A method for assessing the information security risk of cyber-physical systems based on vulnerability interdependence
Date
2020
Authors
Lysenko, S.M.
Kondratiuk, A.S.
Publisher
Khmelnytskyi National University
Abstract
Risk assessment is a guarantee of the safe and stable operation of a cyber-physical system. This article presents a new method for assessing the information security risk of cyber-physical systems based on vulnerability interdependence. The paper presents a method for assessing the risk of attacks on cyber-physical systems that enables risks to be determined quantitatively. In addition, the probability level of a successful attack is calculated taking into account the interdependent relationship between vulnerabilities, and the attack impact level takes into account the consequences for the cyber-physical system that result from cyberattacks.
The proposed method makes it possible to calculate the potential risk of the system and to determine the optimal attack target. In addition, it can be extended to the analysis of security investments.
Information security has been growing steadily in recent times. Every organization depends on information technology and on the information security of cyber-physical systems to perform its work successfully. This has become not just a condition for the stability of doing business, but the most important strategic factor for its future development, even in the current, very turbulent environment. Cyber-physical systems can contain a wide variety of entities, ranging from office networks and financial and personnel systems to highly specialized systems. The rapid development of cyber-physical systems has been accompanied by a large number of cyberattacks, which have become one of the most powerful threats to the security of cyber-physical systems. Many studies have been conducted on risk assessment methods, but limited work has been published on quantifying the security risk of cyber-physical systems. In this paper, a technique for assessing the information security risk of cyber-physical systems based on the interconnection of vulnerabilities is proposed. The technique uses two indicators to quantify the risk, both based on the vulnerability graph: the probability of attack success and the index of the consequences of the attack. The first indicator, the index of the probability of a successful attack, is calculated taking into account the interdependencies between vulnerabilities. The second indicator, the index of the consequences of the attack, takes into account the impact on the physical domain resulting from a cyberattack. A quantitative experimental example showed how the system risk and an optimal attack target can be determined. The proposed method can also be extended to security investment analysis.
Keywords
cyber-physical system, information security, vulnerability, attack, cybersecurity, vulnerability inter-dependency graph, risk assessment
Bibliographic description
Lysenko S. M. A method for assessing the information security risk of cyber-physical systems based on vulnerability interdependence / S. M. Lysenko, A. S. Kondratiuk // Computer Systems and Information Technologies. – 2020. – No. 2. – P. 54-58.