<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">kaz44</journal-id><journal-title-group><journal-title xml:lang="ru">Вестник Университета Шакарима. Серия технические науки</journal-title><trans-title-group xml:lang="en"><trans-title>Bulletin of Shakarim University. Technical Sciences</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">2788-7995</issn><issn pub-type="epub">3006-0524</issn><publisher><publisher-name>«Шәкәрім университеті» КеАҚ</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.53360/2788-7995-2025-3(19)-6</article-id><article-id custom-type="elpub" pub-id-type="custom">kaz44-1991</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>АВТОМАТИЗАЦИЯ И ИНФОРМАЦИОННЫЕ ТЕХНОЛОГИИ (ОРИГИНАЛЬНАЯ СТАТЬЯ)</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>AUTOMATION AND INFORMATION TECHNOLOGY (ORIGINAL ARTICLE)</subject></subj-group></article-categories><title-group><article-title>РАЗРАБОТКА МЕТОДА АНАЛИЗА РИСКОВ КИБЕРБЕЗОПАСНОСТИ НА ПРИМЕРЕ КРИТИЧЕСКИ ВАЖНЫХ ОБЪЕКТОВ ТРАНСПОРТНОЙ КОМПАНИИ</article-title><trans-title-group xml:lang="en"><trans-title>DEVELOPMENT OF A METHOD FOR ANALYZING CYBERSECURITY RISKS USING THE EXAMPLE OF CRITICAL FACILITIES OF A TRANSPORT COMPANY</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0001-5407-7191</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Нурушева</surname><given-names>А. М.</given-names></name><name name-style="western" xml:lang="en"><surname>Nurusheva</surname><given-names>A.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Асель Муратовна Нурушева – PhD, и.о.доцента кафедры информационной безопасности</p><p> 010008, Республика Казахстан, г. Астана, ул. Сатпаева, 2 </p></bio><bio xml:lang="en"><p>Assel Nurusheva – PhD, Acting Associate Professor of the Department of Information Security</p><p>010008, Republic of Kazakhstan, Astana, Satpayev Street, 2</p></bio><email xlink:type="simple">asselnurusheva7@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-0291-4685</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Сатыбалдина</surname><given-names>Д. Ж.</given-names></name><name name-style="western" xml:lang="en"><surname>Satybaldina</surname><given-names>D.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Дина Жагыпаровна Сатыбалдина – ассоциированный профессор, кандидат физико-математических наук, директор Научно-исследовательского института информационной безопасности и криптологии</p><p>010008, Республика Казахстан, г. Астана, ул. Сатпаева, 2 </p></bio><bio xml:lang="en"><p>Dina Satybaldina – Associate Professor, Candidate of Physical and Mathematical Sciences, Director of the Research Institute of Information Security and Cryptology</p><p>010008, Republic of Kazakhstan, Astana, Satpayev Street, 2</p></bio><email xlink:type="simple">satybaldina_dzh@enu.kz</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0001-6006-4813</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Шайханова</surname><given-names>А. К.</given-names></name><name name-style="western" xml:lang="en"><surname>Shaikhanova</surname><given-names>A. K.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Айгуль Кайрулаевна Шайханова – PhD, профессор кафедры информационной безопасности</p><p>010008, Республика Казахстан, г. Астана, ул. Сатпаева, 2 </p></bio><bio xml:lang="en"><p>Aigul Kairulaevna Shaikhanova – PhD, Professor of the Department of Information Security</p><p>010008, Republic of Kazakhstan, Astana, Satpayev Street, 2</p></bio><email xlink:type="simple">aigul.shaikhanova@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0009-0003-1469-455X</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Кусаинов</surname><given-names>А. Р.</given-names></name><name name-style="western" xml:lang="en"><surname>Kussainov</surname><given-names>A.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Альнур Рамашевич Кусаинов – докторант кафедры информационной безопасности</p><p>010008, Республика Казахстан, г. Астана, ул. Сатпаева, 2 </p></bio><bio xml:lang="en"><p>Alnur Kussainov – PhD student of the Department of Information Security</p><p>010008, Republic of Kazakhstan, Astana, Satpayev Street, 2</p></bio><email xlink:type="simple">alnur97@mail.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru">Евразийский национальный университет имени Л.Н. Гумилева<country>Казахстан</country></aff><aff xml:lang="en">L.N. Gumilyov Eurasian National University <country>Kazakhstan</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2025</year></pub-date><pub-date pub-type="epub"><day>03</day><month>11</month><year>2025</year></pub-date><volume>0</volume><issue>3(19)</issue><fpage>48</fpage><lpage>54</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Нурушева А.М., Сатыбалдина Д.Ж., Шайханова А.К., Кусаинов А.Р., 2025</copyright-statement><copyright-year>2025</copyright-year><copyright-holder xml:lang="ru">Нурушева А.М., Сатыбалдина Д.Ж., Шайханова А.К., Кусаинов А.Р.</copyright-holder><copyright-holder xml:lang="en">Nurusheva A., Satybaldina D., Shaikhanova A.K., Kussainov A.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://tech.vestnik.shakarim.kz/jour/article/view/1991">https://tech.vestnik.shakarim.kz/jour/article/view/1991</self-uri><abstract><p>В этом исследовании описана комплексная методология анализа рисков кибербезопасности в критически важных информационных системах транспортной компании с упором на системы диспетчерского управления и сбора данных (Supervisory Control and Data Acquisition, SCADA-системы), платформы управления транспортом и решения по продаже билетов. Предложенный подход оценки рисков соответствует международным стандартам и рекомендациям Национального института стандартов и технологий. В структуре используется многоэтапный процесс, включая идентификацию объектов, оценку критичности систем на базе многокритериального метода, определение наличия уязвимостей в системе, влияния угроз, определение вериятности реализации угрозы, оценку риска, определение контрмер и оценка остаточного риска. Исследование случая с участием транспортного оператора демонстрирует эффективность метода, показывая, что SCADA-системы, несмотря на умеренную вероятность атаки, демонстрируют высокие уровни риска из-за серьезных эксплуатационных воздействий, в то время как системы продажи билетов представляют меньшие риски, но все же требуют принятия мер, в частности мониторинга, защиты и контроля. Результаты подчеркивают способность модели более точно расставлять приоритеты в усилиях по смягчению последствий, чем традиционные методы, фиксируя тонкие взаимодействия между вероятностью угрозы и последствиями. Этот подход не только решает текущие проблемы инфраструктуры, но и адаптируется к возникающим угрозам, что делает его масштабируемым решением для защиты критически важных систем.</p></abstract><trans-abstract xml:lang="en"><p>This study describes a comprehensive methodology for analyzing cybersecurity risks in critical information systems of a transport company, with an emphasis on Supervisory Control And Data Acquisition (SCADA) systems, transport management platforms, and ticketing solutions. The proposed risk assessment approach complies with international standards and recommendations of the National Institute of Standards and Technology. The framework uses a multi-step process including asset identification, multi-criteria system criticality assessment, determination of system vulnerabilities, threat impact, threat likelihood assessment, risk assessment, countermeasure identification, and residual risk assessment. A case study involving a transportation operator demonstrates the effectiveness of the method by showing that SCADA systems, despite having a moderate attack probability, exhibit high risk levels due to severe operational impacts, while ticketing systems present lower risks but still require measures, such as monitoring, protection, and control. The results highlight the model’s ability to more accurately prioritize mitigation efforts than traditional methods by capturing subtle interactions between threat likelihood and impact. This approach not only addresses current infrastructure challenges but also adapts to emerging threats, making it a scalable solution for protecting critical systems.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>риск</kwd><kwd>информационная безопасность</kwd><kwd>уязвимость</kwd><kwd>угроза</kwd><kwd>кибербезопасность</kwd><kwd>транспортная компания</kwd></kwd-group><kwd-group xml:lang="en"><kwd>risk</kwd><kwd>information security</kwd><kwd>vulnerability</kwd><kwd>threat</kwd><kwd>cybersecurity</kwd><kwd>transportation company</kwd></kwd-group><funding-group xml:lang="ru"><funding-statement>Работа выполнена в рамках проекта гранатового финансирования Комитета науки Министерства науки и высшего образования Республики Казахстан AP19175746 «Разработка программного инструментария для оценки рисков кибербезопасности систем критической инфраструктуры».</funding-statement></funding-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Alanazi M. SCADA vulnerabilities and attacks: A review of the state‐of‐the‐art and open issues / M. Alanazi, A. Mahmood, M.J.M. Chowdhury // Computers &amp; Security. – 2023. – Vol. 125.</mixed-citation><mixed-citation xml:lang="en">Alanazi M. SCADA vulnerabilities and attacks: A review of the state‐of‐the‐art and open issues / M. Alanazi, A. Mahmood, M.J.M. Chowdhury // Computers &amp; Security. – 2023. – Vol. 125.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Information Security and Privacy in Railway Transportation: A Systematic Review / P. López-Aguilar et al // Sensors. – 2022. – № 22. – Р. 7698. https://doi.org/10.3390/s22207698.</mixed-citation><mixed-citation xml:lang="en">Information Security and Privacy in Railway Transportation: A Systematic Review / P. LópezAguilar et al // Sensors. – 2022. – № 22. – Р. 7698. https://doi.org/10.3390/s22207698.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Badawi H. Cyber Security Challenges in the Transportation Industry: A Comprehensive Analysis and Recommendations / H. Badawi // Journal of Management and Training for Industries. – 2024. – № 11(2). – Р. 16-41.</mixed-citation><mixed-citation xml:lang="en">Badawi H. Cyber Security Challenges in the Transportation Industry: A Comprehensive Analysis and Recommendations / H. Badawi // Journal of Management and Training for Industries. – 2024. – № 11(2). – Р. 16-41.</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Kalinin M. Cybersecurity Risk Assessment in Smart City Infrastructures / M. Kalinin, V. Krundyshev, P. Zegzhda // Machines. – 2021. – № 9. – Р. 78. https://doi.org/10.3390/machines9040078.</mixed-citation><mixed-citation xml:lang="en">Kalinin M. Cybersecurity Risk Assessment in Smart City Infrastructures / M. Kalinin, V. Krundyshev, P. Zegzhda // Machines. – 2021. – № 9. – Р. 78. https://doi.org/10.3390/machines9040078.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Cybersecurity Risk Assessments within Critical Infrastructure Social Networks / А. Aktayeva et al // Data. – 2023. – № 8. – Р. 156. https://doi.org/10.3390/data8100156.</mixed-citation><mixed-citation xml:lang="en">Cybersecurity Risk Assessments within Critical Infrastructure Social Networks / А. Aktayeva et al // Data. – 2023. – № 8. – Р. 156. https://doi.org/10.3390/data8100156.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Fuzzy Logic and Its Application in the Assessment of Information Security Risk of Industrial Internet of Things / S. Kerimkhulle et al // Symmetry. – 2023. – № 15. – Р. 1958. https://doi.org/10.3390/sym15101958.</mixed-citation><mixed-citation xml:lang="en">Fuzzy Logic and Its Application in the Assessment of Information Security Risk of Industrial Internet of Things / S. Kerimkhulle et al // Symmetry. – 2023. – № 15. – Р. 1958. https://doi.org/10.3390/sym15101958.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Cheimonidis P. A Dynamic Risk Assessment and Mitigation Model / P. Cheimonidis, K. Rantos // Appl. Sci. – 2025. – № 15. – Р. 2171. https://doi.org/10.3390/app15042171.</mixed-citation><mixed-citation xml:lang="en">Cheimonidis P. A Dynamic Risk Assessment and Mitigation Model / P. Cheimonidis, K. Rantos // Appl. Sci. – 2025. – № 15. – Р. 2171. https://doi.org/10.3390/app15042171.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Merola F. A Risk Assessment Framework Based on Fuzzy Logic for Automotive Systems / F. Merola, C. Bernardeschi, G. Lami // Safety. – 2024. – № 10(2). – Р. 41. https://doi.org/10.3390/safety10020041.</mixed-citation><mixed-citation xml:lang="en">Merola F. A Risk Assessment Framework Based on Fuzzy Logic for Automotive Systems / F. Merola, C. Bernardeschi, G. Lami // Safety. – 2024. – № 10(2). – Р. 41. https://doi.org/10.3390/safety10020041.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Saaty T.L. The Analytic Hierarchy Process / T.L. Saaty // The Journal of the Operational Research Society. – 1980. – Vol. 41 Issue 11. – Р. 1073-1076.</mixed-citation><mixed-citation xml:lang="en">Saaty T.L. The Analytic Hierarchy Process / T.L. Saaty // The Journal of the Operational Research Society. – 1980. – Vol. 41 Issue 11. – Р. 1073-1076.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Zadeh L.A. Fuzzy sets / L.A. Zadeh // Information and Control. – 1965. – № 8(3). – Р. 338-353.</mixed-citation><mixed-citation xml:lang="en">Zadeh L.A. Fuzzy sets / L.A. Zadeh // Information and Control. – 1965. – № 8(3). – Р. 338-353</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
