I.I. Livshitz – Ph.D.(Eng.), Associate Professor, ITMO University (Saint Petersburg)
A.A. Zaytseva – Ph.D.(Eng.), Senior Research Scientist, St. Petersburg Institute for Informatics and Automation of RAS
At present, attention to the security of various critical infrastructure facilities, including their information security, has increased significantly. It should be taken into account that critical infrastructure facilities, as a rule, contain information technology components in the form of software, controllers, intelligent sensors, etc. All of these components may contain vulnerabilities, and the end user cannot always evaluate them within known constraints (time, cost, accuracy), while the realisation of negative scenarios in distributed cyber-physical systems may have catastrophic consequences. The article deals with the problem of constructing an information technology security risk assessment as an important stage of the overall process of ensuring the security of critical industrial facilities. In the context of the considered problem, it is important to take into account the presence of a control system, which is what radically distinguishes a critical industrial facility from a mechanical or electro-mechanical drive. Accordingly, the problem of risk assessment for this class of critical industrial systems should be addressed using appropriate methods for auditing management systems at the appropriate levels. The article considers two main levels of audit for critical industrial facilities: the level of the management system and the level of the information technology components. The method is therefore based on the modern risk-oriented standards of the ISO/IEC 27001 series and ISO/IEC 15408, as well as a number of other standards for the evaluation of information technology and the audit of management systems.
The proposed method makes it possible to obtain calculated results of an information technology security risk assessment under the constraints imposed by the location and composition of the components of critical industrial facilities in distributed cyber-physical systems. The main difference from existing methods is that the latter, as a rule, currently rely on the static threat models recommended in the documents of regulators in the Russian Federation. These documents take into account neither information technology risks nor information security risks, which prevents the use of modern ISO/IEC standards or their national GOST R analogues for critical industrial facilities. As a result, neither the risks of imported information technology components nor the cumulative risks of integrating all components into the management system of a critical industrial facility can be assessed. The proposed results can be applied in forming an independent assessment of the information technology security of complex industrial facilities with the required accuracy.