Automated Incident Response and Recovery in ICS (NSoE)
Project date
1 November 2019 – 31 May 2021
completed
In current industrial control systems (ICS), response and recovery actions are determined and performed manually by a human operator once an attack has been detected. In this project, we aim to address the challenges associated with the automated synthesis of defence and incident response in ICS, and to answer the following research questions:

[RQ1] How to respond to an ongoing attack on the fly, by performing actions to disable the attacker’s access to the system?

[RQ2] How to recover from a successful attack, by performing actions to move the system from an unsafe state to a safe state?

We will develop a distributed monitoring technique that can coordinate multiple, component-specific monitors with an automatically synthesised protocol. We will also develop a technique for automatically synthesising response and recovery actions in the case of an active attacker.