RU204094U1 - Device for comprehensive monitoring of the security status of automated systems - Google Patents

Abstract

The system of comprehensive monitoring of the security state (SZ) of automated systems (AS) is designed to determine the current SZ of the nuclear power plant based on the analysis of information security events (ISS) provided by authorized sources of ISS (ISIB), assessing the effectiveness of the system, forming the management goal (MC) and implementing optimal control actions (HC). The technical result is to increase the reliability of the results of the analysis of the SZ NPP by determining the degree of legality of the ISIB's rights to provide data on the SZ NPP and reducing the level of false alarms for detecting information security incidents (ISS) by monitoring the current state and assessing the effectiveness of the system units; ensuring the adaptation of the system functioning process due to the possibility of changing the control algorithm of the nuclear power plant through the formation and implementation of optimal HC. The specified technical result is achieved by the fact that when an NIB occurs in the AS, the system control unit authorizes the ISIB, if successful, they are classified and their state is determined. Then the system control unit determines the current state and the degree of functional readiness of the system units to provide reliable data about the SZ NPP and, based on the data coming from the risk assessment unit and the database (DB) of the decisions made, forms the CU, in the form of the states of the system units, which should be seek. Further, the system control unit searches for HCs that satisfy the HC and stored in the HC DB, and if found, implements them, bringing the current state of the system blocks to the required one, in accordance with the MC, and in their absence, synthesizes the optimal HC, with their subsequent storage in the HC DB and implementation. The NIB data collection unit provides information on the AU SZ from the ISIB and transmits them to the data control unit, which processes and stores them. The processed NIB data is sent to the NIB analysis unit, which detects the ISS and transmits them to the risk assessment unit for predicting the AS SZ and to the decision search unit, which, based on the data provided by the decision analysis unit, provides the determination of the current SZ AS and support and decision making to eliminate the consequences of ISS, which are saved in the database of decisions made and visualized by means of the ISS registration unit. 1 ill.

Description

The proposed utility model relates to the field of computer technology, namely, to information security (IS), and can be used to implement the process of monitoring the security state (SZ) of automated systems (AS).

Known analogue "The system of adaptive monitoring of automated control systems for military purposes" by RF patent No. 191293, IPC G06F 21/57 (2013.01), Appl. 07.03.2019, publ. 08/01/2019, which consists in the fact that the system contains a user interaction module, including a parameter setting block and interface blocks; an evaluation unit including an evaluation engine control unit, an evaluation procedure adaptation unit, and an evaluation unit; an information storage unit including an information output unit and an information storage unit; an information collection module, which includes a block for adapting the nomenclature and scope of parameters, a block for collecting general data and a block for selecting possible tests; a testing module, which includes units for testing the topologies of military-purpose automated control systems (ACS VN) and units for testing modules of ACS VN; a monitoring module that includes a block for adapting observation procedures, a block for monitoring parameters of the HV ACS and a block for monitoring network activity of the HV ACS; a data conversion module including data conversion units; a parametric synthesis module including a synthesized data output unit and a parametric synthesis unit. The main feature of this analogue is the optimization of monitoring procedures for assessing the HV ACS HV through sequential multi-level adaptation, including: adaptation of the set and scope of the nomenclature of parameters to be monitored, adaptation of observation procedures and adaptation of assessment procedures, which ensures an increase in the efficiency of decision-making on the degree of security of the ACS VN by minimizing the set of parameters to be monitored.

The disadvantages of this system are:

The process of evaluating the SZ of the HV ACS is implemented according to a strictly specified algorithm, which consists in the initial execution of the procedures for testing the topologies and modules of the HV ACS, and then in the execution of the procedures for monitoring the parameters and network activity of the HV ACS. The indicated drawback indicates that in the analogue there is no possibility of changing the sequence of performing the procedures for evaluating the SZ ACS HV depending on the various operating conditions of the system;

the process of determining the sequence and operating parameters of all analog units is implemented on the basis of previously saved estimates of the SZ ACS VN. This disadvantage indicates that in the analogue, the performance of testing procedures for topologies and modules of the HV ACS, as well as the procedures for monitoring the parameters and network activity of the HV ACS, is carried out without taking into account the probabilistic change in the state of the controlled object over time, which indicates the absence in the analogue of the possibility of predicting the SZ ACS VN and a low level of efficiency of decisions made by the operator.

Known analogue "System for analytical processing of information security events" by RF patent No. 193101, IPC G06F 21/55 (2013.01), Appl. 05/13/2019, publ. 10/14/2019, which consists in the fact that the system contains a block for receiving information security events (ISB); a module for storing and assigning ISS labels and information security incidents (ISS), which includes a unit for storing ISS marks, a unit for storing ISS marks and a unit for assigning ISS marks; a unit for comparing NIB labels with a first-level correlation directive rule; a unit for comparing NIB labels with a second-level correlation directive rule; timer number 1; a module for comparing NIB marks of the third level, including a block for buffering current NIB marks, a unit for calculating the probability of an ISS occurrence and a block for delaying NIB marks; counter of NIB marks; a notification module including an alarm warning unit and an alarm generating unit; module for interaction with an IS specialist, including an interface unit and an ISU label update unit; timer number 2; ISS forecasting unit. The main feature of this analogue is to increase the likelihood of detecting ISS in the nuclear power plant through the implementation of a retrospective analysis of ISS distributed in time, as well as timely warning of a possible ISS onset by predicting its appearance.

The disadvantages of this system are:

the dependence of the efficiency of the analogue functioning process on the decisions made by the operator about the state of the monitored AS and the detection of a new ISS. This disadvantage indicates that the analogue lacks the ability to automatically support and make decisions about the state of the monitored nuclear power plant, as well as to eliminate the consequences of IS;

the process of detecting the ISS in the AS is implemented without taking into account the reliability of the NIB arriving at the NIB receiving unit. This disadvantage indicates that the process of functioning of the analogue can be characterized by a high level of false alarms for the detection of new ISS, as a result of which the safety of the controlled NPP is reduced.

The closest technical solution adopted for the prototype is the useful model "Information security audit device in automated systems", known from the RF patent No. 180789, IPC G06F 21/55 (2013.01), app. 31.10.2017, publ. 06/22/2018 and consisting in the fact that the device contains a data collection unit about the NIB; a data management unit including a normalization module, a filtering module, a classification and clustering module, a correlation module and a triplet repository; NIB analysis unit; risk assessment unit; solution search block; decision analysis unit; ISS registration unit; sources of NIB.

Compared to analogs, the prototype can be used in a wider area and provides an expansion of the spectrum and an increase in the reliability of the detected ISS in a near real time mode, which is achieved by conducting a generalized qualitative analysis of the ISS for the entire AS, which consists in assessing possible IS threats, in carrying out preliminary analysis of known methods for increasing the level of information security and in the implementation of support and decision-making to eliminate the consequences of information security.

The disadvantages of the prototype are:

low reliability of the NPP SZ analysis results due to the lack of control of the current state of the units included in the device, as well as the assessment of the efficiency of their functioning processes.

the implementation of the device operation process is carried out without taking into account changes in the operating conditions that affect the IS audit algorithm in the AS. The indicated drawback indicates that this device is not adaptive enough when assessing the SZ of the nuclear power plant.

The purpose of the proposed utility model is to increase the reliability of the NPP SZ analysis results, as well as to ensure the adaptation of the system functioning process to various operating conditions.

A new approach is proposed based on the creation of an integrated control system (CCS) of the SZ NPP, containing a block for collecting data on the NIB; data management unit, consisting of a normalization module, a filtering module, a classification and clustering module, a triplet repository and a correlation module; NIB analysis unit; risk assessment unit; a solution search unit, including a database (DB) of decisions made; decision analysis unit; ISS registration unit and ISS sources, characterized in that a system control unit is added, consisting of a module for identification and authentication of ISS sources, a module for determining the type and state of ISS sources, a module for evaluating system efficiency, a module for generating control objectives, a module for generating control actions, a determination module optimality of control actions, DB of control actions, a module for implementing control actions and a module for monitoring the state of system blocks. The outputs of the NIB sources are connected to the input of the NIB source identification and authentication module of the system control unit, the output of which is connected to the input of the module for determining the type and state of the NIB sources of the system control unit, the output of which is transmitted through its output to the first input of the system efficiency assessment module of the system control unit, connected through its output to the first input of the module for forming control objectives of the system control unit, interacting through its second input with the first input of the control actions DB of the system control unit. The first output of the module for generating control goals of the system control unit is connected to the input of the module for generating control actions of the system control unit, the output of which is connected to the first input of the module for determining the optimality of control actions of the system control unit, connected through its second input to the second output of the module for generating control goals of the system control unit ... The output of the module for determining the optimality of control actions of the system control unit is connected to the second input of the DB of control actions of the system control unit, the output of which is connected to the input of the module for implementing control actions of the system control unit, connected through its first output to the inputs of the NIB sources and the second output to the first input of the collection unit data on the NIB, interacting through its second input with the inputs of the NIB sources. The first output of the NIB data collection unit is connected to the input of the normalization module of the data control unit, connected through its output to the input of the filtration module of the data control unit, the output of which is transmitted through its output to the first input of the classification and clustering module of the data control unit, which interacts through its second an input with the input of the triplet repository of the data control unit, which through its output is connected to the first input of the decision analysis unit, and connected through its output to the input of the correlation module of the data control unit. The second output of the NIB data collection unit is connected to the first input of the system unit state control module of the system control unit, which through its output is connected to the second input of the system efficiency assessment module of the system control unit. The input of the data control unit is connected to the third output of the module for implementing control actions of the system control unit. The first output of the data control unit is connected to the second input of the module for monitoring the state of the system blocks of the system control unit, and its second output is connected to the first input of the NIB analysis unit, the second input of which is connected to the fourth output of the module for implementing control actions of the system control unit. The first output of the NIB analysis block is connected to the first input of the risk assessment block, the second input of which is connected to the fifth output of the module for implementing control actions of the system control unit, connected through its sixth output to the second input of the decision analysis block, the output of which is connected to the second input of the decision search block. The second output of the NIB analysis unit is connected to the fourth input of the module for monitoring the state of the system blocks of the system control unit, which through its third input is connected to the first output of the risk assessment unit, the second output of which is connected to the third input of the module for generating control objectives of the system control unit. The third output of the NIB analysis unit is connected to the first input of the solution search unit, the second output of which is connected to the fifth input of the module for monitoring the state of the system blocks of the system control unit. The DB output of the decisions made by the decision search unit, the first output of which is connected to the input of the ISU registration unit, is connected to the fourth input of the module for forming the control goals of the system control unit.

This goal is achieved by creating a control unit for the SZ AS SZ, which allows identifying and authenticating the sources of the NIB, assessing the efficiency of the process of functioning of the SZ SZ AS, on the basis of which the management goals and optimal control actions are formed, with their subsequent implementation.

The technical result of the utility model is:

increasing the reliability of the results of the analysis of the SZ NPP by determining the degree of legality of the rights of NIB sources to provide data on the SZ NPP and reducing the level of false alarms for detecting ISS by providing the ability to monitor the current state of the units included in the CCC SZ AS, as well as assessing the efficiency of their functioning processes ;

ensuring the adaptation of the process of functioning of the SZ NPP SCC by providing the possibility of changing the IS audit algorithm in the NPP through the formation and implementation of optimal control actions that take into account the operating conditions affecting the state of the SZ NPP SCC units.

The essence of the utility model is illustrated by the drawing (Fig. 1) "Block diagram of the system for integrated monitoring of the security status of automated systems", which shows the blocks and modules: block for collecting data on the NIB (1); a data control unit (2) containing a normalization module (2.1), a filtering module (2.2), a classification and clustering module (2.3), a triplet repository (2.4), a correlation module (2.5); NIB analysis unit (3); risk assessment unit (4); solution search unit (5), including the decision database (5.1); decision analysis unit (6); ISS registration unit (7); sources of NIB (8); control unit SKK SZ AS (9), containing a module for identification and authentication of NIB sources (9.1), a module for determining the type and state of NIB sources (9.2), a module for monitoring the state of SKK SZ AS units (9.3), a module for evaluating the effectiveness of SKK SZ AS (9.4 ), the module for the formation of control objectives (9.5), the module for the formation of control actions (9.6), the module for determining the optimality of control actions (9.7), the DB of control actions (9.8), the module for the implementation of control actions (9.9).

Blocks (1-7, 9) can be made in the form of memory sections of a computing device and are characterized by their own logical circuit, which ensures the performance of the given functions of the block. SIB sources (8) can be functionally independent.

The SZ NPP integrated control system operates as follows.

When some NIBs appear in the AU that affect its SZ as a whole or its component parts, NIB sources (8) undergo an authorization procedure, which consists in verifying their authenticity and determining the degree of legality of their rights to provide data on the SZ of the AU. For example, the authentication of NIB sources (8) may consist in the implementation of a procedure, as a result of which, for NIB sources (8), their pre-assigned identifiers (for example, the values of their network addresses (IP addresses) and hardware (physical) addresses (MAC -addresses)) that uniquely identify these sources. Also, for example, determining the degree of legality of the rights of NIB sources (8) to provide data on the SZ AS can consist in the implementation of the authentication procedure (Afanasyev, A.A. Authentication. Theory and practice of ensuring secure access to information resources / A.A. Afanasyev, L.T. Vedeniev, A.A. Vorontsov and others - Moscow: Nauka, 2012 .-- 552 p.).

The implementation of the procedure for the authorization of NIB sources (8) is carried out by means of the NIB sources identification and authentication module (9.1), which is designed to prevent the start of the process of functioning of the SCC SZ NPP when the NIB arrives from sources that are not trusted means (sensors).

Further, in the case of successful authorization of NIB sources (8), system data about them through the output of the identification and authentication module of NIB sources (9.1) is transmitted to the input of the module for determining the type and state of NIB sources (9.2), which is designed to classify NIB sources (8) on various grounds (for example, NIB sources installed (deployed) on stationary hardware and software platforms, or on mobile (Methodological document. Information protection measures in state information systems: [approved by the FSTEC of Russia on February 11, 2014]] [Electronic resource] . - Access mode: https://fstec.ru/component/attachments/download/675); to ISS sources that implement a passive method of monitoring the APS SZ (for example, Max Patrol, XSpider security analysis tools (see functionality, for example, on the official website of Positive Technologies [Electronic resource]. - Access mode. - URL: http://www.ptsecurity.ru)), or active (for example, testing tools for and the penetration of the Metasploit Framework (see. functionality, for example, on the official website of the Metasploit company [Electronic resource]. - Access mode. - URL: https://www.metasploit.com/)), etc.), as well as to determine the set of values of characteristics (technical parameters) of NIB sources (8) at a given time, indicating their state (properties).

Note that the system data of the blocks included in the SCC SZ AS is a set of values of technical parameters that characterize certain properties of the corresponding blocks of the system and allow, based on their assessment, to unambiguously determine the state of these blocks. The main properties of the blocks included in the SCC SZ NPP are: system-wide properties, namely, integrity, stability, observability, controllability, determinism, openness, dynamism, etc .; structural properties, namely composition, connectivity, organization, complexity, scale, spatial scope, centralization, volume, etc .; functional (behavioral) properties, namely efficiency, resource intensity, efficiency, activity, power, mobility, productivity, speed, readiness, efficiency, accuracy, efficiency, etc. (Anfilatov, BC System analysis in management / BC Anfilatov, A.A. Emelyanov, A.A. Kukushkin. - M .: Finance and statistics, 2002. - S. 103-112).

Then, the module for determining the type and state of the NIB sources (9.2) through its output transmits the initial data containing information about the types and states of the NIB sources (8) to the first input of the module for evaluating the effectiveness of the NIB SZ AS (9.4), which implements the procedure for evaluating the efficiency of the functioning process CCM, in order to determine the degree of functional readiness of the units that make up its structure, provide reliable data on the NPP.

The degree of adaptability of the CCM units to achieve their goals, determined by the module for evaluating the effectiveness of the CCM SZ AS (9.4), as well as information on the types of NIB sources (8) are transmitted to the first input of the control objectives formation module (9.5), to the third input of which from the second output of the unit risk assessment (4), data is received containing information about the predicted NPP SOC and the corresponding degree of threat, and its fourth input from the output of the DB of decisions made (5.1) receives data containing information about the current SZ of the NPP and the decisions taken to eliminate the consequences of the identified ISS (computer attacks (CA)) in the AU.

The module for the formation of control objectives (9.5), based on the data received at its inputs, determines the states (behavior) of the blocks included in the SCC SZ NPP, which should be aimed at in the process of implementing control actions on them.

Further, the module for the formation of control objectives (9.5), in interaction through its second input with the first input of the DB of control actions (9.8), searches for the corresponding control actions that satisfy the formed control goal. If a correspondence is found between the control goal formed by the module for forming control goals (9.5) and the control actions stored in the DB of control actions (9.8), the data on the necessary control actions through the output of the DB of control actions (9.8) are transmitted to the input of the module for the implementation of control actions (9.9).

In the absence of control actions (9.8) in the DB of data on the necessary control actions aimed at achieving the formed control goal of the SCC SZ AS, the module for generating control objectives (9.5) through its first output transfers to the input of the module for generating control actions (9.6) parameters (characteristics, properties) of the required state (behavior) of the blocks included in the SCC SZ NPP, to which one should strive in the process of implementing control actions on them. Based on the data received from the module for generating control goals (9.5), the module for generating control actions (9.6) synthesizes algorithms (clear unambiguous rules, instructions, instructions) that allow achieving the specified control goal of the SZ NPP SCC in the current operating conditions.

Further, the module for determining the optimality of control actions (9.7) based on the control goal arriving at its second input from the second output of the module for generating control objectives (9.5), and algorithms (rules, instructions, instructions) arriving at its first input from the output of the module for generating controllers impacts (9.6), searches for optimal or close to optimal solutions to ensure the achievement of the necessary parameters (characteristics, properties) that characterize the required state (behavior) of the units included in the SCC SZ NPP under current operating conditions.

Then the optimal control actions through the output of the module for determining the optimality of control actions (9.7) are fed to the second input of the DB of control actions (9.8), in which they are to be stored, and through its output they are transferred to the input of the module for the implementation of control actions (9.9).

The module for the implementation of control actions (9.9) through its first output feeds to the inputs of the NIB sources the optimal control actions aimed at bringing their current state (behavior) to the required one, in accordance with the formed control goal.

In addition, the module for the implementation of control actions (9.9) through its second output sends instructions (instructions) to the first inputs of the NIB data collection unit (1), giving it, through its second input, the right to receive and set the sequence for collecting data on SZ from the inputs of the NIB sources. AC.

Moreover, the block for collecting data on the NIB (1) ensures the receipt of data flow from the NIB sources (8), which can be: file servers, database servers, firewalls, workstations; network attack (intrusion) detection systems, NPP security analysis tools, NPP monitoring systems, penetration testing tools, access control systems, integrity assurance and control systems, anti-virus programs, etc. In this case, the following basic methods can be used:

direct communication (Pull) - the NIB source independently sends data from its logs to the NIB data collection unit (1);

feedback (Push) - the NIB data collection unit (1) independently requests data from the log-logs of the NIB source.

Moreover, the setting of the sequence for collecting data on the SZ NPP from the inputs of the NIB sources depends on the control methods of the SZ NPP implemented by the NIB sources (8) in various operating conditions, namely:

Passive method, which consists in collecting (measuring), processing and evaluating (analyzing) the degree of deviation of the values of the parametric data characterizing the SZ of the nuclear power plant from the preset values describing the normal mode of its operation. In other words, this method implements the process of scanning the AU in order to identify its vulnerabilities;

an active method, which consists in imitating a spacecraft on an AS using its vulnerabilities identified as a result of scanning. In other words, this method implements the process of sounding the speaker.

Note that the system data on the state of the process of functioning of the NIB data collection unit (1) is transmitted through its second output to the first input of the module for monitoring the state of the SCK SZ AS units (9.3), which makes it possible to monitor the current state of the units included in the SCK SZ AS and also evaluates the efficiency of their functioning processes in various operating conditions. The results of the functioning of the module for monitoring the state of the units SCK SZ AS (9.3) are transmitted through its output to the second input of the module for evaluating the effectiveness of the SCK SZ AS (9.4).

Further, the data on the SZ AS through the first output of the data collection unit about the NIB (1) is transmitted to the input of the normalization module (2.1), which ensures the NIB is brought to a uniform form for subsequent centralized processing.

The normalization module (2.1) uses data transformation algorithms for its work, such as sorting, data replacement, quantization, merging, crosstab, column folding, sliding window, final classes (see the description of data transformation algorithms, for example, on the official website of the company BaseGroup ™ Labs [Electronic resource]. - Access mode. - URL: https://basegroup.ru).

The normalized data on the SOC of the nuclear power plant is sent through the output of the normalization module (2.1) to the input of the filtering module (2.2), which provides the required completeness of the presentation of data on all potential critical NIB. The most important thing in filtering the incoming data stream is to ensure the possibility of eliminating duplicate ISS, erroneous and redundant information. This allows you to reduce the load associated with further processing of the ISS, and facilitates the solution of tasks for the detection of ISS. The filtering module (2.2) uses data cleaning algorithms for its work, such as filtering, filling in gaps, editing outliers, spectral processing, correlation and factor analysis, elimination of duplicates and inconsistencies (see the description of data cleaning algorithms, for example, on the official website of BaseGroup ™ Labs [Electronic resource]. - Access mode. - URL: https://basegroup.ru).

At the next stage, the filtered flow of information about the NIB through the output of the filtering module (2.2) goes to the first input of the classification and clustering module (2.3), which ensures the identification of logical connections between the analyzed NIB. The classification and clustering module (2.3) first ensures that each ISS is assigned a special priority attribute that determines the degree (significance) of its threat. The value of the priority assigned by the ISS determines how quickly it will be processed, investigated and what resources will be involved. This procedure takes place on the basis of the signs laid down or determined by the administrator of the CCC SZ AS. Then the module of classification and clustering (2.3) provides a partition of the set of NIBs into clusters. Within each group there should be “similar” NIBs, and the events of different groups should be different. The main feature of the performed clustering procedure is that the list of groups is not clearly specified and is determined during the operation of the algorithm. The boundaries of various categories (clusters) are often indistinct, vague, and usually the NIB category itself is understood not through a formal definition, but only in comparison with other categories (clusters).

The task of the classification and clustering module (2.3) is the formation of generalizing features in the aggregate of the NIB. With an increase in the number of examples of NIB, insignificant, random signs are smoothed out, and frequently encountered ones are amplified, while there is a gradual clarification of the boundaries of categories. The classification and clustering module (2.3) uses hierarchical algorithms for its work, which build not one partition of the sample into disjoint clusters, but a system of nested partitions, that is, the output is a tree of clusters, the root of which is the entire sample, and the leaves are the smallest clusters. The most suitable for the problem of dividing a set of NIB into clusters should be considered ascending algorithms, in which objects (NIB) are combined into larger and larger clusters. The implementation of this approach can be represented by the Lance-Williams agglomerative algorithm (Mandel, ID Cluster analysis. / ID Mandel. - M .: Finance and statistics, 1988, pp. 69-74). At the same time, it is proposed to calculate the distances between clusters based on the Ward distance (Mandel, ID Cluster analysis. / ID Mandel. - M .: Finance and statistics, 1988. - S. 70).

At the same time, the filtered stream of data on the NIB in normalized form through the second input of the classification and clustering module (2.3) is transmitted to the input of the triplet repository (2.4) for storage and subsequent use in decision making. The triplet repository (2.4) can be created on the basis of a relational database management system, an XML-oriented DBMS, or a triplet repository.

In addition, the filtered flow of information about the IS in a normalized form through the output of the repository of triplets (2.4) is transmitted to the first input of the decision analysis block (6), which is a knowledge base about the known methods of countering CAs, methods of closing vulnerabilities and other aspects of measures to increase the level of IS AC.

Further, information about the obtained clusters, their number and their constituent NIBs through the output of the classification and clustering module (2.3) is fed to the input of the correlation module (2.5), which ensures the identification of hidden relationships between different NIBs occurring at different times and on different nodes of the AS , which allows real-time detection of spacecraft graphs, including distributed NIB. Construction of the correlation module (2.5) based on recurrent neural networks of Herolt-Jutten (Osovsky, S. Neural networks for information processing / S. Osovsky, 2nd ed., Revised and enlarged - M .: Finance and statistics, 2017. - P. 343-347) significantly improves the quality of the analysis of the main components, since such networks have an adaptive linear structure that processes signals in real time, and are used precisely in problems with poorly structured information.

Note that the system data on the state of the process of functioning of the data control unit (2) is transmitted through its first output to the second input of the module for monitoring the state of the CCC SZ AS units (9.3), and the corresponding optimal control actions aimed at achieving the formed control goal of the SCC SZ AS, come from the third output of the module for implementing control actions (9.9) to its input, thereby ensuring that the current state (behavior) of the data control unit (2) is brought to the required one.

Then the processed NIB data stream through the second output of the data control unit (2) is sent to the first input of the NIB analysis unit (3), which detects or registers the fact of the ISS occurrence, including by modeling NIB, SC and their consequences, vulnerability analysis and SZ AS, defining the parameters of offenders, risk assessment, forecasting ISS and ISS. The NIB analysis unit (3) provides prioritization, determining the importance and criticality of the NIB based on the rules defined in the system.

In addition, in the general case, the NIB analysis process, implemented in the NIB analysis unit (3), can be based on qualitative and quantitative assessments. The quantitative assessment is more accurate, but it takes much more time, which is not always acceptable. Most often, there is a fairly rapid qualitative analysis, the task of which is to distribute risk factors by groups.

Note that the system data on the state of the process of functioning of the NIB analysis unit (3) is transmitted through its second output to the fourth input of the module for monitoring the state of the SCS SZ AS units (9.3), and the corresponding optimal control actions aimed at achieving the formed control goal of the SZ AS AS SCS, come from the fourth output of the module for implementing control actions (9.9) to its second input, thereby ensuring that the current state (behavior) of the NIB analysis unit (3) is brought to the required one.

The ISS analysis unit (3), through its first output, transmits the detected ISS to the first input of the risk assessment unit (4), the operation of which is aimed at predicting the SZ NPP and determining the corresponding degree of threat based on the analysis of ISS consequences.

The risk assessment unit (4), through its first output, transmits system data about the state of its functioning process to the third input of the module for monitoring the state of the SCK SZ AS units (9.3), and the corresponding optimal control actions that ensure the current state (behavior) of the risk assessment unit (4 ) to the required one, come from the fifth output of the module for implementing control actions (9.9) to its second input.

In addition, the NIB analysis unit (3), through its third output, transmits the detected ISS to the first input of the solution search unit (5), to the second input of which data is received from the output of the decision analysis unit (6) containing information on the preliminary analysis of known methods for increasing the level IS AS based on the triplet repository (2.4).

The decision search unit (5), based on the data received at its inputs, ensures the determination of the current SZ of the nuclear power plant and support and decision-making for eliminating the consequences of the identified ISS (SC) in the automated system, which are stored in the database of decisions made (5.1). Moreover, the solution analysis unit (6) is an auxiliary unit for the solution search unit (5).

System data on the state of the processes of functioning of the decision analysis unit (6) and the solution search unit (5) through the second output of the solution search unit (5) are transmitted to the fifth input of the module for monitoring the state of the SCC SZ AS units (9.3), and the corresponding optimal control actions providing bringing the current state (behavior) of the decision analysis unit (6) and the solution search unit (5) to the required one, come from the sixth output of the control action implementation module (9.9) to the second input of the decision analysis unit (6), thereby achieving the formed control goal SKK SZ AS.

The decisions made to eliminate the consequences of the identified ISS (CA) in the AS and the data on the current SZ of the AS through the first output of the solution search unit (5) are transmitted to the input of the ISU registration unit (7), which provides visualization, that is, the presentation in a graphical form of data characterizing the results the functioning of the SCC SZ AS, namely the results of the analysis of the NIB and SZ AS as a whole and its elements.

Thus, thanks to a new set of essential features in the claimed utility model, an increase in the reliability and adaptability of the control process of the SZ NPP in various operating conditions is ensured by identifying and authenticating NIB sources, assessing the efficiency of the process of functioning of the SZ SZ NPP, as well as forming the control goal and optimal controllers. impacts, with their subsequent implementation.

Claims (1)

A device for comprehensive monitoring of the state of security of automated systems, containing a block for collecting data on information security events; data management unit, consisting of a normalization module, a filtering module, a classification and clustering module, a triplet repository and a correlation module; information security event analysis unit; risk assessment unit; a solution search unit, including a database of decisions made; decision analysis unit; block for registration of information security incidents and sources of information security events, characterized in that a device control unit has been added, consisting of a module for identification and authentication of information security event sources, a module for determining the type and state of information security event sources, a module for evaluating the effectiveness of the system, a module for generating management goals , a module for generating control actions, a module for determining the optimality of control actions, a database of control actions, a module for implementing control actions and a module for monitoring the state of device blocks; outputs of information security event sources are connected to the input of the module for identification and authentication of information security event sources of the device control unit, the output of which is connected to the input of the module for determining the type and state of information security event sources of the device control unit, the output of which is transmitted through its output to the first input of the evaluation module the effectiveness of the device of the device control unit, connected through its output to the first input of the module for generating control targets of the device control unit, interacting through its second input with the first input of the control action database of the device control unit; the first output of the module for generating control targets of the device control unit is connected to the input of the module for generating control actions of the device control unit, the output of which is connected to the first input of the module for determining the optimality of control actions of the device control unit, connected through its second input to the second output of the module for generating control targets of the device control unit ; the output of the module for determining the optimality of control actions of the device control unit is connected to the second input of the database of control actions of the device control unit, the output of which is connected to the input of the module for implementing control actions of the device control unit, connected through its first output to the inputs of information security event sources and the second output to the first the input of the data collection unit on information security events, interacting through its second input with the inputs of information security event sources; the first output of the data collection unit on information security events is connected to the input of the normalization module of the data control unit, connected through its output to the input of the filtering module of the data control unit, the output of which is transmitted through its output to the first input of the classification and clustering module of the data control unit, which interacts through its second input with the input of the triplet repository of the data control unit, which through its output is connected to the first input of the decision analysis unit, and connected through its output to the input of the correlation module of the data control unit; the second output of the unit for collecting data on information security events is connected to the first input of the unit for monitoring the state of the device units of the device control unit, which through its output is connected to the second input of the unit for evaluating the effectiveness of the device of the device control unit; the input of the data control unit is connected to the third output of the module for implementing control actions of the device control unit; the first output of the data control unit is connected to the second input of the module for monitoring the state of the device blocks of the device control unit, and its second output is connected to the first input of the information security event analysis unit, the second input of which is connected to the fourth output of the module for implementing control actions of the device control unit; the first output of the block for analyzing information security events is connected to the first input of the risk assessment block, the second input of which is connected to the fifth output of the module for implementing control actions of the device control unit, connected through its sixth output to the second input of the decision analysis block, the output of which is connected to the second input of the search block decisions; the second output of the block for analyzing information security events is connected to the fourth input of the module for monitoring the state of the device blocks of the device control unit, which through its third input is connected to the first output of the risk assessment unit, the second output of which is connected to the third input of the module for generating control goals of the device control unit; the third output of the block for analyzing information security events is connected to the first input of the decision search block, the second output of which is connected to the fifth input of the module for monitoring the state of the device blocks of the device control unit; the output of the decision database of the decision search unit, the first output of which is connected to the input of the information security incident registration unit, is connected to the fourth input of the module for generating control goals of the device control unit.

Images