deVelopment of the approaCh for desIgnIng , modellIng and

The object of research is a critical IT infrastructure. One of the most problematic places in the study of critical IT infrastructures is the complete lack of approaches, methodology and tools for designing, modeling and researching critical IT infrastructures that could be used in the form in which they are offered. On the basis of expanded open hybrid automata, an approach is proposed that will allow to compactly describe the components, critical IT infrastructure systems and their interrelations, both internal and external. Its peculiarity is the use of an extended set of parameters, which makes it possible to provide probabilistic and qualitative features to models of components and systems of a critical IT infrastructure. In the course of the research, the Matlab software package is used, which allows to check the proposed approach and models for workability. The resulting models are fairly compact and completely reflect the necessary logic of the work of the relevant components and critical IT infrastructure systems. It is shown that this is achieved due to the flexibility of the proposed mathematical apparatus, namely the possibility of creating compositions from simple models for the formation of more complex ones. In the future, the proposed approach and the creation of a library of models for all major systems and critical IT infrastructure components will provide a convenient tool for a wide range of researchers whose work is related to all aspects of researching critical IT infrastructures.


Introduction
To date, the creation of critical IT infrastructures is an integral part of the development of key industries that are vital for ensuring the safety and functioning of the society.
The existence of a critical IT infrastructure is closely related to the notion of a critical infrastructure -an infrastructure critical for the state, the abandonment or destruction of which can have a materially negative impact on national security.
Currently, Ukraine is only beginning to develop such global management complexes, although some industries already have developed IT infrastructure, for example, dispatching systems for transport management, energy facilities.
That is why the development of new approaches, methods and algorithms for creating, analyzing, monitoring, ensuring the quality and reliability of operation, the security of critical IT infrastructures is a very urgent problem.

the object of research and its technological audit
The object of research is a critical IT infrastructure.The draft law [1] specifies that a critical IT infrastructure is a set of information and telecommunications systems of the public and private sector that ensure the functioning and security of government strategic institutions, systems and facilities (central and local government bodies, energy, transport, communications systems, banking sector, enterprises, during which activities are used and/or produced hazardous substances, etc.) and the safety of citizens (law enforcement management system and defensive sector, etc.), unauthorized intervention in the operation of which may endanger the economic, environmental, social and other types of security or harm the international image of the state.Critical infrastructures include the financial and energy sectors of the state, the food industry, medicine, manufacturing, transport, water supply, public administration and others.
A critical IT infrastructure must: -ensure the functioning of environmentally hazardous and socially significant production and techno-logical processes, the violation of the regular mode of which can lead to an emergency situation of anthropogenic nature; -perform the functions of an information system, the violation (stoppage) of which may lead to negative consequences in the political, economic, social, information, environmental and other fields; -ensure the provision of a significant amount of information services, partial or complete suspension of which can lead to significant negative consequences for national security in many sectors.
Although each critical IT infrastructure is usually seen as a separate system, all of its systems are strongly interlinked with different levels of interdependence between them.As an example, for the work of the information and telecommunications system (ITS) at the level of the declared quality of service, the uninterrupted operation of the power supply system is required, while the quality of the power supply system itself depends on the stable operation of the ITS information transmission channels.These bi-directional relationships between critical IT infrastructure systems increase their overall performance, but at the same time increase its complexity and sensitivity to various types of attacks [2,3].
The main problem in this industry is the complete absence of ready-made solutions, methodologies, tools that are suitable for modeling, designing and researching critical IT infrastructures.

the aim and objectives of research
The aim of research is development of an approach to designing, modeling and researching critical IT infrastructure.
To achieve this aim, it is necessary to perform the following tasks: 1. To improve the existing mathematical apparatus of open hybrid automata for the study of critical IT infrastructures.
2. To build a simplified model of critical IT infrastructure and explore with its help the proposed approach.Technology audiT and producTion reserves -№ 5/2(37), 2017 ISSN 2226-3780

research of existing solutions of the problem
Modeling of interdependence of systems is a new scientific direction, which includes several innovative approaches to modeling.Existing models are analyzed in [4,5].Among the most popular are input-output methods, agent modeling and network approaches.
Methods of input-output are based on the V. Leontief theory of economic equality and allow to estimate the integral level of disability (percentage of failure) of infrastructures by using the dependency coefficients (Leontief coefficients).However, these coefficients are difficult to determine correctly, and therefore, as a rule, they are an approximation of a higher level, proceeding from the assumption that the interdependence of infrastructures is related to their economic interaction [6].
Agent modeling (AM) methods consider critical infrastructures as flexible adaptive systems (FAS), that is, as a complex of interacting components, the state of which can change in the learning process.AM methods use a bottom-up design strategy, and therefore various components of the IT infrastructure are represented as standalone agents with their attributes, behavior and decision rules, while the interdependencies arise between them in their interaction [7,8].
Network approaches usually assume that each infrastructure consists of a number of network components (usually represented as nodes) that form a network, and any existing dependencies are represented as relationships between nodes belonging to different networks [9].Using of network models to investigate critical interconnected infrastructures makes it possible to perform topological analysis quite easily (i.e., qualitatively describe the existing relationships for any set of components).The disadvantage of these models is a fairly small amount of information for conducting functional analysis.As a rule, such models make it possible to investigate only simplified hypotheses and obtain only basic characteristics of networks and completely lack the ability to investigate complex effects associated with technological aspects of their implementation [10].
There are also a number of other approaches to modeling the interdependence of critical infrastructures.For example, [11][12][13] presents methods based on Petri nets, stochastic activity networks and Bayesian networks.
At the moment, the approaches presented in the literature are used for various purposes, have their own strengths and weaknesses, but as such, there is no single approach to solving the problem.In addition, the difficulties associated with accessing data through their security and privacy, coupled with the fact that the structure of the critical IT infrastructure becomes more diverse and more complex, makes the problem of checking the interdependence of its components and systems a very nontrivial problem.So, there is a need for further development of approaches to research the interdependence of components, systems and entire infrastructures, and therefore the topic of work is promising.

methods of research
Let critical IT infrastructure C be represented as a set of systems and components Ω .Then, let's present our Ω in the form of extended open cellular automata (EOCA) [14]: , , , , , , , , , , , , ,  -SP -set of specifications; -P -set of policies; -R -set of security requirements; -V -set of vulnerabilities.The transition is deterministic and occurs under the condition G in the case when, l L ∈ \{ †} or probabilistic, in the case when l = †.The state value in this case is formed randomly according to the distribution F .
Interactive participants in this model are: -components (telecommunication, industrial, etc.); -systems; -infrastructures; -operators of critical IT infrastructure systems; -opponents; -environment.Their operation logic is described by sets of specifications SP, policies P and security requirements R.
The environment controls the temporal and spatial aspects of all events in the model and dispatches all changes in states according to τ, using distributions F for this.Distribution provides the ability to create strategies for the failure of available components and is used to solve the problems of simultaneous occurrence of events in critical IT infrastructure and processing.
It is very convenient to represent such model in the form of a directed graph (Fig. 1).Each vertex of such graph represents a discrete state d D ∈ .The edges of a directed graph represent discrete transitions between states.For example, an edge ( , ) d d L ( , ), then the state change occurs instantaneously, and the value of the continuous state is determined by the ratio T .
Each critical IT infrastructure can be represented as a composition of various EOCAs.Fig. 2 shows the composition of two EOCAs.
ITS EOCA consists of a composition of two elements: -network operation center; -network.Let's describe the model of the network operations center in EOCA terms.The model contains 5 discrete states: -«Normal» -the state of the normal operation of the network operation center (NOC); -«Uninterruptible power supply» -the NOC operation state on uninterruptible power supplies in case of absence of current in the electrical network; -«Cooling errors» -the NOC operation state on in the event of accidents in the cooling system of the equipment; -«Critical» -the NOC operation state in the event of simultaneous failure of power and cooling systems; -«Accident» -the NOC operation state, in which further work is impossible due to a failure that occurred.The model has the following inputs (Fig. 3): -i ps NOC -NOC power; -i cl NOC -NOC cooling; -f tech NOC -availability of technical failures in the NOC.The occurrence of technical failures is controlled by the distribution F or the system itself.
The transition from the «Normal» state to other states occurs under the following conditions: -if there is a technical failure f tech NOC = 1; -if the level of power supply has fallen below the level of the NOC requirements i R ps NOC < 0 ; -if the level of coolant supply has fallen below the level of the NOC requirements i R cl NOC < 0 .As the time managers in the system are the values of continuous states s ups and s cl .In the case of a power failure, an uninterruptible power system can support the NOC operation s T ups u ps = .In the case of a failure of the cooling system, the NOC operation is maintained for some time, equal to s T cl cl = .The model also has three outputs: -NOC operation state z NOC (z NOC takes 2 values: 1 -NOC performs its functions, 0 -accident in the NOC); -NOC demand for power supply r ups ; -NOC demand for cooling r cl .Let's consider the following model -the network operation model, which is a variant of the model from [15].The model has three discrete operating states (Fig. 4): -«Normal» -the network operates in normal mode; -«Data transmission failure» -failure of one or more data transmission channels; -«Accident» -the network has completely refused.
The network model has the following inputs: -i l NET -the network operates in normal mode, if there are no failures of data transmission channels, that is i l NET = 0; -i noc NET -the network operates in the normal mode, if the NOC also operates in the normal mode, that is i noc NET = 1; -i ps NET -input receives data from the power supply system; -i cl NET -input receives data from the cooling system; -i pct NET -input receives data on the number of incoming packets that enter the network.While the network is operating in normal mode, the data transmission rate is calculated by the formula: where i ps NET -the number of packets entering the net work; T p -propagation delay; q -the queue size; Bnetwork bandwidth in pack/s.
According to [14], the queue size q is described by the following equation of dynamics: Data from the power supply and cooling systems are fed into the system with a delay: where P P ps cl , -the number of packets co ming from a particular system.
Thus, the more network traffic, the greater the propagation delay.In the case of a failure of data transmission channels, the network capacity is reduced by the formula: where a -the number of refused data transmission channels.
In the case when the NOC is in an inop erative state, that is i noc NET = 0, the transition to the «Accident» state occurs and at all outputs of the system have the value NaN.

Research results
To simulate NOC, a model is built in the Simulink/State flow package (Fig. 5).This model is very simplistic, but sufficient to demonstrate the proposed approach for the design and study of complex interconnected systems with the EOCA help.
The state diagram of the NOC model in StateFlow looks like this (Fig. 6).
The following values of parameters are set for the model: -T ups = 20 s -the time that NOC can operate using uninterruptible power supplies; -T cl = 10 s -the time that NOC can operate without a cooling system; -R 0 3000 = W⋅h -the minimum level of electricity required for the NOC operation; -C 0 2000 = BTU/hour -the minimum level of cooling power required for the NOC operation.The time diagrams show the values of the parameters that are fed to the inputs of the constructed model (Fig. 7-9).The diagram in Fig. 10 indicates that the NOC operates in a given mode, passes the corresponding states depending on the input parameters coming from other subsystems of the model.

sWot analysis of research results
Strengths.When working with critical IT infrastructures, scalability is one of the problems faced by all methods that are used to model interdependence.The proposed approach is both modular and scalable in the sense that it has sufficient flexibility in selection and use of both high-precision and simple models for critical IT infrastructure.Modularity is achieved through the use of composition elements, whereas scalability is presented in two forms: scalability in building the model (topology and functionality) of the critical IT infrastructure and scalability in terms of the processing power required to run the models.From the point of view of modeling, the proposed approach allows creating model compositions that can be further used as top-level components, which in turn can be used to create components of an even higher level and the like.Thus, the approach allows to accumulate a portfolio of components for multiple use.For example, an electrical substation can be represented as a set of several generators.Thus, it is possible to build a model of a single generator, and then reuse it to create a model of an electrical substation.And if add uninterruptible power supplies to this set of, it is possible to obtain the model of the electrical infrastructure as part of a more complex critical IT infrastructure.From the point of view of the necessary computational power for the launch of the model, the approach provides the same possibility of forming the necessary level of abstraction.
The approach is based on the use of extended open hybrid automata (EOHA) and provides all the necessary tools for building, planning, researching, managing, evaluating, etc. critical IT infrastructures.
Weaknesses.At this stage of the approach development, the only weakness is the availability of very simplified models of subsystems and critical IT infrastructure components.
Opportunities.In the future, it is planned to use the proposed approach for developing models with different levels of abstraction for various components and subsystems of the critical IT infrastructure, with the ultimate aim of creating a library of models that will allow them to be selected and easily used for various studies.Also, the future aim is investigation of the ways of generating scenarios for constructing compositions in order to create large and super-large models.
The proposed approach and modeling library for Simulink/Stateflow will allow researchers to model any relationships between systems, components of critical IT infrastructure.Threats.It is now difficult to predict the negative risks of the developed approach.But it is possible to say for sure that no additional costs are necessary will be for developer of critical IT infrastructure that will use the proposed approach and the library of models developed in the future.⊆ × allow the creation of marked transitive systems of components and systems of critical IT infrastructure for further investigation of them for the reach and safety of states.The distribution F allows to add a probabilistic character in the behavior of the elements, and the sets SP, P, R, Vprovide the components and systems of the critical IT infrastructure with quality characteristics.

Conclusions
2. The simplified models of some critical IT infrastructure components are constructed and investigated using them to use the proposed approach.This approach allows to create patterns of models based on interdependence, existing between them, combining them into more complex models, and thus, to form the following levels of model abstraction.The operability of the proposed approach is tested for simple models -several models are created in the Matlab package, their work is studied, and the expected results are obtained.

1 2 ∈ 1 2∈
starts at the vertex d D 1 ∈ and ends at the vertex d D 2 ∈ .Each transition occurs when the condition G d d ( , ) 1 2 is met or accidentally if L d d ( , ) = †.The ratio T is reset at the end of the transition, when the value of the continuous state changes.Технологічний аудиТ Та резерви виробницТва -№ 5/2(37), 2017 ISSN 2226-3780 The simple path (EOCA triggering) consists of a sequence of intervals τ of continuous evolution, which are changed by discrete transitions.The execution begins with some initial state ( The model remains in a discrete state d i while the continuous state s S i ∈ and/or the input value i I ∈ have valid values Z .At the same time, the output value o O ∈ is defined as ϕ( , , ). s d i i i If s S i ∈ and/or the input value i I ∈ reaches the transition condition G d d i j

fig. 1 .
fig. 1.The model in the form of a directed graph

Fig. 5 .
Fig. 5. Model of the network operation center in Simulink

fig. 7 .
fig. 7. The cooling capacity diagram at the input of the network operation center

fig. 6 .
fig. 6. Model of the network operation center in Stateflow

fig. 9 .
fig. 9. Distribution diagram of the occurrence of technical failures at the input of the network operation center
), D S S I O LG T F SP P R V 0 τ where D