DEVELOPMENT OF METHODOLOGICAL FOUNDATIONS FOR DESIGNING A CLASSIFIER OF THREATS TO CYBERPHYSICAL SYSTEMS

The emergence of a full-scale quantum computer questions the stability of almost all symmetric and asymmetric cryptography algorithms. At the same time, the rapid growth of computing resources of IT and “G” technologies contributes to an increase in attacks on information and communication (ICS) and cyber-physical systems (CPS). These systems are the core of modern critical cybernetic information systems (CCIS). In such conditions, the primary task of maintaining the required level of security is the classification of modern threats that are integrated with social engineering methods and acquire signs of synergy and hybridity. The paper proposes a synergistic model of threats to ICS/CPS, which takes into account the focus of threats on synergy and hybridity, and the combined impact of security components: information security (IS), cybersecurity (CS), security of information (SI). This approach allows developing methodological foundations for building a unified classifier of threats to cyber-physical systems, forming sets of critical threats, critical points in the ICS/CPS infrastructure elements, based on minimal computing, human and economic costs. The developed methodology for determining the category of an attacker allows systematizing an attacker and, based on the analysis of weighting factors, forming a matrix of correspondence between the capabilities of attackers of various categories and technical means of information security (TMIS). These actions significantly reduce the risk of an attack by certain categories of attackers and allow for planning in the formation of both the IS policy and the corresponding protection profiles.


With the emergence of a full-scale quantum computer, the strength of practically all symmetric and asymmetric cryptography algorithms is called into question. At the same time, the rapid growth of IT computing resources and "G" technologies contributes to an increase in attacks on information and communication (ICS) and cyber-physical systems (CPS). These systems are the core of modern critical cybernetic information systems (CCIS). Under such conditions, the primary task in maintaining the required level of security is the classification of modern threats, which are integrated with social engineering methods and acquire signs of synergy and hybridity. The paper proposes a synergetic model of threats to ICS/CPS, which takes into account the focus of threats on synergy and hybridity and the integrated impact of the security components: information security (IS), cybersecurity (CS), and security of information (SI). This approach makes it possible to develop methodological foundations for building a unified classifier of threats to cyber-physical systems and to form sets of critical threats and critical points in ICS/CPS infrastructure elements on the basis of minimal computing, human and economic costs. The developed methodology for determining the category of an attacker makes it possible to systematize attackers and, based on the analysis of weighting coefficients, to form a matrix of correspondence between the capabilities of attackers of different categories and technical means of information protection (TMIS). These actions significantly reduce the level of risk of an attack being carried out by certain categories of attackers and make it possible to ensure planning in the formation of both the IS policy and the corresponding protection profiles.
Keywords: synergetic threat model, classifier of threats to cyber-physical systems, information security, cybersecurity

UDC 681.32:007.5
DOI: 10.15587/1729-4061.2020.205702

used to monitor and control objects of a physical nature (the physical world) is given in [1]. These systems are perceived as a new generation of embedded control systems. In addition, systems in which networks of sensors and actuators are integrated are also considered cyberphysical systems [2]. Due to the dependence on IT systems, cyber-physical systems can be defined as IT systems that are integrated into applications of the physical world [3]. This integration is the result of advances in information and communication technology (ICT) to improve interaction with physical processes. All these definitions emphasize the constant and intense interaction between the cyber and physical worlds.

However, their development also determined a new direction in the development and/or modification of old threats, which is manifested not only in the possibility of hacking and unauthorized access to confidential (personal) information of users, but also in the possibility of conducting an "energy apocalypse". This approach allows cybercriminals to use cyberphysical systems to obtain a synergistic effect from the implementation of threats in cyberspace as a whole.

There are many tasks that dictate the need for a unified approach based on the construction of a classification of threats. These tasks include analyzing deviations from the normal operation of the security circuit in cyberphysical systems, ensuring the stable operation of the security circuit in cyberphysical processes, and preventing hacking of the security system. The construction of a classifier of threats should be carried out taking into account their synergy and hybridity for all security components, namely, information security (IS), cybersecurity (CS) and security of information (SI).
The classifier should reflect the need to integrate security components with social engineering methods and take into account the lack of funds to ensure the required level of security.

Literature review and problem statement
Publications dealing with the development of methodological foundations for constructing classifiers of threats to cyberphysical systems can be divided into three groups. The first group combines publications describing various cyberphysical systems and their features and characteristics that make them vulnerable to various kinds of threats. The second group includes publications on a variety of threats and attacks directed specifically at cyber-physical systems. The publications of the third group describe various approaches to the construction of taxonomy and classification, which, ultimately, lead to the construction of threat classifiers for cyberphysical systems.
The most significant work of the first group is [1], in which existing studies on the safety of cyber physical systems (CPS) are collected and systematized within a single structure. The proposed structure is a three-dimensional system of orthogonal coordinates. The first axis corresponds to the well-known classifications (taxonomies) of threats, vulnerabilities, attacks and security controls. The second axis corresponds to the components and subsystems in terms of their nature, namely, cybernetic (computer information), physical and cyberphysical. The latter exhibits synergistic properties that were not possessed by the elements or subsystems of the first two. And finally, the third axis corresponds to the reflection of the integral (synergetic) functions of cyberphysical systems, as well as their manifestation in various typical cyberphysical systems (for example, intelligent networks, medical CPS and intelligent machines, and mechanisms). Fig. 1 shows the relationship of the proposed structure with critical cybernetic information systems (CCIS), using the banking sector as an example.
It is noted that the designed CPS model can be either abstract, to show the general interactions of the CPS application, or specific, to capture any details when necessary. This representation makes it possible to build a model that is abstract enough to be applicable to various heterogeneous CPS applications and to obtain a modular representation of closely related and interacting CPS components. In this case, the formation and manifestation of synergistic properties in the process of functioning are provided. This abstract separation makes it possible to build a systematic understanding of CPS security and highlight potential attack sources and defenses. The paper argues that identifying differences between traditional IT systems and cyberphysical systems is key in understanding CPS security issues and the subsequent construction of threat classifiers for such systems. Four specific cyberphysical systems are considered, namely, power supply networks, medical systems, smart cars and industrial facilities control systems. For these systems, the issues of communication and their safety are discussed in detail. It is emphasized that security control is usually associated with mechanisms such as cryptography, access control, intrusion detection and many other solutions commonly used in IT systems. These mechanisms are very important for protecting the infrastructure of information and communication technologies. It is noted that CPS security requires solutions that take cyber-physical aspects into account, and these can be supplemented by IT security solutions.
Ensuring the security of CPS is associated with various problems, one of which is an understanding of potential threats [4]. Knowing who/from what CPS protection is organized is equally important for understanding existing vulnerabilities and attack mechanisms. A security threat is defined as "a set of circumstances that could lead to loss or harm" [5].
In [1], five factors are identified for each threat: source, target, motive, attack vector and potential consequences. The source of the threat is the initiator of the attack.
Sources of threats are divided into three types [6][7][8][9][10]:
- warring threats (intentions of individuals, group organizations or states/nations);
- random threats (threats that were caused by accident or using CPS components);
- environmental threats, including natural disasters (floods, earthquakes), man-made disasters (fires, explosions) and interruptions in the supporting infrastructure (power outages or loss of communication).
Goals are CPS applications, their components, or users. CPS attackers usually have one or more reasons to launch an attack: criminal, spyware, terrorist, political, or cyber warfare [10]. A threat can perform one or more of the four mechanisms of a successful attack: interception, interruption, modification, or fabrication [5]. The consequences of an attack may be a violation of the confidentiality, integrity, availability, confidentiality or security of the CPS.
Potential threats and vulnerabilities are investigated for the selected four applications of cyber-physical systems. The work contains summary tables reflecting the influence of each of the five factors noted on a particular type of cyberphysical system, as well as a list of characteristic attacks undertaken against such systems. Despite the fact that the listed factors can be considered as the foundation for constructing a classifier of threats to cyberphysical systems, the issues of taking into account the synergistic effects of the functioning of such systems have not been considered.
In general, the contribution of the mentioned work to the problem of constructing CPS threat classifiers can be formulated as follows: 1) the CPS security system, designed to distinguish between cyber, cyberphysical and physical components in this system is proposed; 2) the potential sources of threats and their motives are investigated; 3) existing vulnerabilities are presented and significant reasons for their occurrence are highlighted using real examples; 4) a review of recorded attacks on CPS was conducted to identify the main vulnerabilities and components susceptible to threats; 5) a comparative analysis of existing control mechanisms has been carried out and unresolved problems and problems in various CPS applications have been identified.
In [4], three key issues for protecting cyber physical systems are discussed: understanding the threats and possible consequences of attacks, identifying the unique properties of cyber physical systems and their differences from traditional IT security, and discussing security mechanisms applicable to cyber physical systems. In particular, security mechanisms are analyzed for: prevention, detection and recovery, resilience and deterrence of attacks.
A distinctive feature of the work is the development of an adversary model as a way to understand the extent of the problem and assess the risks. The work contains descriptions of some potential attackers, their motives and resources. An analysis of the behavioral aspects of attackers was made in [11,12].
The work notes that the goal of cybercriminals is to compromise computers wherever they can be found (even in control systems). Attacks by cybercriminals may not necessarily be targeted. Cybercriminals may not have the intent to harm control systems, but their actions can cause negative side effects. For example, control systems infected with malware may not work properly.
Insiders are currently the main source of targeted computer attacks on control systems [13]. These attacks are important from a security point of view, because they are caused by persons with authorized access to computers and networks used by management systems. Therefore, even if control networks are completely isolated from public networks (and the Internet), insider attacks will still be possible. Since disgruntled employees tend to act alone, the potential consequences of their attacks may not be as devastating as the potential damage done by larger organized groups.
Terrorists, activists and organized crime groups are another potential threat to control systems. Attacks on extortion control systems are not new. Cyber attacks are a natural development of physical attacks: they are cheaper, less dangerous for an attacker, not limited by distance, they are easier to copy and coordinate.
States can also be a potential threat to governance systems. In general, it is not surprising that most military powers learn the technology of future attacks, including cyber attacks against the physical infrastructure of other countries.
The work emphasizes that the main objective of the research is to identify and classify a new type of attacks that are possible in control systems, and to study their possible consequences. For example, attackers can launch unique attacks on control systems (that is, attacks that are not possible in traditional IT systems). One possible example would be resonant attacks. In a resonant attack, an attacker who compromises some sensors or controllers will cause the physical system to oscillate at its resonant frequency.

In [14], based on the definition of a cyberphysical system as a distributed control system with strict time constraints consisting of physical and cyber components, the differences between the IT system and the cyberphysical system are formulated.

Physical Interface: Having a physical interface is what makes CPS security especially difficult. Unlike a standalone IT system, a security breach in a CPS system has disastrous consequences. An attacker can use a physical interface to undermine the security of CPS without the need to violate the access control mechanism. In traditional IT security, this can only happen if data is transmitted over an open network.

Control system: CPS is based on one or more core control networks, which are often integrated with a physical sensor/actuator, which differs markedly from the traditional point of view of IT security. Supervisory control and data acquisition systems (SCADA) are an integral part of modern industrial infrastructure. Unsurprisingly, vulnerabilities in this management network remain an attractive place for cyber attacks that continue to grow due to SCADA systems connected to the Internet [15]. A feature of the analyzed work is not only the classification of attacks, but also its connection with security standards.

In addition, modern hybrid attacks on state-level computer systems do not just damage an isolated machine or disrupt the operation of a single corporate system [16]. Instead, new attacks target infrastructure, which is an integral part of the economy, national defense, and everyday life [17]. Studies of cyberphysical systems have shifted the focus from developing the optimization task of these computing components to the interaction involved between physical media and the computing elements with which they interact [18].

A classification consisting of four dimensions was proposed in [19], which allows one to simultaneously consider issues of both the functioning of the network and issues related to computer attacks. The first dimension of the classification covers the attack vector and the main scenario of the attack. The second dimension of classification identifies an attack by its primary purpose. Vulnerabilities are classified in the third dimension of the classification, and payloads in the fourth taxonomy.

Similarly, the authors present an information security risk analysis methodology that links the assets, vulnerabilities, threats and controls of an organization. The approach uses a sequence of matrices that reflect the correlation of various elements in a risk analysis. The data are aggregated and cascaded by matrices in order to correlate assets with controls in such a way as to obtain priority ranking of controls based on the assets of the organization [20].
In addition, cyber-physical incidents were discussed and classified in [21] based on sectors, sources and impacts of incidents. This document provides an example of how organizing the process of collecting information about cyber incidents can be used by victims of cyber attacks. In addition, an attempt is described to help understand the threat of cyber incidents for various purposes, which may be useful to increase organizational focus from the point of view of cyber incident. In addition, the security ontology for investigating incident analysis [22] allows one to organize a classification similar to that presented in [23].
In the proposed classification, the stages of incidents were investigated taking into account additional extensions that reflect various categories of the entity involved in attacks and attack relationships. So, the authors distinguished the following classes of entities: an attacker, a vulnerability, a tool, a target, an action, goals, and an unauthorized result. Attackers use tools to perform actions that exploit target vulnerabilities.

In [24], models of virtual control system environments (VCSE) are presented, which illustrate the corresponding parts of CPS and their threats. They are designed to analyze the influence of physical factors. Models were built from real, simulated and emulated components that were vulnerable to actual, simulated malicious and other hostile activities.

In addition to the dynamic basis of cyber terrorism, a structure was proposed in [25] that describes the main components of cyber terrorism. Cyber terrorism was defined by a structure reflecting six points of view: motivation, goal, attack method, subject area, criminal actions and attack effects.
The classification of cyber attack and defense mechanisms for emergency management networks aims to support a common understanding of the associated cyber attack and defense mechanisms. Attack mechanisms are classified according to three aspects, according to the network, according to the attacked functions and attack factors, while the defense mechanism is determined by the type of protection, the degree of distribution and organizational elements [26]. In addition, the problems of cybersecurity in emergency management are divided into three groups determined by the criticality of time (refers to emergency situations), when decisions must be made and quickly transmitted. The National Institute of Standards and Technology (NIST) [27] presented a framework focused on using business drivers to guide cybersecurity activities and address cybersecurity risks as part of the organization's risk management processes. The classification structure is represented by three parts: the core of the structure, the profile of the structure, and the levels of implementation of the structure. The core of the structure is a set of cybersecurity measures, outcomes and information guides that are common to critical infrastructure sectors, providing detailed guidance for developing organizational personality profiles. Using the profile, the structure is designed to help the organization bring its cybersecurity activities in line with business requirements, acceptable risks and resources. Tiers provide a methodology for organizations to understand and consider the characteristics of a cybersecurity risk management approach. In addition, a threat-based mathematical quantitative structure is used in [28], which is used to evaluate and design the security of CPS.
To counter each element of the threat, it is proposed to be guided by the following three principles:
- principle 1: focusing on a critical system should include only basic functions;
- principle 2: the movement of key elements of the assets necessary for the mission, and security control, which is difficult for an attacker to achieve physically and logically (to reduce accessibility);
- principle 3: responding, detecting, adapting and misleading attackers by introducing system elements with dynamic response technologies (to counter the attacker's capabilities) [28].
The fundamental work in Ukraine, devoted to the construction of classification systems and classifiers of threats in the field of cybersecurity, is undoubtedly the work [29]. The paper presents the results of the analysis of modern protection of state information resources (SIR) in information and telecommunication systems. At the same time, the emphasis in the work is placed on the regulatory support for the SIR, the legal aspects of the formation of the SIR are described in detail, and new terms and definitions of the problems of their protection are introduced. A significant drawback is the lack of communication of threats with the OSI model, which allows you to identify critical penetration points.
In [30], the authors propose an improved version of the classifier of threats to banking information as one of the resources of critical cybernetic information systems (CCIS) of the state, taking into account their synergies and synergies of security components. Fig. 2 shows a block diagram of the proposed solution.
Thus, the analysis showed that the approaches considered do not take into account the combination of modern threats that are hybrid and synergistic with the elements of the cyberspace infrastructure of companies/organizations. Existing approaches practically do not take into account the economic aspects of ensuring security, which limits the minimization of economic costs for the construction of a comprehensive information protection system. It is the neglect of the economic aspects of security in the construction of the classifier of threats that makes the proposed study relevant.

The aim and objectives of the study
The aim of the study is to develop methodological foundations for constructing a unified classifier of threats to cyber systems based on a synergistic approach. This will make it possible to take into account the criticality of threats and the category of the attacker, to identify that category, and to use the relationship between threats and infrastructure elements of the security chain of business processes to determine critical points of impact. This approach takes into account the economic costs of both the attacker and the comprehensive defense, which makes it possible to find a critical point of resistance and form a set of critical attacks, taking into account the categories of the attacker.
To achieve the aim, the following objectives were set:
- consider the synergies of threats to the security components of cyber systems;
- develop a block diagram of a unified classifier taking into account the synergetic model of threats and economic costs to ensure the required level of security;
- develop models of the "danger" of the intruder based on their classification and the degree of protection of the cyber system;
- develop a methodology for determining the category of violator based on the proposed classifier.

Synergetic threat model for security components of cyber systems
A threat model is usually created from the adapted CIA triad model (confidentiality, integrity, availability), which is the basis for its further modifications in practical models (Hexad Parker model, 5A model, STRIDE model, etc.). However, in the conditions of post-quantum cryptography (in the context of the emergence of a full-scale quantum computer), US NIST experts question the provision of the required level of security with modern symmetric and asymmetric cryptosystems [31]. In addition, the rapid growth and use of "G" technologies can significantly change the vector of the use of cyberspace as the main channel for transmitting information between cyber systems and information and communication systems. Such changes significantly reduce the level of security and can practically reduce it to zero. Under such conditions, it is necessary to consider the complex of threats: their combination and hybridity, leading to the appearance of a synergistic effect with a subsequent increase in the likelihood of a threat based on a synthesis with social engineering methods. In [32], the authors proposed a fundamentally new approach to the methodology for constructing security systems based on the synergetic threat model, which provides the formation of methodological foundations for constructing a classifier of modern threats to cyberphysical systems. In Fig. 3, a block diagram of the synergetic model of synthesis threats to information-critical cybernetic systems (on the example of banking sector organizations) and CPS is proposed.
In accordance with ISO/IEC 27001:2013, threats are classified as intentional, incidental and/or environmental. Typical examples include technical failures, unauthorized actions, software interference, physical damage, compromised functions, etc. However, the standard, like other normative international acts, does not consider the synergy and hybridity of modern threats, their combination with social engineering methods, which significantly increases the risk of the threat.
Determination of the probability of the impact of IS, CS, and SI threats on the security of a BIR based on the threat classifier:

Step 1. Formation of classifier metrics -coefficient metric value; N -number of threats; K -number of experts.
Step 2. Formation of a digital identifier of the threat identifier
Step 3. Selection of weighting coefficients $\alpha_i$, determining the conditions for the manifestation of the i-th threat
Step 4. Determining the implementation of each i-th threat, taking into account the likelihood of attacks.
Step 5. Determining the implementation of the occurrence of multiple threats to the selected service:
Step 6. Determination of the total threat by security components:
Step 7. Determination of the generalized synergetic threat of BIR:

The proposed approach takes into account the possibilities of modern threats, their synergy and hybridity, the possibility of integration with social engineering methods.

Development of a block diagram of a unified classifier
To design a classifier of threats to cyberphysical systems, Fig. 4 provides a block diagram of the methodological foundations of a unified classifier taking into account the synergetic model of threats and economic costs of ensuring the required level of security.
Let us consider in more detail the proposed approach to the formation of a classifier of threats.
At the first stage, experts are invited, using their experience, to form tuples of a threat classifier based on 5 platforms.
The first platform determines the criticality level of the threat (critical, high, medium, low, very low), which allows you to calculate the economic "profitability" of critical threats in step 5.
The second platform defines the attitude towards the security component (information security (IS), cybersecurity (CS), security of information (SI)), which allows you to get an assessment of the synergistic effect on one of the threat components in step 5.
The third platform determines the direction of the threat to security services (integrity, confidentiality, accessibility, authenticity and involvement), which allows you to get an assessment of the impact of several threats on security services in step 4 and determine the direction vector of the impact on infrastructure elements.
The fourth platform determines the nature of the directions of the impact of threats (regulatory, organizational, engineering).
The fifth platform provides an assessment of focus on infrastructure elements and allows you to "identify" critical points in an integrated information security system (IISS).
Moreover, for the objectivity of expert judgments, we use the weighting coefficients of expert competence ($k_k$), presented in Table 1. The total score of the i-th threat is determined by the number of experts according to the expression:

where $x_k$ is the assessment of the i-th threat by the k-th expert; $k_k$ is the expert competency level; $K$ is the number of experts.

A measure of the consistency of expert assessments is the variance, which is determined by the expression:

The statistical probability of the obtained results, $1-\alpha_i$, will be:

where the quantity $x_i$ is distributed according to the normal law with center $\bar{x}_i$ and dispersion $\sigma_X^2$. Then $\Delta$ is determined by the expression:

where $t$ is the value according to the Student distribution for $K-1$ degrees of freedom.
To form metric (weighting) threat factors (Fig. 4) and their impact on security services, we introduce the following notation: j is a security service for both ICS and CPS.

To evaluate the hybrid and synergetic components of the impact of modern threats, we use the following sequence of actions:

1st step. Determination of the average expert rating for all threats to a particular security service:

is the value of the metric coefficient set by the k-th expert for the i-th threat of the j-th security service for ICS, is the value of the metric coefficient set by the k-th expert for the i-th threat of the j-th security service for CPS.

2nd step. Formation of weighting factors for the threat manifestation conditions for ICS and CPS:

are the expert weights of the security services: confidentiality, integrity, availability, authenticity and involvement; -weighting factor of the security service: confidentiality, integrity, availability, authenticity and authenticity of the manifestation of the i-th threat attack.

2) for CPS: are the expert weights of the security services: confidentiality, integrity, availability, authenticity and involvement; α -weighting factor of the security service: confidentiality, integrity, availability, authenticity and authenticity of the manifestation of the i-th threat attack.

4th step. Determining the implementation of several threats to a security service:

where M is the number of several threats that are selected by the expert from the set { } , M i i which is a subset of the entire set of threats of the classifier, that is, $M \le N$.
When forming metric coefficients, it is believed that the results obtained are independent threats; in case of their dependence (coincidence of tuples of threats), it is necessary to use the expression for determining the total probability of dependent events:

$$P(A + B) = P(A) + P(B) - P(AB).$$

5th step. Determination of the total threat by security components, taking into account the expression (6):

To determine the generalized synergistic threat:

The introduction of cost indicators of threats allows implementing an algorithm for constructing a rating of potential threats and the importance of information resources to be protected.
The algorithm proposed in [36] implements the following actions. Both sides of the attack are determined by the importance (rating) of the attacks that are economically feasible.
1st step. Determination of attacks, the effect of which exceeds the costs of their implementation: where $Tr_R^A$ is the set of potential threats whose implementation is effective for the attacker; $Tr_i$ is the threat to the i-th information resource; $P_i^A$ is the cost assessment of the success of the attack on the i-th resource by the attacker; $C_i^A$ is the cost of an attack on the i-th resource by the attacker.
2nd step. Determining the directions of protection that provide an effect higher than the cost of their provision.
where $Tr_C^D$ is the set of threats against which it is economically feasible to build protection; $P_i^D$ is the assessment of the cost of the loss of the i-th information resource for the defense; $C_i^D$ is the cost of protecting the i-th information resource for the protection side.
3rd step. Determination of importance factors for attackers. Each factor is defined as the share of the total winnings that can potentially be obtained by the attackers when implementing the entire range of threats: where $K_i^A$ is the rating coefficient (importance) of the threat to the i-th information resource; M is the cardinality of the set of selected potentially effective threats to the attacking side.
4th step. Determination of importance factors for defenders. Each factor is defined as the share of the total winnings that can potentially be obtained when implementing the entire range of protective measures where $K_j^D$ is the rating coefficient (importance) of building the protection of the j-th information resource.
5th step. The selection of critical threats, based on the evaluation of the product of the importance coefficients of the attacker and the defender, for which this product is maximum: arg max .
Thus, the main difference of the proposed approach is the ability to take into account not only the opinion of experts, but also to form an objective assessment and integration of threats, which allows forming their synergistic effect and hybridity. In addition, the use of the ISO model in the classifier allows you to "identify" critical places in the infrastructure not only of cyberphysical systems, but also in synthesis with Internet technologies of cyberspace and "G" technologies. This approach intuitively allows you to focus on the weak points of comprehensive protection, taking into account economic costs in the face of low funding and the "profitability" of an attack by attackers.
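The five-step rating algorithm above, carried through in Python as an added example (not code from the paper or from [36]). The formulas themselves are not reproduced on this page, so the example assumes that a side's "winnings" on a resource are its value minus its cost and that each importance coefficient is that resource's share of the side's total winnings; the resource names and figures are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    attack_value: float   # attacker's valuation of a successful attack
    attack_cost: float    # attacker's cost of mounting the attack
    loss_value: float     # defender's valuation of losing the resource
    defense_cost: float   # defender's cost of protecting the resource

# Constructed sample data (not from the paper).
SAMPLE = [
    Resource("scada_hmi", 100, 20, 200, 50),
    Resource("billing_db", 60, 30, 90, 40),
    Resource("guest_wifi", 5, 10, 20, 5),    # attack costs more than it yields
    Resource("legacy_plc", 40, 10, 30, 80),  # protection costs more than the loss
]

def shares(net):
    """Steps 3-4: importance = share of the side's total winnings (assumed form)."""
    total = sum(net.values())
    return {name: gain / total for name, gain in net.items()} if total else {}

def rate_threats(resources):
    # Step 1: attacks whose effect exceeds their cost (assumed winnings: value - cost).
    attacker_net = {r.name: r.attack_value - r.attack_cost
                    for r in resources if r.attack_value > r.attack_cost}
    # Step 2: protections whose effect exceeds their cost.
    defender_net = {r.name: r.loss_value - r.defense_cost
                    for r in resources if r.loss_value > r.defense_cost}
    k_att, k_def = shares(attacker_net), shares(defender_net)
    # Step 5: rank by the product of both coefficients; the highest is most critical.
    scores = {n: k_att[n] * k_def[n] for n in k_att.keys() & k_def.keys()}
    ranking = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    # Attractive to the attacker but not economically defensible: residual risk.
    undefended = sorted(set(k_att) - set(k_def))
    return k_att, k_def, ranking, undefended

if __name__ == "__main__":
    k_att, k_def, ranking, undefended = rate_threats(SAMPLE)
    for name, score in ranking:
        print(f"{name}: K_att={k_att[name]:.3f} K_def={k_def[name]:.3f} product={score:.3f}")
    print("attractive but not economically defensible:", undefended)
```

Resources that drop out of the attacker's set need no dedicated budget against that attacker, while those in `undefended` are the ones whose protection cannot be justified at the given cost and must be handled as accepted or transferred risk.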

Development of a model of "danger" of the intruder based on their classification and the degree of protection of the cyber system
Assessing the level of threats is impossible without assessing the capabilities of the attackers themselves (attackers, cybercriminals, etc.). The possibility of implementing a threat largely depends on their "competence", computing resources, time characteristics, and motivation. Thus, an integral part of the threat analysis is the development of a "danger" model of the intruder. This approach allows you to generate many threats, depending on the capabilities of the attackers, to form many possible impacts, to assess the state of preventive protection. It is proposed to use the following classification of violators to form weight coefficients of "danger" of violators, Fig. 5, while CCIS can be both part of the CPS and make up a separate cyberphysical system. The basis of category 5 (Fig. 5) is the taxonomy in [35].
Thus, the classification allows you to introduce elements of many categories of attackers
We define the formal model of the "danger" of the violator taking into account the authors' suggestions [32][33][34]: is the weighting coefficient of the capabilities of the CPS violator, $T$ is the time of successful implementation of the threat, $p_{rj}$ is the probability of implementation of at least one threat to the j-th asset, $i$ is the threat, $\forall i \in n$, $n$ is the number of threats, $j$ is the information resource (asset), $\forall j \in m$, $m$ is the number of assets; $r_{motiv}$ is the probability of the attacker's motivation to implement the threat.
Analysis of the classification of attackers allows you to form an expert assessment and obtain a weight coefficient of the possibility of threats (i-th threat).

Fig. 5. Classification of attackers
The weight coefficient of the "danger" of the attacker is determined by the formula: 1 1 ,
Table 3 shows the initial data of the criteria and indicators of the expert assessment of its location.
Table 3 Initial data of the criteria and indicators of the expert assessment of the weight coefficient of the "danger" of the offender

Development of methods for determining the category of violator
Analysis of Table 3 allows you to create a table of correspondence between the category of cybercriminals and the infrastructure elements of ICS, CPS, and allows you to reversely determine the category of cybercriminals.
Analysis of the classification of attackers allows you to create a set $\{H_j\}$ that determines the levels of impact on ICS (CPS):
- level of technical channels ($H_0$);
- physical layer of the TCP/IP protocol stack ($H_1$);
- link layer of the TCP/IP protocol stack ($H_2$);
- network layer of the TCP/IP protocol stack ($H_3$);
- transport layer of the TCP/IP protocol stack ($H_4$);
- level of harmful effects ($H_5$);
- level of embedded devices ($H_6$);
- application layer of the TCP/IP protocol stack ($H_7$);
- level of the information security system ($H_8$).
In Table 4, the correlation of categories of violator and levels of their impact is determined.
Table 4 Correlation of categories of violator and levels of their impact
Category; Impact levels: $H_0$, $H_1$, $H_2$, $H_3$, $H_4$, $H_5$, $H_6$, $H_7$, $H_8$
Thus, to determine the category of the attacker based on the analysis of (Table 4) the threat classifier, a methodology for determining the category of intruder is proposed, which boils down to the following algorithm:
1) a classification attribute is selected from the set {H}, which determines the levels of impact on ICS (CPS);
2) the threat tuple is determined by the proposed classifier;
3) the vector $V_{ij}$ is formed on the basis of the tuple and the generated set of critical threats (based on the evaluation of the product of the importance coefficients of the attacker);
4) using the vector $V_{ij}$, the maximum category of the intruder is determined in accordance with Table 4, starting with the offender of the first category $L_{del}^{(1)}$.
Thus, on the basis of the proposed methodology, a list of critical threats for each category of violators is built.
If the subjects of attacks are excluded from the list of potential violators, the maximum category of the violator can be reduced, and, consequently, the number of critical threats.

Discussion of the results of the study assessing the degree of "danger" of an attacker
To assess indicators of the degree of "danger" of attackers and the degree of implementation of protective measures, we define sets of weighted metrics that acquire a value in the range [0; 1]. Each metric characterizes the degree to which a particular trait of an attacker or a defensive means corresponds to a given target value.
To assess the degree of "danger" of the attacker, we use the proposed model ICS
To describe the set of characteristics, we use the index h:
Then the average value of all experts' ratings over the entire set of characteristics of all attackers for the j-th security service will be: where CPS j ICS kih γ is the weight coefficient of the h-th metric of the i-th attacker for the j-th service.
Normalization of weights:
We denote by $w_{kg}^{j}$ the value of the estimate of the g-th characteristic of the TMIS by the k-th expert for the j-th security service in the case when the degree of system security and the destructive actions of the attackers are independent.
Then the average value of all experts' estimates of the degree of implementation of protective measures for the j-th security service will be: A graphical representation of the current level of security when changing the capabilities of the parties to the cyber conflict (relative values) is shown in Fig. 6.
Thus, the above expressions (19)-(23) allow, on the basis of the proposed classifier of threats, the "danger" model of the attacker, and the methodology for determining the intruder category, determining:
- the set of critical threats;
- critical points of ICS/CPS infrastructure elements (CCIS);
- preventive measures;
- system security in conditions of underfunding of the security field, taking into account the synergy and hybridity of modern threats.
The proposed approach has certain limitations that should be taken into account in the practical use of the research results. The main limitation follows from the fact that the application of the security level assessment formula assumes that the attacker uses all the resources to organize an attack on a single resource. In addition, it is necessary to take into account the category of the attacker, which allows you to determine its capabilities (computing and financial resources, economic interest). Then the attack is determined by a comprehensive criterion that takes into account the cost of the conduct and the computing capabilities available to the attacker. There is no doubt that all attacks with a lower cost can be implemented. In the case of simultaneous implementation of several attacks of lower cost, the maximum threshold of threats from the attacker will be lower. Similar reasoning can be applied to the defense side. In this case, protection of several less valuable resources can be organized at the same time, rather than a single but more expensive resource. Formed restrictions allow you to identify a group of resources that will not be targeted by a certain category of attackers, whereby exempted funds can be used to organize the protection of other resources. On the other hand, resources can be defined whose protection cannot be ensured due to the limited funding of the security system. From these limitations, the direction for further research follows. Namely, how the decision to simultaneously protect several less valuable resources instead of protecting a single more expensive resource will affect the overall level of system security. 
It is also necessary to develop approaches to assessing the level of security while simultaneously implementing several critical threats aimed at various resources and for different categories of users, while taking into account the synergy and hybridity of threats, as well as their integration with social engineering methods.

Conclusions
1. The analysis of threats in the context of the rapid growth of computing resources, both of cyber technologies and "G" technologies, showed their vector of focus on the integration with social engineering methods to obtain new characteristics, such as synergy and hybridity. Humanity's entry into the era of post-quantum cryptography (the emergence of a full-scale quantum computer) puts forward more stringent security requirements in both ICS and CPS, which form the core of CCIS. In the conditions of possible security chaos (hacking of symmetric and asymmetric cryptosystems by quantum algorithms), the synergetic threat model is put first in the analysis of the current security state, which allows for the integration of threats by security components: IS, CS, SI. The proposed synergetic model allows one to take into account threats not only to ICS, but also their synergy with CPS threats, which greatly simplifies its use in security assessment methods in general.
2. The paper proposes a scheme of a unified classifier, taking into account the synergetic model of threats and economic costs of ensuring the required level of security. This approach allows us to formulate the methodological foundations of its construction and confirms its unification. The proposed classifier provides an intuitive approach to understanding its structure, allows you to generate critical threats, identify critical points in the construction of the ICS/CPS (CCIS) infrastructure. At the same time, the formation of preventive measures in the context of cost savings on TMIS is ensured at low computational and human costs.
3. The proposed model of the "danger" of the intruder based on their classification and degree of cyber system protection allows for the formation of the required security profiles based on the analysis of identified attempts to implement threats and/or to identify deviations from normal operation. This approach allows us to take into account the growth in the computing resources of attackers, the possibility of their motivation and the economic potential for implementing threats in a timely manner. It allows, in the context of the synergy and hybridity of modern threats, to respond in a timely manner to the formation of preventive measures to eliminate critical points in the infrastructure elements, to conduct a planned policy to increase the level of security based on the analysis of simulation results.
4. The developed methodology for determining the category of the intruder on the basis of the proposed classifier and the model of the "danger" of the attacker allows you to generate sets of critical threats, to model the identification of critical points based on the analysis of modeling the "danger" of various categories of attackers. Such an approach, without significant computational, human, and economic costs, significantly reduces the set of critical threats, allows systematizing them, and allows forming profiles of preventive protection measures.