ISSN: 2245-4578 (online), ISSN: 2245-1439 (print)
Railway Defender Kill Chain to Predict and Detect Cyber-Attacks

Keywords

Cybersecurity
cyber kill chain
railway
cyber-attack
OSACBM
predict

How to Cite

[1]
R. Kour, A. Thaduri, and R. Karim, “Railway Defender Kill Chain to Predict and Detect Cyber-Attacks”, JCSANDM, vol. 9, no. 1, pp. 47–90, Jan. 2020.

Abstract

Most organizations focus on intrusion prevention technologies and put less emphasis on prediction and detection. This research looks at prediction and detection in the railway industry. It uses an extended cyber kill chain (CKC) model and an industrial control system (ICS) cyber kill chain for detection, and proposes predictive technologies that help railway organizations predict and recover from cyber-attacks. The extended CKC model consists of both an internal and an external cyber kill chain; breaking the chain at an early stage helps the defender stop the adversary's malicious actions before they reach their objective. The research incorporates an open system architecture (OSA) for railways into a railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) architecture. The railway cybersecurity OSA-CBM architecture consists of eight layers; cybersecurity information moves from the initial layer of data acquisition through data processing, data analysis, incident detection, incident assessment, incident prognostics and decision support to visualization. The main objective of the research is to predict, prevent, detect and respond to cyber-attacks early in the CKC by using a set of defensive controls called the Railway Defender Kill Chain (RDKC). The contributions of the research are as follows. First, it adapts and modifies the OSA-CBM architecture into a railway cybersecurity OSA-CBM architecture. Second, it adapts the cyber kill chain model for the railway. Third, it introduces the Railway Defender Kill Chain. Fourth, it presents examples of cyber-attack scenarios in the railway system.
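The eight-layer pipeline and the idea of breaking the chain early are easier to see with a concrete pass through the first layers. The following is an added example and is not code from the paper or its authors. It assumes the seven Lockheed Martin CKC stage names as the chain (the paper's internal/external extension is not reproduced), a constructed syslog-style log format with constructed host names and documentation-range IP addresses, and an illustrative per-stage action table that stands in for, and is not, the paper's RDKC controls.

```python
"""
Walk a few constructed railway-network log lines through the first
layers of the railway cybersecurity OSA-CBM pipeline named in the
abstract (data acquisition -> data processing -> data analysis ->
incident detection -> incident assessment -> decision support) and
map every event to a cyber kill chain (CKC) stage, so the defender
sees how far each chain has progressed and which control to apply.

Added example, not code from the paper. Assumptions: stage names are
the seven Lockheed Martin CKC stages; the log format, hosts, IPs and
per-stage defensive actions are constructed for illustration and are
not the paper's RDKC controls.
"""
import re
from collections import defaultdict

# Lockheed Martin CKC stages in chain order (assumption: the paper's
# extended CKC builds on these; its extensions are not reproduced here).
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Illustrative defensive action per stage (constructed, not the paper's RDKC).
CONTROLS = {
    "reconnaissance": "block scanning source at the OT boundary firewall; alert SOC",
    "delivery": "quarantine attachment; block sender; warn recipient",
    "exploitation": "isolate workstation; capture memory; enforce macro policy",
    "installation": "remove persistence; re-image from known-good build",
    "command_and_control": "sinkhole destination; sever IT-to-OT route",
    "actions_on_objectives": "fall back to safe state; start incident response",
}

# Data analysis rule table: event type -> CKC stage (illustrative).
STAGE_OF = {
    "SCAN": "reconnaissance",
    "ATTACH": "delivery",
    "PROCESS": "exploitation",
    "SERVICE_INSTALL": "installation",
    "BEACON": "command_and_control",
}

# Constructed syslog-style lines (hosts and IPs are made up; IPs use
# documentation ranges). The HEARTBEAT line is an unknown event type.
SAMPLE_LOG = """\
2020-01-10T08:02:11 fw01 SCAN src=198.51.100.23 dst=10.30.0.0/24 ports=502,102,20000
2020-01-10T08:15:40 mail01 ATTACH src=198.51.100.23 user=ops-eng file=timetable.xlsm
2020-01-10T08:16:02 ws-ops03 PROCESS src=10.20.5.9 parent=EXCEL.EXE child=powershell.exe
2020-01-10T08:16:30 ws-ops03 SERVICE_INSTALL src=10.20.5.9 name=UpdSvc path=C:/ProgramData/u.exe
2020-01-10T08:20:05 fw01 BEACON src=10.20.5.9 dst=203.0.113.8 interval=60s
2020-01-10T08:21:00 fw01 HEARTBEAT src=10.20.5.9
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<type>[A-Z_]+)(?P<kv>.*)$")


def acquire(lines):
    """Data acquisition and processing: parse raw lines into structured events.
    Malformed lines are skipped rather than allowed to crash the pipeline."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        events.append({"ts": m.group("ts"), "host": m.group("host"),
                       "type": m.group("type"), **fields})
    return events


def analyse(events):
    """Data analysis: label each event with its CKC stage (None if unknown)."""
    for e in events:
        e["stage"] = STAGE_OF.get(e["type"])
    return events


def detect(events):
    """Incident detection: per source address, the stages observed, in chain order."""
    seen = defaultdict(set)
    for e in events:
        if e["stage"] and "src" in e:
            seen[e["src"]].add(e["stage"])
    return {src: sorted(s, key=STAGES.index) for src, s in seen.items()}


def assess(detections):
    """Incident assessment: index of the deepest stage reached per source.
    The further along the chain, the more urgent the response."""
    return {src: STAGES.index(stages[-1]) for src, stages in detections.items()}


def decide(detections):
    """Decision support: one defensive action per observed stage, earliest first,
    so the chain is broken as early as the evidence allows."""
    return {src: [(s, CONTROLS.get(s, "investigate")) for s in stages]
            for src, stages in detections.items()}


def run(lines=SAMPLE_LOG):
    """Run the pipeline end to end and return (detections, assessment, plan)."""
    detections = detect(analyse(acquire(lines)))
    return detections, assess(detections), decide(detections)


if __name__ == "__main__":
    detections, severity, plan = run()
    for src in sorted(detections, key=severity.get, reverse=True):
        print(f"{src}: deepest stage {STAGES[severity[src]]}")
        for stage, action in plan[src]:
            print(f"  {stage:22s} -> {action}")
```

Running it reports, for each source address, the deepest stage reached and one action per observed stage. The external attacker address stops at delivery, while the compromised workstation has already reached command and control, which is where the urgent containment belongs; had the scan or the attachment been acted on, the later stages would not have appeared. Unknown event types such as HEARTBEAT are parsed and kept but left unstaged, so they neither crash the pipeline nor silently inflate a chain.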

https://doi.org/10.13052/jcsm2245-1439.912

