Self-reconfiguration of industrial control systems as a response to cyberattacks
Abstract
As industrial control systems become increasingly connected, the threat of cyberattacks grows accordingly. Classical IT reactions that prioritize confidentiality, such as device shutdown or network isolation, cannot be directly applied, as they compromise availability, which is critical to keep the system safe. This paper explores the concept of self-reconfiguration in Industrial Control Systems (ICS) as a proactive and reactive defense mechanism against cyberattacks. Recognizing the critical importance of availability in OT environments, we propose a system that, upon detection of a compromised component, dynamically reconfigures itself to maintain functionality. Our approach leverages the increasing virtualization of ICS to migrate tasks from compromised devices to healthy ones, ensuring continued operation while containing the attack. We model the reconfiguration problem using the IEC 62443 standard, representing ICS as a network of zones linked by conduits. We present a system model incorporating security levels, device capacities, application dependencies, and communication constraints. Then, we formulate the task migration as an optimization problem solved via constraint programming. We detail several variations of the base reconfiguration program, including the activation of countermeasures or conduits, and the preemptive allocation of application instances to host devices with memory size constraints. Our approach is evaluated through a combination of a physical training factory use case and generated problem instances of arbitrary size. The evaluation covers the execution time of the reconfiguration process, as well as the resilience, measured as the number of devices attacked before a critical application must be stopped.
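The migration problem the abstract describes can be illustrated with a small added example, which is not code from the paper: applications are re-placed on healthy devices subject to zone security levels, device capacities, and conduit-constrained dependencies. The plant data, the cost order (stop as few applications as possible, then migrate as few as possible), and the exhaustive search standing in for a constraint-programming solver are all assumptions.

```python
from itertools import product

# Constructed sample plant: every name, level and capacity below is an assumption.
DEVICES = {"plc1": ("cell", 2), "plc2": ("cell", 2), "edge1": ("dmz", 3)}  # zone, capacity
ZONE_SL = {"cell": 3, "dmz": 2}            # security level of each zone
CONDUITS = {frozenset(("cell", "dmz"))}    # zone pairs joined by a conduit
APPS = {"control": (2, 3, True), "hmi": (1, 2, False), "logger": (1, 1, False)}  # load, required SL, critical
DEPENDS = [("hmi", "control")]             # hmi must be able to reach control
CURRENT = {"control": "plc1", "hmi": "edge1", "logger": "plc2"}

def feasible(placement):
    """Check security-level, capacity and communication constraints."""
    used = {}
    for app, dev in placement.items():
        if dev is None:                    # app is stopped
            continue
        load, need_sl, _ = APPS[app]
        if ZONE_SL[DEVICES[dev][0]] < need_sl:
            return False
        used[dev] = used.get(dev, 0) + load
    if any(load > DEVICES[dev][1] for dev, load in used.items()):
        return False
    for a, b in DEPENDS:
        if placement[a] is None:
            continue
        if placement[b] is None:
            return False
        za, zb = DEVICES[placement[a]][0], DEVICES[placement[b]][0]
        if za != zb and frozenset((za, zb)) not in CONDUITS:
            return False
    return True

def reconfigure(compromised):
    """Return the cheapest feasible placement on healthy devices, or None
    when a critical application can no longer be hosted."""
    healthy = [d for d in DEVICES if d not in compromised]
    # Critical apps must keep running; the others may be stopped (None).
    options = [healthy + ([] if APPS[a][2] else [None]) for a in APPS]
    best, best_cost = None, None
    for combo in product(*options):
        placement = dict(zip(APPS, combo))
        if not feasible(placement):
            continue
        stopped = sum(d is None for d in combo)
        moved = sum(d is not None and d != CURRENT[a] for a, d in placement.items())
        if best_cost is None or (stopped, moved) < best_cost:
            best, best_cost = placement, (stopped, moved)
    return best
```

In this constructed plant, losing `plc1` forces two migrations, while losing both PLCs leaves no zone with a sufficient security level for the critical application, which is the point at which the resilience count in the abstract would stop.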