Up-to-date information and communication technologies (ICT) implementation in various industries, on the one hand, increases the efficiency of different business processes and, on the other hand, generates new threats and vulnerabilities in ICT. Critical infrastructures (CI) need principal new effective methods and means for cybersecurity ensuring. In the situation with limited resources, CI objects defining and ranking is an important task. To rank objectively, CI objects should be assessed using some criteria. Previously, authors have proposed a FMECA-based method to assess importance level for state critical information infrastructure, which allows ranking and evaluating the importance of CI objects using both quantitative and qualitative parameters. This paper presents a complex experimental study of the proposed method using the aviation industry as an example. An experimental technique was introduced and using it, the adequacy of method response to changing input data was checked. It confirmed the possibility of importance level assessment of critical aviation information systems related to various categories: information systems for air navigation services; on-board information systems for aircraft; information systems for airlines and airports.
Information and communication technologies (ICT) rapid development has led to significant and sometimes revolutionary changes in all spheres of people’s lives in most states of the world. This has significantly increased the vulnerability of various Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). networks, systems and ICT objects and has made it difficult to ensure their protection and security. All these factors have caused the world's leading states to pay significant attention to the protection of critical facilities, systems and resources, as well as to the identifying critical infrastructures (CI) [1-2], assessing their criticality level and impact of possible functional interruptions (failures). However, today there is no universal method that could be used to assess the criticality level of CI in different industries using both quantitative and qualitative parameters. 2
Increasing concentration of means and resources for protecting CI of different types necessitated the ranking of CI objects, the selection of the most important ones and the emergence of the CI concept [3-4]. ICT is important part of CI called critical information infrastructure (CII). In order to protect the most important CII objects, it is necessary to first identify these objects by certain criteria [5] and then determine the criticality (assess the importance) of the identified objects [6]. Particular attention needs to be given to aviation, where, in accordance with the guidance documents [7], so-called critical aviation information systems (CAIS) need to be identified and protected against various cyberthreats. In works [8-10] the FMECA-based (Failure Mode, Effects and Criticality Analysis) approach for assessing CII objects in different industries of CI was presented and studied. 3
In the study [1] authors have proposed a FMECA-based method of assessing the importance level of CII objects in aviation, which makes it possible to evaluate the importance level and to rank the CAIS [10]. This method uses the introduction of a basic set of systems and corresponding sets of subsystems, components, functions, violations of continuity of work (interruption of work, loss of functionality), their features and consequences, as well as the construction of a three-dimensional criticality matrix.
The main results of the implementation of the proposed method are presented in the form of a report, which summarizes such information as: a list of system components, their functions, types of interruptions for each component of the system; information on the causes and consequences of interruptions for each component of the system; calculations of criticality rankings, ranking results are a list of the most significant (critical) interruptions of work, which are displayed in a formalized and convenient for experts form. Other output data was obtained at different stages of the method implementation: criticality matrix, which according to the collected preliminary data graphically reflects the criticality of the system components (stage 7); Pareto diagram which shows the level of criticality inside the system and makes it possible to compare several different systems (stage 9); Ishikawa's cause and effect diagram that allows to identify priority areas for developing appropriate corrective measures (stage 10).
The previously proposed method by authors in [1] is implemented in the following stages: 1) identification of system components and setting the level of detail; 2) defining the functions of each detected system component; 3) determining the list of possible interruptions of each system component; 4) determining the consequences of each possible work interruption; 5) identification of interruption detection signs; 6) identification of methods for detecting work interruptions; 7) construction of a threedimensional criticality matrix; 8) calculation of the criticality rank of probable interruptions; 9) selection of the list of the most significant (critical) work interruptions; 10) forming a list of corrective measures; 11) report generation.
The main task of this work is experimental study of method for importance level assessing of the CII objects in aviation (CAIS). This method was proposed by authors before [1] and it is based on FMECA technique with proposed improvements for effective quantitative and qualitative assessment. 4 A.
The first step of experimental research is the creation of an experimental program, which contains the following components:
1. The purpose and objectives of the experiment. The purpose of the experiment is to investigate the adequacy of the developed method.
Objectives: 1.1. Investigate the proposed method of assessing the importance of CII objects in aviation (by modeling its operation using developed software).
1.2. Check the adequacy of the developed method’s response to changing the input data.
1.3. Check the adequacy of the developed severity weight coefficients of the interruption consequences for the developed method.
2. Selection of input and output parameters: 2.1. Input parameters for solving problem 1.1. are: structural and functional diagrams of the analyzed system and its components; information on the functioning of each process or system component; a detailed description of all the parameters that may affect the functioning of the system; information about the results of work interruption; chronological work interruption data, including available work interruption intensity data. Output parameters: a report listing the types of interruptions for each system component; information on the causes and consequences of interruptions for each system component; criticality matrix; Pareto diagram; Ishikawa's cause and effect diagram; a list of corrective measures to reduce the criticality of the most significant work interruptions.
2.2. Input parameters for solving problem 1.2. are: a list of all types of system component interruptions and their estimated criticality level. Output parameters: summarized results of the study of each system interruptions.
2.3. Input parameters for solving problem 1.3 are: metrics tables B1i , B2i , B3i , and calculated values for the weighting coefficients of work interruption consequences. Output parameters: results of the study of the developed weight coefficients of work interruption consequences.
3. The order of actions: 3.1. Determining the set of system C components with the help of set of classes of systems S , set of systems Si , set of subsystems Sij , and setting of level of detail Detmin (using accordingly (6), (1), (2) and (4) in [1]).
3.2. Determining the set of functions F , and the set of work interruptions D (using accordingly (7) and (8) in [1]).
3.3. Determining the set of consequences E , signs of detection O , ways of detecting work interruptions W (using accordingly (9), (10) and (12) in [1]) and building a three-dimensional criticality matrix.
3.4. Calculating of the set of criticality ranks of possible interruptions R , with the help of sets B1, B2 , B3, selecting the list of most significant work interruptions criticality (Di ) , (using accordingly (13) – (18) in [1]), of set VK (see stage 8 of experimental research) and construction of the Pareto diagram.
3.5. Constructing a cause-and-effect diagram of Ishikawa, determining the set of corrective measures K and evaluating the effectiveness of implementing corrective measures by recalculating the criticality ranks R (using accordingly (19), (14) in [1]).
3.6. Systematizing data in a form of a report for all levels of analysis.
4. Choosing a factor change step.
Sijk (i 1, n , j 1, mi , k 1, rij ) according to (4) in [1]; Ci (i 1, b) according to (6) in [1]; Fi (i 1,l) according to (7) in [1]; Di (i 1, p) according to (8) in [1]; Ei (i 1, q) according to (9) in [1]; Oi (i 1, r) according to (10) in [1]; Wi (i 1, s) according to (12) in [1]; Ri (i 1, w) according to (13) in [1]; B1 j ( j 1, z) according to (15) in [1]; B2 j ( j 1, x) according to (16) in [1]; B3 j ( j 1, c) according to (17) in [1]; VKij (i 1, n , j 1, mi ) , (see stage 8 of experimental research); Ki (i 1, g) according to (19) in [1].
5. Analyzing results.
The second step after the approval of the research plan is to determine the amount of experimental research and the necessary software.
The third step is the direct conduct of the experiment; the fourth step is the processing of experimental data, the systematization of all numerical data, the construction of matrices, diagrams and tables.
Let`s consider in detail step by step of implementation of the proposed method study (one CAIS from each of the categories defined in work [12] are selected): Stage 1. Identifying system components and setting the level of detail Step 1.1 For CAIS according to [12], with n 3 considering (1) in [13] we define the complete set of classes of CAIS systems as follows:
SCАІS { i1 where S1 SІSАО is set of information systems of air navigation services; S2 SBSPS is set of onboard aircraft information systems; S3 SІSАА is set of airline and airport information systems, according to [12].
Step 1.2. For example, with n 1, m 5 while using (2) in [13], we present the 1 set of systems of class S1 in the following way:
5 S1 = SІSАО {
S1j} S1.1, S1.2 , S1.3 , S1.4 , S1.5 SSAE , SRZZP , SSSP , SSOD , SSMZ , (2) j1 where S1.1 = SSAE are aviation telecommunication systems; S1.2 = SRZZP are radio navigation aids; S1.3 = SSSP are surveillance systems; S1.4 = SSOD are data processing systems; S1.5 = SSMZ are meteorological support systems [12].
Similarly for sets of classes S2 and S3 , with n 2, m2 7 and with n 3, m 4 respectively, while using (2) in [13], we will present the set of systems, where 3 S2.1 = SSPS are air signal system; S2.2 = SSZV are communication systems; S2.3 = SNAVS are navigation systems; S2.4 = SSSPZ are collision monitoring and prevention systems; S2.5 = SOSL are computing systems of aviation; S2.6 = SSVI are information display systems; S2.7 = SABSK are automatic onboard control systems; S3.1 = SCRS is computer reservation system; S3.2 = SGDS is global reservation system (reservation); S3.3 = SBSP is mutual calculations system; S3.4 = SDCS are dispatch management systems [12].
The sets of CAIS classes and systems according to [12], with n 1, n 2, n 3 and m1 5, m2 7, m3 4 taking into account (1) - (2) and (1) in [13] were determined in the following way:
S1.1,S1.2,S1.3,S1.4,S1.5,S2.1,S2.2 ,S2.3,S2.4 ,S2.5,S2.6 ,S2.7,S3.1,S3.2,S3.3,S3.4,S3.5 SSAE ,SRZZP,SSSP,SSOD,SSMZ,SSPS,SSZV,SNAVS,SSSPZ,SOSL,SSVI,SABSK,SCRS,SGDS,SIDS,SBSP ,SDCS.
Step 1.3. To determine subsystem sets, we arbitrarily select one set of systems from each class, for example SSOD , SSSPZ , SGDS and according to (3) in [13] we present subsystem sets with r1.4 5, r2.4 4, r3.2 18, and record the obtained data in table 1, where S1.4.1 SASYPR are automated air traffic control systems (AATCS); S1.4.2 SSPPP are automated airspace use planning systems; S1.4.3 SESAN are centralized surveillance and distribution systems for the surveillance data of the European Aviation Safety Organization Eurocontrol; S1.4.4 SSOPD are flight data processing and transmission systems; S1.4.5 SSOAD are aeronautical information processing and transmission systems; S2.4.1 STRA are transponders; S2.4.2 STCAS are onboard collision avoidance systems (TCAS); S2.4.3 SSRPZ are early warning systems for dangerous land rapprochement; S2.4.4 SBMR is airborne radar onboard; S3.2.1 SAMDS is Amadeus; S3.2.2 STGDS is Travelport GDS; S3.2.3 SSAB is Sabre; S3.2.4 STRES is TameliaRES; S3.2.5 SAPSS is Avantik PSS; S3.2.6 SABCS is Abacus; S3.2.7 SACA is AccelAero; S3.2.10 SKUI
S3.2.8 SAXS is
Axess;
S3.2.9 SIBE is
Internet is
KIU;
S3.2.11 SMER is
Mercator;
S3.2.12 SNAV
Booking is
Engine; Navitaire; S3.2.13 SPATH is Patheo; S3.2.14 SRAD is Radixx; S3.2.15 SAKF is Akeflite; S3.2.16 STTI is Travel Technology Interactive; S3.2.17 SWSMS is WorldTicket Sell-More-Seats;
System SSOD SSSPZ SGDS
Value rij
Name of subsystems set SASYPR , SSPPP, SESAN, SSOPD, SSOAD
STRA, STCAS, SSRPZ, SBMR SAMDS, STGDS, SSAB, STRES, SAPSS, SABCS,
SACA , SAXS, SIBE , SKUI , SMER , SNAV , SPATH , SRAD , SAKF, STTI , SWSMS, SSIR
Step 1.4. To determine the set of components, we arbitrarily select one subsystem from each set of subsystems (Table 1), for example SSOAD , STCAS , SAMDS .
For system SSOAD , with b = 7 , while using (4) in [13], we present the set of components in the following way:
7 СSOAD = {
Ci } C1, C2 ,..., C7 СODSS , СОPD , СMKS , СZVI , СKGZ , СPPR , СZBP , i1 where C1 СODSS is data processing of the surveillance system; C2 СОPD is flight data processing; C3 СMKS is system monitoring and control; C4 СZVI is recording and reproduction of information; C СKGZ is commutation of voice communication; 5 C6 СPPR is decision support; C7 СZBP is ensuring the safety of flights.
Similarly for systems STCAS according to [14], and SAMDS according to [15-16], with b = 5 та b = 4 while using (4) in [13] respectively, we present the set of components (Table 2), where C8 САNT are antennas; C9 СBLO is calculator unit; C10 СVRS is respondent mode S; C11 СIND are indicators (installed in the cockpit); C12 СPYL is control panel; C13 САTIM is Amadeus Timetable; C14 СAAV is Amadeus availability; C15 СASCH are Amadeus schedules; C16 СADA is Amadeus direct access.
SSOAD STCAS SAMDS
Step 1.5. Let us set the minimum level of detail Detmin to describe and decompose the system. The purpose of the analysis Sij / Sijk is to determine the level of criticality of possible types of components interruptions that cause loss of their functionality, to find out their causes, consequences, methods of detection and recommendations for reducing their criticality.
Therefore, the description and decomposition are limited by level “system class” / “system” / “subsystem” / “component” (Si / Sij / Sijk / Ci ) and concern only the effects of possible interruptions of certain components Ci . Meaning that Detmin = Ci , however, a more detailed study of the more complex components (subsystems) of CAIS may consider the case of Detmin = Cij , where Cij are parts of components Ci Detmin = Sij Sijk Ci / Cij etc.
The selected systems are limited by level
і and concern only the SBSPS / SSSPZ / STCAS / СTCAS ; SІSАА / SGDS / SAMDS / CAMDS effects of possible interruptions of certain components Ci .
Stage 2. Defining the functions of each detected system component. For system SSOАD , containing a set of components CSOАD , with l = 15 , while using (5) in [13], we present the set of functions in the following way:
15 FSOАD = {
Fi } F1, F2 ,..., F15 i1 FOSG , FPОІ , FVОІ , FОPD , FKPOL , FPPAT , FVYІ , FDVI , F ZDGZ, FAPR , FPZIT , FVPI , FVVKS, FPAP , FZBP, where F1 FOSG is signal processing; F2 FPОІ is primary information processing; F3 FVОІ is secondary information processing; F4 FОPD is flight data processing; F5 FKPOL is flight control; F6 FPPAT is air patrol; F7 FVYІ is display and management of information;
F8 FDVI is documentation and reproduction of information; F9 FZDGZ is providing air traffic controllers with land and voice communications; F10 FAPR is automation of decision making; F11 FPZIT is collision prevention; F12 FVPI is use of planned information; F13 FVVKS is identifying and resolving potential conflict situations; F14 FPAP is aviation events warning; F15 FZBP is ensuring the safety of flights [12].
Similarly for systems STCAS according to [14] and SAMDS according to [16], sets of components СTCAS and CAMDS , with l = 14 and l = 4 , while using (5) in [13], we present sets of functions (Table 3), where F16 FPPR are receiving and transmitting radio waves; F17 FZIL is request of other aircraft responders; F18 FOMRL is calculating the location of aircraft; F19 FVTL is aircraft trajectory tracking; F20 FPPRD is transmitting warnings and recommendations on the VSI / TRA display or other indicators; F21 FPMPP is the transmission of voice messages to the pilot through the airplane located in the cockpit of the sound notification system; F22 FVNZ is responding to requests in Mode-A, Mode-C and Mode-S from radar systems of the air traffic control service, as well as from other aircraft equipped with TCAS; F23 FODSS is data exchange with compatible systems; F24 FVPZ is establish a direct connection using a unique address assigned; F25 FPDBV is transfer of data from the barometric height sensor and from the control panel to the TCAS computer unit; F26 FVVI is display of vertical speed indicator (VSI) information with the display of air-condition warnings and recommendations for conflict resolution (TRA); F27 FYRT is setting TCAS mode and responding mode-S; F28 FYKV is setting the UPR radar response codes; F29 FPRS is system operation check; F30 FPIZ is providing (general) flight information on all airlines during the week; F31 FFIPP is generating flight information that has at least one available class for sale or a waiting list; F32 FVGVR is display all scheduled flights; F33 FMODI is the ability to access specific airline information for sale or to complete a waitlist.
Stage 3. Determining the list of possible interruptions of each system component. For system SSOАD set of components CSOАD , with p = 9 , while using (6) in [13], we present the set of work interruptions in the following way:
9 DSOАD = {
Di } D1, D2 ,..., D9 DVNIS , DNOPS , DPFOD , DPNI , DVZZ , DNSD , DVRTZ , DVPKS , DVAF, where D1 DVNIS is detecting a nonexistent signal; D2 DNOPS is incorrect estimation of signal parameters; D3 DPFOD is data processing and distribution breaches; D4 DPNI is suspension of receipt of information on flights of aircraft; D5 DVZZ is loss or destruction of a recording device; D6 DNSD is unauthorized access to the recording device; D7 DVRTZ is loss of radio or telephone communication with crews, related dispatch points and other traffic participants; D8 DVPKS is the occurrence of potential conflict situations of the PCC; D9 DVAF is detection of an emergency factor [14].
Similarly for systems STCAS according to [14] and SAMDS according to [15-16], set of components СTCAS and СAMDS , with p = 9 and p = 17 respectively, while using (6) in [13], we present the set of work interruptions (Table 4), де D10 DVNA is directional antenna failure; D11 DVOBS is failure of the system computing unit; D12 DTCF is “TCAS FAIL”, if there is a failure of the equipment that is the minimum required for the operation of the TCAS system; D13 DXPF is “XPNDR FAIL” failure of the respondant mode-S, occurs in the event of termination of the receipt of reliable data on the altitude from the barometric altimeter on the respondant mode-S; D14 DTCO is “TCAS OFF” (TCAS system is disabled, or problems occur inside the system; D15 DVSF is “VSI FAIL” (failure of the vertical speed indicator), when the vertical speed arrow is not displayed on the VSI display; D16 DTDF is “TD FAIL” (failure of air condition indicator) appears when the system TCAS-2000 is unable to display air warnings; D17 DRAF is “RA FAIL” (refusal to issue RA messages) appears when TCAS system is unable to display recommendations for resolving a conflict situation; D18 DNPY is malfunction or failure of the control panel; D19 DZSD is failure to update dates (periods); D20 DNIPA is incompleteness of information about airlines; is providing outdated information;
D21 DNZI D22 DNNI is unreliability of the information provided; D23 DNIMP is failure to provide landing information (only schedule is displayed, regardless of availability); D24 DVMPK is the inability to buy a ticket unless the airline has an agreement to sell with Amadeus; D25 DNZD is inability to find airline information to alert you to potential threats or to obtain necessary information.
System / Subsystem
SSOAD STCAS SAMDS
Еi } E1, E2 ,..., E10 ENPR , EPRSY , EVVPS , EVRLP , ENODD , EVRTZ , EPRVZ , EVNM , EZPS , EPRS, i1 where E1 ENPR is wrong decision-making, due to incorrect analysis of the air situation; E2 EPRSY is malfunction of control systems, power supply, communication, piloting, lack of fuel, interruptions in the life support of the crew and passengers, failure of engines, destruction of individual aircraft structures; E3 EVVPS is lack of ability to track aircraft; E4 EVRLP is loss of opportunity to investigate a flight incident FI; E5 ENODD is inability to evaluate the actions of the operator; E6 EVRTZ is no radio or telephone connection; E7 EPRVZ is violation of recommendations on solving the collision threat; E8 EVNM is choosing the wrong maneuver; E9 EZPS are aircraft collisions; E10 EPRS is malfunction of control systems, power supply, communication, piloting, lack of fuel, interruptions in the life support of the crew and passengers, failure of engines, destruction of individual aircraft structures [14].
Similarly, for each possible work interruption of sets DTCAS according to [14] and DAMDS according to [16], with q = 3 and q = 6 respectively, while using (7) in [13], we present the set of work interruptions (Table 5), where E11 ENVVP is TCAS 2000 system may be temporarily unable to determine the relative bearing of the conflicting aircraft due to the large roll angle, which causes the directional antenna to shade; E12 ENVP is inability to display recommendations for conflict resolution; E13 ENVPY is inability to use the control panel accordingly; E14 ENRS is system inability to work in real time; E15 EVIA is lack of information on airlines; E16 ENOOI is inability to get online flight booking information; E17 EMZGP is a possible malfunction in the flight schedule or the need to reformat it; E18 EVPZD are problems with refueling, the possibility of a collision threat; E19 ENSP is lack of awareness of employees, which could lead to the wrong decision.
Stage 5. Identifying signs of work interruption detection. For possible work interruptions DSOАD , while using (8)-(9) in [13], with r = 0 (the selected set of interruptions of work did not show any sign Oi ), and for the set DTCAS , according to [14] and DAMDS , according to [15-16], with r = 1 and r = 3 respectively, while using (8)-(9) in [13], we present the set of signs of work interruption detection (Table 6) in the following way (3):
4 O {
Oi } O1, O2 ,..., O4 OVSI , OTIM , OAUS , OSCH , (3)
Wi } W1,W2 ,W3 ,W4 ,W5 ,W6 ,W7 ,W8 ,W9 where W1 WSAZS is automatic dependent surveillance systems; W2 WSOPD is flight data processing system (FDPS); W3 WASAZ are automated aviation security systems; W4 WBBRP are on-board multi-channel “black box” flight recorders; W5 WSGZ are voice communication systems; W6 WAZS are automated surveillance, communications, information processing and on-board collision avoidance systems; W7 WSZBP are flight safety systems; W8 WTCAS are TCAS system; W8 WAAIR is Amadeus AIR. (4)
Stage 7. Construction of a three-dimensional criticality matrix. For the system SSOАD we form a criticality table according to such parameters as “probability – weight – number of interruptions of system operation” and construct a threedimensional criticality matrix (Fig. 1 a). Similarly, for systems STCAS and SAMDS we form a criticality table and construct a three-dimensional matrix (Fig. 1 b and Fig. 1 c, respectively).
Stage 8. Calculation of the criticality rank of probable interruptions Step 8.1. For the SSOАD system, work interruptions D1 DVNIS , let’s define an indicator B1 j (frequency assessment) as (13) in [13], where value of z is going to be found according to table 5 in [1]. Thus let’s define an indicator B1 5. Similarly, for every possible work interruption of SSOАD , STCAS and SAMDS systems, let’s define an indicator B1 j as (13) in [13], table. 5 in [1] and add obtained figures to the report (stage 11, table 11). c) Fig. 1. Three-dimensional criticality matrix for SSOАD (a), STCAS (b) and SAMDS (c)
Step 8.2. For the SSOАD system, work interruptions D1 DVNIS , let’s define an indicator B2 j (probability assessment of Di component detection of Ci before it’s appearance) as (14) in [13], where x value is found similarly according to table 7 in [1]. Therefore, let’s define an indicator B2 4. Similarly, for every possible interruption of systems SSOАD , STCAS and SAMDS , let’s define an indicator B2 j as (14) in [13], table 7 in [1] and add obtained figures to the report (stage 11, table 11).
Step 8.3. For the SSOАD system, work interruptions D1 DVNIS , let’s define an indicator B3 j (weight assessment of Di component of Ci ) as (15) in [13], where c value is found similarly according to table 9 in [1]. Therefore, let’s define an indicator B3 7. Similarly, for every possible interruption of SSOАD , STCAS and where VK1 VKKZG is number of citizens involved (health and social consequences); VK2 VKEKON is economic effect; VK3 VK VNNS is impact on the environment; VK4 VK POLN is political implications; VK5 VK MZT is territorial reach; VK6 VKTRV is duration; VK7 VKVSKI is interdependence of sectors CI (the consequence of the destruction of one is the destruction of the others) according to [18].
It also should be noted that, criteria of weighting coefficients of work interruption consequences are placed from most important – “7” to least important – “1”.
Step 8.4.2. For example, if n 1, m1 5 using (17) in [13], let’s represent the set of coefficients VK1 as follows:
5 VK1 = VK KZG {
VK1j} VK1.1,VK1.2 ,VK1.3 ,VK1.4 ,VK1.5 j1 VK05 ,VK620 ,VKD100 ,VKD499 ,VKB500, where VK1.1 = VK05 is 0-5 deceased; VK1.2 = VK620 is 6-20 deceased; VK1.3 = VKD100 is 21-100 deceased; VK1.4 = VKD499 according to [18].
Similarly, for
is 101-499 deceased; VK1.5 = VKВ500 is ≥ 500 sets of coefficients VK2 , VK2 ,..., VK7 , if n 2, 7 and m2 = m3 m4 m5 5 accordingly, using (17) in [13] let’s represent all sets of coefficients and add them to the table 8, where VK2.1 = VKD100M is < 100 mil.; VK2.2 = VKD499M is 100-499 mil.;
VK2.3 = VKD2,9M is 500 mil. – 2,9 bil.; VK2.4 = VKD6,9M is 2,9 bil. – 6,9 bil.; VK2.5 = VKB7M is > 7 bil.; VK3.1 = VKM1G is <1 ha. or 0,0001% of water resources; VK3.2 = VKD10G is 1-10 ha, or 0,0001-0,001 % of water resources; VK3.3 = VKD100G is 10-100 ha, or 0,001-0,01 % of water resources; VK3.4 = VKD1000G is 100-1000 ha, or 0,01 - 0,1 % of water resources; VK3.5 = VKB1000G is > 1000 ha, or > 0,1 % of water resources; VK4.1 = VKMIN is minimal; VK4.2 = VKSOCN VK4.4 = VKMASZ is social discontent;
VK4.3 = VKMITG are rallies, protests; are riots; VK4.5 = VKREV are revolutions, wars; VK5.1 = VKOBYD is separate building; VK5.2 = VKSEL is village; VK5.3 = VKRGN is district, city; VK5.4 = VKOBL is region; VK5.5 = VKDER is country; VK6.1 = VKDGOD is less than an hour; VK6.2 = VKDOBA is day; VK6.3 = VK3DOB are 3 days; VK6.4 = VK5DOB are 5 days; VK6.5 = VK10DIB are 10 days; VK7.1 = VKMVID is almost no; VK7.2 = VKNVR are causes no destruction; VK7.3 = VKVR1S are causes destruction of one sector; VK7.4 = VKVR2S are causes destruction of two sectors; VK7.5 = VKVR3S are causes destruction of three and more sectors [18].
Names’ of sets of coefficients
VK05 ,VK620 ,VKD100 ,VKD499 ,VKВ500 VKD100M ,VKD499M ,VKD2,9M ,VKD6,9M ,VKB7M VKM1G ,VKD10G ,VKD100G ,VKD1000G ,VKB1000G
VKMIN ,VKSOCN ,VKMITG ,VKMASZ ,VKREV
VKOBYD ,VKSEL ,VKRGN ,VKOBL ,VKDER VKDGOD ,VKDOBA ,VK3DOB,VK5DOB,VK10DIB
VKMVID ,VKNVR ,VKVR1S ,VKVR2S ,VKVR3S
Step 8.5. Assessment of criticality rank of Ri each of work interruption types listed Di according to (12) in [13]. For example, for the SSOАD system, work interruption D1 DVNIS , let’s calculate the criticality rank R1 5 4 5 100 and add obtained figures to the report (stage 11). Similarly, for every possible work interruption of systems SSOАD , STCAS and SAMDS , let’s calculate interruptions criticality rank and add obtained figures to the report (stage 11, Table 11).
Stage 9. Selection of the list of the most significant (critical) work interruptions. For the system, work interruptions D1 DVNIS , calculated interruptions
SSOАD criticality rank R1 5 4 5 100 , according to the criticality determination rule (20) in [13], D1 DVNIS reffers to the Middle level, requires the development of corrective measures to reduce criticality rank. Obtained figures are highlighted in the report (stage 11, Table 11) with the help of various colours, if Di , according to (20) in [13], refers to the High criticality level, then Ri in Table 11 is highlighted in black, if Di refers to the Middle level – in grey, if Di refers to the Low level – in light grey.
Similarly, for every possible work interruption of SSOАD , STCAS and SAMDS systems, let’s rank calculated values of criticality level as (20) in [13] and add obtained figures to the report (stage 11, Table 11). Moreover, on this stage a Pareto bar chart (Fig. 2) is used to spot the list of most significant (critical) Di . c) Fig. 2. Calculation results of Ri for SSOАD (a), STCAS (b) and SAMDS (c) The diagram is created separately for each Sij (to rank the most significant (critical) Di , hence Di are placed on the horizontal axis, and calculated values Ri are ont the vertical axis (like (12) in [13]), if Ri R , then Di is highlighted in black on the k diagram, if R0 Ri Rk – then Di is highlighted in grey, if Ri R0 – then Di is highlighted in light grey. Patero bar charts help spot the list of most significant (critical) work interruptions. They also make it possible to compare separate systems by the calculated criticality rank and to identify the system which is the most critical among CAIS. For the SSOАD system, the most critical work interruption is D7 , rank criticality calculations, carried out by (12) in [13], revealed the following result: R7 3 6 7 126 Rk 125. For the STCAS system the most critical work interruption are values D12 – D16 , rank criticality calculations, carried out by (12) in [13], revealed the following result: R12 R13 R14 R15 126 Rk 125; R16 144 Rk 125. For the SAMDS system most critical work interruptions are D19 , D22 , D25 rank criticality calculations, carried out by (12) in [13], revealed the following result: R19 126 Rk 125 ; R22 R25 144 Rk 125 . Patero bar charts also made it possible to compare the number of critical work interruptions of studied systems and found out that STCAS system is the most critical. Fig. 3. Ishikawa cause and effect diagram for SSOАD (a), SSOАD (b) and SAMDS (c)
Stage 10. Forming a list of corrective measures. To make a a list of corrective measures for SSOАD , STCAS and SAMDS systems let’s create Ishikawa cause and effect diagrams [17, 19] (Fig. 3), that graphically reflect the characteristics that cause work interruptions Di and increase the effectiveness of corrective measures development.
Ishikawa cause and effect diagrams for selected systems has devided all identified Di by the main causes of their occurrence, namely due to errors of: users (а), software (b), hardware (c), network technologies (d). Therefore, priority areas for developing corrective measures for SSOАD and SAMDS systems are elimination of software errors causes and user errors (b and а on Fig. 3 a and Fig. 3 c), for STCAS system – elimination of hardware and software related causes (b and c on Fig. 3 b).
Whereafter for every possible work interruption of SSOАD , STCAS and SAMDS systems, if g 3, g 2, g 1 accordingly, using (21) in [13], let’s represent a set of methods to detect interruptions (that corrsespond to High and Middle according to rule (20) in [13],) as follows:
6 K = {
Ki } K1, K2 ,..., K6 KPONA , KOROB , KOKPD , KZRTO , KPOBR , KVOAA , (6) i1 where K1 KPONA is directional antenna inspection and repair; K2 KOROB is inspection and repair of system’s computer unit, K3 KOKPD are scheduled review and repair of data transmission channels; K4 KZRTO is change of maintenance and repair regulations; K5 KPOBR is scheduled review of flight recorders; K6 KVOAA are Amadeus AIR components update as scheduled. D21 D22 D23 D24 D25 Fi F1 F2 F3 F4 F5 F6 F7 F8
Di D1 D2 D3 D4 D5 D6 D7 D8 144 98 126 120 144 120 96 144 Ei
SAMDS Si / Sij / Sijk S1.4.5
Ci С1 С2 С3 С4 С5 С6 С7
KOROB KVOAA KVOAA KVOAA KVOAA KVOAA KVOAA
The list of necessary corrective measures for SSOАD , STCAS and SAMDS systems, is presented in Table 10. The effectiveness of corrective measures assessment is carried out by recalculation of Ri (stage 8). Next, we use the initial value Rbegin ( Ri before the Ki implementation) and final Rfinish ( Ri after the implementation of Ki ): if Rfinish Rk then corrective measures aimed to reduce the rank of criticality can be recommended for use to provide cybersecurity [20].
In Table 10 we can see which corrective measures can be implemented and for how much they reduce criticality rank ( Di highlighted in grey are those that became insignificant Low , while Di highlighted in light grey are those that shifted from High to Middle criticality rank as a result of corrective measures implementation).
Stage 11 – Report generation. At this stage, data obtained in the previous stages ( Si ,Sij ,Ci , Fi , Di , Ei , Oi ,Wi та Ri ) is systematized, visualization of qualitative and calculation of quantitative values of CAIS criticality is carried out. The stage involves the systematization of all information in the form of a table. An example of report creation for SSOАD , STCAS and SAMDS systems is presented in Table 11. D11 D12 D13 D14 D15 D16 D17 D18 D19 D20 D21 D22 D23 D24 D25 E10 E11 E12 E13 E14 E15 E16 E17 E18 E19 W8 W8 W8 W8 W8 W8 W8 W8 W8 W9 W9 W9 W9 W9 W9 W9
Thereby, Table 11 summarizes such information results of the proposed method as: a list of system components, their functions, types of interruptions for each component of the system; information on the causes and consequences of interruptions for each component of the system; calculations of criticality rankings, anking results are a list of the most significant (critical) interruptions of work, which are displayed in a formalized and convenient for experts form. Other output data was obtained at different stages of the method implementation: criticality matrix, which according to the collected preliminary data graphically reflects the criticality of the system components (stage 7); Pareto diagram which shows the level of criticality inside the system and makes it possible to compare several different systems (stage 9); Ishikawa's cause and effect diagram that allows to identify priority areas for developing appropriate corrective measures (stage 10).
Experimental study gives a possibility to determine the importance level of SSOАD (aeronautical information processing and transmission system), STCAS (onboard collision avoidance system, TCAS) and SAMDS (system Amadeus) systems in aviation and defined componetnts of these CAIS particularly: system SSOАD has one critical component С7 with one functional interruption D7 ; system
STCAS has three critical components С10 , С11 and С12 with five functional interruptions D12 D16 ;
system SAMDS has two critical components С13 and С16 with three functional interruptions D19 , D22 , D25 .
Three-dimensional criticality matrix and Patero bar charts shows that STCAS system is the most critical among selected CAIS (5 critical interruptions).
Ishikawa cause and effect diagrams shows that priority areas for developing corrective measures for SSOАD and SAMDS systems are elimination of software errors causes and user errors, for STCAS system – elimination of hardware and software related causes.
In this paper experimental study of proposed by authors FMECA-based method for importance level assessing of the CII objects in aviation was carried out. It was selected three CAIS from different categories (air navigation systems, aircraft onboard information systems as well as airlines and airports systems): (aeronautical information processing and transmission system), STCAS collision avoidance system, TCAS) and SAMDS (Amadeus system).
Three-dimensional criticality matrix as well as Patero bar charts shows that STCAS system is the most critical among selected CAIS (5 critical interruptions and 3 critical components). Ishikawa cause and effect diagrams shows that priority areas for developing corrective measures for SSOАD and SAMDS systems are elimination of software errors causes and user errors, but for STCAS system – elimination of hardware and software related causes.
In the future research study it is planned to develop software that, based on the proposed method, will allow to conduct an experimental research and confirm the possibility of determining the importance of different categories of CAIS as well as to assess infrastructure in different industries.
SSOАD (onboard