Business met with the State Service for Special Communications and Information Protection of Ukraine

30/ 10/ 2023

The European Business Association took part in a joint meeting with the State Service of Special Communications and Information Protection of Ukraine to discuss the creation of a coordination headquarters, which will include SSSCIP experts and representatives of leading business associations. During the event, Yurii Shchyhol, Head of the State Service of Special Communications and Information Protection of Ukraine, presented the concept of the coordination headquarters, which will become a bridge for dialogue between business and the state. In particular, the EBA can determine the necessary number of representatives who will meet regularly to discuss problems, find solutions, and ensure the involvement of relevant government agencies in resolving the issues raised. The State Service of Special Communications actively cooperates with critical infrastructure entities, both public and private, offering them support and advice. It is important to understand that regardless of whether an enterprise belongs to critical infrastructure or not, businesses must unite to protect the countrys vital assets, as a missile strike can affect any company. This united front is the key to preserving the countrys critical infrastructure, given the challenges of the upcoming winter, said Mr. Shchyhol. Mr. Shchyhol also highlighted two main aspects of critical infrastructure protection. The first is the physical security of critical infrastructure facilities, as exemplified by the use of gabions to protect facilities in the energy sector. Although the need for such measures is evident worldwide, it is thanks to Ukraines experience that the practicality and effectiveness of these solutions have been confirmed. The second dimension of such protection lies in the information infrastructure. The increase in the number of cyberattacks, which has multiplied since the start of the full-scale invasion, has made cybersecurity a top priority. During the war, the state developed regulations that govern the process of transferring data to cloud storage abroad. These rules provide a clear procedure for data transfer. In addition, the state provides relevant advice and recommendations on security standards that cloud service providers must meet. These standards include international information security management standards, such as the ISO 27000 series. Therefore, providers must obtain the necessary certification to guarantee the security of the data transferred for storage. After the end of the war and martial law, there is a procedure for returning this data to the jurisdiction of Ukraine. Work is ongoing to improve the regulatory framework related to cloud service providers in terms of both business services and information security requirements. These requirements are aligned with international and EU standards, in particular. Regarding security passports for critical infrastructure facilities, Mr. Shchyhol confirmed that the CMU has already approved the relevant procedure. The security passports consist of a general part containing an overview of the critical infrastructure facility and a special part that includes plans to protect against specific threats. These threats are both national and industry-specific, and they are adapted to the specific conditions of each facility. Answering the question about facility inspections and security assessments, Shchyhol says that the relevant monitoring has not yet been conducted. The law stipulates that monitoring of critical infrastructure facilities should be conducted by joint groups of sectoral functional bodies every three years. Currently, the focus is on setting up the system and protecting business, and no formal inspections are being conducted at this stage. Oleksandr Potii, the Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine, emphasized that there are more than a thousand critical infrastructure facilities in Ukraine of only the first or second class. These facilities are required to assess themselves according to established methods and register in the relevant register. The completeness of the registry will provide the government with important information for planning budget allocations, material support, and defense measures against specific threats such as air strikes, cyber-attacks, or epidemic outbreaks. Critical infrastructure facilities included in the register receive priority rights to priority connection to the power grid after emergencies. This priority applies to various aspects - from power substations to production facilities necessary to supply the population of a certain territory. The government allocates funds primarily for their rapid restoration. State-owned and joint-stock companies included in the register can conduct simplified tender procedures. These simplified procedures apply both to public procurement of recovery materials and to companies conducting their own procurement. Overall, the simplified procurement process is intended to support the recovery and sustainable development of these companies. Also, critical infrastructure facilities included in the register will be eligible for risk insurance. However, the specifics of the insurance mechanisms are still being developed in consultation with insurers and business stakeholders. The goal is to create insurance mechanisms that comply with the law and take into account different categories of criticality. We thank the State Service of Special Communications and Information Protection of Ukraine for holding an event aimed at informing business representatives about the risks that arise for certain sectors of life support, about key innovations in the field of critical infrastructure protection, as well as about the available tools that allow entrepreneurs to strengthen both their own resilience during the war and the critical infrastructure on which they depend. We also look forward to further cooperation!

During the event, Yurii Shchyhol, Head of the State Service of Special Communications and Information Protection of Ukraine, presented the concept of the coordination headquarters, which will become a bridge for dialogue between business and the state. In particular, the EBA can determine the necessary number of representatives who will meet regularly to discuss problems, find solutions, and ensure the involvement of relevant government agencies in resolving the issues raised.

The State Service of Special Communications actively cooperates with critical infrastructure entities, both public and private, offering them support and advice. “It is important to understand that regardless of whether an enterprise belongs to critical infrastructure or not, businesses must unite to protect the country’s vital assets, as a missile strike can affect any company. This united front is the key to preserving the country’s critical infrastructure, given the challenges of the upcoming winter,” said Mr. Shchyhol.

Mr. Shchyhol also highlighted two main aspects of critical infrastructure protection. The first is the physical security of critical infrastructure facilities, as exemplified by the use of gabions to protect facilities in the energy sector. Although the need for such measures is evident worldwide, it is thanks to Ukraine’s experience that the practicality and effectiveness of these solutions have been confirmed.

The second dimension of such protection lies in the information infrastructure. The increase in the number of cyberattacks, which has multiplied since the start of the full-scale invasion, has made cybersecurity a top priority. During the war, the state developed regulations that govern the process of transferring data to cloud storage abroad. These rules provide a clear procedure for data transfer.

In addition, the state provides relevant advice and recommendations on security standards that cloud service providers must meet. These standards include international information security management standards, such as the ISO 27000 series. Therefore, providers must obtain the necessary certification to guarantee the security of the data transferred for storage.

After the end of the war and martial law, there is a procedure for returning this data to the jurisdiction of Ukraine. Work is ongoing to improve the regulatory framework related to cloud service providers in terms of both business services and information security requirements. These requirements are aligned with international and EU standards, in particular.

Regarding security passports for critical infrastructure facilities, Mr. Shchyhol confirmed that the CMU has already approved the relevant procedure. The security passports consist of a general part containing an overview of the critical infrastructure facility and a special part that includes plans to protect against specific threats. These threats are both national and industry-specific, and they are adapted to the specific conditions of each facility.

Answering the question about facility inspections and security assessments, Shchyhol says that the relevant monitoring has not yet been conducted. The law stipulates that monitoring of critical infrastructure facilities should be conducted by joint groups of sectoral functional bodies every three years. Currently, the focus is on setting up the system and protecting business, and no formal inspections are being conducted at this stage.

Oleksandr Potii, the Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine, emphasized that there are more than a thousand critical infrastructure facilities in Ukraine of only the first or second class. These facilities are required to assess themselves according to established methods and register in the relevant register.

The completeness of the registry will provide the government with important information for planning budget allocations, material support, and defense measures against specific threats such as air strikes, cyber-attacks, or epidemic outbreaks.

Critical infrastructure facilities included in the register receive priority rights to priority connection to the power grid after emergencies. This priority applies to various aspects – from power substations to production facilities necessary to supply the population of a certain territory. The government allocates funds primarily for their rapid restoration.

State-owned and joint-stock companies included in the register can conduct simplified tender procedures. These simplified procedures apply both to public procurement of recovery materials and to companies conducting their own procurement. Overall, the simplified procurement process is intended to support the recovery and sustainable development of these companies.

Also, critical infrastructure facilities included in the register will be eligible for risk insurance. However, the specifics of the insurance mechanisms are still being developed in consultation with insurers and business stakeholders. The goal is to create insurance mechanisms that comply with the law and take into account different categories of criticality.

We thank the State Service of Special Communications and Information Protection of Ukraine for holding an event aimed at informing business representatives about the risks that arise for certain sectors of life support, about key innovations in the field of critical infrastructure protection, as well as about the available tools that allow entrepreneurs to strengthen both their own resilience during the war and the critical infrastructure on which they depend. We also look forward to further cooperation!