<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>ORCID:</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Method for Calculating the Criticality Level of Sectoral Information and Telecommunication Systems</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Sergiy Gnatyuk</string-name>
          <email>s.gnatyuk@nau.edu.ua</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Viktoriia Sydorenko</string-name>
          <email>v.sydorenko@ukr.net</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Oleksii Yudin</string-name>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Oksana Zhyharevych</string-name>
          <email>o.zhyharevych@gmai.com</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Lutsk National Technical University</institution>
          ,
          <addr-line>75 Lvivska Str., Lutsk, 43000</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>National Aviation University</institution>
          ,
          <addr-line>1, Liubomyr Huzar Ave. Kyiv, 03058</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>State Scientific and Research Institute of Cybersecurity Technologies and Information Protection Kyiv</institution>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>1979</year>
      </pub-date>
      <volume>000</volume>
      <fpage>0</fpage>
      <lpage>0003</lpage>
      <abstract>
        <p>The global growth in the number and complexity of cyber-attacks has made urgent the protection of information and telecommunication systems (ITS), in particular sectoral ITS that are critical to the functioning of society, to the socio-economic development of the state, and to the information component of national security. Considering the need for national security and the need to introduce a systemic approach to solving the problem of critical infrastructure protection at the national level, creating a security system is one of the priorities in reforming Ukraine's defense and security sector. Thus, there is a need to develop methods and models for categorizing ITS as critical information infrastructure to ensure the national security of Ukraine. The study presents a method for calculating the criticality level of the sectoral ITS. By using a structural-logical and functional model for determining the functional profile of the sectoral ITS security, together with a functional model for calculating the quantitative criterion for assessing the security of ITS, the method increases the accuracy of the decision to categorize an ITS as critical. The developed method makes it possible to classify an ITS as critical while considering information properties (such as confidentiality, integrity, availability, and observability). In addition, an experimental study of the proposed method was carried out on the example of the ITS of the National Confidential Communication System (NCCS), which was used to check the adequacy of the method's response to changes in input data. The method allows calculating the criticality ranks for functional disruption of the components, subsystems, and systems of the NCCS. The method also helps to calculate the quantitative indicator of the severity of the consequences of a functionality disruption of the NCCS, as well as the quantitative indicator of the criticality ranks of the NCCS, and a conclusion was made regarding the NCCS criticality.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Keywords</title>
      <p>Information and telecommunication systems (ITS); critical infrastructure; critical infrastructure object; criticality; criticality rank; functional security profile.</p>
    </sec>
    <sec id="sec-2">
      <title>1. Introduction</title>
      <p>
        Global trends toward an increasing number and complexity of cyber-attacks have made urgent
the protection of sectoral information and telecommunication systems (ITS), which are critical to the
functioning of society and the socio-economic development of the state and which ensure the information
component of national security. Considering the need for national security and the need to introduce a
systemic approach to solving the problem of critical infrastructure protection at the national level,
creating a security system is one of the priorities in reforming Ukraine's defense and security sector [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ].
      </p>
      <p>2022 Copyright for this paper by its authors.</p>
      <p>It should be noted that the Law of Ukraine “On the Fundamentals of Cybersecurity of Ukraine” [2]
determines the need to form a list of critical infrastructure facilities and the need to develop a procedure
for attributing facilities to that list. Resolution No. 1109 of the Cabinet of Ministers of Ukraine on
certain critical infrastructure issues approves the procedure for classifying facilities as critical
infrastructure; the list of sectors (subsectors) and essential services of the state's critical infrastructure;
and the methodology for categorizing critical infrastructure facilities [3]. The mentioned methodology
describes the mechanism of assigning critical infrastructure to a certain category of criticality, which is
determined based on the analysis of the level of possible negative impact. In addition, the Law of
Ukraine “On Critical Infrastructure” [4] has recently come into force; it describes in detail the
legal and organizational basis for protecting critical infrastructure facilities in the creation and operation
of the national critical infrastructure protection system. However, the issue of assessing the
effectiveness of critical infrastructure protection of sectoral ITS remains open. At the same time, it is
possible to evaluate the effectiveness of protection using risk assessment mechanisms. Thus, the point
of protection is an inverse function of the risk assessment indicator.</p>
    </sec>
    <sec id="sec-3">
      <title>2. Analysis of modern approaches and problem statement</title>
      <p>Methods of risk assessment are classified according to the stages of the risk assessment process in
which they are applied [5]: methods of risk identification; methods of risk analysis (consequences
analysis); methods of risk analysis (qualitative, semi-quantitative, or quantitative probability
assessment); methods of risk analysis (performance evaluation of existing management measures);
methods of risk analysis (quantitative assessment of risk level); methods of risk assessment.</p>
      <p>The ability to apply the methodology for each stage of the risk assessment process is characterized
by the following levels: the method is recommended for usage, or it can be applied (Table 1), where
“Rec” means recommended for use, “Can” means can be used, and “Not” is not possible to use.</p>
      <p>According to the data presented in Table 1, only the last four techniques are fully recommended to
be used. The factors affecting the choice of methods of risk assessment are the following: the
complexity of the problem and the methods required for its analysis; the type and level of uncertainty
of the risk assessment (based on the amount of information available, etc., which is necessary to achieve
the goal); the number of resources required in the ratio of time and skill level, data needs or costs; the
possibility of obtaining quantitative input data.</p>
      <p>The most appropriate methods in terms of the possibility of obtaining quantitative indicators and the
level of uncertainty, as well as complexity, are methods of functional analysis. Let's consider the
following methods. Failure mode and effects analysis (FMECA) [6] is a methodology used to
determine how functional failures of components or systems occur. In this case, criticality indicators
are usually qualitative or semi-quantitative. At the same time, if actual failure rate data are used, the
indicators can be expressed quantitatively.</p>
      <p>The FMECA method can be used to determine the types and results of human errors; provide a
process for scheduling testing and maintenance of systems; obtain qualitative or quantitative
information for analysis techniques, such as fault tree analysis. Disadvantages of the method: it
identifies individual types of failures, but not their combinations; studies can be time-consuming;
application to complex systems can be difficult and time-consuming.</p>
      <p>Reliability-centered maintenance (RCM) [7] is a method of determining the policies that need to
be implemented to manage failures in a way that effectively ensures the necessary safety, availability,
and operation of all types of equipment.</p>
      <p>The RCM method is based on risk assessment, as the method implements the basic steps of such an
assessment. The type of risk assessment is a failure type, consequence, and criticality analysis
(FMECA). Risk identification is aimed more at situations in which hypothetical failures can be resolved
or their frequency and consequences can be reduced by performing maintenance tasks. Risk
identification is performed by identifying functions and standards of performance as well as equipment
and component failures that may violate specified functions. Risk analysis consists of quantifying the
frequency of each failure without maintenance. Consequences are established by determining the impact of
failure. A risk matrix combines the frequency of failure and the consequences and allows the establishment
of risk levels. It is assessed by selecting the appropriate failure management policy for each type of failure.</p>
      <p>The RCM method has the same drawbacks as the FMECA.</p>
      <p>
        The method for calculating the criticality level of critical information infrastructure facilities is
based on the FMECA method and differs from it by using a three-dimensional criticality matrix, a Pareto
diagram, an Ishikawa causal diagram, and the calculation of additional criticality weighting factors; it makes it
possible to assess the criticality level of critical infrastructure facilities [
        <xref ref-type="bibr" rid="ref2 ref23">8-11</xref>
        ]. The disadvantage of this
method is the lack of consideration of such properties of information as confidentiality, integrity,
availability, and observability [12].
      </p>
      <p>
        The method of risk-based criticality analysis proposed by M. Theocharidou is based on risk
analysis. The method can be applied to the calculation of quantitative indicators of the ITS security level
of an individual institution. This method does not apply to a state because it operates with the concept
of criticality to the organization [
        <xref ref-type="bibr" rid="ref25">13-14</xref>
        ]. This method's disadvantages are inherent to determining the
criticality level of critical information infrastructure facilities.
      </p>
      <p>The analyzed methods are used to determine the criticality of risk assessment frameworks. A
comparison of methods is given in Table 2 according to the following criteria: the number of citizens
involved (health and social consequences), economic effect, political consequences, the mutual
dependence of critical infrastructure sectors (the result of the destruction of one is the destruction of
others), the impact on the environment, the scale by territory, duration.</p>
      <p>The conducted analysis of the approaches that can be used to assess the effectiveness of the ITS
protection showed that such an assessment is proposed through an evaluation of risks (the lower the
risk, the greater the effectiveness of protection). At the same time, the normative document of the
system of technical security of information of Ukraine [15] defines the result of evaluation as a rating,
representing an ordered series of alphanumeric combinations, denoting the levels of implemented
services combined with the level of guarantees. Thus, there is a contradiction between the approaches
to assessing the effectiveness of protection. In addition, the recommended methods, which analyze the
consequences, probability of occurrence and level of risk, do not identify failures by the characteristics
of information, such as confidentiality, integrity, availability, and observability.</p>
    </sec>
    <sec id="sec-4">
      <title>3. The method of calculating the criticality level of the sectoral ITS</title>
      <p>The method of calculating the criticality level of the sectoral ITS, unlike the above-mentioned
methods [8-11; 13-14], is based on the usage of such properties of information as confidentiality,
integrity, availability, observability, and considers the quantitative indicators of the criteria for referring
to critical infrastructure [3; 12; 16]. The developed method can be represented as a flowchart (Fig. 1).
It uses the results of the structural-logical model of formation of the functional profile of the sectoral
ITS security level, the structural-functional method of forming the functional security profile of the
sectoral ITS, as well as the model for calculating the quantitative criteria for assessing the security level
of the ITS. The method consists of seven steps, each described in detail below.</p>
      <sec id="sec-4-1">
        <title>1. Definition of the ITS subsystems and components</title>
        <p>
          The following steps should be done to identify the ITS subsystems and their components: 1)
decompose the infrastructure into general and the most critical infrastructure domains; 2) decompose the
critical domains into objects; 3) generate a general list of the ITS; 4) perform decomposition of the ITS
into subsystems and components. The first three steps are described in [
          <xref ref-type="bibr" rid="ref1">1</xref>
          ] and will be the input data for
the criticality calculation method. In general, all the elements described in [
          <xref ref-type="bibr" rid="ref1">1</xref>
          ] must have
cybersecurity functions (confidentiality, integrity, availability, observability, authenticity,
nonrepudiation, and trustworthiness of information). These functions may be non-basic (e.g., integrity
or availability of information in PLC (Programmable Logic Controller) or optical amplifiers) or basic
(anti-virus protection, firewall, security alarm system, means of protection against side electromagnetic
emissions and pickups, means of cryptographic protection of information, means of authentication).
        </p>
        <p>It also should be noted that the list of elements of the ITS of energy infrastructure management
includes both means and systems. Therefore, it is advisable to divide the aspects of cyber protection of
the ITS systems of energy infrastructure management, having a set of protection means, and having a
complete system of information protection [17]. According to the normative documents [18], a
complete information protection system is a set of organizational and engineering measures, software,
and hardware, providing information protection in the ITS. Complex protection means a collection of
software and hardware, ensuring the implementation of an information security policy. In addition, it
should be noted that any component of the ITS, which because of any impact can lead to a violation of
security policy, should be considered as part of a set of security features [17].</p>
        <p>Based on the above, the elements that ensure cyber security of the ITS of the energy infrastructure
management systems should include the following: aspects of the telecommunications subsystem,
automated control systems of technological processes of energy infrastructure management and information
subsystems. In addition, the security requirements will be defined separately to a set of protection tools and
a comprehensive system of information protection, depending on the object of study. Let's describe the ITS
elements in the form of multiple sets.</p>
        <p>The structure of the ITS of critical infrastructure facilities (S) should be as follows:</p>
        <p>$$S = \Big\{\bigcup_{i=1}^{n} S_i\Big\} = \{S_1, S_2, \ldots, S_n\}, \quad S_i \subseteq S, \quad (i = \overline{1, n}), \tag{1}$$</p>
        <p>where $S_i$ is a class of systems, for example, the ITS of local production control, the ITS of supervisory
control and data collection, and $n$ is the total number of classes of systems.</p>
        <p>A set of systems included in the ITS ($S_i$):</p>
        <p>$$S_i = \Big\{\bigcup_{j=1}^{m_i} S_{ij}\Big\} = \{S_{i1}, S_{i2}, \ldots, S_{i m_i}\}, \quad S_{ij} \subseteq S_i, \quad (i = \overline{1, n},\ j = \overline{1, m_i}), \tag{2}$$</p>
        <p>where $S_{ij}$ are the systems of the i-th class, $m_i$ is the number of systems of the i-th class, for example, an
automated process control system that manages the production of components, the ITS of supervisory
control and data acquisition, and $n$ is the total number of system classes.</p>
        <p>A set of subsystems for each of the ITS systems ($S_{ij}$):</p>
        <p>$$S_{ij} = \Big\{\bigcup_{k=1}^{r_{ij}} S_{ijk}\Big\} = \{S_{ij1}, S_{ij2}, \ldots, S_{ij r_{ij}}\}, \quad S_{ijk} \subseteq S_{ij}, \quad (i = \overline{1, n},\ j = \overline{1, m_i},\ k = \overline{1, r_{ij}}), \tag{3}$$</p>
        <p>where $S_{ijk}$ are the subsystems of the $S_{ij}$ systems, and $r_{ij}$ is the number of ij-th class subsystems, for example, measuring
and control devices and automation, devices which collect data from several sources and
change/transform it into other form factors of the ITS local production control system.</p>
        <p>A set of components for each subsystem of the ITS system ($S_{ijk}$):</p>
        <p>$$S_{ijk} = \Big\{\bigcup_{l=1}^{r_{ijk}} C_{ijkl}\Big\} = \{C_{ijk1}, C_{ijk2}, \ldots, C_{ijk r_{ijk}}\}, \quad C_{ijkl} \subseteq S_{ijk}, \quad (i = \overline{1, n},\ j = \overline{1, m_i},\ k = \overline{1, r_{ij}},\ l = \overline{1, r_{ijk}}), \tag{4}$$</p>
        <p>where $C_{ijkl}$ are the components of the $S_{ijk}$ subsystems, and $r_{ijk}$ is the number of members of the ijk-th class, e.g.,
dampers, cutoff valves, electric latches, pressure, temperature, level sensors, gas analyzers, pumps,
vacuum extractors.</p>
        <p>2. Identification of functions for each detected system component, formation of a list of possible
disruptions of each system component, assessment of the consequences of each of the potential violations</p>
        <p>In addition to the main functions of the system components, it is necessary to consider the
information security requirements for the categories of logical interfaces of domain objects. For this
purpose, it is proposed to use the following designations of security requirements [19-21]:
- SG.AC-12 – Blocking a session.
- SG.AC-13 – Remote session termination.
- SG.AC-14 – Allowed unauthenticated and unidentified actions.
- SG.AC-15 – Remote Access.
- SG.IA-04 – User identification and authentication.
- SG.IA-05 – Device identification and authentication.
- SG.IA-06 – Message Authentication.
- SG.SC-03 – Secure function isolation.
- SG.SC-05 – DoS protection.
- SG.SC-06 – Resource prioritization.
- SG.SC-07 – Memory protection.
- SG.SC-08 – Message Integrity (communication line).
- SG.SC-09 – Confidentiality of messages (communication line).
- SG.SC-26 – Confidentiality of information in storage.
- SG.SI-07 – Integrity of software and information.</p>
        <p>The function of each detected system component (F):</p>
        <p>$$F = \Big\{\bigcup_{i=1}^{l} F_i\Big\} = \{F_1, F_2, \ldots, F_l\}, \quad F_i \subseteq F, \quad (i = \overline{1, l}), \tag{5}$$</p>
        <p>where $F_i$ are the functions of the $C_{ijkl}$ component of the $S_{ijk}$ subsystem, and $l$ is the total number of
functions of the component, for example: receiving the signal, converting the signal, and performing a
specific action.</p>
        <p>List of possible disruptions of each component of the system (D):</p>
        <p>$$D = \Big\{\bigcup_{i=1}^{p} D_i\Big\} = \{D_1, D_2, \ldots, D_p\}, \quad D_i \subseteq C, \quad (i = \overline{1, p}), \tag{6}$$</p>
        <p>where $D_i$ is a disruption of the $C_{ijkl}$ component of the $S_{ijk}$ subsystems, and $p$ is the total number of possible
disruptions. At the same time, disruption is a violation of confidentiality, integrity, availability, or
observability, which can lead to negative consequences.</p>
        <p>Consequences of each of the possible disruptions (E):</p>
        <p>$$E = \Big\{\bigcup_{i=1}^{q} E_i\Big\} = \{E_1, E_2, \ldots, E_q\}, \quad E_i \subseteq E, \quad (i = \overline{1, q}), \tag{7}$$</p>
        <p>where $E_i$ are the consequences of disruption of the $C_{ijkl}$ component of the $S_{ijk}$ subsystems, and $q$ is the total
number of consequences. In this case, the consequences are DoS, disclosure of confidential data, and
incorrect operation of devices.</p>
        <p>3. Determination of the ranks of the criticality of possible disruptions for each consequence
and each disruption of a subsystem component</p>
        <p>In the third step, the criticality ranks of potential disruptions (R) are determined for each of its
consequences ($E_i$) and each disruption ($D_i$) of the $C_{ijkl}$ component of the $S_{ijk}$ subsystems. In the criticality
rank determination, tabular values of the indicators should be used [6].</p>
        <p>The following formula calculates the criticality ranks $R_{E_i}$ of the disruption of the $C_{ijkl}$ component:</p>
        <p>$$R_{E_i} = B_{1i} B_{2i} B_{3i}, \tag{8}$$</p>
        <p>where $B_{1i}$ is a tabular value of the indicator, which determines the intensity of the disruption occurrence,
$B_{2i}$ is a tabular value of the indicator, which determines the detecting possibility of disruption, and $B_{3i}$ is a
tabular value of the indicator, which determines the consequences of the occurrence of disruption.</p>
        <p>The criticality ranks of the $D_i$ component disruption ($R_{D_i}$) are calculated by the following formula:</p>
        <p>$$R_{D_i} = \frac{1}{q_{E_i}} \sum_{i=1}^{q_{E_i}} R_{E_i}, \tag{9}$$</p>
        <p>where $R_{E_i}$ is a criticality rank, the value of which corresponds to each of the $E_i$, $(i = \overline{1, q_{E_i}})$, and $q_{E_i}$ is the
number of consequences for each disruption.</p>
        <p>The criticality ranks of the $D_i$ disruption of the $C_{ijkl}$ component are calculated by the following
formula:</p>
        <p>$$R_{C_{ijkl}} = \frac{1}{q_{D_i}} \sum_{i=1}^{q_{D_i}} R_{D_i}, \tag{10}$$</p>
        <p>where $R_{D_i}$ is a criticality rank, the value of which corresponds to each of the $D_i$, $(i = \overline{1, q_{D_i}})$, and $q_{D_i}$ is the
number of disruptions for each component.</p>
        <p>4. Calculation of criticality ranks of possible subsystem disruptions</p>
        <p>In the fourth step, the criticality ranks of possible disruptions of the $S_{ijk}$ and $S_{ij}$ subsystems are
determined. The arithmetic weighted average rank ($R_{S_{ijk}}$) of the $S_{ijk}$ subsystem is as follows:</p>
        <p>$$R_{S_{ijk}} = \frac{\sum_{l=1}^{r_{ijk}} q_{ijkl} R_{C_{ijkl}}}{\sum_{l=1}^{r_{ijk}} q_{ijkl}}, \tag{11}$$</p>
        <p>where $R_{C_{ijkl}}$ is the criticality rank, the value of which corresponds to each of the $C_{ijkl}$, $(l = \overline{1, r_{ijk}})$, and $q_{ijkl}$ is
the number of disruptions for each subsystem component.</p>
        <p>The arithmetic weighted average rank ($R_{S_{ij}}$) of the disruption of the $S_{ij}$ system is as follows:</p>
        <p>$$R_{S_{ij}} = \frac{\sum_{j=1}^{p_{ij}} q_{ijk} R_{S_{ijk}}}{\sum_{j=1}^{p_{ij}} q_{ijk}}, \tag{12}$$</p>
        <p>where $R_{S_{ijk}}$ is the criticality rank, the value of which corresponds to each $S_{ijk}$, $(j = \overline{1, p_{ij}})$, and $q_{ijk}$ is the
number of disruptions for each system.</p>
        <p>5. Criticality rank calculation of possible disruptions of systems and all ITS</p>
        <p>In the fifth step, the criticality rank of possible disruptions of the $S_i$ systems ($R_{S_i}$) and of all ITS $S$ ($R_S$)
should be calculated as follows:</p>
        <p>$$R_{S_i} = \bar{R}_{S_i} \, VK_{AHP_i}, \tag{13}$$</p>
        <p>where $VK_{AHP_i}$ is the ratio of the given FSP to the ratio suggested by the expert in the area for the $S_i$
system (1), and $\bar{R}_{S_i}$ is the arithmetic weighted average of the violation rank for the $S_i$ system; $VK_{AHP_i}$
is the result of calculation based on the method of hierarchy analysis, using a model for calculating the
quantitative criterion for assessing the security of the ITS.</p>
        <p>$$\bar{R}_{S_i} = \frac{\sum_{k=1}^{m_i} p_{ij} R_{S_{ij}}}{\sum_{k=1}^{m_i} p_{ij}}, \tag{14}$$</p>
        <p>where $R_{S_{ij}}$ is the criticality rank the value of which corresponds to each $S_{ij}$, $(k = \overline{1, m_i})$, and $p_{ij}$ is the
number of disruptions for each $S_{ij}$ system.</p>
        <p>The criticality rank of the ITS $S$ ($R_S$) is calculated by the following formula:</p>
        <p>$$R_S = \bar{R}_S \, VK, \tag{15}$$</p>
        <p>where $VK$ is a ratio that describes the severity of the consequences of the ITS disruption, and $\bar{R}_S$ is an
arithmetic weighted average of the disruption rank for the $S$ object.</p>
        <p>The arithmetic average weighted rank of the object $S$ disruption is calculated by the following
formula:</p>
        <p>$$\bar{R}_S = \frac{\sum_{i=1}^{n} m_i R_{S_i}}{\sum_{i=1}^{n} m_i}, \tag{16}$$</p>
        <p>where $R_{S_i}$ is the criticality rank, the value of which corresponds to each $S_i$, $(i = \overline{1, n})$, and $m_i$ is the number
of disruptions for each system.</p>
        <p>The following formula describes the ratio of the severity of the consequences of the disruptions:</p>
        <p>$$VK = \frac{1}{n} \sum_{j=1}^{m_i} \sum_{i=1}^{n} \frac{VK_{ij}}{VK_{ij}^{max}}, \tag{17}$$</p>
        <p>where $VK_{ij}^{max}$ is the maximum value of the ratio of the i-th criteria, which is calculated as the product
of the priority and the highest value of the criteria and varies from 70 to 10 (table value), $n$ is the number
of criteria, and $VK_{ij}$ is the product of the value of the i-th and j-th criteria.</p>
        <p>6. Classifying the ITS as critical or non-critical</p>
        <p>In the sixth step, the ITS (S) should be classified as critical or non-critical:</p>
        <p>$$Criticality(S) = \begin{cases} \text{is critical, at } R_S \geq R_{low} \\ \text{is not critical, at } R_S &lt; R_{low} \end{cases},$$</p>
        <p>where $R_{low}$ is the limit value of the criticality rank (equal to 625.0). $R_{low}$ is the product of the average
value of $VK$ (5.0), $VK_{AHP}$ (1.0), and $\bar{R}_S$ (125.0).</p>
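        <p>The aggregation of steps 3 to 6 as a runnable sketch (an added example, not code from the paper). It assumes that every weight in formulas (11), (12), (14) and (16) is the number of disruptions beneath the element being averaged, takes VK of formula (17) as an input, and uses constructed component names and B values; Node, Component and the function names are hypothetical.</p>

```python
from dataclasses import dataclass
from statistics import fmean

R_LOW = 625.0  # limit value of the criticality rank given on the page


@dataclass
class Component:
    """C_ijkl: maps each disruption D to the (B1, B2, B3) triples of its consequences E."""
    name: str
    disruptions: dict


@dataclass
class Node:
    """One level of the decomposition: S, S_i, S_ij or S_ijk."""
    name: str
    children: list        # Nodes, or Components at the subsystem level
    vk_ahp: float = 1.0   # VK_AHP_i of formula (13); left at 1.0 on every level but S_i


def rank_component(comp):
    """Formulas (8)-(10): R_E = B1*B2*B3, R_D = mean of R_E, R_C = mean of R_D.

    Returns (R_C, q); q, the number of disruptions, is the weight used upstream.
    """
    if not comp.disruptions or not all(comp.disruptions.values()):
        raise ValueError(f"{comp.name}: each disruption needs at least one consequence")
    r_d = [fmean(b1 * b2 * b3 for b1, b2, b3 in cons)
           for cons in comp.disruptions.values()]
    return fmean(r_d), len(r_d)


def rank_node(node):
    """Formulas (11), (12), (14), (16): average of the child ranks, weighted by the
    number of disruptions under each child. Returns (average rank, disruption count)."""
    if not node.children:
        raise ValueError(f"{node.name}: nothing to aggregate")
    ranked = []
    for child in node.children:
        if isinstance(child, Component):
            ranked.append(rank_component(child))
        else:
            avg, count = rank_node(child)
            ranked.append((avg * child.vk_ahp, count))  # formula (13) on S_i nodes
    total = sum(count for _, count in ranked)
    return sum(rank * count for rank, count in ranked) / total, total


def classify(r_s, r_low=R_LOW):
    """Step 6. Treating R_S equal to R_low as critical is an assumption of this example."""
    return "critical" if r_s >= r_low else "not critical"


def criticality(its, vk):
    """Formula (15): R_S = (weighted average rank of S) * VK, then the step 6 decision."""
    avg, _ = rank_node(its)
    r_s = avg * vk
    return r_s, classify(r_s)


def build_sample():
    """Constructed two-class ITS; every name and B value here is made up."""
    c1 = Component("C_1111", {"D1": [(2, 3, 5), (4, 2, 5)], "D2": [(1, 2, 10)]})
    c2 = Component("C_1112", {"D1": [(5, 4, 5)]})
    c3 = Component("C_1121", {"D1": [(3, 3, 3)]})
    c4 = Component("C_2111", {"D1": [(10, 10, 10)], "D2": [(10, 10, 8)]})
    s11 = Node("S_11", [Node("S_111", [c1, c2]), Node("S_112", [c3])])
    s21 = Node("S_21", [Node("S_211", [c4])])
    return Node("S", [Node("S_1", [s11], vk_ahp=0.717), Node("S_2", [s21])])


if __name__ == "__main__":
    its = build_sample()
    for vk in (1.0, 5.0):
        r_s, verdict = criticality(its, vk)
        print(f"VK={vk}: R_S={r_s:.3f} -> {verdict}")
    print("R_S=190.7 reported for the NCCS ->", classify(190.7))
```

        <p>With the constructed data the same ITS is not critical at VK = 1.0 and critical at VK = 5.0, which shows how strongly the severity ratio drives the final decision.</p>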
      </sec>
      <sec id="sec-4-2">
        <title>7. The final report preparation</title>
        <p>In the seventh step, the values obtained in steps I-III should be recorded in the report:
- a list of systems, subsystems, and their components.
- a list of the functions of the components, their possible disruptions, and probable consequences.
- the value of indicators determining the intensity of the occurrence of disruptions.
- the value of indicators determining the possibility of detecting a disruption.
- the value of indicators determining the consequences of the occurrence of disruptions.
- the value of criticality ranks of the consequences of the component function disruption.
- the value of the ranks of the criticality of the consequences of the component's function disruptions.
- the value of the ranks of the criticality of the component's performance disruption.
- the value of ranks of the criticality of possible disruptions of the component subsystem.</p>
        <p>The summarized information is presented in the following form (Table 3):</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>4. Experimental verification of the method for calculating the criticality level of the sectoral ITS</title>
      <p>
        Using the structural-functional method of determining the FSP of the sectoral ITS proposed in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ], a basic FSP (FSPB) and an expert-adjusted FSP (FSPE) of the NCCS were obtained:
      </p>
      <p>- FSPB: CA-2, CE-3, CT-2, CO-1, IA-2, IE-2, IT-1, IR-2, AF-2, AQ-2, AD-2, AR-2, OS-1, OI-2,
OC-1, OD-3, OP-2, OT-2, ON-2, OE-2, OR-1.</p>
      <p>- FSPE: CA-3, CE-4, CT-3, CO-1, CC-2, IA-4, IE-2, IT-1, IR-2, AQ-2, AD-3, AR-3, OS-1, OI-2,
OC-1, OD-3, OP-3, OT-3, ON-5, OE-2, OR-1.</p>
      <p>FSPE is a criterion for assessing the security level of information in circulation in the NCCS.</p>
      <p>
        The method for calculating the quantitative criteria for assessing the security of the NCCS, using
the hierarchy analysis method, resulted in the value $VK_{AHP} = 0.717$. The result of the calculation of
$VK_{AHP}$ is shown in Fig. 2. In addition, the decomposition of the NCCS into components of sets of
systems and their subsystems was performed in (Table 1 in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]), and the components that each
subsystem consists of were also determined. A fragment of decomposition is presented in Table 4.
      </p>
      <p>For each component of the subsystem a list of functions $F_i$, possible disruptions of functioning $D_i$,
consequences $E_i$ and ranks of criticality of consequences $R_{E_i}$ is defined. A fragment of the list is shown
in Table 5. The calculation of criticality ranks $R_{D_i}$ of the $D_i$ component of the $C_{ijkl}$ subsystems,
criticality ranks of possible disruptions $R_{C_{ijkl}}$ of the $C_{ijkl}$ component, criticality ranks of possible
disruptions $R_{S_{ijk}}$ and $R_{S_{ij}}$ of the $S_{ijk}$ and $S_{ij}$ subsystems, criticality ranks of possible disruptions $R_{S_i}$
of the $S_i$ systems and the overall of the NCCS ($S$) was carried out, by applying the method for
calculating the criticality level of the sectoral ITS [22-23]. A fragment of the list is shown in Table 6
of the NCCS disruption rank, calculated from (16), is $\bar{R}_S = 51.40$.</p>
      <p>According to the results of calculation (15), the quantitative index of the criticality rank is equal
to $R_S = 190.7$ and, as a result, it is concluded that the NCCS is, at present, not a critical ITS.</p>
    </sec>
    <sec id="sec-6">
      <title>5. Conclusions</title>
      <p>In this study, the analysis of methods for calculating the criticality level of the ITS has shown that:
the assessment of the effectiveness of the ITS security is carried out through an assessment of the risks
that do not meet the requirements of the ND TPI; the methods of risk assessment, that analyze the
consequences, probability of occurrence and the level of risk, are not performing identification of
failures by the properties of information (confidentiality, integrity, availability, and observability); the
main criteria are the number of citizens involved, economic impact, political impact, mutual
dependence of critical infrastructure sectors, environmental impact, the scale by territory, the duration.
The above criteria must be considered when calculating the criticality level of the sectoral ITS [24-25].</p>
      <p>The study also presents an improved method for calculating the criticality level of the sectoral ITS,
using the results of the structural-logical model and structural-functional method of the FSP formation
of the sectoral ITS, as well as a model of calculation of the quantitative criteria for assessing the security
level of the ITS, based on the use of hierarchy analysis. The developed method allows determining the
classification of the ITS as critical, considering the properties of information.</p>
      <p>In addition, the experimental study of the proposed method was carried out by using the method for
calculating the criticality level of the sectoral ITS. The method was used to calculate the ranks of the
criticality of the disruption of components, subsystems, and systems of the NCCS, to calculate the
quantitative index of the severity of the consequences of disruption of the NCCS, and to calculate the
quantitative index of the criticality rank of the NCCS and, based on this, the conclusion about the
criticality was made.</p>
    </sec>
    <sec id="sec-7">
      <title>6. Acknowledgment</title>
      <p>This work is carried out within the framework of research grant №АР06851243 “Methods, models
and tools for security events and incidents management for detecting and preventing cyber-attacks on
critical infrastructures of digital economics” (2020-2022), funded by the Ministry of Digital
Development, Innovation and Aerospace Industry of the Republic of Kazakhstan.</p>
    </sec>
    <sec id="sec-8">
      <title>7. References</title>
      <p>
        [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] Gnatyuk S., Yudin O., Sydorenko V., Pozhentsev A., Brzhanov R. “Method of Forming the
Functional Security Profile for the Sectoral Information and Telecommunication Systems”, CEUR
Workshop Proceedings, 2022, vol. 3179, pp. 272-283.
      </p>
      <p>[2] Ukraine. Laws. “On the main principles of ensuring cyber security of Ukraine”: official text:
[adopted by the Verkhovna Rada of Ukraine on July 28, 2022].</p>
      <p>[3] Ukraine. Resolution No. 1109 (2020) of the Cabinet of Ministers of Ukraine. “Methodology for
categorizing critical infrastructure facilities”: official text: [adopted by the Cabinet of Ministers of
Ukraine on October 9, 2020].</p>
      <p>[4] Ukraine. Laws. “About critical infrastructure”: official text: [adopted by the Verkhovna Rada of
Ukraine on November 16, 2021].</p>
      <p>[5] ISO/IEC 31010:2009 – Risk management – Risk assessment techniques, The International
Organization for Standardization and The International Electrotechnical Commission, 2009.</p>
      <p>[6] IEC 60812, Methods of systems reliability analysis. Methods for analyzing the nature and
consequences of failure (FMEA).</p>
      <p>[7] IEC 60300-3-11 Reliability Management, Part 3-11: Application Manual, Maintenance to Assure
Reliability.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref8">
        <mixed-citation>[8] Gnatyuk S., Polishchuk Yu., Sydorenko V., Sotnichenko Yu. “Determining the level of importance for critical information infrastructure objects”, Proceedings of 2019 IEEE International Scientific- […] 2019, Kyiv, Ukraine, October 8-11, 2019, pp. 829-834.</mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>[9] Gnatyuk S., Yudin O., Sydorenko V., Smirnova T., Polozhentsev A., “The Model for Calculating […] Systems”, CEUR Workshop Proceedings, 2022, vol. 3156, pp. 390-399.</mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>[10] Sydorenko V., Gnatyuk S., Fesenko A., Yevchenko Y., Tolbatov A., Sotnichenko Y. […] aviation”, CEUR Workshop Proceedings, Vol. 2732, pp. 136-156, 2020.</mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>[11] Gnatyuk S., Sydorenko V., Polihenko O., Sotnichenko Y., Nechyporuk O. “Studies on the disasters criticality assessment in aviation information infrastructure”, CEUR Workshop Proceedings, 2020, Vol. 2805, pp. 282-296.</mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>[12] S. Gnatyuk, “Critical Aviation Information Systems Cybersecurity”, Meeting Security Challenges […] Information and Communication Security. IOS Press Ebooks, Vol. 47, №3, pp. 308-316, 2016.</mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>[13] G. Stergiopoulos, V. Kouktzoglou, M. Theocharidou, D. Gritzalis, “A process-based dependency […] Infrastructures, Vol. 13, №2/7, 2017.</mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>[14] Gritzalis D., Theocharidou M., Stergiopoulos G., “Critical Infrastructure Security and Resilience: […] Applications, Springer, 2019, 311 p. ISBN 978-3-030-00023-3.</mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>[15] Normative document of technical information protection 2.5-004-99, Criteria for assessing the […] Communications and Information Protection of Ukraine, 1999.</mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>[16] Research and Analysis of Problems of Information Protection at Critical Infrastructure Facilities, cipher “Infrastructure” (doctoral thesis 0114U000038d).</mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>[17] Normative document of technical information protection 1.1-002-99, General provisions on the […] Special Communications and Information Protection of Ukraine, 1999.</mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>[18] Normative document of technical information protection, Terminology in the field of information […] Communications and Information Protection of Ukraine, 1999.</mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>[19] National Institute of Standards and Technology Information Report 7628. Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, National Institute of Standards and Technology, 15 p. 2010.</mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>[20] Y.-C. Liao, “Generating Targeted Attack Scenarios against Availability for Critical Infrastructures,” 2021 14th CMI International Conference - Critical ICT Infrastructures and Platforms (CMI), 2021, pp. 1-7, DOI: 10.1109/CMI53512.2021.9663753.</mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>[21] H. Wang, “Assessing the Effects of Applying Different Simulation Models on Resilience Evaluation of Critical Infrastructure Systems,” 2021 IEEE 3rd International Conference on Frontiers Technology of Information and Computer (ICFTIC), 2021, pp. 169-173, DOI: 10.1109/ICFTIC54370.2021.9647372.</mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>[22] R. Smith, F. Filho, “Improving Critical Infrastructure Resilience in a Rural Coastal Community: A Solar Powered Microgrid,” SoutheastCon 2022, 2022, pp. 436-437.</mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>[23] E. Samanis, J. Gardiner and A. Rashid, “Adaptive Cyber Security for Critical Infrastructure,” 2022 ACM/IEEE 13th International Conference on Cyber-Physical Systems (ICCPS), 2022, pp. 304-305, DOI: 10.1109/ICCPS54341.2022.00043.</mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>[24] Š. Kavan and M. Z. Freitinger Skalická, “Security of critical information infrastructure and possible disruption as a crisis,” 2022 11th Mediterranean Conference on Embedded Computing (MECO), 2022, pp. 1-5, DOI: 10.1109/MECO55406.2022.9797175.</mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>[25] M. Divizinyuk, I. Lutsyk, V. Rak, N. Kasatkina and Y. Franko, “Mathematical Model of Identification of Radar Targets for Security of Objects of Critical Infrastructure,” 2021 11th International Conference on Advanced Computer Information Technologies (ACIT), 2021, pp. 95-100, DOI: 10.1109/ACIT52158.2021.9548374.</mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>