doi: 10.17586/2226-1494-2023-23-3-519-529


Review of national and international standards for categorizing of critical information infrastructure objects

I. I. Livshitz


Article in Russian

For citation:
Livshitz I.I. Review of national and international standards for categorizing of critical information infrastructure objects. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2023, vol. 23, no. 3, pp. 519–529 (in Russian). doi: 10.17586/2226-1494-2023-23-3-519-529


Abstract
Ensuring the security of critical information infrastructure facilities is an actively developing area of information security at both the national and global level. Categorization of critical infrastructure objects is an integral part of a common and holistic security process. With a dynamically changing threat level, the process of determining the category of an object is still far from optimal. Under the existing requirements of both Russian and international standards, the assessment of critical infrastructure facilities cannot always be carried out promptly and correctly; in addition, numerical estimates are not formed, and the objectivity of the assessment and of subsequent reassessment by independent experts is not ensured. This article presents an analysis of the current requirements in the field of categorization of critical infrastructure objects used in the Russian Federation. A comparative analysis of the national regulatory legal acts of the Russian Federation and the system of international standards in the field of IT security is presented. The regulation of categorization processes for critical infrastructure objects is considered. The necessity of forming numerical values of significance criteria for the correct determination and subsequent independent evaluation (reassessment) of the category of critical infrastructure objects is substantiated. Recommendations for improving the process of categorizing critical infrastructure objects and forming numerical estimates are presented. Implementing these recommendations will improve the accuracy, objectivity and reliability of the process of creating modern information security systems.

Keywords: critical information infrastructure, categorization of critical information infrastructure objects, significance criteria, information security, information security management system, risks, residual risks



This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License