On certain aspects of standardization and operating conditions of automated systems
https://doi.org/10.21822/2073-6185-2023-50-4-101-108
Abstract
Objective. This paper considers the main aspects of the operating conditions of automated systems (AS), as well as the standardization, at the state level, of the stages of the AS life cycle (creation, commissioning, maintenance, etc.). Within this subject area, the technological features of building an AS on different technical architectures are briefly considered, since both foreign processors based on the x86-64 architecture and domestically developed processors based on the Advanced RISC Machine (ARM) architecture are currently in use. The use of diverse AS components requires further study with respect to ordering the composition and configuration of specific SPI. Since every processor has a multi-level architecture, this objectively complicates full security testing and the detection of all vulnerabilities. Method. The threats and vulnerabilities of individual AS components are considered from the standpoint of intentional and unintentional threats. Information on the main state standards currently applied to protect information in the AS is summarized. Result. The main features of the operating conditions of the AS are considered, and it is determined that the vulnerabilities of the components stem from imperfect procedures for the development and coverage testing of hardware and software. It is determined that protecting information in the AS requires building a multi-level protection system with state accreditation. Conclusion. Proposals are presented for applying state standardization to the protection of information in the AS, taking into account the current and prospective threat landscape, including the design features (undeclared capabilities) of the components. Overcoming these threats is possible through the creation of a multi-level information protection system with state accreditation.
About the Authors
A. O. Efimov
Russian Federation
Alexey O. Efimov - full-time adjunct.
53 Patriotov Ave., Voronezh 394065
I. I. Livshits
Russian Federation
Ilya I. Livshits - Dr. Sci.(Eng.), Prof. of Practice.
2nd Baumanskaya St. 5, p.1, Moscow 105005
M. O. Meshcheryakov
Russian Federation
Mikhail O. Meshcheryakov - Student.
49 Kronverksky Ave., St. Petersburg 197101
E. A. Rogozin
Russian Federation
Evgeny A. Rogozin - Dr. Sci.(Eng.), Prof., Professor of the Department of Automated Information Systems of Internal Affairs Bodies.
53 Patriotov Ave., Voronezh 394065
V. R. Romanova
Russian Federation
Victoria R. Romanova - full-time adjunct.
53 Patriotov Ave., Voronezh 394065
For citations:
Efimov A.O., Livshits I.I., Meshcheryakov M.O., Rogozin E.A., Romanova V.R. On certain aspects of standardization and operating conditions of automated systems. Herald of Dagestan State Technical University. Technical Sciences. 2023;50(4):101-108. (In Russ.) https://doi.org/10.21822/2073-6185-2023-50-4-101-108