Mitigation and Incident Management methodologies for Critical Infrastructure protection
2019
Abstract
The research in the field of developing innovative cybersecurity techniques for the protection of critical infrastructures covers methodologies that must pursue objectives in three main phases: Prevention, Detection, and Reaction. In particular, this thesis describes the study, design and implementation of solutions for the Detection and Reaction phases of Critical Infrastructure Protection, with a special focus on the Mitigation and Incident Management methodologies of reaction. Nowadays, the protection of a critical infrastructure must cover both the physical and the cyber realm. We propose novel solutions for the latter, while taking into account the necessary interactions between the two. After an introduction to and definition of critical infrastructure, the research opens with a critical analysis of the state of the art and proposes new models for integrating existing technologies under the conditions that result from the intrinsically distributed and heterogeneous nature of most critical infrastructures. The tools initially described as a reference are the basis used to bring the reasoning towards the experimental context and then to the innovations proposed in the detection, prevention and reaction phases. Subsequently, the Detection issues are presented through anomaly detection solutions applied to an Intrusion Detection System (IDS) supported by a novel network architecture. This architecture is based on the Software Defined Networking (SDN) paradigm and was tested in a real critical infrastructure, a ground base station. During the practical experimentation and the implementation of the prototypes, limitations and trade-offs in applying cybersecurity technologies to critical infrastructures were highlighted.
Original solutions for the Mitigation phase are proposed in the form of an innovative HoneyNet that integrates a virtualized decoy system with accurate fingerprinting of the attackers. Experimentation on the Mitigation phase was also conducted on the network of the critical infrastructure, a ground base station for satellite communications. The observations resulting from the research on the Detection and Mitigation phases led to original solutions for accurate fingerprinting of the attackers by means of an innovative HoneyNet integrating a virtualized decoy system. The idea is to force each attacker to interact with their own synthetic system, thus improving on existing solutions that are based on stateless representations of the decoy system. Our approach enables a stateful honeypot able to recognize multiple intrusions by the same adversary. Incident Management is one of the most important topics in critical infrastructure protection. The main research results in this field presented here focus on components of critical transport systems and have been published in papers, international technical reports, surveys, and relevant juridical reports. Serious structural problems in state-of-the-art forensic devices were evidenced by two case studies and led to the description of novel solutions that exploit cryptographic technologies.
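As an added illustration of the stateful-decoy idea described in the abstract (this is example code written for this page, not the thesis's own design or implementation), the following Python model assigns each attacker a fingerprint computed from client attributes other than the source address, and uses that fingerprint as the key to a persistent, per-attacker decoy environment. A returning adversary is therefore recognised even from a new IP and continues in the synthetic system they previously modified, which is what a stateless decoy cannot do; a stateless baseline is included for contrast. The fingerprint attribute set (TTL, TCP window, client banner), the tiny command set, and the sample events are all constructed assumptions for the example.

```python
"""Illustrative stateful honeynet: one persistent decoy per attacker fingerprint.
Example code for this page; the fingerprint fields and command set are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample events, as a honeypot listener might record them:
# (session_id, source_ip, ip_ttl, tcp_window, client_banner, command)
SAMPLE_EVENTS = [
    ("s1", "203.0.113.10", 64, 29200, "SSH-2.0-libssh_0.9.6", "ls"),
    ("s1", "203.0.113.10", 64, 29200, "SSH-2.0-libssh_0.9.6", "touch x.sh"),
    ("s2", "198.51.100.7", 128, 65535, "SSH-2.0-PuTTY_Release_0.76", "ls"),
    # same client attributes as s1 but a different source IP: same adversary returning
    ("s3", "203.0.113.99", 64, 29200, "SSH-2.0-libssh_0.9.6", "ls"),
]


def fingerprint(ttl: int, window: int, banner: str) -> str:
    """Hash of client attributes that stay stable across an attacker's sessions
    and are harder to vary than the source address (assumed attribute set)."""
    return hashlib.sha256(f"{ttl}|{window}|{banner}".encode()).hexdigest()[:16]


@dataclass
class DecoyState:
    """Per-attacker synthetic filesystem plus a record of what they did in it."""
    visits: int = 0
    files: List[str] = field(default_factory=lambda: ["notes.txt"])
    history: List[str] = field(default_factory=list)

    def run(self, command: str) -> str:
        """Emulate a minimal shell; the response is what the attacker sees."""
        self.history.append(command)
        if command == "ls":
            return " ".join(sorted(self.files))
        if command.startswith("touch "):
            name = command.split(" ", 1)[1]
            if name not in self.files:
                self.files.append(name)
            return ""
        return f"sh: {command.split()[0]}: command not found"


class StatefulHoneynet:
    """Binds every new session to the decoy owned by the session's fingerprint."""

    def __init__(self) -> None:
        self._decoys: Dict[str, DecoyState] = {}
        self._session_fp: Dict[str, str] = {}

    def handle(self, event) -> Tuple[str, int, str]:
        """Returns (fingerprint, visit number of this adversary, shell response)."""
        session_id, _src_ip, ttl, window, banner, command = event
        fp = fingerprint(ttl, window, banner)
        if session_id not in self._session_fp:
            # New connection: attach it to the attacker's decoy, creating one on first sight.
            self._session_fp[session_id] = fp
            self._decoys.setdefault(fp, DecoyState()).visits += 1
        decoy = self._decoys[fp]
        return fp, decoy.visits, decoy.run(command)


class StatelessHoneypot:
    """Baseline: every command runs against a fresh decoy, so nothing persists."""

    def handle(self, event) -> Tuple[str, int, str]:
        _, _, ttl, window, banner, command = event
        return fingerprint(ttl, window, banner), 1, DecoyState().run(command)


def replay(honeypot, events=SAMPLE_EVENTS) -> List[Tuple[str, int, str]]:
    """Feed the event stream through a honeypot and collect its responses."""
    return [honeypot.handle(e) for e in events]


if __name__ == "__main__":
    for fp, visit, reply in replay(StatefulHoneynet()):
        print(f"{fp} visit={visit} -> {reply!r}")
```

In the stateful replay, session s3 shares s1's fingerprint despite its different source address, is counted as that adversary's second visit, and its `ls` shows the `x.sh` file created during s1; the stateless baseline shows only the pristine decoy every time. In a real deployment the fingerprint would draw on many more attributes and the decoy would be a virtualized system rather than a dictionary, but the keying principle is the same.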
File | Size | Format | |
---|---|---|---|
Doctoral_Thesis_18.pdf (open access; Type: Other attached material) | 4.46 MB | Adobe PDF | View/Open |
PhD_Report_Alessandro_CANTELLI_FORTI_thesys.pdf (open access; Type: Other attached material) | 135.83 kB | Adobe PDF | View/Open |
Summary_ENG_ITA.pdf (open access; Type: Other attached material) | 94.09 kB | Adobe PDF | View/Open |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14242/132283
URN:NBN:IT:UNIPI-132283