RU2640629C1 - Method of functioning performance evaluation of automated control systems under conditions of malicious programs impact - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: method includes selecting a strategy for evaluating management effectiveness; modelling the impact of malicious programs on the structural elements (SE) of automated control systems (ACS) that receive, store, process, issue and display information by introducing samples of malicious code into the memory of these SE of automated control systems by using a malicious programs simulation device, based on information on software and hardware vulnerabilities of the SE of automated control systems obtained from a memory device (MD) of vulnerabilities, memory devices of weight coefficients corresponding to the criticality of each vulnerability and malware code memory device; then the information is automatically read from the sensors through the converters and written to the memory of the read out information of the terminal server in which this information is converted to a form convenient for the current evaluation and then evaluated by the program for evaluating the management efficiency.

EFFECT: expansion of functioning performance evaluation of automated control systems by adding the process of simulating the malicious programs impact on the structural elements of the automated control systems.

1 dwg,1 tbl

Description

The invention relates to the field of automated control systems (ACS) and can be used to assess the effectiveness of automated control of wide class systems regardless of their purpose, goals, tasks and complexity.

The prior art method for determining the health of objects [see Mozgalevsky A.V., Gaskarov D.V. Technical diagnostics. - M.: Higher School, 1975, p. 38-46], including the measurement of parameters and their comparison with the relevant standards (standards).

The disadvantage of this method is its narrow specialization - the diagnosis of relatively simple systems, which does not allow to evaluate the effectiveness of management of complex large technical systems.

There is also a known method [see Automatic control equipment for electronic equipment / Ed. N.N. Ponomareva - M .: Sov. Radio, 1975, p. 5-10 and s. 293-318], which includes selecting parameters using a switch, measuring parameters, converting parameters into digital data convenient for computer processing, recording these data and analyzing them, as well as displaying and documenting the analysis results.

The disadvantage of this known method is the narrow specialization, limited by the capabilities of monitoring, diagnostics and predicting the technical condition of electronic equipment, which is insufficient to assess the effectiveness of managing complex large technical systems, requiring a higher level of computer support with databases and knowledge, which is not in the analogue.

Also known is the unified Chernyakov / Petrushin method for evaluating the effectiveness of large systems [see Russia, patent No. 22010112, G07C 3/08, G06F 17/00, publ. August 10, 2003], which includes a real-time evaluation procedure, in which a representation of a particular complex large technical system in the form of a hierarchy of its structural elements is recorded in the memory of the structural elements of the database in the memory of the parameters of the same drive - private performance indicators that are aligned with each element of the structure of the technical system, in the memory of the standards of the same drive - regulatory values that correspond to each particular performance indicator, and in the memory of the weight coefficients of the same drive - the weight coefficients of importance corresponding to each particular performance indicator, as well as in the memory of the terminal server, record the program for evaluating the effectiveness and, finally, in the memory of the workstation of the knowledge engineer download information obtained during the survey of experts in this field knowledge, then using a workstation of a senior engineer for performance evaluation, a selection of an evaluation strategy is carried out, then using a data entry workstation, controlling the switch, the machine read information from sensors through the converters and write it through the memory of the converted read information in the terminal server to the memory of the read information in the terminal server, in which this information is converted to a form convenient for the current assessment, and write it to the memory of the database server, and then evaluate it according to the program for evaluating the effectiveness of using a terminal server, while the result of the assessment is an assessment of the generalized performance indicator, which is a convolution of private indicators of activity corresponding to the results of the analysis of the measured parameters.

The specified method is the closest in technical essence to the claimed.

The disadvantage of this known method of evaluating the effectiveness is that using this method it is impossible to evaluate the effectiveness of the functioning of the ACS under the influence of malicious programs.

The aim of the invention is to expand the functionality of the method of evaluating the effectiveness of the ACS in the conditions of exposure to malicious programs by adding the function of modeling the impact of malicious programs on the structural elements of the ACS.

The problem is solved due to the fact that in the known method for evaluating the effectiveness of control, which includes a real-time evaluation procedure, in which the representation of a specific ACS in the form of a hierarchy of its structural elements is written to the memory of the structural elements of the database in the memory of the parameters of the same drive - private indicators of management efficiency, in the memory of the standards of the same drive - standard values corresponding to each private indicator of management efficiency, and in the memory of weight ratios cents of the same drive — importance weighting coefficients corresponding to each particular indicator of management efficiency, as well as write a program for evaluating management efficiency in the memory of the terminal server and, finally, in the memory of the workstation for knowledge, download the information obtained during the survey of experts in this field of knowledge, then using a workstation for evaluating the effectiveness of management, a strategy for evaluating the effectiveness of management is selected, then using a workstation for data entry, controlling the switch , automatically read the information from the sensors through the converters and write it through the memory of the converted read information in the terminal server to the memory of the read information in the terminal server, in which this information is converted to a form convenient for the current assessment, and write it to the memory of the database server, and then they evaluate it according to the program for evaluating management efficiency using a terminal server, while the result of the evaluation is an assessment by a generalized indicator of management efficiency, which is the twist of private indicators of control effectiveness corresponding to the results of the analysis of the measured parameters, analyze, display and document the results of the assessment on a video monitor and printer, respectively, the new is that after choosing a strategy for evaluating the effectiveness, immediately before the automatic reading of information from sensors, the effect of malware on the structural elements of the automated control system is simulated that carry out the reception, storage, processing, issuance and display of information by introducing samples into malicious code to the memory of these structural elements of the automated control system using a malware simulation device based on information about vulnerabilities in the software and hardware of the automatic control system structural elements obtained from vulnerability memory, memory of weighting factors corresponding to the criticality of each vulnerability and malicious code samples.

The need to use private indicators of management efficiency arises due to the difficulty of evaluating the ACS performance by any one indicator, in connection with which it is proposed to use a generalized ACS efficiency indicator, which consists of many indicators that reflect individual particular properties of ACS (private indicators of management efficiency) [see IN AND. Kolisnichenko. On assessing the effectiveness of the ACS of the Air Force // Military Thought, 2004, No. 11. - from. 35-40].

At the same time, particular indicators of management effectiveness are performance indicators for the performance of individual functions assigned to ACS and implemented by individual elements of the ACS structure.

,

обробка даних, 2007, Т. 9, № 4. - с. 132-139] (таблица 1):As private indicators characterizing the effectiveness of the performance of individual functions assigned to the ACS, the following indicators are possible [see EAT. Naumenko, N.S. Kozlov. An approach to evaluating the effectiveness of automated systems in the early stages of design //

,

Processing of Danish, 2007, T. 9, No. 4. - p. 132-139] (table 1):

- indicators of efficiency (speed) when performing a separate ACS function;

- indicators of the sustainability of the performance of a separate ACS function;

- indicators of the continuity of the performance of a separate ACS function;

- indicators characterizing the throughput in the implementation of a separate ACS function;

- indicators of the accuracy of the performance of a separate function of ACS.

More simply, the essence of the proposed method lies in the fact that for any complexity ACS, which can always be represented by a hierarchical decomposition of its structural elements and the management functions performed by them, they put in a one-to-one correspondence the structure of management performance indicators of a similar topology. At the same time, a sufficient measure to assess the effectiveness of management carried out by the ACS is, at a minimum, the compliance of its particular indicators with the requirements of the corresponding project documentation or current standards (norms). Then the level of management efficiency in the implementation of all the norms, without exception, is taken as a sufficient level of efficiency. Obviously, to assess the effectiveness of managing complex large technical systems, adequate computing power is needed, including a database, a knowledge base based on an expert system organized in the form of a local computer network based on personal computers that store in their memory, on the one hand, about the topology of the ACS and its indicators (parameters), and on the other hand, the relevant standards (technical specifications, GOST, design documentation requirements, etc.), as well as data on the ulcer ostyah hardware and software used in the construction of the evaluated system. Then, the proposed method for evaluating the effectiveness of ACS is reduced to preparing data before the procedure for evaluating the effectiveness of ACS, including preparing data on vulnerabilities in software and hardware, and then to the procedure itself, during which the modeling of the impact of malicious programs is performed and convolution of private management performance indicators corresponding to the components ACS elements. The result is a generalized indicator of the effectiveness of the ACS functioning under the influence of malicious programs. A similar convolution can be performed for each part of the ACS (subsystems and blocks).

The above distinguishing features of the claimed invention allow to expand the functionality of the method for evaluating the effectiveness of the operation of automated control systems under the influence of malicious programs by providing a simulation of the effects of malicious programs on the system being evaluated.

The proposed technical solutions are new, since the proposed method for assessing the effectiveness of the functioning of automated control systems under the influence of malicious programs is not known from publicly available information.

The proposed technical solutions have an inventive step, since it does not explicitly follow from published scientific data and known technical solutions that the claimed sequence of operations of the method leads to the expansion of the functionality of the method for evaluating the effectiveness of the operation of automated control systems under the influence of malicious programs.

The proposed technical solutions are industrially applicable, as they are based on computer technology and modeling tools that are widely used in modeling control processes in automated control systems.

The claimed invention is illustrated by a specific implementation example, which, however, is not the only possible, but clearly demonstrates the possibility of achieving the above set of features of the required technical result.

In FIG. 1 presents a structural diagram of a device for implementing the proposed method, in which the numbers indicate:

1 - a group of sensors for ACS parameters;

2 - a group of information parameter converters;

3 - a device for modeling the impact of malware;

4 - switch;

5 - data entry workstation;

6 - database drive;

7 - memory of vulnerabilities in software and hardware;

8 - memory of weighting factors of criticality of vulnerabilities of software and hardware;

9 - memory of samples of malicious code;

10 - the memory of the structural elements of the ACS;

11 - memory of parameters;

12 - memory standards;

13 - memory of weight coefficients of importance of performance indicators of ACS;

14 - knowledge workstation;

15 - memory of information from a survey of experts;

16 - terminal server;

17 - memory of a program for evaluating management effectiveness;

18 - memory of read information;

19 - memory transformed read information;

20 - display and documentation devices (video monitor and printer);

21 - database server;

22 - memory of the converted information;

23 - workstation for evaluating the effectiveness of management. The claimed method of evaluating the effectiveness of the operation of automated control systems under the influence of malicious programs is as follows.

The representation of a specific automated control system in the form of a hierarchy of its structural elements is recorded in the memory of the structural elements of the ACS 10 of the database 6; the memory of the parameters of the same drive is recorded in the memory of the parameters 11 of the drive, the normative values corresponding to each particular are recorded in the memory of the standards 12 of the same drive management efficiency indicator, and in the memory of weighting factors of importance of performance indicators 13 of the same drive, weighting factors of importance are recorded, with corresponding to each particular ACS efficiency indicator, in the memory of vulnerabilities of software and hardware 7 of the same drive write data on vulnerabilities of software and hardware of the structural elements of ACS, in the memory of weight criticalities of vulnerabilities of software and hardware of the same drive 8 write weight coefficients of criticality of vulnerabilities, in the memory of samples of malicious code 9 of the same drive, samples of malicious code are recorded, in the memory 17 of terminal server 16 I write program management effectiveness evaluation, in memory of the expert survey data 15, workstation 14 is charged with knowledge information obtained in the course of a survey of experts of this field of knowledge. Next, using a workstation for evaluating the effectiveness of management 23 carry out the selection of strategies for evaluating the effectiveness of management. Then, using a data entry workstation 5, a device for modeling the impact of malicious code 3 is launched for simulation. Based on information from the memory of vulnerabilities of software and hardware 7, information on weighted criticality factors of vulnerabilities from memory 8, and also using samples of malicious code from memory 9 simulate the impact on the automated control system of malicious programs by introducing malicious code into the memory of the structural elements of the automatic control system, which receive, store, process, issue and display information and (operator (dispatch), engineering workstations, industrial servers (SCADA-servers) with system-wide and application software installed on them, programmable logic controllers, other hardware with installed software [see Requirements for ensuring information security in automated control systems for production and technological processes at critical facilities, potentially hazardous facilities, as well as facilities representing increased new danger to the life and health of people and to the environment: approved. etc. FSTEC of Russia dated March 14, 2014 No. 31, p. four]). After that, using a data entry workstation 5, controlling switch 4, information is automatically read from sensors 1.1, 1.2, 1.3, ..., 1.n through converters 2.1, 2.1, 2.3, ..., 2.n to inputs 1, 2, 3 , n of the same switch 4, write it to the memory of the read information 18 in the terminal server 16, in which this information is converted to a form convenient for the current evaluation, and write it through the memory of the converted read information 19 in the terminal server 16 to the memory of the converted information 22 database server 21. Then evaluate it according to the program of evaluation of effectiveness control with the help of the terminal server 16, and the evaluation result is an assessment by a generalized indicator of management efficiency, which is a convolution of private indicators of management efficiency corresponding to the results of the analysis of measured and modeled parameters. Analyze, display and document the results of the assessment using display devices 20.

Sensors 1.1, 1.2, 1.3, ..., 1.n read out information that allows to evaluate particular performance indicators from structural elements of the ACS that implement the performance of individual functions of the ACS. At the same time, to evaluate the indicators characterizing the efficiency, the time characteristics of the ACS structural elements are measured and read out (the time information is displayed on the automated workstations, the reaction time of the system to the operator's control effect from the automated workstation, the time it takes for individual operations to be performed by which the function ACS, in an industrial server or in an industrial logic controller, the processing time of information in an industrial server or industrial logic controller); to evaluate indicators characterizing the stability and continuity of the performance of a separate ACS function, the time characteristics of the ACS structural elements are measured and read out (the operating time before any ACS structural element fails, the operating time of the ACS structural elements that implement individual ACS functions, without failures, system reboot time after a failure), as well as reading information about the technical condition of the structural elements of the ACS (the number of failures and failures for a certain period of time neither); to evaluate the indicators characterizing the throughput, information is measured and read about the amount of received, transmitted and processed data (the amount of data transmitted over communication lines (channels) for a certain time, the amount of data processed in an industrial server for a certain time, the amount of data processed in industrial server at the same time); for indicators characterizing the accuracy of the performance of a separate ACS function, data is measured and read from sensors that read information about the state of objects that are controlled by the ACS and read information about the state of these objects after they are processed in industrial logic controllers or industrial servers, or after displaying information about the state of these objects at workstations, after which, by comparing and processing the obtained data, the accuracy is estimated x performance indicators ACS separate function.

Malicious code embedded in the memory of ACS structural elements that receive, store, process, issue and display information disrupts the functioning of these ACS structural elements (introduces errors into the information processing process; replaces received, processed or issued data; disrupts the processing sequence information in industrial servers and (or) industrial logic controllers; introduces distortions in the information displayed on workstations; loads processors of industrial servers and industrial logic controllers by executing false (garbage) commands; reduces the throughput of communication lines (channels) by introducing false (garbage) information into the transmitted data; disables the structural elements of ACS by distorting or destroying components of system-wide and special software ; generates false messages about errors and failures of structural elements of ACS; makes changes to the processed data, which lead to failures of structural lementov ACS).

These violations of the functioning processes of the structural elements of the ACS lead to a decrease in the efficiency of performing both individual tasks assigned to the ACS and to a decrease in the efficiency of the ACS as a whole, while if the decrease in the efficiency of the ACS is outside the permissible limits, it is necessary to introduce additional mechanisms (means) protection against exposure to malware.

Thus, the proposed method will allow to evaluate the effectiveness of automated control systems in the conditions of exposure to such systems of malware and decide on the need for additional measures to protect automated control systems from malware.

Claims (2)

A method for evaluating the effectiveness of the functioning of automated control systems under the influence of malicious programs, which includes a real-time evaluation procedure in which a representation of a specific automated control system (ACS) is written in the form of a hierarchy of its structural elements into a storage device (memory) of structural elements of a database drive elements, in the memory of the parameters of the same drive write private indicators of management efficiency, in the memory of the standards of the same drive write normative values corresponding to each particular indicator of management efficiency, and weight coefficients of importance corresponding to each particular indicator of management efficiency are recorded in the memory of weight coefficients of the same drive, as well as in the memory of the terminal server, a program for evaluating management efficiency is recorded and, finally, in the memory of the workstation knowledge is loaded with information obtained in the process of interviewing experts in this field of knowledge, then using a workstation to evaluate the effectiveness of OS management They make a choice of a strategy for evaluating the management efficiency and then, using the data entry workstation, controlling the switch, automatically read information from the sensors through the converters and write it to the memory of the read information of the terminal server, in which this information is converted to a form convenient for the current evaluation, and write it through the memory of the converted read information of the terminal server to the memory of the database server, and then evaluate it according to the program for assessing the effectiveness of management using the terminal with rvera, with the result of evaluation is the evaluation of the generalized indicator of management effectiveness, is a convolution of private management indicators, relevant results analysis of the measured parameters, analyze, display and document the results of the assessment on a video monitor and printer, characterized in that after choosing a strategy for evaluating the effectiveness immediately before the automatic reading of information from the sensors, the effect of malicious programs on the structural elements of the automated control system that receive, store, process, issue and displaying information by introducing samples of malicious code into the memory of these structural elements of the automated control system using a device for modeling tviya malware based on information about the vulnerabilities of software and hardware structural elements ACS obtained from the memory vulnerabilities memory weights corresponding criticality of each vulnerability and storage of samples of malicious code.

Images