Cyber-attacks on critical infrastructure such as electricity, gas, and water distribution, or power plants, are more and more considered to be a relevant and realistic threat to the European society.
Whereas mature solutions like anti-malware applications, intrusion detection systems (IDS) and even intrusion prevention or self-healing systems have been designed for classic computer systems, these techniques have only been partially adapted to the world of Industrial Control Systems (ICS).
This is most notably due to the fact that these industrial systems have been deployed several decades ago, when security was not such a big issue, and have not been replaced since. As a consequence, organizations and nations fall back upon risk management to understand the risks that they are facing. Today’s trend is to combine risk management with real-time monitoring to enable prompt reactions in case of attacks. This thesis aims at providing techniques that assist security managers in migrating from a static risk analysis to a real-time and dynamic risk monitoring platform.
Risk monitoring encompasses three steps, each being addressed in detail in this thesis: the collection of risk-related information, the reporting of security events, and finally the inclusion of this real-time information into a risk analysis. The first step consists in designing agents that detect incidents in the system. They can either interpret the output of existing security appliances (such as firewalls), or monitor (part of) the system on their own. In this thesis, an intrusion detection system is developed to this end, which focuses on an advanced persistent threat (APT) that particularly targets critical infrastructures.
The second step copes with the translation of the obtained technical information in more abstract notions of risk, which can then be used in the context of a risk analysis. In the final step, the information collected from the various sources is correlated so as to obtain the risk faced by the entire system.
A novel dependency model ties all parts together and thus constitutes the core of the risk monitoring framework developed in this thesis. The model is loosely based on attack trees, and can be intuitively visualized with boxes and arrows. Despite its visual simplicity, it allows risk assessors to encode the interdependencies of complex risk scenarios, and to quantify the risk originating from the former. While calculations in the model are computationally infeasible, this thesis presents a novel algorithm that provides approximative values for the risk in a very efficient way. The said algorithm opens an entire spectrum of possibilities for computing dynamic risk, which was not possible before.
Members of the defense committee:
- Dr. Jacques Klein, Université du Luxembourg, Chairman
- A-Prof. Dr. Romaric Ludinard, IMT Atlantique, Deputy Chairman
- A-Prof. Dr. Valérie Viet Triem Tong, Centrale Supelec, Member
- Prof. Dr. Jean-Marie Flaus, Université Grenoble Alpes, Member
- Prof. Dr. Jean-Marie Bonnin, IMT Atlantique, Member
- Prof. Dr. Yves Le Traon, Université du Luxembourg, Member