Security Of Critical Information Infrastructure Research Articles

ЭФФЕКТИВНОСТЬ АВТОМАТИЗИРОВАННОГО УПРАВЛЕНИЯ ТРАНСПОРТНЫМИ СРЕДСТВАМИ В ТРАМВАЙНЫХ СИСТЕМАХ

The intellectualization of water transport is accompanied by an expansion of the landscape of threats to transport security, caused by the characteristics and weaknesses of the technologies being introduced, which are the convergence of information and telecommunication technologies, automated and automatic control technologies and artificial intelligence. The peculiarity of these technologies is working with large volumes of information. Violation of the security of information processed in intelligent systems of water transport (illegal access, modification, deletion and similar unauthorized influence) causes a violation of transport security and, as a consequence, the security of critical information infrastructure and the country’s critical infrastructure, national security. Convergent technologies used in intelligent transport systems are characterized by multiple and poorly formalized manifestations of the consequences of threats. The article presents a model for assessing the risks of information security of intelligent water transport systems, based on the methods of the theory of fuzzy sets and fuzzy logic, the use of which makes it possible to take into account the above-mentioned features of the technologies being implemented. The hierarchical structure of the model and the use of fuzzy set theory and fuzzy logic methods make it possible to adapt the model to various risk criteria, types of input data and the level of detail of risk analysis. For the presented model, a methodology for assessing information security risks has been developed and an example of risk calculation is given. The developed model and methodology are intended to build an information security risk management system for autonomous shipping, implementing technologies of hybrid (augmented, extended) intelligence, providing for the use of artificial intelligence controlled by people.

НЕЧЕТКАЯ СИСТЕМА ОЦЕНКИ РИСКОВ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ИНТЕЛЛЕКТУАЛЬНЫХ СИСТЕМ ВОДНОГО ТРАНСПОРТА

The intellectualization of water transport is accompanied by an expansion of the landscape of threats to transport security, caused by the characteristics and weaknesses of the technologies being introduced, which are the convergence of information and telecommunication technologies, automated and automatic control technologies and artificial intelligence. The peculiarity of these technologies is working with large volumes of information. Violation of the security of information processed in intelligent systems of water transport (illegal access, modification, deletion and similar unauthorized influence) causes a violation of transport security and, as a consequence, the security of critical information infrastructure and the country’s critical infrastructure, national security. Convergent technologies used in intelligent transport systems are characterized by multiple and poorly formalized manifestations of the consequences of threats. The article presents a model for assessing the risks of information security of intelligent water transport systems, based on the methods of the theory of fuzzy sets and fuzzy logic, the use of which makes it possible to take into account the above-mentioned features of the technologies being implemented. The hierarchical structure of the model and the use of fuzzy set theory and fuzzy logic methods make it possible to adapt the model to various risk criteria, types of input data and the level of detail of risk analysis. For the presented model, a methodology for assessing information security risks has been developed and an example of risk calculation is given. The developed model and methodology are intended to build an information security risk management system for autonomous shipping, implementing technologies of hybrid (augmented, extended) intelligence, providing for the use of artificial intelligence controlled by people.

Edge propagation for link prediction in requirement-cyber threat intelligence knowledge graph

Critical information infrastructure (CII) is a critical component of national socioeconomic systems and one of the primary targets of cyberattacks. Unfortunately, CII's security administration struggles to keep up with the rapidly evolving and complex cyber threats. In this research, we combine cybersecurity threat intelligence (CTI) with management security requirements (SR) data to construct a knowledge graph (KG) named RCTI and predict new knowledge on the heterogeneous graph. In addition, we propose EGNN, a novel GNN-based model that defines the representation of edges and develop an algorithm for propagating edge information. Experiments on three public datasets and the RCTI graph show that the EGNN achieves state-of-the-art performance. Finally, we use the EGNN model to predict new links on the RCTI graph, which by manual analysis achieves a 97% connectivity rate between the CTI and SR entities. Therefore, the EGNN can effectively detect management vulnerabilities and enhance CII's cybersecurity capability in the event of cybersecurity incidents.

УСТОЙЧИВОСТЬ ТЕХНОЛОГИЧЕСКИХ ПРОЦЕССОВ В АСПЕКТЕ БЕЗОПАСНОСТИ КРИТИЧЕСКОЙ ИНФОРМАЦИОННОЙ ИНФРАСТРУКТУРЫ

The purpose of the paper is to study the sustainability of technological processes in the aspect of the security of critical information infrastructure (CII). Cybercrime today brings attackers an income (affecting critical information infrastructure objects) of about $1.5 trillion a year, which means that the security of critical information infrastructure is still requiring due attention. Currently, there is no generally accepted approach to conducting such an assessment and its definition remains an urgent problem. It is also important to understand that the stability of technological (including significant, critical) processes does not always ensure their safety (management safety), as well as ensuring safety does not ensure the execution of technological processes. The object of the study is the objects of the CII. The subject of the study is technological processes in the context of threats to information security. The technological process and its stability at CII facilities in the aspect of information security are studied. The analysis of regulatory legal acts (NPA) and scientific publications on the research topic is carried out. The analysis of the NPA of the CII showed that there are serious problems in this area. In order to formulate specific measures of sustainability of indicators, one can use the given sustainability matrix. The paper formulates the requirements for evaluation indicators. Based on the results of the study, it was found that the assessment of the stability of the functioning of objects can be implemented on real significant objects of the CII, while the stability coefficients of the elements can be detailed in more detail. Definitions and problems are considered, the main sources confirming the importance of the study are presented. The results of the study can be used when considering approaches to assessing the sustainability of technological processes in the context of CII safety.

Information about computer handwriting: The challenges of finding a balance between individual liberty and state security

The present study is devoted to the introduction of biometric identification systems in law enforcement. The author pays special attention to the phenomenon of computer handwriting, examining in detail the constitutional and legal aspects of the use of knowledge about it. For this purpose a wide methodological apparatus is used: comparative-legal method, method of analogy, deduction, method of modelling and others. The Russian practice and potential for further development are compared with the experience of foreign countries both in the regulation of general issues of biometric personal data and in situations of legal regulation of computer handwriting data. The author investigates how to simultaneously solve the problems of detection and investigation of offences in which printed texts act as evidentiary materials, and at the same time preserve human rights to privacy, personal and family secrecy, anonymity on the Internet. It is noted that computer handwriting is a rather young phenomenon for legal science; there is still no in-depth study of it from the perspective of this field of knowledge. This paper is only a beginning in understanding the topic under consideration. It raises basic questions: whether it is permissible to use knowledge about computer handwriting, how it should be protected and where it should be stored, whether it is necessary to limit the existing commercial interest in its use. As a result, the author comes to the following conclusions: it is permissible and necessary to collect information on computer handwriting, as this will reduce infringements on the natural rights of man and citizen. For such collection it is necessary to use a centralised state system in which all the requirements for the security of critical information infrastructure are implemented. However, before such a system is put into operation, it is necessary to support commercial companies in relevant developments and oblige them to provide information about users' computer handwriting at the request of authorised persons.

Нормативно-правовые проблемы безопасности территориально распределенных информационных систем в офтальмологии

Purpose. To consider, characterize and analyze the regulatory framework of the Russian Federation, which determines the use of information technologies in ophthalmology, without which it is now impossible to provide high-tech medical care. Material and methods. The subject of this study is the legislation of the Russian Federation devoted both directly to the health care system in our country and to the requirements for ensuring information security. In accordance with the specifics of the subject under study, general scientific research methods were necessarily used in this work: analysis and synthesis, deduction and induction. Results. The legal system of the Russian Federation is not so specialized in the use of information technologies in medicine that in ophthalmology there would be some special regulatory framework, different from other types of medical activities. The objective basis of this universality is that it is practically the same technological base everywhere in medicine. Conclusion. The presence of all the necessary conditions determining belonging to the status of a subject of critical information infrastructure creates sufficient grounds for the applying of requirements related to the regulation of medical activities based on the Federal law «On the Security of Critical Information Infrastructure of the Russian Federation». Keywords: medicine, information technology, information security, critical information structure of the Russian Federation

Актуальные угрозы безопасности информации в сфере здравоохранения и офтальмологии

Relevance. All healthcare institutions, including ophthalmology, belong to critical information infrastructure, which is described in law on «the security of critical information infrastructure of the Russian Federation» 26.07.2017 No. 187-FL. It is mandatory to carry out the compliance of critical information infrastructure objects with the established criteria and indicators of significance for these institutions. The article deals with the issues of information security risk assessment and categorization in relation to organizations working in the field of ophthalmology. The research was carried out as part of the implementation of the federal project «Information Security» of the national program «Digital Economy of the Russian Federation». Purpose. Analysis of the features of the categorization process for ophthalmology organizations, designing decision-making algorithm for assigning a category of significance. Material and methods. The article deals with the issues of information security risk assessment and categorization in relation to ophthalmology organizations. The study was carried out as part of the implementation of the federal project «Information Security» (the national program «Digital Economy of the Russian Federation»). Results. The consequences of the implementation of attacks on information systems that are significant for specific types of critical information infrastructure objects in the healthcare sector (in the field of ophthalmology) were considered. The choice of significance criteria was substantiated. An algorithm for making a decision on assigning a category of significance was developed. Conclusion. An analysis of current threats to critical information infrastructure facilities in the healthcare sector was explored. It was found that in the proposed methodologies, the detection of the possibility of detecting an object under the first detection is not wide enough, which may seem to be based on unreasonable costs to ensure the necessary level of security for healthcare and ophthalmology facilities. Keywords: critical information infrastructure, healthcare institution, ophthalmology, information security threats, intruder model, actual threats, computer incidents

Типовые офтальмологические информационные системы, являющиеся объектами критической информационной инфраструктуры

Relevance. According to the law « the security of critical information infrastructure of the Russian Federation» 26.07.2017 No. 187-FZ information systems used in ophthalmology can be classified as significant objects of critical information infrastructure if a targeted computer attack can cause serious damage (assessed by five significance indicators). The study considers common objects of critical information infrastructure in the healthcare sector, analyzes typical ophthalmic automated control systems, assesses actual offenders for these systems and the consequences of the implementation of information security threats by them, based on which refined criteria are developed for classifying objects as significant. Purpose. Analysis of typical processes of information systems in the field of ophthalmology. Justification of the choice of systems belonging to the category of «critical». Material and methods. Common objects of critical information infrastructure in automated control systems is carried out. Results. An assessment of actual violators for information systems in the field of ophthalmology was carried out. The consequences of security breaches are identified, based on which refined criteria are developed for classifying objects as significant. Conclusion. The first step in the categorization process is to determine the list of objects (information systems) that are most critical in terms of the consequences of computer attacks for the functioning of a critical infrastructure subject. Not all enterprise information systems provide critical information processes and have signs of a significance category. Keywords: critical information infrastructure, healthcare sector, ophthalmology, information security threats, intruder model, categorization criteria

Radar stations as a means of ensuring the security of critical information infrastructure

Radar stations as a means of ensuring the security of critical information infrastructure

Problems of forming the structure of functions of the information security management system of a significant object of critical information infrastructure

In such a tense geopolitical situation, and as a result, the tightening of the legislation of the Russian Federation regarding the requirements for information protection systems for critical information infrastructure objects, it becomes especially important to ensure the security of critical information infrastructure. Every year, the requirements for the information security system of significant objects of critical information infrastructure become more and more serious. The use of heterogeneous information security tools creates a contradiction, which consists in the presence of such information security tools and the impossibility of their centralized management. Such a contradiction can be resolved by developing an information security management system with a formed structure of the functions of such a system. This article presents the concept of solving the problem of forming the structure of the functions of the information security management system of a significant object of critical information infrastructure, the concept of building an information security management system of a significant object of critical information infrastructure, as well as the concept of checking the effectiveness of such a system.

Issues of formation of risk management of significant objects of critical information infrastructure

With the increasing number of attacks related to information security, enterprises need to review the principles of risk management, to maintain the relevance and increase the reliability of information security management system. The article considers topical issues of risk management of significant objects of critical information infrastructure. International standards on information security ISO/IEC27001-2021, ISO/IEC 27005-2010 and requirements of the Federal Law of July 26, 2017. № 187-FL "On the security of critical information infrastructure of the Russian Federation". In particular, the rules of categorization of critical information infrastructure objects approved by the Government Decree of February 8, 2018. № 127 «On approving the rules of categorizing objects of critical information infrastructure of the Russian Federation, as well as the list of indicators of criteria for the significance objects of critical information infrastructure of the Russian Federation and their values were analyzed» regarding information security risk management are analyzed. A comparative table of the risk management process for an organization that has significant critical information infrastructure facilities and the categorization process for critical information infrastructure facilities is presenting. Developed recommendations for maintaining the relevance of risk management of critical information infrastructure entities.

Axiomatics of infrastructural destructivism on the subject of critical information infrastructure

Currently, one of the topical issues of the scientific community investigating the problems of ensuring the security of critical information infrastructures (CII) is related to the study of the impact of inter-object interaction on the assessment of information security (IS) of CII. This is justified, first of all, by the changes taking place in the operating conditions of CII facilities, confirmed by the increase in the importance of inter-element interaction in ensuring the safety of CII against the background of the lack of regulatory methods and techniques for their identification and evaluation. It is impossible to ignore this issue, since the inter-object interaction, which we consider, under certain conditions, as a destructive impact of infrastructural genesis (DV IG), affects the functionality of the CII and has a multiplicative character. Not taking this into account leads to the effect of infrastructural destructivism –ID) — the destruction of the information infrastructure at the IG. The article presents the axiomatics of the ID, revealing the essence of the issues of the genesis of AI and infrastructure dependencies, identification of the source of the IG and the dynamics of the IG, which allows to form a system of conditions for ensuring information security in the DV IG.

Legal and organizational provision of protection of the critical information infrastructure from cyberattacks

The article considers the legal and organizational aspects of ensuring the protection of the critical information infrastructure from cyberattacks. Attention is drawn to the positive experience of the United States in ensuring the resilience of the objects of critical infrastructure. The provisions of the new Cyber Security Strategy of Ukraine are analyzed, one of the priorities of which is to improve the regulatory framework for cyber security of critical information infrastructure. The shortcomings of the previous Cyber Security Strategy of Ukraine (2016) are noted. Contains a detailed analysis of legislation and initiatives on providing cybersecurity. General requirements for cyber protection of critical infrastructure objects are considered. Based on the analysis of the current legislation on cyber security of Ukraine, ways to improve the legal and organizational support for the protection of the critical information infrastructure from cyber attacks are proposed.

Principles of legal regulation of the institute of information security

The article in the context of methodologies of systematic analysis of legal phenomena reveals the content of the principles of legal regulation of the institute of information security. It is noted that information security is defined as the impossibility of causing harm by means of a security object, due to information and information structure. Principles play an important role in the legal provision of information security. The basic principles of legal regulation of the information sphere are enshrined in the Laws "On Information", "On the Basic Principles of Cyber Security of Ukraine", most of which are key to the development of legal regulation of information security processes. In order to improve the information security system from various challenges and threats, it is proposed to enshrine in information legislation the principle of presumption of security of critical information infrastructure, which establishes that critical information infrastructure is considered protected as long as the organizational and legal security of these facilities requirements set forth in regulations in the field of information security. It is stated that a wide range of problems of information security of the individual, society and state, development of cybersecurity culture, ensuring privacy and protection of access rights, protection of information systems, resources and networks, expanding the use of information technology in public administration, other information problems security needs careful study. The principles of legal regulation in the field of information security are revealed through normative detail. It is emphasized that with the development of scientific and technological progress and the latest forms of processing and use of information, the principles of regulation in the field of information security need to be correlated at the level of regulatory support.

Model of the States of Critical Information Infrastructure Subjects under Destructive Influences in Static Mode

With the introduction of 187-FL "On the security of critical information infrastructure in the Russian Federation", a class of tasks requiring new approaches was determined. This is due to the solution of not only practical problems with the introduction of this law, but also with the development of its scientific and methodological support, which is one of the tasks of regulators. The main regulatory problem in ensuring the security of critical information infrastructure (CII), in our opinion, is associated with the lack of a systematic approach as a methodological basis for developing requirements for the development of CII. This leads to gross errors and errors in the course of making managerial decisions, therefore, to an increase in information security risks. When considering the subject of CII as a system, there is a need to consider inter-object relationships as sources of destructive influences that can lead to the effect of infrastructural "destructivism", i.e. to the self-destruction of infrastructure. To study this issue at the initial stage, it is proposed to build a model of the states of CII subjects in a static mode. In the course of working with this model, it is possible to predict the development of the situation of self-destruction of the infrastructure of the CII subject in a situation of uncertainty.

Issues of Applying of Article 2741 of the Criminal Code of the Russian Federation «Unlawful Influence on Critical Information Infrastructure of the Russian Federation»

A new article was introduced into the Criminal Code of the Russian Federation in 2017, which establishes criminal liability for unlawful impact on the critical information infrastructure of the Russian Federation. However, there is still no developed legal practice of applying this article, despite repeated statements of experts about the significant prevalence of crimes that encroach on the security of critical information infrastructure. The author of the article discovered one criminal case instituted on the grounds of a crime prohibited by Art. 2741 of the Criminal Code. The proposed article contains an analysis of the legal issues of this article, including the consideration of the specifics of qualification under Part 1, Part 2, and Part 3 of Art. 2741 of the Criminal Code. The concept of critical information infrastructure as an object of crime is considered, suggestions are made about the features of qualification of acts that will minimize law enforcement errors.

Condition and Prospects of Legal Regulation of the Security of Critical Information Infrastructure in Russia and in Foreign Countries

The article is devoted to an urgent problem related to the security of critical information infrastructure. The introduction of digital technologies in all spheres of society is in line with the priority policy for the development of the digital industry. At the same time, the number and quality of cyberattacks on significant objects of critical information infrastructure is constantly increasing in the world. But not all subjects of information relations, even understanding the presence of threats, are able to adequately assess and organize an effective security system for these objects. In this regard, ensuring the security of significant objects of critical information infrastructure is currently the primary task of the state - both the Russian Federation and other countries. The article provides a comparative analysis of approaches to ensuring the security of critical information infrastructure in Russia and in foreign countries. The problems of legal regulation of critical information infrastructure in Russia are identified and solutions are proposed to overcome them. There are traced the shortcomings associated with the implementation of legislation on the security of critical information infrastructure in Russia: in the digital industry, it becomes difficult to differentiate information infrastructure objects and classify some of them as critical; not all relevant legal entities have provided information on critical information infrastructure facilities, and therefore the register of facilities was not compiled in full, cyberattacks on which would create dangerous consequences for the country; some subjects of the critical information infrastructure deliberately underestimate the importance of their objects.

МЕТОДИКА ОПРЕДЕЛЕНИЯ КРИТИЧЕСКИХ ПРОЦЕССОВ НА ОБЪЕКТАХ ИНФОРМАЦИОННОЙ ИНФРАСТРУКТУРЫ

. The aim of the study is to develop a methodology for determining critical processes in order to simplify the activities of critical information infrastructure (CII) entities for categorizing information infrastructure objects the example of the chemical industry. The actuality of the problems under consideration is based the fact that the number of cyber attacks in various areas of state activity, including significant objects (ZO) of CII, is not decreasing. To protect the national information resources of the Russian Federation in 2017, the actions have been chosen in the direction of protecting CII objects with the adoption of the Federal law on the security of critical information infrastructure of the Russian Federation, which defined important directions of the Russian state policy in the information sphere for the next decade. Thus during its implementation, many subjects of critical information infrastructure have already had to face difficulties of various levels. The paper analyzes some fragments of solving the tasks set in the development of methods for determining critical processes at information infrastructure facilities, the sustainable functioning of which is regulated by a number of fundamental regulatory legal documents of the Russian Federation. In the course of the study, some features of determining critical processes at CII facilities, for example, in the chemical industry, were established. These features were later used in the development of a unique methodology for determining critical processes in the information infrastructure.

Provision of security of the Unified Federal Information Register Containing Data on the Population of the Russian Federation

The object of this research is the public relations with regards to processing of information in the Unified Federal Information Register Containing Data on the Population of the Russian Federation n. Besides the Federal Law “On the Unified Federal Information Register Containing Data on the Population of the Russian Federation”, the subject of this research is legislation in the area of personal data and legislation on the critical information infrastructure. Based on the main formal and substantive aspects, the author defines the indicated register as a variety of register-based information; substantiates the relevance of application of the principles of framework regulation of information law in the context of creating the register; raises the question on the need to recognize the information system that processes data contained in the register as a valuable object of critical information infrastructure. The novelty of this research consists in the fact that this article is one of the first works dedicated to provision of legal security of the Unified Federal Information Register Containing Data on the Population of the Russian Federation. The following conclusions and proposals on improvement of legislation are formulated: 1) The principles of legal regulation established by legislation with regards to information as the object of legal regulation should be applied to the created register; any unauthorized actions with a separate register entry should be viewed as violation of integrity of the entire object. 2) Due to critical importance of the data contained in the register, it is essential to set confidentiality restrictions, and recognize the federal nformation system that processes data contained in the register as a valuable object of critical information infrastructure. 3) In the text of the Law “On the Unified Federal Information Register Containing Data on the Population of the Russian Federation”, it is necessary to specify the responsibilities of operator of the federal information system who maintains the federal register and compliance with the requirements of legislation on the security of critical information infrastructure. It is also necessary to clarify the provisions of the Decree of the Government of the Russian Federation that establishes a list of criteria of importance of the objects of critical information infrastructure of the Russian Federation and their value.

Critical information infrastructure of the People’s Republic of China: peculiarities of legal regulation in the area of ensuring information security of the financial-banking sector

The object of this research is the legal relations emerging in regulation of critical information infrastructure with regards to ensuring information security of the financial-banking sector of the People’s Republic of China. Characteristic is given to the Law on Cybersecurity, acting and developing draft bills of the People’s Republic of China in the area of security of critical information infrastructure. The author examines the peculiarities of regulation of relations in the sphere of critical information infrastructure and their role in ensuring cybersecurity of financial-banking sector. Factors affecting formation of the national mechanism of ensuring security of critical information infrastructure are determined. For the purpose of acquiring most accurate scientific results, the author applies legal-dogmatic approach, hermeneutic and synergetic methods of scientific cognition. Despite the numerous existing and developing sources of legal regulation of critical information infrastructure, the normative mechanism of ensuring its security is characterized by interrelatedness, and reflects overall character of the regime of China’s digital policy. The Law on Cybersecurity of the People’s Republic of China establishes the general norms, as well as draft bills – special norms; and the standards contain high-tech methodical recommendations that allow clarifying possible ambiguity of general and special norms. However, even within the limits of this mechanism is observed a partial overlap of responsibilities, including in the financial-banking sector, which complicates the process of identification of objects and determination of subjects of critical information infrastructure. Establishment of the mechanism is also perplexed by the need of simultaneous achievement of goals in the spheres of national security and economy, particularly in opposition during talks with the United States, which promotes policy of economic expansion onto China’s market, using tariff and nontariff measures as the levers of pressure.