Kabasele Ndonda, Gorby Nicolas
[UCL]
Industrial Control Systems (ICS) are computer systems used for monitoring and controlling industrial facilities such as water treatment facilities, power plants, and manufacturing factories. Historically, those systems were isolated, but for business and management purposes they were connected to other networks. This connection brought the vulnerabilities of other networks to ICS, which resulted in an increasing number of attacks against those systems. Consequently, the security of ICS has become an active research field. To improve the resilience of ICS against cyber-attacks, researchers are focusing on designing protection mechanisms such as Intrusion Detection Systems (IDS). In this thesis, we present two IDS solutions for ICS to consider both the cyber aspect and the physical aspect of ICS. The first solution focuses on the detection of attacks targeting the network infrastructure of the ICS and leverages Software-defined Networking (SDN). SDN is a network paradigm that provides a high level of flexibility in terms of network management. We use this property to improve a technique called Flow-Whitelisting. The second solution focuses on process-oriented attacks, meaning attacks that target physical processes. The IDS learns the temporal properties of a physical process to detect the disruptions caused by an attack. It analyzes the variables defining the physical process and monitors their behavior over time. Any deviation from the learned temporal properties triggers an alert. Each IDS is evaluated with several scenarios and gives interesting results. In addition, we provide a network dataset from a real system and a tool to generate new datasets that can be used for the evaluation of network IDS. To show the usefulness of the dataset, we evaluate several IDS from the literature.


Bibliographic reference: Kabasele Ndonda, Gorby Nicolas. Intrusion detection for industrial control systems. Prom.: Sadre, Ramin
Permanent URL: http://hdl.handle.net/2078.1/263452