Scientific and Technical Journal of Information Technologies, Mechanics and Optics

Review of national and international standards for categorizing of critical information infrastructure objects

https://doi.org/10.17586/2226-1494-2023-23-3-519-529

Abstract

Ensuring the security of critical information infrastructure facilities is an actively developing area of information security at both the national and global level. Categorization of critical infrastructure objects is an integral part of a common and holistic security process. With a dynamically changing threat level, the process of determining the category of an object is still not sufficiently optimized. Based on the existing requirements of both Russian and international standards, the assessment of critical infrastructure facilities cannot always be carried out promptly and correctly; in addition, numerical estimates are not formed, and the objectivity of the assessment and of subsequent reassessment by independent experts is not ensured. This article presents an analysis of the current requirements in the field of categorization of critical infrastructure objects used in the Russian Federation. A comparative analysis of the national regulatory legal acts of the Russian Federation and the system of international standards in the field of IT security is presented. Regulation of the categorization processes of critical infrastructure objects is considered. The necessity of forming numerical values of significance criteria for the correct determination and subsequent independent evaluation (reassessment) of the category of critical infrastructure objects is substantiated. Recommendations for improving the process of categorizing critical infrastructure objects and for forming numerical estimates are presented. Implementing these recommendations will improve the accuracy, objectivity and reliability of the process of creating modern information security systems.

About the Author

I. I. Livshitz
ITMO University
Russian Federation

Ilya I. Livshitz — D.Sc., Professor of Practice 

sc 57191569306 

Saint Petersburg, 197101 



For citations:


Livshitz I.I. Review of national and international standards for categorizing of critical information infrastructure objects. Scientific and Technical Journal of Information Technologies, Mechanics and Optics. 2023;23(3):519-529. (In Russ.) https://doi.org/10.17586/2226-1494-2023-23-3-519-529

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2226-1494 (Print)
ISSN 2500-0373 (Online)