Russian Federation Council Proposes Fines for Vulnerabilities in Critical Information Systems

Fines could reach 50,000 rubles for officials and 500,000 rubles for organizations

The Federation Council has proposed introducing mandatory checks for vulnerabilities in critical information infrastructure (CII) objects.

The appeal to the Ministry of Digital Development also proposes fines for failing to eliminate identified problems in a timely manner: up to 50,000 rubles for officials and up to 500,000 rubles for organizations.

CII includes control systems for power plants, telecommunications networks, financial institutions' databases, and other automated complexes in key industries. Their vulnerabilities—gaps in the program code or settings—allow attackers to disrupt the operation of facilities or gain unauthorized access.

The Federation Council believes that the search for such weaknesses should become mandatory, with the involvement of both internal specialists and external researchers through Bug Bounty programs.

Current measures are insufficient: the analysis of the causes of vulnerabilities and their prevention are not regulated. The introduction of fines will encourage CII owners to more actively implement preventive measures, the Federation Council said.
