DEVELOPMENT OF A CONCEPT FOR BUILDING A CRITICAL INFRASTRUCTURE FACILITIES SECURITY SYSTEM



Introduction
The skyrocketing number of cyber incidents, which are becoming more serious, is driving the need to improve security, especially in the vulnerable area of critical infrastructure. One of the security challenges for critical infrastructures is the level of awareness of the impact of cyberattacks. The main reason for the escalation of critical infrastructure (CI) cyberattacks may be that most of the CI control systems no longer use proprietary protocols and software, but use standard solutions. As a result, critical infrastructure systems are more vulnerable and prone to cyber threats than ever before. It is important to understand what types of attacks have occurred as this can help direct cybersecurity efforts to real threats to critical infrastructure.
Cyberspace has expanded significantly to become a large, dynamic and intricate network of computing devices. This situation also affected critical infrastructure systems. Apart from the positive effects of technological expansion, there are also disadvantages. Critical infrastructure is the backbone of everyday life in modern society, so its proper functioning is essential. For a long time, the most important infrastructure systems were considered immune to cyberattacks due to their dependence on proprietary networks and equipment. However, recent experience and cyberattacks show that this is unsustainable: the shift to open standards and web technologies makes critical infrastructure systems more vulnerable.
Unintentional or malicious actions in cyberspace have consequences for critical infrastructures in the physical world. Cyberspace attacks are not limited to government intelligence activities. Any part of critical infrastructure, from the banking system and utilities to the transportation or delivery of essential goods, can be attacked.
Attacks on critical infrastructure are diverse and include direct or anonymous access to secure networks through the Internet and supervisory control and data acquisition (SCADA) or employee violation of security procedures. All this leads to the spread of malware inside firewalls.
The problem with critical infrastructure cyberattack analysis is that some cyberattacks go unnoticed. In addition, some organizations are extremely reluctant to report incidents, believing that this leads to potential difficulties in doing business. One of the problems with cyberspace is that critical infrastructure protection is so imbalanced that it takes enormous resources, and only one infected computer disk is needed to start an attack. Thus, cyber defense has become one of the most important issues in national defense strategies.
Since the scale and nature of critical infrastructures preclude experimentation, the burden of understanding critical infrastructures and their relationships, emerging properties and resilience to malicious activity falls on modeling efforts. An attempt has been made to form the concept of building security systems based on a variety of models describing various aspects of critical infrastructure facilities.

Literature review and problem statement
Critical infrastructure (CI) supports basic services required by a complex modern society. Serious disruptions in the provision of services such as transport and energy can leave large populations vulnerable to shortages of food, electricity and fuel, as well as other necessities. Dependence on timely automated supply chains can also exacerbate the impact. Major natural disasters are good examples of how the destruction or degradation of such services affects populations. Large-scale disruption to these services can be triggered by cyberattacks aimed at undermining confidence in the state and designed to deplete emergency, medical and police services. CIs provide the foundation for the national
It can be assumed that control systems of critical infrastructure facilities are the most attractive targets for cyberattacks. Therefore, many works are devoted to the description of the structure, operation and safety of control systems, such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other configurations, such as programmable logic controllers (PLC) [2][3][4][5][6].
In particular, [2] discusses the security issues of industrial control systems, the solution of which involves considering unique performance, reliability and safety requirements. The document provides an overview of ACS and typical system topologies, identifies typical threats and vulnerabilities for these systems, and provides recommended security measures to mitigate associated risks. At the same time, the authors emphasize that their recommendations are focused exclusively on stand-alone use. The paper [3] provides specific recommendations for protection against cyberattacks on the UK's national critical infrastructure. An attempt is made to present the approach by outlining the magnitude of the challenges faced by the UK and what actions the government is taking to combat these threats. A number of recommendations aimed at mitigating these threats, increasing cyber resilience, and facilitating recovery plans as needed are offered. Full interaction and partnership with the owners and operators of critical national private sector infrastructure are vital to the success of the government's national cybersecurity strategy. This suggests that national and global actions are needed to ensure the efficient operation and cyber resilience of critical infrastructure facilities. These problems are relevant for all developed and developing countries. These conclusions should be considered the merit of the publication.
The papers [4][5][6] available for analysis are also focused either on the control system of critical infrastructure facilities or on its individual components that require protection from cyberattacks. At the same time, these works lack a unified concept and appropriate methodology for building a cybersecurity system for critical infrastructure facilities.
Of particular concern is the emergence of IoT and IIoT. IIoT consists of several industrial devices controlled by common software. IoT and IIoT have created many new attack vectors that can be exploited by cybercriminals and terrorists [5]. This evolution, combined with rapidly aging software platforms based on legacy CIs and outdated security policies, has made some CIs extremely vulnerable to cyberattacks.
CI has many internal vulnerabilities in its hardware and structure that could be easily exploited by attackers. Given these vulnerabilities, a terrorist organization is likely to attack CI. Specific examples of cyberattacks are presented in [7,8]. The advantage of these works is the description of the so-called cascade effect, when a successful attack on one of the critical infrastructure facilities can cause a cascade effect of failures of other CI facilities.
Attention should be paid to the works devoted to the concept of sustainable development of developing states in an increasingly complex and unstable global world, and the concept of sustainability as a strategy for solving these problems [9]. The inclusion of a variety of new threats (such as economic, environmental and social) on the national security agenda, as well as ensuring the security of critical infrastructure, has created favorable conditions for a flexible approach to national security. In doing so, the nation state must fulfill its core responsibilities according to the traditional approach to national security, which is more preventive and not always consistent with the sustainability approach. Consequently, nation states must find an appropriate balance between proactive (security) and reactive (resilience) approaches that suit their specific needs as well as the values of society.
However, if the resilience of critical infrastructure remains a major national security concern, the government must nevertheless maintain the position that private operators and owners are responsible for the safety and resiliency of critical infrastructures.
The simulated events showed that a cyberattack on an adversary's CI can create an internal crisis situation with possible economic, psychological and physical damage. Such a cyberattack has not yet been fully performed as part of cyberwarfare by any state or non-state actor. Consequently, forecasting and preparing for computer network attacks are particularly difficult.
It should be noted that the description focuses on the situation of preparing for, or being the victim of, cyberwarfare. However, the description is rather general: the problem is formulated, but solutions are not presented. [10] warns that digital natives in terrorist organizations such as ISIS are likely to choose a cyber-kinetic attack method [11]. "Cyber-natives" means "young people, who entered the digital world, spend much time in the digital environment and use technological resources in their daily lives". In [10], it is argued that a digital terrorist would prefer to disable a power grid, causing cascading effects on the electricity-dependent CI, rather than conduct a ground attack that could directly endanger the attacker's own life. However, modern terrorist organizations may find martyrdom (suicide attacks) much more attractive, thus preferring the truck bomb to the logical one [12]. However, the ability to have a broader and more powerful impact on adversaries makes CI cyberattacks a powerful incentive to change tactics compared to traditional ground attacks carried out in the name of "martyrdom operations" [11]. Future terrorist operations will likely use cyberspace or a combination of cyber and ground-based attack methods, changing tactics as operational capabilities emerge. Therefore, it is imperative to understand the cyber dependencies built into CI and how vulnerable CIs can be to sophisticated cyber terrorist attacks.
Thus, the analysis of the literature [1][2][3][4][5][6][7][8][9][10][11] showed the lack of a single concept of building a system for protecting critical infrastructure facilities from cyberattacks and terrorist attacks, especially in the context of targeted threats with the manifestation of hybridity and synergy. This is noted in almost all publications. The proposed solutions for creating a holistic concept of protecting such facilities are either absent or local in nature and are aimed at protecting individual parts rather than critical infrastructure facilities as a whole.

The aim and objectives of the study
The aim of this work is to develop a concept for building a security system for critical infrastructure facilities based on a variety of models. The proposed models describe the structure and types of critical infrastructure facilities that reflect the typology of cyber terrorists and variety of their attacks in the form of classifiers. This approach will allow creating an effective security system, ensuring effective counteraction to modern hybrid threats to critical infrastructure elements emanating from cyber terrorists, and increasing the security of critical infrastructure facilities.
To achieve the aim, it is necessary to accomplish the following objectives:
- to form a classifier of critical infrastructure threats;
- to develop a concept for modeling the structure and functioning of the security system of critical infrastructure facilities;
- to develop models of a terrorist act and security of the critical infrastructure facility cybersystem;
- to develop a concept for assessing the security of critical infrastructure facilities.

Materials and research methods
Based on the analysis [13][14][15], the following definitions were introduced:
Systems of critical infrastructure facilities (CIF) - a set of automated control (dispatching) systems ensuring the interaction of CIF information and communication networks (ICN), destruction/failure of which significantly affects the information and/or cybersecurity of the state.
CIF information resources (IR) - information resources circulating in the CIF ICN, modification and/or destruction of which may lead to partial or complete destruction of CIF.
Confidentiality - protection of CIF IR from passive attacks.
Confidentiality of the CIF system - a property of the information security system (ISS) of CIF ensuring security during transmission.
Integrity - protection of CIF IR during storage and/or modification of CIF IR only by an authorized user (process).
Integrity of the CIF system - a property of the CIF ISS ensuring security during storage and/or modification of CIF IR only by an authorized user (process).
Availability - access of an authorized user to CIF IR.
Availability of the CIF system - a property of the ISS ensuring unlimited access to IR in accordance with the security model.
Authenticity - confirmation of CIF IR authenticity.
Authenticity of the CIF system - a property of the ISS ensuring the authenticity of the information source.
Continuity of the business processes of the CIF system - a property of the ISS ensuring the formation of a security loop for the business processes of CIF, which makes it possible to resist the blocking of the main functions or destruction of CIF.
Security of CIF IR - the state of the CIF security ensuring security services.
Threats to CIF IR - a set of technogenic and anthropogenic threats, the integration of which can lead to a synergistic effect, which significantly increases the risks of the implementation of threats to CIF elements.
Information threats are expressed in availability, integrity, authenticity and confidentiality violations. Fig. 1 shows a block diagram of a synergistic threat model for the CIF elements.
The presented threat model, using the principles of universality, takes into account not only possible synergistic/emergent features of the integration of modern target threats into security components, but also their hybridity. This approach allows forming a single (unified) classification base of CIF threats, taking into account their categories, goals and possible damage, which greatly simplifies the understanding of potential terrorist attacks on the CIF elements.

1. Development of a critical infrastructure threat classifier
To form a general classifier of threats to the CIF elements, it is proposed to divide the procedure (Fig. 2, 3) into two stages. At the first stage, based on the expert evaluation of threats and their impact on the security services of the CIF ISS, a single base of threat vectors is formed, which can be implemented by attackers at various CIF.
At the second stage, on the basis of the proposed expressions, the probabilities of threats and the possibility of their synergistic and/or hybrid impact on infrastructure elements are calculated. In this case, the synergistic effect is understood as the impact of threats on one of the security components: cybersecurity (CS), information security (IS) or security of information (SI). This approach makes it possible to significantly simplify the classification of threats and/or terrorist acts, to form relationships between threats and security services, and to define hybrid threats as the aggregation of the impact on one of the security services in all security components. The classifier consists of 6 platforms.
The first platform defines the criticality of a threat (terrorist attack) as critical, high, medium, low or very low. The second platform defines the security components: CS, IS, SI. The third platform determines the focus of the threat on one of the security services, which allows assessing the possibility of a synergistic effect of threats on elements of critical infrastructure facilities.
The fourth platform defines the purpose of the terrorist attack: complete destruction of CIF (01), destruction of individual CIF elements (02), complete blocking of CIF functionality (03), partial blocking of functionality (04).
The fifth platform allows determining the impact of the threat (terrorist attack) on the CIF elements, such as technical channel layer ($H_0$), ISO/OSI physical layer ($H_1$), data link layer ($H_2$), network layer ($H_3$), transport layer ($H_4$), application layer ($H_5$), layer of physical protection of CIF CPS elements ($H_6$), layer of possible secret intelligence devices ($H_7$).
To verify the expert evaluation, we use the approach proposed in [13]. In the expert evaluation of the objectivity of expert judgments, we use the weight factors of expert competence ($k_k$) presented in Table 2.
The total estimate of the i-th threat is determined by the number of experts according to the expression: where $x_k$ is the k-th expert's estimate of the i-th threat; $k_k$ is the expert's competence level; $K$ is the number of experts. A measure of the consistency of expert estimates is the variance, determined by the expression The statistical probability of the results obtained $1 - \alpha_i$ where the value $x_i$ is distributed according to the normal law with the center $\bar{x}_i$ and variance $\sigma_X^2$. Then $\Delta$ is defined by the expression: where $t$ is the Student's distribution value for $K-1$ degrees of freedom.
This approach allows forming an expert estimate of existing threats to security components (IS, CS, SI), taking into account their focus on hacking/termination of security services. The versatility of the approach lies in the objective assessment of experts' judgments, which allows using this mathematical tool when considering the entire range of threats, the possibility of their integration, synergy and hybridity.
[Fig. 3. Threat classifier structure (automatic calculations)]
To form metric (weight) factors of threats (Fig. 4) and their impact on security services, we introduce the following designations and offer the following mathematical tool:
1) j - security service for CIF. Basic security services:
To assess the hybrid and synergistic components of threats, we use the following procedure:
- Step 1. Assessment of the relationship between threats and security services: Tr P C Tr Tr Tr K K is the value of the factor set by the k-th expert for the i-th threat to the j-th security service.
- Step 3. Determination of threat implementation: 1 1 , For security services and the i-th threat:
- Step 4. Determination of implementation of several threats to the security service: where M is the number of threats selected by the expert from ≤
When forming the metric factors, it is considered that the results refer to independent threats. In the case of their dependence (coincidence of the threat tuples), it is necessary to use the expression for determining the total probability of dependent events: In this case, only tuples of vectors that refer to the threats themselves are evaluated (platforms 1-5). This approach allows forming a common unified base of threats to all CIFs that can lead to terrorist attacks, the likelihood of their implementation and possible damage, without reference to the categories of critical infrastructure facilities.
- Step 5. Determination of a synergistic threat by security components:
- Step 6. Minimization of financial costs of preventive protection measures (we use the procedure proposed in [13]).
Thus, the main feature of the proposed approach is the possibility of forming a single unified base of threats to critical infrastructure facilities regardless of the CIF category. This makes it possible not only to simplify the formation of the CIF threat base, but also to timely take into account vectors of targeted attacks, the possibility of their integration, synergy and hybridity, as well as identify critical CIF points, their relationship with information resources. In addition, the proposed approach makes it possible to minimize funding for creating a security loop for CIF business processes, as well as timely formulate preventive measures and protection profiles.
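The two-stage procedure above can be sketched in code; this is an added example, not the authors' implementation. The paper's own expressions are not reproduced on this page, so the competence-weighted mean, the weighted variance, the interval Δ = t·σ/√K and the independent-threat combination 1 − ∏(1 − p) are assumptions, as are all names and the constructed sample threats.

```python
"""Added example: competence-weighted expert scoring over classifier tuples."""
from collections import defaultdict
from dataclasses import dataclass
from math import prod, sqrt

# Two-sided 95% Student's t values for K-1 degrees of freedom (standard table).
T_95 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571,
        6: 2.447, 7: 2.365, 8: 2.306, 9: 2.262}
COMPONENTS = ("CS", "IS", "SI")  # platform 2 of the classifier


@dataclass(frozen=True)
class Threat:
    name: str
    criticality: str   # platform 1: critical / high / medium / low / very low
    component: str     # platform 2: CS, IS or SI
    service: str       # platform 3: C, I, A, Au (labels assumed here)
    purpose: str       # platform 4: "01".."04"
    layer: str         # platform 5: H0..H7
    estimates: tuple   # x_k: one probability estimate per expert


def expert_estimate(x, k):
    """Return (mean, variance, delta) for expert estimates x weighted by competence k."""
    n_experts, weight = len(x), sum(k)
    mean = sum(ki * xi for ki, xi in zip(k, x)) / weight
    var = sum(ki * (xi - mean) ** 2 for ki, xi in zip(k, x)) / weight
    delta = T_95[n_experts - 1] * sqrt(var / n_experts)  # assumed form of the interval
    return mean, var, delta


def combined(probabilities):
    """Probability that at least one of several independent threats is realized."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def synergy_by_component(threats, k):
    """Synergy: threats aggregated inside one security component."""
    groups = defaultdict(list)
    for t in threats:
        groups[t.component].append(expert_estimate(t.estimates, k)[0])
    return {c: combined(ps) for c, ps in groups.items()}


def hybrid_by_service(threats, k):
    """Hybridity: one security service hit in all three components at once."""
    groups = defaultdict(dict)
    for t in threats:
        groups[t.service].setdefault(t.component, []).append(
            expert_estimate(t.estimates, k)[0])
    return {s: combined([p for ps in by_comp.values() for p in ps])
            for s, by_comp in groups.items() if set(by_comp) == set(COMPONENTS)}


COMPETENCE = (1.0, 0.5, 0.5)  # constructed weights k_k for three experts
THREATS = [                   # constructed sample tuples, not from the paper
    Threat("T1", "high", "CS", "A", "03", "H3", (0.6, 0.8, 0.7)),
    Threat("T2", "medium", "IS", "A", "04", "H5", (0.2, 0.4, 0.3)),
    Threat("T3", "critical", "SI", "A", "01", "H6", (0.1, 0.1, 0.1)),
    Threat("T4", "low", "CS", "C", "04", "H2", (0.5, 0.5, 0.5)),
]

if __name__ == "__main__":
    for t in THREATS:
        m, v, d = expert_estimate(t.estimates, COMPETENCE)
        print(f"{t.name}: estimate {m:.3f} +/- {d:.3f} (variance {v:.5f})")
    print("synergy:", synergy_by_component(THREATS, COMPETENCE))
    print("hybrid:", hybrid_by_service(THREATS, COMPETENCE))
```

A wide interval relative to the estimate (T1 here) signals poorly agreeing experts, which is the point of the consistency check before a threat enters the unified base.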

2. Development of a concept of modeling the structure and functioning of the security system of critical infrastructure facilities
Understanding and mitigating risks and threats to critical infrastructures highly depend on the ability to create and validate models, often involving physical systems or even human intervention.
The problem space of modeling includes both critical systems in general, such as industrial control systems at critical facilities, and interactions between several sectors of critical systems. Such a range of objects can be effectively described only by an equally wide range of modeling methods corresponding to the studied aspects of the infrastructure.
Formal identification of critical infrastructures has been made relatively recently [16], so the problem of modeling the construction of a CIF security system remains relevant. Such models were designed to solve relatively well-defined physical and engineering problems and therefore amenable to methods such as statistical reliability models for physical systems. These models are focused on designing technical systems with parametric fault tolerance.
However, the current understanding of critical infrastructures has revealed several additional dimensions to be mapped through modeling to ensure adequate reliability of the entire infrastructure. One of the most important aspects is the relationships between infrastructures and their components, as well as failure conditions leading to unavailability of infrastructure elements. This is unlikely to become apparent without a sufficient degree of abstraction allowing for a deeper understanding of such structural properties.
Obtaining such structural properties is a serious problem, since they are not limited only to obvious physical relationships, but must also reflect the information and communication aspects that define logical relationships.
More importantly, however, both information-based mechanisms and traditional physical vectors can be used by adversaries to degrade, damage or destroy infrastructure elements with disproportionate effects. Such hostility models are not common in many critical infrastructure sectors and, therefore, can be a source of serious vulnerabilities when threats are not fully understood and so not properly addressed. Thus, modeling is critical to obtain this information to design more robust infrastructure elements. The problem in any description of critical infrastructure models is a broad scope, as defined in [17,18] and subsequently expanded in [19]. When it comes to critical infrastructure models, this can refer to several levels of abstraction, necessarily also aimed at answering different questions that the modeling concept has to address, as shown in Fig. 4.
In many models, the definition of CIF components was based on the impact of events or chains of events on infrastructure elements [20,21]. This understanding, in particular of risk at different scales, leads to a classification mechanism originally proposed in [22] in the context of technical risk modeling and subsequently refined [23] into an infrastructure scale taxonomy, as shown in Fig. 4.
Verifying the applicability of the presented security analysis models requires significant effort. This is true even if the model takes into account all parameters related to security and reliability analysis.
For lower levels of abstraction, it may be possible to derive and test such models explicitly from the basic principles. At higher levels of abstraction, this leads to uncertainty in the validity of the model.
Such uncertainty is already problematic when it is not easy to determine whether the basic problem is ill-conditioned. Conditionality is defined as a situation where small variations in parameters lead to disproportionate changes in results. Poor conditioning can be a feature of the modeling method. This problem also arises in the context of combining several specialized models or models that address different levels of abstraction [24].
Moreover, in some cases, the same mathematical methods can be applied at different levels of abstraction, which is especially noteworthy for the case of game-theoretic models.
Economic models serve mainly to identify high-level relationships and can also reveal quantitative effects, albeit with a relatively low resolution. Most of the models used in the area of critical infrastructure are input-output models, focusing primarily on aspects driven by demand or supply. However, such models are necessarily limited to the state of equilibrium.
An application to critical infrastructures was originally proposed in [25], where several interrelated systems are considered, including intra-industry relationships. The purpose of the review is to identify inoperability caused by one or more failures. Such failures can be both natural and artificial. In the proposed model, inoperability is defined as the level of system dysfunction, i.e., as part of expected operability level, which is described by the Inoperability Input-Output model (IIM).
To capture the disturbance aspect, IIM extensions include demand reduction IIM, as well as variants of dynamic IIM that seek to reflect the effects of repeated recovery [23]. These models, summarized in [26], are also considered and applied in a variety of quantitative case studies at the regional and sectoral level [27], including [28] and in studies at larger scales, including studies on national economies [29]. The authors [30] applied the IIM to the case of damage caused by industrial espionage. Earlier works [31] sought to apply the modeling method to control systems, studying the effects of inoperability resulting from failures in the supervisory control and data acquisition (SCADA) systems.
Moreover, the IIM approach was applied not only to describe and analyze existing relationships and related risks, but also as a basis for minimizing the relationships of critical infrastructure subsystems [32].
An extension of the IIM model to study the impact of information technology and information security-based relationships is presented in [33]. A significant result of the work is quantitative indicators for identifying intersectoral relationships caused by information security problems.
In [26], a family of models is presented that reflect a decrease in efficiency indicators and economic losses of the system and allow estimating the impact of failures on information provision. However, models are limited to large-scale abstractions and are not suitable for obtaining quantitative data for subsystems or individual blocks. This is reflected in the mechanisms of attacker behavior modeling [34].
The dynamic IIM allows analyzing parameters such as optimization of buffering in the form of stocks to mitigate fluctuations in supply levels [35]. The use of explicit probabilistic vectors of disturbances from the demand side in the IIM increases the reliability of modeling results and the applicability of models for cybersecurity purposes [36][37][38].
Applicability for cybersecurity purposes may require the introduction of a cost metric for disparate facilities included in the critical infrastructure [39][40][41].
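The inoperability models discussed above can be made concrete with the commonly published IIM forms, q = A*q + c* for the static case and q(t+1) = q(t) + K[A*q(t) + c*(t) − q(t)] for the dynamic case. The following is an added example, not code from any cited work; the sector list, interdependency matrix, resilience coefficients and perturbation are constructed values.

```python
"""Added example: static and dynamic Inoperability Input-Output Model (IIM)."""

SECTORS = ["power", "telecom", "water", "transport"]  # constructed sectors

# A[i][j]: inoperability induced in sector i per unit inoperability of sector j.
# Constructed values for illustration only.
A = [
    [0.00, 0.10, 0.00, 0.05],
    [0.40, 0.00, 0.00, 0.00],
    [0.30, 0.10, 0.00, 0.00],
    [0.20, 0.15, 0.00, 0.00],
]


def static_iim(a, c, tol=1e-12, max_iter=10_000):
    """Solve q = A q + c by fixed-point iteration; 1.0 means fully inoperable."""
    n = len(c)
    q = list(c)
    for _ in range(max_iter):
        nxt = [min(1.0, c[i] + sum(a[i][j] * q[j] for j in range(n)))
               for i in range(n)]
        if max(abs(x - y) for x, y in zip(nxt, q)) < tol:
            return nxt
        q = nxt
    raise ValueError("no convergence within max_iter")


def dynamic_iim(a, perturbation, k, steps):
    """Iterate q(t+1) = q(t) + K[A q(t) + c(t) - q(t)] and return the trajectory.

    perturbation(t) returns the demand-side perturbation vector c(t);
    k[i] is the resilience (recovery rate) coefficient of sector i.
    """
    n = len(k)
    q = [0.0] * n
    history = [q]
    for t in range(steps):
        c = perturbation(t)
        q = [min(1.0, max(0.0, q[i] + k[i] * (
                c[i] + sum(a[i][j] * q[j] for j in range(n)) - q[i])))
             for i in range(n)]
        history.append(q)
    return history


def power_outage(t, duration=20, depth=0.3):
    """Constructed scenario: the power sector loses 30% for the first 20 steps."""
    return [depth if t < duration else 0.0, 0.0, 0.0, 0.0]


if __name__ == "__main__":
    steady = static_iim(A, power_outage(0))
    for name, value in zip(SECTORS, steady):
        print(f"{name:10s} equilibrium inoperability {value:.4f}")
    trajectory = dynamic_iim(A, power_outage, k=[0.5] * 4, steps=80)
    for t in (1, 5, 20, 25, 40, 80):
        print(t, [round(v, 4) for v in trajectory[t]])
```

Water receives no direct perturbation yet ends up about 11% inoperable at equilibrium, which is the cascade effect the IIM is used to quantify; the dynamic run shows how quickly that effect builds and how it decays once the perturbation is removed.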
In [29], the role of individual infrastructures in the formulation of dynamic IIM is determined, which is of particular interest for understanding the potential of cascade effects. It is proposed to use a qualitative parameter estimate [42] and map it to fuzzy sets with convex membership functions. It is proposed to implement this approach by introducing extensions based on intelligent agents. System-dynamic approaches are considered in [43][44][45][46]. So, [43] considers the relationship between infrastructure facilities and information flows, [44,45] study the structural properties of CIF. System dynamics provides insight into the types of threats to critical infrastructure, in particular, social engineering attacks [46].
Practice shows that it is difficult to avoid internal attacks, including attacks based on social engineering rather than technical measures. Therefore, when developing control mechanisms, it is necessary to focus on the ways in which control and interaction means can cause delays in implementing attackers' goals. In [47], an attempt is made to formalize similar aspects for the more general case of security management.
The systems dynamics approach is applied to both target and large-scale critical infrastructure environments [43,48].
Larger-scale applications of systems dynamics for describing dynamic interactions are often based on simulation to help understand such relationships and cascading effects. These applications can use industry models, which are then combined through a better system dynamics approach.
One example of such a simulation environment is the Critical Infrastructure Protection Decision Support System (CIP/DSS) [49,50]. This environment is based on discrete event modeling, rule-based expert systems and coupled differential equations for sector submodels. The simulation results were used in [51,52] to identify clear economic impacts, their recovery and mitigation.
In [53], a system dynamics model is presented, which used the functional modeling mechanism (IDEF0 [54]) to determine the requirements and mechanisms for information exchange. This allows simulating local loss of function or bandwidth in the infrastructure as a whole, and then applying a decision support system using nonlinear optimization.
For large-scale models, there can be about 100 model elements, which usually requires an understanding of sector-specific aspects [49,53]. System dynamics modeling helps to solve some of these problems using the so-called group model construction [55,56], which seeks to integrate domain expertise into the overall model.
Behavioral and system-game models are proposed in [57][58][59]. Such methods are usually based on a combination of expert estimates and Bayesian statistics [57] or on explicit causal models. This approach may be useless assuming the adaptability of an intelligent adversary [58].
Behavioral and game-theoretic models provide for two or more agents whose interactions can be modeled under various constraints [59]. However, these interactions usually include:
- the ability to cooperate or act against the interests of other agents;
- the ability to interact with different levels of information about each other;
- the possibility of both one-time interaction and interaction over several rounds;
- the attainability of agents' solutions both simultaneously and sequentially.
This type of model assumes that agents are rational and act to maximize their utility. This is done by evaluating the results and choosing the actions that give the most preferable results, taking into account the actions of other players.
Of particular interest for considering hostile behavior is the assumption of complete information [60,61] and the possibility of cooperation [62], which can be clear with full participation or unclear with varying participation levels. Game-theoretic security modeling, including strategic military models, is presented in [63,64]. In the field of political science, applications are used that include arms control strategies [65], as well as applicability to information warfare [66]. Models of terrorist activities and related resource protection or allocation strategies are presented in [67,69].
The use of game-theoretic models to protect critical information infrastructures is not well represented in the literature. Besides [66], examples include the use of two-player stochastic games [70] to capture the attackers' behavior under the Nash equilibrium. The model in [71] attempts to explicitly map the perception of attackers in the game-theoretic structure, as well as parameters, including resource allocation. Many of the physical security and counter-terrorism problems require careful analysis, taking into account various assumptions, which includes modeling of substitution effects and amount of mutual information [72]. Existing models [67] and subsequent developments [73,74] not only estimate the parameters, but also assume the simultaneous play of attackers and defenders [70,75].
Graph and network models provide rigorous formalization [76] and are easily adaptable to network infrastructures such as telecommunications, pipelines, and power distribution. By assigning a set of properties to nodes and edges and by defining flows along the graph edges, many aspects of critical infrastructures and their relationships for both physical assets and information flows can be covered. One of the main goals of such models is usually to capture the physical and logical relationships between network components, which may belong to several different infrastructure sectors.
Critical infrastructures are often long, and individual infrastructures can contain more than $10^5$ elements. This explains the interest in studying graph-theoretic concepts to understand how a graph or interaction structures can be used to characterize the resilience of a network infrastructure.
Particular attention should be paid to the intensive study of random graphs such as the Erdős-Rényi graphs [76,77].
Empirical research has shown that many networks, both in nature and human-created, are scale-free. To reflect the dynamics of the critical infrastructure, the processes of graph growth and the mechanism of preferential attachment of new edges added to the graph are considered [78]. This work has resulted in a number of methods more widely used in statistical mechanics being applied to complex networks, including critical infrastructures and their relationships [79,80]. The paper [81] provides a broader view of complex networks in general.
It is noteworthy that even relatively simple assumptions of graph theory make it possible to study the resistance of graphs to attacks. In [82], a process is described in which a dynamically evolving random graph is expanded using preferential attachment to achieve scale-free properties, taking into account the adversary's ability to remove some of the vertices.
One of the areas associated with the ability to describe complex networks, of which critical infrastructure networks are only one instance, is the analysis of the resilience of such networks to attacks. The study [83] describes general classes of error vulnerabilities as well as deliberate attacks, while a number of authors analyzed specific infrastructure sectors using network complexity theory methods.
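The difference between random errors and deliberate attacks described above can be reproduced on synthetic graphs. The following Python sketch is an added example, not code from the paper or the cited works: it grows a scale-free graph by preferential attachment, builds a random graph with the same number of nodes and edges, and measures the largest connected component after removing a share of the nodes either at random (failure) or by highest degree (attack). The graph size, the 20% removal share, the seed and all function names are assumptions chosen for illustration.

```python
import random

def scale_free_graph(n, m, rng):
    """Preferential attachment: each new node links to m degree-weighted nodes."""
    adj = {u: set(range(m + 1)) - {u} for u in range(m + 1)}  # seed clique
    # One list entry per incident edge, so a uniform draw is degree-weighted.
    stubs = [u for u in adj for _ in adj[u]]
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(stubs))
        adj[new] = set(targets)
        for t in sorted(targets):
            adj[t].add(new)
            stubs += [new, t]
    return adj

def random_graph(n, edge_count, rng):
    """Uniform random graph with a fixed number of edges (Erdős-Rényi G(n, M))."""
    adj = {u: set() for u in range(n)}
    placed = 0
    while placed < edge_count:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]:
            adj[u].add(v)
            adj[v].add(u)
            placed += 1
    return adj

def largest_component(adj, removed):
    """Size of the largest connected component once `removed` nodes are gone."""
    seen, best = set(removed), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        stack, size = [start], 0
        while stack:
            u = stack.pop()
            size += 1
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    stack.append(v)
        best = max(best, size)
    return best

def surviving_fraction(adj, fraction, rng, targeted):
    """Share of all nodes left in the largest component after the removal."""
    k = int(fraction * len(adj))
    if targeted:   # deliberate attack: highest-degree nodes first
        removed = sorted(adj, key=lambda u: (-len(adj[u]), u))[:k]
    else:          # random error: uniformly chosen nodes
        removed = rng.sample(sorted(adj), k)
    return largest_component(adj, removed) / len(adj)

def compare(n=2000, m=2, fraction=0.2, seed=7):
    """Constructed experiment: both graphs have n nodes and the same edge count."""
    rng = random.Random(seed)
    sf = scale_free_graph(n, m, rng)
    er = random_graph(n, sum(len(s) for s in sf.values()) // 2, rng)
    return {name: {"failure": surviving_fraction(g, fraction, rng, False),
                   "attack": surviving_fraction(g, fraction, rng, True)}
            for name, g in (("scale_free", sf), ("random", er))}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:10s} failure={row['failure']:.2f} attack={row['attack']:.2f}")
```

For a defender, the gap between the two scale-free figures indicates how much of the network's connectivity rests on a small set of hub nodes, which are the first candidates for redundancy and hardening.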
One area of particular interest that, however, has not been fully explored, but is critical for understanding the implications of deliberate attacks on critical infrastructure networks, is the dynamic aspects of such graphs. Although the analysis was carried out on aspects such as individual failures, cascading failures have been investigated by a number of researchers, including early works [84,85]. In [86], cost models for attackers were introduced.
The considered approaches are associated with the need to analyze information flows that can be mediated by human interaction. The study of such networks uses graph-theoretic concepts to understand such relationships and can rely on a large number of modeling methods specially adapted for social network analysis [87].
Agent-based models are often used to analyze the interdependencies of infrastructure facilities. Infrastructures or physical components are modeled as agents, which allows analyzing the performance and physical condition of the infrastructure and also capturing behavioral aspects, including irrational behavior [40]. Such agent-based systems have been widely used in other fields, which allows using the results to capture aspects such as the interaction of physical objects [88]. Descriptions of physical agent interaction were integrated into the model of interacting social agents, for example, to track the behavior of agents in the electricity and natural gas markets [89].
Most research has focused on using fewer explicit agents to describe the behavior of interacting agents in order to identify relationships in infrastructures [90,91]. An example of such an agent-based modeling and simulation environment is [92] as a continuation of [93]. In [92,93], the combined use of relationship analysis and qualitative methods to determine the parameters causing relationships is presented. With this approach, the model is built from composite elements, but with emergent properties of complex adaptive systems. Agents are represented as objects with a geospatial location, a number of domain-specific capabilities, and internal memory.
Obtaining comprehensive and complete datasets can be difficult even with analytical and simulation mechanisms. This has also led to several high-quality models and simulation environments, the main purpose of which is to enable an expert to visualize the relationships between sectors and infrastructure elements, without necessarily providing predictive capabilities. An example of such an environment is presented in [93,94]. The critical infrastructure modeling system (CIMS) uses georeferenced features and graphs to simulate events, such as fires or floods, using a discrete event modeling environment.
Physical and geospatial models are usually designed to solve well-defined problems in a particular sector or for a specific facility. These models exhibit high computational complexity, while significantly varying the level of detail [43] from simple vulnerability analysis and intra-industry relationships to continuous physical models.
Such models are necessary to describe the operation of infrastructures [95], which allows for quantitative risk analysis [96]. External effects on critical infrastructures, such as cyberattacks, must be taken into account and even generated in the model. Spatial proximity is an important parameter in the study of relationships and physical effects, which is not always clear from the analysis of only logical relationships. Therefore, a number of efforts have been aimed at creating models of critical infrastructures and their relationships based on geospatial information systems (GIS) [97,98]. Examples of using GIS functions in the area of critical infrastructure include approaches based on the theory of multi-attribute utility for forecasting.

3. Development of a model of a terrorist act and security of the critical infrastructure facility cybersystem
The formation of complex (echelon) protection of a critical infrastructure facility is based on the hierarchical structure of the synthesis of information security systems of cyber-physical systems, Internet technologies and computer networks, as well as mobile technologies. This approach allows forming a synergistic model of CIF threats, taking into account the impact of terrorists on its elements (Fig. 5).
To form a model of a terrorist act and security of the critical infrastructure facility cybersystem, a mathematical tool has been developed:
- classification allows entering elements of a set of attacker categories { } : is the identifier of the terrorist-perpetrator; is the weight factor of the capabilities of the perpetrator of the terrorist attack on CIF; T is the time of successful implementation of the threat; $p_{rj}$ is the probability of implementation of at least one threat to the j-th asset, i is the threat, $\forall i \in n$, n is the number of threats; j is the information resource (asset), $\forall j \in m$, m is the number of assets; $r_{motiv}$ is the motivation of the terrorist-perpetrator to carry out a terrorist attack on CIF, T is the time of the terrorist attack. Analysis of the attacker categories allows forming an expert estimate and obtaining a weight factor for the threat implementation probability (the i-th threat);
- the weight factor of the terrorist-perpetrator's capabilities is determined by:  [13]).
The proposed approach makes it possible to unify the procedure for determining the probability of a terrorist attack on CIF, taking into account the terrorist-perpetrator's capabilities, both financial and computing resources.
The analysis of the CIF infrastructure level and terrorist-perpetrator categories allows forming the set {$H_j$}, which forms the levels of impact on CIF: technical channel layer ($H_0$); ISO/OSI physical layer ($H_1$); ISO/OSI link layer ($H_2$); ISO/OSI network layer ($H_3$); ISO/OSI transport layer ($H_4$); ISO/OSI application layer ($H_5$); layer of physical protection of CIF elements (video surveillance, sensors, grilles, locks, etc.) ($H_6$); layer of possible secret intelligence devices (ventilation ducts, power lines, etc.) ($H_7$);
- the relationship matrix for the terrorist-perpetrator category and the level of impact on CIF is defined as:
Thus, the relationship matrix for the terrorist-perpetrator categories and the levels of impact on CIF allows determining the terrorist-perpetrator category by the threat classifier according to the proposed method:
- Stage 1. Determination of the level of impact on CIF from the set {H};
- Stage 2. Determination of the threat according to the CIF threat classifier;
- Stage 3. Determination of the relationship matrix for the terrorist-perpetrator category and the level of impact on CIF;
- Stage 4. Determination of a possible terrorist-perpetrator from the relationship matrix.
Thus, based on the proposed methodology, a list of critical threats for each attacker category is constructed. Taking into account the modern approaches proposed in [99][100][101][102][103][104][105][106][107][108] for assessing the layer of possible secret intelligence devices ($H_7$), the time and financial costs of preventive protection measures are significantly reduced.

4. Development of a concept for assessing the security of critical infrastructure facilities
To determine the current state of security, we use the approach proposed in [14], which takes into account the proposed approach to the formation of a synergistic threat model, categories of attackers, their goals and capabilities. Fig. 6 shows the concept of assessing the security of critical infrastructure facilities.
To assess the current state, it is proposed to use the following mathematical tool:
- the formally improved model of CIF is defined as:

I Type A A A A A A =
Type is the type of information asset, described by a set of basic values: Type = {CI, PD, CD, TS, StR, PubI, ContI, PI}, where CI is confidential information, PD is payment documents, CD is credit documents, TS is trade secret, StR is statistical reports, PubI is public information, ContI is control information, PI is personal information.
- each threat to the CIF elements is formalized by the tuple:   (20) where $p_{rj}$ is the probability of a threat to the j-th asset, i is the threat for all i that belong to n, the number of threats, j is the IR (asset) for all j that belong to m, the number of IR; $D_{potential}$ is the potential damage, risk is the risk expressed in a qualitative form and taking one of the values ( ) from [13].
The formal model of the terrorist-perpetrator is defined as: where $L_{del}$ is the attacker categories; target is the attacker's target, T is the time of successful implementation of the threat; $r_{motiv}$ is the probability of the terrorist-perpetrator's motivation.
- formally, the relationship between the categories of attackers and their impact on the CIF elements is defined by the matrix impact , where $T_{pe}$ is the type of the IS tool, $T_{introducing}$ is the introducing time, $C_{pe}$ is the cost of the IS tool;
- formally, the relationship between threats and information security systems: it is concluded that the CIF ISS is not able to protect the IR from the threat, and it is necessary to introduce additional protection means and mechanisms to increase the CIF security;
- requirements of international and national standards and legislation: A is the set of information security assessments.
The current state of the CIF IS is determined by the following indicators:
- $OPZ_1$: assessment of threat risks and the presence of critical points in the CIF elements;
- $OPZ_2$: assessment of possible attacks on the CIF elements;
- $OPZ_3$: assessment of compliance with regulatory requirements.
The proposed mathematical tool of the concept of assessing the security of critical infrastructure facilities provides a qualitative estimate of the current state of information security:
Thus, the proposed approach is understandable to an average person, allows one to intuitively understand the main critical points of CIF, possibilities of a terrorist attack on them, as well as necessary preventive measures, in conditions of minimizing the financial support of the information security system.

Discussion of the results of research on developing a concept of building a security system for critical infrastructure facilities
To assess the likelihood of a terrorist attack and the readiness of protective measures, sets of weighted metrics were determined, which acquire a value in the range of [0; 1]. Each metric characterizes the degree of compliance of a certain attribute of a terrorist-perpetrator or protective agent with a given target value.
To assess the "danger" of the attacker, we use the proposed model To describe the set of characteristics, we use the index h: Then the average estimate of all experts for the entire set of characteristics of all attackers for the j-th security service is as follows:

∑∑ ∑
The level of CIF security can be described in a similar way. To do this, we use the set of characteristics B = {cryptographic resistance, strength of ISS mechanisms ($C_r$), key data amount ($K_{da}$), complexity of direct and reverse cryptographic transformation (encryption/decryption of data, $O_{ED}$)}. Thus, we have a set of ISS characteristics: B = {$C_r$, $K_{da}$, $O_{ED}$}. To describe the set of characteristics, we use the index w be the value of the k-th expert's estimate of the g-th characteristic of the ISS mechanism for the j-th security service in the case when the system security and the destructive actions of attackers are independent.
Then the average value of all experts' estimates of implementation of protective measures for the j-th security service is as follows: where $\beta_{kg}^{j}$ is the weight factor of the g-th metric of the j-th security service for the k-th expert. Normalization of weight
Expansion of the classifier due to the introduction of economic indicators of the cost of attack/terrorist act and the cost of countermeasures provides an integrated estimate of system security in relative units. Thus, 1 corresponds to the maximum security provided by the security system as a whole, and 0 corresponds to a situation where the security system does not protect any of the resources. An additional indicator can be an integrated indicator of the quality of service of an information and communication network, proposed in [109]. To increase the level of security (basic security services), it is proposed to use post-quantum algorithms based on crypto-code structures proposed in [110][111][112][113][114]. The proposed mechanisms provide the required stability ($2^{30}$-$2^{35}$ group operations), efficiency (the speed of cryptographic transformations is comparable to BSC) and reliability ($P_{err}$ $10^{-9}$-$10^{-12}$) in the face of growing computing resources.
To assess the current state of IS, complexes of systems for detecting attacks/deviations from normal operation and risk assessment methods are commonly used (Fig. 7), which allow qualitative and/or quantitative assessment of the current state of IS. Table 3 shows a comparative assessment with the proposed approach, which not only unifies the mathematical tool for IS assessment, but also significantly simplifies its implementation, taking into account the minimization of financial costs for IS.
The analysis of Table 3 and Fig. 7 showed the lack of a single approach for assessing the current state. Each of the presented ones consists of a complex of systems and methods that do not have a unified threat classification approach. As a rule, open databases are used, such as KDD-99, CAPEC, CVE, which contain more than a million threats without appropriate classification, which largely does not allow for their prompt analysis. In addition, threats are not classified by security mechanisms, which makes it impossible to take into account their integration, synergy and hybridity, which does not allow for the objectivity of their assessment and possible damage. The methods do not allow determining the relationship between threats, information resources, communication channels between the CIF elements, determining critical points, between threats and information security means, which makes it possible to determine preventive protection measures in a timely manner. None of the considered systems and methods allows determining the attacker's characteristics and capabilities by threats, which greatly increases the risk of unauthorized penetration/hacking of the information security system. The presented conceptual framework, together with the proposed mathematical tool, allows forming a unified base based on the classifier, taking into account the direction of attack vectors, assessing the possibilities of their synergy and hybridity, which allows taking preventive measures in a timely manner, assessing the attacker, and determining his capabilities.
Based on the proposed models, the requirements for computing resources to assess the current state of information security are significantly reduced, taking into account the national and international regulatory requirements. This approach will allow a self-assessment of the information security state, forming preventive measures and ISS based on the analysis of critical points in the CIF elements, taking into account the relevant relationships. The main limitations of the proposed approach are the formation of a unified base of threats, their assessment by cybersecurity and/or information security experts. To ensure objectivity, practical implementation is required, followed by testing in one of the CIF areas, which will provide a practical component and optimize the formation of preventive measures based on the proposed concept.

Fig. 7. Relationship between attack detection and risk assessment methods

Table 3. Results of the study of risk assessment methods

1. The basic concepts related to cyber-terrorist attacks on critical infrastructure facilities were identified and formalized. Definitions of the security of information resources of critical infrastructure facilities, basic mechanisms and procedures of building a security model for CIF IR on the basis of a synergistic approach were developed. Security characteristics of critical infrastructure facilities such as availability, integrity, confidentiality and security are detailed. The definitions served as the basis for solving subsequent problems. A threat classifier was developed, which allows systemizing threats, forming a unified base of CIF threats, determining the synergistic effect and hybridity of threats, their impact not only on security components, but also on the infrastructure elements of CIF. This approach makes it possible not only to form preventive measures, but also to determine the terrorist-perpetrator's capabilities.
2. The concept of modeling the structure and functioning of the security system of critical infrastructure facilities was developed. The concept is based on a variety of models of different classes and levels currently used to model both critical infrastructures and the implementation of various threats on critical infrastructure facilities. The basic models of the modeling concept are as follows: economic, system-dynamic, behavioral game-theoretic, graph and network, agent-based, physical and geospatial.
3. Models of a terrorist act and security of the critical infrastructure facility cybersystem were developed. It is proposed to assess the integrated (echelon) security of a critical infrastructure facility on the basis of the hierarchical structure of the synthesis of security systems, Internet technologies and computer networks with information security tools based on mobile technologies. This approach allows forming a synergistic model of threats to critical infrastructure facilities, taking into account the impact of terrorists on the elements. A method for determining the terrorist-perpetrator category was developed based on analyzing the table of the relationship between the terrorist-perpetrator category and infrastructure elements. This allows pre-determining the category of the attacker by the impact on CIF and his ability to conduct a terrorist attack. An analysis of the CIF infrastructure level and terrorist-perpetrator categories allows forming a set of levels of impact on CIF. Based on the proposed method, a list of critical threats is determined for each attacker category.
4. A concept for assessing the security of critical infrastructure facilities was developed. The assessment is based on an approach to forming a synergistic threat model, attacker categories, their goals and capabilities. The CIF security estimate obtained as a result of the audit allows determining the most valuable information assets and effectiveness of protection means. The solutions make it possible to assess the compliance of the CIF ISS with the regulatory security requirements, identify the most vulnerable spots and develop recommendations for increasing the CIF security.