Challenges and opportunities of cyber-resilience: an interdisciplinary forum to navigate between state-of-the-art and regulation landscapes (in-person event).
The increase in competitiveness leads to a race to digitization. Critical infrastructures become highly connected to the cyber world. This is especially true for Cyber-Physical Systems (CPSs), which combine hardware and software components. However, these complex systems remain vulnerable to cyber attacks. Resilience applied to CPSs aims at protecting these critical systems from cyber adversaries in order to ensure the completion of their missions. However, new questions arise with the arrival of quantum technology. Do the countermeasures and protection mechanisms used for resilience remain valid in the face of an adversary with quantum resources?
Program
8:45am – 9:15am | Welcome coffee
9:15am – 9:25am | Introduction
Gilles Desoblin, Director of the Cybelia Programme (IRT SystemX) and President of the Cyber & Security Hub (Systematic Paris-Région) & Reda Yaich, Head of Cybersecurity and Networks team IRT SystemX
9:25am – 9:55am | Presentation: Sensor Placement in Water Distribution Networks
Rob Kooij, Senior scientist, TNO
Abstract: Water Distribution Networks (WDNs) are often susceptible to either accidental or deliberate contamination which can lead to poisoned water, many fatalities and large economic consequences. In order to protect against these intrusions or attacks, an efficient sensor network with a limited number of sensors should be placed in a WDN. In this talk, we focus on optimal sensor placements in which the imperfection of sensors and multiple objectives can be taken into account. We will show that the optimal placement depends on the extent to which a sensor is imperfect. We will also report experimental results that indicate that imperfection of sensors does occur in the wild.
9:55am – 10:25 am | Keynote #1: Identifying the gaps on cyber-attack detection in converging IT/OT systems
Jan-Paul Konijn, Cyber Security Researcher, TNO
Abstract: Critical infrastructures are used to deliver vital functions to society, such as drinking water, or energy generation and distribution. Most of these critical infrastructures make use of Operational Technology (OT), consisting of hardware and software to actuate and monitor physical processes, events and assets. Historically speaking, most of the OT functioned in isolation (air-gapped). However, due to recent technological advancements we see a convergence of Information Technology (IT) networks with OT networks. Due to this convergence, critical infrastructures are becoming more susceptible to cyber-attacks. While the IT domain is primarily focusing on Confidentiality, Integrity, and Availability, the OT domain is more concerned with Safety, Reliability, Availability, and Maintainability. Given the importance for economy and society to protect critical infrastructures against cyber-attacks, there is a clear need for appropriate OT intrusion detection methods. In this talk, we first present a mapping of publicly available Industrial Control Systems (ICS) datasets for security research to the ICS Purdue Reference Architecture. Our examination of the available state-of-the-art has revealed various gaps such as the absence of complex cyber-attack strategies in the publicly available datasets, or the insufficiency of data on the different layers of the Purdue Model. Thus, practical methods to achieve full visibility on anomalous behavior in the OT environment, and effectively detect a multi-stage adversary, are missing. To this end, it is essential to have high-quality network and sensor data, something that so far has been lacking. Our first research findings indicate that the combination of these data types enables multi-stage attack detection at an earlier stage than detection based on sensor values only. In addition, it enables the detection of sensor spoofing carried out by an attacker.
By monitoring both network traffic and sensor values in an integrated fashion, it is possible to reduce the overall false positives and track an adversary across different layers of the Purdue model. Finally, our research highlights the need to prioritize the collection of high-quality data of both network and sensor data to enhance cyber-attack detection in the OT environment. Overall, this integrated approach has the potential to greatly enhance the resilience of critical infrastructure against multi-stage cyber-attacks.
10:25am – 10:35am | Coffee break
10:35am – 11:05am | Presentation: SOARCA: open-source SOAR for CACAO playbook automation
Jan-Paul Konijn, Cyber Security Researcher, TNO
Abstract: In an ever-changing landscape of organisational cybersecurity, resilience has become of imperative importance. To be better equipped against threat actors and their increasingly more complex tactics, techniques and procedures, organisations must actively engage in the detection, investigation, prevention, mitigation, and remediation of cyber threats in a timely manner. To accomplish this, organisations are increasingly automating threat and incident response via playbook driven approaches. Security playbooks maintain case-specific sequences of actions, workflows, that can detail the execution of security procedures, for instance a response of a detected phishing email, or a compromised asset. These workflows can be expressed in a machine-readable format, and are typically executed by a Security Orchestration, Automation and Response (SOAR) tool. Normally, SOAR tools employ proprietary and closed playbook formats, which strongly limit cybersecurity interoperability and information sharing among different tools, and organisations, thus reducing overall cybersecurity posture. The CACAO playbook format, developed by OASIS Open, introduces a standardised definition of security playbooks, hence advancing the state-of-play in this field.
In this technical talk, we will present Security Orchestrator for Advanced Response to Cyber Attacks (SOARCA), a TNO-developed open-source SOAR. SOARCA is the first open-source SOAR tool to adopt the open CACAO playbook standard. In particular, SOARCA can execute CACAO cybersecurity playbooks for both defensive, as well as offensive, workflows. During the session we will take a technical deep dive by demonstrating the automation capabilities of SOARCA through two hands-on use-cases.
We will showcase its automation capabilities in countering an advanced phishing attack targeting a representative organisation. This will encompass the entire process, from detecting a phishing campaign, to effectively resolving such threats through the use of CACAO playbooks and their execution via SOARCA.
Furthermore, we will delve into the inner workings of our platform, illustrating how the orchestration and automation capabilities of SOARCA can be tailored to meet specific requirements using our SOARCA Fin library, enabling creation of custom functionalities in Python to effectively address unique security challenges.
11:05am – 11:40am | Presentation: Resilience Assessment of Multi-Layered Cyber-Physical Systems
Romain Dagnas, Research Engineer and PhD Student, IRT SystemX
Abstract: Thanks to technological advancements, critical infrastructures integrate many smart technologies and become highly connected to the cyber world. This is especially true for Cyber-Physical Systems (CPSs), which combine hardware and software components. Despite the advantages of smart infrastructures, they remain vulnerable to cyber threats and adversarial events such as cyber-attacks. This talk focuses on quantifying the cyber resilience of complex systems modeled with a multi-layering approach. As a use case, we consider a Secure Water Treatment System (SWaT) testbed subsystem.
11:40am – 12:15pm | Round table: Networks & Communications
12:15pm – 12:45pm | Demo cybersecurity and cyber resilience of critical infrastructures
Frédéric Breussin, AIoTrust
12:45 pm – 1:35pm | Lunch break
1:35 pm – 2:05pm | Presentation: Resilience of cellular networks
Lotte Weedage, PhD Student, Twente University
Abstract: Cellular networks are one of the critical infrastructures, as many services increasingly depend on wireless connectivity. Thus, it is important to quantify the resilience of existing cellular network infrastructures against potential risks, from natural disasters to security attacks. These risks can severely disrupt cellular services. In this talk, we discuss several options to improve resilience, such as multi-connectivity and inter-operator collaboration. Under inter-operator collaboration such as national roaming, mobile network operators (MNOs) work together enabling higher per-user coverage and capacity and thus increasing resilience. We combine cellular network models with public data from national bodies on MNO infrastructure and population distribution in the Netherlands to assess the coverage and capacity of a cellular network at a national scale. However, in the analysis of the benefits of resource sharing among these operators, the important factor of co-location is often overlooked. Often in these networks, different operators co-locate: they place their base stations at the same locations due to cost efficiency. Using a framework of stochastic geometry, we show the effect of co-location on the benefits of infrastructure sharing and quantify the benefits of the current situation with infrastructure sharing.
2:05pm – 2:35pm | Presentation: Enhancing anomaly log detection in 5G networks through Log Folding & Reinforcement Learning
Kévin Yaker, PhD Student, Cybersecurity R&D engineer, Médiane Système
Abstract: In the ever-evolving Industry 4.0 landscape, logs play a critical role in maintaining the reliability and security of complex systems. This is particularly true in 5G networks, where specialized protocols such as CoAP and LwM2M generate vast quantities of log data. Despite the growing implementation of machine learning and deep learning techniques to enhance anomaly detection, challenges remain, including high resource consumption, lack of labeled logs, and excessive log sequence length. Moreover, existing attack datasets often contain only simplistic, noisy attacks that fail to represent the complexities of real-world 5G network threats.
To address these limitations, we propose a novel approach combining sequence log folding and reinforcement learning to enhance anomaly detection in 5G network logs. Our method incorporates a reinforcement learning layer atop a transformer model, optimizing it for unlabeled log data. Additionally, we introduce a log compression technique to manage lengthy sequences more efficiently. Recognizing the inadequacy of current datasets, we created a custom dataset of 5G-specific attacks to better reflect realistic threats.
Our approach was pre-trained using the HDFS and BGL datasets and fine-tuned on this custom dataset. The results demonstrate significant improvements in both detection accuracy and resource efficiency, highlighting the potential of this method to enhance security in 5G-enabled environments.
2:35pm – 3:05pm | Presentation: Quantum Game Theoretical Approach to Cyber Resilience
Iain Burge, Student, Télécom SudParis
3:05pm – 3:45pm | Keynote #2: From existing Quantum Key Distribution systems towards the future Quantum Internet
Ludovic Noirie, Senior researcher, Nokia Bell Labs
Abstract: With the current development of quantum computing, some existing cryptographic protocols may be broken in the future, such as RSA with Shor’s algorithm. To secure the future secret communications, but also the current ones from retrospective decryption, Pre-Shared Keys (PSK) can be used today, and two types of complementary solutions are currently being studied: Post Quantum Cryptography (PQC) and Quantum Key Distribution (QKD). The objective of this talk is to describe the latter, which relies on the laws of quantum physics to secure the sharing of secret keys. Among the current QKD systems, some are already commercially available. Their distance range is limited, generally around 100 km. To overcome this distance limitation, a first solution is currently being deployed in field trials using trusted nodes, with the so-called Quantum Communication Infrastructure (QCI). The problem is that users must trust QCI nodes, in which quantum communication is broken, going back to classical data processing that can be eavesdropped. To overcome this problem, researchers are investigating solutions to build future quantum networks and Quantum Internet (QI), in which the processing in the networks remains quantum, using quantum buffers and entanglement swapping in quantum repeaters to increase the distance range of QKD. We briefly discuss the advantages and disadvantages of QKD versus PQC, with the two actually being complementary.
3:45pm – 3:55pm | Coffee break
3:55pm – 4:30pm | Presentation: Maritime cybersecurity: towards safer seas and more resilient ships
Yvon Kermarrec, Professor, IMT Atlantique
Abstract: The maritime sector is quickly adapting to new technologies to enhance their operations, but these major advancements bring cyber security concerns. Recent attacks on ships, shipping companies, harbor infrastructures and studies highlight these risks. Due to long service lives, ship technologies often do not integrate “state-of-the-art” operating systems, software, etc., making it hard to address operational risks. Most commercial vessels lack cyber security experts, leaving crews to handle attacks far from shore and alone. Modern ships rely on computerized systems like the Integrated Navigation System (INS), which enhances safety by integrating data from multiple onboard devices.
Cybersecurity concerns and issues have been raised at the EU and international level and the impacts of an incident can be severe.
The objective of the talk is to present the various risks and challenges raised and how they can be addressed and solved for safer and more resilient activities at sea. A focus will be made on research, education and the various stakeholders of the maritime industry.
4:30pm – 5:00pm | Round table: Cyber resilience of industrial systems
Moderator: Reda Yaich, Senior researcher, lead team of the cybersecurity and networks team, IRT SystemX
5:05pm – 5:40pm | Demo, Cyber attacks impact on industrial systems and cyber countermeasures
Cybersecurity & Networks Team (IRT SystemX)
5:40pm – 5:50pm | Conclusion
Biographies
Robert Kooij (Senior scientist, TNO (Netherlands Organisation of Applied Scientific Research))
Robert Kooij has a background in mathematics: he received both his MSc and PhD degree cum laude at Delft University of Technology, in 1988 and 1993, respectively. From 1997 until 2003 he was employed at the research lab of KPN, the largest telecom operator in the Netherlands. From 2003 until 2018 he was employed at the ICT Unit of TNO, the Netherlands Organization of Applied Scientific Research. In 2011 he became principal scientist, conducting and managing research on Critical ICT Infrastructures. Since 2005 Robert is part-time affiliated with the Delft University of Technology, at the faculty of Electrical Engineering, Mathematics and Computer Science. Since 2010 he is a part-time full professor with the chair “Robustness of Complex Networks”. From 2018 until 2020 professor Kooij lived in Singapore, where he got a position as principal research scientist at the Singapore University of Technology and Design, working on a project related to cyber resilience for critical infrastructures. Currently he is the head of the department of Quantum and Computer Engineering (QCE) at Delft University of Technology. He is also part-time affiliated with the Cyber Security Technologies group at TNO.
Jan-Paul Konijn (Research engineer, TNO (Netherlands Organisation of Applied Scientific Research))
Jan-Paul Konijn is a Dutch Cyber Security Researcher and Engineer at TNO (the Netherlands Organisation for Applied Scientific Research), specializing in IT/OT cyber-security. His current work is focused on blue team operations, including the development of innovative detection algorithms for operational technology (OT) environments and the automation of security operations. His expertise lies in enhancing the resilience of security systems, national cyber safety, and cyber range technologies.
Yvon Kermarrec (Professor, IMT Atlantique)
Yvon Kermarrec is Professor of Computer Science at IMT Atlantique and was a member of the IMT Atlantique Management Committee as Head of Department. He holds a PhD in computer science and a “habilitation à diriger les recherches”. His research and teaching activities focus on distributed systems, security, software engineering and software reliability. He was a researcher at the Courant Institute at New York University (NYU), and a software architect with Raytheon (Vancouver, BC) before joining Telecom ParisTech and then Télécom Bretagne as a teacher-researcher.
Ludovic Noirie (Senior researcher, Nokia Bell Labs)
Ludovic Noirie is a senior researcher within the Network System and Security Research lab in Nokia Bell Labs, in France. He joined Alcatel in 1997 as a researcher on optical networking after receiving his engineer diplomas (Ecole Polytechnique, France, 1995, and Telecom ParisTech, France, 1997). Along his career within Alcatel, Alcatel-Lucent and now Nokia, Ludovic Noirie provided multidisciplinary contributions with technical and scientific content spanning from optical sub-systems and optical networking to general networking solutions and Internet of Things. He is currently working on quantum communications and quantum networks. In 2011, Ludovic Noirie joined the Laboratory of Information, Network and Communication Sciences (LINCS) in Paris, for which he is a member of the executive committee representing Nokia Bell Labs. Ludovic Noirie is the author of about 80 publications and the inventor of about 40 patents.
Lotte Weedage, PhD Student, Twente University
Lotte Weedage received her M.Sc. degree in Applied Mathematics in 2020 from the University of Twente, the Netherlands. She currently is a PhD candidate at the University of Twente in the Applied Mathematics department and will defend her thesis in January 2025. Her research is part of the EERI team: Energy-Efficient and Resilient Internet, where she investigates how to improve the performance and resilience of cellular networks.
Kévin Yaker, PhD Student, Cybersecurity R&D engineer, Médiane Système
Kévin Yaker received his License degree in Physics and Mathematics from Sorbonne University (Pierre-et-Marie-Curie) in 2018 and completed a Bachelor’s in Computer Science and Engineering from EFREI Paris, in collaboration with the University of Paris-Est Marne-la-Vallée (UPEM) in 2019. In 2022, he graduated summa cum laude with a Master’s degree in Cybersecurity from EFREI Paris, with a focus on adversarial defense. He is currently pursuing a PhD at Paris-Saclay University, specializing in anomaly detection in private 5G networks using Artificial Intelligence. Kévin is also a Cybersecurity R&D Engineer at Médiane Système, where he develops 5G-NR EDGE SA Private Clouds, conducts attack simulations, and implements machine learning models for anomaly detection in industrial IoT environments. He has published research in GIIS on secure private cloud architecture for OT operations and in GLOBECOM on an application function enabling communication between a private cloud and a 5G Core.
Organizers
Romain Dagnas (Research-engineer, Palaiseau, IRT SystemX)
Romain Dagnas received the License degree in mathematics, computer sciences, and physical sciences from the Faculté des Sciences et Techniques de Limoges, France, in 2017, the master diploma degree in computer sciences from 3iL Ingénieurs, France, in 2019, and the master diploma degree in mathematics, cryptology, application coding from CRYPTIS, Faculté des Sciences et Techniques de Limoges, France, in 2019. He is currently a Research-Engineer of the Network and Cybersecurity team at the Technological Research Institute (IRT) SystemX, Palaiseau, France. He works on the PFS project (Ports du Futur Sécurisés), and he is the holder of an exploratory research project launched by SystemX on quantifying the resilience of critical infrastructures. He is currently doing a PhD on the resilience of complex systems.
Michel Barbeau (Professor and Interim Director, School of Computer Science, Carleton University, Ottawa, Canada)
Dr. Barbeau received both his Master’s and Ph.D. from Universite de Montreal. He then returned to Universite de Sherbrooke, where he had completed his undergraduate degree in Computer Science in 1985, to join the faculty as a professor. Teaching at Universite de Sherbrooke from 1991 to 1999, Dr. Barbeau spent his last academic year as a visiting researcher at the University of Aizu, Japan. He joined the School of Computer Science at Carleton University in 2000. Dr. Barbeau’s research specializes in non-classical wireless networks. His current research has involved developing an acoustic network for underwater communication to aid in water-based surveillance in areas ranging from coastal navigation to environmental monitoring. Working alongside a team of undergraduate, master’s and doctoral students, Dr. Barbeau is testing ways to use mechanical vibrations to send encoded messages between underwater nodes. His team has worked to find ways to deal with challenges like multipath propagation of underwater acoustic waves – when signals are received by more than one path – influenced by reflection at sea surface and seabed, and refraction due to factors like water temperature, depth and surface waves, among others. His team tested their prototype in Ottawa’s Rideau Canal.
Joaquin Garcia-Alfaro (Professor, Institut Polytechnique de Paris, Télécom SudParis, Palaiseau, France)
Joaquin Garcia-Alfaro received a Bachelor, a Master’s and a Ph.D. degree from the Universitat Autònoma de Barcelona (UAB), in collaboration with the University of Rennes and ENST Bretagne (IMT Atlantique). He holds a research Habilitation from Sorbonne Université (Pierre-et-Marie-Curie, faculté des sciences), two engineering awards from UAB, and a doctoral fellowship award from the “la Caixa” savings bank foundation. He is professor and research team leader at Télécom SudParis, SAMOVAR research lab, at Institut Polytechnique de Paris. His work relates to cybersecurity topics, with a special emphasis on adversarial modeling and enforcement of countermeasures. Results are mainly grounded on the use of algorithms, cryptography, formal methods, graph theory and probabilities.
Reda Yaich (Senior researcher, lead team of the cybersecurity and networks team, IRT SystemX)
Reda Yaich is a senior researcher and Cybersecurity Team Leader at IRT SystemX. Reda holds a PhD in Computer Science from the ENS Mines of Saint-Etienne with a focus on Trust Management using Artificial Intelligence technologies. He served as lecturer and/or research assistant in several universities (e.g. University of Saint-Etienne, University of Lyon) and engineering schools (ENS Mines Saint-Etienne, Telecom Bretagne, IMT Atlantique, ENSIBS, Telecom SudParis). Reda has several publications in journals and conferences related to Decentralised Access authorisation and Digital Trust Management. He has also participated in numerous national (e.g. ANR FAROS, PIA IDOLE, Web Intelligence, WinPIC, etc.) and European projects (e.g. H2020 SeCoIIA, H2020 SUPERCLOUD, COST Action AT).
Practical information
IRT SystemX
Centre d’intégration Nano-INNOV
2, Boulevard Thomas Gobert
91120 Palaiseau – France
To visit our site, please bring an ID card.