
RU-2861392-C1 - METHOD, SOFTWARE AND HARDWARE COMPLEX AND SYSTEM FOR ENSURING CYBER RESILIENCE OF TELECOMMUNICATION AND TERMINAL EQUIPMENT OF CRITICAL INFORMATION INFRASTRUCTURE

RU2861392C1

Abstract

FIELD: information security. SUBSTANCE: the invention relates to means for ensuring cyber resilience of critical information infrastructure (CII) facilities. Information security events are identified using firewalls, intrusion detection systems, event logging systems and information security event analysis systems. The facility is transferred to a protected state using the technical means of physical/logical redundancy of elements of the communication infrastructure of the CII facility. Active impact is applied to the identified information security threats using technical means for branching, slowing down, and impact. EFFECT: increased cyber resilience of a CII facility. 3 cl, 6 dwg, 4 tbl

Inventors

  • Vasinev Dmitrij Aleksandrovich
  • Bochkov Maksim Vadimovich
  • Plakatin Aleksandr Andreevich
  • Andreev Sergej Yurevich
  • Tregubov Roman Borisovich
  • Struev Aleksandr Anatolevich

Dates

Publication Date
2026-05-05
Application Date
2025-12-16

Claims (3)

  1. A method for ensuring cyber resilience of telecommunications and terminal equipment of a critical information infrastructure (CII), which consists in forming a software and hardware complex of a CII as part of technical means of terminal automated systems for sending/receiving protocol data blocks from a CII facility, multi-protocol equipment of a CII facility, multi-protocol equipment of a telecom operator, technical means for testing multi-protocol equipment, checking the operability of the multi-protocol equipment of a CII facility, checking the reception/transmission of protocol data blocks, if protocol data blocks are received, forming a fail-safe cluster of firewalls, classifying the received data (results of event processing), for the “Allowed” threat class, processing protocol data blocks of a CII facility on network and host intrusion detection systems in the event of detection of an information security event, forming logical, physical transport redundancy elements, forming software and hardware logical, physical objects for branching, slowing down, impact, processing protocol data blocks based on logical, physical transport redundancy elements, processing protocol data blocks in software and hardware objects of branching, slowing down, impact, form configurations of multi-protocol equipment, manage the configuration of multi-protocol equipment, process protocol data blocks of the critical information infrastructure object in the multi-protocol equipment of the critical information infrastructure object, after which they check the reception/transmission of protocol data blocks, process the results from the event registration logs of software and hardware, in case of detection of an information security event, they form logical, physical transport elements of redundancy, form software and hardware logical, physical objects for branching, slowing down, impact, process protocol data blocks based on logical, physical transport elements of redundancy, process protocol data blocks in software and hardware objects of branching, slowing down, impact, form configurations of multi-protocol equipment, manage the configuration of multi-protocol equipment, process protocol data blocks of the critical information infrastructure object in the multi-protocol equipment of the critical information infrastructure object, after which they check the reception/transmission of protocol data blocks, process the results of event analysis based on software and hardware means of event analysis in case of detection of an information security event, logical and physical transport elements of redundancy are formed, software and hardware logical and physical objects for branching, slowing down, and impact are formed, protocol data units are processed based on logical and physical transport elements of redundancy, protocol data units are processed in software and hardware objects of branching, slowing down, and impact, configurations of multi-protocol equipment are formed, the configuration of multi-protocol equipment is managed, protocol data units of the critical information infrastructure facility are processed in multi-protocol equipment of the critical information infrastructure facility, after which the reception/transmission of protocol data units is checked, for the threat class: "Forbidden/Other", logical and physical transport elements of redundancy are formed, logical and physical transport elements of redundancy are formed, software and hardware logical and physical objects for branching, slowing down, and impact are formed, protocol data units are processed based on logical and physical transport elements of redundancy, protocol data units are processed in software and hardware objects of branching, slowing down, and impact, configurations of multi-protocol equipment are formed, manage the configuration of multi-protocol equipment, process protocol data units of the critical information infrastructure facility in the multi-protocol equipment of the critical information infrastructure facility, and then check the reception/transmission of protocol data units if protocol data units are sent, form a fail-safe cluster of firewalls, classify the received data (results of event processing), for the "Allowed" threat class, process protocol data units of the critical information infrastructure facility on network and host intrusion detection systems in case of detection of an information security event, form logical, physical transport elements of redundancy, form software and hardware logical, physical objects for branching, slowing down, impact, process protocol data units based on logical, physical transport elements of redundancy, process protocol data units in software and hardware objects of branching, slowing down, impact, form configurations of multi-protocol equipment, manage the configuration of multi-protocol equipment, process protocol data units of the critical information infrastructure facility in the multi-protocol equipment of the critical information infrastructure facility, and then check the reception/transmission of protocol data units, process the results from the event registration logs of the software and hardware, in case of detection of an information security event, form logical and physical transport elements of redundancy, form software and hardware logical and physical objects for branching, slowing down, impact, process protocol data units based on the logical and physical transport elements of redundancy, process protocol data units in software and hardware objects of branching, slowing down, impact, form configurations of multi-protocol equipment, manage the configuration of multi-protocol equipment, process protocol data units of the critical information infrastructure facility in the multi-protocol equipment of the critical information infrastructure facility, after which they check the reception/transmission of protocol data units, process the results of event analysis based on software and hardware of event analysis in case of detection of an information security event, form logical and physical transport elements of redundancy, form software and hardware logical and physical objects for branching, slowing down, impact, process protocol data units based on logical and physical transport elements of redundancy, process protocol data units in software and hardware objects of branching, slowdowns, impacts, form configurations of multi-protocol equipment, manage configuration of multi-protocol equipment, process protocol data units of the critical infrastructure facility in multi-protocol equipment of the critical infrastructure facility, after which they perform a check of reception/transmission of protocol data units, for the threat class: "Forbidden/Other", form logical, physical transport elements of redundancy, form logical, physical transport elements of redundancy, form software and hardware logical, physical objects for branching, slowdowns, impacts, process protocol data units based on logical, physical transport elements of redundancy, process protocol data units in software and hardware objects of branching, slowdowns, impacts, form configurations of multi-protocol equipment, manage configuration of multi-protocol equipment, process protocol data units of the critical infrastructure facility in multi-protocol equipment of the critical infrastructure facility, after which they perform a check of reception/transmission of protocol data units.
  2. A hardware and software complex for ensuring cyber resilience of a critical information infrastructure, comprising a technical means for processing information security events, configured to form a fault-tolerant cluster of firewalls, classify data (results of event processing), process protocol data units on network (host) intrusion detection systems, process events from their event registration logs of software and hardware, process the results of event analysis based on software and hardware for event analysis, a technical means for forming physical/logical elements of redundancy of transport subsystems for transmitting protocol data units in a critical information infrastructure for the class of threats (Prohibited/Other), configured to form logical, physical transport elements of redundancy, processing protocol data units based on logical, physical transport elements of redundancy, a technical means for forming logical, physical objects for branching, slowing down, impact for the class of threats (Prohibited/Other), configured to process protocol data units in software and hardware objects of branching, slowing down, impact, a technical means for forming, storing and managing the configuration of a multi-protocol equipment, designed with the ability to generate a configuration of multi-protocol equipment, manage the configuration of multi-protocol equipment, the outputs of the technical means for processing information security events are connected to the input of the technical means for generating physical/logical elements of redundancy of transport subsystems for transmitting protocol data blocks to critical information infrastructure for the threat class (Prohibited/Other) and to the input of the technical means for generating logical, physical objects for branching, slowing down, and impact for the threat class (Prohibited/Other), the outputs of the technical means for generating physical/logical elements of redundancy of transport subsystems for transmitting protocol data blocks to critical information infrastructure for the threat class (Prohibited/Other) and the technical means for generating logical, physical objects for branching, slowing down, and impact for the threat class (Prohibited/Other) are connected to the inputs of the technical means for generating, storing, and managing the configuration of multi-protocol equipment.
  3. A system for ensuring the cyber resilience of a critical information infrastructure as part of a hardware and software complex of a critical information infrastructure (CII) containing technical means of end-point automated systems for sending/receiving protocol data blocks of a CII facility, multi-protocol equipment of a telecom operator, a technical means of testing multi-protocol equipment, multi-protocol equipment of a CII facility, configured to form a hardware and software complex of a CII as part of technical means of end-point automated systems for sending/receiving protocol data blocks from a CII facility, multi-protocol equipment of a CII facility, multi-protocol equipment of a telecom operator, technical means of testing multi-protocol equipment for testing the operability of multi-protocol equipment of a CII facility, testing the reception/transmission of protocol data blocks, sending/receiving protocol data blocks, a hardware and software complex for ensuring information security of a CII facility, containing a hardware and software fault-tolerant cluster of firewalls for a CII facility, a hardware and software means of a network (host) intrusion detection system, a hardware and software tool for event registration, a hardware and software tool for event analysis, configured to form a fault-tolerant cluster of firewalls, classify data (results of event processing), process protocol data units on network (host) intrusion detection systems, process results from event registration logs of hardware and software, process the results of event analysis based on hardware and software for event analysis, a hardware and software complex for ensuring cyber resilience of a critical information infrastructure facility, containing a technical tool for processing information security events, a technical tool for generating physical/logical elements of redundancy of transport subsystems for transmitting protocol data units (PDUs) in critical information infrastructure for the threat class (Prohibited/Other), a technical tool for generating logical, physical objects for branching, slowing down, impact for the threat class (Prohibited/Other), a technical tool for generating, storing and managing the configuration of multi-protocol equipment, configured to generate logical, physical transport redundancy elements, generate software and hardware logical, physical objects for branching, slowing down, impact, processing protocol data blocks based on logical, physical transport elements of redundancy, processing of protocol data blocks in software and hardware objects of branching, slowing down, influencing, forming the configuration of multi-protocol equipment, managing the configuration of multi-protocol equipment, wherein the output of the software and hardware complex of the critical information infrastructure is connected to the input of the software and hardware complex for ensuring information security of the critical information infrastructure facility, the output of which is connected to the input of the multi-protocol equipment of the software and hardware complex of the critical information infrastructure, as well as to the input of the technical means for processing information security events of the software and hardware complex for ensuring cyber resilience of the critical information infrastructure facility, and the output of the software and hardware complex for ensuring cyber resilience of the critical information infrastructure facility is connected to the input of the multi-protocol equipment of the software and hardware complex of the critical information infrastructure.
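Claim 1 describes one control loop that is repeated for every protection subsystem: results from the firewall cluster, the intrusion detection systems, the event registration logs and the event analysis tool are classified into the "Allowed" and "Forbidden/Other" threat classes; a detected information security event leads to the formation of transport redundancy elements and of branching, slowing-down and impact objects, whose parameters are compiled into a configuration for the multi-protocol equipment, after which the reception/transmission of PDUs is checked again. The following Python model of that loop is an added example and is not code from the patent or from its inventors. The event fields, the verdict vocabularies of the four subsystems, the backup-path naming, the 500 ms delay, the 5 % PDU error rate, the interface name eth1 and the success criterion of the PDU check are all assumptions of this example; the netem options `delay` and `corrupt` are those of the Linux netem queuing discipline on which WANem-class emulators build.

```python
"""Model of the cyber-resilience control loop of claim 1 (added example, not the patent's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class ThreatClass(Enum):
    ALLOWED = "Allowed"
    FORBIDDEN = "Forbidden/Other"


@dataclass(frozen=True)
class SecurityEvent:
    """One event from a protection subsystem (field names are assumptions)."""
    source: str     # "firewall", "ids", "event_log" or "event_analysis"
    src_ip: str
    dst_port: int
    verdict: str    # subsystem-specific verdict (assumed vocabulary below)


# Verdicts each subsystem reports when it has detected an information security event.
DETECTION_VERDICTS: Dict[str, Set[str]] = {
    "firewall": {"drop", "reject"},
    "ids": {"alert"},
    "event_log": {"anomaly"},
    "event_analysis": {"incident"},
}


def classify(event: SecurityEvent) -> ThreatClass:
    """Stage 'classify the received data': any detected IS event -> Forbidden/Other."""
    if event.verdict in DETECTION_VERDICTS.get(event.source, set()):
        return ThreatClass.FORBIDDEN
    return ThreatClass.ALLOWED


@dataclass
class EquipmentConfig:
    """Configuration handed to the multi-protocol equipment (assumed schema)."""
    redundancy: List[str] = field(default_factory=list)  # logical/physical transport elements
    branch: List[str] = field(default_factory=list)      # flows diverted to the slowdown/impact class
    slowdown_ms: int = 0                                 # delay added to the branched class
    error_rate: float = 0.0                              # share of branched PDUs given errors


def flow_id(ev: SecurityEvent) -> str:
    return f"{ev.src_ip}->tcp/{ev.dst_port}"


def form_redundancy(cfg: EquipmentConfig, ev: SecurityEvent) -> None:
    """Form a transport redundancy element: a backup path for the attacked service."""
    elem = f"backup-path:tcp/{ev.dst_port}"
    if elem not in cfg.redundancy:
        cfg.redundancy.append(elem)


def form_branch_slow_impact(cfg: EquipmentConfig, ev: SecurityEvent,
                            delay_ms: int = 500, error_rate: float = 0.05) -> None:
    """Form branching, slowing-down and impact objects for one hostile flow."""
    fid = flow_id(ev)
    if fid not in cfg.branch:
        cfg.branch.append(fid)
    # The whole branched class shares one delay/error setting, as on a WANem host.
    cfg.slowdown_ms = max(cfg.slowdown_ms, delay_ms)
    cfg.error_rate = max(cfg.error_rate, error_rate)


def process_events(events: List[SecurityEvent],
                   pdu_check: Callable[[EquipmentConfig], bool]
                   ) -> Tuple[EquipmentConfig, bool]:
    """One pass of the claimed loop: classify, form objects, configure, re-check PDUs."""
    cfg = EquipmentConfig()
    for ev in events:
        if classify(ev) is ThreatClass.FORBIDDEN:
            form_redundancy(cfg, ev)
            form_branch_slow_impact(cfg, ev)
    return cfg, pdu_check(cfg)


def render_netem(cfg: EquipmentConfig, iface: str = "eth1") -> List[str]:
    """Render the slowdown/impact objects as one netem setting for the dedicated host
    (netem 'delay' and 'corrupt' are real options; the interface name is assumed)."""
    if not cfg.branch:
        return []
    pct = round(cfg.error_rate * 100, 3)
    return [f"tc qdisc replace dev {iface} root netem "
            f"delay {cfg.slowdown_ms}ms corrupt {pct:g}%"]


# Constructed sample events: a benign flow plus one flagged by the IDS and event analysis.
SAMPLE_EVENTS = [
    SecurityEvent("firewall", "10.0.0.7", 443, "accept"),
    SecurityEvent("ids", "198.51.100.23", 502, "alert"),
    SecurityEvent("event_analysis", "198.51.100.23", 502, "incident"),
]


def sample_pdu_check(cfg: EquipmentConfig) -> bool:
    """Stand-in for 'check reception/transmission of PDUs': the protected service is
    reachable once it has been moved to a backup path (assumed success criterion)."""
    return any(e.startswith("backup-path:") for e in cfg.redundancy)


if __name__ == "__main__":
    config, ok = process_events(SAMPLE_EVENTS, sample_pdu_check)
    print(config)
    print("PDU exchange OK:", ok)
    print("\n".join(render_netem(config)))
```

Two events for the same hostile flow produce one redundancy element and one branch entry, and a run with only the benign event leaves the configuration empty and the PDU check negative, which is the case in which the loop would continue with the next subsystem's results rather than reconfigure the equipment.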

Description

Field of technology

The invention relates to the field of protecting critical information infrastructure (hereinafter referred to as CII) facilities, taking into account the technological features of the construction and operation of these CII facilities.

State of the art

For the convenience of describing the method, hardware and software complex, and system for ensuring cyber resilience of telecommunications and terminal equipment of critical information infrastructure, we will introduce a number of definitions.

Critical information infrastructure (hereinafter referred to as CII) – critical information infrastructure facilities, as well as telecommunication networks used to organize the interaction of such facilities. (On the security of the Critical Information Infrastructure of the Russian Federation: Federal Law as amended on July 19, 2017, No. 187 // FSTEC: [website]. – URL: https://fstec.ru/component/attachments/download/1906/ (date of access February 27, 2023).)

Critical information infrastructure objects are information systems, information and telecommunications networks, and automated control systems of critical information infrastructure entities. (Federal Law as amended on July 19, 2017, No. 187.)

The term "cyber resilience" is understood as the ability to maintain target behavior (the ability of an object to perform its specified functions under the influence of an intruder, that is, during the implementation of computer attacks) with a given quality indicator while under attack, taking into account the system's ability to rebuild, restore itself and counter attacks. (See Zegzhda, D.P. Cybersecurity of the digital industry. Theory and practice of functional resilience to cyberattacks / Edited by Professor of the Russian Academy of Sciences, Doctor of Technical Sciences D.P. Zegzhda. Moscow: Goryachaya Liniya - Telecom, 2023. 500 p. ISBN 978-5-9912-0827-7.)

The TCP/IP communications protocol stack is a hierarchically organized set of protocols sufficient for organizing internetwork interaction. (Olifer V.G., Olifer N.A. Computer Networks. Principles, Technologies, Protocols: Textbook for Universities. 4th ed. St. Petersburg. 944 p.: ill.)

A protocol is a set of semantic and syntactic rules that determine the operation of functional devices during communication. Virtual private network. (Yakubaitis, E.A. Information Networks and Systems. Reference Book. Moscow: Finance and Statistics, 1996. 368 p.)

A protocol data unit (PDU) is an information structure transmitted at a specific layer of the OSI model (data link, network, or transport layer). It is a generalized name for a fragment of data at different layers of the OSI model. (Stallings, W. Modern Computer Networks. 2nd ed. Moscow, 2003. 783 p.) A protocol data unit (PDU) is a block of data transmitted between logical objects of the same layer (see GOST 24402-88).

Multiprotocol equipment is communication equipment, as well as specialized devices that transmit any data along certain lines called communication lines (for example, a switch or a router). (Olifer V.G., Olifer N.A. Fundamentals of Data Transmission Networks: Lecture Course. Moscow: Intuit NOU, 2016. 219 p. ISBN 978-5-9556-0035-3. URL: https://book.ru/book/917944 (date of access: 02/29/2024).)

A communications operator is a legal entity or individual entrepreneur providing communications services on the basis of an appropriate license (GOST R 53801-2010).

"Slowing down" refers to active methods of influencing a dedicated, specialized service class by increasing the processing delay of the transmitted protocol data units (PDUs) at the data link, network, and transport layers, using WANem-class tools (see WANem Wide Area Network emulator https://wanem.sourceforge.net/; Emulation of network problems using WANem https://habr.com/ru/articles/127274/ (accessed 02.12.2024)) allocated to a specialized software and hardware system for slowing down traffic. An example of such a technical slowing-down tool is a software and hardware implementation with a network adapter on a Raspberry Pi (Orange Pi) single-board computer, based on an open source operating system, for example Astra Linux, ALT Linux or Debian, with the WANem package installed.

"Influence" (impact) refers to active methods of influencing transmitted packets by introducing errors into the transmitted protocol data units (PDUs) at the data link, network, and transport layers. The technical means of influence is implemented using WANem-class tools (see WANem Wide Area Network emulator https://wanem.sourceforge.net/; Emulation of network problems using WANem https://habr.com/ru/articles/127274/ (accessed 02.12.2024)), as well as Scapy (see https://scapy.net/; The process of creating packets (packet crafting) https://habr.com/ru/articles/208786/ (accessed 02.12.2024)).

To address the problem of isolating destructive packets into separate, specialized hardware and software traffic man