T-Comm Vol.13. #12-2019
PRINCIPLES AND TASKS OF ASYMPTOTIC SECURITY MANAGEMENT
OF CRITICAL INFORMATION INFRASTRUCTURES
Sergey D. Erokhin,
Moscow Technical University of Communications and Informatics, rector,
esd@mtuci.ru
Andrey N. Petukhov,
National research University "MIET", associate professor,
anpetukhov@yandex.ru
Pavel L. Pilyugin,
Moscow State University. M. V. Lomonosov, senior research specialist,
paul.pilyugin@gmail.ru
Abstract
The article discusses the features of security management of critical information infrastructures (CII). It is established that the risk of a CII security breach is realized, as a rule, outside the infrastructure itself, and that its dependence on information processes is not explicitly stated. CII are defined not through their properties but through a situation (an incident) in which something happens to them and damage results. This point of view leads to a certain object-subject duality in ideas about CII security. In addition, the use of damage characteristics in the management process to describe the target safety state of the CII is not defined. The article shows that the unprovability of the completeness of threat modeling results plays an essential role in determining the ideology of CII security management. Based on consideration of the "full overlap" security model, it is concluded that the role of the threat model in the case of CII is somewhat deformed: in effect, it assumes that the threats included in the model (identified threats) constitute only a part of the actual threats, alongside which there is an undetectable part outside the model (unidentified threats). It is established that an important feature of the formation of such an ideology is the combination of a non-zero probability of occurrence of the incident, on the one hand, and the impossibility of accepting a non-zero permissible residual risk, on the other. It is concluded that it is fundamentally impossible to use the calculation of damage as a tool for managing the safety of CII. Since the goal of CII safety management is taken to be not the achievement of a certain level of security but the exhaustion of the protection potential, the concept of asymptotic CII safety management is introduced, in which each successive solution guarantees growth of the safety characteristics. The priority tasks that need to be solved within the framework of the described approach are formulated.