Modernization of the Information Protection System of Critical Infrastructure Facilities in the Metallurgical Industry

The article examines an approach to modernizing the security system of an automated process control system (APCS) at a critical information infrastructure (CII) facility of a metallurgical enterprise. The study aims to justify the necessity of modernization even with a high level of existing protection, particularly in the context of implementing new regulatory requirements. The research utilizes input data including threat models, network topology, facility architecture and its protection systems, as well as results of compliance assessments with FSTEC Russia regulatory documents. The methodology employs system analysis, incorporating the "zones and conduits" concept, expert assessment methods, vulnerability scanning tools, and comparisons with real-world cases from related studies, including industrial modernization experience at similar facilities. Key findings include the identification of specific vulnerabilities such as outdated operating systems, lack of access control systems, and insufficient monitoring. Several modernization directions were developed: enhancing control over privileged user actions, implementing logging tools for privileged sessions and users, and segmenting vulnerable network segments that cannot be taken offline due to technological process requirements. The work integrates theoretical foundations, audit results, practical constraints and regulatory frameworks, demonstrating a comprehensive information security process from diagnostics to architectural transformation. The conclusions can be applied to similar industrial facilities with standard infrastructure and industry-specific characteristics. The presented results confirm the relevance of modernization as a strategic process for sustainable CII security management.