The practice of assessing IT-security risks at Critical Information Infrastructure (CII) facilities is considered. Three approaches are compared: Event Tree Analysis (ETA), Fault Tree Analysis (FTA), and the risk-management guidance of the international standard ISO/IEC 27005:2022. It is shown how the existing methodological requirements of the Russian Federation for the IT security of CII facilities can be supplemented with these methods of IT-security risk assessment. The methods are compared on the example of a water supply management system, and the selection of the list of protection measures needed to bring residual IT-security risk down to a given target level is justified. The results demonstrate that such methods can be applied to CII facilities alongside, rather than instead of, the existing methodological requirements of the Russian Federation.
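To make the FTA/ETA comparison concrete, the following is an added example written for this page; it is not the paper's model or data. It quantifies a small fault tree for an initiating event at a water supply control system, feeds the top-event probability into an event tree of barriers, computes an annual expected loss, and then re-evaluates after a set of protection measures to check the residual risk against a target. Every event name, probability, loss figure and measure is constructed for illustration, and the calculation assumes independent events (the usual simplifying assumption in basic FTA/ETA).

```python
"""Added example (not from the paper): FTA + ETA quantification for a
constructed water-supply control scenario. All numbers are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class BasicEvent:
    name: str
    p: float            # constructed annual probability, assumed independent


@dataclass
class Gate:
    kind: str           # "AND" or "OR"
    inputs: List["FTNode"]


FTNode = Union[BasicEvent, Gate]


def ft_prob(node: FTNode, overrides: Optional[Dict[str, float]] = None) -> float:
    """Top-event probability of a fault tree under independence.
    `overrides` maps a basic-event name to its probability after a measure."""
    overrides = overrides or {}
    if isinstance(node, BasicEvent):
        return overrides.get(node.name, node.p)
    ps = [ft_prob(i, overrides) for i in node.inputs]
    if node.kind == "AND":          # all inputs must occur
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":           # at least one input occurs
        none = 1.0
        for p in ps:
            none *= 1.0 - p
        return 1.0 - none
    raise ValueError(f"unknown gate kind {node.kind!r}")


@dataclass
class Outcome:
    name: str
    loss: float         # constructed loss per occurrence, arbitrary money units


@dataclass
class Barrier:
    name: str
    p_success: float    # probability the barrier stops the sequence
    on_success: "ETNode"
    on_failure: "ETNode"


ETNode = Union[Outcome, Barrier]


def et_outcomes(node: ETNode, p: float, overrides: Optional[Dict[str, float]] = None,
                acc: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Walk the event tree; return annual probability of each outcome given
    initiating-event probability p. `overrides` may change barrier success."""
    overrides = overrides or {}
    acc = {} if acc is None else acc
    if isinstance(node, Outcome):
        acc[node.name] = acc.get(node.name, 0.0) + p
        return acc
    ps = overrides.get(node.name, node.p_success)
    et_outcomes(node.on_success, p * ps, overrides, acc)
    et_outcomes(node.on_failure, p * (1.0 - ps), overrides, acc)
    return acc


# --- Fault tree: unauthorised change of a pump setpoint (constructed) ---
FAULT_TREE = Gate("OR", [
    Gate("AND", [BasicEvent("vpn_exposed", 0.5),      # remote access path
                 BasicEvent("cred_phished", 0.2),
                 BasicEvent("no_mfa", 1.0)]),
    BasicEvent("insider_misuse", 0.01),
    Gate("AND", [BasicEvent("usb_allowed", 0.3),      # removable-media path
                 BasicEvent("malware_on_media", 0.05)]),
])

# --- Event tree: barriers that act once the setpoint has been changed ---
CONTAINED = Outcome("contained", 1_000)
INTERRUPTION = Outcome("service_interruption", 50_000)
SEVERE = Outcome("pump_damage_supply_loss", 500_000)
interlock = Barrier("hardware_interlock", 0.8, INTERRUPTION, SEVERE)
operator = Barrier("operator_response", 0.9, CONTAINED, interlock)
EVENT_TREE = Barrier("monitoring_detects", 0.7, operator, interlock)
LOSSES = {o.name: o.loss for o in (CONTAINED, INTERRUPTION, SEVERE)}

# Protection measures expressed as changed probabilities (constructed).
MEASURES = {"no_mfa": 0.1, "usb_allowed": 0.05, "hardware_interlock": 0.95}


def evaluate(measures: Optional[Dict[str, float]] = None
             ) -> Tuple[float, Dict[str, float], float]:
    """Return (top-event probability, outcome distribution, expected annual loss)."""
    p_top = ft_prob(FAULT_TREE, measures)
    dist = et_outcomes(EVENT_TREE, p_top, measures)
    expected_loss = sum(dist[n] * LOSSES[n] for n in dist)
    return p_top, dist, expected_loss


def meets_target(measures: Dict[str, float], target_loss: float) -> bool:
    """True if residual expected annual loss with `measures` is within target."""
    return evaluate(measures)[2] <= target_loss


if __name__ == "__main__":
    for label, m in (("baseline", None), ("with measures", MEASURES)):
        p_top, dist, loss = evaluate(m)
        print(f"{label}: P(top)={p_top:.5f} expected loss={loss:.1f} {dist}")
    print("target met:", meets_target(MEASURES, 1_000))
```

The point of the combined calculation is the one the abstract makes: FTA gives the likelihood of the initiating event, ETA distributes that likelihood over consequences according to which barriers hold, and a protection measure can be justified by showing that changing the probability it affects brings the residual expected loss under the target level.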
Author: Ilya I. Livshitz.