Recommendations for using a methodology for assessing the security of an automated control system for critical information infrastructure from DDoS attacks based on Monte Carlo simulation
https://doi.org/10.21822/2073-6185-2023-50-3-57-65
Abstract
Objective. The objective of the research is to develop a methodology for assessing the security of an automated control system of critical information infrastructure from DDoS attacks. The methodology allows the decision-maker to obtain an assessment of the risk of exposure of the computer network (CN) to DDoS attacks and to take the necessary actions to reduce the risk of this threat.
Method. To achieve the stated objective of the research, simulation modeling based on the Monte Carlo method was used, implemented within the framework of a specialized software environment, as well as a method for calculating integral risk.
Result. A methodology was proposed for assessing the security of an automated control system for critical information infrastructure from DDoS attacks, taking into account the importance of individual nodes of its CN.
Conclusion. Thus, the developed methodology is useful when conducting an information security audit to assess the integral risk of a DDoS attack being carried out against a CN, and is designed to help an organization achieve global information security goals, as well as to justify the amount of the insurance premium paid when insuring cyber risks.
About the Authors
V. A. Voevodin
Russian Federation
Vladislav A. Voevodin, Cand. Sci.(Eng.), Assoc. Prof., Department of Information Security
1 Shokin Square, Moscow, Zelenograd 124498
V. S. Chernyaev
Russian Federation
Valentin S. Chernyaev, Master’s student,
1 Shokin Square, Moscow, Zelenograd 124498
I. V. Vinogradov
Russian Federation
Ivan V. Vinogradov, Student,
1 Shokin Square, Moscow, Zelenograd 124498
Review
For citations:
Voevodin V.A., Chernyaev V.S., Vinogradov I.V. Recommendations for using a methodology for assessing the security of an automated control system for critical information infrastructure from DDoS attacks based on Monte Carlo simulation. Herald of Dagestan State Technical University. Technical Sciences. 2023;50(3):57-65. (In Russ.) https://doi.org/10.21822/2073-6185-2023-50-3-57-65