The progressive development of information technology in the world has caused an incredible dependence of the population on services provided by various areas of critical infrastructure. Currently, access to these services and their quality is one of the key characteristics of the country's infrastructure, and the smooth operation and protection of these services is considered a necessary and integral part of state protection of developed countries. The increase in methods and resources for protecting different infrastructures has determined the need to rank critical infrastructure. Taking this into account, the paper analyzes the regulatory framework, global approaches to the identification of critical infrastructure objects and developed a method of identifying critical information infrastructure, which will allow the identification of critical objects of a certain industry and determine the degree of their criticality, which systematizes the objects of critical infrastructure and facilitates the choice of means and ways to protect them from threats. critical infrastructure, critical information infrastructure, identification of critical infrastructure objects, method for identification of critical information infrastructure objects, critical objects To date, natural and man-made threats, the level of terrorism, the scale and complexity of cyberattacks have increased significantly. And the number of cyberattacks aimed at impressing various areas of critical infrastructure is growing steadily. The most famous cyberattack in Ukraine was Petya, which caused considerable damage to the country's financial infrastructure.
2022 Copyright for this paper by its authors.
individual facilities, the destruction or disruption of which will have serious negative consequences for
national security. As world experience shows, the process of formation of the regulatory framework in
the field of critical infrastructure protection is quite time-consuming and lengthy. The laws of different
countries on the protection of critical infrastructure are often inconsistent, and there are some problems
with the mechanisms for classifying facilities as critical infrastructure. Each state determines its critical
infrastructure, taking into account its specifics, the criticality of individual sectors and the importance
of certain services for society and security of the state. Thus, for each country the concept of "critical
infrastructure" has its own meaning and specificity [
Therefore, research in the field of detection and protection of critical infrastructure from cyber threats is relevant and necessary. That is why there is a need to develop a critical information infrastructure identification method, which will allow the identification of critical objects of a particular industry and determine the degree of their criticality, which systematizes critical infrastructure and facilitate the choice of means and ways to protect them from threats .
In Ukrainian legislation, the term critical infrastructure (CI) is understood as a set of state
infrastructure facilities that are most important for the economy and industry, the functioning of society
and public safety and the decommissioning or destruction of which may affect national security and
defense, natural environment, lead to significant financial losses and human casualties. Objects of CI
are enterprises and institutions (regardless of ownership) of such industries as energy, chemical
industry, transport, banks and finance, information technology and telecommunications (electronic
communications), food, health care, utilities, which are strategically important for the functioning of
the economy and security of the state, society and population [
To ensure the protection of the most important critical information infrastructure (CII) objects, it is
necessary, first of all, to identify these objects according to certain criteria or critical parameters. In [
The United States deserves the most attention from the world experience. An important component
of critical infrastructure is its information component - critical information infrastructure, the concept
of protection of which, first developed in the United States, was later developed and adapted in most of
the world's leading countries. As world practice shows, the process of formation of the regulatory
framework in the field of critical infrastructure protection is quite time-consuming and lengthy. Each
state determines its critical infrastructure, taking into account the criticality of individual sectors and
the importance of certain services for the state's economy and the security of its society. Despite all the
differences, there is a common feature of the critical infrastructure of different countries, namely: its
undeniable importance for the security of citizens, society and the state [
Since Ukraine is joining the European Union, it is impossible not to mention the recommended
measures to protect CI, which should be followed by Ukraine:
• develop a national CI protection program;
• ensure a level of health, technological security, socio-economic well-being that would guarantee
the "resilience" of the nation to threats;
• unify efforts aimed at protecting CIs by providing a single state body reporting on this issue to
coordinate the actions of public authorities responsible for individual industries to which CI facilities
belong;
• identify public authorities responsible for CI sectors and relevant private companies;
• create conditions for effective interaction and exchange of information, data and experience
between EU member states, government agencies and the private sector;
• to contribute to the creation of a harmonized methodology of risk analysis [
Examining scientific publications and analytical materials related to international experience in the
formation and implementation of critical infrastructure protection, we can conclude that the
organization of activities for critical infrastructure protection in different countries is implemented
differently. In some countries, the organizational model is defined and forms a certain structure, and
measures - targeted and systemic, and in others it is unsystematic, when activities are carried out
informally [
As for the Ukrainian legislation, there is currently no complete definition of the term "critical
information infrastructure", and as a result, there is no list of objects of this category. It should be noted
that in Ukraine the protection of objects, which according to world practice belong to this category, is
regulated by numerous regulations, which are mainly internal [
With regard to approaches to CII identification, given the work [
• Clausewitz's theory - the meaning of which is to find the "central point" or "central place" of the
enemy's system, where its main forces and powers are concentrated. This theory assumes that the
objects of study have several mandatory parameters - critical capabilities, critical needs, critical
vulnerabilities [
• A. Barabashi's theory - The essence of the approach is that each unstructured network under the
action of a set of known rules and laws, primarily financial and social, after some time perceives the
appropriate structure, without any external influence, organized by a circle of more valuable or
important knots. The centers of gravity in this theory are formed for each of the sectors under the
influence of the laws of economics, evolution, social development and other rules that allow
unstructured networks to become self-organizing [
• Graph theory - in the identification of CI objects, graph theory represents CI as an oriented graph.
The vertices of this graph are critical objects, and the edges of the graph symbolize the relationships
between these objects [
• Priority model - According to [
• Categorization - to identify dangerous objects, it is necessary to determine the criterion of
unacceptable damage - the lower level of damage, after which the object should be classified as
dangerous (critical) [
• CIMS system - is a simulation system that combines geospatial information and four-dimensional
(space-time) effect [
• The Athena model is a software tool designed to analyze large complex systems of strategic scale,
as well as to identify the interdependence and interrelationships of their elements. This model uses the
methods of Barlow and Warden. The Barlow method determines the horizontal correlation of elements
with weights. Warden's method determines the vertical connection of interdependence [
• Methodology of assignment critical important objects (CIO) - In the process of identification of
objects for the purpose of their assignment to the category of CIO the system of criteria of assignment
of objects of the state and non-state property to CIO is used [
As we can see, in the modern world there are enough methods of identification of CI objects, but for their further use it is necessary to evaluate them according to the following criteria: (1) clarity of mathematical calculations, (2) independent evaluation, (3) proximity to exact values, (4) universality, (5) the lack of complexity of implementation, (6) taking into account the architecture of systems and networks and (7) the speed of calculations. Comparison of CI object identification methods are shown in table 1.
After analyzing the data obtained in the table, we can draw reasoned conclusions that most of the methods considered are difficult to implement and do not take into account the architecture of systems and networks. The most successful approaches are those developed on the basis of graph theory and simulation. Also, some results of A. Barabashi's theory and categorization can be used to study CII objects. With this in mind, the aim of the work is to develop a formalized method of identification of critical information infrastructure of the state, which will assess the level of criticality of the elements of the CII.
The proposed method of identification of CII objects of the state is implemented in the following 6 stages: • Stage 1. Selection of research objects. • Stage 2. Assess the importance of the object on the main indicators. • Stage 3. Early analysis of the object attribution to the CI. • Stage 4. Assess the importance of the object on additional indicators. • Stage 5. Final analysis of the object attribution to the CI. • Stage 6. Assess the level of criticality.
The input data of the method are: objects of research and actual values of indicators of the first and second levels. Initial data of the method: a complex indicator of the importance of the object, by which a particular object belongs to the CI of the state. Next, we consider in detail each of the stages of the proposed method of identification of CII objects:
This stage consists in identifying the objects that can be attributed to the CI, and their main and additional indicators. The determination of significance coefficients is based on expert procedures of pairwise comparisons: experts make judgments as to how much one indicator exceeds another in terms , | For matrix (2.1), the eigenvector (EGV) is found В = ( 1, 2, … , ′ , ′ ), the elements of which are the values of the weights of the indicators indicated above. To quantify the consistency of the judgments of one expert on the differences in indicators, the indicator is used (2.2): = ( −1)∙ − , where
− the maximum eigenvalue of the matrix В; k − matrix order В; − random index k. The closer to 0 the value of , the more harmonious are the pairwise comparisons of the expert.
As a result of the expert survey, the relevant coefficients of significance for the main and additional indicators were determined. Significance of indicators in assessing the importance of the object are shown in table 2. Significance of indicators in assessing the importance of the object of influencing the decision to include the object in the list of CI of the state. To determine the weight of the indicators based on the results of pairwise comparisons, a positive asymmetric matrix is formed: № 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Indicators
Coefficient of significance, Kі (2)
P4 P11 P12
P4 P11
P12
Also, the actual values of the indicators of the research objects, which are available in the documentation of the research objects, are determined. Table 3 shows an example of filling in the actual values of indicators of research objects
The values of the coefficient of significance of the main indicators and the actual values of the main indicators of the research objects are transferred to the next stage.
Stage 2. Assess the importance of the object on the main indicators.
This stage is to calculate a comprehensive indicator of the importance of the object on the main indicators. The main indicators are those that can be easily obtained from the documentation available at the site (P1-P4; P11; P12). Let's move on to the step-by-step description of this stage: Step 2.1 Defining the boundaries of key indicators.
This step determines the minimum (Min) and maximum (Max) values of each of the indicators, based on the actual values on the object. That is, if there are 3 objects and 3 values, then by comparing these values is finding the smallest and largest of them. Table 4 shows an example of filling the minimum and maximum values. where Ki – coefficient of significance of the indicator; Xi – actual value of indicators; Min and Max – respectively the lowest and highest value of the indicator.
P1 P2 P3 P4 P11 P12 P1 P2 … P15 P16 34,4 0,5 44,1 4,3 40 20 Minimum value, Min 34,4 0,5 114,6
3,2 153,5 14,1 100 100 Maximum value, Max 114,6 3,2 114,6
3,2 153,5 14,1 100 100 Actual value, Xi 114,6 3,2
This stage allows to assign the object to the CI ahead of schedule, if the assessment of the importance of the object on the main indicators is more than 0.25, ie the condition is met:
> 0,25, where Yзаг – indicators of the importance of the object.
According to these calculations, for each object separately, fill in the table, for example, fill in for the object №1. Tables 5 and 6 provide an example of calculating the importance of an object №1.
Step 2.3 Determine the assessment of the importance of the object.
For each object, the amount of contributions is calculated: № (5)
Using the example of the table data, we will determine whether the objects are suitable for CII ahead of schedule. It is obvious that two of them belong to the CII ahead of schedule. The values of the coefficient of significance of additional indicators and the actual values of additional indicators of the research objects are transferred to the next stage.
Stage 4. Assess the importance of the object on additional indicators.
This stage consists in calculating a complex indicator of the importance of the object on additional indicators and is implemented in three steps.
Step 4.1 Determining the actual values of indicators.
Additional indicators include those that are determined expertly (P5-P10; P13-P16) and are equal to 0 or 1 depending on the expert assessment.
The procedure for determining additional indicators is as follows: the situation is defined as indicators (P5-P10; P13-P16;), which are divided into two groups "no" or "yes": if the emergency at the facility does not lead to the situation, the actual the value of the indicator (Xi) is equal to 0, if the emergency on the object leads to the situation, the actual value (Xi) is equal to 1.
Also, the definition of additional indicators can be represented by an expression: = { 0, 5−10,13−16 = " 1, 5−10,13−16 = " "
, " where Xi – actual value of indicators.
Table 8 shows an example of filling in the actual values of additional indicators of the object №3.
Step 4.2 Determine the contribution of each indicator of the object to the assessment of its importance. This step is identical to step 2.2 in the second stage: the value of the contributions of each indicator is calculated, but for additional indicators:
=1…16 = ∙ Хі, where Ki – coefficient of significance of the indicator; Xi – actual value of indicators Step 4.3 Determine the assessment of the importance of the object.
For each object, the sum of the contributions of all indicators, both basic and additional, is calculated, and this amount is a complex indicator of the importance of the object.
The value of the object's importance indicator is passed to the next stage.
Stage 5. Final analysis of the object attribution to the CI.
At this stage, you can finally determine the affiliation of the object to the CI and the same criteria as in the early analysis: if the assessment of the importance of the object on the main indicators is more Actual value, Xi 0 0 (6) 1 than 0.25, the object belongs to the CI. If this value is less, even after additional calculations, then the object can not be attributed to the CI, which should be protected more. Using the example of the table data, we will determine whether object №3 can be attributed to CII objects after additional calculations. Table 8 shows an example of assessing the importance of specified objects for all indicators.
Obviously, after additional calculations, the latter object cannot be classified as a CI, which should be strongly protected.
At this stage, after the final analysis, it becomes possible to determine the level of criticality of the object of study, which facilitates the choice of methods of protection of the object of CI of the state. Table 10 shows the level of criticality of objects with color gradation.
Criticality levels:
IV-level – critical objects - facilities of national importance, extensive connections and
significant impact on other infrastructure. These facilities are included in the National list of critical
infrastructure facilities, requirements are formed to ensure their protection;
III-level – vital objects, the dysfunction of which will lead to a crisis situation of regional
importance. These facilities are included in the National list of critical infrastructure facilities,
requirements are formed for the delimitation of tasks and powers of public authorities and critical
infrastructure operators, aimed at ensuring their protection and restoration of functioning.;
II-level – important objects, the priority of protection of which is to ensure rapid recovery of
functions through diversification and reserves. Operators are responsible for the stability of the
operation of facilities in accordance with the requirements established by law for interaction with
public authorities;
I-level – objects, the direct protection of which is the responsibility of the operator, which must
have a plan to respond to the crisis [
Thus, in the course of the work the analysis of normative-legal documents in the field of CI of different countries of the world, including the legislation of Ukraine was carried out, as a result of which it was established that Ukraine needs: Improving the regulatory framework in the field of CI, especially the introduction of the law on critical infrastructure and its protection; Creation of a single public authority in the field of CI regulation; Organizations of international cooperation and public-private partnership for the exchange of experience and support for the regulation of the field of CI.
Also, an analysis of some existing methods of assigning objects to the CI was conducted, as a result of which it was found that: The considered methods are difficult to implement and do not take into account the architecture of systems and networks; The sphere of CI requires the creation of a single and formalized method of classifying objects as CI of the state.
In the context of a hybrid war against Ukraine, threats to critical infrastructure have increased
significantly, as evidenced by damage to facilities and cyberattacks on energy infrastructure, which
have shown the vulnerability of critical infrastructure of the state to new types of threats. Creating an
effective system of critical infrastructure protection in Ukraine is an urgent task to be addressed in the
framework of the overall reform of the security and defense sector, taking into account the full range of
threats and ensuring the interconnectedness of different systems [
The result of the work is a developed method of identification of critical information infrastructure of the state, which by assessing the importance of objects by basic and additional indicators, and calculating the level of criticality allows identifying critical infrastructure and determine their degree of criticality. The proposed method of identification of critical information infrastructure objects can be used to study important objects for any branches of critical information infrastructure of the state and determine the degree of their criticality, which allows forming a list of critical infrastructure objects.