
Jolahn VAUDEY

Tuesday, October 14, 2025

Reconfiguration of industrial control systems in response to cyberattacks

Abstract 
 
Industrial Control Systems (ICS) are a prime target for cyberattackers nowadays. This rising volume of attacks can be explained by several factors specific to ICS, be it their economic criticality or the introduction of IT (Information Technologies) vulnerabilities as they become increasingly connected. In turn, the development of innovative defense techniques has become a necessity, both to detect intrusions and to limit the damage they may cause. While research in intrusion detection systems (IDS) is a very active field, reaction to detected attacks is comparatively more niche.
    
In this PhD, we present a novel defense mechanism against intrusions, implemented as a reactive loop. This entails two main contributions.
    
First, we leverage the IEC 62443 series of standards, and specifically the Zone/Conduit model they recommend for the development of ICS. As there are no pre-existing formalisms to describe these systems within the literature, we developed a domain-specific modeling language (DSML) to do so. The Zone/Conduit layout's adaptation is discussed, addressing each element of the model, the corresponding grammar, and necessary verifications to run on the abstract syntax tree to meet the standard's requirements. The associated textual and graphical editors are also presented. 
    
Afterwards, leveraging this new ICS description format, the reactive loop itself is implemented. It is started whenever a device in the system is detected as compromised. This device is first isolated from other components in the network. Then, the reconfiguration controller tries to find a new configuration, migrating applications that were executed on the compromised device to other parts of the system. These new configurations aim to maximize the system's availability. Several implementations are presented for this controller. Some solve optimization problems online to find the new configurations, leveraging either integer linear programming (ILP) or constraint programming (CP). Other approaches include pre-solving these optimization problems to decrease reaction time, and the use of a heuristic approach executed in fixed time. Other parts of the reactive loop are presented, such as the automatic instrumentation of industrial programs to allow for reconfiguration; the associated creation of backup managers, allowing for execution context transfers; and the reconfiguration of firewall filter rules to enable the new dataflows that appear following the migration of applications.

This reconfiguration mechanism is first evaluated on a physical, small-scale plant: a Fischertechnik training factory controlled by industrial hardware. This installation allows us to validate our approach on a concrete use case, which is, however, not large enough to evaluate some parts of the reconfiguration process properly. To this end, synthetic ICS models of various sizes and characteristics are created, in particular to check the evolution of the reaction time as the system size scales. The observed results demonstrate the speed of the reconfiguration mechanism on our concrete use case, enabling the system to remain under control as devices are compromised. Large-scale synthetic problems result in resolution times that are too long, preventing real-time reaction. This then motivates the use of heuristic methods or pre-calculated controllers.
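
The three steps of the reactive loop described above (isolate the compromised device, migrate its applications, open the firewall for the resulting dataflows) can be sketched with a greedy single-pass heuristic. This is an added example, not the thesis's controller or DSML: the data model (capacity, load, criticality), the same-zone preference, the rule tuples and all device, application and port values are assumptions constructed for illustration.

```python
# Constructed sample plant: names, zones, loads and ports are illustrative only.
DEVICES = {
    "plc1": {"zone": "cell", "capacity": 10, "apps": ["conveyor", "oven"]},
    "plc2": {"zone": "cell", "capacity": 10, "apps": ["sorter"]},
    "plc3": {"zone": "supervision", "capacity": 10, "apps": ["hmi"]},
}
APPS = {"conveyor": {"load": 4, "crit": 3}, "oven": {"load": 5, "crit": 2},
        "sorter": {"load": 4, "crit": 1}, "hmi": {"load": 2, "crit": 1}}
FLOWS = [("hmi", "conveyor", 502), ("oven", "sorter", 4840), ("hmi", "sorter", 502)]


def reconfigure(devices, apps, flows, compromised):
    """Isolate `compromised`, re-host its applications, derive firewall rules.

    Returns (placement, dropped, rules); the inputs are not modified.
    """
    healthy = {n: d for n, d in devices.items() if n != compromised}
    spare = {n: d["capacity"] - sum(apps[a]["load"] for a in d["apps"])
             for n, d in healthy.items()}
    home_zone = devices[compromised]["zone"]
    placement, dropped = {}, []
    # Most critical applications first, so they get the remaining capacity.
    for app in sorted(devices[compromised]["apps"], key=lambda a: -apps[a]["crit"]):
        fits = [n for n in healthy if spare[n] >= apps[app]["load"]]
        if not fits:
            dropped.append(app)  # no capacity left: availability is degraded
            continue
        # Prefer the original zone (no new inter-zone flow), then most spare capacity.
        target = max(fits, key=lambda n: (healthy[n]["zone"] == home_zone, spare[n], n))
        spare[target] -= apps[app]["load"]
        placement[app] = target
    # Host of every application that is still running after the migration.
    host = {a: n for n, d in healthy.items() for a in d["apps"]}
    host.update(placement)
    rules = [("deny", compromised, "any", "any")]  # isolation comes first
    for src, dst, port in flows:
        moved = src in placement or dst in placement
        if moved and src in host and dst in host and host[src] != host[dst]:
            rules.append(("allow", host[src], host[dst], port))
    return placement, dropped, rules


if __name__ == "__main__":
    placement, dropped, rules = reconfigure(DEVICES, APPS, FLOWS, "plc1")
    print(placement, dropped, *rules, sep="\n")
```

Applications that end up in `dropped` are the ones a greedy pass cannot place; deciding such cases optimally is where the ILP or CP formulations mentioned in the abstract would apply.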

Date and place

Tuesday, October 14 at 10:00
Amphithéâtre Bergès, GreEn-ER, 21 Avenue des Martyrs
and Zoom

Jury members

STEPHANE MOCANU
Thesis supervisor
GUILLAUME DOYEN
Reviewer
JERÔME FRANÇOIS
Reviewer
LUDOVIC MÉ
Examiner
NOËL DE PALMA
Examiner
HERVE DEBAR
Examiner

Submitted on October 3, 2025

Updated on October 3, 2025