Page 1

International Symposium, The University of Texas in Arlington, 28 - 30th July

Part 1: Mathematical modeling of processes in systems life cycles in compliance with standards requirements of ISO/IEC 15288

Part 2: Methodical Approach for the Evaluation of System Vulnerability in Conditions of Terrorist Threats

Prof. Kostogryzov Andrey, Russia, Moscow, [email protected]

Page 2

Plan (part 1)

1. The Role of Mathematical Modeling. Abstract Idea for Information Systems Modeling
2. Offered Models and Software Suites CEISOQ
3. Mathematical Modeling for Process Architectures Analysis, Examples
4. Mathematical Modeling of Items Gathering, Examples
5. Mathematical Modeling of Item Content Analysis, Examples
6. Mathematical Modeling of System Protecting, Examples
7. Mathematical Models in Developing, Examples

Page 3

1.1 The Role of Mathematical Modeling. Abstract Idea for Information Systems Modeling

LIFE CYCLE STAGE | PURPOSE | MODELS CAPABILITIES
CONCEPT | Identify stakeholders' needs; explore concepts; propose viable solutions | Substantiation of quantitative system requirements
DEVELOPMENT | Refine system requirements; create solution description; build system (including mathematical software models as a system component); verify and validate system | Requirements analysis, investigations of risks and potential threats, evaluations of proposed solutions and expected hazards. Tests and evaluations of system operation quality
PRODUCTION | Produce individually or in quantity; inspect and test | Investigations of risks and potential threats. Evaluations of system operation quality, optimization of parameters (one cell spanning the PRODUCTION, UTILIZATION and SUPPORT stages)
UTILIZATION | Operate system to satisfy users' needs | (see above)
SUPPORT | Provide sustained system capability | (see above)
RETIREMENT | Store, archive or dispose of the system | Substantiation of rational modes

Practical solutions are based on system analysis: the foundation for providing high system quality is the rational use of models and methods that allow the evaluation and optimization of the different processes existing in the life cycle.

Page 4

1.2 The Role of System Analysis and Mathematical Modeling - the main actions for rational achievement of system purposes

For example, in Project Processes:
- for the Project Assessment Process - assess project progress, analyze data and measures to make appropriate recommendations;
- for the Risk Management Process - evaluate the risks, determine the risk treatment strategies;
- for the Information Management Process - define information maintenance actions.

In Technical Processes:
- for the Requirements Analysis Process - define the functional boundary of the system, technical and quality-in-use measures, specify system requirements and functions;
- for the Architectural Design Process - define appropriate logical architectural designs, evaluate alternative design solutions;
- for the Operation Process - monitor the system operation, introduce remedial changes to operating procedures, the operator environment, human-machine interfaces and operator training as appropriate when human error contributed to failure, etc.

Page 5

1.3 Abstract Idea for Information Systems Operation Modeling

[Diagram: the information SYSTEM, with its Users, Purposes, Requirements to the information system, Use conditions, Operated objects, Resources and Sources, interacting with Higher systems, Subordinate systems and Interacted systems]

The general purpose of operation: to meet the requirements for reliable and timely production of complete, valid and confidential information for its following use.

A totality of system characteristics that bears on the ability to satisfy users' needs in output information defines information system operation quality.

Page 6

1.4 Abstract Idea for Information Systems Modeling

[Diagram: Required information (ideal) of required quality - reliable, timely, complete, valid and confidential - against Used information (real), which may be:
- non-produced as a result of the system's unreliability;
- untimely;
- incomplete;
- non-actual;
- doubtful: with hidden distortions as a result of unauthorized accesses, with hidden software distortions, due to processing intolerable mistakes, due to random faults of staff and users, due to random faults missed during checking;
- non-confidential]

Page 7

2 Offered Models and Software Suites CEISOQ

CEISOQ was presented at the conferences "Modeling and Certifying of Arms and Military Techniques" (1998-2000), at the International Air-Space Show MAKS (1999, the town of Zhukovsky), at the International Engineering and Technical Management Symposium (2000, the USA), at the International Computation and Information Conference (2000, Kuwait), at the International Seminar "Mathematical Methods, Models and Architecture for Providing Computer Networks Security" (2001), etc.; it was awarded the Golden Medal of the International Innovation and Investment Salon (2001, the chairman of the Jury being the Nobel Prize winner Mr. Alfyorov), and is patented and certified.

Page 8

2.1 Model of Functions Performance in Conditions of System Unreliability (physics)

[Timeline along t: Cause 1, Cause 2 and Cause 3 of failures; intervals where reliability is provided and where it is not provided. Legend: failure-free system operation time (operative conditions); failure recovery time (inoperative conditions); required permanent time of reliable operation]

An application allows to answer such questions as:
• what requirements to the operation time between failures and to the repair time of items (hardware/software units, staff or users) are admissible?
• what operation processes should be duplicated?
• what about the reliability of a system architectural design, etc.

Page 9

2.2 The Models Complex of Calls Processing (physics for information system)

[Diagram: SERVING SYSTEM with BUFFER. Inputs: users' calls for output information producing; calls for technological operations; users' calls for messages transfer; users' calls for input information filling. Outputs: produced output data; performed technological operations; transferred messages; filled data]

An application allows to answer the questions:
- what processing units should be chosen from the producing point of view?
- what calls flows and functional tasks may be the main causes of bottlenecks? etc.

Software tools CEISOQ allow to compare the effectiveness of six dispatcher technologies:
• technology 1 for calls processing without priorities: in consecutive order for unitasking processing mode; in time-sharing order for multitasking processing mode;
• priority technologies in consecutive processing order:
  – technology 2 for calls processing with relative priorities "first in - first out";
  – technology 3 with absolute priorities;
  – technology 4 for calls batch processing with relative priorities;
  – technology 5 combined from technologies 2, 3 and 4.
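The following is an added example, not code from the presentation or from CEISOQ: a small discrete-event simulation of one serving system with a buffer that compares technology 1 (no priorities, consecutive "first in - first out"), technology 2 (relative priorities: the highest-priority waiting call is taken next, but a call in service is never interrupted) and technology 3 (absolute priorities: a higher-priority arrival interrupts the call in service, which resumes later). The call flows are assumed Poisson and the service times exponential, and the three call classes, their rates and mean service times are constructed for the illustration; CEISOQ's own inputs are not on the slide. Per-class mean response time is the bottleneck indicator the slide asks about.

```python
import random

# Added example (not CEISOQ code). Policies: "fifo" = technology 1 in
# consecutive mode, "relative" = technology 2, "absolute" = technology 3.
# Arrival flows are Poisson and service times exponential (assumption).

def simulate(policy, arrival_rates, mean_service, n_calls=20000, seed=1):
    """Mean response time (completion minus arrival) per call class.
    Class 0 has the highest priority."""
    rng = random.Random(seed)
    calls = []
    for cls, rate in enumerate(arrival_rates):      # constructed call flows
        t = 0.0
        for _ in range(n_calls):
            t += rng.expovariate(rate)
            calls.append({"cls": cls, "arr": t,
                          "rem": rng.expovariate(1.0 / mean_service[cls])})
    calls.sort(key=lambda c: c["arr"])               # one merged arrival flow

    waiting = []                                     # arrived, not completed
    next_idx = 0                                     # next call to arrive
    now = 0.0
    response = [[] for _ in arrival_rates]

    def admit(upto):
        nonlocal next_idx
        while next_idx < len(calls) and calls[next_idx]["arr"] <= upto:
            waiting.append(calls[next_idx])
            next_idx += 1

    def pick():
        if policy == "fifo":
            return min(waiting, key=lambda c: c["arr"])
        # priority by class, then by arrival: an interrupted call of the same
        # class arrived earlier than the newcomer and therefore resumes first
        return min(waiting, key=lambda c: (c["cls"], c["arr"]))

    while next_idx < len(calls) or waiting:
        if not waiting:                              # idle: jump to next arrival
            now = calls[next_idx]["arr"]
            admit(now)
        cur = pick()
        finish = now + cur["rem"]
        next_arr = calls[next_idx]["arr"] if next_idx < len(calls) else float("inf")
        if policy == "absolute" and next_arr < finish:
            # serve only until the arrival; pick() then decides whether it preempts
            cur["rem"] -= next_arr - now
            now = next_arr
            admit(now)
        else:
            # technologies 1 and 2 run the call to completion; calls that
            # arrived meanwhile are admitted afterwards
            now = finish
            cur["rem"] = 0.0
            waiting.remove(cur)
            response[cur["cls"]].append(now - cur["arr"])
            admit(now)
    return [sum(r) / len(r) for r in response]

def compare(arrival_rates=(0.2, 0.2, 0.2), mean_service=(1.0, 1.0, 1.0), n_calls=20000):
    """Per-class mean response times of the three technologies on the same
    constructed flows (total load 0.6 of one processing unit)."""
    return {pol: simulate(pol, arrival_rates, mean_service, n_calls)
            for pol in ("fifo", "relative", "absolute")}

if __name__ == "__main__":
    for pol, means in compare().items():
        print(pol, ["%.2f" % m for m in means])
```

With equal loads the FIFO response is the same for every class, relative priorities shorten the response of class 0 and lengthen that of class 2, and absolute priorities push both effects further; the lowest class is where the bottleneck shows up first.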

Page 10

2.3 The Model of Entering into System Current Data Concerning New Objects of Application Domain (physics)

a) Processes of new objects and events (OE) appearance and information delivery:
[Timeline along t: OE No. 1 ... OE No. 4 appear and message No. 1 ... message No. 4 are delivered; intervals of information completeness and of information incompleteness]

b) Modeling of the real process as a queuing system M/G/...:
Formalization: OE appearance -> calls flow; information delivery -> calls serving (Unit 1, Unit 2, ...); storage -> served calls (Database: objects features, events parameters).

An application allows to answer such questions as: what productivity of preparation, transfer and input units should be preferred to provide information completeness? and others.

Page 11

2.4 Models of Items Gathering from Sources (physics)

[Timeline along t: DB updating moments; intervals where items actuality is provided (actuality maintained after the last updating) and where it is not provided (non-actuality for items)]

An application allows to answer the question: what productivity of preparation, transfer and input units and what gathering technologies should be preferred to provide items actuality?

In difference from Model 2.3, the evaluated item's actuality characterizes the updating processes.

Page 12

2.5 Models of Items Gathering from Sources (mathematics)

The probability of information actuality maintenance until its use moment (proved on the basis of the limit theorem for regenerative processes) is:

a) for the mode of source information delivery immediately after an essential object current state change:

$$P_{act} = \frac{1}{\beta}\int_0^\infty B(t)\,[1 - C(t)]\,dt,$$

b) for the updating mode regardless of whether the object current state is changed or not (for example, when gathering is regulated):

$$P_{act} = \frac{1}{q}\int_0^\infty [1 - Q(t)]\int_0^\infty [1 - C(t+\tau)]\,dB(\tau)\,dt,$$

where C(t) is the probability distribution function (PDF) of the time between neighboring essential real state changes and β is its mean (the symbol for this mean did not survive extraction; β is used here); B(t) is the PDF of the time for information preparing, delivering and inputting; Q(t) is the PDF of the time interval between neighboring updatings, and q is its mean.

Page 13

2.6 Model of Items Analysis (physics on example of information checking)

[Diagram: Real information -> Initial information preparation -> Input information -> Formalized checking of fault lack -> Check-up and fault correction. Along the sequence, items are marked "fault lack" or "fault" (fault detected or fault missed); the checker's attention concentration is OK or is restored after a pause]

A man is the most valuable system component. An application allows to answer the questions: is a checker able to reveal all existing errors? Moreover, is he able to commit no errors of his own? Is software support needed for effective analysis? What about system faultlessness in real-time operation? etc.

Page 14

2.7 Models Complex of Dangerous Influences on a Protected System (physics on example of computer viruses influences)

[State diagram: validation result "initial system is pure" -> virus penetration -> virus activation -> hidden or visible violation of system operation; the state able to operate, with functional task performance in the established mode; established regulating of system resources state diagnostics -> system transformation to the "pure" state]

Dangerous influences (for example from computer bugs, viruses or terrorists, etc.) define high system vulnerability not only through the suddenness and incomprehensibility of their influences but also, mainly, on account of their insufficient study. An application allows to answer the questions:
• what about the danger of influences on a protected system, and which safety technologies should be preferred for different environment scenarios? etc.

Page 15

2.8 Model of an Unauthorized Access to System Resources (physics)

[Diagram: a violator performs unauthorized actions against stored system resources protected by barriers; the 1-st ... k-th barrier must be overcome in turn during an unauthorized access. Outcomes: unauthorized access is not realized / unauthorized access is realized]

An application allows to answer such questions as:
- what about the quantity of barriers?
- what protection barriers decoding time is tolerated against unauthorized accesses? etc.

The core of the modeling is barriers overcoming as random processes.

Page 16

2.9 Model with due regard to resources objective value (physics on example of information confidentiality)

[Diagram: as in 2.8, a violator's unauthorized actions against stored system resources behind the 1-st ... k-th barrier, now compared with the period of objective value of the resources; information confidentiality is maintained when the barriers are not all overcome within that period]

Keep your patience, please! Just 36.6% after the beginning!

The Model differs from the Model of an Unauthorized Access in considering a period of objective value of the kept resources. It allows to answer the questions: what about the probability of unauthorized access with this consideration? Is this period valuable? etc.
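An added example for models 2.8 and 2.9 (not code from the presentation or from CEISOQ): the k barriers are overcome one after another, each in a random decoding time, and the access counts as realized only if all of them fall before the period of objective value of the resources expires. The slide gives no distributions, so the decoding time of each barrier is assumed exponential with its own mean; with equally strong barriers the total time is Erlang, which gives a closed form that the Monte Carlo cross-checks. The two helper functions answer the slide's two questions: what per-barrier decoding time is tolerated, and how many barriers are needed, for a given admissible access probability. All numeric inputs are constructed.

```python
import math
import random

# Added example (not CEISOQ code). Assumption: the time to overcome barrier j
# is exponential with mean m_j; barriers are overcome strictly in sequence.

def p_access_realized(mean_decode_times, value_period, samples=20000, seed=7):
    """Monte Carlo: probability that the k barriers are all overcome within
    value_period (model 2.9). Barriers may differ in strength."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        total = 0.0
        for m in mean_decode_times:
            total += rng.expovariate(1.0 / m)
            if total > value_period:      # value expired: confidentiality kept
                break
        else:
            hits += 1
    return hits / samples

def p_access_realized_equal(k, mean_decode, value_period):
    """Closed form for k equally strong barriers: the sum of k exponential
    times is Erlang(k, 1/m), so P(sum <= V) = 1 - e^-x * sum_{i<k} x^i/i!
    with x = V/m. Terms are evaluated in log space to avoid overflow."""
    x = value_period / mean_decode
    if x <= 0.0:
        return 0.0
    tail = sum(math.exp(i * math.log(x) - math.lgamma(i + 1) - x) for i in range(k))
    return 1.0 - tail

def tolerated_decode_time(k, value_period, p_max):
    """Smallest per-barrier mean decoding time for which the probability of an
    access within the value period does not exceed p_max (bisection; the
    probability decreases monotonically with the decoding time)."""
    lo, hi = 1e-9, value_period
    while p_access_realized_equal(k, hi, value_period) > p_max:
        hi *= 2.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if p_access_realized_equal(k, mid, value_period) > p_max:
            lo = mid
        else:
            hi = mid
    return hi

def barriers_needed(mean_decode, value_period, p_max, k_max=50):
    """Smallest number of equally strong barriers that keeps the access
    probability within the value period at or below p_max (None if k_max
    barriers are not enough)."""
    for k in range(1, k_max + 1):
        if p_access_realized_equal(k, mean_decode, value_period) <= p_max:
            return k
    return None

if __name__ == "__main__":
    # constructed scenario: value period 5 time units, barriers of mean 10 each
    for k in (1, 2, 3, 4):
        print(k, "barriers:", round(p_access_realized_equal(k, 10.0, 5.0), 4))
    print("tolerated mean decoding time for 3 barriers, P<=0.01:",
          round(tolerated_decode_time(3, 5.0, 0.01), 2))
```

Model 2.8 is the same computation with an unbounded value period, where the access is eventually always realized and the interesting quantity becomes the expected time rather than a probability; the value period is what turns the question into a bounded risk.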

Page 17

3 Mathematical Modeling for Process Architectures Analysis

For example, a system project shall implement the following activities:
- define appropriate logical architectural designs;
- analyze the system functions identified in requirements analysis and allocate them to elements of the system architecture;
- analyze the resulting architectural design to establish design criteria;
- determine which system requirements are allocated to operators for the most effective, efficient and reliable human-machine interaction;
- evaluate alternative design solutions, modeling them to a level of detail that permits comparison against the specifications expressed in the system requirements and the performance, costs, time scales and risks expressed in the stakeholder requirements;
- specify the selected physical design solution as an architectural design baseline in terms of its functions, performance, behavior, interfaces and unavoidable implementation constraints, etc.

Page 18

Example 3.1. Let an Air Transport System be developed for making intercontinental flights (see Fig. D.1 from ISO/IEC 15288): Aircraft System (subsystem 1); Airport System (subsystem 2); Fuel Distribution System (subsystem 3); Air Traffic Control System (subsystem 4); Ticketing System (subsystem 5). Let, from the users' point of view, the mean time in inoperable technical condition for the hypothetical Air Transport System be equal to 2 hours per year, and let that be admissible. It means that the admissible availability equals 0.99977 (1 - 2 hours / (365 days × 24 hours)). System recovery time after a failure equals 30 minutes. It is required to evaluate the availability and the probability of reliable Air Transport System operation during 1 day, considering equal reliability for all subsystems.

Results: 1) to provide the required availability, the mean time between failures for one subsystem should be more than 1.3 years, and the mean time between failures for the whole system will be about 0.26 years;

2) to provide the required reliability during one day, the mean time between failures for one subsystem should be more than 61 years, and for the whole system about 12.2 years, i.e. 47 times more (!!!).

Page 19

Example 3.2. The information basis for the efficient use of fighters is the onboard radar complex. It weighs about 1% of the whole airplane and its cost varies in the range of 10-20% of the whole airplane cost. One of the bottlenecks of any modern fighter is the low reliability of radar stations (RS). A mean time between failures of 200 hours is still considered admissible. For an assigned admissible probability of reliable performance of a set task of not less than 0.95, it is required to define the maximum continuous time of onboard RS use.

Solution. Let the mean time of RS repair after its failure be equal to 4 hours. The maximum mean time of continuous RS use must not exceed 6 hours 15 minutes. This is enough for the fulfillment of a certain military task by a fighter. If the mean time between failures equals 200 hours, the probability of reliable RS operation while a fighter fulfils a military task cannot exceed the level 0.97-0.98 (!!!).

Page 20

Example 3.3. If any Transport System (see Fig. D.1 from ISO/IEC 15288) is very large, there are hundreds or even thousands of staff members. To solve a given functional system problem, the efforts of several specialists are required. Let a problem solution depend on the joint but independent actions of 5 people. Let each of 4 specialists make 1 error a month and the 5th, inexperienced person make 1 error a day. System recovery time after an error equals 30 minutes. It is required to evaluate the faultlessness of such a group's actions within a week.

Results. The probability of faultless joint actions of the first 4 specialists within a 40-hour workweek equals 0.8-0.82, but the low-quality work of the 5th member spoils the whole group's work: the probability of faultless actions decreases to 0.02 (!!!). These results prove the importance of thorough specialist training, because a man is the main system bottleneck.
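An added worked example for Examples 3.1, 3.2 and 3.3 (not code from the presentation or from CEISOQ). The slide does not print the formulas, so the simplest model consistent with its figures is assumed here: an item alternates between failure-free operation (mean MTBF) and recovery (mean MTTR), its availability is MTBF/(MTBF+MTTR), and the probability of reliable operation during a required time T is the probability that the item is operable at the start of T and does not fail during T, with exponential time to failure, i.e. A·exp(-T/MTBF); items that must all be up multiply. Under that assumption the code reproduces, within rounding, the 1.3-year and 0.26-year, 61-year and 12.2-year figures of Example 3.1, the 6 h 15 min and 0.97-0.98 of Example 3.2 and the 0.8-0.82 of Example 3.3; the 0.02 for the fifth person depends on how "a day" and "a week" are counted, which the slide does not state, so the calendar assumptions are parameters.

```python
import math

# Added example (not CEISOQ code). Model assumption: exponential time to
# failure; P(reliable during T) = availability * exp(-T / MTBF). Units: hours.

HOURS_PER_YEAR = 365 * 24

def availability(mtbf, mttr):
    """Steady-state availability of one item that alternates between
    failure-free operation (mean mtbf) and recovery (mean mttr)."""
    return mtbf / (mtbf + mttr)

def p_reliable(mtbf, mttr, t_req):
    """Probability that the item is operable at a random moment and then
    operates failure-free for the required time t_req (model 2.1 for one item)."""
    return availability(mtbf, mttr) * math.exp(-t_req / mtbf)

def series(values):
    """Items that must all be up: probabilities multiply."""
    p = 1.0
    for v in values:
        p *= v
    return p

def required_mtbf_for_availability(a_target, mttr, n):
    """MTBF each of n identical series subsystems needs so that the system
    availability reaches a_target (Example 3.1, question 1)."""
    a_i = a_target ** (1.0 / n)
    return mttr * a_i / (1.0 - a_i)

def required_mtbf_for_reliability(p_target, mttr, t_req, n):
    """MTBF each of n identical series subsystems needs so that the probability
    of reliable system operation during t_req reaches p_target (Example 3.1,
    question 2). Bisection: the probability grows monotonically with MTBF."""
    lo, hi = 1e-6, t_req
    while series([p_reliable(hi, mttr, t_req)] * n) < p_target:
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if series([p_reliable(mid, mttr, t_req)] * n) >= p_target:
            hi = mid
        else:
            lo = mid
    return hi

def max_continuous_use(mtbf, mttr, p_target):
    """Largest required time t with p_reliable(mtbf, mttr, t) >= p_target
    (Example 3.2): A*exp(-t/mtbf) >= p  <=>  t <= mtbf*ln(A/p)."""
    a = availability(mtbf, mttr)
    return mtbf * math.log(a / p_target) if a > p_target else 0.0

def air_transport_example():
    """Example 3.1: 5 equally reliable subsystems in series, 2 h/year of
    admissible downtime, 30 min recovery, required reliable period 1 day."""
    a_target = 1.0 - 2.0 / HOURS_PER_YEAR
    mttr = 0.5
    mtbf_a = required_mtbf_for_availability(a_target, mttr, 5)
    mtbf_r = required_mtbf_for_reliability(a_target, mttr, 24.0, 5)
    return {
        "subsystem_mtbf_years_for_availability": mtbf_a / HOURS_PER_YEAR,
        "system_mtbf_years_for_availability": mtbf_a / 5 / HOURS_PER_YEAR,
        "subsystem_mtbf_years_for_daily_reliability": mtbf_r / HOURS_PER_YEAR,
        "system_mtbf_years_for_daily_reliability": mtbf_r / 5 / HOURS_PER_YEAR,
    }

def staff_example(hours_per_month=730.0, hours_per_day=24.0):
    """Example 3.3: four specialists with one error a month each, a fifth with
    one error a day, 30 min recovery, 40-hour week. The calendar lengths are
    parameters because the slide does not state them."""
    four = series([p_reliable(hours_per_month, 0.5, 40.0)] * 4)
    five = four * p_reliable(hours_per_day, 0.5, 40.0)
    return four, five

if __name__ == "__main__":
    for k, v in air_transport_example().items():
        print(k, round(v, 2))
    print("radar: availability", round(availability(200, 4), 3),
          "max continuous use, h", round(max_continuous_use(200, 4, 0.95), 2))
    print("staff: four specialists", round(staff_example()[0], 3),
          "with the fifth", round(staff_example()[1], 3))
```

The gap between the two MTBF requirements in Example 3.1 comes from the 1-day reliable period: availability only bounds the average downtime, whereas reliable operation during a period bounds the probability of any failure inside it, which for a 24-hour period and a 2-hour-per-year budget demands an MTBF of tens of years per subsystem.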

Page 21

4. Mathematical Modeling of Items Gathering

Example 4.1. Military aviation effectiveness is determined by the use of intermediate-range ballistic missiles. Distant detection and identification of enemy aircraft is carried out by an onboard radar station (RS).

All locators are divided into 2 groups: with mechanical air surveillance (3rd generation) and with electronic scanning (4th generation). The unavoidable disadvantage of existing mechanical scanning systems is the impossibility of combining two modes: missile guidance on a target and surveillance. This means that a sequentially surveying air RS fixes the current positions of several just-detected targets. In the case of fighting non-maneuvering, low-speed targets (for example cruise missiles) this method proves adequate. When enemy maneuverability is high, the achieved information actuality turns out to be insufficient.

To destroy a maneuvering target, its data should be fixed 5-10 times per second. The thing is that an antenna with mechanical surveillance may define new target data only on its next turn, i.e. in a second. In this case a pilot has no ability to survey the air, which in combat conditions causes a certain loss.

What about the information quality for locators of the 3rd and 4th generation, in quantity?

Page 22

Example 4.1 (computation results)

[Figure: computation results for two cases. Panel 1: case of fight with non-maneuvering targets (i=1-4 are RS with electronic scanning, i=5-6 with mechanical one). Panel 2: case of fight with high-maneuvering enemy targets.]

Input (for each variant i): the mean time between essential changes; the mean preparing time; the mean transfer time; the mean time of entering into a system; Di = D2, meaning that information is gathered without any dependencies on changes; qi is the mean time between updating. Output: Pact.i is the probability of information actuality at the moment of use.

Page 23

Example 4.1 (summary of modeling)

Computation results show that an information gathering process architecture based on RS with mechanical scanning provides information actuality of not less than 0.88-0.94. The achieved probability 0.88-0.94 may be considered a standard for effectiveness in fighting non-maneuvering or low-speed targets. For comparison, the use of electronic scanning RS allows this probability to be increased to 0.96-0.98.

The difference in the case of high-maneuvering enemy targets is in the frequency of significant target position changes: they happen every 1-2 seconds. Computation results prove that mechanical scanning RS may provide information actuality equal to 0.56-0.74.

Electronic scanning RS may provide used information actuality equal to:

- 0.81 - 0.85 in case of sharp turn maneuvers within a second;

- 0.90 - 0.92 in case of turn maneuvers within 2 seconds.

Conclusion: an actuality increase to the level 0.9 and higher is a very important and necessary condition for fighting aviation to effectively oppose high-maneuvering targets. Due to such high information actuality it is possible for a system to obtain a new quality (in practice, a "transition from QUANTITY to QUALITY").
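To make the inputs and outputs of Example 4.1 concrete, here is an added example (not the author's CEISOQ software or model) that computes information actuality under an assumed model: essential target-state changes form a Poisson process with mean time between changes `beta`, updates are periodic every `q` seconds and reach the consumer after a fixed gathering delay, and use happens at a random moment within an update cycle. The update periods (one antenna turn per second for mechanical scanning, 5 updates per second for electronic scanning) follow the slides' description; the delay, the `beta` values and the closed form itself are my assumptions.

```python
"""Information actuality P_act for Example 4.1 (added example, assumed model).

Assumptions (mine, not stated on the slides):
- essential changes of a target's state form a Poisson process with mean
  time between changes `beta` (the slides' "mean time between essential changes");
- information is refreshed with a constant period `q` (the slides' "mean time
  between updating"), independently of the changes;
- each refresh reaches the consumer after a fixed delay
  `delay` = preparing + transfer + entering time;
- the moment of use is uniformly distributed within an update cycle.
Information is actual at the moment of use if no essential change happened
since the snapshot it is based on was taken.
"""
import math
import random

MECHANICAL_UPDATE_S = 1.0   # one antenna turn per second (from the slides)
ELECTRONIC_UPDATE_S = 0.2   # 5 updates per second, lower end of the slides' 5-10/s


def actuality_closed_form(beta, q, delay):
    """P_act = E[exp(-age/beta)] where age = delay + U, U ~ Uniform(0, q).

    Integrating exp(-(delay+u)/beta) over u in [0, q) and dividing by q gives
    exp(-delay/beta) * (beta/q) * (1 - exp(-q/beta)).
    """
    if beta <= 0:
        raise ValueError("beta must be positive")
    if q <= 0:                      # continuous refresh: age is just the delay
        return math.exp(-delay / beta)
    return math.exp(-delay / beta) * (beta / q) * (1.0 - math.exp(-q / beta))


def actuality_monte_carlo(beta, q, delay, trials=200_000, seed=1):
    """Cross-check of the closed form by direct simulation of the same model."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        age = delay + rng.uniform(0.0, q)          # age of the used snapshot
        # time from the snapshot to the next essential change ~ Exp(mean beta)
        if rng.expovariate(1.0 / beta) > age:
            hits += 1
    return hits / trials


def compare_scanning(beta, delay=0.05):
    """Actuality for both RS generations; `delay` (s) is a constructed value."""
    return {
        "mechanical": actuality_closed_form(beta, MECHANICAL_UPDATE_S, delay),
        "electronic": actuality_closed_form(beta, ELECTRONIC_UPDATE_S, delay),
    }


if __name__ == "__main__":
    # constructed scenarios: rare changes vs. changes every 1-2 s (maneuvering)
    for label, beta in (("non-maneuvering, beta=20 s", 20.0),
                        ("high-maneuvering, beta=1.5 s", 1.5)):
        r = compare_scanning(beta)
        print(f"{label}: mechanical {r['mechanical']:.3f}, "
              f"electronic {r['electronic']:.3f}")
    cf = actuality_closed_form(1.5, MECHANICAL_UPDATE_S, 0.05)
    mc = actuality_monte_carlo(1.5, MECHANICAL_UPDATE_S, 0.05)
    print(f"closed form {cf:.4f} vs Monte Carlo {mc:.4f}")
```

The model reproduces the qualitative effect the slides describe: for rarely changing targets both scanning types keep actuality high, while for targets changing every 1-2 s only the faster update cycle keeps it near 0.9.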

Page 24

Example 4.2. Information roots of "Wal-Mart" success come first. To increase productivity, each salesclerk was equipped with a manual bar-code reader. Information contained in a bar-code is shown on a display. A worker can get a retrospective picture of products sold within a day, a week and 5 weeks. For each article there is everything that may be necessary for ordering. What may be achieved due to an information actuality increase?

Summary. Actuality of information is not less than 0.992 (i=1-4). Information read from a bar-code is transferred to the "Wal-Mart" headquarters. The satellite system is connected with more than 4000 company suppliers. For comparison, in other shops, where information is updated hourly, information actuality equals 0.3-0.7 (i=5-8), i.e. at the moment of information use it is as likely true as false. Feel the difference !!!

Page 25

5. Mathematical Modeling of Item Content Analysis

Example 5.1. Let an operators' work order of an air traffic control system (see Fig. D1 from ISO/IEC 15288) be developed. As the main operator's work is connected with monitors, it is required to substantiate the duration of an operator's continuous work shift under the condition that the probability of obtaining correct results of information analysis is not less than 0.99.

Data mining for modeling. Let the number of simultaneously tracked objects not exceed 20. Changes of object states happen every second. During an hour of work there happen no more than 3600 changes of each object's state. As a flight is continuous, it is critical for an operator if the frequency of object state changes equals 1 change per 5 seconds.

Let's assume that among these 20 objects there are no more than 4 significant ones preparing for take-off or landing. Thus within an hour an operator must analyze up to 14400 object states (3600/5 · 20), within 2 hours 28800, within 4 hours 57600, within 5 hours 72000. The fraction of essential information doesn't exceed 20%. The analysis speed of an experienced analyst equals 4 objects a second. The frequency of type I and II errors equals 1 error a week.

Page 26

Example 5.1 (summary of modeling)

i=1-3 describe one-hour work and i=4-8 five-hour work. Owing to the high qualification of operators, the computed correctness of their work is stably high, 0.94-0.98, but less than the required one (0.99).

Input: Vi is the content of analyzed information; i is the fraction of information essential for analysis; i is the information analysis speed; ni is the frequency of type I errors (when unimportant information is considered essential); TMTBF i is the mean time between algorithmic type II errors; Tcont.i is the continuous period of an analyst's work; Treq.i is the assigned term (deadline) for analysis. Output: Pafter i is the probability of obtaining correct analysis results; after i is the fraction of unaccounted essential information.

Result: there are no formal solutions of the problem because the assigned probability is almost unachievable; the problem can't be solved only by controlling a shift's work time.

Page 27

Example 5.2. An automated monitoring system for a territorially distributed system critical to safety is developed (an oil or gas pipeline network, communications of a chemical enterprise, stores of nuclear industry waste, a regional energy system etc.). Information from automatic sensors is transferred to an integrating center. Though the degree of control is quite high and control itself is continuous, the main information gathering and processing functions are performed in an automatic mode. An operator receives integrated information, makes decisions and develops control actions. It is required to define the minimum speed of data processing such that the probability of obtaining correct integrated results is not less than 0.9999.

Result: only if the data processing speed in the automatic mode is not less than 199500 symbols a minute and in the manual mode not less than 108 graphical results a minute can the required correctness be achieved. The obtained results are system engineering requirements for a monitoring subsystem as well as requirements for the qualifications of system staff.

Page 28

6.1 Modeling of System Protecting From Unauthorized Accesses

Example 6.1. At the end of 1941 the allies of the anti-Hitler coalition began to form, at English naval bases, convoys of transport and military vessels which were sent to the northern ports of the USSR. In 1942 convoy PQ-17 was sent to the USSR. Suddenly, halfway, the convoy was attacked by German submarines and bombers. As a result 24 of 36 vessels were sunk; 3350 trucks, 430 tanks and 100000 tons of freight went to the bottom. The matter is that the Finnish radio interception center received a telegram in Morse code, decoded it and transferred it to the Germans. It is required to substantiate system requirements for cipher complexity to provide secrecy of a vessel convoy's transit with probability not less than 0.99.

Result: to provide information confidentiality during 20 days it was required to select a cipher algorithm whose decoding complexity exceeds 3 years (!!!).

Page 29

6.1 Modeling of System Protecting From Unauthorized Accesses

Example 6.2. Once, at a competition, it was suggested to solve some problems connected with enciphering. An algorithm of 97-bit enciphering on an elliptic curve and an RSA algorithm with a 512-bit key were compared. 195 enthusiasts from 20 countries took part in the competition. For the deciphering, which took 40 days, 740 computers were used. In the end the deciphering took about 16 000 machine-years, converted to computers whose throughput is 1 million operations per second.

It seems that the final results of the competition are not of practical importance for a specialist (it was only revealed that a cipher may be deciphered in 40 days). But in fact the latent results are amazing, not in the form they were drawn in the competition but in the form of cryptographic protection modeling results (!!!).

Page 30

Example 6.2 (system analysis). Let it be required to define the maximum admissible period of objective information confidentiality that may characterize protected information, so as to provide its confidentiality with probability not less than 0.995.

If the key is changed once a year, enciphering will provide confidentiality for information whose period of objective confidentiality equals more than 200 million years (!) in the case of 97-bit encoding on the elliptic curve and not more than 4-5 months (!) in the case of enciphering with the RSA algorithm. If a key is changed once a month (today's practice), the encoding by the RSA algorithm provides information confidentiality of not less than 0.999, and the period of objective information confidentiality will also be equal to hundreds of millions of years!!!

How may the following information be assessed??? "…The RSA Data Security firm recommends companies to protect data by more reliable keys, which length exceeds 768 digits or better 1028 digits…" Brilliant answer (ancient): an effective system engineering decision should be made only on thorough modeling knowledge of system processes.

Page 31

6.2 Mathematical Modeling of System Protecting Against Dangerous Influences

Technology 1 – preventive diagnostic of system integrity

Technology 2 – multishift security monitoring

Technology 3 – security monitoring when system integrity

Input for modeling (for technology j): the frequency of influences for penetrating a danger source; the mean activation time of a penetrated danger source (only for technologies 1 and 3); Tbetw.j is the time between the end of a diagnostic and the beginning of the next one; Tdiag.j is the diagnostic time, including the time of system integrity repair; TMTBF j is the mean time between operator's errors; Treq.j is the required period of permanent secure system operation. Output: Pinf.j is the probability of dangerous influence absence in a system within the assigned period Treq.j; Ppen.j is the probability of penetrated danger source absence.

Page 32

Example 6.3. A special medical system has appeared on the market, with sensors built into a man's clothes which immediately give warnings of dangerous changes in a man's physical state. A special portable computer gathers information from the sensors and processes it. Let's evaluate what lifetime without any serious illnesses may be provided for people using such clothes.

System analysis. Let's examine 2 variants of a man's reaction to signals. The 1st variant implies a visit to a doctor and taking the necessary treatment within 4 hours after a man has received a danger signal from the system.

The 2nd variant implies an immediate intervention of a personal doctor after the first danger symptoms appear and recovery of the organism's integrity.

Results: the probability of serious illness absence is, for the 1st variant, within a year not less than 0.98, within 2 years not less than 0.92, within 10 years not more than 0.35; for the 2nd variant, within 46 years not less than 0.95.

Page 33

7. Mathematical Models in Developing

In compliance with the standards requirements of ISO/IEC 15288 there are developed:

- Model for enterprise environment development;
- Models of project development;
- Models of systems development in life cycle;
- Models of life cycle process development;
- Models of customer satisfaction in system life cycle and others.

The models may be applied for solving such system problems appearing in a system's life cycle as:

- substantiation of quantitative system requirements to hardware, software, users, staff, technologies;
- requirements analysis;
- evaluation of project engineering decisions and possible danger;
- detection of bottlenecks;
- investigation of problems concerning potential threats to system operation and information security;
- testing, verification and validation of system operation quality;
- rational optimization of system technological parameters;
- substantiation of plans, projects and directions for effective system utilization, improvement and development.

Page 34

Publications and Implementations

1994

1996

1999

2001-2003

Page 35

Applications

Summary: the presented models and software tools are the methodological and implementation foundation of customers, enterprises, certification bodies, test laboratories and experts in Russia. They support the Russian standard "GOST RV. Information technology. Set of standards for automated systems. The typical requirements and metrics of information systems operation quality. General principles". CEISOQ has already found wide application in Universities for education.

Page 36

Plan (Part 2)

1. Approach for Evaluating System Vulnerability in Conditions of Terrorist Threats. General Propositions

2. Modeling complex and software suites "VULNERABILITY"

3. Investigations after September 11
3.1 How effective has been the system of flights safety provision before September 11 (in Russia and the USA)?
3.2 How may the level of the existing safety be increased and by what measures?

4. Examples for a sea gas-and-oil producing system
4.1 Risk to become an object of terror
4.2 Risk of suspicious events non-detection and mistaken analytical conclusions
4.3 Risk of latent penetration and influence
4.4 Risk of protection barriers overcoming

Conclusion

Page 37

1.1 Approach for Evaluating System Vulnerability in Conditions of Terrorist Threats. General Propositions

General scheme of terrorist threats development:

1. Choice of a terrorist object
2. Search of system vulnerability
3. Preparation for terrorist acts
4. Latent or obvious actions concerning system vulnerability
5*. Formulation of requirements and threats
6. Realization of threats by means of system protection barriers overcoming
7.** Analysis of terrorist threats realization results

* There may be no clear requirements and threats (as it was on September 11, 2001). ** For a single terrorist act there may be no feedback as a result of the terrorist impact analysis.

Page 38

1.2 Approach for Evaluating System Vulnerability in Conditions of Terrorist Threats. General Propositions

Chain of logical dependences for an evaluation of a system vulnerability risk:

1. Risk to become an object of terror
2. Risk of suspicious events non-detection during admissible time
3. Risk of mistaken analytical conclusions during admissible time
4. Risk of dangerous influence on system during given period
5. Risk of protection barriers overcoming during given period

→ System vulnerability risk during given period

Page 39

2 Modeling complex and software suites "VULNERABILITY"

Rvulner, the integral system vulnerability during the given period tgiven (Psafety, the integral system safety during the given period tgiven), depends on:

- Pobject, the risk to become an object of terror;
- Rnon-det, the risk of suspicious events non-detection during admissible time;
- Rmist, the risk of mistaken analytical conclusions during admissible time;
- Rinfl, the risk of dangerous influence on the system during the given period;
- Rover, the risk of protection barriers overcoming during the given period.

Page 40

3.1 How effective has been the system of flights safety provision before September 11 (in Russia and the USA)?

System analysis. Barriers from the point of view of terrorists:

- the 1st barrier is pass and interobject modes in aerodromes and centers of air traffic control;
- the 2nd barrier is a preflight examination and control of passengers and their luggage during the registration;
- the 3rd barrier is a preflight examination before boarding;
- the 4th barrier is a lock-up door to the cockpit;
- the 5th barrier is an on-line warning about a hijacking.

[Figure: input in case of opposing inexperienced terrorists in Russia; the computation results.]

Page 41

3.1 How effective has been the system of flights safety provision before September 11? (computation results for trained terrorists)

[Figure: computation results in Russia and in the USA.]

Conclusion: in Russia and the USA the systems of flights safety existing before September 11 were ineffective against planned actions of prepared terrorists (protection in probability measure about 0.52-0.53). The bottlenecks were a weak protection of the cockpit and the absence of active opposing measures on board an airplane.

Page 42

3.2 How may the level of the existing safety be increased and by what measures?

The first measure consists in making the cockpit door a real barrier, insuperable for terrorists during a flight.

As soon as the cockpit door has become insuperable, the cockpit may be turned into a center of cabin security telemonitoring and control. This is the second measure. Thus pilots may get complete and valid information about the situation in the cabin in good time.

Terrorists who have revealed themselves are in standing positions; the others remain sitting. The first task of the defending side is to disable these threat subjects at least for a few minutes. Means and ways of non-lethal action are needed, i.e. ones which don't lead to a fatal end, because passengers may also be endangered. The third measure is the use of point means of non-lethal action on the revealed terrorists. Such means may be a soporific gas and/or short-period influences, for example dazzling (a terrorist is suddenly dazzled by a light beam), and/or deafening, and/or electro-shocking causing a temporary loss of consciousness. There should be several ways of influence, because one way may be easily neutralized (gas masks against gases, sunglasses against dazzling etc.). Thus the revealed terrorists may certainly be disabled.

As there may be accomplices in the cabin able to repeat the hijacking after additional preparation, there must be provided ways of compulsorily keeping suspicious passengers in their seats till the emergency landing. This is the fourth measure, which may again be provided by soporific actions, jammed belts etc.


3.2 How may the level of existing safety be increased, and by what measures? (computation results)

Result. Owing to active opposing measures undertaken on board an airliner, the probability of providing flight safety against terrorists may increase essentially, from 0.52-0.53 to 0.98-0.99.

Note: the first failures will make terrorists analyze their causes and look for new bottlenecks of the security system, thus continuing the counteraction.

Preventive actions should therefore be based on modeling.


4. Examples for a sea gas-and-oil producing system

Processes of possible terrorist influence and of system safety provision (platforms, coastal technological complexes including floating storage and offloading terminals, liquefied natural gas terminals, pipelines, tubing stations) are evaluated for various scenarios and conditions.


4.1 Risk to become an object of terror

Let the mean time of revealing information of interest by terrorists be two days, the mean time of delivering this information to the terrorist analytical center be no longer than 1 hour, and the mean time of making a decision about the system's attractiveness as a possible object of terror be about one month. It is assumed that information gathering does not obviously depend on changes of the system state, and the mean time between information updates in the terrorist analytical center is forecast at about 1 month.

Result: there is an objective danger and a high risk for sea gas-and-oil producing systems to become an object of terror.


4.2 Risk of suspicious events non-detection and mistaken analytical conclusions

Is it in principle possible to solve the problem of detecting suspicious events in time and of making correct conclusions from the gathered on-line information?

Results: The analysis carried out on the basis of the facts concerning FBI activity has shown that the risk of erroneous analytical conclusions and, as a consequence, of not undertaking countermeasures or undertaking inadequate ones is more than 0.998 (!!!).

Nowadays it is practically impossible to prevent the realization of terrorist acts aimed at any kinds of systems and objects. It is necessary to conduct profound, purposeful work (based on modeling) on the radical reduction of the risks of non-detection of suspicious events and of erroneous analytical conclusions.


4.3 Risk of latent penetration and influence

For existing safety systems the probability that dangerous influences (explosions of fuel-air mixture clouds, generation and burning of fireballs, oil spill and burning, separation and spread of parts of technological equipment, and others) do not occur within 24 hours is above 0.99997, i.e. the risk of an emergency is about 0.00003. Under daily failure danger the risk over a month rises to about 0.001. This high level of protection of the sea gas-and-oil producing system in emergencies is mainly provided by application of approved automatic safety technologies (!)

For similar conditions the risks of terrorist threat realization are incommensurably higher (within a month the risk runs up to 0.93). Owing to insufficient preparedness and technical equipment of operators for timely and valid recognition of terrorist threats against the background of the variety of other technical threats, sea gas-and-oil producing systems are today completely helpless in case of terrorist dangers (!!!)


4.4 Risk of protection barriers overcoming

In practice, protection from unauthorized access is a sequence of barriers; after successfully overcoming them a violator can get access to the system's resources. Such access is possible from a special command post when an automated workstation of the control service is used.

Barrier | Change frequency of the barrier parameter value | Mean time of barrier overcoming | Possible way of barrier overcoming
1. Protection by a patrol boat | Change of guards every 24 hours | 10 hours | Latent penetration from the air or under the water, fraud of guards
2. System of passes to the platform with a change of security services | Change of guards every 24 hours | 10 minutes | Falsification of documents, conspiracy, fraud
3. Electronic key to get to the GOPS control unit | 5 years (time between changes) | 1 week | Theft, forcible withdrawal of the key, conspiracy
4. Password to enter the automated GOPS system | 1 month | 10 days | Spying, compulsory questioning, conspiracy, guessing (selection) of a password
5. Password to get access to software devices | 1 month | 10 days | —
6. Password to get access to the required information | 1 month | 10 days | —
7. Registered external information carrier with write access | 1 year | 24 hours | Theft, forced registration, conspiracy
8. Confirmation of user identity during a session of work with the computer | 1 month | 24 hours | Spying, compulsory questioning, conspiracy
9. Telemonitoring of the helipad, drilling module, energy equipment, technological module, pipelines and equipment, rescue rooms and boats, etc. | Time between changes of software devices | 1 month | Simulation of a failure, faked video, dressing up as employees, conspiracy
10. Encoding of the most important information | Change of keys every month | 1 year | Decoding, conspiracy


1. The first three barriers are overcome with probability about 0.34. Using passwords changed once a month for the 4th, 5th and 6th barriers raises the protection level from 0.66 to 0.86.
2. Introduction of the 7th and 8th barriers is practically useless.
3. Use of telemonitoring means raises the protection of information resources from unauthorized access (UA) to 0.998, which still does not meet the stated requirements.
4. Only the use of all 10 barriers provides the required protection from UA with probability more than 0.9999, which practically excludes any risk of terrorist access to the information resources of the system control post and essentially reduces system vulnerability.
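The mean times in 4.1, the daily-to-monthly risk scaling in 4.3 and the barrier table in 4.4 can all be turned into numbers with one small model. The block below is an added example and is not the author's "Vulnerability" complex, whose model is not given on these slides. It assumes exponentially distributed stage and barrier-overcoming times, independent sequential barriers, and that a change of a barrier parameter (guard shift, password rotation, key change) resets the violator's progress on that barrier, so a barrier is won only if it is overcome within one change interval. Those assumptions are hypothetical, and the barrier figures they produce (first three barriers overcome with probability about 0.91, protection level about 0.94 with all listed barriers) do not reproduce the slide's 0.34 and 0.9999; the 4.3 scaling (0.00003 per day to about 0.0009 per month) does agree with the slide. Barrier 9 is left out because its change interval is not quantified on the page. The names HOUR, DAY, SLIDE_BARRIERS, hypoexp_cdf and the other functions are this example's own.

```python
"""Added example (not the author's "Vulnerability" complex): turning the
slide's mean times into risk figures under one explicit, simplified model.

Assumed (hypothetical, not stated on the slides):
  * every stage or barrier-overcoming time is exponentially distributed
    with the stated mean (memoryless effort);
  * a change of the barrier parameter resets the violator's progress, so a
    barrier is won only if the overcoming time is shorter than one change
    interval;
  * barriers are independent and overcome in sequence.
All times are in hours.
"""
import math
from typing import Sequence

HOUR, DAY, WEEK, MONTH, YEAR = 1.0, 24.0, 7 * 24.0, 30 * 24.0, 365 * 24.0


def hypoexp_cdf(mean_times: Sequence[float], t: float) -> float:
    """P(sum of independent exponential stages with the given means <= t).

    Closed form for pairwise distinct rates l_i = 1/mean_i:
        F(t) = 1 - sum_i [prod_{j != i} l_j / (l_j - l_i)] * exp(-l_i t)
    """
    if t <= 0:
        return 0.0
    rates = [1.0 / m for m in mean_times]
    if len(set(rates)) != len(rates):
        raise ValueError("closed form needs pairwise distinct stage rates")
    tail = 0.0
    for i, li in enumerate(rates):
        coef = 1.0
        for j, lj in enumerate(rates):
            if j != i:
                coef *= lj / (lj - li)
        tail += coef * math.exp(-li * t)
    return min(1.0, max(0.0, 1.0 - tail))


def risk_over_horizon(risk_per_period: float, periods: float) -> float:
    """Risk over `periods` independent periods, given the per-period risk."""
    return 1.0 - (1.0 - risk_per_period) ** periods


def barrier_overcome_prob(mean_overcome: float, change_interval: float) -> float:
    """Race between the violator's effort and the next parameter change."""
    return hypoexp_cdf([mean_overcome], change_interval)


def chain_overcome_prob(barriers) -> float:
    """Product over sequential, independent barriers (name, mean, change)."""
    p = 1.0
    for _name, mean_overcome, change_interval in barriers:
        p *= barrier_overcome_prob(mean_overcome, change_interval)
    return p


# Barriers 1-8 and 10 from the slide's table (barrier 9 omitted: its change
# interval "time between changes of software devices" is not quantified).
SLIDE_BARRIERS = [
    ("1 patrol boat", 10 * HOUR, DAY),
    ("2 passes to the platform", 10 / 60 * HOUR, DAY),
    ("3 electronic key to GOPS control unit", WEEK, 5 * YEAR),
    ("4 password to enter the automated GOPS system", 10 * DAY, MONTH),
    ("5 password for software devices", 10 * DAY, MONTH),
    ("6 password for the required information", 10 * DAY, MONTH),
    ("7 registered external carrier", DAY, YEAR),
    ("8 in-session identity confirmation", DAY, MONTH),
    ("10 encoding of the most important information", YEAR, MONTH),
]


def object_of_terror_risk(horizon: float = MONTH) -> float:
    """Section 4.1 chain: reveal (2 days) -> deliver (1 h) -> decide (1 month)."""
    return hypoexp_cdf([2 * DAY, HOUR, MONTH], horizon)


def main() -> None:
    print(f"4.1 risk of becoming an object of terror within a month: "
          f"{object_of_terror_risk():.3f}")
    # 4.3: the slide's daily risk 0.00003 scales to ~0.0009 (slide: ~0.001)
    print(f"4.3 emergency risk over 30 days: {risk_over_horizon(3e-5, 30):.5f}")
    for name, mean, change in SLIDE_BARRIERS:
        print(f"{name:48s} P(overcome) = {barrier_overcome_prob(mean, change):.4f}")
    first3 = chain_overcome_prob(SLIDE_BARRIERS[:3])
    all_listed = chain_overcome_prob(SLIDE_BARRIERS)
    print(f"first three barriers overcome: {first3:.3f} (slide: 0.34)")
    print(f"protection level with all listed barriers: {1 - all_listed:.4f} "
          f"(slide: >0.9999)")


if __name__ == "__main__":
    main()
```

The gap between this model and the slide's figures is itself the practitioner's point: the same table gives very different protection levels depending on whether a violator's progress survives a parameter change and whether barriers really are independent (the ways of overcoming them in the table, conspiracy above all, are shared), so the model behind any such figure has to be stated before the figure is used to justify a design.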

4.5 Summary result for sea gas-and-oil producing systems

CONCLUSION

Protection technologies against terrorist threats are imperfect and cannot be compensated by the approved existing safety technologies. The whole system and its components (firstly platforms, coastal complexes including floating storage and offloading terminals, liquefied natural gas terminals, pipelines, tubing stations) are in fact extremely vulnerable (!)

Engineering decisions concerning development of a protection system for preventing terrorist threats should be modeled, quantitatively evaluated and substantiated, taking into account potential scenarios of threat development, opportunities of protective barrier overcoming during possible acts of terrorism, etc. The offered complex "Vulnerability" is capable of system mathematical modeling, risk analysis and investigation of the effectiveness of protection measures.

A good beginning (based on modeling) is half the battle...