The development of global information systems creates a wide range of opportunities both for the development of various branches of human activity and for the complication and improvement of conducting cyber conflict methods (disabling critical objects) [ 1, 2 ]. In such an information space, the number of malicious programs and attacks on computer networks is rapidly growing. Antiviruses and firewalls handle the vast majority of them, but some attacks can bypass such protection, causing harm to the user or company. Most often, the existing protection is triggered with a delay, when the system has already been attacked and there has been a loss of data or control over certain network components [3, 4].

Critical information infrastructure protection is a key part of information security defense. The main goal of protecting critical infrastructure facilities is to reduce the risk of losing critical data and increase information confidentiality [5]. Also, an appropriate level of critical infrastructure protection allows for identifying the weakest nodes for malicious interference in an information system or telecommunications network for additional monitoring and research. Cross Technologies, depending on their application, make it possible to organize multifactor systems and data protection using mutual observation and search for anomalies in the actions of the network or user [6].

Key elements for critical information infrastructure protection include: 1. Collecting information about the customer’s business processes. 2. Categorization of service objects of information systems, highlighting important processes. 3. Modeling of situations that threaten information systems, networks, and control systems. Determination of attack directions on important information system objects. 4. Elaboration and coordination of general requirements for the level of information protection. 5. Development of a technical design and a set of working documentation. 6. Updating the existing protection or performing debugging work when setting up a new line of defense for information systems. 7. Testing methods development.

The most advanced security structures are mostly run by commercial rather than government-owned companies. In this case, to improve security, even government agencies need to interact as much as possible (transfer the protection of critical facilities) or adopt the best practices of private firms. Private companies have a comparatively better performance over the state ones since free competition forces them to monitor the quality of their products all the time. 1.2.

In some countries, protocols for the exchange of information and data have been introduced to distribute the work of maintaining security among the relevant structures. This distribution allows us to timely inform the necessary departments about the arrival of important updates or the presence of the threat. Coordination of actions is also improved, which contributes to the efficient use of resources.

This model is implemented in Germany, where mechanisms for the distribution of important data function at the state level, which are the basis for building systems for protecting important infrastructure facilities. Based on this technology, the interaction between the police and special services has been built through the appropriate information centers, which allow unifying and transmitting the necessary information to the necessary agencies [7]. This exchange is built only between government departments, but interaction with private companies has also been set up to establish an exchange of experience in combating intrusions (allowing sharing only noncritical data on the operation of government networks). Information exchange takes place through UP KRITIS and Alliance for Cyber Security [ 8 ]. The first company is responsible for security in the area of Critical Information Infrastructure Protection between private and public structures, focusing on the work of critical sectors. Alliance for Cyber Security is responsible for the area of computer security. For the interconnection of companies, meetings are held on current intrusions into computer networks [ 9– 14 ].

The paper aims to review and comparison of critical object protection methods to identify vulnerable nodes in the used systems.

Risk assessment helps to identify possible intrusions, their consequences, and their probability [15]. Risk analysis is an important part of crisis management. Depending on the scope of the company’s activities, risk assessment can be carried out both on its own and with the involvement of private companies that specialize in working with critical infrastructures.

A typical example of a government risk assessment is Sweden, where an algorithm is used that identified 27 serious intrusions and developed 11 scenarios to counter the emerging risks.

Denmark does not adhere to a national risk assessment plan, allowing its departments to independently manage security, and a Cyber Threat Assessment Unit has been created for the interconnection of departments, through which communication and discussion of anti-intrusion plans and risk assessment for different industries take place.

Switzerland is an example of decentralized risk management. Switzerland takes an approach that places great emphasis on individual responsibility. Sub-sectors independently manage intrusion and attack detection. Sub-industries are believed to have the best knowledge of how their systems work. 2.2.

Dealing with information security crises is about assigning responsibilities to each node in the network. Coordination and decision-making algorithms allow generalizing the experience gained by one node to the entire hierarchy. Crisis management must be coordinated with all elements of the crisis management network [16].

The Netherlands, where the National Manual on Decision-making in Crisis Situations is applied, is an example of well-structured management of this type. With this approach, in the event of an intrusion, the control of the situation is transferred to the National Coordinator for Security and Counterterrorism, so qualified professionals are involved in solving the problem, who can quickly suppress unwanted activity. This structure allows accumulating the maximum possible information about intrusions in one department, which makes it possible to correctly respond to any incidents that arise.

For successful counteraction to crises, it is recommended to work together with outsourcing companies, then during an invasion, a specially created department (Bureau of Rapid Response) is engaged in its solution. This Bureau is formed as a public-private partnership that advises on intrusion handling. Thus, security is organized taking into account all the features of the operation of this system. software and controller systems before any substations can be controlled.

Substation applications include visualization and simulation of distributed power systems, modal power balancing and production analysis, post-event analysis that can trigger a trip-close relay function, timing checks for substations, and flow analysis. One of the most widespread and frequently used tools is threshold meters for normal and abnormal user activity and system performance [11, 12, 18].

Features of intrusions of critical facilities: • Difficulties in ensuring the protection of interconnected critical infrastructure facilities. • Difficulties in ensuring the protection of network nodes that are not accountable to one command center. • According to some characteristics, private information security companies can outperform and respond faster to threats than government ones. • Due to the rapid development of security systems, the number and complexity of new types of attacks is growing. • The complexity of assessing the possible harm to the entire system, when the network nodes are out of order. • The imperfection of legal regulation of information warfare, may not always qualify an attack on critical objects as an attacker.

At this stage, the user has little protection provided by the majority of antivirus companies, since it is often not timely (first, the virus spreads, and only then the antiviruses are engaged in eliminating it), which is enough for an attacker to access the necessary information or damage the existing one. It is the timely notification of the system and the user that would help increase the efficiency of intrusion detection both on locally and on the Internet. When planning protection, it is important to calculate the degree of protection of each network node, which will make it possible to identify possible ways of attacking an intruder and build effective protection.

In the United States, the security of critical facilities that make up critical infrastructure is well-developed and includes: • Agricultural and food supply systems. • Financial and banking system. • • • • •

Transport system.

Water supply system.

Rescue and ambulance services.

Power supply system.

Public administration system.

In the United States, it is customary to subdivide critical facilities into infrastructure facilities associated with international organizations (energy facilities, transport, banking, financial system, communications) and unrelated ones (water supply, rescue services, government). Based on the analysis of the views of the US leadership, three categories of critical facilities are identified:

Vital: • Nuclear plant. • HPP (over 2 Gw). • Hydraulic structures. • Storage facilities for strategic oil and gas reserves. • Harmful chemicals and petrochemical. • Warehouses for storing nuclear materials and ammunition.

Extremely important: • Power supply systems (more than 2 GW). • Subway. • Water supply lines. • Underground sewerage systems. • Main pipelines.

Important: • Seaports. • Treatment facilities. • Trunk structures (in the United States there are about 7 million km of roads, of which more than 80,000 trunks, and more than 600,000 bridges. The length of the railways is about 550,000 km. • Large airports (more than 500 large airports and more than 14,000 small airports and sites. • Large communication centers’.

• Main pipelines. 2.4.

There are 6 main categories of impact: • Destruction or damage. • Economic. • Damage to the environment. • Damage to national defense. • Symbolic. •

Secondary problems of national security.

Each invasion scenario is rated on a five-point threat scale. With this approach, it becomes possible to miscalculate the risks associated with each type of threat, which will make it possible to effectively allocate computing resources when planning the protection of network nodes. For example, if an invasion is possible with a probability of 0.5 (50/50), it can be determined that the chance of using a specific attack (for example, a Synflood attack on a computer network) is 75/25—a probability of 0.75, the success of such an attack is assessed as successful 70/30, i.e. the probability is 0.3. The criterion for a successful attack can be the failure of 25 network nodes and financial losses of up to 15 million euros. This risk is assessed by the formula: = ( ℎ +

) × × × (1) where: is a total loss; ℎ is human losses; is loss of resources; is the probability of attack; is the probability of a certain type of attack; is the probability of a successful attack.

From the above data, it can be concluded that the potential damage will amount to the failure of 2.8 network nodes and economic damage of 1.68 million euros.

With many intrusions into critical systems, a simplified hazard rating system can be used, for example, maximum threat level, medium, or minimum. In these categories, threats will be easier to classify and handle.

The above risk assessment is well suited for multi-vector analysis of possible scenarios of attacks on key nodes of critical systems to identify the weakest or less reliable network elements. Also, this method is good for building a hierarchy of network elements, the failure of which can entail the greatest financial losses (which is especially important for banking structures, interruptions of which entail not only the loss of money but also customers). This approach is also applicable to finding effective solutions for the containment of air traffic [19].

Also, it is important not to allow exceeding the threshold values of the crisis range for a critical facility.

Being able to calculate risk, it becomes possible to assess the effectiveness of protection, which can be made based on an analysis of the corresponding risks and chances. Based on this approach, two types of estimates are possible. The first is an estimate for instantaneous values at which the state variable takes on a certain value. The second is an integral estimate when the state variable belongs to a certain range of values. The integral assessment of the state has several limitations, mainly related to the need to match the result to a certain range of predefined data, which is not always possible to implement. The main difficulties can arise when calculating the possible results and the adequacy of the likely responses to them (machine learning is not applicable here, since the threat of an inadequate response to a threat or its omission will remain, which is not acceptable for critical systems). Therefore, the most appropriate for assessing the effectiveness of protection will be the estimate for instantaneous values, at which the state variable takes on a certain value. These estimates, to a certain extent, will have a predictive nature. This approach is often used in the statistical calculation of possible risks in the operation of closed automated systems [20, 21].

In this case, it is necessary to assess the expected effectiveness based on the ratio of chance and risk: where, is the value of the boundary threshold state on the interval ( , ); ( ) = ( − 1) − ( − 1) is damaged when exceeding the boundary values of the point , of crisis interval ( , ); ( ) = ( − 1) is expected benefit from reaching extreme point values , of crisis interval ( , ); , are safety thresholds within which the odds and risks are assessed; and are parameters of the position and shape of the distribution curve.

Thus, the efficiency at the moment of reaching the critical value , will be: ( ) = (( ))((1−( () ∆ ))) =

µ− (1− − ) ( ) , (3)

µ− µ− − ( ) ( )∆ ) where ∆ is critical state change step.

By calculating efficiency in this way, can be more efficiently allocate computing resources when building protection for critical objects. The process of predicting the effectiveness of protection of an important object, in the context of ensuring protection of state variables, is shown in Fig. 2.

The stability of the social and economic development of the country and its security is directly dependent on the reliability and safety of the operation of critical facilities, therefore it is extremely important to investigate the possible risks arising from unforeseen situations or attacks by intruders. This paper provides an overview and comparison of methods for protecting critical objects to identify vulnerable nodes in the systems used. The basic tools for protecting critical objects and ensuring their performance during emergencies are considered. Identified main security threats in automated control systems and proposed methods for calculating their stability. The ways of assessing the effectiveness of protection, which can be made based on the analysis of the corresponding risks and chances, are proposed.

V. Grechaninov, et al., Formation of Dependability and Cyber Protection Model in Information Systems of Situational Center, in: Workshop on Emerging Technology Trends on the Smart Industry and the Internet of Things, vol. 3149 (2022) 107–117.

V. Grechaninov, et al., Decentralized Access Demarcation System Construction in Situational Center Network, in: Workshop on Cybersecurity Providing in