Studies on the Disasters Criticality Assessment in Aviation Information Infrastructure Sergiy Gnatyuk1,2,3 [0000-0003-4992-0564], Viktoriia Sydorenko1 [0000-0002-5910-0837], Oleh Polihenko1 [0000-0002-2427-4976], Yuliia Sotnichenko4 [0000-0002-1281-9238] and Olena Nechyporuk1 [0000-0001-8203-7998] 1 National Aviation University, Kyiv, Ukraine 2 State Scientific and Research Institute of Cybersecurity Technologies and Information Protection, Kyiv, Ukraine 3 Yessenov University, Aktau, Kazakhstan 4 Kyiv College of Communication, Kyiv, Ukraine s.gnatyuk@nau.edu.ua Abstract. Information and communication technologies (ICT) implementation in various industries, on the one hand, increases the efficiency of different business processes and, on the other hand, generates new threats and vulnerabilities in ICT. Critical infrastructures (CI) need principal new effective methods and means for cybersecurity ensuring. In the situation with limited resources, CI objects defining and ranking is an important task. To rank objectively, CI objects should be assessed using some criteria. Previously, authors have proposed a FMECA-based method to assess importance level (disasters criticality) for state critical information infrastructure, which allows ranking and evaluating the importance of CI objects using both quantitative and qualitative parameters. This paper presents a complex experimental study of the proposed method using the aviation industry as an example. An experimental technique was introduced and using it, the adequacy of method response to changing input data was checked. It confirmed the possibility of disaster criticality and importance level assessment of critical aviation information systems related to various categories: information systems for air navigation services; on-board information systems for aircraft; information systems for airlines and airports. Keywords: critical information infrastructure, criticality, risk, disaster, critical aviation information systems, experimental study, cybersecurity, aviation. 1 Introduction Information and communication technologies (ICT) rapid development has led to significant and sometimes revolutionary changes in all spheres of people’s lives in most states of the world. This has significantly increased the vulnerability of various networks, systems and ICT objects and has made it difficult to ensure their protection Copyright © 2020 for this paper by its authors. This volume and its papers are published under the Creative Commons License Attribution 4.0 International (CC BY 4.0). and security. All these factors have caused the world's leading states to pay significant attention to the protection of critical facilities, systems and resources, as well as to the identifying critical infrastructures (CI) [1-2], assessing their criticality level and im- pact of possible functional interruptions (failures). However, today there is no univer- sal method that could be used to assess the criticality level of CI in different industries using both quantitative and qualitative parameters. 2 Related papers analysis and problem statement Increasing concentration of means and resources for protecting CI of different types necessitated the ranking of CI objects, the selection of the most important ones and the emergence of the CI concept [3-4]. In order to protect the most important CII objects, it is necessary to first identify these objects by certain criteria [5] and then determine the criticality (assess the importance) of the identified objects [6]. Particular attention needs to be given to aviation, where, in accordance with the guidance documents [7], so-called critical aviation information systems (CAIS) need to be identified and protected against various cyberthreats. In works [8-10] the FMECA-based (Failure Mode, Effects and Criticality Analysis) approach for assessing CII objects in different industries of CI was presented and studied. In general, FMECA requires the identification of the following basic information: Item, Function, Failure, Effect of Failure, Cause of Failure, Current Control fn the Recommended Actions. In the study [1] authors have proposed a FMECA-based method of assessing the importance level of CII objects in aviation, which makes it possible to evaluate the importance level and to rank the CAIS [10]. This method uses the introduction of a basic set of systems and corresponding sets of subsystems, components, functions, violations of continuity of work (interruption of work, loss of functionality), their features and consequences, as well as the construction of a three-dimensional criticali- ty matrix. The main results of the implementation of the proposed method are presented in the form of a report, which summarizes such information as: a list of system components, their functions, types of interruptions for each component of the system; information on the causes and consequences of interruptions for each component of the system; calculations of criticality rankings, ranking results are a list of the most significant (critical) interruptions of work, which are displayed in a formalized and convenient for experts form. Other output data was obtained at different stages of the method implementation: criticality matrix, which according to the collected preliminary data graphically reflects the criticality of the system components (stage 7); Pareto diagram which shows the level of criticality inside the system and makes it possible to compare several different systems (stage 9); Ishikawa's cause and effect diagram that allows to identify priority areas for developing appropriate corrective measures (stage 10). The main purpose of this work is experimental study of method for importance level assessing of the CII objects in aviation (CAIS) based on criticality analysis of systems (subsystems) disaster risks. This method was proposed by authors before [1] and it is based on FMECA technique with proposed improvements for effective quantitative and qualitative assessment. 3 Proposed method description Let`s consider in detail step by step of implementation of the proposed method study. One CAIS from each of the categories defined in [12] were selected, these are: one air navigation system; one aircraft onboard information system; one airlines and airports system. Stage 1. Identifying system components and setting the level of detail Step 1.1-1.2 The sets of CAIS classes and systems according to [12], with =n 1,=n 2,= n 3 and= m1 5,= m2 7,= m3 4 taking into account (1) - (2) and (1) in [13] were determined in the following way: =S CАІS = {S1 , S 2 , S3 } = {S ІSАО , S BSPS , S ІSАА } {{= S1.1 , S1.2 , S1.3 , S1.4 , S1.5 } , {S 2.1 , S 2.2 , S 2.3 , S 2.4 , S 2.5 , S 2.6 , S 2.7 } , {S3.1 , S3.2 , S3.3 , S3.4 , S3.5 }} = {{SSAE , S RZZP , SSSP , SSOD , SSMZ } , {SSPS , SSZV , S NAVS , SSSPZ , S OSL , SSVI , S ABSK } , {S CRS , S GDS , S IDS , S BSP , S DCS }} . where S1 = S ІSАО is set of information systems of air navigation services; S 2 = S BSPS is set of onboard aircraft information systems; S3 = S ІSАА is set of airline and airport information systems, S1.1 = SSAE are aviation telecommunication systems; S1.2 = S RZZP are radio navigation aids; S1.3 = SSSP are surveillance systems; S1.4 = SSOD are data processing systems; S1.5 = SSMZ are meteorological support systems , S 2.1 = SSPS are air signal system; S 2.2 = SSZV are communication systems; S 2.3 = S NAVS are navigation systems; S 2.4 = SSSPZ are collision monitoring and prevention systems; S 2.5 = S OSL are computing systems of aviation; S 2.6 = SSVI are information display systems; S 2.7 = S ABSK are automatic onboard control systems; S3.1 = S CRS is computer reservation system; S3.2 = S GDS is global reservation system (reservation); S3.3 = S BSP is mutual calculations system; S3.4 = S DCS are dispatch management systems. Step 1.3. To determine subsystem sets, we arbitrarily select one set of systems from each class, for example SSOD , SSSPZ , S GDS and according to (3) in [13] we present subsystem sets with= r1.4 5,= r2.4 4,= r3.2 18, where S1.4.1 = S ASYPR are automated air traffic control systems (AATCS); S1.4.2 = SSPPP are automated airspace use planning systems; S1.4.3 = S ESAN are centralized surveillance and distribution systems for the surveillance data of the European Aviation Safety Organization Eurocontrol; S1.4.4 = SSOPD are flight data processing and transmission systems; S1.4.5 = SSOAD are aeronautical information processing and transmission systems; S 2.4.1 = STRA are transponders; S 2.4.2 = STCAS are onboard collision avoidance systems (TCAS); S 2.4.3 = SSRPZ are early warning systems for dangerous land rapprochement; S 2.4.4 = S BMR is airborne radar onboard; S3.2.1 = S AMDS is Amadeus; S3.2.2 = STGDS is Travelport GDS; S3.2.3 = SSAB is Sabre; S3.2.4 = STRES is TameliaRES; S3.2.5 = S APSS is Avantik PSS; S3.2.6 = S ABCS is Abacus; S3.2.7 = S ACA is AccelAero; S3.2.8 = S AXS is Axess; S3.2.9 = S IBE is Internet Booking Engine; S3.2.10 = S KUI is KIU; S3.2.11 = S MER is Mercator; S3.2.12 = S NAV is Navitaire; S3.2.13 = S PATH is Patheo; S3.2.14 = S RAD is Radixx; S3.2.15 = S AKF is Akeflite; S3.2.16 = STTI is Travel Technology Interactive; S3.2.17 = S WSMS is WorldTicket Sell-More-Seats; S3.2.18 = SSIR is Siren according to [12]. Step 1.4. To determine the set of components, we arbitrarily select one subsystem from each set of subsystems, for example SSOAD , STCAS , S AMDS . For system SSOAD , with b = 7 , while using (4) in [13], we present the set of components in the following way: 7 СSOAD = { Ci } {= = C1 , C2 ,..., C7 } {СODSS , СОPD , СMKS , СZVI , СKGZ , СPPR , СZBP } , i =1 where C1 = СODSS is data processing of the surveillance system; C2 = СОPD is flight data processing; C3 = СMKS is system monitoring and control; C4 = СZVI is recording and reproduction of information; C5 = СKGZ is commutation of voice communication; C6 = СPPR is decision support; C7 = СZBP is ensuring the safety of flights. Similarly for systems STCAS according to [14], and S AMDS according to [15-16], with b = 5 та b = 4 while using (4) in [13] respectively, where C8 = САNT are antennas; C9 = СBLO is calculator unit; C10 = СVRS is respondent mode S; C11 = СIND are indicators (installed in the cockpit); C12 = СPYL is control panel; C13 = САTIM is Amadeus Timetable; C14 = СAAV is Amadeus availability; C15 = СASCH are Amadeus schedules; C16 = СADA is Amadeus direct access. Step 1.5. Let us set the minimum level of detail Detmin to describe and decompose the system. The purpose of the analysis Sij / Sijk is to determine the level of criticality of possible types of components interruptions that cause loss of their functionality, to find out their causes, consequences, methods of detection and recommendations for reducing their criticality. Therefore, the description and decomposition are limited by level “system class” / “system” / “subsystem” / “component” (Si / Sij / Sijk / Ci ) and concern only the effects of possible interruptions of certain components Ci . Meaning that Detmin = Ci , however, a more detailed study of the more complex components (subsystems) of CAIS may consider the case of Detmin = Cij , where Cij are parts of components Ci ( Det min = Sij ∨ Sijk ∨ Ci / Cij ) etc. The selected systems are limited by level S ІSАО / SSOD / SSOАD / CSOАD ; S BSPS / SSSPZ / STCAS / СTCAS ; S ІSАА / S GDS / S AMDS / CAMDS і and concern only the effects of possible interruptions of certain components Ci . Stage 2. Defining the functions of each detected system component. For system SSOАD , containing a set of components CSOАD , with l = 15 , while using (5) in [13], we present the set of functions in the following way: 15 = FSOАD = { Fi } {= F1 , F2 ,..., F15 } i =1 = { FOSG , FPОІ , FVОІ , FОPD , FKPOL , FPPAT , FVYІ , FDVI , F ZDGZ , FAPR , FPZIT , FVPI , FVVKS , FPAP , FZBP } , where F1 = FOSG is signal processing; F2 = FPОІ is primary information processing; F3 = FVОІ is secondary information processing; F4 = FОPD is flight data processing; F5 = FKPOL is flight control; F6 = FPPAT is air patrol; F7 = FVYІ is display and management of information; F8 = FDVI is documentation and reproduction of information; F9 = FZDGZ is providing air traffic controllers with land and voice communications; F10 = FAPR is automation of decision making; F11 = FPZIT is collision prevention; F12 = FVPI is use of planned information; F13 = FVVKS is identifying and resolving potential conflict situations; F14 = FPAP is aviation events warning; F15 = FZBP is ensuring the safety of flights [12]. Similarly for systems STCAS according to [14] and S AMDS according to [16], sets of components СTCAS and CAMDS , with l = 14 and l = 4 , while using (5) in [13], where F16 = FPPR are receiving and transmitting radio waves; F17 = FZIL is request of other aircraft responders; F18 = FOMRL is calculating the location of aircraft; F19 = FVTL is aircraft trajectory tracking; F20 = FPPRD is transmitting warnings and recommendations on the VSI / TRA display or other indicators; F21 = FPMPP is the transmission of voice messages to the pilot through the airplane located in the cockpit of the sound notification system; F22 = FVNZ is responding to requests in Mode-A, Mode-C and Mode-S from radar systems of the air traffic control service, as well as from other aircraft equipped with TCAS; F23 = FODSS is data exchange with compatible systems; F24 = FVPZ is establish a direct connection using a unique address assigned; F25 = FPDBV is transfer of data from the barometric height sensor and from the control panel to the TCAS computer unit; F26 = FVVI is display of vertical speed indicator (VSI) information with the display of air- condition warnings and recommendations for conflict resolution (TRA); F27 = FYRT is setting TCAS mode and responding mode-S; F28 = FYKV is setting the UPR radar response codes; F29 = FPRS is system operation check; F30 = FPIZ is providing (general) flight information on all airlines during the week; F31 = FFIPP is generating flight information that has at least one available class for sale or a waiting list; F32 = FVGVR is display all scheduled flights; F33 = FMODI is the ability to access specific airline information for sale or to complete a waitlist. Stage 3. Determining the list of possible disasters for each system component. For system SSOАD set of components CSOАD , with p = 9 , while using (6) in [13], we present the set of work interruptions (disasters) in the following way: 9 DSOАD = { Di } = { D1 , D2 ,..., D9 } = { DVNIS , DNOPS , DPFOD , DPNI , DVZZ , DNSD , DVRTZ , DVPKS , DVAF } , i =1 where D1 = DVNIS is detecting a nonexistent signal; D2 = DNOPS is incorrect estimation of signal parameters; D3 = DPFOD is data processing and distribution breaches; D4 = DPNI is suspension of receipt of information on flights of aircraft; D5 = DVZZ is loss or destruction of a recording device; D6 = DNSD is unauthorized access to the recording device; D7 = DVRTZ is loss of radio or telephone communication with crews, related dispatch points and other traffic participants; D8 = DVPKS is the occurrence of potential conflict situations of the PCC; D9 = DVAF is detection of an emergency factor [14]. Similarly for systems STCAS according to [14] and S AMDS according to [15-16], set of components СTCAS and СAMDS , with p = 9 and p = 17 respectively, while using (6) in [13], were D10 = DVNA is directional antenna failure; D11 = DVOBS is failure of the system computing unit; D12 = DTCF is “TCAS FAIL”, if there is a failure of the equipment that is the minimum required for the operation of the TCAS system; D13 = DXPF is “XPNDR FAIL” failure of the respondant mode-S, occurs in the event of termination of the receipt of reliable data on the altitude from the barometric altimeter on the respondant mode-S; D14 = DTCO is “TCAS OFF” (TCAS system is disabled, or problems occur inside the system; D15 = DVSF is “VSI FAIL” (failure of the vertical speed indicator), when the vertical speed arrow is not displayed on the VSI display; D16 = DTDF is “TD FAIL” (failure of air condition indicator) appears when the system TCAS-2000 is unable to display air warnings; D17 = DRAF is “RA FAIL” (refusal to issue RA messages) appears when TCAS system is unable to display recommendations for resolving a conflict situation; D18 = DNPY is malfunction or failure of the control panel; D19 = DZSD is failure to update dates (periods); D20 = DNIPA is incompleteness of information about airlines; D21 = DNZI is providing outdated information; D22 = DNNI is unreliability of the information provided; D23 = DNIMP is failure to provide landing information (only schedule is displayed, regardless of availability); D24 = DVMPK is the inability to buy a ticket unless the airline has an agreement to sell with Amadeus; D25 = DNZD is inability to find airline information to alert you to potential threats or to obtain necessary information. Stage 4. Determining the consequences of each possible disasters. For each possible work interruption (disaster) of the set DSOАD with q = 10 , while using (7) in [13], we present the set of interruption consequences in the following way: 10 ESOАD = { Еi } = {E1 , E2 ,..., E10 } = {ENPR , EPRSY , EVVPS , EVRLP , ENODD , EVRTZ , EPRVZ , EVNM , EZPS , EPRS } , i =1 where E1 = ENPR is wrong decision-making, due to incorrect analysis of the air situation; E2 = EPRSY is malfunction of control systems, power supply, communication, piloting, lack of fuel, interruptions in the life support of the crew and passengers, failure of engines, destruction of individual aircraft structures; E3 = EVVPS is lack of ability to track aircraft; E4 = EVRLP is loss of opportunity to investigate a flight incident FI; E5 = ENODD is inability to evaluate the actions of the operator; E6 = EVRTZ is no radio or telephone connection; E7 = EPRVZ is violation of recommendations on solving the collision threat; E8 = EVNM is choosing the wrong maneuver; E9 = EZPS are aircraft collisions; E10 = EPRS is malfunction of control systems, power supply, communication, piloting, lack of fuel, interruptions in the life support of the crew and passengers, failure of engines, destruction of individual aircraft structures [14]. Similarly, for each possible work interruption of sets DTCAS according to [14] and DAMDS according to [16], with q = 3 and q = 6 respectively, while using (7) in [13], where E11 = ENVVP is TCAS 2000 system may be temporarily unable to determine the relative bearing of the conflicting aircraft due to the large roll angle, which causes the directional antenna to shade; E12 = ENVP is inability to display recommendations for conflict resolution; E13 = ENVPY is inability to use the control panel accordingly; E14 = ENRS is system inability to work in real time; E15 = EVIA is lack of information on airlines; E16 = ENOOI is inability to get online flight booking information; E17 = EMZGP is a possible malfunction in the flight schedule or the need to reformat it; E18 = EVPZD are problems with refueling, the possibility of a collision threat; E19 = ENSP is lack of awareness of employees, which could lead to the wrong decision. Stage 5. Identifying signs of work interruption detection. For possible work interruptions DSOАD , while using (8)-(9) in [13], with r = 0 (the selected set of interruptions of work did not show any sign Oi ), and for the set DTCAS , according to [14] and DAMDS , according to [15-16], with r = 1 and r = 3 respectively, while using (8)-(9) in [13], we present the set of signs of work interruption detection in the following way (3): 4 =  Oi } {O1 , O2 ,..., O {= i =1 = O4 } {OVSI , OTIM , OAUS , OSCH } , (3) where O1 = OVSI is VSI/TRA display; O2 = OTIM is Timetable (general schedule screen); O3 = OAUS is Amadeus Access Update/Amadeus Access Sell; O4 = OSCH is Schedule (schedule screen). Taking into account (9) in [13], E= (OVSI , Di ) E= (OTIM , Di ) E=(OAUS , Di ) E=(OSCH , Di ) 1. Stage 6. Identifying ways of detecting work interruptions. For each possible work interruption of the set DSOАD according to [13], DTCAS according to [14] and DAMDS according to [15], while using (10) in [13], with s = 7 , s = 1 , s = 1 respectively, we present the set of ways of detecting work interruptions in the following way: 9 =WSOАD = {Wi } {= W1 , W2 , W3 , W4 , W5 , W6 , W7 , W8 , W9 } i =1 (4) = {WSAZS , WSOPD , WASAZ , WBBRP , WSGZ , WAZS , WSZBP , WTCAS , WAAIR } where W1 = WSAZS is automatic dependent surveillance systems; W2 = WSOPD is flight data processing system (FDPS); W3 = WASAZ are automated aviation security systems; W4 = WBBRP are on-board multi-channel “black box” flight recorders; W5 = WSGZ are voice communication systems; W6 = WAZS are automated surveillance, communica- tions, information processing and on-board collision avoidance systems; W7 = WSZBP are flight safety systems; W8 = WTCAS are TCAS system; W8 = WAAIR is Amadeus AIR. Stage 7. Construction of a three-dimensional criticality matrix. For the system SSOАD we form a criticality table according to such parameters as “probability – weight – number of interruptions of system operation” and construct a three-dimensional criticality matrix (Fig. 1 a). Similarly, for systems STCAS and S AMDS we form a criticality table and construct a three-dimensional matrix (Fig. 1 b and Fig. 1 c, respectively). a) b) c) SSOАD STCAS SAMDS Fig. 1. Three-dimensional criticality matrix for (a), (b) and (c) Stage 8. Calculation of the criticality rank of probable disasters Step 8.1-8.3. For the SSOАD system, work interruptions D1 = DVNIS , let’s define an indi- cator B1 j , B2 j , B3 j as (13)-(15) in [13], where value of z , x , c is going to be found ac- cording to tab. 5,7,9 in [1]. Similarly, for every possible work interruption of SSOАD , STCAS and S AMDS systems, let’s define an indicator B1 j , B2 j , B3 j as (13)-(15) in [13], tab.. 5,7,9 in [1] and add obtained figures to the report (stage 11, Table 1). Stage 8.4. Calculation of values for the weighting coefficients of work interruption consequences. Mentioned coefficients are introduced according to [18]. Step 8.4.1. For example, for the weighting coefficients of work interruption conse- quences according to [18], having n = 7 considering (16) in [13], let’s define a com- plete set of criteria of weighting coefficients as follows (5): 7 VK = { VK i } = {VK1 , VK 2 ,..., VK 7 } = {VK KZG , VK EKON , VK VNNS , VK POLN , VK MZT , VK TRV , VK VSKI } , (5) i=1 where VK1 = VK KZG is number of citizens involved (health and social consequences); VK 2 = VK EKON is economic effect; VK 3 = VK VNNS is impact on the environment; VK 4 = VK POLN is political implications; VK 5 = VK MZT is territorial reach; VK 6 = VK TRV is duration; VK 7 = VK VSKI is interdependence of sectors CI (the consequence of the destruction of one is the destruction of the others) according to [18]. It also should be noted that, criteria of weighting coefficients of work interruption consequences are placed from most important – “7” to least important – “1”. Step 8.4.2. For example, if n = 1, m1 = 5 using (17) in [13], let’s represent the set of coefficients VK1 as follows: 5 VK1 = VK KZG = {VK1j} = {VK1.1 ,VK1.2 ,VK1.3 ,VK1.4 ,VK1.5 } = {VK 0 − 5 ,VK 6 − 20 ,VK D100 ,VK D499 ,VK B500 } , j =1 where VK1.1 = VK 0 − 5 is 0-5 deceased; VK1.2 = VK 6 − 20 is 6-20 deceased; VK1.3 = VK D100 is 21-100 deceased; VK1.4 = VK D499 is 101-499 deceased; VK1.5 = VK В500 is ≥ 500 ac- cording to [18]. Similarly, for sets of coefficients VK 2 , VK 2 ,..., VK 7 , if n = 2, 7 and m2 = m=3 m= 4 m= 5 5 accordingly, using (17) in [13] let’s represent all sets of coef- ficients, where VK 2.1 = VK D100M is < 100 mil.; VK 2.2 = VK D499M is 100-499 mil.; VK 2.3 = VK D2,9M is 500 mil. – 2,9 bil.; VK 2.4 = VK D6,9M is 2,9 bil. – 6,9 bil.; VK 2.5 = VK B7M is > 7 bil.; VK 3.1 = VK M1G is <1 ha. or 0,0001% of water resources; VK 3.2 = VK D10G is 1-10 ha, or 0,0001-0,001 % of water resources; VK 3.3 = VK D100G is 10-100 ha, or 0,001-0,01 % of water resources; VK 3.4 = VK D1000G is 100-1000 ha, or 0,01 - 0,1 % of water resources; VK 3.5 = VK B1000G is > 1000 ha, or > 0,1 % of water resources; VK 4.1 = VK MIN is minimal; VK 4.2 = VKSOCN is social discontent; VK 4.3 = VK MITG are rallies, protests; VK 4.4 = VK MASZ are riots; VK 4.5 = VK REV are revolutions, wars; VK 5.1 = VK OBYD is separate building; VK 5.2 = VKSEL is village; VK 5.3 = VK RGN is district, city; VK 5.4 = VK OBL is region; VK 5.5 = VK DER is country; VK 6.1 = VK DGOD is less than an hour; VK 6.2 = VK DOBA is day; VK 6.3 = VK 3DOB are 3 days; VK 6.4 = VK 5DOB are 5 days; VK 6.5 = VK10DIB are 10 days; VK 7.1 = VK MVID is almost no; VK 7.2 = VK NVR are causes no destruction; VK 7.3 = VK VR1S are causes de- struction of one sector; VK 7.4 = VK VR 2S are causes destruction of two sectors; VK 7.5 = VK VR 3S are causes destruction of three and more sectors [18]. Step 8.4.3. For the SSOАD system, work interruptions D1 = DVNIS , indicator B3 = 7, and value of weighting coefficient as (19) in [13], is calculated as follows: 1  28 18 5 16 15 4 5  24 VKVNIS =  + + + + + + = ≈ 0,7, 7  35 30 25 20 15 10 5  35 hence, according to (18) in [13] B3′ = 0,7 ⋅ 7= 4,9 ≈ 5. Similarly, for every possible work interruption of SSOАD , STCAS and S AMDS sys- tems, let’s calculate values B3′ taking into account weighting coefficients VK i , and add obtained figures to the Table 1 and report (stage 11, Table 1). Step 8.5. Assessment of criticality rank of Ri each of work interruption types listed Di according to (12) in [13]. For example, for the SSOАD system, work interruption D1 = DVNIS , let’s calculate the criticality rank R1 = 5 ⋅ 4 ⋅ 5 = 100 and add obtained figures to the report (stage 11). Similarly, for every possible work interruption of systems SSOАD , STCAS and S AMDS , let’s calculate interruptions criticality rank and add obtained figures to the report (stage 11, Table 1). Stage 9. Selection of the list of the most significant (critical) disasters. For the SSOАD system, work interruptions D1 = DVNIS , calculated interruptions criticality rank R1 = 5 ⋅ 4 ⋅ 5 = 100 , according to the criticality determination rule (20) in [13], D1 = DVNIS reffers to the Middle level, requires the development of corrective measures to reduce criticality rank. Obtained figures are highlighted in the report (stage 11, Table 1) with the help of various colours, if Di , according to (20) in [13], refers to the High criticality level, then Ri in Table 1 is highlighted in black, if Di refers to the Middle level – in grey, if Di refers to the Low level – in light grey. Similarly, for eve- ry possible work interruption of SSOАD , STCAS and S AMDS systems, let’s rank calculated values of criticality level as (20) in [13] and add obtained figures to the report (stage 11, Table 1). Moreover, on this stage a Pareto bar chart (Fig. 2) is used to spot the list of most significant (critical) Di . a) b) c) Ri SSOАD STCAS SAMDS Fig. 2. Calculation results of for (a), (b) and (c) The diagram is created separately for each Sij (to rank the most significant (critical) Di , hence Di are placed on the horizontal axis, and calculated values Ri are ont the vertical axis (like (12) in [13]), if Ri > Rk , then Di is highlighted in black on the diagram, if R0 < Ri ≤ Rk – then Di is highlighted in grey, if Ri ≤ R0 – then Di is highlighted in light grey. Patero bar charts help spot the list of most significant (critical) work interrup- tions. They also make it possible to compare separate systems by the calculated criticality rank and to identify the system which is the most critical among CAIS. For the SSOАD system, the most critical work interruption is D7 , rank criticality calculations, carried out by (12) in [13], revealed the following result: R7 = 3 ⋅ 6 ⋅ 7 = 126 > Rk = 125 . For the STCAS system the most critical work interruption are values D12 – D16 , rank criticality calculations, carried out by (12) in [13], revealed the following result: R= 12 R= 13 R= 14 R15 = 126 > Rk = 125; R16 = 144 > Rk = 125. For the SAMDS system most critical work interruptions are D19 , D22 , D25 rank criticality calculations, carried out by (12) in [13], revealed the following result: R19 = 126 > Rk = 125 ; R22 = R25 = 144 > Rk = 125 . Patero bar charts also made it possible to compare the number of critical work interrup- tions of studied systems and found out that STCAS system is the most critical. Stage 10. Forming a list of corrective measures. To make a a list of corrective measures for SSOАD , STCAS and SAMDS systems let’s create Ishikawa cause and effect diagrams [17, 19] (Fig. 3), that graphically reflect the characteristics that cause work interruptions Di and increase the effectiveness of corrective measures development. a) b) c) Fig. 3. Ishikawa cause and effect diagram for SSOАD (a), SSOАD (b) and SAMDS (c) Ishikawa cause and effect diagrams for selected systems has devided all identified Di by the main causes of their occurrence, namely due to errors of: users (а), software (b), hardware (c), network technologies (d). Therefore, priority areas for developing corrective measures for SSOАD and SAMDS systems are elimination of software errors causes and user errors (b and а on Fig. 3 a and Fig. 3 c), for STCAS system – elimination of hardware and software related causes (b and c on Fig. 3 b). Whereafter for every possible work interruption of SSOАD , STCAS and SAMDS systems, if = g 3,= g 2,= g 1 accordingly, using (21) in [13], let’s represent a set of methods to detect interruptions (that corrsespond to High and Middle according to rule (20) in [13],) as follows: 6 K = { K i } = { K1 , K 2 ,..., K 6 } = { K PONA , K OROB , K OKPD , K ZRTO , K POBR , K VOAA } , (6) i =1 where K1 = K PONA is directional antenna inspection and repair; K 2 = K OROB is inspection and repair of system’s computer unit, K 3 = K OKPD are scheduled review and repair of data transmission channels; K 4 = K ZRTO is change of maintenance and repair regulations; K 5 = K POBR is scheduled review of flight recorders; K 6 = K VOAA are Amadeus AIR components update as scheduled. The list of necessary corrective measures for SSOАD , STCAS and SAMDS systems, is presented in [1]. The effectiveness of corrective measures assessment is carried out by recalculation of Ri (stage 8). Next, we use the initial value Rbegin ( Ri before the K i implementation) and final R finish ( Ri after the implementation of K i ): if R finish < Rk then corrective measures aimed to reduce the rank of criticality can be recommended for use to provide cybersecurity [20]. Also, we can see which corrective measures can be implemented and for how much they reduce criticality rank. Stage 11 – Report generation. At this stage, data obtained in the previous stages is systematized, visualization of qualitative and calculation of quantitative values of CAIS criticality is carried out. An example of report creation for SSOАD , STCAS and SAMDS systems is presented in Table 1. Novelty of the paper defines by proposed improvements of the FMECA technique (set- theoretical approach, criticality matrix, Pareto diagram, Ishikawa's cause and effect diagram etc.). The practical values of this study define by verification of the ability of different CAIS assessment and potential efficiency to assess criticality of infrastructures in different industries. Table 1. Report for all levels of analysis Si / Sij R Ci Fi Di Ei Oi Wi / Sijk B1 B2 B3 Ri S1.4.5 С1 F1 D1 E1 0 W1 5 4 5 100 С2 F2 D2 E2 0 W1 3 5 6 90 С3 F3 D3 E3 0 W2 3 4 6 72 С4 F4 D4 E4 0 W3 3 6 6 108 С5 F5 D5 E5 0 W4 2 8 5 80 С6 F6 D6 E6 0 W4 3 6 6 108 С7 F7 D7 E7 0 W5 3 6 7 126 F8 D8 E8 0 W6 3 4 6 72 F9 D9 E9 0 W7 2 5 5 50 … E10 F15 S2.4.2 С8 F16 D10 E11 О1 = 1 W8 3 4 6 72 С9 F17 D11 E12 О1 = 1 W8 3 6 6 108 С10 F18 D12 E13 О1 = 1 W8 3 7 6 126 С11 F19 D13 О1 = 1 W8 3 7 7 126 С12 F20 D14 О1 = 1 W8 3 6 7 126 F21 D15 О1 = 1 W8 3 7 6 126 F22 D16 О1 = 1 W8 4 6 6 144 F23 D17 О1 = 1 W8 2 7 7 98 F24 D18 0 W8 2 4 6 48 … F29 S3.2.1 С13 F30 D19 E14 О2 = 1 W9 3 7 6 126 С14 F31 D20 E15 О2 = 1 W9 3 5 3 45 С15 F32 D21 E16 О2 = 1 W9 5 6 4 120 С16 F33 D22 E17 О3 = 1 W9 4 6 6 144 D23 E18 О4 = 1 W9 5 6 4 120 D24 E19 0 W9 4 6 4 96 D25 О3 = 1 W9 6 6 4 144 4 Conclusions In this paper experimental study of proposed by authors FMECA-based method for importance level assessing of the CII objects in aviation based on criticality analysis of systems (subsystems) disaster risks was carried out. It was selected three CAIS from different categories (air navigation systems, aircraft on-board information systems as well as airlines and airports systems): SSOАD (aeronautical information processing and transmission system), STCAS (onboard collision avoidance system, TCAS) and S AMDS (Amadeus system). Three-dimensional criticality matrix as well as Pareto bar charts shows that STCAS system is the most critical among selected CAIS (5 critical disasters and 3 critical components). Ishikawa cause and effect diagrams shows that priority areas for developing corrective measures for SSOАD and S AMDS systems are elimination of software errors causes and user errors, but for STCAS system – elimination of hardware and software related causes. In the future research study it is planned to develop software that, based on the pro- posed method, will allow to conduct an experimental research and confirm the possibility of determining the importance of different categories of CAIS as well as to assess infrastructure risks in different industries (power energy, communications etc). References 1. S. Gnatyuk, V. Sydorenko, Yu. Polishchuk and Yu. Sotnichenko, “Determining the Level of Importance for Critical Information Infrastructure Objects”, Proceedings of 2019 Intern. Scientific-Practical Conf. on the Problems of Infocommunications. Science and Technology (PIC S&T 2019), Kyiv, Ukraine, October 08-11, 2019, рр. 829-834, 2019. 2. Oleksiy Yudin, “World experience to determine sectors of critical infrastructure”, Proceedings of 2nd Scientific-Practical Conf. “Prospective directions of information security”, Odesa, ONAT, p. 82, 2016 (in Ukrainian). 3. Oleksiy Yudin, “Analysis of approaches for criteria determinig of objects including to critical infrastructure based on EU example”, Proceedings of 3rd Intern. Scientific- Practical Conf. “Actual Issues of Cybersecurity Ensuring and Information Protection”, Kyiv. European University, p. 187, 2017 (in Ukrainian). 4. S. Gnatyuk, Zh. Hu, V. Sydorenko, M. Aleksander, Yu. Polishchuk and Kh. Yubuzova. “Critical Aviation Information Systems: Identification and Protection”, Cases on Modern Computer Systems in Aviation, USA: IGI Global, pp. 423-448, 2019. 5. Ted G. Lewis, Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, Wiley; 3 edition, 449 p., 2019. 6. Gnatyuk S., Aleksander M. and Sydorenko V. “Unified data model for defining state critical information infrastructure in civil aviation”, Proceedings of the 9th IEEE International Conference on Dependable Systems, Services and Technologies (DESSERT- 2018), 24-27 May, 2018, Kyiv, рр. 37-42, 2018. 7. Doc 8973 ІСАО “Aviation Security Manual” (Restricted), Edition 11, 818 p., 2019. 8. Komari I.E., Kharchenko V., Babeshko E., Gorbenko A., Siora A. Extended dependability analysis of information and control systems by FME(C)A-technique: Models, procedures, application (2009), Proceedings of 2009 4th International Conference on Dependability of Computer Systems, DepCos-RELCOMEX 2009, art. no. 5261027, pp. 25-32. 9. Babeshko E., Kharchenko V., Gorbenko A. “Applying F(I)MEA-technique for SCADA- based industrial control systems dependability assessment and ensuring”, Proceedings of International Conference on Dependability of Computer Systems, DepCoS - RELCOMEX 2008, art. no. 4573071, pp. 309-315, 2008. 10. Gorbenko A., Kharchenko V., Tarasyuk O., Furmanov A. “F(I)MEA-technique of web services analysis and dependability ensuring”, Rigorous Development of Complex Fault- Tolerant Systems. LNCS, 4157, Springer, Heidelberg, pp. 153-167, 2006. 11. Gnatyuk S., Multilevel Unified Data Model for Critical Aviation Information Systems Cybersecurity, Proceedings of 2019 IEEE 5th International Conference Actual Problems of Unmanned Aerial Vehicles Developments (APUAVD 2019), p. 242-247. 12. Gnatyuk S., “Critical Aviation Information Systems Cybersecurity”, Meeting Security Challenges Through Data Analytics and Decision Support, NATO SPS Series, D: Informa- tion and Communication Security. − IOS Press Ebooks, Vol.47, №3, рр. 308-316, 2016. 13. F. Yanovskiy, Radiolocation systems of aircrafts: study guide, Kyiv, NAU, 688 p., 2012 (in Ukrainian) 14. System for displaying air situation and airplanes collisions preentions TCAS, ACAS II, Manual for pilots, 90 p. 15. Booking the air transportation in AMADEUS system. URL: http://www.amadeus.com/cis/documents/aco/cis/Amadeus_Basic_Course_2011(A5).pdf 16. Austrian Serbian Tourism Programmes Lesson 7 Amadeus AIR. URL: https://www.slideshare.net/AngelinaNjegus/lesson-7-amadeus-air 17. Kharchenko V., Andrashov A., Sklyar V., Kovalenko A., Siora O. Gap-and-IMECA-based assessment of I&C systems cyber security, Advances in Intelligent and Soft Computing, vol. 170, pp.149-164, 2012. 18. Report on Research Project “Infrastructure”, State Scientific and Research Institute of Cybersecurity Technologies and Information Protection, №0114U000038d (Restricted). 19. Т. Yeliseeva, “Analysis of the security for electric isolation valve by AVPKO method”, Izvestia TulGU, Technical Sciences, issue 5, pp. 182-186, 2013 (in Russian). 20. Gnatyuk S., Sydorenko V., Polozhentsev A., Fesenko A., Akatayev N., Zhilkishbayeva G., Method of cybersecurity level determining for the critical information infrastructure of the state, CEUR Workshop Proceedings, vol. 2616, pp. 332-341, 2020.