A.V. Davydiuk
Èlektron. model. 2021, 44(1):107-117
https://doi.org/10.15407/emodel.44.01.107
ABSTRACT
Malfunctions of critical systems can result in significant material and non-material damage. With the development of information technology, the cybersecurity of critical information infrastructure has become an important aspect of the stability of such systems. Ukrainian legislation provides for the protection of information through the construction of comprehensive information security systems and information security management systems. For critical systems, however, such approaches are general in nature and are effective mainly in providing cybersecurity for individual segments of those systems. When designing critical systems, considerable attention is paid to meeting the requirements for reliability and quality, in particular for the artefacts of each stage. At the same time, the influence of the internal and external context on the functioning of such systems, and their probabilistic characteristics, are sometimes left without proper attention. Given the possible consequences of a malfunction of such systems, and in order to take into account the possible impact of uncertainty on their performance (risk), it is proposed to define the risk management model as an artefact of the process of designing critical systems. It is the detection of artefacts at the design stage that avoids most errors and minimizes the risk of such systems malfunctioning.
KEYWORDS
critical systems, automated process control systems, cybersecurity, risk, artefact, critical information infrastructure.
REFERENCES
- Law of Ukraine (2017), “On the basic principles of cybersecurity of Ukraine”, available at: https://zakon.rada.gov.ua/laws/show/2163-19#Text.
- Draft Law of Ukraine (2021), “On Critical Infrastructure”, available at: http://w1.c1.rada.gov.ua/pls/zweb2/webproc4_1?pf3511=71355.
- GOST 34.003-90 (1992), “Information technology. Set of standards for automated systems. Automated systems. Terms and definitions”, available at: https://docs.cntd.ru/document/
- GOST 34.201-89 (1990), “Types, completeness and designation of documents when creating automated systems”, available at: https://www.swrit.ru/doc/gost34/34.201-89.pdf.
- GOST 34.320-96 (1996), “Concepts and terminology for the conceptual scheme and information base”, available at: https://www.swrit.ru/doc/gost34/34.320-96.pdf.
- GOST 34.321-96 (2001), “Information technology. Database standards system. Reference management model”, available at: https://www.swrit.ru/doc/gost34/34.321-96.pdf.
- GOST 34.601-90 (1992), “Automated systems. Stages of creation”, available at: https://swrit.ru/doc/gost34/34.601-90.pdf.
- GOST 34.602-89 (1990), “Terms of reference for the creation of an automated system” (Instead of GOST 24.201-85), available at: https://www.swrit.ru/doc/gost34/34.602-89.pdf.
- GOST 34.603-92 (1993), “Information technology. Types of tests of automated systems”, available at: https://www.swrit.ru/doc/gost34/34.603-92.pdf.
- RD 50-34.698-90 (1992), “Automated systems. Requirements for the content of documents”, available at: https://www.swrit.ru/doc/gost34/50_34_698_90.pdf.
- List of documents of the system of technical protection of information (ND TZI) (2021), available at: https://cip.gov.ua/ua/news/perelik-dokumentiv-sistemi-tekhnichnogo-zakhistu-informaciyi-nd-tzi.
- ND TZI 3.7-003-2005 (2005), “Procedure for creating a comprehensive information security system in the information and telecommunications system”, order DSTSZI SB of Ukraine from 08.11.2005 № 125 (Change № 1 order of the State Special Communications Administration from 28.12.2012 № 806), available at: https://tzi.com.ua/downloads/3.7-003-2005.pdf.
- ND TZI 1.4-001-2000 (2000), “Standard regulations on information protection service in automated systems”, order DSTSZI SBU from 04.12.2000 № 53 (Change № 1 order of the State Special Communications Administration from 28.12.2012 № 806), available at: https://tzi.com.ua/downloads/1.4-001-2000.pdf.
- DSTU ISO/IEC 27005 (2015), “Information technologies. Methods of protection. Information security risk management” (ISO/IEC 27005: 2011, IDT), SE "UkrNDNC", available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=66912.
- DSTU ISO 31000 (2018), “Risk management. Principles and guidelines” (ISO 31000: 2018, IDT), available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=80322.
- DSTU ISO/IEC 27000 (2018), “Information technologies. Methods of protection. Information security management systems. Review and glossary” (ISO/IEC 27000: 2018, IDT), available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=85795.
- Cabinet of Ministers of Ukraine (2019), Resolution of June 19, 2019 № 518 “On approval of the General requirements for cyber protection of critical infrastructure”, available at: https://zakon.rada.gov.ua/laws/show/518-2019-%D0%BF#Text.
- Law of Ukraine (1994), “On Information Protection in Information and Telecommunication Systems”, available at: https://zakon.rada.gov.ua/laws/show/80/94-%D0%B2%D1%80#Text.
- Cabinet of Ministers of Ukraine (2006), Resolution of March 29, 2006 № 373 “On approval of the Rules for ensuring the protection of information in information, telecommunications and information and telecommunications systems”, available at: https://zakon.rada.gov.ua/laws/show/373-2006-%D0%BF#Text.
- Order of the State Special Communications Administration (2021), № 601 of October 6, 2021 “On approval of the Guidelines for improving the level of cyber protection of critical information infrastructure”, available at: https://cip.gov.ua/ua/docs/nakaz-administraciyi-derzhspeczv-yazku-vid-06-zhovtnya-2021-roku-601-pro-zatverdzhennya-metodichnikh-rekomendacii-shodo-pidvishennya-rivnya-kiberzakhistu-kritichnoyi-informaciinoyi-infra-
- Stouffer, K., Pillitteri, V., Abrams, M. and Hahn, A. (2015), Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security, Revision 2, NIST, https://doi.org/10.6028/NIST.SP.800-82r2.
- Understanding IEC 62443 (2021), available at: https://www.iec.ch/blog/understanding-iec-62443.
- DSTU ISO/IEC 27001 (2015), “Information technology. Methods of information security management system protection” (ISO/IEC 27001: 2013; Cor 1: 2014, IDT) Requirements, available at: http://online.budstandart.com/ua/catalog/doc-page?id_doc=66910.
- Order of the Administration of the State Service for Special Communications and Information Protection of Ukraine (2007), “On approval of the Regulations on state examination in the field of technical protection of information” from 16.05.2007 № 93, available at: https://zakon.rada.gov.ua/laws/show/z0820-07#Text.
- The Syntax of Predicate Logic (2008), LX 502, Semantics, available at: https://www.bu.edu/linguistics/UG/course/lx502/_docs/lx502-predicate%20logic%201.pdf.