Transneft rejected its automated control system equipment.
Transneft decided to reject Schneider Electric equipment because the French company failed to respond in a timely manner to Transneft’s demands to eliminate “numerous critical susceptibilities”. Transneft’s case was the first in which a Russian company rejected a foreign supplier’s services because of the supplier’s delays in eliminating cyber security threats, the experts state. Schneider Electric says a joint working group is reviewing the problem.
Transneft will not use Schneider Electric equipment because of its systems’ susceptibility, Interfax reports. This information was disclosed by the Company’s Vice President Maxim Grishanin at the Expert Council: Combating Cyberthreats in Safeguarding the Critical Information Infrastructure Facilities.
In 2016–2017, Transneft undertook an in-depth analysis of the protection status of the automated Plant Control Systems and Software and Hardware Control System and discovered “numerous critical susceptibilities”, Mr. Grishanin said. “The respective information was communicated to the manufacturer, but we had to wait too long for their response. We tried to call them to order for 6 months; after numerous reminders, there was some progress. But now we have prohibited the use of this manufacturer’s equipment for Plant Control Systems and Software and Hardware Control System in Transneft,” he specified. “We come across cyber attacks daily, and they are numerous. All this is our major concern. It is a very sensitive topic,” emphasized Nikolay Tokarev, the Company’s President.
“A joint working group deals with the review of susceptibilities and elaboration of the most appropriate technical solutions,” a Schneider Electric representative told Kommersant. “We have no information that our solutions conflict with those of other suppliers. Besides Kaspersky Laboratory, we have been actively and fruitfully working with Infowatch and other Russian cyber security providers. Numerous tests confirm the system works correctly.” Schneider Electric has been collaborating with Transneft “to detect and eliminate any potential susceptibilities in our systems”. “We have been working with Transneft for some 20 years and value this cooperation,” the French company noted.
Transneft has to combine Russian software with foreign products, because there is no suitable Russian software. Such a combined system is suboptimal, expensive and burdensome, but the Russian manufacturers are not mature enough, stated Maxim Grishanin.
Foreign solutions used at complex production facilities often do contain susceptibilities that have not been eliminated, says Anton Yudakov, Head, Operating Area, Center for Cyber Attack Monitoring and Response, Solar JSOC. “The fact is that several years may pass from the time the susceptibilities are discovered to the release of a patch, and some more years to the time the patch is installed at particular production facilities (even if the manufacturer promptly eliminates the susceptibilities),” he explains.
“Moreover, foreign manufacturers do not always cooperate with information security software developers, preferring to manufacture their own solutions that are compatible with their own products. Domestic vendors of Plant Control Systems and Software and Hardware Control System benefit from that, because they respond to Russian companies’ requests more quickly, in particular as concerns information security. However, as concerns functionality, they are still lagging behind their foreign peers and do not allow for a comprehensive approach to addressing the challenges PCS & SHCS face,” Mr. Yudakov says.
“Many PCS & SHCS manufacturers do not have sufficiently well-defined procedures to respond to susceptibility-related complaints,” noted Andrey Golov, General Director, Security Code, “so we frequently witness situations in which the user or researcher finds a susceptibility, but the vendor is unwilling or unable to close it for a long time”.
The case with Transneft is the first in which a major Russian company has rejected the services of a foreign manufacturer because the manufacturer failed to respond to the requirement to close a susceptibility, Mr. Golov believes. “With the Law on the Security of Russian Critical Information Infrastructure taking effect on January 1, 2018, it will not be the last instance when a Russian company stops cooperation with foreign manufacturers,” he believes. “The products that fail to provide the required security will be replaced by their competitors with a more responsible approach to infrastructure and data protection,” Mr. Golov believes.
Schneider Electric develops and supplies solutions for the power industry, infrastructure, manufacturing enterprises, civil and residential construction facilities, as well as data processing centers, according to the Company’s website.