Analysis of the architecture and functions of protected automated systems installed at internal affairs facilities

Aim. One of the key objectives of the theory and practice of information security is to analyse the functioning of protected automated systems, particularly those operated at computerized facilities of internal affairs bodies. In order to identify potential threats to resources of confidential information, to assess the risk of threat implementation, as well as to form a list of potential threats to automated systems installed at computerized facilities of internal affairs bodies, it is necessary to analyse the composition and architecture of automated systems, identify the features of their protected functioning and determine the vulnerability of software and hardware systems. Methods. A comprehensive analysis of the functioning of protected automated systems during their operation at computerized facilities of internal affairs bodies was conducted. Results. Following an analysis of normative documentation and research publications in the field of protecting information in automated systems, departmental records of the Ministry of Internal Affairs of the Russian Federation, regulations for the protection of information at computerized facilities of internal affairs bodies, the structure and architecture of a protected automated system were defined. Potential threats to the functioning of such a system, including cyber attacks, were identified. On the basis of a survey among experts in the field of information security, the vulnerability (in term of cyber attacks) of the software components of an automated system installed at computerized facilities of internal affairs bodies was analysed. Conclusion. The results can be used in the process of designing and operating information security tools and systems installed at computerized facilities of internal affairs bodies for the purpose of improving their security.

1. GOST 34.003-90. Avtomatizirovannyye sistemy. Terminy i opredeleniya [Elektronnyy resurs]. — URL:http://docs.cntd.ru/document/1200006979 (data obrashcheniya: 24.10.2019). [GOST 34.003-90. Automated systems. Terms and definitions [Electronic resource]. - URL: http: //docs.cntd.ru/document/1200006979 (date of access: 24.10.2019). (In Russ)]

2. Maximizing Uptime of Critical Systems in Commercial and Industrial Applications VAVR-8K4TVA_R1_EN.pdf [Electronic resource]. - URL: https://download.schneider-eletric.com/files?P_Doc_Ref=SPD_VAVR-8K4TVA_EN (date accessed: 24.10.2019).

3. Butusov I.V. Methodology of Security Assessment Automated Systems as Objects Critical Information Infrastructure / I.V. Butusov, A.A. Romanov [Electronic resource]. - URL: fcyberrus.com/wp-content/uploads/2018/05/02-10-125-18_1.-Butusov.pdf (date accessed: 28.10.2019).

4. Xin Z. Research on effectiveness evaluation of the mission-critical system / Z. Xin, M. Shaojie, Z. Fang // Proceedings of 2013 2nd International Conference on Measurement, Information and Control. 2013. P. 869-873.

5. Ob utverzhdenii Kontseptsii obespecheniya informatsionnoy bezopasnosti organov vnutrennikh del Rossiyskoy Federatsii do 2020 goda: prikaz MVD Rossii ot 14.03.2012 № 169 [Elektronnyy resurs]. — URL:http://policemagazine.ru/forum/showthread.php?t=3663 (data obrashcheniya: 21.10.2019). [On the approval of the Concept for ensuring information security of the internal affairs bodies of the Russian Federation until 2020: order of the Ministry of Internal Affairs of Russia dated March 14, 2012 No. 169 [Electronic resource]. - URL: http://policemagazine.ru/forum/showthread.php?t=3663 (date accessed: 21.10.2019). (In Russ)]

6. Security Trends & Vulnerabilities Review Corporate Information Systems // Positive Technologies 2017 [Electronic resource]. - URL: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Corp-Vulnerabilities-2017-eng.pdf (date accessed: 09.11.2019).

7. Bagayoko D. Understanding the Relativistic Generalization of Density Functional Theory (DFT) and Completing It in Practice / D. Bagayoko // Journal of Information Security. Vol. 7 № 9, May 2016 [Electronic resource]. - URL: https://www.scirp.org/journal/paperinformation.aspx?Paperid=66781 (date accessed: 02.11.2019).

8. Metody i sredstva otsenki zashchishchonnosti avtomatizirovannykh sistem organov vnutrennikh del: monografiya [El-ektronnyy resurs] / I.G. Drovnikova [i dr.]. Voronezh: Voronezh. in-t MVD Rossii, 2017. 88 s. [Methods and tools for assessing the security of automated systems of internal affairs bodies: monograph [Electronic resource] / I.G. Drovnikov [and others]. Voronezh: Voronezh. Institute of the Ministry of Internal Affairs of Russia, 2017.88 p. (In Russ)]

9. YAzov YU.K. Zashchita informatsii v informatsionnykh sistemakh ot nesanktsionirovannogo dostupa: posobiye / YU.K. YAzov, S.V. Solov'yov. Voronezh: Kvarta, 2015. 440 s. [Yazov Yu.K. Protection of information in information systems from unauthorized access: manual / Yu.K. Yazov, S.V. Solovyov. Voronezh: Kvarta, 2015.440 p. (In Russ)]

10. GOST R 50922-2006. Zashchita informatsii. Osnovnyye terminy i opredeleniya // SPS «Konsul'tantPlyus» [GOST R 50922-2006. Data protection. Basic terms and definitions // SPS "ConsultantPlus"(In Russ)]

11. Kresimir S. The information systems' security level assessment model based on an ontology and evidential reasoning approach / S. Kresimir, O. Hrvoje, G. Marin // Computers & Security. 2015. PP. 100-112.

12. Method to Evaluate Software Protection Based on Attack Modeling / H. Wang [et ol.] // 2013 IEEE 10th International Conference on High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing Year. 2013. PP. 837-844.

13. Effectiveness Evaluation on Cyberspace Security Defense System / L. Yun [et ol.] // International Conference on Network and Information Systems for Computers (IEEE Conference Publications). 2015. PP. 576-579.

14. FSTEK Rossii. Metodicheskiy dokument. Metodika opredeleniya ugroz bezopasnosti informatsii v informatsionnykh sistemakh [Elektronnyy resurs]. — URL:http://https://fstec.ru/component/attachments/download/812 (data obrashcheniya: 21.10.2019). [FSTEC of Russia. Methodical document. Methods for determining threats to information security in information systems [Electronic resource]. - URL: http://https://fstec.ru/component/attachments/download/812 (date of access: 21.10.2019). (In Russ)]

15. YAzov YU.K. Organizatsiya zashchity informatsii v informatsionnykh sistemakh ot nesanktsionirovannogo dostupa: monografiya / YU.K. YAzov, S.V. Solov'yev. — Voronezh: Kvarta, 2018. — 588 s. [Yazov Yu.K. Organization of information protection in information systems from unauthorized access: monograph / Yu.K. Yazov, S.V. Soloviev. - Voronezh: Quarta, 2018. 588 p. (In Russ)]

16. Rogozin Ye.A. Proyektirovaniye sistem zashchity informatsii ot nesanktsionirovannogo dostupa v avtomatizirovannykh sistemakh OVD / Ye.A. Rogozin, A.D. Popov, T.V. Shagirov // Vestnik Voronezh. in-ta MVD Rossii. 2016. № 2. S. 174-183. [Rogozin E.A. Design of information protection systems against unauthorized access in automated ATC systems / E.A. Rogozin, A.D. Popov, T.V. Shagirov // Bulletin Voronezh. Institute of the Ministry of Internal Affairs of Russia. 2016. No. 2. pp. 174-183. (In Russ)]

17. Popov A.D. Modeli i algoritmy otsenki effektivnosti sistem zashchity informatsii ot nesanktsionirovannogo dostupa s uchetom ikh vremennykh kharakteristik v avtomatizirovannykh sistemakh orga-nov vnutrennikh del: dis. ... kand. tekhn. nauk: 05.13.19 / Popov Anton Dmitriyevich. — Voronezh, 2018. — 163 s. [Popov A.D. Models and algorithms for assessing the effectiveness of information protection systems from unauthorized access, taking into account their time characteristics in automated systems of internal affairs bodies: dis. ... Cand. tech. Sciences: 05.13.19 / Popov Anton Dmitrievich. Voronezh, 2018 . 163 p. (In Russ)]

18. Rad'ko N.M. Proniknoveniya v operatsionnuyu sredu komp'yutera: modeli zloumyshlennogo uda-lennogo dostupa: ucheb. posobiye / N.M. Rad'ko, YU.K. YAzov, N.N. Korneyeva. — Voronezh: Voronezh. gosud. tekhnich. un-t, 2013. — 265 s. [Rad-ko N.M. Penetration into the operating environment of a computer: models of malicious remote access: textbook. manual / N.M. Radko, Yu.K. Yazov, N.N. Korneeva. - Voronezh: Voronezh. state technich. un-t, 2013 . 265 p. (In Russ)]

19. GOST R ISO/MEK 7498-1-99. Informatsionnaya tekhnologiya. Vzaimosvyaz' otkrytykh sistem. Bazovaya etalonnaya model'. Chast' 1. Bazovaya model' [Elektronnyy resurs]. — URL:https://files.stroyinf.ru/Data2/1/4294818/4294818276.pdf (data obrashcheniya: 04.11.2019). [GOST R ISO / IEC 7498-1-99. Information technology. Interconnection of open systems. Basic reference model. Part 1. Basic model [Electronic resource]. - URL: https://files.stroyinf.ru/Data2/1/4294818/4294818276.pdf (date of access: 04.11.2019). (In Russ)]

20. GOST R 51583-2014. Poryadok sozdaniya avtomatizirovannykh sistem v zashchishchennom ispolnenii [Elektronnyy resurs]. — URL: http://docs.cntd.ru/document/1200108858 (data obrashcheniya: 04.11.2019). [GOST R 51583-2014. The order of creation of automated systems in a protected version [Electronic resource]. - URL: http://docs.cntd.ru/document/1200108858 (date of access: 04.11.2019). (In Russ)]

21. Rogozin Ye.A. Klassifikatsiya ugroz informatsionnoy bezopasnosti v avtomatizirovannykh informatsionnykh sistemakh / Ye.A. Rogozin, A.D. Popov, D.I. Korobkin // Pribory i sistemy. Upravleniye, kontrol', diagnostika. 2017. № 7. S. 22-26. [Rogozin E.A. Classification of threats to information security in automated information systems / E.A. Rogozin, A.D. Popov, D.I. Korobkin // Devices and Systems. Management, control, diagnostics. 2017. No. 7.P. 22-26. (In Russ)]

22. Rukovodyashchiy dokument Gosudarstvennoy tekhnicheskoy komissii ot 30 iyunya 1992 goda. Zashchita ot nesanktsionirovannogo dostupa k informatsii. Terminy i opredeleniya. [Elektronnyy resurs]. — URL:https://fstec.ru/component/attachments/download/29 [Guidance document of the State Technical Commission dated June 30, 1992. Protection against unauthorized access to information. Terms and Definitions. [Electronic resource]. - URL:https://fstec.ru/component/attachments/download/298 (In Russ)]

23. Rogozin Ye.A. Osnovnyye etapy i zadachi razrabotki sistem zashchity informatsii OVD v avtomatizirovannykh sistemakh / Ye.A. Rogozin, Ye.YU. Nikulina, A.D. Popov // Vestnik Voronezh. in-ta FSIN Rossii. 2016. № 4. S. 94-98 [Rogozin E.A. The main stages and tasks of developing ATS information protection systems in automated systems stemakh / E.A. Rogozin, E.Yu. Nikulina, A.D. Popov // Bulletin Voronezh. Institute of the Federal Penitentiary Service of Russia. 2016. No. 4. рр 94-98. (In Russ)]

24. Sistema pokazateley kachestva funktsionirovaniya pri sozdanii sistemy informatsionnoy bezopasnosti na ob"yekte informatizatsii OVD / A.M. Kadnova [i dr.] // Pribory i sistemy, upravleniye, kontrol', diagnostika. 2019. № 1. S. 26- 33 [The system of performance indicators for the creation of an information security system at the object of informatization of the internal affairs department Kadnova [et al.] // Devices and systems, control, monitoring, diagnostics. 2019. No. 1. рр 26-33 (In Russ)]