IMPROVEMENT OF THE SECURITY POLICY OF INFORMATION SYSTEMS OF CRITICAL INFRASTRUCTURE OBJECTS OF UKRAINE BASED ON THE ZERO TRUST CONCEPT
DOI: 10.31673/2412-4338.2025.038702
Abstract
The paper addresses the improvement of security policy for information systems of Ukraine’s critical infrastructure (CI) amid digitalization and hybrid warfare. It substantiates a shift from perimeter-centric models to the Zero Trust architecture, in which every access request is continuously validated by context. We propose an integrated methodology that combines attribute-based access control (ABAC), PKI-based cryptographic key management, threshold secret sharing, network micro-segmentation, and continuous monitoring. A threat-informed model is developed for representative CI systems (SCADA/ICS, ERP, SIEM/SOC, situational awareness platforms, and eHealth), covering external and insider attack scenarios. The security policy is formalized through three interlinked components: (1) an attribute- and context-driven access decision function; (2) threshold control of secrets for critical operations; and (3) real-time risk scoring of access requests. We show alignment with international and national requirements (ISO/IEC 27001:2023, IEC 62443, NIS2, NIST SP 800-207/800-207A, national TZI rules), which streamlines auditing and practical deployment in Ukrainian environments. The contribution’s novelty lies in coupling ABAC with PKI/threshold cryptography as “cryptographic trust markers” together with dynamic micro-segmentation, thereby minimizing privileges, preventing lateral movement, and increasing resilience to account compromise and supply-chain abuse. Practical value is demonstrated by the target policy architecture and application scenarios in energy, transport, and healthcare. The results can underpin governmental and sectoral guidance, harmonize CI cyber defence with European standards, and inform a national roadmap for transitioning to Zero Trust across public and corporate systems in Ukraine.
Keywords: critical infrastructure, information security, Zero Trust, cryptographic keys, secret sharing, access management, cyber resilience.
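As an added illustration (not code from the paper or its authors), the following Python sketch shows how the three policy components named in the abstract fit together: an attribute- and context-driven access decision, a risk score computed from request context, and a threshold (t-of-n) secret-sharing gate for critical operations, using Shamir's scheme over a prime field. The attribute names, risk weights, thresholds and sample requests are assumptions constructed for the example, not values from the paper.

```python
"""Zero Trust policy sketch: ABAC decision + context risk scoring + threshold
secret sharing for critical operations. Constructed example; attribute names,
weights, thresholds and the prime field are assumptions, not the paper's."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Prime field for Shamir sharing: 2**127 - 1 (a Mersenne prime). Assumption.
PRIME = 2**127 - 1


def split_secret(secret: int, n: int, t: int) -> list[tuple[int, int]]:
    """Split `secret` into n shares so that any t of them reconstruct it."""
    assert 0 < t <= n and 0 <= secret < PRIME
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


@dataclass
class AccessRequest:
    subject: dict   # e.g. role, clearance level, whether MFA was completed
    resource: dict  # e.g. sensitivity level, network segment, allowed roles
    context: dict   # e.g. hour of day, device posture, source segment, failures


def risk_score(req: AccessRequest) -> int:
    """Additive risk score from request context (weights are assumptions)."""
    ctx = req.context
    score = 0
    if not ctx.get("device_managed", False):
        score += 40                      # unmanaged endpoint
    hour = ctx.get("hour", 12)
    if hour < 6 or hour > 20:
        score += 20                      # off-hours access
    if ctx.get("segment") != req.resource.get("segment"):
        score += 30                      # crosses a micro-segment boundary
    score += min(ctx.get("failed_logins", 0), 5) * 10
    return score


def decide(req: AccessRequest) -> str:
    """ABAC rule check first, then risk-based outcome: allow/step-up/deny."""
    if req.subject.get("clearance", 0) < req.resource.get("sensitivity", 0):
        return "deny"
    if req.subject.get("role") not in req.resource.get("allowed_roles", ()):
        return "deny"
    score = risk_score(req)
    if score >= 60:
        return "deny"
    if score >= 30:
        return "allow" if req.subject.get("mfa") else "step-up"
    return "allow"


def unlock_critical_operation(req: AccessRequest,
                              shares: list[tuple[int, int]],
                              t: int) -> int | None:
    """Release the operation key only if the access decision is 'allow' AND
    at least t custodians have presented their shares (threshold control)."""
    if decide(req) != "allow" or len(shares) < t:
        return None
    return reconstruct_secret(shares[:t])


# Constructed sample data for a SCADA-like resource.
SCADA = {"sensitivity": 2, "segment": "ot-scada",
         "allowed_roles": ("operator", "engineer")}
OPERATOR = {"role": "operator", "clearance": 2, "mfa": True}

REQ_NORMAL = AccessRequest(OPERATOR, SCADA, {"hour": 14, "device_managed": True,
                                             "segment": "ot-scada"})
REQ_RISKY = AccessRequest(OPERATOR, SCADA, {"hour": 14, "device_managed": False,
                                            "segment": "corp-it"})
REQ_STEPUP = AccessRequest({**OPERATOR, "mfa": False}, SCADA,
                           {"hour": 23, "device_managed": True,
                            "segment": "ot-scada", "failed_logins": 1})
```

`REQ_NORMAL` passes the attribute rules with a risk score of 0 and is allowed; `REQ_RISKY` comes from an unmanaged device in another segment (score 70) and is denied even though the subject's attributes are sufficient; `REQ_STEPUP` is off-hours with one failed login (score 30) and, lacking MFA, is sent for step-up authentication. A critical operation additionally requires a quorum of share holders, so a single compromised account holding one share cannot release the key.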