Concepts d'analyse de la vulnerabilite des infrastructures essentielles - Prise en compte de la cybernetique

Critical Infrastructures (CIs) are complex systems. For their operations, these infrastructures are increasingly using Supervisory Control And Data Acquisition (SCADA) systems. Management practices are therefore highly dependent on the cyber tools, but also on the data needed to make these tools work. Therefore, CIs are greatly vulnerable to degradation of data.;In this context, this research aims at developing the fundamentals of a method for analyzing the vulnerabilities of CIs towards the use of cyber data. By characterizing cyber vulnerability of CIs, it will be possible to improve the resilience of these networks and to foster a proactive approach to risk management not only by considering cybernetics from a cyber-attack point of view but also by considering the consequences of the use of corrupted data.;The first step of the methodology is to delimitate and define the system that the study should focus on as well as to define the term risk. By considering the risk as a function of hazards, the state of the system and its consequences, it is possible to define the scope of the study. As stated previously, the system studied is a CI. The vulnerability of the system depends on the state of the system itself, on the capacity of a hazard to affect this state and on the undesired consequences the combination of the hazard and the vulnerability will eventually lead to.;The second step is to characterize CIs in terms of their operations, their functions and the resources they use. The idea is to determine the importance of the functions in a context of operational continuity. For this, we rely on expert judgment in order to differentiate the functions that are critical to the good functioning infrastructure and the ones that are supportive. We also characterize how the deterioration of a function can affect the achievement of the mission of the CI.;The third step is to develop the concepts of a methodology for analyzing vulnerability. We here consider an approach based on the consequences (alteration of the mission), and toward the causes considering the variation of the system. For this, it is necessary to define the dependence of each function of the CIs towards the resources they use. We must therefore classify the resources according to their importance for the realization of the functions of the CIs and characterize the level of affectation of these functions whenever a resource is altered or unavailable. For this, we use the principles of endorsement.;The final step consists in looking more specifically the dependence of the CIs towards the use of cyber data. For this, we consider the data as a resource used by the CIs. The objective here is to define the possible states of the data. The criteria used are, among others, the modes of transmission of the data and the time taken to change state.;The principles and concepts developed during this research will complement the works currently done in the field of computer security. Indeed, this research considers cybernetics from a different perspective, the dependence of CIs towards data.