The article analyzes the concepts of risk and security in a hierarchical automated control system (ACS) of a printing enterprise, presents the main algorithms for assessing the risk of emergencies in the technological process of an enterprise (TPE). Algorithms and methods of building information technologies for automatic determination of risk and security level of information complexes and systems of enterprise technological process control in view of active threats and attacks are substantiated and developed. The information and system technology for countering threats and attacks is proposed and the list of printing house assets in the order of decreasing risk exposure is given on the basis of experimental studies. The proposed approaches for determining the magnitude of risk and, accordingly, the level of security can be used for any enterprise with a hierarchical structure of technological process management.
The analysis of the problem of emergencies in a hierarchical system of technological printing process control, under the influence of active threats and attacks, has shown the importance of building models for assessing the risk of emergencies due to cyber attacks on the hierarchical structure of the system. In the process of printing production, new threats arise related to critical infrastructure, power outages and the supply of necessary materials and tools for prompt system recovery after incidents and emergency production stoppages. All of this places new demands on the implementation of preventive protection measures and analysis of emergency risk situations in real-world conditions of military operations, without stopping the production process. Many works of both domestic and foreign scientists are devoted to the problems of risk assessment in protection systems, but these problems are of the greatest relevance nowadays, when emergency production stoppages can lead to the destruction of the entire infrastructure of critical technogenic energyintensive enterprises.
Paper [
By analyzing the above scientific works, methods and means of protecting automated document management systems with a hierarchical management structure for printing enterprises were developed.
The system of protection of the information complex of printing enterprises is based on the
analysis and assessment of the risk value to build optimal protective measures and operation of the
information system in a stable mode of protection against possible attacks. At the same time, risk
assessment can be carried out using classical methods based on the analysis and identification of
possible threats and vulnerabilities to the assets of a printing enterprise, as well as appropriate
protective measures implemented to counter possible attacks in the security system. However,
among the available literature sources, there is little information on the availability of risk models
that would automate this process of assessing the risk in the information complex security system
for hierarchical enterprises in real time of their operation. Given the relevance of these problems for
building optimal protection systems, especially in our time of increasing cyberattacks on strategic
management objects, the paper proposes new approaches to assessing the risk and level of security
of the printing enterprise in the face of active threats and attacks.
2. Analysis of the concepts of risk and safety in the event of emergencies
in hierarchical management systems of a printing enterprise
In contrast to risk, the security level indicates how dangerous the situation in the relevant
information system or management system is in terms of possible losses. Let's consider some
differences between risk and security that justify the expediency of using the risk value in addition
to the security level (Fig. 1). [
The first difference between the risk parameter and the security parameter is the presence of some forecasting, which characterizes the concept of risk itself. Risk implies an assessment of a certain future, as opposed to a statement of fact, which provides an idea of the level of security.
The second feature of risk is the assessment of an event that should or may occur in the future, and the risk in this case determines what consequences the relevant event may lead to, taking into account its negative effect, and the risk in this case is directly related to the relevant event.
Risk, in terms of its interpretation, is a quantity used to measure losses resulting from the
negative impact of an event. In this regard, risk is usually measured as a relative value, for example,
as a percentage or as the amount of losses that may result from a particular event. [
In view of these features, it should be noted that the amount of risk cannot be precise and its
determination should be based on the use of approximate methods and probable data. Risk is
generally interpreted as an assessment of the negative characteristics of a certain reality. In general,
it can be assumed that risk is used to assess events that may occur and have a negative
interpretation. Therefore, the purpose of risk management is to determine the necessary actions
that lead to its reduction or elimination of the risk in general. Risk is never used if there is no need
to apply negative assessments of some events that should occur in the future. [
Given the above features of the interpretation of the concept of risk, it can be argued that the synthesis of risk models with the information security system is to assess the possibility of reducing the level of security of the system, provided that such a reduction is negative. The need to take this condition into account is determined by the fact that the concept of risk is associated with negative phenomena that are expected to be evaluated. The need to use this condition is based on the fact that the value of the security level can not only increase but also decrease. In the second case of a change in the value of , the interpretation of this change may be positive. This is due to the fact that ensuring a certain level of security of requires appropriate costs, and security, which we will call protection, is required only if there are external attacks on the information management system that reduce the level of security. If there are no such attacks on , it is not advisable to invest in maintaining the security level of = , but it can be reduced to a certain level: = system at the current time. of the system. accept the following conditions: in the risk value ( ) of the functioning process , where
< . At the same time, the reduction of the level cannot be interpreted as a change For the correct implementation of the process of synthesizing ( ) and of the , we
Condition 1. The risk value of ( ) shall be calculated on the basis of statistical data or probable parameters characterizing the factors in relation to which it is calculated.
Condition 2. The calculation of risk should be based on the use of forecasting methods.
Condition 3. The amount of risk should relate to events or changes in the conditions of the facility's operation that may occur in a certain period of time ∆ .
Condition 4. In contrast to forecasting tasks, the risk value should be closely related to a change in a parameter, a factor or other events that directly cause a change in the risk value ( ).
In order to separate the concept of a system's security measure from the concept of risk assessment, we accept the following conditions.
Condition 5. The security measure of the system reflects the security level available in the Condition 6. The security measure is measured on the basis of data that reflects the security Let's accept the following notation for the parameters: • • • • (
)- security level of the management information system; ℎ( ) - safety factor scale [0 ÷ 1]; ( , ) - the effectiveness of a successful attack; ( ) - the effectiveness of any attack on ∈ . value of can be determined according to the ratio:
For the sake of argument, let's assume that the security level of is measured by the ratio of the number of successful attacks to the number of all attacks that were realized against .
The number of successful attacks is determined based on the analysis and detection of anomalies resulting from such attacks and on the audit of the system for which is determined. Thus, the ∀
, ∃ ( ): 〈 = ∑ = ( )
∑ =1 〉 → ↘ min ↗ max where is the effectiveness ratio of a successful attack ; is the number of successful attacks; is the effectiveness of any attack , depending on the type of attack and the type of attack target; is a separate attack, ( ) is a security measure, is an attack countermeasure. The number of neutralized or canceled attacks, which are mostly recorded, is described by the ratio at the interval of the terminal cycle of the attack and when countering threats:
∀ ∈ , ∃ ( ⁄ ): 〈 = ∑ =1 − ∑ =1 〉 → min .
Let's look at the types of security. Each of the security types , , and is caused by the corresponding attacks. For example, is determined by the failure of hardware components, is safety due to control errors, is safety due to emergency shutdowns, and is safety due to emergency situations. On the one hand, the failure of a hardware component can be interpreted as an attack. In this case, the relevant attack is an event that is not caused by external factors. This type of attack can be activated by external factors, but we will not consider this possibility in order to ensure complete unambiguity among the set of attacks. Obviously, such a failure can also occur (1) (2) with respect to software components. While in the first case the failure may be caused by physical processes occurring in the software components, in the second case the failure may occur due to the fact that the program contained an error that was not noticed at the stage of testing the finished software product. In the first case, the attack is described by the reliability parameters of hardware elements, and in the second case, by parameters that characterize the probability that a certain number of errors remain in the program after testing. An example of a model that describes the presence of errors remaining in a program system after testing is the following ratio: 0 = ln( ⁄ ) + ∑ =1 ln + ∑ =1( − )ln ( − ) − ln , (3) where is the total number of errors in the program; is the sum of errors detected by independent tests, and it is assumed that,
< , is the number of errors detected by i [
One method of determining the assessment of the local component of ( ) ∈ ( ) risk ( )
can be used in the following case. Let's assume that TPE uses
, which can be affected by external
and internal factors. To ensure a certain functional stability, the control system
must provide a
given level of safety of . We will not consider other components of the TPE system. If external or
internal reinforcing factors occur by chance, but the estimates of these probable events are stable,
protection means, based on known estimates of the probability of reinforcing factors,
can activate the means of monitoring and counteracting the negative impact of the relevant factors
. If there are known prerequisites for changing such assessments, it is necessary to calculate
the risk of reducing the level of safety , where
< or the risk value described by the ratio:
( ) ≤ − , which means a decrease in the level of security. In order to calculate the value of
( ), the data on the relevant preconditions will be denoted by (ℎ ), where ℎ
are certain
parameters of the precondition . <If such a precondition
were fully known, there would be no
need to calculate the risk ( )>, and new probabilistic parameters of the factors that affect the level
of security could be calculated immediately. Based on such estimates, the discipline of monitoring
the relevant attacks could be modified and the appropriate defenses could be activated, which
determine the components of overall security , , and . Then it is advisable to define a
parameter by which the overall characteristic for all components can be assessed. [
In probability theory, the concept of parameter estimation is used for such purposes. [
The non-displacement of the estimate means that the estimate of the parameter corresponds to the ratio
= , where is the mathematical expectation.
If the unbiased estimate has the smallest variance among all estimates of , then this 3. If the inequality corresponding to the law of large numbers is fulfilled for the estimate of , or the following ratio is available: lim − < = 1 then the estimate of is called reasonable.
One common parameter estimate is a random variable equal to the sum of the squares of independent random variables , each of which follows a normal distribution law with parameters = 0 and 2 = 1 and is called a random variable with distribution ℵ2, and is described by the relation:
n→∞ ℵ2 = ∑ =1 2, (ℵ2) = ( ) ∙ ℵ −2 − 2⁄2, where 2 = ( ⁄ )2, 2 = (ℵ − )2, , are the mathematical expectation and variance, respectively, ℵ is a series of independent observations, each of which follows a normal distribution law. The differential distribution function ℵ2 with - degrees of freedom is written in the form: components of the risk values and . system (ACS and IAS) and type of attack:
where ( ) is a coefficient that depends on the sample size; ℵ is the current variable; - number of items in the sample.
If the parameter c 2 is greater than the accepted limit, it means that it is not permissible to use all the factors that cause the risk increase together, since each of the causes will have a distribution of random values that may dominate other distributions.
, , to do this, it is necessary to calculate the risks of unacceptable situations separately for each of the reasons that lead to deviations from the current values of the safety levels, which were referred to as , ,
and , and which in this case will determine the respective The overall risk of is determined as a function of the above components for each type of (4) (5) (6) ∀ , ∃ ( ⁄ ): 〈 = , , , 〉 → min ∑ .
One of the features of the ( ) risk assessment is the assessment of changes that may be reflected in the system in the event of activation of an event by external factors. At the level of qualitative interpretation, this means that it is necessary to assess the risk that the situation in the system will deteriorate when a particular action is taken on the system. Since the system is affected by external factors that lead to a decrease in the level of security , in the case of using risk assessment, an event and, accordingly, an external factor may occur that differs from the already known negative factors for the security system
. [
In order to distinguish these events from each other, we will introduce the following definitions of situation and event.
Definition 1. Events that adversely affect a certain object, protection against which is realized by means of protection under the control of the security system security system, will be called regular negative factors .
Definition 2. Events that may adversely affect the object of protection, which are one-time in terms of their impact on the relevant system, will be called single negative factors .
Let's define the overall risk of a threat situation through the components of active influence on and are mostly known to the system objects: then, accordingly, the multiplicative model has the form (Fig. 2):
= 〈 ( ∈ , )〉; = , , ,
→⊗ =1 ( ) ∙ , where ( ) is a multiplicative attack operator; - a multiplicative threat operator; - risks of transition to the marginal regime; - risks associated with management errors; - risks of emergency shutdown;
- risks of an emergency situation; ti , t i ,Tm - terminal marker. (7) (8)
Accordingly, the overall level of security is related to the level of risk through the operator ( ), for which we have the corresponding balance.
If max ( ⁄∀ ∈ ) and ( ∈ ) → min , that is, minimizing the active impact of threats on the system through a set of countermeasures leads to an increase in the security of the hierarchical system.
Single negative factors, if they are repeated with frequencies close to the repetitions of then becomes ,
and their effect is assessed by the
the risk ( ). The transition of individual factors from
system, not by means of calculating
to
is not considered, because by
the time of such a transition, the
factors of the
impact on the system. [
system has enough information about the functioning of class, and therefore it makes no sense to talk about the risk of such a factor's
can be formed by the user in such a way that the corresponding factor has a positive effect on the system. Before this factor is activated, it is studied within the system model, so that the nature of its impact on can be determined quite accurately and there is no need to determine the value of ( ).
If some factor such as is formed to act on , but the way it acts may change in the process of its activation and it may become a negative factor , then in such cases it is relevant to determine the risk that the factor will cause negative changes as a result of its action on , which will be interpreted as a decrease in the level of security. determined by the least squares principle described by the following relation: where are the regression coefficients to be determined. Typically, such coefficients are We sequentially differentiate this equation for all -coefficients and get a system of equations: { = ∑[ − ( 0 + 1 1 + ⋯ + )]2} → , 0 + 1 ∑ 1 + 2 ∑ 2 + ⋯ + ∑ = ∑ , 0 ∑ 1 + 1 12 + 2 ∑ 1 2 + ⋯ + ∑ 1 = ∑ 1 , ,
⋯ 0 ∑ + 1 ∑ 1 + 2 ∑ 2 + ⋯ + ∑ 2 = ∑ .
If the active factor yi is dependent on one or a small number of variables 1, … , , then the nature of the impact on
can be determined quite accurately and there is no need to determine the value of risk ( ), which by definition has a negative interpretation.
Therefore, we will set the risk value only for factors yi that are dependent on a significant number of arguments or independent variables.
Definition 3. Let the basic model for determining the value of risk be a multiple linear regression, then we accept the following interpretation of the elements of the linear regression, which is described by the relation:
( ) = 0 + 1 1 + ⋯ + ,
The above system of equations is transformed in such a way that the calculation of regression coefficients is as simple as possible.
For the practical use of this approach, it is necessary to consider the interpretation of all elements of the model that would correspond to acceptable ideas about the risk and the purpose of using the calculated value ( ). Within the system, the protection means are used, which are organized within the = { , … , } security system, and the means of determining the risk of the system .
thesystem is characterized by a security level, which will be further denoted as ( ). The security level, as mentioned above, depends on the total number of attacks and attacks that have been eliminated by the security features of . The more attacks were eliminated, the higher the level of ( ). If the number of attacks initiated against decreases, then the number of attacks that have been prevented by the security features will also decrease. Thus, ( ) remains the same regardless of the number of attacks launched against . Risk, by its interpretation, is the inverse of security. The interpretation of security is as follows. The value of the security level characterizes the current state of
's capabilities in terms of the system's suitability for solving the main application tasks. This means that different classes of tasks that are solved in the environment require different levels of security ( ) = . Therefore, the main task of the security system is to maintain a certain level of security of and, accordingly, , which is equal to ( ) = .
The magnitude of the risk in relation to its interpretation characterizes the possibility of negative changes in the object, and depending on these changes, the risk is measured. Therefore, to determine the risk, it is important to identify the object in which changes are expected and what the risk may be. Let's assume that the risk will be a decrease in the value of the security level ( )
We will not consider further development of the interpretation of this aspect. Obviously, in this case, an increase in the value of the level of security is not a risk. To avoid duplicating the concept of risk with the concept of safety, let us assume that risk determines the amount of decrease in the level of safety ( ). Then we can introduce the following definition: (9) (10) (11) security. represented in a certain form.
Definition 4. Risk is an assessment of the possible magnitude of a negative change in the level of In order to designate a security derivative, the function of changing the security level must be Definition 5. Let us assume that in the process of functioning of and, accordingly, the security management system (
) at each fixed moment of time ti , the value ( ) takes on certain values. This can be represented as the ratio ( ) = .
Accordingly, the level of security can be determined by the following ratio: (12) (13) ( ) = = ∑ =1 ⁄ , where - attacks detected and neutralized during the operation of;
at the time of ti that have been activated against
Using the selected approximation function, you can get an approximate description of the function of changing the value of the security level of ( ) under the influence of threats and attacks: - all attacks possible ( ) = ( , , ), losses caused by activation ( ) changes that will occur in compared to the changes in where t is the time of operation of
Since ( ) predicts the assessment of a negative change in the value of the security level, the event with which the risk is associated may belong to the factors of negative impact on . These factors in this study belong to the category of attacks on risk value is supposed to be determined reduces the level of security of negative single event of the type occurs ( ).
. Therefore, the event for which the , which can occur if a
We define the conceptual system procedures for assessing the level of risk arising in a hierarchical automated control system under the influence of threats and the stages of their implementation. the amount of losses that may result from this event. the management information system and the security management system.
), which is focused on the impact of
( ) on in order to calculate Procedure III - determination based on the synthesis of the forecast result with the amount of Procedure IV - determination of the relationship between , which is affected by ( ) , which should counteract the relevant factor. Based on this analysis, the magnitude of , which, due to the protective functions of , will be smaller that would occur if were not used, is estimated.
Procedure V - the process of systematic formulation of an adequate interpretation of the risk value for as a result of a possible action of ( ) is performed.
An adequate interpretation of the accident risk assessment is to develop a method: • • • determination of the amount of losses resulting from the resulting risk; selection of units of measurement of such losses; determining the probability of losses by combining the above interpretive descriptions.
The method of performing system procedures is implemented in a certain sequence. First, by
applying regression models that use statistical samples of possible attacks, the task of predicting the
occurrence of ( ) is solved. Forecasting provides information on when and under what
conditions the predicted event may occur. [
Subsequently, the ( ) recognition operation is performed based on modeling the effect of a possible attack on the system. The purpose of attack recognition is to determine the appropriate measure of protection for the system. As a result, the negative impact of ( ) on can be reduced.
At the next stage, an assessment is made to determine the possible losses that, for example, can be projected onto the cost of products to be produced by under the control of the system. Thus, with the help of the described methods of solving the problem, it becomes possible to form an adequate interpretation of the value of the risk ( ). In accordance with the definition of the risk, it is necessary to introduce certain protection measures that reduce the vulnerability of assets to various threats and make it impossible to carry out attacks. Thus, on the basis of detecting the magnitude of the risk, the protection system detects weak points in the security system and counteracts possible external attacks on the hierarchical management system.
To assess the risk in automated document management systems (ADMS) used to manage the technological process of printing enterprises, the main vulnerabilities and threats at the stages of the life cycle of both paper and electronic documents were identified, and countermeasures in the security system were investigated.
Identification of ACS vulnerabilities began with an analysis of all security procedures: possible
access points to information (both in electronic and physical form) and systems in the organization.
These procedures include: Internet connection; remote access points; connections to other
organizations; physical access to the organization's premises; user access points; access points via
wireless network. For each point, the cost of information and reliability of the systems were
assessed and access methods were identified. In addition, the list included all known vulnerabilities
in operating systems and applications. The analysis of vulnerabilities and threats to the assets of the
printing enterprise was determined on the basis of surveys conducted among system administrators
of Ukrainian printing enterprises in order to increase the reliability of the assessment of criticality,
probability of implementation and frequency of threats [
A targeted threat is a combination of a specific agent with knowledge, access, and motivation and a specific event aimed at a specific target. Identifying all targeted threats is time-consuming and challenging. An alternative is to determine the overall threat level, which does not require knowledge of the targeted or specific threat addressed to the company's unit the agent is acting on (Figure 3).
When studying existing countermeasures, it is necessary to identify possible attack paths and protective measures when an attacker implements possible threats. Such countermeasures and protective measures include (Figure 3): • • • • 1 - firewalls for all levels of the management hierarchy; 2 - anti-virus software for ACS and ADMS; 3 - access control to prevent intrusion into the system; 4 - a two-factor authentication system for attack indicators; • • • • • • • • • 5 - identification card of the authorized agent; 6 - biometrics for each management agent; 7 - smart card readers at the entrance to the premises; 8 - security - external, internal and systemic; 9 - control of access to files in the database structure of the ACS, ADMS; 10 - encryption of data flows, schemes, and design solutions; 11 - training employees in the organization's security policy; 12 - intrusion detection systems based on attack indicators; 13, 14 - automated receipt of updates from intrusion prevention in the structure and control system.
The study of vulnerabilities and threats conducted in this paper allowed us to determine the complex level of risk for the assets of the ACS in the order of ranking the level of risk for each asset (Table 1). 10. 11. 12.
To assess the risk, we determined the damage caused to the organization if the attack is successful. This took into account the fact that the risk cannot be completely eliminated - it can only be managed to minimize losses from attacks and threats based on an assessment of the level and probability of negative impact { → } for each impact factor.
An analysis of the concepts of risk and security in the face of threats and attacks on the information system of technological processes of enterprise is carried out. On the basis of the category diagram, a scheme of functional relationships of concepts that affect the levels of security and risk in the event of emergencies due to threats and attacks is built, which allows creating models for assessing the magnitude of risk.
The conditions for calculating the amount of risk and differences in approaches to assessing the security of information management systems are determined. It is proved that the measure of security is determined on the basis of the ratio of the number of successful attacks to the total number of attacks on the system at the terminal cycle of technological process control, and the risk assessment should be made when changing the corresponding probabilistic assessment of random processes that lead to a change in the security of the system.
The parameters that affect the risk value and lead to deviations in the current values of the levels of different types of security are identified. The author defines regular negative factors known to the security system and one-time negative factors. In the first case, such factors are assessed by the safety system and do not relate to the concept of risk, and in the second case, they require the introduction of tools for calculating the risk of emergencies.
The value of the security level that characterizes the state of the system to solve the main technological tasks in the face of threats and attacks, and different levels of security must be provided for different stages and technological objects.
To assess the risk, it is important to identify the objects in which changes occur in the terminal control cycle that lead to a decrease in the level of security. According to the above algorithms and procedures, it is possible to develop information technologies for automatic determination of the risk and safety level for information complexes and process control systems.
The results of the research can be implemented in the design of a management and security system not only for printing enterprises, but also for any complex systems with a hierarchical structure in the face of threats and crises.