Regulation of Cybersecurity of Ukraine's Critical Infrastructure: Legal Aspects and Standards of Sustainable Protection
Abstract
This article addresses the regulatory and legal frameworks for protecting critical infrastructure facilities and civilian objects during armed conflicts, which is a key aspect of national stability and the survival of the state in the face of hybrid threats. The purpose of the study is to analyze the regulation of cybersecurity in relation to the country's critical infrastructure to ensure sustainable protection. The study employs comparative analysis of foreign cybersecurity regulations, such as NIST and ISO standards, and examines their adaptation to the conditions in Ukraine. Additionally, the study utilizes financial analysis methods, including assessments of budgetary expenditures on cybersecurity in Ukraine, as well as international aid and grants. The research established that thousands of infrastructure facilities, including networks for water, heat, gas, and electricity supply, as well as water and drainage systems, have been damaged or destroyed during the hostilities. Social and cultural infrastructure, such as schools, kindergartens, healthcare facilities, and cultural and historical monuments, has also been affected. The study highlights the key problems and obstacles within the existing cybersecurity legislation and examines international cybersecurity standards for their adaptation to the Ukrainian context. It also analyzes the coordination among various state institutions, including the Security Service of Ukraine (SBU), the State Service of Special Communications, and the Ministry of Digital Transformation. The results indicate an urgent need to improve the regulatory and legal framework for cybersecurity, enhance coordination between state bodies and the private sector, and integrate international experience and standards.
This work is licensed under a Creative Commons Attribution 4.0 International License.