The Ministry of Digital Transformation announced a tender for the analysis of vulnerabilities of state information systems and their applications for 337.4 million rubles. As part of the contract, strategic information security (IS) risks will be identified, including shortcomings in infrastructure, architectural and organizational solutions, as well as the software used. In addition to the analysis, the ministry will be given recommendations to improve the level of information security and eliminate identified vulnerabilities.
GIS security analysis
The Ministry of Digital Transformation has ordered an analysis of the security of state information systems (GIS). For these purposes, the department allocated 337.4 million rubles. Information about this is published on the public procurement portal.
The future contractor is required to find vulnerabilities in the perimeter of state systems and their mobile applications, and to conduct penetration testing of them. The results of the work must be delivered as a report no later than July 1, 2023.
The tender was published on August 3, 2022 in the open tender format. Applications are accepted until August 22. The results will be summed up on August 25. Bids will be evaluated primarily on the proposed contract price (60% of the significance of the criterion), with the qualifications of the participants and the quality characteristics of the procurement object evaluated at 20%.
What should the performer reveal?
As part of the work, the strategic risks of GIS information security should be identified. In particular, the contractor must detect existing shortcomings in the infrastructure, architectural and organizational solutions of the analyzed systems that affect their security. Under the contract, shortcomings in the information protection tools and software used by state information systems should also be identified, according to the tender documentation.
“Given that the security analysis will be carried out for state information systems, the contractor must assess the capabilities of violators, typical for hacker (criminal) groups, terrorist organizations and special services of violators, as well as internal users of the information system who may collude with external violators”, says the specification.
Based on the results of the security analysis of each GIS, the contractor must draw up a report with descriptions of vulnerabilities, their causes, assessments of the degree of criticality, etc. In addition, recommendations should be developed to improve the level of information security and eliminate identified vulnerabilities, as well as to modernize information technologies (including in terms of import substitution policy), the documents say.
Cyber attacks on Russian infrastructure
The strengthening of information security measures is a response to a wave of cyber attacks that has swept over Russian infrastructure. Less than a month after the start of a special military operation in Ukraine, in April 2022, the number of computer attacks on Russian government agencies, critical enterprises and financial organizations increased sharply. Among the victims of cyberattacks are producers of energy resources and agricultural products, transport companies, executive and judicial authorities.
For example, in mid-April, emails from the Russian ministry and the governor’s administration of the Tver region were leaked online. At the end of March, Rosaviatsia was hit by a massive hack and lost 65 TB of information. Hackers deleted all mail and document flow, and the department did not have backup copies, which is why the organization had to switch to paper workflow.
As a result, in early May, the President of Russia Vladimir Putin signed a decree on additional information security measures in the country. In accordance with the document, government agencies are prohibited from using information security tools produced in “unfriendly” countries. Also, according to the decree, IT security units should appear in each department, institution and backbone organization.