Method of instrumental estimation of critical information infrastructure under information technology interference

The aim of the paper is to develop a method enabling quantitative estimation of stability indicators of critical information infrastructure (CII) facilities under information technology interference (ITI) using testbed experimental research data. CII facilities include information and telecommunication networks (ITCN), information systems (IS), automated systems (AS) and telecommunication systems that are used as part of computer-based systems in transportation, energy, communications, navigation, manufacturing and other domains. For the purpose of this paper, the stability of CII operation shall be understood as the ability of CII facility elements to maintain operating parameter values within the specified limits within the specified time period when affected by intruders’ ITI. Intruders’ ITI is understood as intentional hardware and software interference that causes disruptions (blocking, distortion) of information computation processes in CII facilities within a specified period of time. The developed method is based on experimental research, accelerated testing methods and computational methods of estimation of CII facilities operational stability that were applied subject to the specificity of system analysis of the process of ITCN, IS and ACS operation under simulated intruder ITI. The method uses two primary types of indicators, i.e. the probability of faults and additional (artificial) faults in the course of data communication between CII facility elements caused by ITI, and the probability of faults and additional faults as the result of ITI in the course of information processing in CII facilities. The inclusion in the method of indicators for estimating additional faults due to ITI enables a priori analysis of rare and sudden events of CII facility operational stability disruptions. Subject to the obtained estimates, technical and organizational measures are substantiated for the purpose of neutralizing ITI against CII facilities.
Applying the method requires the availability of trial sites for the purpose of estimating the stability and actual security of CII facilities that host the functional equivalents of CII facilities, ITI simulators, information security tools (IST) and computer incident recovery tools. The developed method enables estimating the values of stability indicators, i.e. probability of successful transmission of data between CII facility elements and probability of successful processing of information in CII facility elements affected by faults based on instrumental estimation of system elements’ operation processes assessment under simulated ITI.


Introduction
The development of critical information infrastructure (CII) facilities is characterized by fast deployment of new information technology of distributed collection, processing, storage and communication of significant amounts of heterogeneous data for the purpose of efficient management of industrial and manufacturing processes in various domains of human activities [13,14].
A significant share of network protocols and data in CII facilities and the standard settings of information security tools (IST) objectively cause many vulnerabilities. The potential vulnerabilities in CII facility elements include the parameters of software vulnerability, dataware, telecommunication equipment, as well as the parameters of functional and network vulnerabilities.
The vulnerabilities in CII facility elements enable potential internal and external information technology interference (ITI) that reduces the operational stability of CII facilities [1,2,6,12].
The paper examines ITI threats that are intentional hardware and software interferences that cause the disruption of the operational stability of CII facilities. An ITI is implemented by an intruder in the form of interrelated and multi-stage actions by means of fuzzing, Denial-of-Service attacks (DDoS attacks) and traffic load [7].
The consequences of a successful ITI against CII facilities are characterized by the following:
• unauthorized access to protected information in CII facilities;
• disruption of operational stability;
• faults and failures in the performance of information processing tasks;
• reduced rate of transfer of process-related information on the status of CII facility elements;
• blocking (disruption) of CII facilities networking;
• possible distortion of information critical for CII facilities application;
• initiation of undocumented features for the purpose of launching mass ITI against SMF CII facilities that are comparable to technological catastrophes in terms of their consequences.
In accordance with the existing requirements for information security, the protection of information in CII facilities is to involve operational stability under an intruder's ITI [10,11,13,14].
Improving the operational stability of CII facilities under ITI requires prior experimental assessment of their actual security and stability using testbeds or trial sites [3,4,9].
Testbed testing and assessment of the actual security and stability of CII facilities under ITI will support the preparation and selection of substantiated organizational and technical information security measures aimed at eliminating vulnerabilities and reducing the probability of ITI, which will improve the operational stability of CII facilities through the implementation of such measures.
Thus, the development of a method enabling improved operational stability of CII facilities under ITI by means of a priori assessment, multiple selection of organizational and technical information security measures, and vulnerability elimination is relevant and of practical interest.

Problem definition
For the purpose of substantiating the instrumental estimation of CII stability under ITI and when affected by faults, the following assumptions were made:
• increased structural complexity, list, number of active tasks, simultaneous operation of subsystems of various generations, organization of information interaction between remote elements of CII facilities under ITI enable possible faults and require estimation for the purpose of maintaining the required level of stability of CII facilities;
• the random nature of detection of vulnerabilities by an intruder and ITI penetration of CII facilities causes the requirement for multivariate simulation of ITI threats;
• assessing CII facilities resilience against faults caused by ITI through analytical means only is complicated; a full-scale simulation of significant CII elements is required under conditions similar to actual processes of operation;
• instrumental estimation of CII facilities stability under simulated ITI is, in its nature, a verification, subject to the results of which it is established that the values of the probabilistic stability indicators in the presence of faults are not below the targets;
• in the course of instrumental estimation, accelerated testing of CII facilities is conducted at the trial site with the simulation of information loading modes that precipitate faults;
• given the CII facility information security measures taken, the values of the probability indicators of stable operation in the presence of low-intensity faults may be so low as to require significant system testing time, which underlines the importance of calculated prediction based on the instrumental estimation [8,11,13];
• the duration of instrumental prediction equals the time required for an accurate estimation of the probabilistic indicators of CII facility stability under allowable values of time to fault [14];
• the use of an ITI simulator enables accelerated testing of CII facilities as part of instrumental estimation, as the testbed imitates factors of increased intensity of artificial faults (their increased probability) under CII facility overloading.
In a general way, the problem of CII facility stability estimation under ITI is defined as follows:
It is given: $w_{ac}$, the number of actual faults in data transfer between CII facilities; $h_{ac}$, the number of actual faults in information processing systems in CII facilities; $\Delta t_{DCM}$, the mean time of data transfer between CII facilities; $\Delta t_{HSS}$, the mean time of information processing in CII facilities.
It is required: to find such values of actual fault parameters in CII facilities: number of additional faults in the data communication network (DCN) , number of additional faults in the data processing system (DPS), time of fault in the DCN and time of fault in the DPS whereas the required values of the probability of stable operation are preserved subject to limited characteristic of data transmission and processing features in CII facilities: , .
The problem was defined on the assumption that the CII operation is represented by Markovian processes, while the ITI processes that cause additional faults are described by a Poisson distribution. Figure 1 shows the diagram of the instrumental estimation of CII facility stability under ITI. A fault in CII facilities will be understood as a short (from several seconds to 60 minutes accounting for the restoration time) disruption of the parameters of operation [1,8,14]. Due to the fact that the categorized CII facilities are of hazard to life and their disruption causes significant damage, the research assumes that in CII facilities failure is unacceptable. In other words, in case of ITI, events of disrupted CII facility operability of more than 60 minutes are neutralized by means of organizational and technical information security measures, operability restoration facilities and redundant elements.
Essentially, the presented method ensures confirmation of the compliance of the stability indicators of planned or upgraded CII facilities affected by faults caused by ITI with the customer's technical requirements.
For the purpose of collecting evidence of the compliance of the actual indicators of CII facility stability when

The method involves a step-by-step sequence of indicator identification as part of instrumental estimation of the operational stability of CII facilities affected by faults that includes two primary stages:
I. Instrumental estimation of CII stability under simulated ITI.
II. Estimation of CII stability indicators under faults.

First, the requirements for stable operation of CII facilities affected by ITI are to be substantiated. Such requirements are to be included in the performance specifications for research and development activities regarding the CII facility (prototype, trial site of the CII facility) or taken into consideration while upgrading the CII facility's elements.
Then, in accordance with the method, the indicators are calculated for the instrumental estimation of CII facilities stability when affected by ITI.
Due to the fact that the operation of a CII facility is characterized by two primary processes, data communication between elements of a CII facility and information processing, it is proposed to use two indicators as part of the method:
1. Probability of successful data transfer between CII facilities.
2. Probability of successful information processing by a CII facility.
The instrumental estimation of the operational stability of a CII facility under simulated ITI is conducted using a test bed and consists in the following:
1. Full-scale simulation of the CII facility elements' operation processes on the test bed or at the trial site, including data communication between elements, as well as data processing in local area networks with hardware and software systems (HSS) in CII facilities.
2. Selection of information security tools in accordance with the requirements for the security class of automated systems (AS), computer technology, data security tools, intrusion detection tools, virus protection tools, firewalls, cryptographic tools, as well as the trust level of AS software [5].
3. Identification of vulnerabilities in a wide area computer network and HSS for model-based CII facility information processing [8].
4. Selection of ITI simulation and implementation tools using the method [9].
Output statistical data of the stage of instrumental estimation of CII facilities' stability under simulated ITI are the input parameters for the estimation of their stability in the presence of faults.
At the stage of estimation of the operation process stability of CII facilities under simulated ITI using the method of accelerated testing [14] the following assumptions were made:
a) CII facilities include two primary types of elements:
1) j-th data communication features of a CII facility, in which over time $t_{DCFj}$ with the probability actual faults $w_{acj}$ occur, and with the probability additional (artificially created) faults $w_{adj}$ occur in case of ITI;
2) i-th data processing features of a CII facility, in which over time $t_{HSSi}$ with the probability actual faults $h_{aci}$ occur, and with the probability additional (artificially created) faults $h_{adi}$ occur in case of ITI;
b) in the course of data communication and processing in a CII facility, each element performs a process-related operation in the course of which a fault may occur;
c) the probability of a fault in elements of a CII facility in the course of process-related operations is normally geometrically distributed, which is approximated by the exponential distribution law [14];
d) the flow of fault events in data communication and processing elements of a CII facility is interpreted as a continuous Poisson flow.
The estimation of a CII facility's stability when affected by faults caused by ITI using the method of accelerated testing consists of the following steps:
Step 1. Collection of data subject to the results of CII facility ITI simulation, required and sufficient parameters for the estimation of CII facility stability when affected by faults.
Step 2. Calculation of the probability of faults in data transfer between CII facilities:
a) calculation of the probability $w_{acj}$ of actual faults in the course of data transmission between CII facilities during time $t_{DCNj}$ in the j-th data transmission facility:

Table 1. Initial data for the estimation of the probability of successful transmission of data between elements of standard TCP/IP data communication features of CII facilities
Name of the characteristic of the processes of data transfer between elements of standard CII facility data communication assets affected by faults Value of characteristic

where is the number of actual faults in the j-th data transmission facilities; is the duration of a fault in the j-th data transmission facility; is the probability of actual fault in the j-th data transmission facility; is the mean time of data transfer between CII facilities; k is the number of data transmission facilities.
b) calculation of the probability of $w_{adj}$ additional (artificially created) faults in the course of data transmission between CII facilities during time $t_{DCNj}$ in the j-th data transmission facility: , where is the number of additional faults in the j-th data transmission facility; is the probability of additional fault in the j-th data transmission facility.
Step 3. Estimation of the probability of successful data transfer between CII facilities. , (3) where $N_w$ is the number of instrumental assessments done at the trial site with realization of fault vectors and ; is the indicator function that takes on the value of 1 if the event corresponds to indicator $P_{SDCN}$, and 0 if otherwise.
Step 4. Calculation of the probability of faults in information processing in a CII facility:
a) calculation of the probability of $h_{aci}$ actual faults in the course of information processing in a CII facility over time $t_{HSSi}$ in the i-th HSS: , (4) where is the number of actual faults in the information processing facilities; is the duration of a fault in the i-th data processing facility; is the probability of actual fault in the i-th data processing facility; is the mean time of information processing in CII facilities; l is the number of the information processing facilities.
b) calculation of the probability of $h_{adi}$ additional (artificially created) faults in the course of information processing in a CII facility over time $t_{HSSi}$ in the i-th HSS: , (5) where is the number of additional faults in the information processing facilities; is the probability of additional fault in the i-th data processing facility.
Step 5. Evaluation of the probability of successful information processing by a CII facility: , (6) where $N_h$ is the number of instrumental assessments done at the trial site with realization of fault vectors and ; is the indicator function that takes on the value of 1 if the event corresponds to indicator $P_{SHSS}$, and 0 if otherwise.
Upon completion of steps 1 to 5 of the method, the set of estimates is prepared of indicators of CII facility stability when affected by faults.
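Steps 3 and 5 both estimate a success probability as the share of testbed runs for which an indicator function equals 1. The following added example (not code or data from the paper) shows that estimator together with a confidence check against a target value. The success criterion (transfer time plus fault time within a limit), the Wilson interval, the field names and the sample runs are all assumptions made for illustration, and the paper's own formulas (3) and (6) are not reproduced here.

```python
import math
from dataclasses import dataclass

@dataclass
class Trial:
    """One testbed run under simulated ITI (field names are assumptions)."""
    added_faults: int       # faults injected by the ITI simulator in this run
    fault_time_s: float     # total time lost to faults, seconds
    transfer_time_s: float  # fault-free transfer time, seconds

def indicator(trial, limit_s):
    """Assumed success criterion: transfer plus fault time fits the limit."""
    return 1 if trial.transfer_time_s + trial.fault_time_s <= limit_s else 0

def estimate_success(trials, limit_s):
    """Empirical probability: mean of the indicator over all recorded runs."""
    if not trials:
        raise ValueError("no testbed runs recorded")
    return sum(indicator(t, limit_s) for t in trials) / len(trials)

def wilson_interval(p_hat, n, z=1.96):
    """Wilson score interval for a binomial proportion (95% for z=1.96)."""
    denom = 1 + z * z / n
    centre = (p_hat + z * z / (2 * n)) / denom
    half = z * math.sqrt(p_hat * (1 - p_hat) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half

def verify(trials, limit_s, target):
    """Compare the estimate with a target, accounting for sample size."""
    p_hat = estimate_success(trials, limit_s)
    low, high = wilson_interval(p_hat, len(trials))
    if low >= target:
        verdict = "meets target"
    elif high < target:
        verdict = "below target"
    else:
        verdict = "inconclusive: more runs needed"
    return p_hat, low, high, verdict

# Constructed sample of 20 runs (illustrative values, not measurements).
FAULT_TIMES = [0.0] * 12 + [1.5, 2.0, 2.5, 3.0, 3.5, 4.0, 6.5, 9.0]
TRIALS = [Trial(added_faults=1 if ft else 0, fault_time_s=ft,
                transfer_time_s=6.0) for ft in FAULT_TIMES]

if __name__ == "__main__":
    p_hat, low, high, verdict = verify(TRIALS, limit_s=10.0, target=0.8)
    print(f"P = {p_hat:.2f}, 95% CI [{low:.3f}, {high:.3f}] -> {verdict}")
```

With 20 runs, an observed share of 0.9 cannot yet confirm a 0.8 target, which is the sample-size concern the assumptions in the problem definition raise about testing time.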
As part of the research, a preliminary estimation was conducted of the probability of successful transmission of data between elements of standard TCP/IP data communication features of CII facilities (initial data shown in Table 1). The estimates of the effect of faults caused by ITI on the stability of elements of standard TCP/IP data communication features of CII facilities are shown in Figure 2.
The analysis of the values of the probability of successful data communication between elements of standard TCP/IP data communication features of CII facilities affected by faults under varying mean time of data communication and number of additional faults shows the following:
• the probability of successful data communication between elements of standard data communication features of CII facilities reaches 0.9 within 8 seconds under the minimal number of additional faults when affected by an intruder's ITI (1 fault per 24-hour work period);
• the probability of successful data communication between elements of standard data communication features of CII facilities becomes 0.8 within 10 seconds under the average number of additional faults when affected by an intruder's ITI through the use of redundancy and recovery (5 faults per 24-hour work period);
• the probability of successful data communication between elements of standard data communication features of CII facilities reaches only 0.6 within 16 seconds under the maximum number of additional faults when affected by an intruder's ITI even if computer incident recovery facilities are used (10 faults per 24-hour work period).
In cases when an intruder's ITI are identified in a timely manner and neutralized by ISS at a CII facility, the functional stability of data communication facilities affected by additional faults is ensured.

Conclusion
The suggested method of instrumental estimation of CII facilities stability under an intruder's ITI allows estimating the values of stability indicators, i.e. probability of successful transmission of data between CII facilities and probability of successful processing of information in CII facilities affected by faults based on instrumental estimation of system elements' operation processes assessment under simulated ITI.