Безопасность информационных технологий (Sep 2022)
On the application of the vulnerability analysis method of the technological process of the production facility to ensure the information security of the automated process control system, taking into account the interrelation of components
Abstract
The purpose of the paper is to analyze the vulnerability of the systems that support the vital processes of a facility of the fuel and energy complex. Applying the shifted ideal method, together with the method of reduced hierarchy analysis, made it possible to find the most vulnerable elements of the technological systems and to identify how the operability of these elements depends on the security of information flows in automated process control systems. The paper demonstrates the need to form reasonable requirements for the enterprise's information security policy and to focus on ensuring a sufficient level of protection against threats to the elements of the enterprise information system. The execution of such threats can lead to consequences that cause huge damage according to the following criteria: the emergency zone, economic damage, the number of victims, and the probability of system failure. The significance of threats to information systems is analyzed, as is the stability of both individual components and their aggregates. The nature of the interconnectedness (relationships) of the components of the enterprise's information systems is shown. In considering threats to the components of information systems, the paper reveals the hierarchical dependence of the security of complex assets of the information system on the security of the basic components of the lowest level. A threat model has been developed based on the list of threats approved by the Federal Service for Technical and Export Control in the database of information security threats for information systems. This approach makes it possible to form provisions for the enterprise's information security policy and to invite information security specialists to develop the software and hardware protection for the enterprise information system.
Keywords