On the choice of information security measures for automated process control systems

This paper reviews the main domestic and international approaches to the choice of information security measures for automated process control systems. The purpose of the study was to develop a method for selecting security measures at each level of the automated process control system using set theory as part of the analysis of basic sets of security measures. In the framework of the study, the current attacks on industrial infrastructure are considered, an algorithm for selecting the protection measures of the automated process control system is constructed, and assumptions are made about the need to apply protection measures for each level of the system in accordance with an individual assessment of the security class of the corresponding level. In this paper, the authors propose mathematical expressions for the minimum, basic, adapted and refined basic sets of automated process control system protection measures. It is concluded that it is necessary to exclude from the consideration of the stage "refinement of the adapted basic set" the algorithm for selecting the security measures of the automated process control system, if the adapted basic set of information security measures provides blocking of all security threats at the considered system level. The research results are recommended for use in modeling information security threats and developing requirements for information security tools in automated process control systems.

1. Frolov A. V., Frolova E. S. Solarwinds for network monitoring. System Administrator. 2019; (12):93-95.

2. SHIMOL S. B. SolarWinds SUNBURST Backdoor: Inside the Stealthy APT Campaign. Сybersecurity news, Threat research. Varonis. 2020. Available at: https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign (accessed 01.03.2021).

3. Csapko G. P., Verigo A. A. Security risk analysis of automated process control systems. Bulletin of the Eurasian science. 2016;36(5):1-9. Available at: https://cyberleninka.ru/article/n/analiz-riskov-bezopasnosti-avtomatizirovannyh-sistem-upravleniya-tehnologicheskimi-protsessami (accessed 03.03.2021).

4. The Russia FSTEC order dated March 14 2014. № 31 “About the approval of requirements for ensuring the protection of information in automated control systems for production and technological processes at critical facilities, potentially dangerous Facilities, as well as facilities that pose an increased danger to human life and health and to the environment”. 2014. Available at: https://fstec.ru/tekhnicheskaya-zashchita-informatsii/dokumenty/110-prikazy/864-prikaz-fstek-rossii-ot-14- marta-2014-g-n-31 (accessed 04.03.2021).

5. Andreev Yu. S., Dergachev A. M. Information security of automated process control systems. Instrumentation. 2019;(4):221-233.

6. S. V. Gordeychik. Missiocentric approach to the cybersecurity of automated process control systems. Cybersecurity issues. 2015;10(2):56-59.

7. Response to National Institute of Standards and Technology (NIST) [Docket Number 130208119–3119–01] Request for Information. 2013. Available at: https://www.nist.gov/system/files/documents/2017/06/01/040513_cgi.pdf (accessed 03.03.2021).

8. International Society of Automation. The 62443 Series of Standards. 2015. Available at: http://isa99.isa.org/Public/Information/The-62443-Series-Overview.pdf (accessed 03.03.2021).

9. Kulik T., Larsen P. Gorm Towards formal verification of cyber security standards. Proc. ISP RAS. 2018;(4):79-94.

10. Zhukov S. A., Slugin A. G. The problem of cyber threats in industrial automation systems. Ogarev-Online. 2015;61(20):1-5. Available at: https://cyberleninka.ru/article/n/problema-kiberugroz-v-promyshlennyh-sistemah-avtomatizatsii (accessed 08.03.2021).

11. Vasilyev V. I., Vulyvin A. M. Risk analysis of ensuring the integrity of telemetric information using cognitive modeling technology. Vestnik USATU. 2019;86(4):122-131.

12. Bratchenko A. I., Butusov I. V. Application of methods of the theory of fuzzy sets to the assessment of risks of violation of critical properties of protected resources of automated control systems. Cybersecurity issues. 2019; (29)1:18-24.

13. Medvedev N. V., Troickiy I. I. On the use of the fuzzy set theory apparatus in the analysis of information security risks. Vestnik Moskovskogo Gosudarstvennogo Tekhnicheskogo Universiteta imeni N.E. Baumana, seriya “Priborostroenie”. 2011;( special issue):25-30.

14. Nenadovich D. M., Shahtarin B. I. Methods of the theory of fuzzy sets in the security problems of infocommunication networks. Vestnik Moskovskogo Gosudarstvennogo Tekhnicheskogo Universiteta imeni N.E. Baumana, seriya “Priborostroenie”. 2006;(3):88-95.

15. Sarvepalli V. Practical Math for Your Security Operations. Carnegie Mellon University. 2013. Available at: https://insights.sei.cmu.edu/cert/2013/08/practical-math-for-your-security-operations---part-1-of--3.html (accessed 10.03.2021).

16. Vavichkin N. A. Mathematical models in information security. Security of the information space-2017: the XVI All-Russian Scientific and Practical Conference of Students, Postgraduates, Young Scientists. 2018;(1):148-150.

17. Chernov D.V., Sychugov A.A. Mathematical modeling of information security threats of automated process control systems. 2019 International Conference on Electrotechnical Complexes and Systems (ICOECS). 2019;(1):1-4. Available at: https://doi.org/10.1109/ICOECS46375.2019.8950023 (accessed 11.03.2021).