ENSURING INFORMATION SECURITY OF AUTOMATED CONTROL SYSTEMS AT CRITICAL INFRASTRUCTURE FACILITIES

Authors

DOI:

https://doi.org/10.28925/2663-4023.2026.32.1047

Keywords:

information security; automated control system; critical infrastructure; SCADA systems; cyber threats; risk assessment; network segmentation; industrial protocols.

Abstract

The article addresses the problem of ensuring information security of automated control systems at critical infrastructure facilities in Ukraine under conditions of increasing cyber threats, which grew by 87% globally and by 48% in Ukraine during 2024. The theoretical and regulatory foundations of critical infrastructure protection, classification of facilities, and current trends in cyber threats are analyzed. Both national and international cybersecurity legislation are examined. The procedure for establishing a comprehensive information security system in accordance with ISO standards is outlined. The international experience of the United States and EU countries in ensuring the security of critical systems is analyzed. An algorithm for determining the relevance of threats and a methodology for improving the level of information security based on five core functions—identify, protect, detect, respond, and recover—are developed. A SCADA system of the energy enterprise LLC “EnergoSystem,” which manages transformer substations with a capacity of 180 MVA, is analyzed. Critical vulnerabilities were identified, including the absence of network segmentation, unencrypted Modbus TCP/IP and IEC 60870-5-104 protocols, and weak authentication mechanisms. Risk assessment based on the NIST SP 800-82 methodology confirmed one critical and four high-level risks. Nine areas of recommendations were developed: network segmentation, cryptographic protection of communication channels, two-factor authentication, intrusion detection systems and SIEM monitoring, patch management, automation of backup processes, personnel training, development of security policies, and strengthening of physical protection. The economic feasibility of investments in the amount of UAH 4–6 million is substantiated, as a single day of downtime may result in losses exceeding UAH 50 million. The results have practical applicability for enterprises in the energy, transport, and defense sectors.

Published

2026-03-26

How to Cite

Ostapchuk, V., Osadcha, V., Kozachok, V., Strelnikov, V., & Bodnenko, D. (2026). ENSURING INFORMATION SECURITY OF AUTOMATED CONTROL SYSTEMS AT CRITICAL INFRASTRUCTURE FACILITIES. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 4(32), 855–864. https://doi.org/10.28925/2663-4023.2026.32.1047
