
article-T-Comm-4-12-2019


PRINCIPLES AND TASKS OF ASYMPTOTIC SECURITY MANAGEMENT OF CRITICAL INFORMATION INFRASTRUCTURES

Sergey D. Erokhin, Moscow Technical University of Communications and Informatics, rector, esd@mtuci.ru
Andrey N. Petukhov, National Research University «MIET», associate professor, anpetukhov@yandex.ru
Pavel L. Pilyugin, Moscow State University. M. V. Lomonosov, senior research specialist, paul.pilyugin@gmail.ru

 

Abstract
The article discusses the features of security management of critical information infrastructures (CII). It is established that the risk of a CII security breach is realized, as a rule, outside the infrastructure itself, and that its dependence on information processes is not explicitly given. CII are defined not through their properties but through a situation (incident) in which something happens to them and damage results. This point of view leads to a certain object-subject duality in ideas about CII security. In addition, how damage characteristics are to be used in the management process to describe the target security state of the CII is not defined. The article shows that the unprovability of the completeness of threat modeling results plays an essential role in determining the ideology of CII security management. Based on a consideration of the «full overlap» security model, it is concluded that the role of the threat model in the case of CII is somewhat deformed: it in fact assumes that the threats included in the model (identified threats) constitute only a part of the actual threats, alongside which there is an undetectable part outside the model (unidentified threats). It is established that an important feature in the formation of such an ideology is the combination of a non-zero probability of an incident occurring, on the one hand, and the impossibility of accepting a non-zero permissible residual risk, on the other. It is concluded that it is fundamentally impossible to use the calculation of damage as a tool for managing the security of CII. The goal of CII security management is taken to be not the achievement of a certain level of security but the exhaustion of the protection potential; accordingly, the concept of asymptotic CII security management is introduced, each successive solution of which guarantees growth in the security characteristics. The priority tasks to be solved within the framework of the described approach are formulated.

Keywords: information security, critical information infrastructures, residual risk, incomplete threat models, asymptotic security management, security event monitoring.

Information about authors:
Sergey D. Erokhin, Moscow Technical University of Communications and Informatics, rector, Moscow, Russia
Andrey N. Petukhov, National Research University «MIET», associate professor, Moscow, Russia
Pavel L. Pilyugin, Moscow State University. M. V. Lomonosov, senior research specialist, Moscow, Russia