Railway Defender Kill Chain to Predict and Detect Cyber-Attacks

Authors

  • Ravdeep Kour, Division of Operation and Maintenance Engineering, Luleå University of Technology, 97187 Luleå, Sweden
  • Adithya Thaduri, Division of Operation and Maintenance Engineering, Luleå University of Technology, 97187 Luleå, Sweden
  • Ramin Karim, Division of Operation and Maintenance Engineering, Luleå University of Technology, 97187 Luleå, Sweden

DOI:

https://doi.org/10.13052/jcsm2245-1439.912

Keywords:

Cybersecurity, cyber kill chain, railway, cyber-attack, OSACBM, predict.

Abstract

Most organizations focus on intrusion prevention technologies and place less emphasis on prediction and detection. This research addresses prediction and detection in the railway industry. It uses an extended cyber kill chain (CKC) model and an industrial control system (ICS) cyber kill chain for detection, and proposes predictive technologies that will help railway organizations predict and recover from cyber-attacks. The extended CKC model consists of both an internal and an external cyber kill chain; breaking the chain at an early stage helps the defender stop the adversary's malicious actions. This research incorporates an OSA (open system architecture) for railways into the railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) architecture. The railway cybersecurity OSA-CBM architecture consists of eight layers, through which cybersecurity information moves from the initial level of data acquisition to data processing, data analysis, incident detection, incident assessment, incident prognostics, decision support, and visualization. The main objective of the research is to predict, prevent, detect, and respond to cyber-attacks early in the CKC by using defensive controls called the Railway Defender Kill Chain (RDKC). The contributions of the research are as follows. First, it adapts and modifies the railway cybersecurity OSA-CBM architecture for railways. Second, it adapts the cyber kill chain model for the railway. Third, it introduces the Railway Defender Kill Chain. Fourth, it presents examples of cyber-attack scenarios in the railway system.


Author Biographies

Ravdeep Kour, Division of Operation and Maintenance Engineering, Luleå University of Technology, 97187 Luleå, Sweden

Ravdeep Kour is a Ph.D. student in the Division of Operation and Maintenance Engineering at Luleå University of Technology, Sweden. She received a Bachelor's degree in Information Technology and a Master's degree in Computer Science Engineering from Jammu University and Punjab University, India, in 2004 and 2012 respectively. She worked as an Assistant Professor in India from 2004 to 2012 and as a Research Engineer at Luleå Technical University, Luleå, Sweden, from 2012 to 2014, where she worked on European Union and Swedish railway projects. Her total academic and research work experience is 15 years. Her research interests are machine learning, cybersecurity in the context of IT and OT technologies, security risk assessment, cloud computing, and big data analytics.

Adithya Thaduri, Division of Operation and Maintenance Engineering, Luleå University of Technology, 97187 Luleå, Sweden

Adithya Thaduri is an Associate Senior Lecturer in the Division of Operation and Maintenance Engineering at Luleå University of Technology. He has coordinated four European projects (IN2RAIL, INFRALERT, IN2SMART and FR8RAIL) and three national projects (InfraSweden, Mindi and SKF) in the area of railways, and has collaborated on seven other projects. He recently obtained funding for one European railway project (IN2SMART2) and two national projects, one from Vinnova on railways and the other from Coal India Limited on mining. He has contributed to over 35 deliverables/reports within the above-mentioned projects and has over 40 research publications (28 after his PhD) in journals, book chapters and conference proceedings. He has taught the Maintenance Engineering course in the master's programme for two years. His areas of research are machine learning and context-aware maintenance decision-making within the framework of Maintenance 4.0 in railways, asset maintenance analytics, prognostics and degradation modelling of railway infrastructure, reliability prediction, maintenance planning and optimization, RAMS, LCC and risk assessment, predictive analytics of mining machines, and cybersecurity.

Ramin Karim, Division of Operation and Maintenance Engineering, Luleå University of Technology, 97187 Luleå, Sweden

Ramin Karim holds a PhD in Operation and Maintenance Engineering with a focus on eMaintenance and Industrial AI. He has over 20 years of industry experience in computer science and Information and Communication Technologies (ICT), in roles including software developer, systems architect, project manager, multi-project leader, process owner, product manager, responsible for standardization, model developer, and technology business developer. He has over 60 publications in several research areas related to eMaintenance. He is head of the eMaintenance Research Team, which focuses on Industrial AI for Operation and Maintenance, and is also the founder of a spin-off company from Luleå University of Technology that develops analytics solutions based on Industrial AI and eMaintenance.



Published

2020-01-01

How to Cite

Kour R, Thaduri A, Karim R. Railway Defender Kill Chain to Predict and Detect Cyber-Attacks. JCSANDM [Internet]. 2020 Jan. 1 [cited 2024 Nov. 17];9(1):47-90. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/1271
