The student Xabier Etxezarreta Argarate obtained an EXCELLENT CUM LAUDE grade with the International Doctorate mention
- Thesis title: Software-Defined Networking Approaches for Intrusion Response in Industrial Control Systems
Examination committee:
- Chair: Per Magnus Almgren (Chalmers University of Technology)
- Member: Roberto Magán Carrión (Universidad de Granada)
- Member: Cristina Alcaraz Tello (Universidad de Málaga)
- Member: Jon Matías Fraile (Keynetic Technologies)
- Secretary: Urko Zurutuza Ortega (Mondragon Unibertsitatea)
Abstract:
Since the introduction of the first Programmable Logic Controllers (PLCs) in the 1960s, Industrial Control Systems (ICSs) have evolved vastly. From the primitive isolated setups, ICSs have progressively become more interconnected, forming the complex networked environments known today as industrial networks. These systems are responsible for a wide range of physical processes, including those belonging to Critical Infrastructures (CIs). As a result, securing industrial networks is critical to the well-being of modern societies.
Traditional network architectures pose significant challenges in securing industrial networks for several reasons. Firstly, they exhibit limited automation, relying heavily on manual configuration processes that are slow to adapt and prone to human error, which hinders dynamic security adjustments in ICS environments. Secondly, these architectures employ device-centric management, leading to intricate configurations and restricted visibility across the entire network, which complicates the identification and isolation of security threats. Thirdly, they lack centralized control: the control plane and data plane are tightly coupled within network devices, which impedes a holistic security posture and makes it complex to enforce consistent network-wide configurations.
Software-Defined Networking (SDN) emerges as a solution to these limitations of traditional network architectures in industrial networks. SDN transforms network management by separating the control plane (network intelligence) from the data plane (data forwarding). This separation enables centralized, programmatic control over the network, offering an opportunity to enhance ICS security. In addition, this centralized approach provides real-time, network-wide visibility and programmability, which is useful for network monitoring, threat detection, and threat response.
The main objective of this thesis is to demonstrate the feasibility of using SDN to develop intrusion response strategies specifically tailored to the ICS domain. To that end, it presents two main contributions: (1) a proactive network packet attribute randomization approach against reconnaissance attacks, and (2) a proactive and adaptive network packet replication approach that mitigates False Data Injection (FDI) attacks. We experimentally validate the approaches by building ICS networks in test environments and analyzing the data generated by them. Because ICS security research needs to be conducted in a rigorous and reproducible environment, we also analyze the feasibility of the MiniCPS framework for this purpose.