Ukraine: Overview of developments in critical information infrastructure regulation

The National Cyber Security Index (‘NCSI’) 2020 placed Ukraine in 25th place among 160 countries worldwide. The key problems identified in Ukraine are a weak protection of digital services, as well as the absence of cyber crisis management¹. The State Service of Special Communication and Information Protection in Ukraine (‘SSSCIP’) reported in 2020 that last year became a year of active launching cybersecurity reform. One of the key goals for 2021 is the introduction of protection of critical infrastructure (‘CI’) and critical information infrastructure (‘CII’) through new standards and best practices, performing an audit of protectiveness and continuous monitoring of cybersecurity through sensor infrastructure and 24/7 reacting to cyber incidents². Ario Dehghani and Yuliia Brusko, from Sayenko Kharenko, provide a brief overview of recent legislative updates with regard to the CI and CII areas, as well of upcoming changes expected in 2021.

Despite a rather high ranking in the NCSI, the National Security and Defence Council of Ukraine (‘NSDC’) reported that, as of August 2020, there were approximately 1 million cyberthreats, including network attacks, network scan attempts, WEB-attack attempts, phishing, distributed denial-of-service (‘DDoS’) attacks, and malware distributions.

General regulation of CI objects and CII facilities

In October 2020, the Ukraine Government (‘the Government’) adopted two key resolutions regulating CI objects³ and CII facilities⁴. In order for the object to be classified as CI object, it is assessed as per the methodology summarising the following characteristics of the object:

• social importance
• public importance
• economic importance
• links with other CI objects and
• importance for ensuring national security defence capabilities of the state

The Government categorised CI objects into four criticality levels:

• I Level – particularly important CI objects of national importance impacting other CI objects which malfunction will lead to a crisis on the national level
• II level – vital CI objects which malfunction will lead to a crisis on the regional level
• III level – important CI objects which malfunction will lead to a crisis on the local level and
• IV level – necessary CI objects which malfunction will lead to a crisis on the community level

CI objects of all four levels are included in sectoral lists administered by state authorities responsible for a particular sector (industry). Based on sectoral lists, information about CI objects of I and II criticality level are consolidated in the national list. Sectoral state authorities submit information about CI objects of I and II criticality level once in two years or more frequently if such information is amended. Both national and regional lists are not publicly available in the interests of national security. Similar to the procedure established for CI objects, the CII facilities are to be included in the national and sectoral lists. Sectoral lists are maintained by state authorities responsible for a particular sector. The national list is maintained by SSSCIP office and includes information about CII facilities only at CI objects of I and II criticality level. Both national and sectoral lists are limited in access. Information from the national list is thereafter included in the respective state register, access to which is also limited and can be provided to external users only under conditions specified by law. Information infrastructure facilities are categorised as CII facilities if they fulfil all of the below criteria:

• need of the facility both for: (i) sustainable and continuous operation of the CI object; and (ii) performing by CI object of its key functions and
• cyberattack, cyber incident, information security incident at the information infrastructure facility significantly affects the continuity, and sustainability of the performance of key functions by the CI object and
• in case of violation of the continuity and stability of the performance of key functions by the information infrastructure facility, there is no alternative facility (method) for their performance

Operators of CI objects shall keep information about CII facilities up to date and provide amendments where necessary to the responsible state authorities.

Extended list of CI sectors

The vague description of CI sectors outlined in the Law of 5 October 2017 No. 2163-VIII of Ukraine on the Main Principles of Maintaining Cybersecurity (‘the Cybersecurity Law’) was clarified in the Government resolution of October 2020⁵. Each sector that potentially may have CI objects is divided into subsectors. The resolution also determines the relevant state authorities responsible for each subsector. The identified CI sectors and subsectors correspond to the CI sectors identified in the Proposal for a Directive of the European Parliament and of the Council on the resilience of critical entities (‘the Critical Infrastructure Act’). To a certain extent, the Ukrainian list of CI sectors is even wider than the one proposed in the EU.

Cyber incident reacting system

In December 2020, the Government, by its resolution, identified the procedure of functioning of systems of revealing vulnerabilities and reacting to cyber incidents and cyberattacks⁶. It is mainly aimed at establishing the system of reacting to cyber incidents at state-owned CI objects. However, private companies operating objects subject to cybersecurity can voluntarily apply to the SCC to be included in such a system and install active sensors (see below). The system includes four following elements ensuring timely reaction to cyberthreat and incidents:

• Cyber Security Emergency Response Team of Ukraine (‘CERT-UA’) team responsible for emergency events in Ukraine ensuring centralised collection and accumulation of information on cyberthreats and cyber incidents obtained from different sources
• subsystem of identifying and reacting to cyberattacks at the level of workstations and server stations (‘end points’) ensuring detection of harmful activity, reacting thereto by way of liquidation, minimisation, isolation, and blocking of processes used by malicious software
• subsystem for collecting telemetry from information and telecommunication systems (active sensors) which provides for collecting information on security events, monitoring telecommunication traffic for identifying cyberthreats and incidents, and identifying malware and
• a subsystem of the operational centre for responding to cyber incidents, which is a central component of the system for detecting vulnerabilities and responding to cyber incidents and cyberattacks

Review of status of CII facilities

In November 2020, the Government adopted a procedure for the review of the status of CII facilities⁷. The review is performed by an intergovernmental commission (‘the Commission’) under the general management of the SSSCIP. As a result of the review, the Commission prepares its recommendations on improvements of the national cybersecurity system given the actual and potential threats in cyberspace and financial capabilities of the state. The results of the review are communicated to the state authorities responsible for particular sectors where CII objects are being operated, as well as to the NSDC.

Banking system

In November 2020, the National Bank of Ukraine (‘NBU’) adopted a resolution⁸ by which it identified the CII facilities in the banking system:

• bank automatisation system
• information system of a qualified provider of electronic trust services
• interbank inter-branch payment system
• remote service system and
• depository accounting system of the bank’s securities

Banks are provided with discretionary powers to include other facilities to the CII facilities list of which the NBU must be informed. The list is subject to annual review. Those banks that are identified as CI objects have their CII facilities registered in the national register.

Expected developments in 2021

Cybersecurity strategy

In 2021, the NSDC approved the draft Cybersecurity strategy for 2021-2025⁹ (‘the Strategy’). The key role in ensuring implementation of the Strategy and interaction between different stakeholders will be given to the National Cybersecurity Coordination Center. The key goals set out in the Strategy for the upcoming years are announced to be:

• efficient cyber defence
• capacity building in countering intelligence and subversive activities in cyberspace and cyberterrorism, including counteracting cyberattacks and espionage with regard to CII facilities
• capacity building in the fight against cybercrime
• development of asymmetric containment tools (economic, diplomatic, intelligence, as well as involving non-government sector)
• strengthening national cyber readiness and cyber defence, especially ensuring cyber resilience of CII facilities
• professional development, cyber-knowledge society, and scientific and technical support of cybersecurity
• secure digital services
• strengthening coordination system
• establishment of a new model of relations in the field of cybersecurity (the state will act as a partner and not as a party setting up requirements) and
• practical international cooperation

Among the strategic goals, the NSDC indicated secret checks of CI objects readiness, creating technological capabilities for automatic detection of cyberattacks in real time, the introduction of CI objects audit system, certification of products used for cybersecurity of CII facilities, and regular assessment of CIII facilities protectability, etc. The Strategy must thereafter be adopted by the Ukrainian Parliament (‘the Parliament’) .

Draft laws on CI objects

In 2020, it was announced that until the end of 2020, the law on CI objects had to be adopted. However, this did not happen. Currently, there are two draft laws on CI objects submitted to the Parliament for consideration. The key issues raised in the draft laws cover the following areas:

• identification of and rights and obligations of the state authority in the area of CI – National Commission in Critical Infrastructure Issues
• passporting of CI objects
• different regimes of CI protection system functioning
• mandatory insurance of CI objects
• public-private partnership in CI protection and
• independent audit of national system of CI protection

Given that cybersecurity of CII facilities is one of the main elements of the Strategy and of the state security and defence as a whole, it is expected that this area will be further developed rather rapidly. This is also the opinion of the international partners, in particular, the U.S., that provided Ukraine with funding in the amount of $38 million for the development of an efficient cybersecurity system.