-commerce and electronic document management.
The Law covers critical infrastructure facilities, as well as all individuals or organizations that engage in activities or provide services related to national information resources. These actors form the circle of entities that take direct action to ensure cyber security within their sphere of activity: information services, electronic transactions, information protection and cyber security.
As a result, the provisions of the Law are implemented by many individual companies, covering a wide range of critical infrastructure industries and cyber protection mechanisms. The procedure and criteria for classifying objects as critical infrastructure objects, the list of such objects and the general requirements for their cyber protection, including the use of cyber threat indicators, are approved by the government. Additionally, in the banking system of the NBU
As of the beginning of 2019, the relevant implementing legal acts are still being adopted. In particular, the list of critical infrastructure objects has not yet been approved, so it is not yet possible to say which private companies will be included in this list, nor what specific cyber protection requirements and audits will apply to them.
In addition, the Law contains legal, institutional, financial and technical components related to cyber security. In this regard, companies that will be included in the list of critical infrastructure objects must, among other things, ensure:
- compliance with mandatory requirements for the security of critical information infrastructure objects during their creation, installation, operation and maintenance, taking into account international standards and the specifics of the industry to which the information relates;
- conducting training exercises for actions in case of emergency situations and incidents in cyberspace;
- information security audits;
- development and improvement of the technical and cryptographic systems of information protection;
- implementation of a single (universal) system of cyber threat indicators that takes into account international standards for cyber security and cyber protection;
- special procedures for cooperation between the public and private sectors in preventing cyber threats to critical infrastructure objects, responding to cyber attacks and incidents and eliminating their consequences, in particular under emergency situations, a state of emergency and martial law.
In addition, the company is obliged to assist cyber security actors and to report information about known cyber threats, cyber attacks and measures for their prevention, detection and termination, as well as its own efforts to combat cybercrime and minimize the consequences associated with it.
These obligations are listed among the legally defined methods of ensuring the proper functioning of the national cyber security system.
In return, enterprises that own cyber protection objects will have access to practical and methodological assistance from the State Computer Emergency Response Team of Ukraine (CERT-UA) in preventing, detecting and eliminating the consequences of cyber incidents affecting these objects.
In addition, the process of forming a list of information and communication systems of critical infrastructure objects is currently underway. The draft document states that the information and communication systems of the objects on the list constitute the critical information infrastructure of the state, which is protected from cyber intrusion on a priority basis. Protection against cyber attacks is assigned to the owner (manager) of the system in accordance with the regulations on information protection and cyber security. The list does not include information and telecommunication systems that have no connection to restricted-access resources through electronic communication means.
Companies that may be classified as critical infrastructure should monitor the work of government agencies on the preparation of official cyber security regulations. Some of these draft documents are already in the public domain.