DEVELOPMENT OF A METHOD FOR ANALYZING CYBERSECURITY RISKS USING THE EXAMPLE OF CRITICAL FACILITIES OF A TRANSPORT COMPANY
https://doi.org/10.53360/2788-7995-2025-3(19)-6
Abstract
This study describes a comprehensive methodology for analyzing cybersecurity risks in critical information systems of a transport company, with an emphasis on Supervisory Control And Data Acquisition (SCADA) systems, transport management platforms, and ticketing solutions. The proposed risk assessment approach complies with international standards and recommendations of the National Institute of Standards and Technology. The framework uses a multi-step process including asset identification, multi-criteria system criticality assessment, determination of system vulnerabilities, threat impact, threat likelihood assessment, risk assessment, countermeasure identification, and residual risk assessment. A case study involving a transportation operator demonstrates the effectiveness of the method by showing that SCADA systems, despite having a moderate attack probability, exhibit high risk levels due to severe operational impacts, while ticketing systems present lower risks but still require measures, such as monitoring, protection, and control. The results highlight the model’s ability to more accurately prioritize mitigation efforts than traditional methods by capturing subtle interactions between threat likelihood and impact. This approach not only addresses current infrastructure challenges but also adapts to emerging threats, making it a scalable solution for protecting critical systems.
About the Authors
A. Nurusheva
Kazakhstan
Assel Nurusheva – PhD, Acting Associate Professor of the Department of Information Security
010008, Republic of Kazakhstan, Astana, Satpayev Street, 2
D. Satybaldina
Kazakhstan
Dina Satybaldina – Associate Professor, Candidate of Physical and Mathematical Sciences, Director of the Research Institute of Information Security and Cryptology
010008, Republic of Kazakhstan, Astana, Satpayev Street, 2
A. K. Shaikhanova
Kazakhstan
Aigul Kairulaevna Shaikhanova – PhD, Professor of the Department of Information Security
010008, Republic of Kazakhstan, Astana, Satpayev Street, 2
A. Kussainov
Kazakhstan
Alnur Kussainov – PhD student of the Department of Information Security
010008, Republic of Kazakhstan, Astana, Satpayev Street, 2
For citations:
Nurusheva A., Satybaldina D., Shaikhanova A.K., Kussainov A. DEVELOPMENT OF A METHOD FOR ANALYZING CYBERSECURITY RISKS USING THE EXAMPLE OF CRITICAL FACILITIES OF A TRANSPORT COMPANY. Bulletin of Shakarim University. Technical Sciences. 2025;(3(19)):48-54. (In Russ.) https://doi.org/10.53360/2788-7995-2025-3(19)-6