CYBERSECURITY IN RAILWAY: A Framework for Improvement of Digital Asset Security
Ravdeep Kour
Operation and Maintenance Engineering
Department of Civil, Environmental and Natural Resources Engineering, Division of Operation and Maintenance Engineering
ISSN 1402-1544  ISBN 978-91-7790-579-0 (print)  ISBN 978-91-7790-580-6 (pdf)
Luleå University of Technology 2020
DOCTORAL THESIS
Printed by Luleå University of Technology, Graphic Production 2020
Luleå 2020
www.ltu.se
ACKNOWLEDGEMENTS
The research presented in this thesis has been carried out at the Division of Operation and Maintenance Engineering, Luleå University of Technology (LTU), Sweden. I gratefully acknowledge Luleå Railway Research Center (JVTC), Artificial Intelligence Factory for Railways (AIF/R), Intelligent Innovative Smart Maintenance of Assets by integRated Technologies (IN2SMART), and A Novel Decision Support System for Intelligent Maintenance (iMain) for financing my research study.
Furthermore, with a deep sense of gratitude, privilege and pride, I would like to convey my regards and sincere thanks to my main supervisor, Professor Ramin Karim, Division of Operation and Maintenance Engineering, Luleå University of Technology, Sweden. It was a great pleasure and honour to work under the guidance of someone with such vast experience and knowledge in his domain. Without his timely help, positive attitude, painstaking efforts, and continuous encouragement, it would not have been possible to complete this thesis in its present form.
I am grateful to Professor Uday Kumar (my co-supervisor), Chair Professor, Division of Operation and Maintenance Engineering for providing all possible help, cooperation and encouragement throughout the research work. He was always a source of motivation, inspiration and support throughout the span of PhD research work.
I express my heartfelt gratitude to Associate Professor Phillip Tretten (my co-supervisor) and Associate Senior Lecturer Adithya Thaduri (my co-supervisor), Division of Operation and Maintenance Engineering for their encouragement and support during this research work.
I would like to thank Senior Lecturer Miguel Castano and Dr Stephen Mayowa Famurewa, Division of Operation and Maintenance Engineering, Dr. Mustafa Aljumaili from KPMG, and Robert Beney from IronSky AB for the fruitful discussions. I would like to thank my colleagues at the Division of Operation and Maintenance Engineering for their support. I would also like to thank Veronica Jägare, Manager, JVTC for her support. The administrative support received from Cecilia Glover is also gratefully acknowledged.
It is my privilege to pay reverence to my parents and parents-in-law, who have always supported me through the thick and thin of my life. It would have been impossible for me to enjoy my work with undivided attention without the supportive and positive attitude of my husband, Dr. Sarbjeet Singh, and my daughters Harsimrat Kour and Ekamjeet Kour. I am also thankful to all my close friends for being a source of inspiration as well as strength during the long periods of my work.
Words cannot describe the heavenly help, which comes in immeasurable quantities, intangible forms and incomprehensible ways. Finally, I am filled with gratitude towards Almighty, ‘Waheguru’– invisible to the mortal eyes!
Ravdeep Kour, June 2020
Luleå, Sweden
ABSTRACT
Digitalisation has brought many positive changes to the operation and maintenance of railway systems. Emerging digital technologies facilitate the implementation of enhanced eMaintenance solutions through the use of distributed computing and artificial intelligence. Digital technology is expected to improve the railway system's sustainability, availability, reliability, maintainability, capacity, safety, and security, including cybersecurity. In the digitalised railway, however, cybersecurity is essential to achieving overall system dependability. A lack of cybersecurity has negative consequences, including reputational damage, heavy costs, service unavailability, and risk to the safety of employees and passengers.
Open-access data indicate that many railway organisations focus on detecting security threats, with less emphasis on forecasting them. To prepare for cyberattacks in advance, both Information and Communication Technology (ICT) and Operational Technology (OT) must be continually updated to enable a security analytics approach. Such an approach will help railways establish proactive security measures to predict and prevent cyberattacks quickly. The current standards and guidelines related to cybersecurity in railways (e.g. AS 7770 Rail Cyber Security, APTA SS-CCS-004-16, BS EN 50159:2010+A1:2020) are either organisation-specific or country-specific and are followed by most railway organisations. They do not provide a holistic approach that enables interoperability, scalability, orchestration, adaptability, and agility for railway stakeholders. Therefore, there is a need to develop a generic cybersecurity framework for digitalised railways to facilitate proactive cybersecurity and threat intelligence sharing within the railway sector.
The proposed Cybersecurity Information Delivery Framework integrates existing models, technologies, and standards to minimise the risk of cyberattacks in the railway. The framework uses the layers of the Open System Architecture for Condition-Based Maintenance (OSA-CBM) in the context of cybersecurity to deliver threat intelligence. It implements an extended Cyber Kill Chain (CKC) and an Industrial Control System (ICS) Kill Chain to detect cyberattacks, and it incorporates the proposed Railway Defender Kill Chain (RDKC) to enable proactive cybersecurity. The framework also raises the cybersecurity maturity level and delivers threat intelligence to improve information assurance in the railway.
Keywords: Digitalisation of railway, digital operation and maintenance, cybersecurity, framework for cybersecurity, maturity indicator level, railway defender kill chain.
LIST OF APPENDED PAPERS
Paper I
Kour, R., Aljumaili, M., Karim, R., & Tretten, P. (2019). eMaintenance in railways: Issues and challenges in cybersecurity. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 233(10), 1012-1022. (Published)
Paper II
Kour, R., Karim, R., & Thaduri, A. (2019). Cybersecurity for railways–A maturity model. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 0954409719881849. (Published online)
Paper III
Kour, R., Thaduri, A., & Karim, R. (2020). Railway Defender Kill Chain to Predict and Detect Cyber-Attacks. Journal of Cyber Security and Mobility, 9(1), 47-90. (Published)
Paper IV
Kour, R., Thaduri, A., & Karim, R. (2020). Predictive model for multistage cyber-attack simulation. International Journal of System Assurance Engineering and Management, 1-14. (Published online)
AUTHORS’ CONTRIBUTIONS
The work on the appended papers is divided into the following main activities; each author's contribution to each paper is shown in Table I below:
1. Research idea and design
2. Data collection and analysis
3. Manuscript drafting
4. Revising important intellectual contents
5. Final approval of the version to be published
Table I: Authors' contributions
Author              Paper I   Paper II   Paper III   Paper IV
Ravdeep Kour        1-5       1-5        1-5         1-5
Ramin Karim         1,4,5     1,4,5      1,4,5       1,4,5
Adithya Thaduri     -         3-5        3-5         1-5
Phillip Tretten     4,5       -          -           -
Mustafa Aljumaili   2-5       -          -           -
LIST OF RELATED PAPERS
Paper 1
Kour, R., Tretten, P., Karim, R., & Singh, S. (2019). Cybersecurity Workforce in Railway: A Case Study. Proceedings of the 5th International Workshop & Congress on eMaintenance, Stockholm, Sweden, pp. 28-32.
Paper 2
Kour, R., Thaduri, A., & Karim, R. (2019). Railway Defender Kill Chain for Cybersecurity. Proceedings of the 5th International Workshop & Congress on eMaintenance, Stockholm, Sweden, pp. 20-27.
Paper 3
Thaduri, A., Aljumaili, M., Kour, R., & Karim, R. (2019). Cybersecurity for eMaintenance in railway infrastructure: risks and consequences. International Journal of System Assurance Engineering and Management, 10(2), 149-159.
Paper 4
Kour, R., Karim, R., Parida, A., & Kumar, U. (2014). Applications of radio frequency identification (RFID) technology with eMaintenance cloud for railway system. International Journal of System Assurance Engineering and Management, 5(1), 99-106.
Paper 5
Kour, R., Tretten, P., & Karim, R. (2014). eMaintenance solution through online data analysis for railway maintenance decision-making. Journal of Quality in Maintenance Engineering, 20(3), 262-275.
Paper 6
Kour, R., Karim, R., & Tretten, P. (2014). eMaintenance solutions for railway maintenance decisions. In World Congress on Engineering (02/07/2014-04/07/2014), 2015, pp. 228-232. Newswood Limited.
Paper 7
Kour, R., Karim, R., & Parida, A. (2013). Cloud computing for maintenance performance improvement. In International Conference on Industrial Engineering, 20/11/2013-22/11/2013.
ACRONYMS
ACRONYM    FULL FORM
ACM        Asset Change and Configuration Management
APT        Advanced Persistent Threat
C2         Command and Control
C2M2       Cybersecurity Capability Maturity Model
CBM        Condition Based Maintenance
CIA        Confidentiality, Integrity, and Availability
CKC        Cyber Kill Chain
CPM        Cybersecurity Program Management
CYRAIL     CYbersecurity in RAILway
DDoS       Distributed Denial of Service
EC-C2M2    Electricity Subsector Cybersecurity Capability Maturity Model
EDM        Supply Chain and External Dependencies Management
ENISA      European Union Agency for Network and Information Security
GDPR       General Data Protection Regulation
HMI        Human Machine Interface
IA         Information Assurance
IAM        Identity and Access Management
ICS        Industrial Control System
ICS-SCADA  Industrial Control and Supervisory Control and Data Acquisition Systems
ICT        Information and Communication Technology
IEC        International Electrotechnical Commission
IoT        Internet of Things
IR         Event and Incident Response, Continuity of Operations
ISC        Information Sharing and Communications
LCC        Life Cycle Cost
MIL        Maturity Indicator Level
NICE       National Initiative for Cybersecurity Education–Capability Maturity Model
NIDS       Network Intrusion Detection System
NIST       National Institute of Standards and Technology
ONG-C2M2   Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model
OSA-CBM    Open System Architecture for Condition-Based Maintenance
OT         Operational Technology
PII        Personally Identifiable Information
R-C2M2     Railway-Cybersecurity Capability Maturity Model
RDKC       Railway Defender Kill Chain
RM         Risk Management
SA         Situational Awareness
SCADA      Supervisory Control and Data Acquisition Systems
SRA        Safety, Reliability, and Availability
TVM        Threat and Vulnerability Management
WM         Workforce Management
TABLE OF CONTENTS
ACKNOWLEDGEMENTS  i
ABSTRACT  iii
LIST OF APPENDED PAPERS  v
AUTHORS' CONTRIBUTIONS  vii
LIST OF RELATED PAPERS  ix
ACRONYMS  xi
TABLE OF CONTENTS  xiii
CHAPTER 1. INTRODUCTION  1
  1.1. Background  1
  1.2. Problem Definition and Motivation  2
  1.3. Purpose and Objectives  4
  1.4. Research Questions  4
  1.5. Scope and Limitations  5
  1.6. Structure of the Thesis  5
CHAPTER 2. THEORIES AND BASIC CONCEPTS  7
  Digital Railway  7
  Maintenance and eMaintenance  8
  Open System Architecture for Condition-Based Maintenance  10
  Information Assurance  11
  Cyberattacks  12
  Cyberattack Sources, Actions, Goals, and Impacts  13
  Cybersecurity Maturity Models  14
  Cybersecurity Awareness Risk  17
  Unified Extended Cyber Kill Chain and ICS Cyber Kill Chain  17
  Multistage Cyberattack in Railway SCADA System  20
  Interdependencies within Infrastructures: Cyber Threat Scenario Example  21
CHAPTER 3. RESEARCH METHODOLOGY  23
  3.1. Research Approach  23
  3.2. Research Purpose  24
  3.3. Research Strategy  25
  3.4. Data Collection and Data Analysis  25
  3.5. Research Validity and Reliability  26
  3.6. Research Process  27
CHAPTER 4. RESULTS  29
  4.1. Results Related to RQ1  29
  4.2. Results Related to RQ2  31
  4.3. Results Related to RQ3  35
CHAPTER 5. DISCUSSIONS  41
  5.1. Discussion of Results Related to RQ1  41
  5.2. Discussion of Results Related to RQ2  42
  5.3. Discussion of Results Related to RQ3  42
CHAPTER 6. CONCLUSIONS  45
CHAPTER 7. CONTRIBUTIONS  47
CHAPTER 8. FUTURE RESEARCH  49
REFERENCES  51
APPENDED PAPERS  57
INTRODUCTION / 1
CHAPTER 1. INTRODUCTION
This chapter describes the research area of the thesis and the problem statement. It also defines the purpose and objectives, research questions, and the scope, limitations, and structure of the thesis.
1.1. Background
Digitalisation is changing the operation and maintenance of railways significantly with respect to sustainability, availability, reliability, maintainability, capacity, safety, and security, including cybersecurity. However, although railway stakeholders perceive the changes brought by digitalisation as an opportunity, they also see them as a challenge. Digitalisation challenges include data acquisition, transformation, modelling, processing, visualisation, safety, security, quality, and information assurance (Jägare et al., 2019). Other challenges include the need for a new mind-set in the railway workforce, digital skills, and the development of a strategy to counteract cyber threats and secure railway assets, which requires special skills in digital technology for railway asset management (Scordamaglia, 2019). Generally, in asset management, an asset is an item, thing or entity with potential or actual value to an organisation, including servers, information, applications, databases, laptops, people, buildings, and physical systems (ISO 55000, 2014).
In the context of digital asset management, cybersecurity is defined as the preservation of the confidentiality, integrity, and availability of information in cyberspace (ISO/IEC 27032, 2012). Hence, cybersecurity is a vital part of asset management, ensuring the reliability, robustness, and resilience of digital assets. According to a recent ENISA report (ENISA, 2020), cyber threats are growing rapidly, threatening critical infrastructures and raising concerns about the privacy and security of the data underlying these infrastructures. These cyber threats lead to risk and possibly harm to one or more assets (Tipton et al., 2008).
The top three cyber threats faced by industries and critical infrastructures are malware attacks, phishing attacks, and targeted attacks (Hackmageddon, 2019). Well-known examples of malware include the following. Stuxnet is a malicious computer worm that targets Supervisory Control and Data Acquisition (SCADA) systems (Kushner, 2013). WannaCry is ransomware that spread to Microsoft Windows computers lacking the relevant security update, encrypting their data and demanding ransom payments (Mohurle, 2017). NotPetya presented itself as ransomware but was in effect destructive malware; it targeted companies in Ukraine, hitting government, financial and energy institutions (McQuade, 2018). According to IBM X-Force (2020), the most commonly impacted sectors are financial services, retail, transportation, media, professional services, government, education, manufacturing, energy, and healthcare (a ranking by attack volume is provided in Chapter 2, Table 2.1).
Society relies on the railway to transport passengers and goods. The railway is one of the most important critical infrastructures in society and, as such, requires protection from various threats, such as man-made threats (terrorism and technological threats) as well as natural disasters (Directive, 2008). The increasing digitalisation of the railway brings new opportunities to its stakeholders, but it also poses new challenges that must be addressed to retain the dependability of the system. Attackers have already targeted railways in Belgium, China, Denmark, Germany, Russia, South Korea, Sweden, Switzerland, the UK, and the US (Baker, 2008; The Local, 2017; BBC, 2018; Whittaker, 2018; Paganini, 2018). In the first few months of 2020 alone, two further data breaches in railways were reported. In the first case, the US-based railroad company RailWorks Corporation was hit by a ransomware attack, which led to a breach of the Personally Identifiable Information (PII) of more than 3,000 employees (Cisomag, 2020). In the second case, the UK-based Network Rail reported that the email addresses and travel details of about 10,000 people who had used free Wi-Fi at UK railway stations were exposed online (BBC, 2020). Several efforts have been made to protect data, including the introduction of new data protection regulations such as the European Union's General Data Protection Regulation (GDPR) (Europa, 2018), New York's Cybersecurity Requirements for Financial Services Companies (DFS, 2018), and Australia's Notifiable Data Breaches (NDB) scheme (NDB, 2018). In addition to these data protection laws, some research has been conducted on railway cybersecurity, such as CYbersecurity in RAILway sector (CYRAIL), a Shift2Rail sub-project for the detection, assessment, and mitigation of safety and security threats in railway infrastructures (Shift2rail, 2016; Shift2rail, 2017); this work focuses on threats from external sources. According to a recent report, however, about 30% of cyberattacks originate from internal sources, i.e., current or former employees of the organisation (Verizon, 2019). Internal threats therefore need to be considered as well.
The Swedish government has prioritised raising the level of awareness and knowledge and creating the long-term conditions for all stakeholders in society to work effectively on cybersecurity (Johansson, 2017). The Swedish Transport Administration's (Trafikverket) Risk and Vulnerability Analysis (RVA) has highlighted information security as a very important issue, especially in light of the Denial-of-Service (DoS) attacks in the transport sector. The agency has decided on an action plan to strengthen security, which includes measures to create a stronger security culture (Trafikverket, 2017). These projects and initiatives are strong indicators of the need to strengthen cybersecurity in the railway.
1.2. Problem Definition and Motivation
Digitalisation in the railway is not only bringing significant benefits; it is also creating vulnerabilities that lead to cyberattacks and security breaches. Cybersecurity aims to preserve the Confidentiality, Integrity and Availability (CIA) of information in cyberspace.
Confidentiality means that only authorised personnel may observe or disclose information; integrity means that information cannot be modified in an unauthorised manner; availability means that information is readily accessible to authorised users when they need it (Willett, 2008).
To facilitate proactive cybersecurity and threat intelligence sharing, a generic framework is needed that can be used to improve the maturity level of cybersecurity in the railway. A framework is defined as a meta-level model (a higher-level abstraction) through which a range of concepts, models, techniques and methodologies can be clarified and/or integrated (Jayaratna, 1994). Thus, a framework provides a structured set of concepts, models, guidelines, and technologies (Karim, 2008).
There are some examples of frameworks for measuring and assessing maturity level within the area of safety management in the rail industry, but few standards address railway cybersecurity, and the literature generally ignores cybersecurity maturity levels (Lim et al., 2014). In one exception, the European Union Agency for Network and Information Security (ENISA) analysed the current maturity levels of Industrial Control and Supervisory Control and Data Acquisition (ICS-SCADA) systems across Europe and provided stakeholders with a set of recommendations to improve their practices, especially in critical sectors (Mattioli and Moulinos, 2015).
Some railway organisations follow cybersecurity standards or guidelines, e.g., EN 50159 (2010); APTA SS-CCS-004-16 (2015); Rail Cyber Security Guidance to Industry (2016); Rail Delivery Group (2017); and AS 7770 (2018). These are, however, either organisation-specific or country-specific and do not provide a holistic approach that enables interoperability, scalability, orchestration, adaptability, and agility across stakeholders. There is a need for a generic cybersecurity framework for the digitalised railway. A review of the state-of-the-art research on these topics revealed the following research gaps:
• Existing work makes limited efforts to evaluate and estimate cybersecurity maturity levels in railways.
• Most organisations do not share cybersecurity information because of reputational concerns, yet a standard cybersecurity information delivery system is needed for internal and external cybersecurity communication.
• Most organisations rely on legacy reactive and detective security technologies and neglect predictive ones.
• Most organisations focus on external cybersecurity threats and place little emphasis on internal threats.
• A holistic perspective on cybersecurity is lacking but urgently needed for railways.
This research study aims to fill the aforementioned gaps by proposing a holistic cybersecurity framework that considers both external and internal threats and integrates existing technologies, standards, and models to communicate cybersecurity information and minimise the risk of cyber threats.
1.3. Purpose and Objectives
The purpose of the research is to develop a proactive strategy to protect railway operation from cyberattacks and breaches.
The objective of the research is to develop a holistic cybersecurity framework for the digitalised railway that enables and operationalises a proactive cybersecurity strategy. The proposed framework can be used to raise the cybersecurity maturity level and deliver threat intelligence so that cyber threats in the railway can be predicted, prevented, detected, and responded to more effectively.
The sub-objectives of the study are to:
a) identify the existing cybersecurity maturity levels in the railway;
b) enable prediction of cyberattacks in the context of operation and maintenance in the railway;
c) design and develop a cybersecurity framework to increase the robustness and resilience of the railway system.
1.4. Research Questions
To achieve the stated purpose and sub-objectives, the following research questions have been formulated:
RQ1: What are the cybersecurity issues and challenges, and the current level of cybersecurity maturity, in railway organisations?
RQ2: How can proactive cybersecurity measures be enabled in operation and maintenance of railway systems?
RQ3: How can a cybersecurity framework be developed and how can it enhance cybersecurity resilience in digitalised railway?
Figure 1.1 Link between the Research sub-Objectives (ROs), Research Questions (RQs), and Appended Papers (Ps).
1.5. Scope and Limitations
Considering the available resources, the research purpose and objectives, and the specific industrial interests, the scope and limitations of the thesis are as follows.
• The thesis mainly discusses railway cybersecurity in the utilisation (operation and maintenance) phase of the system's life cycle.
• A comprehensive study of the security controls presented in this thesis is outside the scope of this work.
• The study deals with the assessment of the cybersecurity maturity level of European railways.
1.6. Structure of the Thesis
The thesis consists of eight chapters and four appended papers.
Chapter 1- Introduction: this chapter provides a brief background to the research performed for this thesis and explains the need for cybersecurity in the railway. It also provides the problem statement, the purpose and objectives, research questions, links between the research questions and appended papers, scope and limitations, and the structure of the thesis.
Chapter 2- Theories and basic concepts: this chapter describes the state-of-the-art concepts and theories related to the research. The theories support the need to evaluate the cybersecurity maturity level in the railway and help in the selection of cybersecurity models to detect cyberattacks. These theories also support the development of the cybersecurity framework.
Chapter 3- Research methodology: this chapter describes how the research was conducted. The selection of the research methodologies was based on the research purpose and objectives, the research questions (see Chapter 1 ‘Introduction’), and the identification, evaluation, and selection of models (see Chapter 2 ‘Theories and Basic Concepts’).
Chapter 4- Results: this chapter presents the results of the research on the three RQs stated in chapter 1 ‘Introduction’.
Chapter 5- Discussions: this chapter discusses the results and findings (see Chapter 4 ‘Results’) of the conducted research work.
Chapter 6- Conclusions: this chapter concludes and analyses the results presented in Chapters 4 and 5.
Chapter 7- Research contributions: this chapter summarises the research contributions of the conducted research study.
Chapter 8- Future research: this chapter suggests how the present research can be extended in future work.
THEORIES AND BASIC CONCEPTS / 7
CHAPTER 2. THEORIES AND BASIC CONCEPTS
This chapter presents the essential theories and basic concepts and explains their relevance to the research work.
Digital Railway
Digitalisation is one of the top priorities for the railway. The concept of the digital railway is defined in the European initiatives presented by the Community of European Railways and Infrastructure Managers (CER), the International Rail Transport Committee (CIT), the Association of European Rail Infrastructure Managers (EIM), and the International Union of Railways (UIC) (Roadmap, 2016). Nemtanu and Marinov (2019) define the digital railway as a new paradigm for organising and governing the railway transport system, based on digital support systems and the digital skills of employees in a digital business environment, with the aim of increasing the efficiency and decreasing the negative aspects of the railway transport system. A further concept of the digital railway is inevitably linked to fully automatic, driverless trains (future rolling stock), e.g., smart locomotives and smart trains (Avramović et al., 2019).
The objective of the digital railway is to offer highly efficient and attractive transport options to customers and to make use of the opportunities offered by digital transformation (Roadmap, 2016). In addition, digital railways need to meet the highest requirements in terms of safety, security, sustainability, availability, and affordability, as well as adaptability to the existing railway setup (Roadmap, 2016).
ePilot is one of the projects undertaken by the Luleå Railway Research Center (JVTC) at Luleå University of Technology (LTU) to enable a sustainable, robust, resilient, reliable and digitalised railway system in Sweden that is attractive, safe and efficient (Karim et al., 2020). ePilot is the result of more than 20 years of research, innovation and implementation in railway operation and maintenance, and one of its main purposes has been to facilitate the digital transformation of the railway (Karim et al., 2020). ePilot provides a blueprint for the actions needed to accelerate digitalisation in the railway; these actions are described in a set of checkpoints (Karim et al., 2020). ePilot has developed two new concepts for the digital railway, Railway 4.0 and Testbed Railway (Karim et al., 2020), described below:
• Railway 4.0 – an overarching framework designed to facilitate the choice of concept, approach, technologies and methodologies aimed at the development of the railway system, nationally and internationally.
• Testbed Railway – a platform for implementing thorough, transparent and replicable testing of scientific theories, calculation tools (e.g. Big Data Analytics) and new technology.
THEORIES AND BASIC CONCEPTS / 8
Jägare et al. (2019) provided a range of challenges in digital railway, i.e., data acquisition, transformation, modelling, processing, visualisation, safety, security, quality, and information assurance. Jägare et al. (2019) also discussed that technological transformation affects not only the technical systems, i.e. railway infrastructure and rolling stock, but also regulations, organisations, processes, and liveware (i.e. humans). To deal with these challenges, Jägare et al. (2019) discussed the need for a railway digitalisation strategy to enable smooth transformation of the existing configuration to a digitalised system. The discussed strategy should be based on systematic risk management that addresses aspects of, e.g., information security, traffic safety and project risk (Jägare et al., 2019). According to Karim et al. (2020), ensuring safety and security is one of the future technological advances that digitalised rail needs to adapt to.
Maintenance and eMaintenance
Maintenance refers to a combination of all technical, administrative and managerial actions during the life cycle of an item intended to retain it in, or restore it to, a state in which it can perform the required function (CEN, 2017). Maintenance includes not only repairs, but also modifications to the system that take place due to adjustment to environmental changes (Avizienis et al., 2004). This is called adaptive maintenance and is performed for the purpose of adaptation to a new environment (IEV, 2015). An example of a new environment could be a new type of hardware on which the software is to be run (IEV, 2015). Figure 2.1 shows different types of maintenance strategies.
Figure 2.1 Types of maintenance strategies (CEN, 2017)
Corrective maintenance was traditionally performed regardless of the condition of the equipment or component under repair, leading to money being wasted on repairing or replacing components that were in normal condition. System operators are looking for more efficient ways to maintain a system to extend its life cycle. One possible solution is Condition Based Maintenance (CBM), a type of preventive maintenance. With this type of maintenance, the system operator can perform maintenance actions for defective components only, thus increasing the lifetime of the overall system (Ahmad and Kamaruddin, 2012).
Maintenance of a complex technical system has a major impact on the system’s dependability, safety, Life Cycle Cost (LCC), and security. Dependability of a system (Figure 2.2) implies availability performance and its inherent factors: reliability performance, maintainability performance and maintenance support performance (IEV, 2015).
Figure 2.2 Elements of dependability (IEV, 2015)
For a system to remain available, it must operate in good condition and deliver required services. The utilisation phase of a system’s life cycle begins when the system is accepted for use and starts to deliver its services to users (ISO 12207, 2008). Utilisation consists of alternating periods of correct service delivery, service outage, and service shutdown (Avizienis et al., 2004). A service outage is caused by a service failure, while a service shutdown is an intentional halt of service by an authorised entity. Maintenance actions may take place during all three periods of the utilisation phase. During this utilisation phase, the system interacts with its environment, including the physical world, administrators, users, providers, infrastructure, and adversaries (Avizienis et al., 2004). Adversaries are malicious entities who try to alter or halt services. Therefore, a system requires continuous maintenance to achieve a high level of availability.
The use of Information and Communication Technology (ICT) in maintenance to develop artefacts (e.g. frameworks, tools, methodologies, and technologies) supports maintenance decision-making (Karim et al., 2016). As ICTs become increasingly pervasive, eMaintenance solutions for advanced maintenance applications are becoming more common. The term eMaintenance is defined at two levels of abstraction: first, “eMaintenance is maintenance managed and performed via computing”; second, “eMaintenance is a multidisciplinary domain based on maintenance and ICT ensuring that the eMaintenance services are aligned with the needs and business objectives of both customers and suppliers during the whole product lifecycle” (Kajko-Mattsson et al., 2011).
eMaintenance is also viewed as a predictive maintenance system that provides monitoring and predictive prognostic functions (Koc and Lee 2001; Parida and Kumar, 2004). An additional view of eMaintenance is the integration of ICT technologies in maintenance policies to deal with new expectations of innovative solutions for e-manufacturing and e-business (Muller et al., 2008). With the adoption of ICT technologies, the number of networked devices is rapidly increasing
(Radenkovic and Kocovic, 2020). These devices provide opportunities for adversaries to steal, corrupt, delete, or modify data. Cyberattacks on eMaintenance solutions may have an impact on underlying data, which, in turn, will influence the data-driven models and affect the maintenance decision-making process. However, Campos et al. (2016) have discussed the cybersecurity challenges to protect data required for the development of advanced maintenance.
Open System Architecture for Condition-Based Maintenance
Condition Based Maintenance (CBM) is tightly linked to the notion of proactivity which is followed in this study. OSA-CBM, or the Open System Architecture for Condition-Based Maintenance, was developed in accordance with the specifications of ISO-13374 on condition monitoring and diagnostics of machinery (ISO-13374, 2003). OSA-CBM is considered one of the most important standards of eMaintenance systems (Holmberg et al., 2010). OSA-CBM provides a prototype framework for CBM implementation; the goal in its development was to create a framework and data exchange conventions that would enable the interoperability of CBM components (Swearingen et al., 2007). OSA-CBM has seven layers: Data Acquisition, Data Manipulation, State Detection, Health Assessment, Prognostics, Advisory Generation, and Presentation (Figure 2.3). A brief description of each layer is given in the following text.
Figure 2.3 OSA-CBM Layers
• Data Acquisition: This layer provides the CBM system with digitized sensor or transducer data.
• Data Manipulation: This layer corresponds to the data preparation stage in a normal data mining process. Techniques such as data cleansing, feature selection, feature extraction, and standardization can be applied to process the raw data for analysis.
• State Detection: This layer focuses on comparing data with expected values or control limits; an alert is triggered if these limits are exceeded.
• Health Assessment: The focus of this layer is to prescribe if the health in the monitored system has degraded. This should be able to generate diagnostic records and propose fault possibilities.
• Prognostics: The focus of this layer is to calculate the future health of an asset and report the remaining useful life (RUL) of that asset.
• Advisory Generation: Its focus is to generate recommended actions and alternatives based on the predictions of the future states of the asset.
• Presentation: This layer provides an interactive human-machine interface (HMI) to visualize pertinent data, information and results obtained in previous steps.
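To make the seven OSA-CBM layers concrete, and to show where the data-integrity concern raised in the eMaintenance discussion above bites, the following is an added example (not code from the thesis or from the OSA-CBM standard). It runs a constructed bearing-temperature series through each layer in turn; the control limit, failure limit, linear-trend RUL model, gateway key and advisory thresholds are all assumptions chosen for illustration. The Data Acquisition layer verifies an HMAC tag from the sensor gateway, so that a sample modified in transit is rejected before it can distort State Detection, Prognostics and the resulting advisory.

```python
import hashlib
import hmac
import json
from statistics import mean

# Shared secret between the sensor gateway and the CBM server (constructed for this example).
GATEWAY_KEY = b"example-gateway-key-not-for-production"
CONTROL_LIMIT_C = 80.0    # State Detection control limit for bearing temperature (assumed)
FAILURE_LIMIT_C = 100.0   # temperature treated as functional failure (assumed)


def make_sample(readings):
    """Stand-in for the gateway: attaches an HMAC-SHA256 tag over the readings."""
    body = json.dumps(readings, sort_keys=True).encode()
    return {"readings": readings,
            "mac": hmac.new(GATEWAY_KEY, body, hashlib.sha256).hexdigest()}


def acquire(sample):
    """Data Acquisition: accept readings only if the gateway tag verifies, so a
    tampered batch is rejected before it can reach the analytic layers."""
    body = json.dumps(sample["readings"], sort_keys=True).encode()
    expected = hmac.new(GATEWAY_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sample["mac"]):
        raise ValueError("integrity check failed: sample rejected")
    return list(sample["readings"])


def manipulate(readings):
    """Data Manipulation: drop physically impossible values, then smooth with a
    3-point moving average to produce the feature series."""
    clean = [r for r in readings if -40.0 <= r <= 200.0]
    return [mean(clean[max(0, i - 2):i + 1]) for i in range(len(clean))]


def detect_state(features):
    """State Detection: compare the latest feature against the control limit."""
    latest = features[-1]
    return {"latest": latest, "alert": latest > CONTROL_LIMIT_C}


def assess_health(features):
    """Health Assessment: estimate the degradation slope (degC per sample) and
    decide whether the asset is degrading."""
    slope = (features[-1] - features[0]) / max(1, len(features) - 1)
    degraded = slope > 0.5 or features[-1] > CONTROL_LIMIT_C
    return {"slope": slope, "degraded": degraded,
            "diagnosis": "bearing overheating trend" if degraded else "normal"}


def prognose(features, slope):
    """Prognostics: remaining useful life in samples, assuming a linear trend."""
    if slope <= 0:
        return float("inf")
    return (FAILURE_LIMIT_C - features[-1]) / slope


def advise(health, rul):
    """Advisory Generation: recommended action from health state and RUL."""
    if not health["degraded"]:
        return "no action"
    return "schedule immediate inspection" if rul < 10 else "plan replacement at next window"


def present(state, health, rul, advisory):
    """Presentation: the flat record an HMI would render."""
    return {"latest_c": round(state["latest"], 1), "alert": state["alert"],
            "diagnosis": health["diagnosis"],
            "rul_samples": None if rul == float("inf") else round(rul, 1),
            "advisory": advisory}


def run_pipeline(sample):
    """Run the seven OSA-CBM layers in order on one signed sample."""
    features = manipulate(acquire(sample))
    state = detect_state(features)
    health = assess_health(features)
    rul = prognose(features, health["slope"])
    return present(state, health, rul, advise(health, rul))


# Constructed input: a rising bearing temperature with one spurious 999 reading.
TRENDING_SAMPLE = make_sample([60, 62, 65, 70, 999, 76, 82, 88])

if __name__ == "__main__":
    print(run_pipeline(TRENDING_SAMPLE))
```

The point of placing the integrity check in the first layer is that every later layer trusts its input: a modified temperature series would pass cleanly through smoothing, state detection and prognostics and yield a wrong but plausible advisory, which is exactly the "erroneous decisions" impact described later in this chapter.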
Information Assurance
With digitalisation, the concept of Information Assurance (IA), a concept that also deals with aspects of cybersecurity, is receiving significant attention. Information Assurance defines and applies a collection of policies, standards, methodologies, services, and mechanisms to maintain mission integrity with respect to people, process, technology, information, and supporting infrastructure (Willett, 2008). The overall goal of IA is to ensure the availability of the system. Dependability includes availability, reliability, maintainability, and maintenance supportability (IEV, 2015). In some cases, dependability includes other characteristics, such as recoverability, durability, safety, and security (IEV, 2015). Sommerville (2006) lists four main dimensions of dependability: availability, reliability, safety, and security. Security needs to be considered to improve the availability of the system. One of the IA core principles, Confidentiality-Integrity-Availability (CIA), provides a fundamental risk-management objective. When authorised actions are involved with CIA, a security attribute is formed (Avizienis et al., 2004).
Security is an inherent component of system dependability and must be continuously improved if eMaintenance tools are to achieve the high levels of availability required of them. Figure 2.4 shows the relationship between dependability and security elements.
Figure 2.4 Dependability and security attributes adapted from (Avizienis et al., 2004; IEV, 2015)
Cyberattacks
A cyberattack is an attempt to destroy, expose, alter, disable, steal, gain unauthorized access to, or make unauthorized use of an asset (ISO/IEC 27000, 2009). Top threats include malware, account hijacking, unknown, vulnerability, unauthorized access, targeted attack, and so on (Figure 2.5). The North Atlantic Treaty Organisation (NATO) ranks phishing, malware, and Distributed Denial of Service (DDoS) among its greatest concerns (NATO, 2019). A DDoS attack disrupts a server's traffic by overloading it with Internet traffic to make it unavailable to users who need to exchange information.
Figure 2.5 Top 10 cyberattacks of Year 2019 (McAfee, 2019)
A cybersecurity statistics report from IBM X-Force confirms that the most commonly impacted sectors worldwide are finance (17%), retail (16%), transportation (10%), media (10%), professional services (10%), government (8%), education (8%), manufacturing (8%), energy (6%), and healthcare (3%) (IBM, 2020). Table 2.1 shows the top 10 targeted industries ranked by attack volume; transportation is among the top three.
Table 2.1: A comparative chart of the top 10 targeted industries ranked by attack volume, 2019 vs. 2018 (IBM, 2020)
Sector                  2019 rank   2018 rank
Financial Services      1           1
Retail                  2           4
Transportation          3           2
Media                   4           6
Professional Services   5           3
Government              6           7
Education               7           9
Manufacturing           8           5
Energy                  9           10
Healthcare              10          8
Data shown in Figure 2.5 (share of reported attacks, 2019): Malware 35%, Account Hijacking 21%, Unknown 15%, Vulnerability 7%, Unauthorized Access 7%, Targeted attack 5%, Code Injection 3%, Denial of service 3%, Defacement 2%, Theft 2%.
Cyberattacks are increasing because adversaries are adopting new techniques and strategies to circumvent new security measures and evade detection. Advanced Persistent Threats (APTs) are increasing day-by-day. NIST (Force, 2013) defines APT as:
“An attacker that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the Information and Communication Technology (ICT) infrastructure of the targeted organisations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organisation; or positioning itself to carry out these objectives in the future”. Hence, it is important to understand cyberattack characteristics and source to protect system assets (Jouini et al., 2014).
Cyberattack Sources, Actions, Goals, and Impacts
This research thesis conducted a literature review of various sources of cyberattacks along with their actions, goals, and impacts (e.g., Zhu et al., 2011; Jouini et al., 2014; Abomhara, 2015).
• Cyberattack Sources are the origin of cyberattacks. The system can face internal or external cyberattacks from these sources. Internal cyberattacks are from people working within the organisation with authorized access to the network, including employees and business partners. External cyberattacks are from people working outside the organisation without authorized access to the network. External incidents occur through wired or wireless networks and physical intrusion.
• Actors are responsible for the cause of the attack, and these are humans, technology, and natural disasters. Human actors such as internal (insiders) or external (hackers) can cause harm to the systems and gain physical access to restricted areas such as buildings, cabins, rooms, or any other area to steal or damage hardware and software. Technology includes the failure of hardware, software, and information systems (Cebula and Young, 2010). Natural disasters include earthquakes, hurricanes, wind, floods, tsunamis, fires, lightning, animals, and wildlife which can cause severe damage to system’s assets. Certain environmental conditions, e.g., temperature, moisture, cosmic radiation, etc., can also present threats to system’s assets (Montanari and Querzoni, 2014).
• Actions include intentions of the actors which can be malicious or non-malicious. Malicious intentions consist of internal or external attacks caused by employees or non-employees to steal or modify information of an organisation using malicious code. If the authentication mechanism is not properly implemented, a malicious intruder can act as a genuine user and monitor the network traffic. A malicious user can send fake routing packets, and gain access to sensitive information of the organisation. Non-malicious intentions occur when inadequate security policies allow vulnerabilities and errors. They are caused unintentionally by employees who are not seeking to harm the system.
• Security goals are the core principles or security elements which provide fundamental objectives for managing risks. The operational goals of Information and Communications Technology (ICT) security are Confidentiality, Integrity, and Availability (CIA) and the operational goals of Operational Technology (OT) security are Safety, Reliability, and Availability (SRA) (Force CIT, 2013). According to IBM X-Force (2020), there was a 2000 percent increase in OT attacks in 2019 compared to 2018, and these attacks are expected to increase in the coming years.
• Impacts are the outcomes of the violation of security goals. Any compromise to the security goals can have the following impacts on the system.
(i) Loss of public confidence: This is the loss of public confidence in the government’s ability to protect critical infrastructures and data or to prevent a cyberattack (Gross et al., 2017).
(ii) Public embarrassment: This is associated with a high level of discomfort when an organisation is attacked and its Personally Identifying Information (PII) is made public (Shakarian et al., 2015).
(iii) Legal action against the organisation or litigation: This is the process of taking legal action against the organisation responsible for the leakage of sensitive information (Cebula et al., 2014).
(iv) Data inaccuracy: Data inaccuracy is caused by a compromise in security element integrity. Almost all losses of customer information are caused by an integrity breach (EY, 2014).
(v) Erroneous decisions: Once the adversary launches a data integrity attack and modifies parameters related to decision-making processes, erroneous decisions will be made, and the welfare of participants in the system will be reduced (Zhang et al., 2016).
(vi) Loss of reliability, safety, and continuity: This happens when SRA security goals are compromised (D’Amico, 2000; Sridhar et al., 2012; Wood and Stankovic, 2002; Montanari and Querzoni, 2014).
Cybersecurity Maturity Models
Complex technical systems are adopting Information and Communications Technology (ICT) technologies, thus making them vulnerable to cyber threats. To check the level of maturity of their existing cybersecurity practices, organisations need to estimate their cybersecurity maturity using a maturity model. A maturity model provides a benchmark against which an organisation can assess the current level of maturity of its cybersecurity practices, processes, and procedures (C2M2, 2014). Various cybersecurity maturity models were studied for this research (e.g., C2M2 V1.1, 2014; ES-C2M2, 2014; ONG-C2M2, 2014; ISO/IEC 27001, 2013; ISACA, 2012). The models were compared, and one was selected as the best for this research.
2.7.1. Selection of a Cybersecurity Capability Maturity Model
The observations from a systematic review conducted from 2012 to 2018 indicated that the most relevant cybersecurity models for the complex technical system are:
• Cybersecurity Capability Maturity Model (C2M2),
• Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2),
• Electricity Subsector Cybersecurity Capability Maturity Model (EC-C2M2),
• Systems Security Engineering Capability Maturity Model (SSE-CMM),
• Community Cyber Security Maturity Model (CCSMM), and
• National Initiative for Cybersecurity Education Capability Maturity Model (NICE).
Few maturity models focus on cybersecurity (Rea-Guaman et al., 2017). The models which follow the NIST (2018) framework are:
• EC-C2M2,
• ONG-C2M2,
• CCSMM, and
• C2M2.
EC-C2M2 and ONG-C2M2 are tailored for the electricity and oil and natural gas sectors, respectively. CCSMM is focused on a specific area of an organisation, while C2M2 is focused on the entire organisation. C2M2 defines roles and responsibilities, but CCSMM does not. C2M2 is NIST framework compatible, cybersecurity oriented, and simple, i.e., in the form of a questionnaire. Therefore, the C2M2 model was selected to evaluate the cybersecurity capabilities of railway systems. The review also revealed that little work has explored railway cybersecurity maturity. In addition, C2M2 is an easy-to-use model for evaluating an organisation’s cybersecurity maturity level.
2.7.2. Capabilities of the C2M2 Model
Based on the cybersecurity maturity models’ evaluation, the C2M2 model was selected to evaluate the cybersecurity capabilities of railway organizations. The capabilities of this model are:
• Cybersecurity oriented
• Built on existing efforts, models, frameworks, and cybersecurity best practices
• NIST framework compatible
• Focused on the entire organisation
• Successfully applied in the electricity sector, the oil and gas sector and building control systems
• Research instrument is based on an interview-based question-and-answer process
The C2M2 model is organised into ten domains:
1. Risk Management (RM),
2. Asset Change and Configuration Management (ACM),
3. Identity and Access Management (IAM),
4. Threat and Vulnerability Management (TVM),
5. Situational Awareness (SA),
6. Information Sharing and Communications (ISC),
7. Event and Incident Response, Continuity of Operations (IR),
8. Supply Chain and External Dependencies Management (EDM),
9. Workforce Management (WM), and
10. Cybersecurity Program Management (CPM).
Each domain includes a grouping of cybersecurity practices structured into various objectives, which represent achievements within the domain. The C2M2 model defines four Maturity Indicator Levels (MILs), 0–3, which are applied independently to each domain. This means that an organisation using the C2M2 model may have different MIL scores for different domains. MILs are “designed to discuss an organisation’s operational capabilities and management of cybersecurity risk during both normal operations and times of crises” (C2M2, 2014).
It has been observed that some organisations are one step behind because they patch their systems or configure their cyber protection methods against known attacks and breaches. To be one step ahead, this thesis introduces a new Maturity Indicator Level, MIL4 in the C2M2 model, so organisations will have proactive measures to tackle future threats. MIL4 includes initial practices of predictive security analytics and threat intelligence. The description of each level is given in Figure 2.6.
Figure 2.6 Description of maturity indicator levels (C2M2, 2014) with new proposed MIL4.
MIL0 Not Performed
• MIL1 has not been achieved in the domain
MIL1 Initiated
• Initial practices are performed, but may be ad hoc
MIL2 Performed
• Practices are documented
• Stakeholders are involved
• Resources are provided
• Standards are used to guide practice implementation
• Practices are more complete or advanced than at MIL1
MIL3 Managed
• Domain activities are guided by policy
• Activities are periodically reviewed for conformance to policy
• Responsibility and authority for practices are clearly assigned
• Practices are more complete or advanced than at MIL2
MIL4 (Proposed)
• Initial practices of security analytics and threat intelligence are performed, but may be ad hoc
• Practices are more complete or advanced than at MIL3
The MIL4 practices are more advanced than MIL3 practices. MILs are cumulative within each domain; to earn a MIL1, 2, 3, or 4 in a given domain, an organisation must complete all practices in that level and its predecessor level(s) (C2M2, 2014). A rating of MIL0 means that MIL1 in a given domain has not been reached. To begin to manage cybersecurity, organisations must focus on implementing all the MIL1, MIL2, and MIL3 practices.
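The cumulative rule above (a domain earns MIL n only when every practice at levels 1 to n is complete, and MIL0 otherwise) is easy to get wrong in a spreadsheet, where a domain with many higher-level practices ticked can look more mature than it is. The following added example, which is not code from the thesis or from the C2M2 programme, scores a self-assessment per domain with the proposed MIL4 included. The domain names are from the list above; the practice identifiers and the responses are constructed placeholders, not the real C2M2 practice statements.

```python
from typing import Dict, Iterable, List

MIL_NAMES = {0: "Not Performed", 1: "Initiated", 2: "Performed",
             3: "Managed", 4: "Proposed MIL4 (security analytics / threat intelligence)"}

# Constructed practice inventory: each domain maps a level to the practices that belong to it.
# Identifiers are placeholders, not the real C2M2 practice text.
PRACTICES: Dict[str, Dict[int, List[str]]] = {
    "RM":  {1: ["RM-1a", "RM-1b"], 2: ["RM-2a", "RM-2b", "RM-2c"], 3: ["RM-3a", "RM-3b"], 4: ["RM-4a"]},
    "TVM": {1: ["TVM-1a", "TVM-1b"], 2: ["TVM-2a", "TVM-2b"], 3: ["TVM-3a"], 4: ["TVM-4a", "TVM-4b"]},
    "SA":  {1: ["SA-1a"], 2: ["SA-2a", "SA-2b"], 3: ["SA-3a"], 4: ["SA-4a"]},
}

# Constructed self-assessment responses: the practices each domain reported as complete.
RESPONSES: Dict[str, List[str]] = {
    "RM":  ["RM-1a", "RM-1b", "RM-2a", "RM-2b", "RM-2c", "RM-3a"],          # MIL3 incomplete
    "TVM": ["TVM-1a", "TVM-1b", "TVM-2a", "TVM-2b", "TVM-3a", "TVM-4a", "TVM-4b"],
    "SA":  ["SA-2a", "SA-2b", "SA-3a", "SA-4a"],                            # SA-1a missing
}


def domain_mil(practices_by_level: Dict[int, List[str]], completed: Iterable[str]) -> int:
    """Cumulative MIL for one domain: walk levels 1..4 in order and stop at the first
    level with an incomplete practice. All higher-level work then counts for nothing."""
    done = set(completed)
    level = 0
    for lvl in sorted(practices_by_level):
        if all(p in done for p in practices_by_level[lvl]):
            level = lvl
        else:
            break
    return level


def score_organisation(practices: Dict[str, Dict[int, List[str]]],
                       responses: Dict[str, List[str]]) -> Dict[str, int]:
    """MIL per domain; MILs are independent across domains, so scores may differ."""
    return {dom: domain_mil(levels, responses.get(dom, [])) for dom, levels in practices.items()}


def gap_to_target(practices_by_level: Dict[int, List[str]], completed: Iterable[str],
                  target: int) -> List[str]:
    """Practices still missing, lowest level first, to reach `target` under the cumulative rule."""
    done = set(completed)
    return [p for lvl in sorted(practices_by_level) if lvl <= target
            for p in practices_by_level[lvl] if p not in done]


if __name__ == "__main__":
    for dom, mil in score_organisation(PRACTICES, RESPONSES).items():
        print(f"{dom}: MIL{mil} {MIL_NAMES[mil]}; gap to MIL3: {gap_to_target(PRACTICES[dom], RESPONSES[dom], 3)}")
```

The SA domain in the constructed responses illustrates the rule the paragraph states: three higher-level practices are complete, but because one MIL1 practice is missing the domain is rated MIL0, and the gap list points at that single practice first.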
Cybersecurity Awareness Risk
Information Security Awareness Capability Model that links ISO/IEC 27002 security controls with awareness importance, capability, and risk is an important model to measure cybersecurity awareness risk (Poepjes, 2015). The awareness risk is calculated as:
AR = AI - AC
where AI = Awareness Importance, AC = Awareness Capability, and AR = Awareness Risk.
Awareness importance is the desired behaviour, awareness capability is the observed behaviour, and the gap between them is the awareness risk (Poepjes, 2015). The scores for the awareness importance were provided by industry professional groups (Poepjes, 2015). The instrument used to measure the risk awareness was based on the top 10 (of 39) information security awareness importance controls for the end-user stakeholder group (Poepjes, 2015).
Organizations that adopt ISO/IEC 27002 assess information risks and apply suitable security controls using the standard for guidance.
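The awareness-risk calculation above, carried through over a set of controls as an added example (not the instrument or the data of Poepjes, 2015, and not code from the thesis). The control names are illustrative and the 1-5 scores are constructed; scoring a control with no observed capability as 0, and clipping negative gaps when averaging, are assumptions made here so that a strong result on one control cannot hide a gap on another.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Constructed 1-5 scores for a few ISO/IEC 27002 control areas (illustrative names, made-up values).
AWARENESS_IMPORTANCE: Dict[str, int] = {
    "password management": 5, "phishing and social engineering": 5, "removable media": 4,
    "clear desk and screen": 3, "incident reporting": 4, "remote working": 4,
}
AWARENESS_CAPABILITY: Dict[str, int] = {
    "password management": 4, "phishing and social engineering": 2, "removable media": 3,
    "clear desk and screen": 3, "incident reporting": 1, "remote working": 4,
}


def awareness_risk(importance: Dict[str, int], capability: Dict[str, int]) -> Dict[str, int]:
    """AR = AI - AC for every control. A control with no observed capability scores 0 (assumption)."""
    return {control: importance[control] - capability.get(control, 0) for control in importance}


def ranked_risks(risks: Dict[str, int], threshold: int = 1) -> List[Tuple[str, int]]:
    """Controls whose gap meets the threshold, largest gap first, ties alphabetical."""
    return sorted(((c, r) for c, r in risks.items() if r >= threshold),
                  key=lambda cr: (-cr[1], cr[0]))


def overall_risk(risks: Dict[str, int]) -> float:
    """Mean gap across controls; negative gaps (capability above importance) are
    clipped to 0 so over-performance elsewhere does not mask a gap (assumption)."""
    return mean(max(0, r) for r in risks.values())


if __name__ == "__main__":
    risks = awareness_risk(AWARENESS_IMPORTANCE, AWARENESS_CAPABILITY)
    for control, gap in ranked_risks(risks):
        print(f"{control}: AR = {gap}")
    print(f"overall awareness risk: {overall_risk(risks):.2f}")
```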
Unified Extended Cyber Kill Chain and ICS Cyber Kill Chain
The railway is converging Information and Communication Technology (ICT) with Operational Technology (OT), so adversaries can compromise and gain control of a digital asset in the OT environment through the IT environment. For example, a data historian can be accessed within the OT environment (MITRE, 2020). Cyberattacks need to be detected in both environments. The Cyber Kill Chain (CKC) model is one of the most widely used models to detect cyberattacks in an ICT environment (Martin, 2009). The CKC model is focused on malware-based intrusions and APTs and can be applied in complex technical systems. It has been expanded and improved for use in Industrial Control Systems (ICS) (Assante and Lee, 2015) and in the detection of internal threats (Zhou et al., 2018). A combination of both types of kill chains can be applied in the railway as a unified extended cyber kill chain and an ICS cyber kill chain (Figure 2.7).
2.9.1. External cyber kill chain model
An initial CKC model was developed by Lockheed Martin (Martin, 2009; Cloppert, 2009). The seven stages of this model are:
• Reconnaissance: One of the most difficult stages to detect from a security monitoring perspective is the planning stage of the cyberattack. The adversary searches and gathers information about the target through social sites, conferences, blogs, mailing lists, and other network tracing tools. The collected information is useful in the later stages to deliver the payload (the actual intended message that performs the malicious action) to the target system.
Figure 2.7 Unified extended cyber kill chain and ICS cyber kill chain.
• Weaponize: The second stage of the model is the operation preparation stage. The weaponize stage involves coupling a Remote Access Trojan (RAT) with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer) (Hutchins et al., 2011). The detailed information related to RAT and an exploit is well explained by Yadav and Rao (2015). Commonly used cyber-weapons are botnet, Distributed Denial of service (DDOS), and malware. The cyberattack operation is based on the accuracy and amount of reconnaissance performed by the adversary during the first stage. Therefore, it is important to limit the exposure of publicly available information on the organisational profile.
• Delivery: The third stage of the model is the operation launch stage where an organisation can implement technology as a mitigating control (Velazquez, 2015). At this stage, the weapon is transmitted to the targeted environment. The three most frequently used delivery vectors for weaponized payloads by advanced persistent threat actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for 2004-2010, were email attachments, websites, and USB removable media (Hutchins et al., 2011). One of the first technologies that can be implemented at this stage is a Network Intrusion Detection System (NIDS).
• Exploitation: At this stage, the exploit is triggered to silently install/execute the delivered payload. The most common exploits target operating system, network, and application/software level vulnerabilities (Yadav and Rao, 2015). One of the most popular viruses, WannaCry, uses operating system exploits. One of the best mitigation technologies to increase the difficulty of the exploitation phase is patching. Therefore, security patches should be installed on all systems.
• Installation: This stage involves the installation of a back-door RAT that stays persistent inside the targeted environment. Techniques used by malware authors for installation include anti-debugger, anti-antivirus, rootkit and bootkit installation, targeted delivery, and host-based encrypted data exfiltration (Yadav and Rao, 2015).
• Command & Control (C2): After the successful installation of the back door, the adversary tries to open a two-way communication channel to enable the adversary to control the targeted environment remotely. Once the C2 channel is established, the adversary has “hands on the keyboard” access inside the targeted environment. The techniques used by malware authors to send and receive data to and from a victim machine have been discussed in the literature (e.g., Yadav and Rao, 2015).
• Act on Objective: This is the last stage of the model. In this stage, the adversary achieves the desired attack goals. These goals can be loss of confidentiality, integrity, or availability of the assets. According to Velazquez (2015), an APT threat actor may live in an organisation for years until detected.
2.9.2. Internal cyber kill chain
The internal cyber kill chain is part of the extended cyber kill chain and has almost the same steps as the external kill chain (Zhou et al., 2018). The internal cyber kill chain follows a series of steps to gain access to the Industrial Control System (ICS), go from workstations to servers using privilege escalation, move laterally within the network, and manipulate individual targeted machines (Zhou et al., 2018) (Figure 2.7). The stages of the internal cyber kill chain are the following.
• Internal Reconnaissance: This is the stage where the adversary has access to the individual user’s workstation and can discover information on its vulnerabilities.
• Internal Exploitation: This is the stage where the adversary exploits information and vulnerabilities within the internal network.
• Privilege Escalation: This is the stage where the adversary leverages the compromised accounts to gain a high level of privilege to modify security settings and configuration files and try to steal credentials (Zhou et al., 2018).
• Lateral Movement: This is the stage where the adversary moves from system to system to gain access to the restricted area of the compromised system to get critical data and sensitive information.
• Target Manipulation: This is the stage where the adversary attacks specific objectives (Zhou et al., 2018).
2.9.3. ICS cyber kill chain
After gaining knowledge from the corporate network (external cyber kill chain) and the ICS system (internal kill chain), the adversary starts developing a specific attack tool for the ICS system and validates it for reliable impact. After successful testing, the adversary delivers the tool, installs it, and executes the attack (Assante and Lee, 2015) (Figure 2.7). The following are the stages of the ICS cyber kill chain.
• Develop: This is the stage where the adversary begins with an attack tool based on ICS-specific vulnerability information (Assante and Lee, 2015; Zhou et al., 2018).
• Test: This is the stage where the adversary validates a specific attack tool for reliable impact.
• Deliver: This is the stage where the adversary delivers the attack tool to the ICS system.
• Install: This is the stage where the adversary installs the attack tool, such as malware or a Trojan, into the target ICS system.
• Execute: This is the stage where the adversary launches an attack on a specific production process to damage the physical equipment (Assante and Lee, 2015; Zhou et al., 2018).
Multistage Cyberattack in Railway SCADA System
Consider an example of how a cyberattack will propagate from an external network to an internal network and then to the Industrial Control System (ICS) system (in this case, the railway Supervisory Control and Data Acquisition (SCADA) system) (Figure 2.8).
Suppose an adversary searches and gathers information on the targeted railway system and then prepares a weapon (in the form of malware) to be delivered to this target system. After its successful delivery, it exploits the vulnerability within the system and installs it. The adversary then tries to open a two-way communication channel to control the targeted environment remotely. Once the C2 channel is established, the adversary has “hands on the keyboard” access inside the railway environment.
If the adversary’s goal is to reach the Information and Communication Technology (ICT) zone only, his/her actions can compromise the confidentiality, integrity, or availability (CIA) of an asset. But in the worst case, if the goal is to reach the Operational Technology (OT) zone, it can compromise the safety, reliability, or availability (SRA) of an asset within the railway, leading to limited or suspended operations, or even train accidents. Once the adversary moves inside the railway SCADA network, the adversary will start internal reconnaissance, including directory queries and network connectivity checks to search for available systems and map the internal network and vulnerabilities (e.g., scanning OT to find HMIs). Then the adversary exploits the vulnerabilities in internal systems.
After successful exploitation, the adversary leverages compromised accounts and trust relationships to gain a high level of privilege (e.g., accounts added to data history). The adversary enters through the compromised system into restricted network zones (e.g., HMI login attempts). To manipulate the SCADA system, for example, the adversary gains access to that system via new vulnerabilities. The adversary develops and tests a new platform-specific weapon (malware) to subvert the SCADA system and then deploys that malware in the SCADA system within the railway. Finally, the adversary executes a malicious command (e.g., a configuration change in a Programmable Logic Controller (PLC) or Remote Terminal Unit (RTU)) to damage the physical equipment. This will compromise the safety of the SCADA system and lead to severe damage such as train accidents, halting railway operation and maintenance.
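The unified kill chain (Sections 2.9.1 to 2.9.3) and the multistage SCADA scenario just described are, from a defender's side, a correlation problem: individual detections (a quarantined attachment, a directory query, a group-membership change, an HMI login burst, an out-of-window PLC write) are low-value on their own, but the same host walking through successive stages of the external, internal and ICS chains is the pattern that matters. The following added example, which is not code from the thesis, maps constructed detector names to chain stages, correlates them per host over constructed key=value log lines, and grades severity by the deepest stage reached. The detector names, log format and severity thresholds are assumptions; Develop and Test take place off the victim network, so no log event is mapped to them.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Unified stage order: external CKC, then internal CKC, then ICS CKC (Figure 2.7).
STAGE_ORDER: List[Tuple[str, str]] = [
    ("external", "reconnaissance"), ("external", "weaponize"), ("external", "delivery"),
    ("external", "exploitation"), ("external", "installation"), ("external", "c2"),
    ("external", "act_on_objective"),
    ("internal", "reconnaissance"), ("internal", "exploitation"),
    ("internal", "privilege_escalation"), ("internal", "lateral_movement"),
    ("internal", "target_manipulation"),
    ("ics", "develop"), ("ics", "test"), ("ics", "deliver"), ("ics", "install"), ("ics", "execute"),
]
STAGE_INDEX = {stage: i for i, stage in enumerate(STAGE_ORDER)}
C2_INDEX = STAGE_INDEX[("external", "c2")]
FIRST_ICS_INDEX = STAGE_INDEX[("ics", "develop")]

# Constructed detector names mapped to the stage they evidence (illustrative, not a real product's alerts).
EVENT_STAGE: Dict[str, Tuple[str, str]] = {
    "mail_attachment_quarantined": ("external", "delivery"),
    "nids_exploit_signature": ("external", "exploitation"),
    "new_service_registered": ("external", "installation"),
    "beacon_to_unknown_host": ("external", "c2"),
    "directory_enumeration": ("internal", "reconnaissance"),
    "ot_subnet_scan": ("internal", "reconnaissance"),
    "historian_admin_group_change": ("internal", "privilege_escalation"),
    "hmi_login_failure_burst": ("internal", "lateral_movement"),
    "unsigned_binary_on_engineering_ws": ("ics", "deliver"),
    "plc_config_write_outside_window": ("ics", "execute"),
}

# Constructed log lines (not real railway telemetry). ws-17 follows the scenario in the text;
# ws-22 only had an attachment quarantined plus an event the mapping does not know.
SAMPLE_LOG = [
    "2020-03-01T08:00:01 host=ws-17 event=mail_attachment_quarantined",
    "2020-03-01T08:02:10 host=ws-17 event=nids_exploit_signature",
    "2020-03-01T08:02:11 host=ws-17 event=new_service_registered",
    "2020-03-01T08:05:00 host=ws-17 event=beacon_to_unknown_host",
    "2020-03-01T09:10:00 host=ws-17 event=directory_enumeration",
    "2020-03-01T09:30:00 host=ws-17 event=ot_subnet_scan",
    "2020-03-01T10:00:00 host=ws-17 event=historian_admin_group_change",
    "2020-03-01T10:20:00 host=ws-17 event=hmi_login_failure_burst",
    "2020-03-01T11:00:00 host=ws-17 event=plc_config_write_outside_window",
    "2020-03-01T08:00:05 host=ws-22 event=mail_attachment_quarantined",
    "2020-03-01T08:00:09 host=ws-22 event=unknown_detector",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value line; malformed lines are skipped rather than crashing the correlator."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def correlate(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Per host, the ordered list of distinct chain stages evidenced by its events."""
    seen: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = EVENT_STAGE.get(rec["event"])
        if stage is None or stage in seen[rec["host"]]:
            continue
        seen[rec["host"]].append(stage)
    return dict(seen)


def severity(stages: List[Tuple[str, str]]) -> str:
    """Grade by deepest stage: anything in the ICS chain is critical; C2 or any internal
    stage is high (the adversary has hands-on access); earlier external stages are low."""
    deepest = max(STAGE_INDEX[s] for s in stages)
    if deepest >= FIRST_ICS_INDEX:
        return "critical"
    if deepest >= C2_INDEX:
        return "high"
    return "low"


def assess(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Summary per host: deepest stage, number of distinct stages, severity."""
    return {host: {"deepest": STAGE_ORDER[max(STAGE_INDEX[s] for s in stages)],
                   "stages": len(stages), "severity": severity(stages)}
            for host, stages in correlate(lines).items()}


if __name__ == "__main__":
    for host, summary in assess(SAMPLE_LOG).items():
        print(host, summary)
```

Grading on the deepest stage reached, rather than on any single event, is what lets the stage-6 (C2) and internal-chain detections escalate a host before the ICS Execute stage is ever seen; the PLC write in the sample is the last chance, not the first, to catch this chain.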
Figure 2.8 Multistage Cyberattack in Railway SCADA System.
Interdependencies within Infrastructures: Cyber Threat Scenario Example
The railway system is interdependent and interconnected with other infrastructure, so a failure in any other system will affect it. A cyberattack on one infrastructure is likely to cause a domino effect, in which infrastructures are damaged one after another (Menashri and Baram, 2015). For example, any type of cyberattack on the power supply or the ICT network could lead to power outages, compromise safety, affect operations and maintenance, and damage infrastructure. Figure 2.9 shows a cyber threat scenario where an adversary breaks into the ICT infrastructure and issues remote commands to start all connected loads.
Figure 2.9 Cyber threat scenario example.
This may lead to a sudden increase in the power demand. Because operators will be completely blinded during this cyberattack, they cannot intervene to start additional back-up generators. The disturbance propagates, making voltages drop below normal operating limits and leading to the immediate stoppage of several trains (Soupionis and Benoist, 2015).
RESEARCH METHODOLOGY / 23
CHAPTER 3. RESEARCH METHODOLOGY
This chapter describes the research design process followed in this thesis. The selection of the models is influenced by the theory given in Chapter 2.
3.1. Research Approach
Research is the art of scientific investigation to search for knowledge. Redman and Mory (1923) defined research as a “systematized effort to gain new knowledge”. Another way to define research is a scientific and systematic search for solutions to a specific problem (Kothari, 2011).
Research approaches can be broadly divided into three categories: qualitative research, quantitative research, and mixed research. Quantitative research is based on the measurement of quantity or amount; qualitative research is based on non-numerical data; mixed methods fall somewhere between the other two. A detailed explanation of these approaches appears in Creswell (2017). In addition, qualitative research often employs inductive reasoning, moving from specific observations to broader generalisations and theories, while quantitative research employs deductive reasoning, beginning with the general and ending with the specific. Arguments based on experience or observation are best expressed inductively, while arguments based on laws, rules, or other widely accepted principles are best expressed deductively (Soiferman, 2010).
This thesis uses both qualitative and quantitative research methods. The qualitative research is used to explore various cybersecurity issues and challenges, estimate cybersecurity maturity levels, and formulate a cybersecurity framework. The quantitative research is based on the simulation approach defined by Kothari (2011) and is used to assess the developed framework. In addition, this research has its origins in an industrial interest that represents a reality-based domain for which theories can be developed. The developed theories are verified by a deeper understanding of the studied domain through a review of the literature. Thus, this research follows both inductive and deductive approaches (i.e., an abductive approach).
Research can also be categorized as either applied (or action) research or fundamental (basic or pure) research. Applied research aims at solving a practical problem, whereas fundamental research is concerned with the formulation of a theory for future use (Kothari 2011).
The problems defined by this research are based on the needs and requirements of the railway. The research questions are based on the problems and on the findings from the literature review. The research objective is derived from the research questions and then verified. The cybersecurity maturity level of several railway organisations is estimated and used to provide recommendations and an action plan to attain higher maturity levels. Next, a holistic cybersecurity framework is developed. Since the research aims to solve a practical problem related to cybersecurity in an industry, the work is considered applied research.
3.2. Research Purpose
The purpose of research is to find answers to questions by applying scientific procedures (Kothari 2011). Depending on its purpose, research can be classified as exploratory, descriptive, or explanatory research.
• Exploratory Research: Exploratory research is an initial study undertaken to explore a new phenomenon or topic. It is particularly useful for identifying a problem and laying the groundwork for future studies. Qualitative methods such as literature reviews, interviews, etc. are often used in this type of research.
• Descriptive Research: Descriptive research helps to find answers to the questions of who, what, where, when, and how that are associated with the research problem. The purpose of this type of research is to answer the research questions more clearly. It can use quantitative, mixed, and qualitative research methods such as surveys, case studies, observational methods, etc.
• Explanatory Research: Explanatory research, also called causal research, is conducted using quantitative research methods such as statistical techniques, especially hypothesis testing, to identify cause-and-effect relationships. It addresses the question why.
The research methodology selected for this thesis is a combination of exploratory and descriptive approaches. In the initial stage, an exploratory research approach was used to identify existing frameworks and models for cybersecurity, to determine the existing cybersecurity issues and challenges, and to obtain new insights into the research field. First, the knowledge gained from the exploratory research was used to identify the research gaps and to formulate RQ1, RQ2 and RQ3. The exploratory research also provided the knowledge required to select and develop a pilot case study and to identify the data required. Second, a descriptive approach was used to collect data and to select various technologies, models, and standards. A descriptive approach was also used to determine how to estimate the cybersecurity maturity level, how to enable proactive cybersecurity, and how to develop a cybersecurity framework for railways.
Table 3.1 Research approaches used

Research Approach                                               Paper I   Paper II   Paper III   Paper IV
Quantitative (QTR) / Mixed (MR) / Qualitative (QLR)             QLR       QLR        QLR         MR
Exploratory (E) / Descriptive (D) / Explanatory or Causal (C)   E & D     E & D      E & D       E & D
3.3. Research Strategy
Yin (2017) defines five main research strategies: experiment, survey, archival analysis, history, and case study (Table 3.2). The choice of a research strategy depends on three conditions (Yin, 2017): the type of research question; the control of behavioural events; and a focus on contemporary events.
Table 3.2 Research strategies (Yin, 2017)

Research Strategy    Type of Research Question               Requires Control of Behavioural Events?   Focuses on Contemporary Events?
Experiment           How, Why                                Yes                                       Yes
Survey               Who, What, Where, How many, How much    No                                        Yes
Archival Analysis    Who, What, Where, How many, How much    No                                        Yes/No
History              How, Why                                No                                        No
Case Study           How, Why                                No                                        Yes
In this research RQ2 and RQ3 focus on 'how'; the possible strategies for this research could be experiment, history or case study. However, the experiment strategy cannot be applied since it requires control of behavioural events. Furthermore, the focus of the studied domain, i.e. cybersecurity in railway, highlights current and existing technologies, thus favouring contemporary events. Hence, according to the criteria given by Yin (2017), the most appropriate strategy to answer RQ 2 & RQ 3 is a case study (see Table 3.2).
RQ1 includes 'what' and is mainly explorative. According to Yin (2017), it is possible to use any strategy to answer this kind of explorative research question. Since a case study is an appropriate research strategy for RQ 2 and RQ 3, it may be helpful to apply the same strategy to RQ 1. Applying the same research strategy to answer all three RQs will help to coordinate the performed work, saving both time and effort (Karim, 2008).
3.4. Data Collection and Data Analysis
Data collection is a process of gathering information from sources to answer a question (Kothari 2011). Data can be categorised as primary or secondary data (Kothari 2011). Primary data refer to those data collected by the researcher for the purpose of study (Kothari 2011). Secondary data refer to those data collected by someone else before being used by the researcher (Kothari 2011). This research uses a case study strategy, so primary data comprise the majority of data collected. These data were collected through interviews and questionnaires. The secondary data were collected from the literature, technical reports, and standards.
• Literature Study: The review includes literature on different theories and practices used for cybersecurity in railway operation and maintenance. The relevant literature from journals, conference proceedings, theses, technical reports, and standards provided information on ongoing cybersecurity activities in the railway, statistics of cyberattacks within the railway, and estimates of applied cybersecurity capability maturity models. The literature study was also used to select models to detect cyberattacks. In addition, it helped in the formulation of a holistic cybersecurity framework to enable proactive cybersecurity in railway.
• Interviews: The objective of the interviews was to consider the opinions of the personnel and experts involved in railway cybersecurity to complement the literature review and data analysis. The outcomes of the literature review and the data analysis were the basis for the interviews. The main issues discussed in the interviews were practical ones, i.e., cybersecurity in railway operation and maintenance and interpretation of the results of the data analysis. The interviewees were involved in ongoing railway projects and were experienced practitioners in the field of cybersecurity. They also provided valuable and applicable documents.
• Questionnaire: A questionnaire is a structured framework consisting of a set of questions and scales designed to generate primary data (Hair, 2007). The thesis used Google Forms (an online survey tool) to develop and administer an online survey. A questionnaire of 312 questions based on the Cybersecurity Capability Maturity Model (C2M2) was prepared and sent to the participating railway organisations. The scales designed to generate primary data on cybersecurity are: not implemented, partially implemented, largely implemented, and fully implemented. Experienced practitioners in the field of cybersecurity answered the questionnaire.
Information is extracted through data analysis. In this research, data were analysed to estimate the cybersecurity maturity levels of the participating railway organisations and to predict the cyberattack penetration probabilities at each stage of the cyber kill chain model.
The cybersecurity data were analysed by using the Railway-Cybersecurity Capability Maturity Model, modified from C2M2 (see Chapter 4 ‘Results’) to reveal the cybersecurity maturity levels of the railway organisations. The results were communicated to the corresponding senior and top managers so they could set goals and priorities for enhanced cybersecurity.
The thesis simulated cyberattacks to analyse and calculate penetration probabilities at each stage of the cyber kill chain model. It defined four cases, presented in Chapter 4, ‘Results’.
3.5. Research Validity and Reliability
Research validity and reliability mean the research can be audited (Karvinen and Bennett, 2006). Brinberg and McGrath (1985) say validity, “like integrity, character, or quality, [should] be assessed relative to purposes and circumstances”. Reliability is the consistency of results obtained in research; i.e., “it should be possible for another researcher to replicate the original research using the same subjects and the same research design under the same conditions” (Gill and Johnson, 2002). Yin (2017) explains four tests for validity and reliability when using case study tactics: construct validity, internal validity, external validity, and reliability.
Construct validity establishes correct operational measures for a concept (Yin, 2017). Internal validity is for explanatory or causal studies, where relationships between variables are studied. Internal validity is not applicable to descriptive or exploratory studies. External validity establishes the domain to which a study’s findings can be generalised (Yin, 2017).
In this research the construct validity was strengthened by the use of multiple sources (e.g. data collection through interviews and documents) and reviewed by key informants. The external validity of the railway case study was strengthened using theories, but also through four case studies within the different railway organisations. Furthermore, to increase the reliability, the obtained results were documented using available information sources, e.g., digital databases. However, some of the data in this research were not published because of sensitivity concerns, and this limits the accessibility and repeatability for other researchers.
3.6. Research Process
The research process involves a series of steps necessary to carry out research (Kothari 2011). The research process of this thesis is illustrated in Figure 3.1. Exploratory research was used to formulate the research problem and identify the research gaps. The relevant literature from journals, conference proceedings, theses, technical reports, standards, and open access sources was reviewed. Based on the literature study during the exploratory process, RQ1, RQ2, and RQ3 and their corresponding objectives were formulated.
Exploratory and descriptive research was used to answer RQ1, RQ2, and RQ3 (see Section 3.2). Various kinds of literature on cybersecurity in various sectors were explored. A case study was conducted on railway organisations to collect data and evaluate their cybersecurity maturity levels. To select models, various cybersecurity maturity models and cyber kill chain models were explored and those best suited for the study were selected. The selected models, technologies, and standards contributed to the formulation of the cybersecurity framework, the main contribution of this thesis.
During the research process, the results of the conducted activities were disseminated in scientific journal and conference papers. Results were also compiled and summarised in this research thesis.
RESULTS / 29
CHAPTER 4. RESULTS
This chapter describes the results of the research on the three RQs. The major results of the thesis are: I) identification of cybersecurity issues and challenges in railway operation and maintenance; II) evaluation of cybersecurity maturity level in railways; III) development of Railway Defender Kill Chain to defend against cyberattacks; IV) development of cybersecurity framework to predict, prevent, detect, and respond to cyberattacks.
4.1. Results Related to RQ1
The first research question was: What are the cybersecurity issues & challenges and current level of cybersecurity maturity in railway organisations?
In order to answer RQ1, an extensive literature survey and case studies were conducted. The results from these studies are described in the following sub-sections.
4.1.1. Identification of Cybersecurity Issues and Challenges in Railway
The thesis identifies various cybersecurity issues and challenges in railway operation and maintenance, including malware attacks, weak identity and access management systems, Distributed Denial of Service (DDoS) attacks, interconnected infrastructures, communication gaps, and so on (see Paper I). It analyses 20 cyberattacks; the description of each type of cyberattack is provided in Paper I. The data show that malware attacks, cyber espionage/data theft attacks, and DDoS attacks account for 30%, 20%, and 15% of the attacks respectively. The other attacks constitute the remaining 35%. Malware is the dominant cyberattack among the 20 cyberattacks studied.
4.1.2. Cybersecurity Maturity Indicator Levels in Railway
This thesis extends the Cybersecurity Capability Maturity Model (C2M2) into the Railway-Cybersecurity Capability Maturity Model (R-C2M2) by adding a new Maturity Indicator Level called MIL4 (see Paper II). It covers initial practices of predictive security analytics and threat intelligence. Practices at MIL4 are more complete or advanced than those at MIL3. To attain MIL4, all the practices at MIL1, MIL2, MIL3, and MIL4 must be completed.
Cybersecurity Maturity Indicator Levels (MILs) for railway organisations (Railway 1, 2, and 3) are shown in the spider chart (Figure 4.1.1). In Railway 1, out of 10 domains, seven are at MIL1 (RM, TVM, SA, IR, EDM, WM, and CPM), one is at MIL2 (ACM), one is at MIL3 (IAM), and one is at MIL4 (ISC). Railway 2 has three domains at MIL4 (CPM, IAM, and ISC), four at MIL3 (RM, TVM, EDM, and WM), two at MIL2 (ACM and SA), and one at MIL1 (IR). All the domains of Railway 3 have attained MIL4, an excellent assessment result.
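The cumulative MIL rule described above (a level is attained only when every practice at that level and all lower levels is completed), worked as an added example that is not code from the thesis or Paper II. It assumes the four-point questionnaire scale, that "completed" means largely or fully implemented, and constructed practice identifiers and answers; none of these are survey data from the thesis.

```python
"""Domain MIL scoring for an R-C2M2 style questionnaire (added example).

Assumptions not stated on the page: a practice counts as completed when it
is largely or fully implemented, and a domain attains MIL L only if every
practice defined at levels 1..L is completed (the rule given for MIL4,
applied to every level).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Implementation(IntEnum):
    """The four-point scale used in the questionnaire."""
    NOT_IMPLEMENTED = 0
    PARTIALLY_IMPLEMENTED = 1
    LARGELY_IMPLEMENTED = 2
    FULLY_IMPLEMENTED = 3


# Assumption: "completed" means largely or fully implemented.
COMPLETED_THRESHOLD = Implementation.LARGELY_IMPLEMENTED
MAX_MIL = 4  # R-C2M2 adds MIL4 to the three C2M2 levels


@dataclass(frozen=True)
class PracticeResponse:
    practice_id: str      # constructed identifier, e.g. "RM-1a"
    mil: int              # level at which the practice is defined, 1..4
    answer: Implementation


def domain_mil(responses: List[PracticeResponse]) -> int:
    """Return the MIL attained by one domain (0 if even MIL1 is incomplete).

    Scanning upward and stopping at the first level that has an uncompleted
    practice implements the cumulative rule: completed practices at a
    higher level do not count until every lower level is complete.
    """
    if not responses:
        raise ValueError("a domain needs at least one practice response")
    for r in responses:
        if not 1 <= r.mil <= MAX_MIL:
            raise ValueError(f"{r.practice_id}: MIL must be 1..{MAX_MIL}")
    attained = 0
    for level in range(1, MAX_MIL + 1):
        at_level = [r for r in responses if r.mil == level]
        if any(r.answer < COMPLETED_THRESHOLD for r in at_level):
            break
        attained = level
    return attained


def incomplete_practices(responses: List[PracticeResponse],
                         target_mil: int) -> List[str]:
    """Practices that block the domain from reaching target_mil; this is the
    kind of gap list that is reported back to an organisation."""
    return sorted(r.practice_id for r in responses
                  if r.mil <= target_mil and r.answer < COMPLETED_THRESHOLD)


def assess(domains: Dict[str, List[PracticeResponse]]) -> Dict[str, int]:
    """MIL per domain, the data behind a spider chart like Figure 4.1.1."""
    return {name: domain_mil(rs) for name, rs in domains.items()}


# Constructed sample answers for two domains (not data from the thesis).
SAMPLE_RESPONSES: Dict[str, List[PracticeResponse]] = {
    "RM": [
        PracticeResponse("RM-1a", 1, Implementation.FULLY_IMPLEMENTED),
        PracticeResponse("RM-1b", 1, Implementation.LARGELY_IMPLEMENTED),
        PracticeResponse("RM-2a", 2, Implementation.PARTIALLY_IMPLEMENTED),
        PracticeResponse("RM-2b", 2, Implementation.FULLY_IMPLEMENTED),
        PracticeResponse("RM-3a", 3, Implementation.FULLY_IMPLEMENTED),
        PracticeResponse("RM-4a", 4, Implementation.NOT_IMPLEMENTED),
    ],
    "ISC": [
        PracticeResponse("ISC-1a", 1, Implementation.FULLY_IMPLEMENTED),
        PracticeResponse("ISC-2a", 2, Implementation.LARGELY_IMPLEMENTED),
        PracticeResponse("ISC-3a", 3, Implementation.FULLY_IMPLEMENTED),
        PracticeResponse("ISC-4a", 4, Implementation.LARGELY_IMPLEMENTED),
    ],
}

if __name__ == "__main__":
    for name, mil in assess(SAMPLE_RESPONSES).items():
        gaps = incomplete_practices(SAMPLE_RESPONSES[name], MAX_MIL)
        print(f"{name}: MIL{mil}, gaps to MIL{MAX_MIL}: {gaps or 'none'}")
```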
Figure 4.1.1 Maturity level results in railway organisations (see Paper II).
The results in Figure 4.1.1 show that all three railways have attained MIL4 in the ISC domain. This indicates that they are sharing threat intelligence with internal and external bodies, resulting in a decrease in cyber risks and an increase in operational resilience. The detailed results of the practices in each domain of Railway 1, 2, and 3 are in Paper II.
The research also measures the cybersecurity awareness risk of railway organisations based on the Information Security Awareness Capability Model (see Chapter 2, ‘Theories and Basic Concepts’). The roles involved were IT Infrastructure Architect, Project Manager, Track Specialist, and Data Scientist. Table 4.1.1 shows a heat map that represents the level of cybersecurity awareness risk in railways.
Table 4.1.1 Measurement of awareness risk in railway organisations (AI = Awareness Importance; AR = Awareness Risk for the given role)

ISO/IEC 27002 Security Control Clauses      Control objectives                                      AI     AR IT architect   AR Project Manager   AR Track Specialist   AR Data Scientist
Access Control                              User responsibilities                                   5.81   -1.19             0.81                 5.13                  1.31
Information Security Incident Management    Reporting information security events and weaknesses   6.13   -0.87             0.63                 1.63                  1.63
Access Control                              Mobile computing and teleworking                        6.24   -0.76             0.74                 1.74                  0.74
Communications security                     Information transfer                                    5.77   -1.23            -1.23                -0.23                 -0.23
Asset Management                            Media handling                                          6.17   -0.83            -0.83                -0.83                  3.17
Asset Management                            Information classification                              5.53   -1.47            -1.47                -1.47                  0.53
Access Control                              Business requirements for access control                5.68   -1.32            -1.32                 1.18                  5.68
Compliance                                  Compliance with legal requirements                      5.6     2.1             -1.4                  1.1                   5.6
Asset Management                            Responsibility for assets                               5.56   -1.44            -1.44                 4.06                  5.56
Physical & Environmental Security           Equipment security                                      5.74   -1.26            -1.26                -0.26                  5.74
[Figure 4.1.1 spider chart: axis 0 to 4 (MIL); domains Risk Management (RM), Asset, Change, and Configuration Management (ACM), Identity and Access Management (IAM), Threat and Vulnerability Management (TVM), Situational Awareness (SA), Information Sharing and Communications (ISC), Event and Incident Response, Continuity of Operations (IR), Supply Chain and External Dependencies Management (EDM), Workforce Management (WM), Cybersecurity Program Management (CPM); series Railway 1, Railway 2, Railway 3. Table 4.1.1 heat-map legend: Safe to Risk.]
The scores for the Awareness Importance (AI) were provided by industry professional groups. The IT Infrastructure Architect has the greatest awareness capabilities, more than the Project Manager, Track Specialist, or Data Scientist. The Project Manager shows risk in the Access Control and Information Security Incident Management security controls. The Track Specialist shows risk in Access Control and Asset Management. The Data Scientist shows elevated risk levels in Access Control, Compliance, and Asset Management. Overall, the railway workforce needs to be more aware of cybersecurity risk.
4.2. Results Related to RQ2
The second research question was: How can proactive cybersecurity measures be enabled in operation and maintenance of railway systems?
In order to answer RQ2, an extensive literature survey and analysis were conducted. The results from these studies are described in the following sub-sections.
4.2.1. Multi-level Cyberattack Model
This thesis proposes a multi-level cyberattack model (Figure 4.2.1), based on cyberattack sources, actors, actions, goals, and impacts (see Chapter 2, ‘Theories and Basic Concepts’).
Figure 4.2.1 Multi-level cyberattack model (See Chapter 2, ‘Theories and Basic Concepts’)
The proposed model will assist railways in understanding the characteristics of cyberattacks and creating security strategy. This will be beneficial for cybersecurity risk assessment using cause-effect analysis and will help determine the severity of a cyberattack. The proposed model can enable proactive cybersecurity in railway operation and maintenance by identifying cyberattacks before their occurrence.
To justify the structure of this proposed model, different types of cyberattacks (Table 4.2.1) with railway eMaintenance data have been placed in this model (see Other Paper 3).
Table 4.2.1 Cyber-attacks linked to source, actor, intention, and compromised security element

Cyberattacks                                                                                   Source                 Actor              Action          Security element
Snooping and shoulder surfing                                                                  Internal or External   Human              Malicious       Confidentiality
Modification and masquerading                                                                  Internal or External   Human              Malicious       Integrity
Denial of service attacks                                                                      Internal or External   Human              Malicious       Availability
Data entry errors and omissions                                                                Internal               Human              Non-malicious   Integrity
Jamming (telecomm)                                                                             Internal or External   Technological      Non-malicious   Availability
Faults in power supply and data networks                                                       Internal               Technological      Non-malicious   Availability
Earthquakes, hurricanes, wind, flood, tsunami, fire, lightning, animals, and wildlife           External               Natural disaster   Non-malicious   Availability
Malware, ransomware                                                                            Internal or External   Human              Malicious       Availability
The unauthorized account added to data historian                                               Internal or External   Human              Malicious       Reliability
Configuration change in Programmable Logic Controller (PLC) or Remote Terminal Unit (RTU) in SCADA system   Internal or External   Human   Malicious   Safety
4.2.2. Railway Defender Kill Chain
This thesis proposes a Railway Defender Kill Chain (RDKC) to defend against cyberattacks across the 17 stages obtained by unifying an extended Cyber Kill Chain (CKC) and an Industrial Control System (ICS) cyber kill chain. The core of the RDKC is the RDKC matrix (see Paper III). The thesis identifies various cyberattack scenarios in railway operation and maintenance; the proposed RDKC matrix can help minimise the risk of these identified cyberattacks (see Paper III).
The thesis also proposes a taxonomy of cybersecurity strategies (Figure 4.2.2) with three levels: cybersecurity strategies, courses of action, and RDKC matrix.
The courses of action (see Paper III) are grouped into four strategies: predictive, proactive, reactive, and active. The following section provides a summary of the four strategies.
A reactive strategy begins with an incident. It involves the initiation of an incident response plan, an operations continuity plan, and a disaster recovery plan to respond to and recover from breaches, along with forensics for legal evidence. The courses of action used in the reactive strategy are: response and recovery.
An active strategy involves the gathering of intelligence to thwart cyberattacks based on experience, knowledge, and internal and external real-time information. The courses of action used in an active strategy are: deny, disrupt, degrade, deceive, and destroy. Active strategies act in parallel with other strategies.
A proactive strategy begins with the detection of threats before their occurrence. This involves the use of threat intelligence to proactively identify high-risk and weak areas. The strategy is implemented along with an active strategy and a defence-in-depth approach to take proactive defensive measures. For example, a honeypot can be used to lure the attacker into a valueless network in order to identify and act against zero-day exploits. The courses of action used in the proactive strategy are: protect, detect, and prevent.
A predictive strategy can detect abnormalities in traffic flow and data, sounding the alarm for a security threat before its occurrence. It involves the ability to predict and recover quickly from adversities using security solutions such as user behaviour analytics, network behaviour analytics, pattern log, machine learning, AI and self-learning, and self-healing. The course of action in the predictive strategy is predict.
The proposed taxonomy can be a quick reference guide to mitigate cyber threats. This quick reference guide, along with the proposed multi-level cyberattack model, can act as threat intelligence and help railways act proactively to implement the right defensive strategy.
Figure 4.2.2 Proposed taxonomy of cybersecurity strategies along with RDKC Matrix
4.3. Results Related to RQ3
The third research question was: How can a cybersecurity framework be developed and how can it enhance cybersecurity resilience in digitalised railway?
In order to answer RQ3, an extensive literature survey and analysis were conducted. The results from these studies are described in the following sub-sections.
4.3.1. Proposed Cybersecurity Framework for Railway
Digitalisation in railways requires a cybersecurity framework that facilitates proactive cybersecurity in operation and maintenance. This thesis develops a framework that can be used to predict, prevent, detect, and respond to cyberattacks that have a significant impact on railway operation and maintenance (see Papers III and IV).
The proposed Cybersecurity Information Delivery Framework integrates existing models, technologies, and standards to enable proactive cybersecurity in railways. The framework maps the different layers of the Open System Architecture for Condition-Based Maintenance (OSA-CBM) to the cybersecurity context in order to deliver threat intelligence (see Paper III). It implements an extended Cyber Kill Chain (CKC) and an Industrial Control System (ICS) kill chain to detect cyberattacks. The framework also incorporates the proposed Railway Defender Kill Chain (RDKC), which enables proactive cybersecurity and thereby increases situational awareness capabilities ahead of time.
The framework consists of four parts: a) Data Sources and Technologies, b) Railway Cybersecurity OSA-CBM, c) Cyber Kill Chains, and d) Railway Defender Kill Chain (RDKC). To capture the dynamically changing trend of cyber events, a vast amount of data is collected via network traffic, threat intelligence, and historical cyber event logs from the data sources shown in Figure 4.3.1. To assess cyberattacks within the railway system, criticality analysis techniques such as a risk matrix can be applied.
To predict these attacks, data analysis techniques (e.g., machine learning, data mining, etc.) and the proposed cyberattack model can be applied to facilitate proactive cybersecurity. The cyber kill chains show the adversary’s behaviour (see Papers III and IV), while RDKC maps each step of the adversary and provides defensive controls to break the attack chain (see Paper III).
Figure 4.3.1 Cybersecurity Information Delivery Framework (see Paper III)
4.3.2. Framework Assessment
To assess the proposed cybersecurity framework, cyberattack penetration probabilities are calculated at each stage of the Cyber Kill Chain (CKC) model. The assessment is based on a model and simulation approach. The simulation approach starts by defining model parameters and assumptions. Four simulation cases are presented in Figure 4.3.2, and a detailed explanation is provided in Paper IV.
Figure 4.3.2. Simulation cases (see Paper IV)
The Detection Mechanism case simulates the cyberattack penetration probabilities at all seven stages of the CKC with and without a pre-filtering mechanism. The Variable Controls case simulates the cyberattack penetration probabilities at all seven stages when the security controls at the third, fourth and fifth stages have variable probabilities. The Equalizer case estimates the impact of changing security controls on the last-stage penetration. The Learning Curve case is a feedback learning criterion that simulates the penetration probabilities after assessing the cyber incidents and then improving the security controls to minimise the risk of cyberattacks in future (see Paper IV). The results of some simulation cases are presented in Figures 4.3.3 to 4.3.5. Figure 4.3.3 shows the cyberattack penetration probabilities at each stage of the cyber kill chain with and without pre-filtering. The red lines show penetration probabilities without filtering, and the green lines show penetration probabilities with filtering.
Figure 4.3.3 Penetration probabilities at each stage of CKC with and without pre-filtering (see, Paper IV).
[Figure 4.3.2 panel labels: Simulation Cases: Detection Mechanism, Variable Controls, Equalizer, Learning Curve]
The thesis considers the effect of security controls on the cyberattack penetration probability. It considers three cases of security controls’ probability at the third, fourth, and fifth stages of the CKC, i.e., 20% - 25%, 26% - 30%, and 31% - 35%. Figure 4.3.4 shows cyberattack penetration probabilities when three variable cases of security controls are applied. With an increase in probability of security control from 20% - 25% to 26% - 30%, there is a decrease in cyberattack penetration probability from 0.02502 to 0.01794. Similarly, when the probability of security control increases from 26% - 30% to 31% - 35%, the cyberattack penetration probability decreases from 0.01794 to 0.008265.
Figure 4.3.4 Penetration probabilities at each stage of the cyber kill chain (see Paper IV).
A learning curve can be used to evaluate the penetration of the cyberattack at the last stage and update the security controls to enable proactive cybersecurity. Figure 4.3.5 shows the learning curve results; i.e., attack penetrations decrease (shown with green lines) when security controls are updated from 20% - 25% to 26% - 30% and then to 31% - 35%.
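The four simulation cases of Section 4.3.2 (pre-filtering, variable controls at stages 3 to 5, equalizer, learning curve), carried through as an added example that is not the thesis's or Paper IV's simulation code. It assumes a simple model the page does not specify: an attack survives stage j with probability (1 - c_j), where c_j is the probability that the security control at that stage stops it, stage penetration probabilities are the cumulative product, and a pre-filter blocks a fraction of attacks before stage 1; the 10% baseline controls are constructed, and the Paper IV figures quoted in the text are not reproduced.

```python
"""Cyber kill chain penetration-probability simulation (added example).

Model assumptions (not from the page): independent per-stage controls,
multiplicative survival, an optional pre-filter ahead of stage 1. The
Variable Controls bands are the three ranges quoted in the text.
"""
import random
from typing import List, Sequence, Tuple

CKC_STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Security-control probability bands for CKC stages 3, 4 and 5 (from the text).
CONTROL_BANDS = [(0.20, 0.25), (0.26, 0.30), (0.31, 0.35)]
VARIABLE_STAGES = (2, 3, 4)  # 0-based indices of CKC stages 3, 4, 5


def penetration_curve(controls: Sequence[float], prefilter: float = 0.0) -> List[float]:
    """P(attack gets past stage i) for i = 1..7 (Detection Mechanism case
    when prefilter > 0: the pre-filter blocks that fraction before stage 1)."""
    if len(controls) != len(CKC_STAGES):
        raise ValueError("one control probability per CKC stage")
    for c in (*controls, prefilter):
        if not 0.0 <= c <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    curve, survive = [], 1.0 - prefilter
    for c in controls:
        survive *= 1.0 - c        # the attack must evade this stage's control
        curve.append(survive)
    return curve


def expected_last_stage(base: Sequence[float], band: Tuple[float, float],
                        stages=VARIABLE_STAGES) -> float:
    """Variable Controls case, closed form: with controls drawn uniformly
    from `band`, the expected survival at such a stage is 1 - mean(band)."""
    controls = list(base)
    for s in stages:
        controls[s] = (band[0] + band[1]) / 2
    return penetration_curve(controls)[-1]


def simulate_variable_controls(base: Sequence[float], band: Tuple[float, float],
                               stages=VARIABLE_STAGES, trials: int = 20000,
                               seed: int = 1) -> float:
    """Variable Controls case by Monte Carlo: each trial draws the stage 3-5
    controls from `band`, then the attack either survives every stage or not."""
    rng = random.Random(seed)
    reached = 0
    for _ in range(trials):
        controls = list(base)
        for s in stages:
            controls[s] = rng.uniform(*band)
        if all(rng.random() >= c for c in controls):
            reached += 1
    return reached / trials


def equalizer(base: Sequence[float], stage: int, delta: float) -> float:
    """Equalizer case (simplified): reduction in last-stage penetration when
    the control at one stage is strengthened by `delta`."""
    before = penetration_curve(base)[-1]
    improved = list(base)
    improved[stage] = min(1.0, improved[stage] + delta)
    return before - penetration_curve(improved)[-1]


def learning_curve(base: Sequence[float], bands=CONTROL_BANDS) -> List[float]:
    """Learning Curve case: after each assessment round the stage 3-5 controls
    are raised to the next band; returns last-stage penetration per round."""
    return [expected_last_stage(base, band) for band in bands]


# Constructed baseline (not Paper IV data): 10% effective control at every stage.
BASELINE = [0.10] * len(CKC_STAGES)

if __name__ == "__main__":
    for stage, p, q in zip(CKC_STAGES, penetration_curve(BASELINE),
                           penetration_curve(BASELINE, prefilter=0.5)):
        print(f"{stage:24s} no filter {p:.4f}  with filter {q:.4f}")
    print("learning curve:", [round(x, 4) for x in learning_curve(BASELINE)])
```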
Figure 4.3.5 Learning curve (see, Paper IV).
The thesis also develops a cybersecurity demonstrator (available at http://emaint-cbap.azurewebsites.net/Default) to predict cyberattack penetration probabilities at each stage of the CKC model. This demonstrator can be used to compare the existing and predicted systems.
Data in this demonstrator are assumed based on literature survey. The demonstrator can be used in railways to predict future penetrations based on real cybersecurity data.
DISCUSSIONS / 41
CHAPTER 5. DISCUSSIONS
This chapter discusses the results and findings of the conducted research work.
5.1. Discussion of Results Related to RQ1
Cyberattacks are growing in railways because of digital transformation. Information and Communication Technology (ICT) and Operational Technology (OT) vulnerabilities allow railway data (e.g., signalling data, operation and maintenance data, data historian, etc.) to be stolen or altered in order to disrupt railway operations and maintenance. These attacks try to interrupt, block, or damage the transmission of useful railway information for eMaintenance systems, signalling systems, and other railway infrastructure.
This thesis research has concentrated on cybersecurity in railway operation and maintenance, i.e., the utilisation phase of the system’s life cycle. Several European railway organisations participated in the research activities, including data collection, analysis, and assessment.
It is important to mention that in the transportation sector about 56% of attacks are undisclosed because of possible reputational damage. There is a need to share cybersecurity information to increase workforce awareness of cyberattacks. The lack of cybersecurity education in the workforce is becoming even more problematic with the adoption of IoT (Internet of Things) and other smart devices, as these can expose organisations and individuals to new threats with major consequences. It is critical to ensure that the workforce of railway organisations using ICT-based operation and maintenance is vigilant, fully aware of new and advanced cyberattacks, and trained in cybersecurity hygiene. To estimate cybersecurity awareness in railways, this thesis implements an Information Security Awareness Capability Model (ISACM). A positive score for risk awareness indicates an undesirable level of risk. The identified risks have been communicated to the corresponding railway organisations for future improvements.
This thesis assesses the cybersecurity maturity level of European railway organisations. The identities of the railway organisations are kept confidential because of the sensitivity of the cybersecurity data. All domains of the railway organisations have reached the initial maturity level 1, but some railways are far from attaining MIL4 in all domains. This assessment will help these railway organisations understand the gaps and reach higher MILs. After the results were analysed, a detailed summary of the identified gaps was communicated to the respective railway organisations, so they could visualise their current level of maturity and take steps to fill the gaps in their cybersecurity programs.
Other railway organisations were contacted but did not participate in the research because they had the perception that by sharing cybersecurity data, they risked future cyberattacks. However, if all railway organisations shared their cybersecurity data, their cybersecurity capabilities could be evaluated more precisely. There is a need to communicate and unite to tackle the problem of cybersecurity, one of the biggest challenges to railways, especially as critical infrastructure (CI).
5.2. Discussion of Results Related to RQ2
To become proactive in cybersecurity there is a need to identify cyber threats before an attack. This can be achieved by sharing internal and external threat intelligence and modelling cyberattacks based on their characteristics and impacts. The proposed multi-level cyberattack model (see Chapter 4, ‘Results’) can help railways in their cyberattack modelling to proactively identify cyberattack characteristics (source, actor, action, and goal) and impacts.
The proposed multi-level cyberattack model considers almost every aspect from the adversary's point of view, including the potential impact. Based on the impacts, security controls from the proposed Railway Defender Kill Chain (RDKC) matrix (see Chapter 4, 'Results') can be selected to minimise the risk of these cyberattacks.
Many security controls are applicable to digitalised sectors, but these need to be tailored and adapted to the context of a defender's behaviour (tactics). The proposed RDKC matrix adapts available security controls in the form of a matrix. In the matrix, nine defender tactics (Predict, Prevent, Detect, Response and Recovery, Deny, Disrupt, Degrade, Deceive, and Destroy) appear as columns, and 17 stages of the Cyber Kill Chain (CKC) model appear as rows (see Chapter 4, 'Results'). The defender's tactics are aggregated to create a taxonomy of cybersecurity strategies with three levels (see Chapter 4, 'Results'). With this method, cybersecurity strategies evolve from reactive to proactive to predictive. To be more resilient, there is a need to prepare and to develop predictive strategies. The proposed RDKC matrix includes Predict as a defensive tactic and proposes security controls for each stage of the CKC model (see Chapter 4, 'Results').
5.3. Discussion of Results Related to RQ3
To keep pace with the rapid increase in cyberattacks, railway operators need to shift from legacy reactive measures to proactive security analytics. Cyber threat intelligence sharing with partners and other railway organisations is the key component of success: by sharing cybersecurity information, railway organisations gain a more complete understanding of the threat landscape and increase their situational awareness. Proactive cybersecurity therefore requires continuous threat intelligence from internal and external sources, and this is the main component of the proposed cybersecurity framework. The framework integrates existing technologies, standards, and models to enable proactive cybersecurity and minimise the risk of cyberattacks in the railway (see Chapter 4, 'Results'), which further enhances the availability of the railway system. The proposed framework delivers cybersecurity information from a technological point of view.
This research uses simulation to assess the proposed framework by predicting cyberattack penetration probabilities at each stage of the Cyber Kill Chain (see Chapter 4, 'Results'). With the results of the assessment, security controls can be improved to reduce the risk of future cyberattacks. The cybersecurity demonstrator can also help railways predict the probability of cyberattacks on their Information and Communication Technology (ICT) infrastructure.
CONCLUSIONS / 45
CHAPTER 6. CONCLUSIONS
This chapter draws important conclusions from the results of the research study.
The purpose of the research was to develop a holistic cybersecurity framework for the digitalised railway to enable proactive cybersecurity. The framework aims to enhance the railway's cybersecurity maturity level and to deliver threat intelligence to effectively predict, prevent, detect, and respond to cyber threats. To achieve the overall objective, the thesis included several research activities and case studies. The following insights are based on the results of the data analysis.
Firstly, it can be concluded that digitalisation in railway operation and maintenance provides such benefits as sustainability, availability, reliability, maintainability, capacity, safety, and security including cybersecurity. Yet railway stakeholders are facing challenges in the digitalisation of the railways.
Secondly, the concept of information assurance, a concept that also deals with aspects of cybersecurity, is receiving significant attention in railway digitalisation. However, the cybersecurity maturity level varies for different railway organisations.
Thirdly, the railway system (infrastructure and rolling stock) is a complex technical system consisting of many items with long lifecycles. It should be studied as a complex technical system with a vast number of stakeholders, for which cybersecurity is a crucial consideration. Therefore, it can be concluded that dealing with cybersecurity requires a holistic approach that considers the railway system's whole lifecycle, as well as any changes in its configuration.
Finally, it can be concluded that there is a need for a generic cybersecurity framework for the digitalised railway to facilitate proactive cybersecurity and threat intelligence sharing. The proposed framework was developed by integrating Open System Architecture for Condition-Based Maintenance (OSA-CBM), technologies at different stages of OSA-CBM, and cyber kill chain models.
CONTRIBUTIONS / 47
CHAPTER 7. CONTRIBUTIONS
This chapter summarizes the contributions of the conducted research study.
This work was conducted in the domain of operation and maintenance related to railway. The focus of the work was on the provision of insights and artefacts to improve the availability of railway systems through enhanced cybersecurity implemented via eMaintenance solutions. The major contributions of the work are the following:
A. Identification of cybersecurity issues and challenges – The research contributes by identifying various cybersecurity issues and challenges in railway operation and maintenance through an extensive state-of-the-art review.
B. Cybersecurity maturity level – The research contributes to information assurance by estimating the existing cybersecurity maturity levels in railway organisations. The estimation can be used to make recommendations for necessary actions to improve the overall system availability of railway.
C. A cybersecurity framework – The work proposes a proactive approach to railway cybersecurity. It formulates a holistic cybersecurity framework to facilitate proactive cybersecurity and enhance cybersecurity resilience. The framework facilitates threat intelligence sharing by railway organisations so they can remain updated on the latest cyber threats.
The overall contribution of the research is that it begins to close the gap between academia and practitioners in the railway industry. It will help railways implement solutions developed in a more scientific way to enhance overall dependability.
FUTURE RESEARCH / 49
CHAPTER 8. FUTURE RESEARCH
This chapter suggests how the present research can be extended in future work.
To improve cybersecurity in railway and provide appropriate tools and approaches to improve resilience and increase the availability performance of the system, the following topics are proposed for future research:
A. The research can be extended to evaluate the cybersecurity maturity level of other railway organisations around the world. This will facilitate the development of a global generic cybersecurity framework for the digital railway.
B. The research can be extended to the design phase of railway systems, with more focus on a security-by-design approach to minimise the vulnerability of systems to cyberattacks. This can be informed by identifying vulnerabilities in existing railway systems that were not designed using a security-by-design approach.
C. The research can be extended to identify cyber threats, the vulnerabilities they exploit and their impacts, and to suggest countermeasures. This can be achieved by using the ISA/IEC 62443 standard for cybersecurity risk assessment in an Industrial Control System (ICS). Future research can be initiated by:
• identifying the system of interest and the various assets within that system
• identifying the vulnerabilities of the identified assets
• developing threat scenarios that could affect those assets. This can lead to the development of a prescriptive approach implemented via eMaintenance solutions that can analyse cyber threat scenarios for the railway assets of interest and come up with specialised recommendations and corresponding outcomes to reduce operational cybersecurity risks.
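As an added example of the three steps just listed, not code from the thesis, the following Python sketches an initial cyber risk assessment in the step order of ISA/IEC 62443-3-2: define the system under consideration, inventory its assets grouped into zones, record their vulnerabilities, develop threat scenarios, rate likelihood and impact, compare with the tolerable risk and derive a target security level (SL-T) per zone. The 1 to 5 rating scales, the tolerable-risk threshold, the mapping from risk to SL-T, and every asset, vulnerability and scenario below are constructed assumptions; the standard leaves scales and thresholds to the organisation. The validation step (a scenario must name a vulnerability actually recorded on its asset) is the check that keeps the scenario list tied to the asset inventory.

```python
"""Initial cyber risk assessment sketch in the step order of ISA/IEC 62443-3-2.

Added illustration, not code from the thesis. The 1..5 scales, the tolerable-risk
threshold, the risk-to-SL-T mapping and all assets, vulnerabilities and scenarios
are constructed assumptions for a railway eMaintenance chain.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    vulnerabilities: Tuple[str, ...]


@dataclass(frozen=True)
class ThreatScenario:
    description: str
    asset: str          # name of the targeted asset
    vulnerability: str  # vulnerability exploited; must be recorded on that asset
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe, e.g. safety-related)


TOLERABLE_RISK = 6  # assumed: likelihood x impact above this needs treatment

# Constructed system under consideration (step 1: system of interest and its assets).
ASSETS = [
    Asset("wayside-sensor-gateway", "Wayside",
          ("default credentials", "unencrypted telemetry")),
    Asset("emaintenance-historian", "Enterprise", ("unpatched web server",)),
    Asset("interlocking-controller", "Signalling",
          ("unauthenticated legacy serial protocol",)),
]

# Constructed threat scenarios (step 3), each tied to a recorded vulnerability (step 2).
SCENARIOS = [
    ThreatScenario("Tamper with wheel-condition telemetry to hide a defect",
                   "wayside-sensor-gateway", "unencrypted telemetry",
                   likelihood=3, impact=4),
    ThreatScenario("Ransomware encrypts the maintenance data historian",
                   "emaintenance-historian", "unpatched web server",
                   likelihood=4, impact=2),
    ThreatScenario("Spoofed commands to the interlocking",
                   "interlocking-controller", "unauthenticated legacy serial protocol",
                   likelihood=3, impact=5),
]


def risk_score(scenario: ThreatScenario) -> int:
    """Likelihood x impact on the assumed 1..5 scales."""
    if not (1 <= scenario.likelihood <= 5 and 1 <= scenario.impact <= 5):
        raise ValueError("likelihood and impact must be rated 1..5")
    return scenario.likelihood * scenario.impact


def assess(assets: Sequence[Asset],
           scenarios: Sequence[ThreatScenario]) -> List[Tuple[ThreatScenario, int, bool]]:
    """Validate each scenario against the inventory; return (scenario, risk, needs_treatment)."""
    by_name = {a.name: a for a in assets}
    results = []
    for s in scenarios:
        asset = by_name.get(s.asset)
        if asset is None:
            raise ValueError(f"scenario targets unknown asset {s.asset!r}")
        if s.vulnerability not in asset.vulnerabilities:
            raise ValueError(f"{s.asset!r} has no recorded vulnerability {s.vulnerability!r}")
        risk = risk_score(s)
        results.append((s, risk, risk > TOLERABLE_RISK))
    return results


def target_security_level(max_risk: int) -> int:
    """Assumed mapping from the highest unmitigated risk in a zone to SL-T 1..4."""
    if max_risk <= TOLERABLE_RISK:
        return 1
    if max_risk <= 12:
        return 2
    if max_risk <= 19:
        return 3
    return 4


def zone_targets(assets: Sequence[Asset],
                 scenarios: Sequence[ThreatScenario]) -> Dict[str, int]:
    """SL-T per zone, driven by the worst scenario against any asset in that zone."""
    zone_of = {a.name: a.zone for a in assets}
    worst: Dict[str, int] = {a.zone: 0 for a in assets}
    for s, risk, _ in assess(assets, scenarios):
        worst[zone_of[s.asset]] = max(worst[zone_of[s.asset]], risk)
    return {zone: target_security_level(r) for zone, r in worst.items()}


if __name__ == "__main__":
    for s, risk, treat in assess(ASSETS, SCENARIOS):
        print(f"{risk:>2} {'TREAT' if treat else 'ok   '} {s.description}")
    print(zone_targets(ASSETS, SCENARIOS))
```

In this constructed case every scenario exceeds the tolerable risk, and the Signalling zone ends up with the highest SL-T because the interlocking scenario carries a safety-related impact; a real assessment would iterate after countermeasures are applied and re-rate the residual risk per zone.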
REFERENCES / 51
REFERENCES
Abomhara, M. (2015). Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. Journal of Cyber Security and Mobility, 4(1), 65-88.
Ahmad, R., & Kamaruddin, S. (2012). A review of condition-based maintenance decision-making. European journal of industrial engineering, 6(5), 519-541.
APTA SS-CCS-004-16. (2015). Securing control and communications systems in rail transit environments. Washington DC: American Public Transportation Association.
AS 7770:2018. (2018). Rail cyber security. Australia: Rail Industry Safety and Standards Board.
Assante, M. J., & Lee, R. M. (2015). The industrial control system cyber kill chain. SANS Institute InfoSec Reading Room,1.
Avizienis, A., Laprie, J. C., Randell, B., & Landwehr, C. (2004). Basic concepts and taxonomy of dependable and secure computing. IEEE transactions on dependable and secure computing, 1(1), 11-33.
Avramović, Z. Ž., Marinković, D. M., & Lastrić, I. T. (2019). Digitalization of railways – ICT approach to the development of automation. JITA - Journal of Information Technology and Applications, 17(1).
Baker, G. (2008). Schoolboy hacks into city's tram system. The Telegraph, 11 January 2008.
BBC NEWS. (2020). Rail station wi-fi provider exposed traveller data, available at https://www.bbc.com/news/technology (accessed 16 April 2020).
BBC. (2018). Great Western Railway accounts breached, https://www.bbc.com/news/technology-43725640 (accessed 23 September 2018).
Brinberg, D., & McGrath, J. E. (1985). Validity and the research process. Sage Publications, Inc.
C2M2 V1.1. (2014). Cybersecurity Capability Maturity Model (C2M2), Version 1.1. Technical report, U.S. Department of Energy and Department of Homeland Security.
Campos, J., Sharma, P., Jantunen, E., Baglee, D., & Fumagalli, L. (2016). The challenges of cybersecurity frameworks to protect data required for the development of advanced maintenance. In Product-Service Systems across Life Cycle, 2016 (pp. 222-227). Elsevier.
CCSMM. (2011). The community cyber security maturity model. In 2011 IEEE international conference on technologies for homeland security (HST) (pp. 173-178). IEEE.
Cebula, J. L., & Young, L. R. (2010). A taxonomy of operational cyber security risks (No. CMU/SEI-2010-TN-028). Carnegie-Mellon Univ Pittsburgh Pa Software Engineering Inst.
CEN. (2017). EN 13306:2017 Maintenance – Maintenance terminology.
Cisomag. (2020). U.S. RailWorks Corp. Reports Data Breach Post Ransomware Attack, available at https://www.cisomag.com/u-s-railworks-corp-reports-data-breach-post-ransomware-attack/ (accessed 16 April 2020).
Cloppert, M. (2009). Security Intelligence: Attacking the Cyber Kill Chain. SANS Computer Forensics.
Creswell, J. W., & Creswell, J. D. (2017). Research design: Qualitative, quantitative, and mixed methods approaches. Sage publications.
D’Amico, A. D. (2000). What does a computer security breach really cost? Secure Decisions, A Division of Applied Visions. Inc., September, 7.
Department of Defense. (1997). Systems Security Engineering Capability Maturity Model (SSE-CMM), model description, version 1.1. doi: 10.21236/ada330236.
DFS. (2018). New York State Department of Financial Services. Cybersecurity Requirements for Financial Services Companies. Available at https://dfs.ny.gov/legal/regulations/adoptions-/dfsrf500txt.pdf (Accessed 28 January 2019).
Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. Official Journal of the European Union, L 345, 23 December 2008, pp. 75–82.
EN 50159:2010 (or IEC 62280). (2010). Railway applications - Signalling, telecommunication and processing systems - Safety communication in transmission systems.
ENISA. (2020). European Union Agency for Cybersecurity: Critical Infrastructures and Services, available at https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services (accessed 16 April 2020).
ES-C2M2. (2014). Electricity subsector cybersecurity capability maturity model (ES-C2M2). Department of Homeland Security.
European Parliament and Council. (2016). Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). URL: https://eur-lex.europa.eu/legal-content/EN.
EY. (2014). Cyber insurance, security and data integrity Part 1: Insights into cyber security and risk. Available at https://www.ey.com/Publication/vwLUAssets/EY__Insights_into_cyber_ security_ and_ risk/$FILE/ey-cyber-insurance-thought-leadership.pdf (accessed 26 April 2018) .
Cyber Intelligence Task Force. (2013). Operational levels of cyber intelligence. Intelligence and National Security Alliance (INSA).
Joint Task Force Transformation Initiative. (2013). Security and privacy controls for federal information systems and organizations. NIST Special Publication 800-53, Revision 4.
Gill, J., & Johnson, P. (2002). Research methods for managers. Sage.
Gross, M. L., Canetti, D., & Vashdi, D. R. (2017). Cyberterrorism: its effects on psychological well-being, public confidence and political attitudes. Journal of Cybersecurity, 3(1), 49-58.
Hackmageddon. (2019). Information Security Timelines and Statistics. Available at https://www.hackmageddon.com/category/security/cyber-attacks-statistics/ (accessed 29 January 2019).
Hair, J. F., Money, A. H., Samouel, P., & Page, M. (2007). Research methods for business. Education+ Training.
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1(1), 80.
IBM X-Force. (2020). X-Force Threat Intelligence Index, available at https://www.ibm.com/downloads/cas/DEDOLR3W (accessed 16 April 2020).
IBM. (2020). X-Force interactive security incidents, available at https://www.ibm.com/security/resources/xforce/xfisi/ (accessed 16 April 2020).
IEC. (2015). International electrotechnical vocabulary—Part 192: Dependability. International standard IEC, 60050-192 (accessed 26 April 2019).
ISACA. (2012). Cobit 5. USA. https://www.isaca.org/bookstore/Pages/COBIT-5-Related.aspx. Updated 2012 (accessed 26 April 2018).
ISO 55000. (2014). Asset management — Overview, principles and terminology.
ISO/IEC 12207 (2008). Systems and software engineering-software life cycle processes. International Organisation for Standardization, Geneva, Switzerland.
ISO/IEC 27001:2013. (2013). Information technology – Security techniques – Information security management systems – Requirements.
ISO/IEC 27002:2015. (2015). Information technology – Security techniques – Code of practice for information security controls (AS ISO/IEC 27002:2015).
ISO/IEC 27032. (2012). Information technology—Security techniques—Guidelines for cybersecurity. International Organisation for Standardization, International Electrotechnical Commission.
ISO 13374. (2003). Condition monitoring and diagnostics of machines – Data processing, communication and presentation.
Jägare, V., Karim, R., Söderholm, P., Larsson-Kråik, P. O., & Juntti, U. (2019). Change management in digitalised operation and maintenance of railway. In International Heavy Haul Association (IHHA) STS 2019 Conference (pp. 904-911).
Jayaratna, N. (1994). Understanding and evaluating methodologies: NIMSAD, a systematic framework. McGraw-Hill, Inc..
Johansson, M. (2017). A national cyber security strategy Skr. 2016/17:213. Stockholm 22/06/2017. Sweden.
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of Security Threats in Information Systems. ANT/SEIT, 32, 489-496.
Kajko-Mattsson, M., Karim, R., & Mirjamdotter, A. (2011). Essential components of e-maintenance. International Journal of Performability Engineering, 7(6), 555-571.
Karim, R. (2008). A service-oriented approach to e-maintenance of complex technical systems (Doctoral dissertation, Luleå tekniska universitet).
Karim, R., Jägare, V., Juntti, U., Glover, C., & Cipolla, A. (2020). The roadmap for digitalised operation and maintenance of railway: ePilot – A railway collaboration platform. Report.
Karim, R., Westerberg, J., Galar, D., & Kumar, U. (2016). Maintenance analytics – the new know in maintenance. IFAC-PapersOnLine, 49(28), 214-219.
Karvinen, K., & Bennett, D. (2006). Enhancing performance through the introduction of customer orientation into the building components industry. International Journal of Productivity and Performance Management.
Koc, M., & Lee, J. (2001). A system framework for next-generation E-maintenance systems. China Mechanical Engineering, 5, 14.
Kothari, C. R. (2011). Research methodology and techniques Delhi: New Age International Limited Publishers.
Kushner, D. (2013). The real story of stuxnet. ieee Spectrum, 3(50), 48-53.
Lim, K. K., Yeum, D., & Kim, S. (2014). The development of a railway safety maturity model and estimate procedures. Journal of the Korean Society of Civil Engineers, 34(1), 195-202.
Lockheed Martin. (2014). Cyber Kill Chain®. URL: http://cyber.lockheedmartin.com/hubfs/Gaining the Advantage Cyber Kill Chain.pdf (accessed 12 November 2018).
Mattioli, R., & Moulinos, K. (2015). Analysis of ICS-SCADA cyber security maturity levels in critical sectors. European Union Agency for Network and Information Security (ENISA).
Mcafee. (2019). McAfee Labs Threats Report. Available at https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-aug-2019.pdf (accessed 15 April 2020).
McQuade, M. (2018). The untold story of NotPetya, the most devastating cyberattack in history. Wired.
Menashri, H., & Baram, G. (2015). Critical infrastructures and their interdependence in a cyber attack–the case of the US. Military and Strategic Affairs, 7(1), 22.
MITRE. (2020). MATRICES, available at https://attack.mitre.org/matrices/enterprise/ (accessed 15 April 2020)
Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5).
Montanari, L., & Querzoni, L. (2014). Critical infrastructure protection: Threats, attacks and countermeasures. no. March, 1-164.
Muller, A., Marquez, A. C., & Iung, B. (2008). On the concept of e-maintenance: Review and current research. Reliability Engineering & System Safety, 93(8), 1165-1187.
NATO. (2019). NATO and EU discuss cyber threats ahead of European elections, available at https://www.ncia.nato.int/NewsRoom/Pages/20190503-test.aspx (accessed 15 April 2020).
NDB. (2018). Australian Government. Privacy Amendment (Notifiable Data Breaches) Act 2017. Available at https://www.legislation.gov.au/Details/C2017A00012/Html/Text . (Accessed 28 January 2019).
Nemtanu, F. C., & Marinov, M. (2019). Digital Railway: Trends and Innovative Approaches. In Sustainable Rail Transport (pp. 257-268). Springer, Cham.
NICE. (2018). A guide to the National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework (2.0). Auerbach Publications.
NIST. (2018). Framework for improving critical infrastructure cybersecurity version 1.1 (No. NIST Cybersecurity Framework).
ONG-C2M2. (2014). Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model. Department of Homeland Security. Available at https://www.energy.gov/sites/prod/files/2014/02/f7/ONG-C2M2-v1-1-Feb2014.pdf (accessed 26 April 2018).
Paganini, P. (2016). Black Energy infected also Ukrainian Mining and Railway Systems, https://securityaffairs.co/wordpress/44452/hacking/blackenergy-mining-and-railway-systems.html (accessed 23 September 2018).
Parida, A., & Kumar, U. (2004). Managing information is key to maintenance effectiveness. In Intelligent Maintenance Systems: 15/07/2004-17/07/2004.
Poepjes, R. (2015). The development and evaluation of an information security awareness capability model: linking ISO/IEC 27002 controls with awareness importance, capability and risk (Doctoral dissertation, University of Southern Queensland).
Radenkovic, B., & Kocovic, P. (2020). From ubiquitous computing to the Internet of Things. In Securing the Internet of Things: Concepts, Methodologies, Tools, and Applications (pp. 1523-1556). IGI Global.
Evans, D. (2011). The Internet of Things: How the next evolution of the Internet is changing everything. CISCO white paper, 1(2011), 1-11.
Rail Cyber Security Guidance to Industry. (2016). Department for Transport, https://www.rssb.co.uk/Library/improving-industry-performance/2016-02-cyber-security-rail-cyber-security-guidance-to-industry.pdf (accessed 23 September 2018).
Rail Delivery Group. (2017). Rail Cyber Security Strategy, UK, available at https://www.raildeliverygroup.com/component/arkhive/?task=file.download&id=469772253 (accessed 23 September 2018).
Rea-Guaman, A. M., San Feliu, T., Calvo-Manzano, J. A., & Sanchez-Garcia, I. D. (2017). Comparative study of cybersecurity capability maturity models. In International Conference on Software Process Improvement and Capability Determination (pp. 100-113). Springer, Cham.
Redman, L. V., & Mory, A. V. H. (1923). The Romance of Research, p. 10.
Roadmap. (2016). A Roadmap for Digital Railways, CER, CIT, EIM, UIC, https://www.cer.be/sites/default/files/publication/A%20Roadmap%20for%20Digital%20Railways.pdf (accessed 26 April 2020).
Scordamaglia, D. (2019). Digitalisation in railway transport: A lever to improve rail competitiveness. European Parliamentary Research Service, available at https://www.europarl.europa.eu/RegData/etudes/BRIE/2019/635528/EPRS_BRI(2019)635528_EN.pdf (accessed 25 March 2020).
Shakarian, J., Shakarian, P., & Ruef, A. (2015). Cyber attacks and public embarrassment: A survey of some notable hacks. arXiv preprint arXiv:1501.05990.
Shift2Rail report. (2017). CYbersecurity in the RAILway sector, D2.1 – Safety and security requirements of rail transport system in multi-stakeholder environments [Online], available at https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e5b678c2dc&appId=PPGMS (accessed 26 April 2018).
Shift2Rail. (2016). Cybersecurity in the railway sector [Online], available at https://shift2rail.org/project/cyrail/ (accessed 26 April 2018).
Soiferman, L. K. (2010). Compare and Contrast Inductive and Deductive Research Approaches. Online Submission.
Sommerville, I. (2011). Software Engineering (9th ed.). Addison-Wesley.
Soupionis, Y., & Benoist, T. (2015). Cyber-physical testbed—The impact of cyber attacks and the human factor. In 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST) (pp. 326-331). IEEE.
Sridhar, S., Hahn, A., & Govindarasu, M. (2011). Cyber–physical system security for the electric power grid. Proceedings of the IEEE, 100(1), 210-224.
Swearingen, K., Majkowski, W., Bruggeman, B., Gilbertson, D., Dunsdon, J., & Sykes, B. (2007). An open system architecture for condition based maintenance overview. In 2007 IEEE Aerospace Conference (pp. 1-8). IEEE.
The Local. (2017). Swedish transport agencies targeted in cyberattack, https://www.thelocal.se/20171012/swedish-transport-agencies-targeted-in-cyber-attack (accessed 23 September 2018).
Tipton, H. F., & Krause, M. (Eds.). (2008). Information Security Management Handbook, Volume 2. Auerbach Publications.
Trafikverket Report. (2017). The Swedish Transport Administration Annual Report, available at https://trafikverket.ineko.se/Files/svSE/49148/Ineko.Product.RelatedFile/2018_086_TRV_Annual%20Report_2017.pdf (accessed 23 September 2018).
Velazquez, C. (2015). Detecting and preventing attacks earlier in the kill chain. SANS Institute Infosec Reading Room, 1-21.
Verizon. (2019). Data Breach Investigations Report, available at https://enterprise.verizon. com/ resources/reports/2019-data-breach-investigations-report.pdf (accessed 23 February 2020).
Whittaker, Z. (2018). Rail Europe had a three-month long credit card breach. ZDNet, May, 14.
Willett, K. D. (2008). Information assurance architecture. CRC Press.
Wood, A. D., & Stankovic, J. A. (2002). Denial of service in sensor networks. computer, 35(10), 54-62.
Yadav, T., & Rao, A. M. (2015). Technical aspects of cyber kill chain. In International Symposium on Security in Computing and Communication (pp. 438-452). Springer, Cham.
Yin, R. K. (2017). Case study research and applications: Design and methods. Sage publications.
Zhang, X., Yang, X., Lin, J., Xu, G., & Yu, W. (2016). On data integrity attacks against real-time pricing in energy-based cyber-physical systems. IEEE Transactions on Parallel and Distributed Systems, 28(1), 170-187.
Zhou, X., Xu, Z., Wang, L., Chen, K., Chen, C., & Zhang, W. (2018). Kill chain for industrial control system. In MATEC Web of Conferences (Vol. 173, p. 01013). EDP Sciences.
Zhu, B., Joseph, A., & Sastry, S. (2011). A taxonomy of cyber attacks on SCADA systems. In 2011 International conference on internet of things and 4th international conference on cyber, physical and social computing (pp. 380-388). IEEE.
APPENDED PAPERS / 57
APPENDED PAPERS
Paper I
Kour, R., Aljumaili, M., Karim, R., & Tretten, P. (2019). eMaintenance in railways: Issues and challenges in cybersecurity. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 233(10), 1012-1022. (Published)
Paper II
Kour, R., Karim, R., & Thaduri, A. (2019). Cybersecurity for railways–A maturity model. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 0954409719881849. (Published online)
Paper III
Kour, R., Thaduri, A., & Karim, R. (2020). Railway Defender Kill Chain to Predict and Detect Cyber-Attacks. Journal of Cyber Security and Mobility, 9(1), 47-90. (Published)
Paper IV
Kour, R., Thaduri, A., & Karim, R. (2020). Predictive model for multistage cyber-attack simulation. International Journal of System Assurance Engineering and Management, 1-14. (Published online)
Paper I
eMaintenance in railways: Issues and challenges in cybersecurity
Kour, R., Aljumaili, M., Karim, R., & Tretten, P. (2019). eMaintenance in railways: Issues and challenges in cybersecurity. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 233(10), 1012-1022
Original Article
eMaintenance in railways: Issues and challenges in cybersecurity
Ravdeep Kour, Mustafa Aljumaili, Ramin Karim and Phillip Tretten
Abstract
The convergence of information technology and operation technology and the associated paradigm shift toward Industry 4.0 in complex systems, such as railways, has brought significant benefits in reliability, maintainability, operational efficiency, capacity, as well as improvements in passenger experience. However, with the adoption of information and communications technologies in railway maintenance, vulnerability to cyber threats has increased. It is essential that organizations move toward security analytics and automation to improve the prevention of security breaches and to quickly identify and respond to security events. This paper provides a statistical review of cybersecurity incidents in the transportation sector with a focus on railways. It uses a web-based search for data collection in popular databases. The overall objective is to identify cybersecurity challenges in the railway sector.
Keywords
Cybersecurity, railway, eMaintenance, challenges
Date received: 7 June 2018; accepted: 11 December 2018
Introduction
As information and communication technologies (ICTs) become increasingly pervasive, eMaintenance solutions for advanced maintenance applications are becoming more common. eMaintenance is a broad term which emerged in the early 2000s with advanced diagnostics and maintenance. The term eMaintenance is defined at two levels of abstraction: first, "eMaintenance is maintenance managed and performed via computing"; second, "eMaintenance is a multidisciplinary domain based on maintenance and ICT ensuring that the eMaintenance services are aligned with the needs and business objectives of both customers and suppliers during the whole product lifecycle" (Kajko-Mattsson et al.,1 p. 560).
In the railway industry, like other industries, ICTs have been developing alongside business processes in maintenance activities.2 The overall gains are more substantial than the simple improvements in productivity and optimization of costs that may be achieved through the use of web services.2–4 For example, the railway sector has adopted the concept of eMaintenance and suggests using web-based railway eMaintenance solutions using cloud technology to determine optimum maintenance profiles5 and remaining useful life of railway vehicle wheels.6
Railways use data from wayside sensors to determine and implement vehicle maintenance strategies and, thus, increase safety and reduce costs, by detecting and mitigating the "bad actors."6 The railway sector also advocates Smart Maintenance Initiatives7 and the use of ICT in maintenance to develop artifacts (e.g. frameworks, tools, methodologies, and technologies) to support maintenance decision-making.8
The eMaintenance solutions used in the railway sector generally depend on standard Internet infrastructure, however, and this makes them vulnerable to cybersecurity threats. There is a need to find ways to minimize the impacts of such threats while ensuring the availability of the eMaintenance services. Traditionally, dependability9 implies high levels of availability, reliability, maintainability, and maintenance support. From the software perspective, dependability includes reliability, availability, safety, and security.10 Thus, security is an inherent component of system dependability, and software security must be continuously improved if eMaintenance tools are to achieve the high levels of availability required of them.
Division of Operation and Maintenance Engineering, Lulea University of Technology, Lulea, Sweden
Corresponding author:
Ravdeep Kour, Division of Operation and Maintenance Engineering, Lulea University of Technology, Lulea 97187, Sweden.
Email: [email protected]
Proc IMechE Part F: J Rail and Rapid Transit 0(0) 1–11
© IMechE 2019
Article reuse guidelines: sagepub.com/journals-permissions
DOI: 10.1177/0954409718822915
journals.sagepub.com/home/pif
Hackers have already targeted rail companies in Belgium, China, Denmark, Germany, Russia, South Korea, Sweden, Switzerland, the UK, and the US. Artificial Intelligence-powered cyber-attacks, until recently a theoretical possibility, have been detected “in the wild,” with the first case of this kind in India.11
Given the new reality, the operation technology security community has begun to move toward security analytics and automation to improve the prevention of security breaches. For example, some organizations are adopting a new model for adaptive cybersecurity analytics, one that reports any suspicious network activity.12 Carpenter and Knapp13 proposed some near real-time methods to report detected cybersecurity risk information to external systems.
In an eMaintenance context, to add value to business, smart sensors are collecting condition monitoring and predictive maintenance data to use in machine learning algorithms. The volume of these data generated from Internet of Things (IoT) devices is enormous and provides a significant number of entry points for hackers to steal, corrupt, delete, or even modify the data. Cyber-attacks on railway eMaintenance systems may affect the intensity of the underlying data; this, in turn, could influence the data-driven models and alter the maintenance decision-making process. Ultimately, these cyber-attacks may have an impact on railway stakeholders, e.g. threat to the safety of employees, passengers, or the public in general; loss of sensitive railway information; reputational damage; monetary loss; erroneous decisions; loss of dependability; etc. The risks associated with a successful attack are such that organizations operating railway systems must establish procedures and plans to safeguard against cyber-attacks, and the research community is active in this area.
The aim of this research is to identify various cybersecurity issues and challenges in ICT-based railway maintenance. The paper introduces the problem and then turns to the research methodology used for the data collection. Next, it discusses cybersecurity incidents in critical infrastructure (CI), including the transportation sector, the railway in particular. It provides a brief description of ongoing cybersecurity activities and available cybersecurity guidelines. Finally, the paper presents cybersecurity issues and challenges in railway systems, followed by a discussion and conclusion.
Research methodology for data collection
To obtain initial estimates of the scale of the damage caused by cyber-attacks, we conducted a web-based search, exploring articles related to cybersecurity in various sectors (nuclear, energy, railway, health, and aviation). The popular databases used were Scopus, Google Scholar, ScienceDirect, Taylor & Francis Online, Web of Science, and the Institute of Electrical and Electronics Engineers (IEEE) Xplore Digital Library (Table 1). The comprehensive search included all types of literature related to cybersecurity terms like cyber-attacks, hacking, cybercrime, hacktivism, computer security, etc. and sectors like railway, aviation, grid, nuclear, and health.
Table 1 shows the results of the search. To explain how the table works, for the value 232(2) at the row “railway” and the column “cyber security,” for articles from the IEEE Xplore database, the number in the brackets shows articles containing the specific terms “cyber security” and “railway” in the title of the literature. Table 1 results show that more research has been done in the sectors related to health, grid, and nuclear; research and innovation in the context of cybersecurity in the railway sector has started but requires more development.
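As an added illustration of how the cells of Table 1 are read (this script is not part of the paper), the following code parses rows in the page's "total(title hits)" cell format and ranks sectors by overall hits and by the stricter title-only hits. The row strings are the IEEE Xplore rows copied from Table 1; the column order follows its header, and the function names are the editor's own.

```python
"""Parse Table 1 cells of the form 'total(title_hits)' and rank sectors (added example)."""
import re
from typing import Dict, List, Tuple

# Keyword columns in the order used by Table 1.
KEYWORDS = ["Cyber security", "Cybersecurity", "Cyber-attack", "Cyber breaches",
            "Hacking", "Cyber espionage", "Cyber crime", "Cyber warfare", "Hacktivism",
            "Cyber threats", "Computer security", "Network security", "Information security"]

# IEEE Xplore rows copied from Table 1 (hits as of 20 September 2018).
IEEE_XPLORE = {
    "Railway":  "232(2) 105(2) 180(0) 0(0) 89(0) 4(0) 26(0) 16(0) 1(0) 48(0) 151(0) 294(0) 402(1)",
    "Aviation": "331(2) 176(2) 238(0) 1(0) 124(0) 15(0) 26(0) 34(0) 8(0) 88(0) 302(0) 390(0) 673(0)",
    "Nuclear":  "911(4) 538(1) 877(0) 5(0) 403(1) 70(0) 96(0) 141(0) 27(0) 205(0) 752(1) 986(1) 1087(1)",
    "Grid":     "3567(66) 1560(18) 3291(44) 11(0) 905(2) 59(0) 167(0) 139(0) 22(0) 612(1) 1955(0) 5831(17) 4504(14)",
    "Health":   "1942(1) 1254(1) 1347(0) 11(0) 818(1) 48(0) 312(0) 115(0) 39(0) 377(0) 2127(0) 3712(1) 4935(10)",
}

# A cell is a (possibly comma-grouped) total followed by the title-hit count in brackets.
CELL = re.compile(r"^([\d,]+)\((\d+)\)$")


def parse_cell(cell: str) -> Tuple[int, int]:
    """'232(2)' -> (232, 2); '15,214(2)' -> (15214, 2)."""
    m = CELL.match(cell.strip())
    if not m:
        raise ValueError(f"malformed cell: {cell!r}")
    return int(m.group(1).replace(",", "")), int(m.group(2))


def parse_row(row: str) -> Dict[str, Tuple[int, int]]:
    """Map each keyword column to its (total, title_hits) pair; cell count must match the header."""
    cells = [parse_cell(c) for c in row.split()]
    if len(cells) != len(KEYWORDS):
        raise ValueError(f"expected {len(KEYWORDS)} cells, got {len(cells)}")
    return dict(zip(KEYWORDS, cells))


def sector_totals(rows: Dict[str, str]) -> Dict[str, Tuple[int, int]]:
    """Sum totals and title hits across all keyword columns for each sector."""
    out = {}
    for sector, row in rows.items():
        pairs = list(parse_row(row).values())
        out[sector] = (sum(t for t, _ in pairs), sum(h for _, h in pairs))
    return out


def rank_sectors(rows: Dict[str, str], by_title: bool = False) -> List[str]:
    """Sectors in descending order of total hits, or of title-only hits when by_title is set."""
    totals = sector_totals(rows)
    idx = 1 if by_title else 0
    return sorted(totals, key=lambda s: totals[s][idx], reverse=True)


if __name__ == "__main__":
    for sector, (total, title) in sector_totals(IEEE_XPLORE).items():
        print(f"{sector:9s} total={total:6d} title-only={title:4d} ({100 * title / total:.2f}%)")
    print("by total hits:", rank_sectors(IEEE_XPLORE))
    print("by title hits:", rank_sectors(IEEE_XPLORE, by_title=True))
```

The title-only share shows how much a keyword-anywhere count overstates sector-specific work; for this database both rankings put grid, health, and nuclear first and railway last.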
Statistics of cybersecurity incidents in CI and rail
The security of critical national infrastructure systems is a hot topic among security researchers. According to the European Union Commission (OJ L 345, 23 December 2008, p.77),14 CI refers to

those assets, systems or parts thereof located in Member States which are essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions.
The organizations operating CIs are establishing procedures and plans to safeguard against cyber-attacks, but incidents still take place. According to the Australian Cyber Security Centre,15 the highest number of compromised systems is in the energy and communications sectors, while the banking and financial services and communications sectors had the highest incidence of Distributed Denial of Service (DDoS) activity, and the energy and mining/resources sectors had the highest number of malicious emails received. In addition, between July 2015 and June 2016, computer emergency response team (CERT)15 responded to 14,804 cybersecurity events affecting businesses, 418 of which involved systems of national interest (SNI) and CI. Figure 1 shows the cybersecurity events affecting SNI and CI by sectors.
The total number of identified vulnerabilities (322) reported by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)16 in general-purpose software and in network protocols that are significant to industrial software and equipment is illustrated in Figure 2.
According to a Dell report,17 in 2015, there was a 73% increase in malware attacks over 2014, and this was more than triple the number in 2013. Statista18
Table 1. Internet hits for cybersecurity terms within different sectors (as of 20 September 2018).

| Database | Sector | Cyber security | Cybersecurity | Cyber-attack | Cyber breaches | Hacking | Cyber espionage | Cyber crime | Cyber warfare | Hacktivism | Cyber threats | Computer security | Network security | Information security |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IEEE Xplore | Railway | 232(2) | 105(2) | 180(0) | 0(0) | 89(0) | 4(0) | 26(0) | 16(0) | 1(0) | 48(0) | 151(0) | 294(0) | 402(1) |
| IEEE Xplore | Aviation | 331(2) | 176(2) | 238(0) | 1(0) | 124(0) | 15(0) | 26(0) | 34(0) | 8(0) | 88(0) | 302(0) | 390(0) | 673(0) |
| IEEE Xplore | Nuclear | 911(4) | 538(1) | 877(0) | 5(0) | 403(1) | 70(0) | 96(0) | 141(0) | 27(0) | 205(0) | 752(1) | 986(1) | 1087(1) |
| IEEE Xplore | Grid | 3567(66) | 1560(18) | 3291(44) | 11(0) | 905(2) | 59(0) | 167(0) | 139(0) | 22(0) | 612(1) | 1955(0) | 5831(17) | 4504(14) |
| IEEE Xplore | Health | 1942(1) | 1254(1) | 1347(0) | 11(0) | 818(1) | 48(0) | 312(0) | 115(0) | 39(0) | 377(0) | 2127(0) | 3712(1) | 4935(10) |
| ScienceDirect | Railway | 109(0) | 87(0) | 107(0) | 0(0) | 899(0) | 6(0) | 28(0) | 11(0) | 8(0) | 43(0) | 149(0) | 176(0) | 239(0) |
| ScienceDirect | Aviation | 211(0) | 181(0) | 184(0) | 6(0) | 627(0) | 12(0) | 45(0) | 39(0) | 14(0) | 77(0) | 275(0) | 205(0) | 400(0) |
| ScienceDirect | Nuclear | 667(5) | 429(0) | 684(2) | 9(0) | 7240(2) | 87(0) | 181(0) | 173(0) | 50(0) | 250(3) | 895(2) | 806(0) | 1080(0) |
| ScienceDirect | Grid | 1229(6) | 582(7) | 1007(4) | 13(0) | 4197(2) | 66(0) | 179(0) | 147(0) | 49(0) | 342(0) | 927(0) | 2334(1) | 1887(0) |
| ScienceDirect | Health | 1355(0) | 965(1) | 991(0) | 25(0) | 15,214(2) | 68(0) | 379(0) | 152(0) | 73(0) | 390(0) | 2265(2) | 2492(1) | 4206(8) |
| Scopus (abstract) | Railway | 30(5) | 16(3) | 17(0) | 1(0) | 2(0) | 0(0) | 2(0) | 0(0) | 0(0) | 4(0) | 5(0) | 16(4) | 20(2) |
| Scopus (abstract) | Aviation | 27(4) | 18(7) | 17(0) | 0(0) | 7(0) | 0(0) | 4(0) | 2(0) | 0(0) | 4(2) | 3(1) | 14(2) | 28(1) |
| Scopus (abstract) | Nuclear | 148(46) | 63(14) | 134(11) | 0(0) | 11(0) | 4(0) | 5(0) | 27(2) | 0(0) | 32(4) | 27(7) | 25(3) | 46(4) |
| Scopus (abstract) | Grid | 458(101) | 184(42) | 627(58) | 2(0) | 35(2) | 5(0) | 6(1) | 10(0) | 0(0) | 86(7) | 24(3) | 273(26) | 276(34) |
| Scopus (abstract) | Health | 113(5) | 100(15) | 94(1) | 1(0) | 73(8) | 2(0) | 13(0) | 0(0) | 0(0) | 36(3) | 51(7) | 128(9) | 497(73) |
| Taylor & Francis | Railway | 91(0) | 47(0) | 59(0) | 1(0) | 1548(0) | 19(0) | 27(0) | 46(0) | 13(0) | 36(0) | 42(0) | 46(0) | 141(0) |
| Taylor & Francis | Aviation | 178(0) | 99(0) | 98(0) | 1(0) | 572(0) | 33(0) | 43(0) | 113(0) | 13(0) | 62(0) | 83(0) | 57(0) | 223(0) |
| Taylor & Francis | Nuclear | 589(2) | 335(0) | 406(0) | 2(0) | 2987(0) | 158(0) | 163(0) | 452(1) | 59(0) | 228(0) | 237(0) | 136(0) | 587(0) |
| Taylor & Francis | Grid | 226(0) | 132(2) | 154(0) | 1(0) | 1557(0) | 50(0) | 63(0) | 88(0) | 30(0) | 83(0) | 133(1) | 185(0) | 306(0) |
| Taylor & Francis | Health | 553(0) | 379(0) | 219(0) | 5(0) | 11,837(0) | 58(0) | 245(0) | 196(0) | 63(0) | 161(0) | 542(0) | 434(0) | 1377(0) |
| Web of Science | Railway | 17(3) | 9(2) | 5(0) | 0(0) | 4(0) | 0(0) | 0(0) | 0(0) | 0(0) | 1(0) | 5(0) | 8(1) | 12(1) |
| Web of Science | Aviation | 17(4) | 16(6) | 5(0) | 0(0) | 4(0) | 0(0) | 2(1) | 1(0) | 0(0) | 4(0) | 1(0) | 11(0) | 14(0) |
| Web of Science | Nuclear | 71(19) | 39(3) | 33(2) | 0(0) | 9(1) | 5(0) | 5(0) | 11(1) | 0(0) | 17(3) | 11(2) | 5(0) | 37(1) |
| Web of Science | Grid | 518(59) | 141(21) | 161(11) | 1(0) | 25(1) | 1(0) | 3(0) | 6(0) | 2(0) | 56(1) | 32(2) | 219(14) | 165(18) |
| Web of Science | Health | 74(1) | 65(6) | 12(0) | 0(0) | 57(2) | 0(0) | 5(0) | 1(0) | 0(0) | 16(1) | 79(3) | 88(5) | 356(37) |
| Google Scholar | Railway | 6730(8) | 1780(5) | 2840(0) | 222(0) | 11,700(1) | 2100(0) | 2130(0) | 6020(0) | 439(0) | 1850(0) | 9180(0) | 13,900(10) | 17,200(36) |
| Google Scholar | Aviation | 7130(20) | 5400(17) | 3330(0) | 149(0) | 7980(0) | 2300(0) | 1840(0) | 7310(0) | 348(0) | 2310(2) | 7370(6) | 9210(7) | 20,500(17) |
| Google Scholar | Nuclear | 20,300(123) | 16,000(34) | 11,100(17) | 176(0) | 32,400(6) | 3560(0) | 5700(1) | 10,400(5) | 1960(0) | 7140(17) | 16,100(17) | 16,600(8) | 28,600(35) |
| Google Scholar | Grid | 28,200(284) | 14,800(93) | 11,600(71) | 197(0) | 25,200(12) | 2070(0) | 4340(0) | 5010(0) | 961(0) | 6590(8) | 27,500(7) | 60,200(62) | 50,200(184) |
| Google Scholar | Health | 37,000(23) | 33,300(43) | 12,700(3) | 443(0) | 88,500(26) | 3620(0) | 14,300(0) | 12,700(1) | 2690(0) | 10,400(5) | 50,900(17) | 65,900(34) | 103,000(331) |

IEEE: Institute of Electrical and Electronics Engineers.
Note: Number in the brackets () shows articles containing specific terms like “cyber security” AND “railway” in the title of the literature.
Kour et al. 3
reports that in 2017, there were 15 cyber security incidents in large transportation companies, 9 in small companies, and 35 in companies of unknown size. Verizon Data Breach Investigations Report,19 drawing on data from the Veris Community Database,20 has slightly different, but still worrisome, totals: seven cybersecurity breaches in large transportation organizations, six in small ones, and five in companies of unknown size. According to the Symantec 2018 threat report,21 the rate of email-borne malware was 1 in 486, the email malware rate was 11.5% and the spam rate was 53.9% in the transportation sector.
Tonn et al.22 analyzed cyber incident data for the transportation sector using data from Advisen,23 a leading quality data provider. They list 214 cybersecurity incidents and discuss the trend of cyber risk in the transportation industry (Figure 3). The most common types of cyber incidents are malicious data breaches, 27.1% (58/214) and unauthorized data collection, 22.9% (49/214). The authors find that the number and severity of cyber incidents in the transportation industry are growing.
Figure 4 provides a timeline, with 49 incidents spanning 34 years. The figure illustrates the increasing rate of cyber incidents related to transportation infrastructure.24 Notably, over half the events occurred after 2013 and just over a quarter from 2008 to 2012.
Figure 5 expands the timeline in Figure 4 to show the threat types per transport sector. Maritime and air sectors are the most affected by individual hackers and cybercrimes.
Figure 1. Cybersecurity events affecting SNI and CI. Source: Adapted from ACSC.15 [Bar chart of the share of events per sector; sectors shown: Energy, Banking and Financial Services, Communications, Transport, Mining and Resources, Others, Information Technology, Defence Industry, Water, Education and research, Food and Agriculture, Legal and professional services, Manufacturing, Health, Retail.]

Figure 2. Vulnerabilities in CI. Source: Adapted from ICS-CERT.16 [Chart not reproduced.]

Figure 3. Timeline of incidents related to the transportation infrastructure. Source: Adapted from Tonn et al.22 [Bar chart, No. of incidents per year, 2006 to 2015: 18, 14, 14, 13, 20, 22, 24, 25, 42, 22.]

Figure 4. Timeline of incidents for transportation infrastructure. Source: Adapted from Korstanje.24 [Bar chart, No. of incidents per year, 1982 and 1997 to 2016.]

Figure 5. Threat types per transport sector. Source: Adapted from Korstanje.24 [Grouped bar chart; sectors: Road, Air, Rail, Maritime, Pipeline; threat types: Malware, Cyber-crime, Cyber-espionage/warfare, Insider attack, Individual Hacker, Research.]

Figure 6. Timeline of incidents related to the transportation infrastructure from November 2012 to February 2017. Source: Adapted from IBM X-Force.25 [Chart; attack types: Malware, Brute Force, XSS, Misconfig, DDoS, Phishing, SQLi, Undisclosed.]
Cybersecurity incidents statistics from IBM25 show the transportation sector has been affected by various types of cyber-attacks: SQLi, DDoS, Watering Hole, XSS, Malware, Brute Force, Misconfig, Phishing, and undisclosed (Figure 6). Malware attacks pose the most significant threat, representing 30% (21/69) of the total. Interestingly, about 38% (26/69) of the attacks are undisclosed because of possible reputational damage.
Figure 7(a) shows the timeline of 20 cybersecurity incidents involving rail; Figure 7(b) provides a brief description of each attack. Of these 20 incidents, 30% are malware attacks; 20% are cyber espionage/data steal attacks; 15% are DDoS attacks; and 35% include cybercrime, insider attacks, brute-force attacks, and hacking.

(a) [Chart of incidents per year, 2003 to 2018, by attack type: Malware, cyber crime, Cyber Espionage/Data steal, Insider attack, DDoS, Brute-Force, Hacking.]

(b)
2003
• A computer virus infected the computer system at CSX Transportation (a railroad company) in Florida which affected 23,000 miles of one railway line and disrupted railway signals for 15 minutes to 6 hours.26
2008
• An electronics genius, a 14-year-old boy from Poland, hacked a tram system and derailed a tram, which then collided with a tram coming in the opposite direction causing injuries to 12 people.27
2010
• Unknown attackers hacked the official website of "Russian Railways" company and replaced some of the web pages.28
2011
• Cyber-attack on a Northwest rail company's computers disrupted railway signals for two days.29
2013
• NMBS, national railway company of Belgium reported an accidental cybersecurity incident which made data belonging to customers in Belgium, France and the UK, including thousands of Commission and Parliament employees, available.30
2014
• Chinese national train reservation system was the target of an insider attack by a 3rd party associated website who stole personal data of customers.31
2015
• Cyber-attack on South Korean Subway System.32
• Data breach in the Swedish Transport Agency led to the leak of private data about every vehicle in the country.33
2016
• UK rail network was hit by four data breaches, including a cyber espionage attack, which involved entering computer systems dealing with government data and critical infrastructure to gather information.34
• Access to the Swiss railway website was interrupted for several hours as a result of a DDoS attack.35
• Malware attack occurred simultaneously with a system breach on Ukrainian State Administration of Railway Transport.36
2017
• Sweden's Transport Agency was partially down because of a DDoS attack.37
• Railway passenger information system was affected by WannaCry virus.38
2018
• Ransomware infection on the computers of the Colorado Department of Transportation Agency.39
• Great Western Railway of UK announced that hackers had breached a small percentage of customer accounts.40
• Rail Europe, website in US announced a three-month data breach of credit cards and debit cards due to malware attack on the site.41
• Massive DDoS attack on the Danish state rail operator DSB paralyzed some operations, including ticketing systems and the communication infrastructure.42

Figure 7. Timeline of cybersecurity incidents in railway with (a) attack type and (b) description. DDoS: Distributed Denial of Service.
Ongoing cybersecurity activities and available cybersecurity guidelines or standards in the railway sector
The literature shows that cybersecurity is a concern in the railway sector and research is ongoing. Cybersecurity in the RAILway (CYRAIL43) project, a Shift2Rail subproject, is one of the examples of ongoing activities in the railway sector. Elsewhere, researchers have proposed a framework for risk assessment and high-level security assessment based on the IEC 62443 standard, with a particular focus on the railway domain.44,45 In addition, there has been a high-level cybersecurity risk assessment of a national European Rail Traffic Management System implementation,46 while other work has suggested a network design for securing data communication system for automatic train control.47 The European Union has established the network and information security directive which aims at safeguarding CIs.48
Cylus49 is providing a cybersecurity solution for railways, keeping one step ahead of the latest cyber threats. Thales50 is also supporting the railway sector in its fight against cyber-attacks by participating in the development of CERTs as part of the Shift2Rail program of the European Commission.
In addition to this research and innovation, some cybersecurity guidelines and standards more relevant to the railway are available:
• AS 7770 Rail Cyber Security,51 an Australian Standard, prepared by the Rail Industry Safety and Standards Board;
• Rail Cyber Security Strategy,52 a cybersecurity vision for the rail industry, provided by the Rail Delivery Group in the UK;
• Rail Cyber Security Guidance to Industry,53 a document supporting the rail industry by reducing its vulnerability to cyber-attacks, prepared by Department of Transport, UK;
• APTA SS-CCS-004-16 standard,54 covering recommended practices for securing control and communications security systems in rail transit environments in North America;
• EN 50159:2010,55 addressing cybersecurity communications and identifying threats against transmission systems used in the railway sector.
Results
Cybersecurity challenges which are growing daily are defined as large amounts of sensitive customer information, a greater number of control devices, poor physical security of these devices, the move away from industry-specific communication standards and hardware, and a greater number of stakeholders who rely on the system for its smooth operation.56
In addition to this, the single greatest challenge is to educate the current and future workforce so they can be prepared to meet the problem appropriately.57,58
In the transport sector, cybersecurity challenges include weaker European laws on cybersecurity for transport, low cybersecurity awareness, and small cybersecurity budgets.46
Railway maintenance based on ICT generally depends on the Internet and this makes it vulnerable to cybersecurity threats. The impact of cyber-attacks on the railway includes threats to safety, loss of railway data integrity and confidentiality, reputational damage, monetary loss, service unavailability, loss of dependability, exposure to new types of threats, etc. Figure 8 shows a list of cybersecurity challenges and their impacts on railway systems.
Malware and system vulnerabilities
Malware comprises malicious programs that attackers use, typically by exploiting system vulnerabilities, to intrude into a railway computer system for the purpose of stealing confidential railway data, taking control of the system or disrupting railway service operations. The statistics on cybersecurity incidents in the transportation industry, including the railway,17,25,32,36,38,39,41 show that malware is the most dominant type of cyber-attack. This challenge can be minimized by regular follow-up on reported threats and vulnerabilities and installation of security patches or upgrades to close the security gaps left open by system vulnerabilities.
Weak identity, credentials, and access management
The railway eMaintenance system is vulnerable to cyber-attacks if access management systems controlling the identity and credentials of users are not scaled properly. With a weak identity system, any intruder can enter into the system and affect the railway data integrity or its confidentiality. Multifactor authentication, automated rotation of cryptographic keys, passwords, and certificates can be used to manage access. In addition to this, prevention of physical attacks, which are often carried out through unauthorized access, can be certified by applying International Standards developed by IEC Technical Committee 79,59 Alarm and electronic security systems; and by ISO/IEC Joint Technical Committee 1/Subcommittee 17,60 Cards and security devices for personal identification.
DDoS attacks
Malicious attacks which target availability are considered DDoS attacks. These attacks try to disturb, block, or even damage useful railway information transmission in order to make eMaintenance systems unavailable to users who need to exchange information. Instances of DDoS attacks have been documented in the railway sector.35,37,42 DDoS attacks may delay communications, forcing trains to stop, with a cascading effect on all other trains sharing the same line. Douligeris and Mitrokotsa61 classify DDoS attacks and DDoS defense mechanisms.
Cloudification
The web-based railway eMaintenance solutions are migrating toward the cloud platform. Big data analytics can be used to analyze and visualize the huge volumes of data available in the cloud. However, cybersecurity is hindering the development of cloud-based big data for condition-based maintenance purposes.62 Cloud providers make available a set of software user interfaces or application programming interfaces for clients to manage and interact with cloud services; these are the most exposed part of a system and, hence, are the target of attacks.63 One such attack was the data breach caused by an outsourcing deal made by the Swedish Transport Agency.33 This attack also affected the company's reputation. Strong security management and control solutions designed specifically for the cloud are required to protect the new paradigm.63
Interconnected infrastructures
A cyber-attack on one infrastructure is likely to cause a domino effect, in which infrastructures are damaged one after another.64 Railway infrastructure is interconnected, and failure in any system will affect another. For example, any type of cyber-attack on power supply, mobile units (rolling-stock system), communication systems, and communication network could cause power outages, compromise safety, affect operations and maintenance, and damage infrastructure.64–66 Steele et al.67 noted the need to protect smart grids and railways from cyber threats.
Increasing use of IoT devices
The escalation in the implementation of IoT devices and objects in machine condition monitoring and predictive maintenance is an excellent innovation, but at the same time, it is a security problem. To add value to railway business, smart sensors collect condition monitoring and predictive maintenance data for use in machine learning algorithms. The volume of data generated this way is enormous, creating a significant number of entry points for hackers to steal, corrupt, delete, or even modify those data. Thus, it is advisable for railway organizations to set up a strong cybersecurity strategy and employ cybersecurity professionals to secure networks and devices against unwanted infiltration.

Figure 8. Cybersecurity challenges and their impact on railway systems. IoT: Internet of Things.
Railway complexity
Railway systems consist of many actors, including people, policies, processes, software applications, information, and infrastructure. This adds significant complexity and complicates security. On the one hand, the increased complexity will require additional effort from attackers to understand the system, but on the other hand, this increased complexity presents many opportunities for exploitation.
Insider attacks
A malicious insider has authorized access to an organization's network or data and deliberately misuses that access to negatively affect the confidentiality, integrity, or availability of the organization's information. An employee can be a threat to a railway organization if she/he leaks, steals, corrupts, or deletes sensitive data to halt its services. For example, if someone deletes historical data related to condition monitoring and predictive maintenance, it is impossible to formulate data-driven models for maintenance. In the Chinese railway, the personal data of customers were stolen.31
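The modification and deletion of condition-monitoring history described here, and the corrupt/delete/modify risk from IoT data in the previous section, can at least be made detectable. The following added example (editor's code, not from the paper or any project it cites) keeps sensor records in an HMAC-keyed hash chain with a separately stored anchor, so edited values, removed records and truncated history all surface as findings; the key, the wayside wheel-impact readings and all function names are constructed for the demo.

```python
"""Tamper-evident log for condition-monitoring records (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key. In practice it would come from a key-management
# service and be rotated; the verifier must hold the same key.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # link value of the first record


def _canonical(body: Dict) -> bytes:
    """Deterministic serialisation so signer and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(body: Dict, key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(chain: List[Dict], payload: Dict, key: bytes = DEMO_KEY) -> Dict:
    """Append a sensor reading, linking it to the previous record's tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "payload": payload}
    entry = dict(body, tag=_tag(body, key))
    chain.append(entry)
    return entry


def make_anchor(chain: List[Dict]) -> Dict:
    """Record count and head tag, kept outside the log (e.g. a separate store)
    so that silently dropping the newest records is still detectable."""
    return {"count": len(chain), "head": chain[-1]["tag"] if chain else GENESIS}


def verify_chain(chain: List[Dict], key: bytes = DEMO_KEY,
                 anchor: Optional[Dict] = None) -> List[str]:
    """Return findings; an empty list means the log is intact."""
    findings: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(_tag(body, key), entry.get("tag", "")):
            findings.append(f"record {i}: tag mismatch, content modified")
        if entry.get("seq") != i:
            findings.append(f"record {i}: sequence gap, record deleted or inserted")
        if entry.get("prev") != prev:
            findings.append(f"record {i}: broken link, record deleted or reordered")
        prev = entry.get("tag", "")
    if anchor is not None and (len(chain) != anchor["count"] or prev != anchor["head"]):
        findings.append("anchor mismatch, log truncated or replaced")
    return findings


def build_sample_chain(key: bytes = DEMO_KEY) -> List[Dict]:
    """Constructed wayside wheel-impact readings (kN) for one axle."""
    chain: List[Dict] = []
    for ts, load in [("2018-09-20T08:00Z", 118.0), ("2018-09-20T09:00Z", 121.5),
                     ("2018-09-20T10:00Z", 164.2), ("2018-09-20T11:00Z", 170.9)]:
        append_record(chain, {"axle": "A1", "ts": ts, "impact_kN": load}, key)
    return chain


def demo() -> Dict[str, List[str]]:
    """Three manipulations a data-driven maintenance model would otherwise absorb silently."""
    chain = build_sample_chain()
    anchor = make_anchor(chain)
    # (1) an alarming reading is edited down to look normal
    modified = [dict(e) for e in chain]
    modified[2] = dict(modified[2], payload=dict(modified[2]["payload"], impact_kN=119.0))
    # (2) the alarming reading is removed from the middle of the history
    deleted = [e for i, e in enumerate(chain) if i != 2]
    # (3) the newest records are dropped
    truncated = chain[:3]
    return {
        "intact": verify_chain(chain, anchor=anchor),
        "modified": verify_chain(modified, anchor=anchor),
        "deleted": verify_chain(deleted, anchor=anchor),
        "truncated": verify_chain(truncated, anchor=anchor),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:9s} -> {findings or 'intact'}")
```

An insider who also holds the MAC key can re-sign the chain, so the key and the anchor must sit with a party other than the one who writes the records.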
Workforce cybersecurity gap
Human factors play a significant role in information security.68 As railway maintenance is adopting new digital technologies, the expertise of the existing workforce must be upgraded. Workers must have a suitable level of cybersecurity education, experience, and training. Railway organizations must establish and maintain procedures, plans, and controls to create a cybersecurity culture, including cybersecurity training and awareness programs.
Budgets
Security is a difficult element to quantify and put a monetary value on. Therefore, it is difficult for security professionals to acquire the budget needed for a proper cybersecurity program. In many cases, because of budgetary constraints, remedies for vulnerabilities may not be implemented, making this one of the most critical challenges for railway operators.
Cybersecurity information communication gap
On the one hand, communicating cybersecurity information with external entities may lead to data leaks and malicious attacks. On the other hand, cybersecurity information sharing to collect and provide cybersecurity information can reduce risks and increase operational resilience. However, it is essential to strike the right balance between sharing and privacy.
Discussion
The use of digitization in railway maintenance can create increased vulnerability to cyber threats. It has been shown that cybersecurity activities are ongoing in the railway sector, one example being the CYRAIL14 project. Some cybersecurity practices and standards are available, but these are either organization specific or country specific. More advanced and proactive holistic standards/frameworks/models are required so that this sector is better prepared. In other words, there is a need to extend this work.
Fears about cybersecurity are slowing down the development of cloud-based solutions. According to a CSA report,63 the main barrier to faster cloud adoption is cloud security concerns, including possible data loss (57%), threats to data privacy (49%), and breaches of confidentiality (47%). Hackers have already targeted rail companies in Belgium, China, Denmark, Germany, Russia, South Korea, Sweden, Switzerland, the UK, and the US. Data show that 30% are malware attacks; 20% are cyber espionage/data steal attacks; 15% are DDoS attacks; and 35% are cybercrime, insider attacks, brute-force attacks, and hacking. The dominant cyber threat in the railway sector is from malware.
This paper identifies various cybersecurity challenges in railway eMaintenance. Attacks will have an impact on the data, thus influencing data-driven models and adversely affecting the maintenance decision-making process. However, in the transport sector, there is low cybersecurity awareness, and budgets often do not accommodate the required changes.16 The lack of cybersecurity education among the workforce is especially problematic, as the widespread adoption of IoT and other smart devices can expose organizations and individuals to new threats with enormous consequences. It is critical to ensure that the workforce of railway organizations using ICT-based maintenance is vigilant, fully aware of new and advanced cyber threats, and trained to follow cybersecurity practices at all times. Regular follow-up on reported threats and vulnerabilities, the installation of security patches or upgrades to close the security gaps left open by system vulnerabilities, and the adoption of more advanced and proactive cybersecurity standards are also required. In the near future, it will be possible to identify, prioritize, and address threats and vulnerabilities in near real time using security analytics and automation.
Conclusions
The paper discusses the literature, statistics, and challenges of cybersecurity, with an emphasis on the railway sector. The literature review shows that the most active sectors in cybersecurity are health, grid systems, and nuclear power. Despite some cybersecurity work in the railway sector, such as the “CYRAIL” project, more research and innovation is required. The statistics on cyber incidents show that the most common cyber-attack in the transportation and rail sector comes from malware. ICT-based railway maintenance is especially vulnerable to cyber threats; there is a need to find ways to minimize their effects while ensuring the availability of the railway services. The development of security analytics and automation will help to prevent security breaches and, if they occur, will help to quickly identify and respond to security events.
The paper also examines various cybersecurity challenges in railway eMaintenance, including the use of IoT and problems with access management, cloudification, railway complexity, interconnected infrastructure, budgets, etc. To overcome these challenges, railway organizations need to unite and communicate cybersecurity instances with each other. In addition, all organizations using ICT-based maintenance must be vigilant, fully aware, and trained to follow cybersecurity practices at all times.
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
ORCID iD
Ravdeep Kour http://orcid.org/0000-0003-0734-0959
Paper II
Cybersecurity for railways–A maturity model
Kour, R., Karim, R., & Thaduri, A. (2019). Cybersecurity for railways–A maturity model. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 0954409719881849.
Original Article
Cybersecurity for railways –A maturity model
Ravdeep Kour , Ramin Karim and Adithya Thaduri
Abstract
With the advancements in and widespread adoption of information and communication technologies in infrastructures, cyber-attacks are becoming more frequent and more severe. Advanced cybersecurity threats with automated capabilities are increasing in such sectors as finance, health, grid, retail, government, telecommunications, transportation, etc. Cyber-attacks are also increasing in railways with an impact on railway stakeholders, e.g. threat to the safety of employees, passengers, or the public in general; loss of sensitive railway information; reputational damage; monetary loss; erroneous decisions; loss of dependability, etc. There is a need to move towards advanced security analytics and automation to identify, respond to, and prevent such security breaches. The objective of this research is to reduce cyber risks and vulnerabilities and to improve the cybersecurity capabilities of railways by evaluating their cybersecurity maturity levels and making recommendations for improvements. After assessing various cybersecurity maturity models, the Cybersecurity Capability Maturity Model (C2M2) was selected to assess the cybersecurity capabilities of railway organizations. The contributions of this research are as follows. First, a new maturity level MIL4 (Maturity Indicator Level 4) is introduced in the C2M2 model. Second, the C2M2 model is adapted by adding advanced security analytics and threat intelligence to develop the Railway-Cybersecurity Capability Maturity Model (R-C2M2). The cybersecurity maturity of three railway organizations is evaluated using this model. Third, recommendations and available standards & guidelines are provided to the three railway organizations to improve maturity levels within different domains. In addition, they are given an action plan to implement the recommendations in a streamlined way. The application of this model will allow railway organizations to improve their capability to reduce the impacts of cyber-attacks and eradicate vulnerabilities. The approach can also be extended to other infrastructures with necessary adaptations.
Keywords
Cybersecurity, maturity level, Railway-Cybersecurity Capability Maturity Model, railway organizations, Cybersecurity Capability Maturity Model
Date received: 8 February 2019; accepted: 21 September 2019
Introduction
With the widespread adoption of information and communication technologies (ICT), cybersecurity has become a grave concern for many organizations. Previous work from this research identified various cybersecurity issues and challenges in the railway sector.1 Cyber-attacks are growing in intensity, threatening critical infrastructures and causing concerns about the safety of employees or the public in general; other concerns include loss of sensitive information, reputational damage, monetary loss, erroneous decisions, loss of dependability, etc.1
Proactive and synchronized efforts are required to strengthen and preserve critical infrastructures in this sector. Railway system architects, cybersecurity engineers, and information technology (IT) staff who support railway information systems must seriously consider cybersecurity to ensure that advances in maintainability, operational efficiency, and passenger experience are not jeopardized by cyber vulnerabilities. This is important because cybersecurity incident statistics from IBM2 show that the transportation sector is affected by numerous types of cyber-attacks: SQLi (SQL Injection), DDoS (Distributed Denial of Service), Watering Hole, XSS (Cross-Site Scripting), Malware, Brute Force, Misconfig, Phishing, etc. The cybersecurity incidents documented in railways (see the “Cyber threat to railway systems” section) clearly indicate that railway organizations must be prepared for major incidents.
Division of Operation and Maintenance Engineering, Lulea University of Technology, Lulea, Sweden
Corresponding author:
Ravdeep Kour, Division of Operation and Maintenance Engineering, Lulea Tekniska Universitet, Lulea 97187, Sweden.
Email: [email protected]
Proc IMechE Part F: J Rail and Rapid Transit 0(0) 1–20
© IMechE 2019
Article reuse guidelines: sagepub.com/journals-permissions
DOI: 10.1177/0954409719881849
journals.sagepub.com/home/pif
The main challenge in formulating the proposed model was that minimal work addresses the evaluation of the maturity of cybersecurity capabilities in critical sectors, with even less work in the railway sector. There are some examples of maturity models within the area of safety management in the rail industry3–5 but few standards refer to railway cybersecurity6 and the literature generally ignores cybersecurity maturity levels. In one exception, the European Union Agency for Network and Information Security7 analyzed the current maturity levels in the Industrial Control and Supervisory Control and Data Acquisition Systems across Europe and provided stakeholders with a set of recommendations to improve their practices, especially in critical sectors.
There is a need for railway organizations to estimate and evaluate the maturity of their cybersecurity programs, to become aware of the possible cybersecurity issues and vulnerabilities in their systems, formulate programmatic goals, and monitor improvements in achieving those goals. This type of evaluation will help organizations identify strengths and weaknesses in existing cybersecurity programs and suggest improvements. To this end, this study revised the Cybersecurity Capability Maturity Model (C2M2)8 by adding predictive security analytics (PSA)9,10 and threat intelligence11–14 to evaluate the maturity of a railway organization’s cybersecurity program. Railway organizations can use threat intelligence to increase their ability to sense potential threats; they will know their adversaries and their latest tactics and techniques. Gartner15 has defined predictive analytics as follows:
A form of advanced analytics which examines data or content to answer the question “What is going to happen?” or more precisely, “What is likely to happen?”, and is characterized by techniques such as regression analysis, forecasting, multivariate statistics, pattern matching, predictive modeling, and forecasting.
By applying PSA, railway organizations can predict cyber threats and proactively take effective security measures. PSA cannot predict the attack itself, but its early indicators can be identified to statistically predict potential future cyber threats.
The objective of this research was to reduce cyber risks and vulnerabilities and to improve the cybersecurity capabilities of railways. This can be achieved by introducing the C2M2 model to railways and demonstrating its efficacy in three railway organizations.
The scope of this research was to study the availability of cybersecurity maturity models and the adaptation of one specific model, C2M2, to evaluate the cybersecurity capabilities of railways. Its limitation was the restricted sample size; only three railway infrastructure owners participated because it was challenging to share cybersecurity data. They had the perception that by sharing their data, they increased the likelihood of attacks in the future. This model has not yet been applied to train operators. The questionnaire was sent to the people responsible for cybersecurity in three different railway infrastructure organizations. Due to confidentiality and privacy issues, their names are not specified; the outcome of the research and the research gaps were provided to the respective railway organizations.
The model can be applied by other railway organizations to improve their capability to reduce the impacts of cyber-attacks and eradicate vulnerabilities. With some adaptations, it may also be beneficial for other critical infrastructures.
The outline of the paper is as follows. First, it explains the need to evaluate the cybersecurity maturity level of railway organizations; this is followed by a timeline of cyber incidents in railways. Next, the research methodology used for the model review and selection and its applicability to the railways are discussed, and the process of evaluation and analysis is explained. Finally, the results are presented along with the recommendations that were given to the participating organizations to improve maturity levels in different domains.
Cyber threat to railway systems
Cybersecurity incidents have increased in the railway sector. Previous work on this research shows hackers have targeted rail companies in the UK, Germany, the US, Poland, South Korea, Denmark, and Sweden.1
For example, in 2003, a computer virus infected the computer system at CSX Transportation (a Florida railroad company) and disrupted railway signals for periods of 15 min to 6 h.16 In 2008, a 14-year-old electronics genius from Poland hacked a tram system and derailed a tram, which then collided with a tram coming in the opposite direction, injuring 12 people.17 In December 2011, a cyber-attack on a rail company’s computers disrupted railway signals for two days in the Pacific Northwest.18 In 2015, there was a cyber-attack on a South Korean subway system which led to data and information leaks,19 and a massive data breach in the Swedish Transport Agency which led to the leaking of private vehicle data.20 In July 2016, Darktrace, a private security company, discovered UK Rail was hit by at least four major data breaches in 2015. These breaches included cyber espionage attacks which involved entering computer systems dealing with government data and critical infrastructure to gather information.21 In another incident in May 2017, the railway passenger information system was affected by the WannaCry malware.22 In October 2017, the website of the Swedish Transport Administration (Trafikverket) was partially down as a result of a DDoS attack.23 In April 2018, the UK Great Western Railway reported that hackers had breached a small percentage of customer accounts in a Brute-Force/Credential Stuffing attack.24 In May 2018, Rail Europe announced a three-month data breach of credit cards and debit cards due to a malware attack.25 Also in May 2018, a massive DDoS attack on the Danish state rail operator (DSB) paralyzed some operations, including ticketing systems and the communication infrastructure.26 Figure 1 shows the timeline of these cybersecurity incidents.
Clearly, cybersecurity incidents have a major impact (e.g. financial loss, reputational and public confidence loss) on railway organizations. However, with the adoption of ICT, the vulnerability of railways to cyber threats has increased, exposing them to attacks from hacktivists, cyberespionage agents, criminals, and disgruntled insiders. Cyber-attacks can compromise the confidentiality of information, integrity and availability of IT and Operational Technology (OT) assets that support the efficient and consistent operation of railway systems.
On the one hand, railways use communication and signaling systems, e.g. European Rail Traffic Management System (ERTMS), to improve safety, increase efficiency, and enhance the cross-border interoperability of rail transport. On the other hand, turning the railway network digital and centrally controlled by using advanced ICT technology increases vulnerability to cyber threats that could possibly affect the safety of the entire railway system. Bloomfield et al.27 have conducted research on security-informed safety in rails. Overall, the argument of cybersecurity and railways is that safety is the top priority and security breaches incur safety risks. In addition to this, a wide area DDoS attack on the Global System for Mobile communication-Radio network could bring down the ERTMS/European Train Control System and cause maximum disruption and/or passenger discomfort.28 In addition, ICT devices and components are generally interdependent, and any weakness in one linked element in the system can compromise the security and dependability of railway systems.
The overall goal of this research is to reduce cyber risks and vulnerabilities and to improve the cybersecurity capabilities of railways. Risk is “A threat that exploits a vulnerability that may cause harm to one or more assets”.29 Railway assets can be servers, information, applications, databases, laptops, people, buildings, tracks, signaling systems, etc. Vulnerabilities are the exposure risks that a threat actor (person, organization, nation state) can exploit to damage railway assets. There are two types of cybersecurity risks in railway organizations: business risks and societal risks.30 Examples of business risks include loss of revenue, impact on reputation/loss of trust, non-compliance with regulations on data protection, risks to hardware and software, reliance on invalid information, and lack of security of dependencies. Examples of societal risks include public health and safety, unavailability of the railway service, disruption to society, environmental impact, and confidentiality and privacy. Railway organizations need to take a robust and holistic approach to cybersecurity to guard against cyber risks and attacks. The first step is to evaluate the maturity and capability of existing cybersecurity programs. Railway decision makers need to identify what their cybersecurity program can do to eliminate or reduce risks.
Research methodology
The first step was to review the literature on C2M2 models and identify the most relevant one for this research study. The results were analyzed and communicated to the corresponding senior and top management of the three railway organizations. Figure 2 shows the flowchart of the research methodology, starting with the review and selection of the cybersecurity model.
Based on the selected model, a questionnaire was prepared to test for an additional maturity level, Maturity Indicator Level 4 (MIL4). This maturity level includes practices of predictive and advanced security analytics. The questionnaire was the first contribution of this research. The questionnaire was sent to the railway organizations to fill in. An online mode was selected for responses. The next step was adapting R-C2M2 to evaluate the current cybersecurity status of the three organizations being studied, the second contribution of the research. After the maturity levels of the cybersecurity capabilities of these railway organizations were evaluated, the results were communicated in the form of recommendations and an action plan. This was the third contribution of the research. The research methodology is discussed in more detail below.
[Figure 1: timeline chart of cybersecurity incidents in railway organizations; years on the axis: 2003, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2017, 2018; incident categories in the legend: Malware, Cyber crime, Cyber Espionage/Data steal, Insider attack, DDOS, Brute-Force, Hacking.]
Figure 1. Timeline of cybersecurity incidents in railway organizations, adapted from Kour et al.1
Review and selection of the cybersecurity maturity model
Researchers are actively investigating security maturity models. Some authors31,32 have looked at the characteristics of the existing security maturity models and identified their strengths and weaknesses. There has also been a critical analysis of a comprehensive information security maturity model33 and a systematic review of the existing security maturity models from 2012 to 2017.34,35 Some of the best-known security models were reviewed for this research.
[Figure 2: flowchart of the research methodology. Steps: Start; 3.1 Cybersecurity Maturity Model Review and Selection (3.1.1 Model Identification, 3.1.2 Model Evaluation, 3.1.3 Model Selection, with 3.1.3.1 C2M2 and 3.1.3.2 R-C2M2 Model); 3.2 Evaluate Cybersecurity Program (Policies, Practices and Planning); 3.3 Analyze; 3.4 Results/Recommendations; decision “Needs Continuous Improvement” (YES loops back as Continuous Improvement, NO leads to End). Labelled outputs: Contribution 1, Questionnaire Based on Predictive Analytics (Introducing MIL4); Contribution 2, Adapted R-C2M2 Model; Contribution 3, Results/Recommendations.]
Figure 2. Flowchart of the research methodology.
Model identification. According to Howe,36 the most important security standard is NIST 800-53.37 It has evolved and has been updated regularly over the last 10 years and is part of the US government’s National Institute for Standards and Technology (NIST) Cybersecurity Framework.38 This framework defines security and privacy controls for the Federal Information Systems and Organizations. In addition, the ISO/IEC 27000-series,39 an information management security system standard, provides guidelines for establishing an information security management system; ISA99/IEC 6244340 focuses on Industrial Automation and Control Systems; ISO/IEC 1540841 lists criteria for computer security certification. The following maturity models identified in the literature provide a benchmark against which an organization can assess the current level of maturity of its practices, processes, and procedures:
• Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)42 and Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2)43 are tailored to the energy and oil and natural gas sectors.
• Community Cyber Security Maturity Model (CCSMM) provides guidance on responding to cyber threats at the community level and focuses on a specific area of an organization.44
• ISO/IEC 21827 or Systems Security Engineering Capability Maturity Model (SSE-CMM) is a standard metric for security engineering practices and is not focused on cybersecurity.45
• Control Objectives for Information and related Technology (COBIT) is an IT governance and control framework, focused on information security not cybersecurity.46
• National Initiative for Cybersecurity Education Capability Maturity Model (NICE)47 is focused on workforce development, process maturity, and operational resilience practices and does not offer specific cybersecurity best practices.
• NIST Cybersecurity Framework38 is a risk-based framework that provides guidelines for managing cybersecurity risks. Although the model provides an outline of the implementation process, there is little guidance beyond the following high-level concepts: prioritize and scope; orient; create a current profile; conduct a risk assessment; create a target profile; determine, analyze, and prioritize gaps; implement action plan.48
• C2M28 is a Cybersecurity Capability Maturity Model that focuses on cybersecurity and is to be implemented in conjunction with the NIST framework; it is very simple and comes in the form of a questionnaire.
• Citigroup’s Information Security Evaluation Maturity Model (ISEM)49 is one of the first models of maturity applied to information security. It focuses on security awareness and evaluation and has been used as a reference to develop other models of maturity applied to cybersecurity, but it is not currently applied in the industry.
• IBM Information Security Framework (IBM-ISF)50 is an information security framework that focuses on security gap analysis and helps organizations to determine their current security posture.
• Information Security Management Maturity Model (ISM3)51 is a commercial standard focused on information security management, risk assessment, and process integration.
Model evaluation. Based on the systematic review from 2012 to 2017 (Figure 3) conducted by Rea-Guaman et al.,35 the most relevant cybersecurity models are C2M2,8 CCSMM,44 SSE-CMM,52 and NICE.47 The review indicated that few maturity models focus on cybersecurity.
Table 1 shows in which literature the application of the said models is discussed. No literature can be found on the application of NICE-CMM47 and ISEM49 models for that period.
Table 2 compares the most relevant cybersecurity models. The models which follow the NIST framework38 are C2M2,8 ES-C2M2,42 ONG-C2M2,43 and CCSMM.44 ES-C2M242 and ONG-C2M243 are tailored for the electricity sector and the oil and natural gas sector, respectively. CCSMM44 is only focused on a specific area of an organization, while C2M28 is focused on the entire organization. C2M28 defines roles and responsibilities but CCSMM44 does not. Finally, C2M28, which is NIST framework38 compatible and cybersecurity oriented, is very simple and comes in the form of a questionnaire.
Model selection. Based on the evaluation, the C2M2 model8 was selected to evaluate the cybersecurity capabilities of railway organizations. The literature review also revealed that no work has been conducted to evaluate the cybersecurity maturity levels in railway organizations. Based on the model selection and dialogue with the railway organizations, we came to the conclusion that the C2M2 model is better suited to railways at the design and conceptual stages.
Table 1. Literature review of application of maturity models from 2017 to 2018.
Model     | Authors
C2M2      | Hosseini and Paul,53 Mylrea et al.,54 Ibrahim,55 Ingram and Martin,56 AXIO,57 Tripwire,58 and USEA59
CSF-NIST  | Hosseini and Paul,53 Mylrea et al.,54 Ibrahim,55 Ingram and Martin,56 Almuhammadi and Alsaleh,60 and Radziwill and Benton61
CCSMM     | Zhao and White62
SSE-CMM   | Siqueira et al.,63 Kurniawan and Riadi,64 and Mshangi et al.65
COBIT     | Drljaca and Latinovic,66 Laita and Belaissaoui,67 and Alencar et al.68
ISM3      | Open Group Standard69
[Figure 3: bar chart; x-axis “Year of usage” (2012 to 2018), y-axis “Number of applications” (0 to 18); series: C2M2, CSF-NIST, SSE-CMM, COBIT, ISM3, NICE-CMM, CCSMM, ISEM.]
Figure 3. Frequency of cybersecurity maturity models per year, modified from Rea-Guaman et al.35
C2M2 model: The C2M2 model8 was originally developed as a White House initiative under the Department of Energy in partnership with the US Department of Homeland Security in support of the Electricity Subsector Cybersecurity Risk Management Maturity Initiative.70 This initiative builds on existing work, models, and cybersecurity best practices and is associated with the Cyberspace Policy Review,71 Cross-Sector Roadmap for Cybersecurity of Control Systems,71 and Roadmap to Achieve Energy Delivery Systems Cybersecurity.72 The C2M2 model8 is organized into 10 domains, with each domain including a group of cybersecurity practices. The cybersecurity practices within each domain are structured into various objectives representing achievements within the domain. Table 3 describes the domains and their objectives.
The C2M2 model [8] defines four maturity indicator levels (MIL0 to MIL3), which are applied independently to each domain. An organization using C2M2 [8] may therefore hold different MIL scores in different domains.
At present, some railway organizations are a step behind because they patch their systems or configure protections only against known attacks and breaches. New threats, such as zero-day exploits, are by definition hard to detect and defend against in this way. Predictive security analytics (PSA) is needed to identify cyber threats proactively, before they cause losses. Railway organizations can use threat intelligence to improve their ability to sense potential threats: they learn who their adversaries are and what their latest tactics and techniques look like. By applying PSA, they can anticipate cyber threats and take effective security measures in advance. PSA cannot predict the attack itself, but early indicators can be identified and used to statistically predict potential future cyber threats. To incorporate threat intelligence and PSA, a new maturity indicator level, MIL4, is added to the C2M2 model [8] so that proactive measures can be taken against future threats (Figure 4).
MIL4 includes initial practices of predictive and advanced security analytics with automation tools and threat intelligence. These practices are more complete or advanced than those at MIL3. MILs are cumulative within each domain [8]: to earn an MIL in a given domain, an organization must perform all the practices at that level and at its predecessor level(s). For example, to earn MIL3, all practices at MIL1, MIL2, and MIL3 must be performed.
The C2M2 model [8] evaluates the performance of practices using a series of questions. Each question is answered in one of four ways: not implemented, partially implemented, largely implemented, or fully implemented. Answers of "largely implemented" or "fully implemented" receive credit for achieving a practice; an answer of "not implemented" or "partially implemented" prevents the MIL from being attained.
R-C2M2 model: The revised model, R-C2M2, was adapted from the C2M2 model [8]. R-C2M2 uses the C2M2 [8] domains and practices to evaluate the maturity of cybersecurity programs in railway organizations, but more practices were added to fit the needs
Table 2. Comparison of the Cybersecurity Capability Maturity Models, adapted from Rea-Guaman et al. [34].
Columns: Model; NIST framework compatibility; Cybersecurity oriented; Defining roles and responsibilities; Purposes and strengths.

C2M2 [8]: Yes; Yes; Yes; Assessment of implementation and management in critical infrastructure
ES-C2M2 [42]: Yes; Yes; Yes; Tailored to electricity sector
ONG-C2M2 [43]: Yes; Yes; Yes; Tailored to oil and natural gas sector
CCSMM [44]: Yes; Yes; No; Community effort and communication capability in communities
SSE-CMM [45]: No; No; Yes; Evaluation of software engineering processes
COBIT [46]: No; No; Yes; Measurement of the level of maturity in IT governance domain
NICE [47]: No; Yes; Yes; Workforce planning for cybersecurity best practices
ISEM [49]: No; No; No; Security awareness and evaluation
IBM-ISF [50]: No; No; Yes; Analysis of security gap between business and technology
ISM3 [51]: No; No; Yes; Prevention and mitigation of incidents and optimization of information, money, people, time, and infrastructure
6 Proc IMechE Part F: J Rail and Rapid Transit 0(0)
Table 3. Domain descriptions and objectives (C2M2 [8]).

Risk management (RM)
Description: Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization.
Objectives: Establish cybersecurity risk management strategy; manage cybersecurity risk; perform management activities.

Asset, change, and configuration management (ACM)
Description: Manage the organization's information technology (IT) and operations technology (OT) assets, including both hardware and software.
Objectives: Manage asset inventory; manage asset configuration; manage changes to assets; perform management activities.

Identity and access management (IAM)
Description: Create and manage identities for entities that may be granted logical or physical access to the organization's assets. Control access to the organization's assets.
Objectives: Establish and maintain identities; control access; perform management activities.

Threat and vulnerability management (TVM)
Description: Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities.
Objectives: Identify and respond to threats; reduce cybersecurity vulnerability; perform management activities.

Situational awareness (SA)
Description: Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information, including status and summary information from the other C2M2 domains, to form a common operating picture (COP).
Objectives: Perform logging; perform monitoring; establish and maintain a COP; perform management activities.

Information sharing and communications (ISC)
Description: Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience.
Objectives: Share cybersecurity information; perform management activities.

Event and incident response, continuity of operations (IR)
Description: Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events, and to sustain operations throughout a cybersecurity event.
Objectives: Detect cybersecurity events; escalate cybersecurity events and declare incidents; respond to incidents and escalated cybersecurity events; plan for continuity; perform management activities.

Supply chain and external dependencies management (EDM)
Description: Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities.
Objectives: Identify dependencies; manage dependency risk; perform management activities.

Workforce management (WM)
Description: Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel.
Objectives: Assign cybersecurity responsibilities; control the workforce life cycle; develop cybersecurity workforce; increase cybersecurity awareness; perform management activities.

Cybersecurity program management (CPM)
Description: Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities.
Objectives: Establish cybersecurity program strategy; sponsor cybersecurity program; establish and maintain cybersecurity architecture; perform secure software development; perform management activities.
of advanced security analytics. A new maturity indicator level, MIL4, covers the initial practices of predictive and advanced security analytics with automation tools and threat intelligence. Practices at MIL4 are more complete or advanced than those at MIL3. To attain MIL4, all the practices at MIL1, MIL2, MIL3, and MIL4 must be completed.
Today, huge amounts of data are generated in cybersecurity log files, allowing IT and security staff to understand whether systems are running normally or require attention. The security industry uses Security Information and Event Management (SIEM) solutions to aggregate and correlate events in order to gain insight; a single event is often noise, whereas multiple correlated events are often indicators of an incident. These indicators can be fed into machine learning and advanced analytics to extract further insight from the data. For example, advanced security analytics can help IT and security staff predict threat risks, allowing them to apply remedies in a timely fashion. Therefore, MIL4 is proposed for the R-C2M2 model.
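The correlation step described above, as an added example that is not code from the paper or from any SIEM product: a small rule that aggregates authentication events per source address and escalates only the sequence "several failed logins followed by a success", which no single line reveals. The sshd-style log lines are constructed for the example, and the window and failure threshold are assumptions a real deployment would tune.

```python
"""Minimal SIEM-style event correlation: parse log lines into events,
aggregate them per source, and emit an indicator when a correlated
sequence (>= min_failures failed logins within `window` before a
successful login from the same source) is observed. Sample log lines
and thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sshd-like log lines; the kernel line shows that unrelated
# records are skipped by the parser rather than breaking it.
SAMPLE_LOG = """\
2020-03-02T10:00:01 sshd: Failed password for operator from 10.1.5.20
2020-03-02T10:00:04 sshd: Failed password for operator from 10.1.5.20
2020-03-02T10:00:07 sshd: Failed password for operator from 10.1.5.20
2020-03-02T10:00:09 sshd: Failed password for admin from 10.1.5.20
2020-03-02T10:00:12 sshd: Failed password for root from 10.1.5.20
2020-03-02T10:00:15 sshd: Accepted password for operator from 10.1.5.20
2020-03-02T10:05:00 sshd: Failed password for maint from 10.1.9.7
2020-03-02T10:30:00 sshd: Accepted password for maint from 10.1.9.7
2020-03-02T10:31:00 kernel: link up on eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "src": m["src"],
            })
    return events


def correlate(events, window=timedelta(minutes=5), min_failures=3):
    """Return one indicator per successful login that was preceded, from
    the same source and within `window`, by at least `min_failures`
    failures. Each failure alone is noise; the sequence is the signal."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    indicators = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if not ev["ok"]:
                continue
            recent = [e for e in evs[:i]
                      if not e["ok"] and ev["ts"] - e["ts"] <= window]
            if len(recent) >= min_failures:
                indicators.append({
                    "rule": "failures-then-success",
                    "src": src,
                    "user": ev["user"],
                    "failures": len(recent),
                    "targeted_users": sorted({e["user"] for e in recent}),
                    "at": ev["ts"].isoformat(),
                })
    return indicators


def analyze(log_text=SAMPLE_LOG):
    """Parse and correlate in one call; returns the list of indicators."""
    return correlate(parse(log_text))


if __name__ == "__main__":
    for indicator in analyze():
        print(indicator)
```

On the constructed input, 10.1.5.20 produces one indicator (five failures against three accounts, then a success as "operator"), while 10.1.9.7 produces none: its single failure is below the threshold and outside the window. The same structure extends to other rules (for example, one source failing against many distinct accounts) by adding a second pass over `by_src`.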
The railway staff members who provided input on the R-C2M2 model were information and operational security staff, railway system architects, dedicated security staff, and senior people responsible for organizational strategies and policies. The revised model allows such staff to perform quick self-assessments of an organization's cybersecurity capabilities. In addition, during the study's assessment process, railway staff identified a number of cybersecurity issues that they had not previously considered. Addressing these issues and gaps can increase the maturity of the cybersecurity program supporting railway systems.
Evaluation of the current cybersecurity status
Various railway organizations around the world were contacted and asked whether they would evaluate the maturity levels of their cybersecurity capabilities for the study. Three agreed to participate. Their identities are confidential, and their detailed assessment data remain with the authors. For the assessment, a questionnaire based on the C2M2 model [8], extended with new practices related to advanced security analytics and threat intelligence, was prepared and sent to selected railway staff at these organizations. The staff generally included the railway system architect, information and operational security staff, and high-level managers from each organization.
Analysis of results
After staff evaluated their organization's cybersecurity capabilities, the data were analyzed using the C2M2 toolkit [8] with MIL4 added. The colored pie charts in Figure 5 illustrate the results for each of the 10 domains (see Table 3), along with the attained maturity levels. Some are discussed in more detail in the "Results and discussion" section; the more comprehensive results and detailed gap summaries remain with the authors for reasons of confidentiality.
Communication of results/recommendations
The assessed results, along with a detailed summary of gaps, recommendations, and an action plan, were communicated to the corresponding senior and top management of the participating railway
MIL0 Not Performed
• MIL1 has not been achieved in the domain
MIL1 Initiated
• Initial practices are performed, but may be ad hoc
MIL2 Performed
• Practices are documented
• Stakeholders are involved
• Adequate resources are provided for the practices
• Standards or guidelines are used to guide practice implementation
• Practices are more complete or advanced than at MIL1
MIL3 Managed
• Domain activities are guided by policy (or other directives)
• Activities are periodically reviewed for conformance to policy
• Responsibility and authority for practices are clearly assigned to personnel with adequate skills and knowledge
• Practices are more complete or advanced than at MIL2
MIL4 (Proposed)
• Initial practices of predictive and advanced security analytics with automation tools and threat intelligence are performed, but may be ad hoc
• Practices are more complete or advanced than at MIL3
Figure 4. Description of maturity indicator levels with proposed MIL4.
organizations so that they could set goals and priorities to enhance their cybersecurity programs.
Results and discussion
The results of this research comprise the attained maturity levels of the 10 domains in three railway companies, the derivation of recommendations, standards, and guidelines to improve the maturity levels of those domains, and an action plan for implementing the recommendations.
Results of the maturity indicator levels in different domains
Figure 5 shows 40 colored pie charts illustrating the results for each of the 10 domains, along with the practices and attained maturity levels, for one of the participating railway organizations, Railway 1. Bar lines in Figure 5 mark the attained MILs. The number in the center of each pie chart gives the total number of practices required for that maturity level. The pie charts use color-coding to show the answers.
Figure 5. Maturity indicator levels of Railway 1 along with practices.
Table 4. Results of the maturity indicator levels (MILs) for the three railway organizations.

Domain                                                   Railway 1   Railway 2   Railway 3
Risk management (RM)                                         1           3           4
Asset, change, and configuration management (ACM)            2           2           4
Identity and access management (IAM)                         3           4           4
Threat and vulnerability management (TVM)                    1           3           4
Situational awareness (SA)                                   1           2           4
Information sharing and communications (ISC)                 4           4           4
Event and incident response, continuity of operations (IR)   1           1           4
Supply chain and external dependencies management (EDM)      1           3           4
Workforce management (WM)                                    1           3           4
Cybersecurity program management (CPM)                       1           4           4
Table 5. Recommendations and available standards and guidelines to improve the maturity levels of cybersecurity in railway organizations.
Columns: Domain; Reasons for current status; Recommendations to improve MIL; Resources for improvement (frameworks/standards/guidelines/research literature).

RM
Reasons for current status:
– Undefined organizational risk criteria
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
RM1. Provide adequate resources (such as funding, people, and tools)
RM2. Define advanced cybersecurity analytics in the risk management policy and organizational risk criteria
RM3. Increase the skill level
RM4. Document an organization-specific risk taxonomy
RM5. Document, analyze, monitor, and predict identified risks according to the risk management strategy
Resources for improvement: AS 7770 [6], NIST Cybersecurity Framework [38], NIST SP 800-53 (Rev. 4) [37], UIC Guidelines for Cyber-Security in Railways [73], ISO 31000 [74], NIST 800-37 [75], APTA [76], NIST SP 800-39 [77], ISO/IEC 31010 [78], NIST SP 800-30 (Rev. 1) [79], ISO/IEC 27032 [80], risk management framework for cloud migration decision support (Islam et al.) [81], Goal-driven Software Development Risk Management Model (Islam et al.) [82], SECUR-ED [83], Rail Cyber Security Guidance to Industry [84], Rail Cyber Security Strategy [85], NIST SP 800-12 Revision 1 [86], ISO/IEC 27005 [87]

TVM
Reasons for current status:
– Threat profiles not established
– Few resources to support threat and vulnerability management activities
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
TVM1. Provide adequate resources (e.g. funding, people, and tools)
TVM2. Increase skill level
TVM3. Identify, analyze, and prioritize threats
TVM4. Establish threat profiles (e.g. intent, capability, and target) and monitor their information sources
TVM5. Perform informed analysis and prioritize threats according to the organization's risk criteria
TVM6. Apply predictive analytics to identify and respond to threats
Resources for improvement: NIST SP 800-53 (Rev. 4) [37], ANSI/ISA-62443 [40], ISO/IEC 21827 [52], UIC Guidelines for Cyber-Security in Railways [73], ISO/IEC 27032 [80], Rail Cyber Security Guidance to Industry [84], OCTAVE framework [88], EN 50159 [89], NIST SP 800-51 Rev. 1 [90], ISO/IEC 27001 [91], ISO/IEC 29147 [92], NIST SP 800-40 (Rev. 3) [93], ITSS_04 IT Security Standard [94], Minimum Cyber Security Standard [95], Framework for Vulnerability Detection in European Train Control Railway Communications (Arsuaga et al.) [96]

SA
Reasons for current status:
– Log data not aggregated
– Monitoring activities only partially integrated with other security processes (e.g. incident response, asset management)
– Indicators of anomalous activities only partially defined
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
SA1. Follow documented practices for logging, monitoring, and common operating picture (COP) activities
SA2. Provide adequate resources (e.g. funding, people, and tools)
SA3. Assign responsibility and increase skill level for logging, monitoring, and COP activities
SA4. Define, monitor, and categorize alarms based on anomalous activities
SA5. Establish methods for communicating cybersecurity information
SA6. Perform predictive analytics to enhance the COP
Resources for improvement: NIST SP 800-53 (Rev. 4) [37], ISO/IEC 27001 [91], Cyber situational awareness (Jajodia et al.) [97], Departmental Cybersecurity Policy (DOT Order 1351.37) [98], A cloud computing based architecture for cybersecurity situation awareness (Yu et al.) [99], Cybersecurity situational awareness (Tianfield) [100], Architecture for the Cyber Security Situational Awareness System (Kokkonen) [101], Collaborative cybersecurity situational awareness (Almualla) [102], Cyber-situation awareness: a visual analytics perspective (Mazumdar and Wang) [103]

IR
Reasons for current status:
– Partial follow-up of the risk register for event detection
– Low skill level
– Little coordination with external entities
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
IR1. Provide adequate resources (e.g. funding, people, and tools)
IR2. Increase skill level for incident response
IR3. Establish cybersecurity event escalation criteria and incident response strategies
IR4. Formulate a business impact analysis for continuity plans
IR5. Evaluate, learn from, and exercise continuity plans
IR6. Monitor incidents, identify bottlenecks, and improve incident response time
Resources for improvement: NIST SP 800-53 (Rev. 4) [37], UIC Guidelines for Cyber-Security in Railways [73], Rail Cyber Security Guidance to Industry [84], NIST SP 800-12 (Rev. 1) [86], ISO/IEC 27001 [91], Minimum Cyber Security Standard [95], Departmental Cybersecurity Policy (DOT Order 1351.37) [98], Handbook for computer security incident response teams (West-Brown et al.) [104], CYRAIL [105], Incident Response Frameworks (Thompson) [106], Cybersecurity incident detection systems and techniques (Garman et al.) [107], An event management framework to aid solution providers in cybersecurity (Leon) [108], Early detection of cyber-security threats (Narayanan et al.) [109]

EDM
Reasons for current status:
– Partial follow-up of the risk register for cybersecurity dependency risks
– Suppliers and other external entities not reviewed
– Inadequate resources
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
EDM1. Provide adequate resources (e.g. funding, people, and tools)
EDM2. Assign responsibility and increase skill level for dependency risk management
EDM3. Periodically monitor, review, and assess suppliers and other external entities
EDM4. Establish contractual agreements with suppliers that include cybersecurity requirements
EDM5. Identify dependencies using threat intelligence
Resources for improvement: UIC Guidelines for Cyber-Security in Railways [73], Rail Cyber Security Guidance to Industry [84], Rail Cyber Security Strategy [85], Minimum Cyber Security Standard [95], SAE International standard ARP9113 [110], ISO 28001 [111], Supply chain risk management and the software supply chain (Goertzel) [112], Cyber supply chain risk management (Boyson) [113], NIST SP 800-161 [114], ISO/IEC 27036 [115], Supply Chain Risk Management Framework for Virtual Enterprises (Blos and Hoeflich) [116], Cyber Security Supply Chain Risk Management Guidance (C-SCRM) [117], Supply chain security collection guidance (CPNI) [118]

WM
Reasons for current status:
– Partially defined risk designations
– Weak cybersecurity workforce
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
WM1. Provide adequate resources (e.g. funding, people, and tools)
WM2. Identify the cybersecurity skill gap
WM3. Set risk designations for accessing critical assets
WM4. Develop a cybersecurity culture, including cybersecurity training and awareness (also predictive analytics and threat intelligence programs to handle future threats)
WM5. Evaluate the training program for further improvements
WM6. Disciplinary action for those failing to follow cybersecurity rules and regulations
Resources for improvement: NIST SP 800-53 (Rev. 4) [37], UIC Guidelines for Cyber-Security in Railways [73], Rail Cyber Security Guidance to Industry [84], NIST SP 800-12 (Rev. 1) [86], Minimum Cyber Security Standard [95], Cybersecurity Workforce Framework (Shoemaker) [119], Cybersecurity workforce development (Janeja et al.) [120], Cybersecurity Workforce Development and the Protection of Critical Infrastructure (Chapman) [121], A Strategy for a Cybersecurity Culture (Gcaza and von Solms) [122], Building a stronger cybersecurity workforce (CSX) [123], The Future Cybersecurity Workforce (Dawson and Thomson) [124], Cybersecurity for the Nation: Workforce Development (Dill) [125], Novel approach for cybersecurity workforce development (Sharevski et al.) [126]

CPM
Reasons for current status:
– Inadequate funding
– Invisible and inactive senior management
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
CPM1. Provide adequate funding for the cybersecurity program
CPM2. Assign responsibility for the cybersecurity program
CPM3. Obtain senior management approval and sponsorship of the cybersecurity program strategy (CPS)
CPM4. Include predictive analytics in the cybersecurity program
CPM5. Align the CPS with the organization's objectives
CPM6. Update the CPS periodically
CPM7. Have the cybersecurity program independently reviewed periodically
Resources for improvement: NIST SP 800-53 (Rev. 4) [37], ISO/IEC 21827 [52], ISO/IEC 27005 [87], ISO/IEC 27001 [91], ISO 28001 [111], NIST/ITL Cybersecurity Program (O'Reilly et al.) [127], Cyber defense program against advanced threats (Donaldson et al.) [128], Developing a Cybersecurity Management Program (Taylor and Steele) [129], ANSI-ASQ National Accreditation Board (ANAB) accreditation program [130], Global Information Assurance Certification (GIAC) [131], Information Security Certifications (ISC)2 [132], Cloud Security Alliance (CSA) [133], National Cyber Security Alliance (NCSA) [134]

ACM
Reasons for current status:
– Partially defined asset inventory
– Lack of advanced analytics tools
Recommendations to improve MIL:
ACM1. The IT and OT asset inventory should be updated periodically, as defined by the organization
ACM2. Periodically review cybersecurity impacts of changes and reconfiguration of assets
ACM3. Periodically review predictive tools to detect and block unauthorized changes to OT and IT assets
Resources for improvement: NIST SP 800-53 (Rev. 4) [37], UIC Guidelines for Cyber-Security in Railways [73], ISO/IEC 27032 [80], ISO/IEC 27001 [91], Minimum Cyber Security Standard [95]

IAM
Reasons for current status:
– Lack of advanced analytics tools
Recommendations to improve MIL:
IAM1. Advanced analytics tools are recommended to analyze access data
Resources for improvement: NIST SP 800-53 (Rev. 4) [37], ISO/IEC 21827 [52], UIC Guidelines for Cyber-Security in Railways [73], NIST SP 800-12 (Rev. 1) [86], ISO/IEC 27001 [91], CYRAIL [105], Minimum Cyber Security Standard [95]

(continued)
Dark green signifies an answer of "fully implemented" and light green "largely implemented"; these are the positive answers for attaining an MIL [8]. Light red is "partially implemented" and dark red "not implemented"; these are the negative answers [8].
To see how to read Figure 5, look at the MIL2 pie chart for the risk management (RM) domain. Two practices are assessed as "fully implemented", six as "largely implemented", and five as "partially implemented". Those five "partially implemented" practices prevent the domain from attaining MIL2, and consequently MIL3 and MIL4. The same reading applies to the other MILs. Figure 5 shows the resulting MILs for Railway 1: seven domains at MIL1, one at MIL2, one at MIL3, and one at MIL4.
The pie charts also show that some practices at higher levels are fully implemented while practices at lower levels are not. It is important for railway organizations to start at the lower level, implement all of its practices, and only then move to the next level, because MILs are cumulative within each domain: to attain an MIL in a given domain, an organization must implement all of the practices at that level and at its predecessor level(s) [8].
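The scoring rules stated above (and in the earlier description of the C2M2 questionnaire) are small enough to write down exactly. The following is an added example, not code from the paper or from the C2M2 toolkit: it computes a domain's attained MIL from per-practice answers, treating "fully" and "largely implemented" as credit and applying the cumulative rule, and it reports how many practices per level block progress, which is the gap summary an assessor would hand back. The answer sets are constructed; the MIL2 counts mirror the Railway 1 RM reading above, while the practice counts at the other levels are assumptions and are not the organizations' assessment data.

```python
"""Attained maturity indicator level (MIL) of one domain under the C2M2
scoring rules quoted in the text: 'fully implemented' and 'largely
implemented' earn credit, 'partially implemented' and 'not implemented'
do not, and levels are cumulative, so a domain holds MILn only when
every practice at MIL1..MILn has credit. MIL4 is the level proposed for
R-C2M2. Answer sets below are constructed, not real assessment data."""

CREDIT = {"fully implemented", "largely implemented"}
NO_CREDIT = {"partially implemented", "not implemented"}
LEVELS = (1, 2, 3, 4)  # MIL1..MIL3 from C2M2 plus the proposed MIL4


def level_achieved(answers):
    """A level is achieved only if it has practices and all of them earn credit."""
    if not answers:
        return False
    for answer in answers:
        if answer in NO_CREDIT:
            return False
        if answer not in CREDIT:
            raise ValueError(f"unknown answer: {answer!r}")
    return True


def attained_mil(domain):
    """`domain` maps level -> list of answers for that level's practices.
    Walk upward and stop at the first level that is not fully credited,
    so credited practices above a blocked level do not count (cumulative)."""
    mil = 0
    for level in LEVELS:
        if not level_achieved(domain.get(level, [])):
            break
        mil = level
    return mil


def blocking_practices(domain):
    """Number of practices per level still lacking credit: the gap summary."""
    return {level: sum(1 for a in domain.get(level, []) if a in NO_CREDIT)
            for level in LEVELS}


def organization_profile(org):
    """`org` maps domain name -> domain answers; yields a Table 4 style row."""
    return {name: attained_mil(domain) for name, domain in org.items()}


# Constructed answers for the RM domain of Railway 1. MIL2 matches the
# Figure 5 reading in the text (2 fully, 6 largely, 5 partially implemented);
# the practice counts at MIL1, MIL3 and MIL4 are assumed, chosen so that
# credited practices exist at MIL3/MIL4 yet cannot count until MIL2 is complete.
RM_RAILWAY_1 = {
    1: ["fully implemented"] * 3,
    2: ["fully implemented"] * 2
       + ["largely implemented"] * 6
       + ["partially implemented"] * 5,
    3: ["fully implemented"] * 4 + ["not implemented"] * 2,
    4: ["fully implemented"] * 2,
}

if __name__ == "__main__":
    print("RM attained MIL:", attained_mil(RM_RAILWAY_1))  # 1
    print("practices lacking credit per level:", blocking_practices(RM_RAILWAY_1))
```

Because the walk stops at the first blocked level, the two fully implemented MIL4 practices in the constructed RM data contribute nothing to the score; closing the five MIL2 gaps is what would move the domain forward. `organization_profile` applied to all ten domains of an organization reproduces the per-railway column of Table 4.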
The reasons for the current status of the maturity levels within each domain are given in the second column of Table 5 (see the "Recommendations to improve maturity levels" section).
Combined results of the three railway organizations
Table 4 and the spider chart in Figure 6 show the maturity level results for the three railway organizations. The comprehensive results for the objectives and practices within each domain remain with the authors for reasons of confidentiality. Table 4 and Figure 6 indicate that seven domains of Railway 1 are at MIL1, one at MIL2, one at MIL3, and one at MIL4. Railway 2 has three domains at MIL4, four at MIL3, two at MIL2, and one at MIL1. The reasons for their current status are provided in Table 5, along with recommendations for improvement. All domains of Railway 3 have attained MIL4, an excellent assessment result.
The results indicate a general movement towards predictive and advanced security analytics. The evaluation results show that the identity and access management (IAM), cybersecurity program management (CPM), and information sharing and communications (ISC) domains of Railway 2 and Railway 3 have attained MIL4, but more work is required on the incident response (IR), situational awareness (SA), threat and vulnerability management (TVM), asset, change, and configuration management (ACM), RM, workforce management (WM), and external dependencies management (EDM) domains of Railway 1 and Railway 2. Notably, the ISC domain of all three railway organizations has attained MIL4; this indicates that these organizations
Table 5. (Continued)

ISC
Reasons for current status:
– MIL4 has been achieved by all three railway organizations under study
– This domain can be used as a reference by railway organizations seeking to improve cybersecurity information sharing
Recommendations to improve MIL: none (MIL4 attained)
Resources for improvement: NIST SP 800-53 (Rev. 4) [37], ANSI/ISA-62443 [40], ISO/IEC 21827 [52], UIC Guidelines for Cyber-Security in Railways [73], ISO/IEC 27032 [80], ISO/IEC 27001 [91], Minimum Cyber Security Standard [95], A framework for cybersecurity information sharing and risk reduction (Goodwin et al.) [135], NIST Computer Security Resource Center [136], US-CERT [137], ICS-CERT [138], Information Sharing and Analysis Organizations (ISAOs) [139], CIS [140]

RM: risk management; TVM: threat and vulnerability management; SA: situational awareness; IR: incident response; EDM: external dependencies management; WM: workforce management; CPM: cybersecurity program management; COP: common operating picture; IAM: identity and access management; ISC: information sharing and communications.
have maintained relationships with internal and external bodies to collect and provide cybersecurity information, including threats and vulnerabilities, in order to decrease cyber risks and increase operational resilience.
On the one hand, it is encouraging that every domain of Railway 1 and Railway 2 has at least attained MIL1; on the other hand, many domains are far from attaining MIL4. This assessment will help these railway organizations examine the gaps and move towards higher MILs. Note that all of these results are derived from self-assessment data provided by the railway organizations; the reliability of the data rests with the provider.
Organizations that have not attained the necessary maturity levels need to reconsider their cybersecurity programs in order to protect this critical infrastructure. A detailed summary of the identified gaps was sent to the respective railway organizations so that they could see their current level of maturity and take steps to close the gaps in their cybersecurity programs.
It was challenging for these organizations to share their cybersecurity data. They perceived that sharing the data would increase the likelihood of future attacks. However, if more railway organizations shared their cybersecurity data, a holistic cybersecurity approach to railway systems could be formulated. There is a need to communicate and unite to tackle cybersecurity, one of the biggest challenges facing critical infrastructures.
Recommendations to improve maturity levels
The maturity level results of the three railway organizations indicated a need to improve their cybersecurity capabilities.
Table 5 lists the reasons for the current maturity levels and provides a set of recommendations and other resources to improve cybersecurity. So that the companies could implement the recommendations in a streamlined way, an action plan was developed for each. The first column of Table 5 lists the 10 domains; the second gives the reasons for the low maturity level; the third provides a set of recommendations; the fourth provides available frameworks, standards, guidelines, and research literature.
Action plan
Many recommendations based on the C2M2 model [8] are listed in Table 5, and it would obviously be difficult for the railway organizations to prioritize and organize them. Accordingly, a quick action plan was developed for each company. After implementation of this action plan (Table 6 in Appendix 1), the cybersecurity program should be evaluated periodically to ensure that the desired improvements are achieved. With the implementation plan and periodic re-evaluation, the organizations will be able to identify further gaps in their cybersecurity programs. Re-evaluation of a cybersecurity program is a repetitive process.
The proposed plan shown in Appendix 1 is a demonstration plan for one year and, as such, provides guidance to the railway organizations. To see how the action plan works, consider the RM domain, where RM1 to RM5 are the recommendations to improve the maturity indicator level over months M1 to M12. The dark portions of RM1 and RM2 show that railway organizations should provide adequate resources and define advanced cybersecurity analytics in the risk management policy within the first two months. Implementation of recommendation RM3 (Table 5) starts in the third month and lasts four months. Similarly, implementation of RM4 and RM5 starts in the seventh and ninth month, respectively. Implementation of each recommendation proceeds in a similar way
Figure 6. Maturity level results for the three railway organizations. [Spider chart: one axis per domain, Risk Management (RM), Asset, Change, and Configuration Management (ACM), Identity and Access Management (IAM), Threat and Vulnerability Management (TVM), Situational Awareness (SA), Information Sharing and Communications (ISC), Event and Incident Response, Continuity of Operations (IR), Supply Chain and External Dependencies Management (EDM), Workforce Management (WM), Cybersecurity Program Management (CPM); radial scale 0 to 4 (MIL); series Railway 1, Railway 2, Railway 3.]
to close the identified gaps in the current cybersecurity programs. The plan can be elaborated further, and a more detailed plan can be developed based on discussions with the railway organizations.
Conclusions
Cyber-attacks are increasing in many sectors, including finance, health, power grids, retail, government, telecommunications, and transportation. Railway organizations are adopting ICT-based technologies, which exposes them to these attacks; therefore, they need to focus on cybersecurity. This research assessed the cybersecurity maturity capabilities of three railway organizations and found that only one was well prepared for cyber risks. The research identified the strengths and weaknesses in the existing cybersecurity programs of these organizations, suggested improvements in the form of recommendations, and provided a quick action plan for implementing the recommendations in a streamlined way. Since the case studies were carried out with real infrastructure owners, the outcome of the research and the gaps in their cybersecurity programs were explained to the respective railway organizations. Verification and validation of the framework will be addressed in future work.
Acknowledgements
The authors would like to acknowledge the contributions from Dr Janet Lin for the research idea and Dr Uday Kumar, Dr Phillip Tretten, Dr Mustafa Aljumaili, and Robert Beney for their valuable expertise.
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The authors would like to thank Lulea Railway Research Center (JVTC) for sponsoring the research work.
ORCID iDs
Ravdeep Kour https://orcid.org/0000-0003-0734-0959
Adithya Thaduri https://orcid.org/0000-0002-1938-0985
Appendix 1
Table 6. Example of cybersecurity quick action plan for vision 2020.
Columns: Domain; Recommendation#; months M1 to M12 for vision 2020 (the gray shading of the month cells is not recoverable in this text version).
RM: RM1, RM2, RM3, RM4, RM5
TVM: TVM1, TVM2, TVM3, TVM4, TVM5, TVM6
SA: SA1, SA2, SA3, SA4, SA5, SA6
IR: IR1, IR2, IR3, IR4, IR5, IR6
EDM: EDM1, EDM2, EDM3, EDM4, EDM5
WM: WM1, WM2, WM3, WM4, WM5, WM6
CPM: CPM1, CPM2, CPM3, CPM4, CPM5, CPM6, CPM7
ACM: ACM1, ACM2, ACM3
IAM: IAM1
ISC: MIL4 has been achieved
RM: risk management; TVM: threat and vulnerability management; SA: situational awareness; IR: incident response; EDM: external dependencies management; WM: workforce management; CPM: cybersecurity program management; IAM: identity and access management. Gray shades represent the approximate time suggested in months (M1–M12) to complete suggested recommendations.
Paper III
Railway Defender Kill Chain to Predict and Detect Cyber-Attacks
Kour, R., Thaduri, A., & Karim, R. (2020). Railway Defender Kill Chain to Predict and Detect Cyber-Attacks. Journal of Cyber Security and Mobility, 9(1), 47-90.
Railway Defender Kill Chain to Predict and Detect Cyber-Attacks
Ravdeep Kour∗, Adithya Thaduri and Ramin Karim
Division of Operation and Maintenance Engineering, Lulea University of Technology, 97187 Lulea, Sweden
E-mail: [email protected], [email protected], [email protected]
∗Corresponding Author
Received 04 August 2019; Accepted 26 November 2019; Publication 14 December 2019
Abstract
Most organizations focus on intrusion prevention technologies, with less emphasis on prediction and detection. This research looks at prediction and detection in the railway industry. It uses an extended cyber kill chain (CKC) model and an industrial control system (ICS) cyber kill chain for detection and proposes predictive technologies that will help railway organizations predict and recover from cyber-attacks. The extended CKC model consists of both internal and external cyber kill chains; breaking the chain at an early stage will help the defender stop the adversary's malicious actions. This research incorporates an OSA (open system architecture) for railways with the railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) architecture. The railway cybersecurity OSA-CBM architecture consists of eight layers; cybersecurity information moves from the initial level of data acquisition to data processing, data analysis, incident detection, incident assessment, incident prognostics, decision support, and visualization.
The main objective of the research is to predict, prevent, detect, andrespond to cyber-attacks early in the CKC by using defensive controls calledthe Railway Defender Kill Chain (RDKC).
The contributions of the research are as follows. First, it adapts and modifies the railway cybersecurity OSA-CBM architecture for railways. Second, it adapts the cyber kill chain model for the railway. Third, it introduces the Railway Defender Kill Chain. Fourth, it presents examples of cyber-attack scenarios in the railway system.
Journal of Cyber Security and Mobility, Vol. 9 1, 47–90. doi: 10.13052/jcsm2245-1439.912
This is an Open Access publication. © 2019 the Author(s). All rights reserved.
Keywords: Cybersecurity, cyber kill chain, railway, cyber-attack, OSA-CBM, predict.
1 Introduction
The railway is a complex system which consists of railway infrastructure and rolling stock. Railway infrastructure is divided into technical subsystems, including signalling system, track, electrical system, and telecommunication system [1]. Rolling stock consists of both powered and unpowered vehicles that move on the rail track. Supervisory Control and Data Acquisition System (SCADA) is an operational technology (OT) that provides centralized monitoring and control of the railway system. It is designed to collect field information (such as the status of the trains, signal systems, traction electrification systems, and ticket vending machines) and transfer it to operator consoles at an HMI (Human Machine Interface) station at the rail control center [2]. The received information is displayed graphically or textually, thereby allowing the operator to monitor or control the railway system from a central location in near real time. The SCADA system also sends high-level operator commands to the rail section components based on condition monitoring (e.g., stopping a train to prevent it from entering an area that has been determined to be flooded or occupied by another train) [2]. Figure 1 shows subsystems of a railway system.
The convergence of the railway system with Information Technology (IT) and Operational Technology (OT) has brought significant benefits in reliability, maintainability, operational efficiency, capacity and passenger experience, as the use of Internet-connected sensors and devices can provide timely and accurate information about the physical world. The railway is adapting Information and Communication Technology (ICT) to take advantage of cloud technology to integrate, analyze and visualize data for effective decision-making [3]. European Union and Shift2Rail [4] programs have proposed to include ICT in transportation because they expect potential benefits. Railway maintenance data can be collected and integrated within the cloud computing infrastructures to facilitate condition-based maintenance (CBM), a strategy that predicts future failures based on the condition of an asset; in CBM, maintenance actions are performed on the defective elements only [5]. However, these innovative developments are not without risks. Transfer of data from the field to the cloud causes some concern, as adversaries can attack network, servers and communication channels. Subramanian and Jeyaraj [6] have explored various security challenges faced by cloud service providers, data owners, and cloud users.
Figure 1 The Railway system. (Diagram of the railway system and its subsystems: signalling, ICT, tracks, bridges, tunnels, electrification, rolling stock, databases and SCADA.)
NATO (North Atlantic Treaty Organization) ranks phishing and malware cyber-attacks among its greatest concerns [7]. According to Patel [8], one of the top cyber threats is phishing scams. Other threats are: ransomware attacks (like WannaCry), system vulnerability due to unchecked gaps (nearly 50% of alerts and logs are never investigated), new threats and dangers from and to AI (Artificial Intelligence) powered systems, and human weaknesses [9–12]. In 2018, HelpSystems [13] surveyed more than 600 IT and cybersecurity professionals to determine the main cybersecurity risks and mitigation strategies. It found the top five cyber-threats were ransomware, phishing, weak/stolen credentials, system misconfigurations, and unsecure file transfers [13]. Hackmageddon [14] lists malware, account hijacking, unknown attacks, targeted attacks and vulnerability as threats and says such attacks are growing. Worldwide statistics show the dominant type of cyber-attack is a malware attack, including in the railway [15]. 'Unknown' cyber-attacks, which means the reason for an attack is unknown, are increasing as well. These unknown attacks are even more dangerous because we do not know the motives for them. Targeted attacks are also increasing day-by-day. According to Symantec [16], Formjacking was a breakthrough threat in 2018; it uses malicious code to steal credit card details and other information from a payment form submission. As the railway is being digitalized, all these types of attack can occur. The railway requires a cyber-resilient system to counteract malware and advanced persistent threats (APT) to continue in the case of an attack. NIST says an APT is:
50 R. Kour et al.

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat:
(i) pursues its objectives repeatedly over an extended period of time;
(ii) adapts to defenders’ efforts to resist it; and
(iii) is determined to maintain the level of interaction needed to execute its objectives.” [17]
The cyber kill chain (CKC) is one of the most widely used frameworks to detect cyber-attacks in an IT network; it is based on the kill chain tactic of the US military’s F2T2EA (find, fix, track, target, engage and assess) [18]. An extension of this kill chain concept has been proposed to gather threat intelligence by allowing the attacker to continue his activities even after he is detected [19]. The gathered threat intelligence can be used to detect future advanced persistent threats. Mrabet et al. [20] have identified four steps used by attackers to attack and gain control of a smart grid: reconnaissance, scanning, exploitation, and maintaining access. The IT CKC model has been expanded and improved for use in industrial control systems (ICS) as the ICS Cyber Kill Chain, to understand attackers’ activities and provide effective security measures [21]. Researchers are analyzing cyber-attacks by applying the ICS cyber kill chain [21]; one example of such research is an analysis of a cyber-attack on the Ukrainian power grid [22]. The railway is converging IT and OT technologies, so similar types of cyber-attacks can happen here as well. Thus, as an initial step, instead of going into detail on different kill chains, this research applies Lockheed Martin’s (LM) CKC model [18, 23], the ICS cyber kill chain [21, 24] and the extended cyber kill chain [25] model to the railway to detect cyber-attacks. Lockheed Martin’s (LM) CKC model [18, 23] has a seven-stage attack path. It is very important to break this path or chain at any stage using defensive controls instead of focusing on defending the organization’s perimeter alone. It is always beneficial to break the chain as early as possible. The disadvantage of LM’s CKC (the external cyber kill chain) is that it does not fully address insider threats. Therefore, this research adapts the extended cyber kill chain [25] to be able to consider internal threats as well.
Railway Defender Kill Chain to Predict and Detect Cyber-Attacks 51

Hence, the main objective of this research is to predict, prevent, detect and respond to cyber-attacks early in the chain by using the proposed Railway Defender Kill Chain (RDKC). RDKC uses cybersecurity controls, technologies, standards, and defenses to mitigate security risks that can be characterized in terms of threats that could cause harm to railway assets. Northcutt [26] defines security controls as “technical or administrative safeguards or countermeasures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk”. Understanding each phase of the chain will help the analyst and incident responder identify proper courses of defensive action. The US Department of Defense [27] has identified six basic tactics: detect, deny, disrupt, degrade, deceive and destroy. Hutchins et al. [28] say these tactics can be used to design a course of action (CoA) matrix to detect, deny, disrupt, degrade, deceive and destroy the effectiveness of the adversary’s events along the kill chain phases. This research uses a CoA matrix called the RDKC matrix that considers DoD’s [27] courses of action, along with additional courses of action, i.e., predict, prevent, and respond and recover, in addition to the CKC phases. These CoAs are used in the RDKC matrix as defensive controls. As mentioned above, the scope of this research is limited: it does not go into detail on the various kill chain models. Rather, it applies a combination of the external cyber kill chain, extended cyber kill chain, and ICS cyber kill chain models to the railway as an initial step.
2 State of the Art of Currently Used Technologies in Railway
Many activities related to cybersecurity in the railway are ongoing, for example, the CYbersecurity in the RAILway (CYRAIL) project, a Shift2Rail sub-project [4]. Thales [29] is supporting the Shift2Rail program of the European Commission by participating in the development of CERTs (computer emergency response teams). According to the European Union (EU) Shift2Rail project report [30], the currently used security technologies in railway are divided into three parts: network security, signalling security and deployment security. The details of these security technologies are provided in the EU report [30], and the list is given below:
• Virtual private networks (VPN)
• Wavelength-division multiplexing (WDM)
• Cryptography (PE26)
• Firewall
• Demilitarized Zone (DMZ)
• Intrusion detection systems and intrusion prevention system
• Network segmentation
• Redundancy
• Internal and external intrusion tests
• Contingency plans for cyber attack
• Adoption of security standards
• Real-time functional monitoring system
• Double check of received commands by onboard units
• Network intrusion detection system/host intrusion detection system that checks the signalling traffic
• Intrusion tests
• Collaboration with national Community Emergency Response
• Software and hardware testing
• White box policy
The Shift2Rail project report [30] also provided a list of cybersecurity standards that should be considered and tailored with respect to the security requirements for the railway system. In addition to these technologies and standards, some railway-specific cybersecurity standards, practices, and guidelines are also available [15]. Furthermore, some private sector resources for sharing cybersecurity information can be used by railways to enhance their cybersecurity capabilities. These resources can be NIST Computer Security [31], ICS cyber emergency response teams [32], US Computer Emergency Readiness Team (US-CERT) [33], Information Sharing and Analysis Organizations (ISAOs) [34], the Public Transportation Information Sharing and Analysis Center (PT-ISAC) [35], CIS® (Center for Internet Security, Inc.) [36], and the Minimum Cyber Security Standard [37].
At the point of publication of this research, there is only one research article related to the application of the ICS cyber kill chain; it consists of a multiple-scenario ICS testbed for a thermal power plant, rail transit, smart grid, and intelligent manufacturing with two typical attack scenarios [38]. Modified versions of the cyber kill chain model have, however, been applied in other domains like multimedia service environments [39], Internet-of-Things (IoT) systems [40], security information and event management (SIEM) software [41], and cyber-physical systems [42]. The proposed framework in this research is an attempt to integrate all these existing technologies, standards, frameworks, models, and methodologies to detect and minimize the risks of cyber-attacks and to communicate cybersecurity information in the railway system. In addition to this, our proposed framework will provide defensive controls at each stage of the IT and OT/ICS cyber kill chains.
3 Conceptual Methodology and Framework
3.1 Unified Extended Cyber Kill Chain and ICS Cyber Kill Chain
The cyber kill chain (CKC) is one of the most widely used frameworks for the identification, prevention and detection of advanced persistent cyber threats [43–47]. Some researchers have proposed methodologies to detect cyber threats early in the stages of the CKC [48, 49]. The cyber kill chain is focused on malware-based intrusion and APTs [50]. The CKC model has been expanded and improved for use in industrial control systems (ICS) and for internal threats, i.e., the ICS cyber kill chain [21, 24] and the extended cyber kill chain [25] respectively. A combination of both these kill chains can be applied in the railway (Figure 2).
3.1.1 External cyber kill chain model
An initial CKC model was developed by Lockheed Martin [18, 23] to model an attack on the corporate network. The seven stages of this model are:
• Reconnaissance: The first stage of the model, one of the most difficult stages to detect from a security monitoring perspective, is the planning stage of the cyber-attack. The adversary searches for and gathers information about the organization’s background, resources, and individual employees through social sites, conferences, blogs, mailing lists and other network tracing tools [51]. The collected information is useful in the later stages to deliver the payload (the actual intended message that performs the malicious action) to the target system.
• Weaponize: The second stage of the model is the operation preparation stage. This stage involves the coupling of a remote access Trojan (RAT) with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer) [28]. Detailed information related to RATs and exploits is well explained by Yadav and Rao [52].
• Delivery: The third stage of the model is the operation launch stage, when an organization can implement technology as a mitigating control [49]. At this stage, the weapon is transmitted to the targeted environment.
• Exploitation: At this stage, the exploit is triggered to silently install/execute the delivered payload. The most frequent exploits target operating system, network and application/software level vulnerabilities [52]. One of the most popular viruses, WannaCry, uses an operating system exploit.
• Installation: This stage involves the installation of back-door remote access Trojans (RATs) and the maintenance of persistence inside the targeted environment. The techniques used by malware authors to install a back door include anti-debugger and anti-emulation, anti-antivirus, rootkit and bootkit installation, targeted delivery and host-based encrypted data exfiltration [52].
• Command & Control (C2): After the successful installation of a back door, the adversary tries to open a two-way communication channel to enable the attacker to control the targeted environment remotely. Once the C2 channel is established, the adversary has “hands on the keyboard” access inside the targeted environment.
• Act on Objective: In the last stage of the model, the adversary achieves the desired attack goals. These goals can be a loss of confidentiality, integrity or availability of the assets. Velazquez [49] says an APT threat actor may live in an organization for years until detected.

Figure 2 Unified extended cyber kill chain [25] and ICS cyber kill chain [21, 24].
According to Heckman [53], the pre-exploit steps offer opportunities for intrusion detection and mitigation, and the post-exploit steps offer opportunities to deploy incident response and forensics. Cyber forensics or computer forensics is defined as “the science of locating, extracting and analyzing types of data from different devices, which specialists then interpret to serve as legal evidence” [54]. Incident response helps defenders detect and respond to breaches with minimal potential damage. Previous research has provided recommendations to railway organizations to improve the event and incident response domain, which can further improve their capabilities to reduce the impacts of cyber-attacks and eradicate vulnerabilities [55].
3.1.2 Internal cyber kill chain
The internal cyber kill chain is part of the extended cyber kill chain [25]. It consists of almost the same steps as the external kill chain, but each is preceded by the word internal [25]. The internal cyber kill chain follows a chain of steps to gain access to the ICS system, move from workstations to servers using privilege escalation, move laterally within the network, and then manipulate individual targeted machines [25] (Figure 2). Considerable work has already been done on ICS security [2, 56–58].
3.1.3 ICS cyber kill chain
After gaining knowledge of the corporate network (external cyber kill chain) and the ICS system (internal kill chain), the attacker starts developing a specific attack tool for the ICS system and validates it for reliable impact. After successful testing, the attacker delivers the tool, installs it, and executes the attack [21] (Figure 2).
3.2 Railway cybersecurity OSA-CBM overview
The proposed railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) framework delivers cybersecurity information from a technological point of view. This cybersecurity information flow is strongly related to the open system architecture for condition-based maintenance, developed in accordance with the functional specifications of ISO-13374 on the condition monitoring and diagnostics of machinery [59]. It is considered one of the most important standards of eMaintenance systems [60]. The railway sector also advocates Smart Maintenance Initiatives [61] and uses ICT in maintenance to develop artifacts (e.g. frameworks, tools, methodologies, and technologies) to support maintenance decision-making [62]. The adoption of ICT in railway maintenance makes it vulnerable to cyber threats. Thus, there is a need for standards or frameworks that can help minimize these threats.
The OSA-CBM standard can be modified and adapted for use in the railway to deliver cybersecurity information. The modified cybersecurity OSA-CBM architecture has eight layers: cyber events data acquisition, data processing, data analysis, incident detection, incident assessment, incident prognostics, decision support, and visualization. Table 1 shows the mapping between OSA-CBM based on the ISO-13374 standard and the cybersecurity information delivery system (modified cybersecurity OSA-CBM architecture).

Table 1 A mapping between OSA-CBM based on ISO-13374 standard and cybersecurity information delivery system (modified cybersecurity OSA-CBM architecture)

OSA-CBM layer: Data Acquisition
Description: Provides the CBM system with digitized sensor or transducer data.
Railway Cybersecurity OSA-CBM layer: Data Acquisition
Description: Provides the railway system with cyber event occurrence data that can be acquired from internal and external threat intelligence, network traffic and from the history of cyber event logs.

OSA-CBM layer: Data Manipulation
Description: This step corresponds to the data preparation stage in a normal data mining process. Techniques such as data cleansing, feature selection, feature extraction, and standardization can be applied to process the raw data for analysis.
Railway Cybersecurity OSA-CBM layer: Data Processing
Description: This layer involves all the activities to build a final dataset from the first raw data. For example, each IP address is stored in the dotted-quad notation or each IP address has been geo-located into the latitude and longitude pair, but they are in a single field separated by a comma.

OSA-CBM layer: (no counterpart)
Railway Cybersecurity OSA-CBM layer: Data Analysis
Description: This layer involves the analysis of data like user behavior analytics, network behavior analytics, and end-point analytics by using machine-learning algorithms. The predicted results are fed back to the data sources and used during the detection phase of the architecture.

OSA-CBM layer: State Detection
Description: This step focuses on comparing data with expected values or control limits; an alert is triggered if these limits are exceeded.
Railway Cybersecurity OSA-CBM layer: Incident Detection
Description: This layer involves the application of RDKC for the detection of cyber incidents within the railway system.

OSA-CBM layer: Health Assessment
Description: The focus of this step is to prescribe if the health in the monitored system has degraded. This should be able to generate diagnostic records and propose fault possibilities.
Railway Cybersecurity OSA-CBM layer: Incident Assessment
Description: This layer is a proactive approach with a focus on prevent and prepare. This step performs a qualitative assessment of cybersecurity incidents with cause-effect analysis and lessons-learned activities and focuses on determining the level or severity of the cyber events. It should also consider the trends of event history along with its operational context. Thus, it will help to predict early indicators to statistically predict potential future cyber-threats.

OSA-CBM layer: Prognostics
Description: The focus of this step is to calculate the future health of an asset and report the remaining useful life (RUL) of that asset.
Railway Cybersecurity OSA-CBM layer: Incident Prognostics
Description: This layer involves the use of machine learning prognostic models to analyze or monitor future cyber incidents on the system and estimate the remaining secure life of the system based on cyber-attacks on the system.

OSA-CBM layer: Advisory Generation
Description: Its focus is to generate recommended actions and alternatives based on the predictions of the future states of the asset.
Railway Cybersecurity OSA-CBM layer: Decision Support
Description: This layer involves recommendations and remedial actions based on the predictions of the future states of the system. These actions may include the immediate shutdown of the system, using back-ups or use of antivirus, etc. Examples of some of the available decision support systems in the cybersecurity domain are Nexpose, Nessus Home, Security System Analyzer 2.0 Beta, Open Vas, Saint8, Nmap, eEye Retina, QualysGuard, and nCircle IP360.

OSA-CBM layer: Presentation
Description: This step provides an interactive human-machine interface (HMI) to visualize pertinent data, information and results obtained in previous steps.
Railway Cybersecurity OSA-CBM layer: Visualization
Description: This layer involves an interactive human-machine interface (HMI) that facilitates visualization of analyzed cybersecurity information by qualified personnel.
Figure 3 shows the proposed cybersecurity information delivery framework to identify, predict, prevent and detect cyber threats and communicate them to internal and external railway organizations.

This research integrates existing technologies, standards, frameworks, models, and methodologies to minimize the risks of cyber-attacks in the railway system. To capture the dynamically changing trend of cyber events, vast amounts of data can be collected via network traffic, threat intelligence and historical cyber event logs using various data sources and technologies, as shown in Figure 3. The extended cyber kill chain and ICS cyber kill chain can be applied to detect cyber incidents, along with various data analysis techniques (e.g., machine learning, data mining, etc.), to assess and predict cyber incidents within the railway system, thereby feeding the decision support system.

There is a feedback loop after cyber incidents are detected; countermeasures can be reconsidered to minimize similar types of future cyber-attacks. As we move towards the 2020s, cyber-attacks are rapidly adopting new techniques and strategies to circumvent new security measures and evade detection. There is a need to shift towards a type of resilience that has the ability to recover quickly from adversities, including advanced security solutions like automated anomaly detection, cloud-based back-ups, disaster recovery services, security-by-design, and self-healing.

This research uses the railway as a case study and proposes a cybersecurity framework adapted and modified from the OSA-CBM framework. It also proposes a railway defender kill chain (RDKC) that offers defensive controls at each stage of LM’s cyber kill chain, the extended cyber kill chain, and the ICS cyber kill chain. RDKC involves defense-in-depth security, cybersecurity standards and resources, and an RDKC matrix. The RDKC matrix is explained in the results section.
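As an added example, not code from the thesis, the following Python sketch runs the modified cybersecurity OSA-CBM layers of Table 1 over a constructed event log: the data processing layer splits the mixed IP / latitude-longitude source field that Table 1 mentions, incident detection maps alerts onto the external cyber kill chain stages, incident assessment scores how far along the chain each host got, and decision support looks up controls taken from the RDKC matrix of Table 2. The alert names, host names, addresses and the alert-to-stage mapping are constructed assumptions; the machine-learning based data analysis and prognostics layers are left out.

```python
"""Added example (not the thesis's code): the modified cybersecurity OSA-CBM
layers of Table 1 run over a constructed railway cyber-event log."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# External cyber kill chain stages (Lockheed Martin), in attack order.
CKC_STAGES = ["Reconnaissance", "Weaponize", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Act on Objective"]

# Constructed mapping from detector alert types to the CKC stage they indicate;
# Weaponize happens on the adversary's side, so no sensor event maps to it.
EVENT_TO_STAGE = {
    "port_scan": "Reconnaissance",
    "phishing_attachment": "Delivery",
    "exploit_signature": "Exploitation",
    "new_persistence_service": "Installation",
    "c2_beacon": "Command & Control",
    "bulk_data_exfil": "Act on Objective",
}

# Excerpt of controls per CKC stage from the RDKC matrix (Table 2); the full
# matrix also places each control under a course of action, omitted here.
RDKC_EXCERPT = {
    "Reconnaissance": ["NIDS", "SIEM", "Denial of port scanning", "Firewall ACL"],
    "Delivery": ["NIPS", "Proxy Filter", "Anti-virus",
                 "Prohibit the use of USBs on railway critical systems"],
    "Exploitation": ["HIDS", "Patch and update the system",
                     "Isolation of infected devices"],
    "Installation": ["Application Whitelisting", "EDR",
                     "Configuration auto-rollback"],
    "Command & Control": ["Correlate network traffic against known IoCs",
                          "Whitelisting firewall", "DNS redirect"],
    "Act on Objective": ["Data loss prevention (DLP) technology",
                         "Outbound ACL", "Log analysis"],
}

# Constructed sample log, one record per line: timestamp|host|source|alert.
# The source field holds either a dotted-quad IP or a geo-located "lat,lon"
# pair in one comma-separated field, as Table 1 describes for data processing.
RAW_EVENTS = """\
2020-03-01T08:00:00Z|tms-ws-01|198.51.100.7|port_scan
2020-03-01T08:05:00Z|tms-ws-01|198.51.100.7|port_scan
2020-03-01T09:10:00Z|maint-ws-03|51.51,-0.12|phishing_attachment
2020-03-01T09:12:00Z|maint-ws-03|51.51,-0.12|exploit_signature
2020-03-01T09:15:00Z|maint-ws-03|10.0.5.3|new_persistence_service
2020-03-01T09:30:00Z|maint-ws-03|203.0.113.9|c2_beacon
2020-03-01T10:00:00Z|scada-hmi-02|10.0.7.2|heartbeat
"""

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class CyberEvent:
    ts: str
    host: str
    ip: Optional[str]                   # set when the source field was an IP
    geo: Optional[Tuple[float, float]]  # set when it was a lat,lon pair
    kind: str

def acquire(raw: str) -> List[List[str]]:
    """Layer 1, cyber events data acquisition: read raw records from the log."""
    return [line.split("|") for line in raw.splitlines() if line.strip()]

def process(records: List[List[str]]) -> List[CyberEvent]:
    """Layer 2, data processing: build a clean dataset by splitting the mixed
    IP / 'lat,lon' source field into typed attributes."""
    events = []
    for ts, host, source, kind in records:
        if DOTTED_QUAD.match(source):
            events.append(CyberEvent(ts, host, source, None, kind))
        else:
            lat, lon = (float(part) for part in source.split(","))
            events.append(CyberEvent(ts, host, None, (lat, lon), kind))
    return events

def detect(events: List[CyberEvent]) -> Dict[str, List[str]]:
    """Layer 4, incident detection: map each alert to its CKC stage and keep,
    per host, the distinct stages in order; alerts without kill-chain meaning
    (e.g. heartbeats) are dropped."""
    per_host: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        stage = EVENT_TO_STAGE.get(ev.kind)
        if stage is not None and stage not in per_host[ev.host]:
            per_host[ev.host].append(stage)
    return dict(per_host)

def assess(stages_by_host: Dict[str, List[str]]) -> Dict[str, int]:
    """Layer 5, incident assessment: severity is how far along the chain the
    adversary got, 1 for Reconnaissance up to 7 for Act on Objective."""
    return {host: max(CKC_STAGES.index(s) for s in stages) + 1
            for host, stages in stages_by_host.items()}

def recommend(stages_by_host: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Layer 7, decision support: RDKC controls for every stage reached on a
    host, earliest stage first, since breaking the chain early costs least."""
    advice: Dict[str, List[str]] = {}
    for host, stages in stages_by_host.items():
        controls: List[str] = []
        for stage in sorted(stages, key=CKC_STAGES.index):
            for control in RDKC_EXCERPT.get(stage, []):
                if control not in controls:
                    controls.append(control)
        advice[host] = controls
    return advice
```

Running `recommend(detect(process(acquire(RAW_EVENTS))))` yields, for the workstation that reached Command & Control, the Delivery-stage controls first and the C2-stage controls last.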
3.3 Defense-in-Depth Security
Defense-in-depth (DiD) is a cybersecurity approach with multi-layered defensive mechanisms to protect valuable railway data and information. Its layered security is like the Swiss cheese model [63] used in risk analysis and risk management. Railway organizations need to develop more complete and complex proactive defensive mechanisms. The benefit of using this type of multi-layered approach is that if one defensive mechanism fails, another starts immediately. The purpose of the defense-in-depth approach is to defend a system against any particular attack using several independent methods. Different researchers define the layers differently. For example, Starrett [64] deploys a triple-layered defense to control access, infrastructure and data. NSA layers [65] are people, technology and operations, whereas IndustryWeek layers [66] are device, application, computer, network and physical layer. These multi-layered defensive mechanisms do not provide perfect security but can strengthen the level of cybersecurity and make attacks harder.

[Figure 3 Cybersecurity information delivery framework to predict, prevent and detect cyber incidents in railway, adapted and modified from OSA-CBM framework (Holmberg [60]). The figure shows four blocks. Railway Defender’s Kill Chain (RDKC): Defense-In-Depth Security; RDKC Matrix (CKC phases against courses of action CoA1, CoA2 and their security controls SC); Private Sector Resources for Sharing Information; Railway Policies/Procedures/Practices; Available Cybersecurity Standards and Technologies; Railway Specific Cybersecurity Standards. Cyber Kill Chains, numbered 1 to 17: External Cyber Kill Chain (External Reconnaissance, Weaponize, Delivery, Exploitation, Installation, Command & Control, Act); Internal Cyber Kill Chain (Internal Reconnaissance, Internal Exploitation, Privilege Escalation, Lateral Movement, Target Manipulation); ICS Cyber Kill Chain (Develop, Test, Deliver, Install, Execute ICS Attack). Railway Cybersecurity OSA-CBM: Cyber Events Data Acquisition, Data Processing, Data Analysis, Incident Detection, Incident Assessment, Incident Prognostics, Decision Support, Visualization. Data Sources and Technologies: System Log Events, Network Traffic, Internal and External Threat Intelligence; User behavior analytics, Network behavior analytics, End-point analytics; Criticality Analysis; Machine Learning Prognostic Models; Decision Support System in Cybersecurity (Nexpose, Nessus Home, Open Vas, Saint8, Nmap).]
4 Results and Discussion
This section explains how the Railway Defender Kill Chain (RDKC) matrix provides security controls at each stage of the CKC using various courses of action.
4.1 Railway Defender Kill Chain (RDKC) Matrix
The convergence of IT and OT technology in the railway has brought significant benefits but at the same time has made it vulnerable to cyber threats. This vulnerability also depends upon the maturity of the integration of IT with OT; e.g., ERTMS (European Rail Traffic Management System) level 3, which is fully digital, is more vulnerable to cyber threats. The operational goals of IT security are confidentiality, integrity, and availability (CIA), and the operational goals of OT security are safety, reliability, and availability (SRA) [67]. OT security generally deals with industrial control systems (ICS) like SCADA systems. The rationale of this research is to introduce a railway defender kill chain that will consider security controls related to both IT and OT technologies. RDKC involves defense-in-depth security, cybersecurity standards and resources, and an RDKC matrix. The RDKC matrix describes the logic of a defender to stop the attack by breaking the cyber kill chain at any point by implementing appropriate IT/OT security controls from Table 2. Thus, Table 2 shows security controls at each stage of the CKC; these defensive controls, along with courses of action, will help railway organizations predict, prevent, detect and respond to cyber-attacks. The main objective of the defender is to stop or minimize the risk of cyber-attack at the initial stage of the CKC by applying security controls from the RDKC matrix. Cells in the matrix can be viewed as characterizing the types of effect a given defensive control could have on a CKC phase. The Reconnaissance – Detect cell, for instance, is at the intersection of the detect tactic and the
Table 2 RDKC Matrix (modified from Hutchins et al. [28], Tarnowski [69], and Malone [70])
Columns: Response CoA and CKC Steps | Predict | Prevent | Detect | Recovery | Deny | Disrupt | Degrade | Deceive | Destroy

External cyber kill chain

External Reconnaissance
• User behavior analytics
• Network behavior analytics
• End-point analytics
• DPI
• NIPS
• Denial of port scanning
• Firewall ACL
• Cybersecurity education and awareness of railway workforce including IT and OT security personnel
• Sensitive and confidential data securely disposed of
• Security by design
• NIDS
• HoneyPot
• Web analytics
• Threat Intelligence
• Video surveillance
• SIEM
• Scan the railway network internally and externally by using vulnerability-scanning tools
• Penetration testing
• Firewall ACL
• Physical locks on critical server rooms
• System and service hardening
• Network obfuscating
• Logical segmentation
• HoneyNet
• Timeout
• HoneyPot

Weaponize
• Shared threat information
• Penetration testing
• Application obfuscation
• System and application patching
• Version hidden
• NIPS
• NIDS
• Threats information sharing
• Vulnerability intelligence
• Honeypots
• Identify weaponization attributes to prevent attacks reaching later stages
NIPS
• Hardening
• Version obfuscating
• Application obfuscation
• Disabling unused services
Fake weaponize codes to attract adversaries

Delivery
Block known sources of attacks and compromise (indicators of attacks (IoA) and indicators of compromise (IoC))
• NIPS
• Firewall
• Port Knocking
• ACL
• RBAC to limit who has access to the SCADA or ETCS
• Two-person rule that initiates remote maintenance command
• Change fabric settings
• Network traffic disabled
• Update secure sockets layer (SSL) encryption protocols
• Prohibit the use of USBs on railway critical systems
• Isolate networks serving critical functionality, such as control systems, from the Internet
• NIDS
• Firewall
• Network analysis
• Vigilant users
• Context-aware
• Endpoint Malware Protection
• Blocked attempts alert
• Detect anomalous commands not stemming from the normal Remote Control Center
• DPI to detect traffic and extract useful metadata such as MAC addresses
• Proxy Filter
• Anti-virus
• Web browsers and plug-ins must be up-to-date
• Hardening
• In-line Anti-virus
• Mandatory Integrity
• Email Queuing
• HoneyPot

Exploitation
Correlate flows and block malicious behavior of devices
• User awareness training
• Secure coding training for web developers
• Local sandbox
• System and application updates
• Security toolkits
• Turn operating system update ON
• HIDS
• Endpoint Malware Protection
• Proactive penetration testing for application and operating system vulnerabilities
• Cyber policies/procedures
• Cyber laws
• Isolation of infected devices
• Data loss prevention (DLP) technology
• Continuity of Operations Plan
• Disaster Recovery Operations Plan
• Forensic
• Patch and update the system
• Use dedicated anti-ransomware utility/blocker
• Hardening
• DEP
• Configuration auto-rollback
• TARPIT
• Remove remote administration capabilities from web platforms
HoneyPot

Installation
Automatically isolate infected devices to prevent horizontal spread
• Cybersecurity education and awareness
• HIPS
• Application Whitelisting
• Cybersecurity education and awareness
• Generate alarms for unauthorized access to railway critical systems
• HIDS
• Modification and change alerts/alarms
• IP Sonar
• Check message integrity (digital signatures) of commands and data received by the network components
• Configuration check
• Access logs
• EDR
• Chroot jail
• Multi-factor authentication to gain access to sensitive railway information
• Secure password
• Authenticate users so that physical access to the railway asset(s) does not automatically grant logical access
• Append authentication data (message authentication code (MAC) or digital signature) to the balises
• Remove hardcoded credentials on railway CMMS
• Require approved cryptographic algorithms for authentication and message integrity on the railway signalling network
• Hardening
• Antivirus
• Configuration auto-rollback
• TARPIT
• HoneyPot
• DNS redirect
EDR

Command & Control (C2)
• Correlate network traffic against known IoCs
• Automatically isolate infected devices
• Whitelisting firewall
• IPS
• NIDS
• SIEM
• Threat intelligence feed
• Internal reconnaissance
Firewall ACL
NIPS
Tarpit
• DNS redirect
• Honeypots to redirect suspicious network traffic to local traps
EDR

Act on Objective
• Assess damage by analyzing network traffic before and after the infection
• Data loss prevention (DLP) technology
• Configure email systems and web proxies to prevent sensitive and confidential railway data from being sent
• Block access to sites that facilitate data transfer
• Turn off copy/paste over remote desktop connections
• Data-at-rest encryption schemes
• Log analysis
• Implement internal IDS, IPS and other controls within the railway network to detect and mitigate unauthorized lateral movement
Outbound ACL
Quality of Service throttle
HoneyPot

Internal cyber kill chain

Internal reconnaissance
Use an IPS to check for any active scan alerts
Use host-based intrusion detection system engine for alerting

Internal exploitation
Patch & vulnerability management
Endpoint protection

Enterprise privilege escalation
Set alerts for addition or deletion to admin user group
Behavioral analytics

Lateral movement
Segmented security zones at all layers
• Vulnerability scanning
• Behavioral analysis of successful login events
Decoy servers

Target manipulation
• Host level log analysis

ICS cyber kill chain

ICS attack development and testing
• Restrict access to documentation and specifications
• Harden/obfuscate applications to make reversing difficult
• Access patterns
• Working offline

Deliver
HIPS
HIDS
Data diode

Install
Application signing
• File integrity Monitoring
• Redundant processing systems
Data diode

Execute
• Forensics
• Breach insurance
Explanations of the Table 2:
ACL: Access control list is used to filter incoming and outgoing traffic in the networks by a router.
DEP: Data execution prevention monitors and sends a notification if someone tries to execute malicious code in ”non-executable” memory locations.
EDR: Endpoint detection and response is an emerging technology that detects malicious activities by continuously monitoring endpoint and network events and responding to advanced threats.
Hardening: Securing system by reducing its surface of vulnerability.
HIDS: Host-based intrusion detection system examines specific host-based actions, like malicious attempts to rewrite a file.
HIPS: Host-based intrusion prevention system evaluates packets before they are allowed to enter a computer.
HoneyNet: A network set up with intentional vulnerabilities, containing one or more honeypots (mechanisms set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems).
RBAC: Role-Based Access Control is a method of restricting system access to unauthorized users.
Port Knocking: A method of externally opening ports by generating a connection attempt on a set of pre-specified closed ports.
DPI: Deep Packet Inspection is a real-time filtering technique.
IDS: Intrusion detection system provides preventive security against any suspicious activity through early warnings.
IPS: Intrusion prevention system is designed to inspect attack data and take the corresponding action, like blocking data.
NIDS: Network-based intrusion detection system analyzes network traffic for suspicious behavior.
NIPS: Network-based intrusion prevention system evaluates traffic before it is allowed into a network or subnet.
Obfuscating: A deliberate act of making something difficult to understand.
Outbound ACL: ACL is placed in the exit interface and filters the traffic after the router makes a forward decision.
Sandbox: Tests unverified programs that may contain viruses or malicious codes.
ETCS: European Train Control System is an automatic train protection system (ATP) to replace the existing national ATP-systems.
ERTMS: European Rail Traffic Management System is standardized communication and signalling system.
CMMS: It is computerized maintenance management system.
Data diode: It is a hardware that allows information flow in one direction only.
Decoy server: It is configured to act as a legitimate server.
reconnaissance phase of CKC; this means that to detect cyber incidents at the reconnaissance phase, we must employ the defensive controls noted in the Reconnaissance – Detect cell. Technologies like Chroot Jail, DEP, Firewall ACL, HIDS, Honeypot, In-line AV, NIDS, NIPS and Tarpit are defined in more detail in a white paper by Force CI [68]. One of the advantages of the RDKC matrix is that it provides maximum defensive controls at one place to follow quickly.
4.2 Case Study of CDOT Network Breach
To illustrate how a cyber-attack follows the extended cyber kill chain [25], this research uses the case study of ransomware infection in the computers of the Colorado Department of Transportation (CDOT). In March 2018, 2,000 CDOT computers were shut down because of a ransomware infection, SamSam [71, 72]. Unlike many ransomware attacks, SamSam is not distributed in spam emails. Instead, the attacker tries to avoid user interaction and takes a more direct route to infection. In the CDOT ransomware infection, the attacker identified open port 3389, exposing the remote desktop protocol (RDP), and gained access to the company’s internal networks by brute-forcing the RDP connections (Figure 4). The impacted employee computers were running Windows and using McAfee security software. The attacker then tried to gain access to as many end-points on the same network as possible, manually running the SamSam ransomware to encrypt the files. In the last stage, the attacker demanded Bitcoin in exchange for the decryption key to unlock the system, but CDOT did not pay. As the railway is adopting advanced ICT technologies, it is becoming more vulnerable to cyber-attacks, making it essential to move towards security analytics and automation to predict, prevent, and detect security breaches and to quickly identify and respond to security events.
Figure 4 Cyber kill chain steps for SamSam virus using extended cyber kill chain [25].
Figure 5 Attack detection and prevention area and external chain break. [Panels (a), (b) and (c) each show the external kill chain stages Reconnaissance, Weaponize, Delivery, Exploitation, Installation, Command & Control, Act on Objective.]
Figure 5(a–b) shows the attack detection area and chain break if the defender had approached security proactively. As noted above, the SamSam cyber-attack gained access by brute-forcing RDP connections, but cyber defenders could have proactively used the following security measures:
(a) A brute-force attack is very noisy and can be picked up by anomaly detection, behavior analytics, and monitoring systems at the reconnaissance stage of the cyber kill chain. Security controls from the reconnaissance-predict cell of the RDKC matrix can notice this attack, and the chain can be broken at the reconnaissance stage (Figure 5(a)).
(b) This attack can be stopped before the exploitation stage by patching the system and using security control from the exploitation-deny cell of the RDKC matrix (Figure 5(b)).
(c) The attack can also be stopped before the installation stage by two-factor authentication on externally facing applications and using security controls from the installation-deny cell of the RDKC matrix (Figure 5(c)).
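The noisy RDP brute-force of point (a), as an added detection example that is not part of the paper: it windows failed RemoteInteractive logons per source address over constructed sample records and reports whether a successful logon followed the burst. The record layout and the use of event ids 4625/4624 with logon type 10 are assumptions, a simplified stand-in for the Windows Security log.

```python
"""Added example (not from the paper): spot an RDP brute-force burst in logon records.

Assumptions: records are 'time,event_id,logon_type,source_ip,user'; event id
4625 is a failed logon, 4624 a successful one, and logon type 10 is
RemoteInteractive (RDP), mirroring the Windows Security log in simplified form.
The sample records below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one password-guessing burst from 203.0.113.5 that ends
# in a successful logon, a user mistyping twice from 198.51.100.7, and slow,
# widely spaced failures from 192.0.2.9 that stay below the rate threshold.
SAMPLE_LOG = """\
2018-02-21T02:00:01,4625,10,203.0.113.5,administrator
2018-02-21T02:00:13,4625,10,203.0.113.5,administrator
2018-02-21T02:00:25,4625,10,203.0.113.5,admin
2018-02-21T02:00:37,4625,10,203.0.113.5,svc_backup
2018-02-21T02:00:49,4625,10,203.0.113.5,svc_backup
2018-02-21T02:01:01,4625,10,203.0.113.5,svc_backup
2018-02-21T02:01:13,4625,10,203.0.113.5,svc_backup
2018-02-21T02:01:30,4624,10,203.0.113.5,svc_backup
2018-02-21T03:00:00,4625,10,192.0.2.9,operator
2018-02-21T03:06:00,4625,10,192.0.2.9,operator
2018-02-21T03:12:00,4625,10,192.0.2.9,operator
2018-02-21T03:18:00,4625,10,192.0.2.9,operator
2018-02-21T03:24:00,4625,10,192.0.2.9,operator
2018-02-21T03:30:00,4625,10,192.0.2.9,operator
2018-02-21T08:15:02,4625,10,198.51.100.7,jdoe
2018-02-21T08:15:20,4625,10,198.51.100.7,jdoe
2018-02-21T08:15:41,4624,10,198.51.100.7,jdoe
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_records(text):
    """Return (time, event_id, logon_type, source_ip, user) tuples in time order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, user = line.split(",")
        records.append((datetime.fromisoformat(ts), int(event_id),
                        int(logon_type), ip, user))
    records.sort()
    return records


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source with >= threshold RDP failures inside a sliding window.

    One dict per offending source: when the burst started, how many failures
    were in the window when the alert fired, the distinct account names tried,
    and whether the same source later logged on successfully (the point at
    which the CDOT attack moved from reconnaissance to access).
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    accounts = defaultdict(set)   # source_ip -> account names attempted
    alerts = {}
    for ts, event_id, logon_type, ip, user in parse_records(text):
        if logon_type != RDP_LOGON_TYPE:
            continue
        if event_id == FAILED_LOGON:
            q = recent[ip]
            q.append(ts)
            accounts[ip].add(user)
            while ts - q[0] > window:        # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"src_ip": ip, "burst_start": q[0],
                              "failures": len(q),
                              "accounts_tried": sorted(accounts[ip]),
                              "success_after_burst": False}
        elif event_id == SUCCESSFUL_LOGON and ip in alerts:
            alerts[ip]["success_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```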
Thus, to minimize the risk of an attack by malware or ransomware infection, the railway workforce must keep software updated, avoid phishing emails and maintain strong passwords.
4.3 Cyber-Attack Scenarios in Railway Operation and Maintenance
With the advanced ICT technologies and tools (e.g., Internet of Things, Cloudification, Big Data Analytics, and Artificial Intelligence, etc) being used in railway operation and maintenance, railway data are collected continuously and sent to the cloud for data analysis and visualization. The security of these data is very important because they will help build data-driven models for operation and maintenance. In addition, the convergence of IT and OT technology in the railway promises significant benefits in reliability, maintainability, operational efficiency, capacity, and passenger experience. But with this convergence, OT technology has the same risk exposures as those of IT practitioners. Thus, there is a need for the security of both IT and OT infrastructures. The following are a few examples of the vulnerabilities:
The signalling system carries critical information and turns it fully digital; it is centrally controlled, making it vulnerable to cyber threats. The system’s ICT devices and components are generally interdependent, and any weakness in one linked element in the system (e.g., security gaps left open by system vulnerabilities, vulnerabilities in software or operating systems, or inappropriate security-related decisions by railway staff) can jeopardize the security and dependability of the whole system.
Railway electrification depends on the electric grid infrastructure for the power supply. Any disturbance in the power grid propagates to the whole railway system, causing an immediate stoppage of several trains.
The SCADA system provides centralized monitoring and control of the railway system. This system sends high-level operator commands to the rail section components based on condition monitoring. Any type of cyber-attack on this system will shut down train services and in extreme cases will cause accidents.
Table 3 lists some examples of cyber-attack scenarios in railway operation and maintenance along with their vulnerabilities, risks, and defensive controls.
Table 3 Examples of cyber-attacks scenarios in railway operation and maintenance and defensive controls from RDKC matrix
Columns: Cyber-attack | Description | Vulnerabilities | Risks/Consequences | Defensive Controls | RDKC Matrix Cell

Cyber-attack: Malicious attacks on railway network and infrastructure like: – Signalling – Rolling stock – Power supply – Databases – ICT
Description: A threat agent acting as a maintenance engineer requests physical and logical access to the railway enterprise network using malware. The threat agent installs remote accessible malware allowing remote maintenance command and control of the network accessible from any available Internet connection. Further, physical access can be achieved via poor locks, unlocked doors, stolen credentials or social engineering.
Vulnerabilities: • Weak identity and access control management (physical and logical) • Poor controls on software installation and integrity • Inadequately protected Internet access to the railway enterprise network or ETCS system implementation
Risks/Consequences: • Potential remote command and control capability by a threat agent • Depending on the system’s architecture and permissions, degraded railway performance
Defensive Controls (RDKC Matrix Cell):
• Require video surveillance (using deep learning) to document who enters the server room (Reconnaissance-Detect)
• Use RBAC to limit who has access to the railway enterprise network or ETCS system (Delivery-Prevent)
• Generate alerts of who has made software additions or modifications (Installation-Detect)
• Check software execution integrity, since software may be compromised when loaded for execution (Installation-Detect)
• Authenticate users so that physical access to the system(s) does not automatically grant logical access (Installation-Deny)
• Require multi-factor authentication to gain access to sensitive systems (Installation-Deny)
• Restrict configuration access to limit who has access and can make configuration changes (Installation-Detect)
• Create audit logs of who has made software additions or modifications (Act on Objective-Detect)

Description: A threat agent gets access to IT or communications infrastructure via unauthorized access to destroy, disclose or modify railway data or disrupt railway services.
Vulnerabilities: • Lack of access control • Insecure communication protocol that allows unauthenticated changes to sensitive data • Physical damage to IT or communications infrastructure
Risks/Consequences: • Loss of data confidentiality, integrity and availability • Unavailability of railway services • Reputational damage to railway organization • In worse case, train accident due to sending wrong signal
Defensive Controls (RDKC Matrix Cell):
• Detect anomalous patterns in the network (Reconnaissance-Detect, Delivery-Detect)
• Require multi-factor authentication (Installation-Deny)
• Use RBAC for administrative access, emergency access and shared accounts (Delivery-Prevent)
• Monitor anomalous access attempts as indicators of cybersecurity events (Delivery-Detect)
• Check message integrity (digital signatures) of commands and data received by the network components (Installation-Detect)
(Continued)
Table 3 Continued
Columns: Cyber-attack | Description | Vulnerabilities | Risks/Consequences | Defensive Controls | RDKC Matrix Cell

Description: Balises provide no authentication guarantee; therefore, there is a possibility of malicious attack via balise interface (by subverting existing balises or placing a new balise on the track)
Vulnerabilities: Open and accessible public railway infrastructure
Risks/Consequences: • Failure to encounter a linked balise in the expected location will cause the train to halt • Excessive commands from unlinked balises can create hazardous situations
Defensive Controls (RDKC Matrix Cell):
• Append authentication data (message authentication code (MAC) or digital signature) to the balises (Installation-Deny)

Cyber-attack: Credential theft attacks on railway assets like: – Databases – ICT
Description: A threat agent acquires railway computerized maintenance management system (CMMS) authentication credentials to visualize railway assets remotely
Vulnerabilities: • Hardcoded passwords • Shared passwords and credentials
Risks/Consequences: • Authenticity of railway CMMS credentials is compromised • Unexpected and perhaps intermittent maintenance service loss • Credibility loss • Revenue loss
Defensive Controls (RDKC Matrix Cell):
• Require multi-factor authentication for privileged functionality (Installation-Deny)
• Verify absence of hardcoded credentials on railway CMMS (Installation-Deny)
Cyber-attack: “Man-in-the-middle” attacks on railway assets like: – Signalling – Rolling stock – Databases – ICT
Description: EuroRadio protocol uses weak encryption algorithm to encrypt the messages
Vulnerabilities: Possibility of exploiting cryptographic weaknesses in EuroRadio
Risks/Consequences: Weak cryptography exposes GSM-R communication messages on the Internet
Defensive Controls (RDKC Matrix Cell):
• Use deep packet inspection (DPI) to detect traffic and extract useful metadata, such as MAC addresses (Delivery-Detect)
• Update the SSL encryption protocols (like AES) (Delivery-Prevent)

Cyber-attack: Vulnerability/ransomware attacks on railway assets like: – ICT – Databases
Description: A threat agent is able to gain access to the railway system by exploiting a known vulnerability that has not yet been patched. The threat agent is unable to access the railway applications but can access other railway devices. The recent WannaCry and Petya ransomware strains exploited a vulnerability in unpatched systems
Vulnerabilities: • Improper or no change/configuration management for the timely deployment of patches and security updates • Unpatched firewall and operating system
Risks/Consequences: • Network shutdown • Customer service unavailable • Troubleshooting costs
Defensive Controls (RDKC Matrix Cell):
• Scan the railway network internally and externally by using vulnerability-scanning tools (Reconnaissance-Detect)
• Implement configuration management including a severity rating (critical, important, moderate, low) and timeframes for patching vulnerabilities based on severity (Exploitation-Deny, Exploitation-Degrade)
(Continued)
Table 3 Continued
Columns: Cyber-attack | Description | Vulnerabilities | Risks/Consequences | Defensive Controls | RDKC Matrix Cell

• Monitor access logs on critical systems and servers (Installation-Detect)
• Generate alarms for unauthorized access to railway critical systems (Installation-Detect)
• Update patches (Exploitation-Deny)

Cyber-attack: Denial of service (DOS) attacks on railway assets like: – Signalling – ICT – Databases – Rolling stock
Description: Cyber-attack on ERTMS/ETCS and railway enterprise network could bring down the ERTMS/ETCS system and railway Web services respectively
Vulnerabilities: • Data-driven property of ERTMS/ETCS • Open communication channel, i.e. “through the air,” using radio frequencies which are open and accessible in public railway infrastructure
Risks/Consequences: • Delay or loss of GSM-R communication messages • Stoppage or delay of trains • Passenger discomfort • Disruption of Web services for reservations or updates on delays • Road traffic maps affected
Defensive Controls (RDKC Matrix Cell):
• Update SSL encryption protocols (Delivery-Prevent)
• Detect anomalous behaviour continuously (Delivery-Detect)
• Detect malicious activities by continuous monitoring endpoint and network events using EDR technology (Installation-Detect)
• Use Web application firewall (Delivery-Detect)
Cyber-attack: Malicious attack on railway ICS system like: – SCADA
Description: A threat agent breaches a railway SCADA system and causes the SCADA system to issue an unregistered or malicious commands. Since railway systems may react differently to invalid commands, the railway system experiences immediate service shutdown
Vulnerabilities: Inadequate authentication and access control mechanisms
Risks/Consequences: • Denial of service attacks • Devices are remotely shut down, affecting train service • Reconfigured instructions, data or code leading to more destructive and costly attacks • In extreme case, possibility of train accident
Defensive Controls (RDKC Matrix Cell):
• Restrict remote access to the ETCS (Installation-Deny)
• Detect unauthorized connections captured in the communication patterns to and from the ETCS (Installation-Detect)
• Require approved cryptographic algorithms for authentication and message integrity on the railway signalling network (Installation-Deny)
• Provide cybersecurity training to SCADA system operators (Exploitation-Prevent)
• Authenticate users accessing the SCADA system (Installation-Prevent)
• Check integrity of messages issued by the SCADA system (Delivery-Degrade, Installation-Detect)
(Continued)
Table 3 Continued
Columns: Cyber-attack | Description | Vulnerabilities | Risks/Consequences | Defensive Controls | RDKC Matrix Cell

Cyber-attack: Insider attacks in railway assets like: – Signalling – Rolling stock – Power supply – Databases – ICT – SCADA
Description: An authorized maintenance team member within the railway maintenance having valid authorization, issues command for remote maintenance of critical railway asset like SCADA
Vulnerabilities: Inadequate system and process checks for railway critical assets
Risks/Consequences: • Equipment damage/sabotage • Temporary stoppage of trains • Loss of customer confidence • In worse case, accident may happen
Defensive Controls (RDKC Matrix Cell):
• Detect anomalous commands not stemming from the normal remote control center (Delivery-Detect)
• Use RBAC to limit who has access to sensitive functions (Delivery-Prevent)
• Require two-person rule that initiates remote maintenance command (Delivery-Prevent)
• Generate alarms to issue sensitive commands (Installation-Detect)
• Create audit logs to track who issues remote maintenance commands (Act on Objective-Detect)
Description: An insider is able to gain access to the network to which an ETCS system is connected and to the ETCS’s credentials, assuming credentials are in place. This individual compromises (malicious intent) or misconfigures (accidentally) the ETCS system.
Vulnerabilities: • Firewalls non-existent or improperly configured allowing access to the ETCS system by an unauthorized insider • Weak network security architecture allowing access to the ETCS system • No security monitoring on the railway signalling network • Inadequate authentication and access control for configuration and programming software on the ETCS system • Insecure remote access to the ETCS system
Risks/Consequences: • Delay in taking maintenance and operation actions, when needed • Incorrect maintenance and operation actions taken • Cascading failures • Train accident may happen
Defensive Controls (RDKC Matrix Cell):
• Restrict network service access at multiple layers to prevent unauthorized individuals from gaining access to the ETCS (Installation-Prevent)
• Restrict remote access to the ETCS (Installation-Deny)
• Detect unauthorized connections captured in the communication patterns to and from the ETCS (Installation-Detect)
• Require approved cryptographic algorithms for authentication and message integrity on the railway signalling network (Installation-Deny)

Explanations of the Table 3: (RDKC matrix cell) This column is the value from the RDKC matrix cell. This matrix cell can be viewed as characterizing the types of effect a given defensive control could have on a CKC phase. For example, the Reconnaissance – Detect cell is at the intersection of the detect tactic and the reconnaissance phase of CKC; this means that in the reconnaissance phase, to detect cyber incidents, we must follow the defensive controls provided in the Reconnaissance – Detect cell.
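The balise authentication control from Table 3 (append a MAC or digital signature to the balise) together with the "approved cryptographic algorithms for message integrity" control, as an added example that is not from the paper: a truncated HMAC-SHA256 tag over a constructed telegram layout, a constant-time check on the on-board side, and a linked-balise sequence check on top. The telegram fields, key and balise ids are assumptions for illustration, not the Eurobalise specification.

```python
"""Added example (not from the paper): authenticating balise telegrams with a MAC.

Table 3 names "Append authentication data (MAC or digital signature) to the
balises" as the Installation-Deny control against subverted or planted
balises. This models that control in simplified form; the telegram layout
(balise id, track position, speed limit), the key and the linking rule are
constructed assumptions and not the Eurobalise format.
"""
import hashlib
import hmac
import struct

MAC_LEN = 16           # truncated HMAC-SHA256 tag appended to each telegram
TELEGRAM_FMT = ">HIH"  # balise id (uint16), position in metres (uint32), speed limit km/h (uint16)


def make_telegram(key, balise_id, position_m, speed_limit_kmh):
    """Encode a telegram and append its MAC (done once when the balise is programmed)."""
    body = struct.pack(TELEGRAM_FMT, balise_id, position_m, speed_limit_kmh)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


def verify_telegram(key, telegram):
    """Return the decoded fields, or None if the MAC is missing or does not match."""
    body_len = struct.calcsize(TELEGRAM_FMT)
    if len(telegram) != body_len + MAC_LEN:
        return None
    body, tag = telegram[:body_len], telegram[body_len:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    balise_id, position_m, speed_limit_kmh = struct.unpack(TELEGRAM_FMT, body)
    return {"balise_id": balise_id, "position_m": position_m,
            "speed_limit_kmh": speed_limit_kmh}


class OnboardReceiver:
    """Accepts only authenticated telegrams and tracks the linked-balise sequence."""

    def __init__(self, key, expected_sequence):
        self.key = key
        self.expected = list(expected_sequence)  # balise ids in track order
        self.accepted = []
        self.rejected = []

    def receive(self, telegram):
        fields = verify_telegram(self.key, telegram)
        if fields is None:
            self.rejected.append("bad MAC")
            return None
        # A valid telegram from a balise that is not the next linked one is
        # also refused, so an out-of-sequence command never drives the train.
        if not self.expected or fields["balise_id"] != self.expected[0]:
            self.rejected.append(f"unexpected balise {fields['balise_id']}")
            return None
        self.expected.pop(0)
        self.accepted.append(fields)
        return fields


KEY = b"constructed-demo-key-not-for-real-use"

# Constructed scenario: two legitimate balises, a tampered copy of the second
# (speed limit raised, old MAC kept) and a telegram authenticated with the
# wrong key, as from a balise that was never programmed by the operator.
LEGIT_1 = make_telegram(KEY, 1001, 12500, 120)
LEGIT_2 = make_telegram(KEY, 1002, 13700, 80)
TAMPERED = struct.pack(TELEGRAM_FMT, 1002, 13700, 200) + LEGIT_2[-MAC_LEN:]
UNKNOWN = make_telegram(b"some-other-key", 1003, 14000, 160)


def run_scenario():
    """Feed the constructed telegrams to a receiver expecting balises 1001, 1002, 1003."""
    rx = OnboardReceiver(KEY, [1001, 1002, 1003])
    for telegram in (LEGIT_1, TAMPERED, LEGIT_2, UNKNOWN):
        rx.receive(telegram)
    return rx


if __name__ == "__main__":
    rx = run_scenario()
    print("accepted:", rx.accepted)
    print("rejected:", rx.rejected)
```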
4.4 How RDKC will Help to Reduce the Risk of Cyber-Attack: A Case of Railway SCADA Example
Consider an example of multistage cyber-attack on railway SCADA system (one of the scenarios from Table 3) where a threat agent breaches a railway SCADA system and causes this system to issue an unregistered or malicious command. To proactively reduce the risk of this attack, various courses of action from the RDKC matrix can be chosen (Figure 6). For example, to defend against the first stage (external reconnaissance), the defender may implement detect technologies like NIDS or web analytics. In the second stage (weaponized), the defender may deceive the attacker by providing some fake weaponized codes or fake registration. In the third stage (delivery), the defender may detect the attacker by using deep packet inspection.
In the fourth stage (exploitation), the defender may prevent the attack by using systems & application updates. In the fifth stage (installation), the defender may detect the attack by using an alarm/alert system. In the sixth stage (command & control), the defender may deceive the attacker by using DNS redirect or honeypot. In the seventh stage (act), the defender may deny the attack by using outbound access control lists. If the cyber-attack is successful, then the attacker may move to the eighth stage inside the network and start internal reconnaissance to search for available systems and map the internal network and vulnerabilities (e.g., scanning OT to find Human Machine Interfaces). To defend against this, the defender may detect this attack by using HIDS for alerting. In the ninth stage (internal exploitation), the defender may prevent the attack by using patch and vulnerability management. In the tenth stage (privilege escalation), the defender may detect the attack by using behavioral analytics. In the eleventh stage (lateral movement), the defender may deceive the attacker by using decoy servers. In the twelfth stage (target manipulation), the defender may detect the attack by using host-level log analysis. If the attacker is successful in the manipulation of the railway SCADA system, then he will gain access to the physical system via new vulnerabilities. Thus, in the thirteenth and fourteenth stages (develop and test), the defender may prevent the attack by hardening/obfuscating applications to make reversing difficult. In the fifteenth stage (deliver), the defender may detect the attack by using HIDS systems. In the sixteenth stage (install), the defender may deny the attack by using a data diode. In the last stage (execute), the defender may recover from the attack by using forensics or breach insurance.
Figure 6 Cyber kill chain and railway defender kill chain to reduce the risk of cyber-attacks: An example of the railway SCADA system. [Figure: stages numbered 1 to 17 across the External Cyber Kill Chain (External Reconnaissance (ER), Weaponize (W), Delivery (D), Exploitation (E), Installation (I), Command & Control (C2), Act), the Internal Cyber Kill Chain (Internal Reconnaissance (IR), Internal Exploitation (IE), Privilege Escalation (PE), Lateral Movement (LM), Target Manipulation (TM)) and the ICS Cyber Kill Chain (Develop & Test (D&T), Deliver, Install, Execute ICS Attack), drawn over an IT/OT network of Internet, PC, Server, Workstation, Printer, Data Historian, HMI, PLC and RTU, with the RDKC matrix cells chosen per stage: ER-Detect, W-Deceive, D-Detect, E-Prevent, I-Detect, C2-Deceive, Act-Deny, IR-Detect, IE-Prevent, PE-Detect, LM-Deceive, TM-Detect, D&T-Prevent, Deliver-Detect, Install-Deny, Execute-Recovery.]
4.5 Penetration Probabilities at Each Stage of Cyber Kill Chain
To assess the proposed framework, this research has started the simulation of cyber-attack penetration probabilities with varying security controls at each stage of the cyber kill chain. These security controls are the proposed technologies presented in the RDKC matrix (Table 2). The defender can choose these security controls at each stage of the cyber kill chain to defend against the cyber-attack. Figure 7 is one of the simulated results of penetration probabilities at each stage of the cyber kill chain based on the cyber-attack probability. In this case, the probability of defense lies between 11% to 20% (first two stages) and 21% to 30% (rest of the five stages). The penetration probabilities keep on decreasing from the first stage to the seventh stage. This research has started simulation with seven stages but it will simulate for all the 17 stages in the future.
Figure 7 Cyber-attack penetration probabilities at each stage of the cyber kill chain.
5 Conclusions and Future Work
With digitalization, the railway’s vulnerability to cyber-attacks is increasing, suggesting the need to focus on cybersecurity. Most organizations are focusing on intrusion prevention technologies, with less emphasis on prediction and detection technologies. This research proposes a Railway Defender Kill Chain (RDKC) to predict, prevent, detect, and respond to cyber-attacks. RDKC uses a course of action matrix, which determines how to predict, prevent, detect, respond to, deny, disrupt, degrade, deceive, and destroy adversary events along the kill chain phases to avoid or minimize loss or unavailability. By being proactive instead of reactive, a defender can mitigate cyber threats, implementing the right defensive strategy provided in the RDKC matrix instead of deploying incident response and forensics after a successful exploit.
Future research will simulate cyber-attack penetration probabilities with varying defensive controls at each stage of the cyber kill chain. The simulation will help railway organizations predict the risk of attack penetrations by applying various security controls at each stage of the cyber kill chain. In addition, a complete set of cyber-attacks along with defensive controls will be sent to the participating railway organizations.
Acknowledgments
The authors would like to thank Luleå Railway Research Center (JVTC) for sponsoring the research work. The authors would also like to acknowledge the contributions of Dr. Phillip Tretten and Robert Beney for their valuable expertise.
References
[1] U. Espling and U. Kumar, “Benchmarking of the maintenance process at Banverket (the Swedish National Rail Administration),” in Complex System Maintenance Handbook, Anonymous: Springer, 2008, pp. 559–583.
[2] K. Stouffer, S. Lightman, V. Pillitteri, M. Abrams and A. Hahn, “NIST special publication 800–82, revision 2: Guide to industrial control systems (ICS) security,” National Institute of Standards and Technology, 2014.
[3] U. Kumar, R. Kour, P. Tretten and R. Karim, “eMaintenance solution through online data analysis for railway maintenance decision-making,” Journal of Quality in Maintenance Engineering, 2014.
[4] Shift2Rail. Cybersecurity in the railway sector [Online]. Available: https://shift2rail.org/project/cyrail/.
[5] R. Ahmad and S. Kamaruddin, “A review of condition-based maintenance decision-making,” European Journal of Industrial Engineering, vol. 6, no. 5, pp. 519–541, 2012.
[6] N. Subramanian and A. Jeyaraj, “Recent security challenges in cloud computing,” Comput. Electr. Eng., vol. 71, pp. 28–42, 2018.
[7] J.R. Nobles, “Cybersecurity threats & challenges,” 2018.
[8] D. Patel, “Test utility for live and online testing of an anti-phishing message security system,” 2018.
[9] M. Bromiley, “Incident response capabilities in 2016: The 2016 SANS incident response survey,” SANS Institute, June 2016.
[10] U.D. Ani, H. He and A. Tiwari, “Human factor security: Evaluating the cybersecurity capacity of the industrial workforce,” Journal of Systems and Information Technology, vol. 21, no. 1, pp. 2–35, 2019.
[11] M. Algarni, S. Almesalm and M. Syed, “Towards Enhanced Comprehension of Human Errors in Cybersecurity Attacks,” in International Conference on Applied Human Factors and Ergonomics, 2018, pp. 163–175.
[12] S. Kremer, L. Me, D. Remy and V. Roca, “Cybersecurity,” 2019.
[13] Helpsystems. Survey Results: 2018 Top Cybersecurity Risks and Mitigation Strategies [Online]. Available: https://www.helpsystems.com/resources/on-demand-webinars/survey-results-2018-top-cybersecurity-risks-and-mitigation-strategies.
[14] Hackmageddon, “Information security timelines and statistics.” https://www.hackmageddon.com/category/security/cyber-attacks-statistics/.
[15] R. Kour, M. Aljumaili, R. Karim and P. Tretten, “eMaintenance in railways: Issues and challenges in cybersecurity,” Proc. Inst. Mech. Eng. Pt. F: J. Rail Rapid Transit, pp. 095440971822291, 2019. http://dx.doi.org/10.1177/0954409718822915.
[16] Symantec. 2019 Internet Security Threat Report (ISTR): The New Threat Landscape, California, United States [Online]. Available: https://www.symantec.com/security-center/threat-report.
[17] J.T. Force and T. Initiative, “Security and privacy controls for federal information systems and organizations,” NIST Special Publication, vol. 800, no. 53, pp. 8–13, 2013.
[18] Lockheed Martin. Cyber Kill Chain® [Online]. Available: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.
[19] V. Bukac, V. Lorenc and V. Matyas, “Red queen’s race: APT win-win game,” in Cambridge International Workshop on Security Protocols, 2014, pp. 55–61.
[20] Z. El Mrabet, N. Kaabouch, H. El Ghazi and H. El Ghazi, “Cyber-security in smart grid: Survey and challenges,” Comput. Electr. Eng., vol. 67, pp. 469–482, 2018.
[21] M.J. Assante and R.M. Lee, “The industrial control system cyber kill chain,” SANS Institute InfoSec Reading Room, vol. 1, 2015.
[22] D.U. Case, “Analysis of the cyber attack on the Ukrainian power grid,” Electricity Information Sharing and Analysis Center (E-ISAC), 2016.
[23] M. Cloppert, “Security intelligence: Attacking the cyber kill chain,” SANS Computer Forensics, 2009.
[24] X. Zhou, Z. Xu, L. Wang, K. Chen, C. Chen and W. Zhang, “Kill chain for industrial control system,” in MATEC Web of Conferences, 2018, p. 01013.
[25] Pandasecurity. Understanding Cyber-Attacks Part I. The Cyber-Kill Chain, Spain [Online]. Available: http://resources.pandasecurity.com/enterprise/solutions/ad360/1704-WHITEPAPER-CKC-EN.pdf.
[26] S. Northcutt. Security Controls. SANS Technology Institute, USA [Online]. Available: https://www.sans.edu/cyber-research/security-laboratory/article/security-controls.
[27] Department of Defense. JP 3–13 Information Operations [Online].
[28] E.M. Hutchins, M.J. Cloppert and R.M. Amin, “Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains,” Leading Issues in Information Warfare & Security Research, vol. 1, no. 1, p. 80, 2011.
[29] Thales. Railway Digitalization: Cybersecurity [Online]. Available: https://www.thalesgroup.com/en/spain/magazine/railway-digitalization-cybersecurity.
[30] Shift2rail report. CYbersecurity in the RAILway sector D2.1 – Safety and Security requirements of Rail transport system in multi-stakeholder environments [Online]. Available: https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e5b678c2dc&appId=PPGMS.
[31] CSRC. NIST Computer Security Resource Center [Online]. Available: https://csrc.nist.gov/.
[32] ICS-CERT. Industrial Control Systems Cyber Emergency Response Teams [Online]. Available: https://ics-cert.us-cert.gov/.
[33] US-CERT. Critical Infrastructure Cyber Community Voluntary Program (C3) [Online]. Available: https://www.us-cert.gov/ccubedvp.
[34] Anonymous (-02-10T15:19:26-05:00). Information Sharing and Analysis Organizations (ISAOs) [Online]. Available: https://www.dhs.gov/cisa/information-sharing-and-analysis-organizations-isaos.
[35] APTA. American Public Transportation Association. Information Sharing & Analysis Center (PT-ISAC) [Online]. Available: https://www.surfacetransportationisac.org/.
[36] CIS®. Center for Internet Security [Online]. Available: https://www.cisecurity.org/about-us/.
[37] Minimum Cyber Security Standard. Version 1.0. UK [Online]. Available: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment data/file/719067/25062018 Minimum Cyber Security Standard gov.uk 3.pdf.
[38] W. Xu, Y. Tao, C. Yang and H. Chen, “MSICST: Multiple-scenario industrial control system testbed for security research.”
[39] H. Kim, H. Kwon and K.K. Kim, “Modified cyber kill chain model for multimedia service environments,” Multimedia Tools Appl, vol. 78, no. 3, pp. 3153–3170, 2019.
[40] M. Mohsin and Z. Anwar, “Where to kill the cyber kill-chain: An ontology-driven framework for IoT security analytics,” in 2016 International Conference on Frontiers of Information Technology (FIT), 2016, pp. 23–28.
[41] B.D. Bryant and H. Saiedian, “A novel kill-chain framework for remote security log analysis with SIEM software,” Comput. Secur., vol. 67, pp. 198–210, 2017.
[42] A. Hahn, R.K. Thomas, I. Lozano and A. Cardenas, “A multi-layered and kill-chain based security analysis framework for cyber-physical systems,” International Journal of Critical Infrastructure Protection, vol. 11, pp. 39–50, 2015.
[43] I. Mihai, S. Pruna and I. Barbu, “Cyber kill chain analysis,” Int’l J. Info. Sec. & Cybercrime, vol. 3, p. 37, 2014.
[44] S. Wen, N. He and H. Yan, “Detecting and Predicting APT Based on the Study of Cyber Kill Chain with Hierarchical Knowledge Reasoning,” in Proceedings of the 2017 VI International Conference on Network, Communication and Computing, 2017, pp. 115–119.
[45] S. Wen, Y. Rao and H. Yan, “Information Protecting against APT Based on the Study of Cyber Kill Chain with Weighted Bayesian Classification with Correction Factor,” in Proceedings of the 7th International Conference on Informatics, Environment, Energy and Applications, 2018, pp. 231–235.
[46] L. Ertaul and M. Mousa, “Applying the Kill Chain and Diamond Models to Microsoft Advanced Threat Analytics,” in Proceedings of the International Conference on Security and Management (SAM), 2018, pp. 252–258.
[47] Garba FA, Junaidu SB, Ahmad I, Tekanyi MS, “Proposed framework foreffective detection and prediction of advanced persistent threats basedon the cyber kill chain,” 2018.
[48] I. Herwono and F.A. El-Moussa, “Automated Detection of the EarlyStages of Cyber Kill Chain.” in ICISSP, 2018, pp. 182–189.
[49] C. Velazquez, “Detecting and preventing attacks earlier in the kill chain,”SANS Institute Infosec Reading Room, pp. 1–21 2015.
[50] Y. Ayrour, A. Raji and M. Nassar, “Modelling cyber-attacks: A surveystudy,” Network Security, vol. 2018, no. 3, pp. 13–19, 2018.
[51] W. Wang, J. Bickford, I. Murynets, R. Subbaraman, A.G. Forte andG. Singaraju, “Detecting targeted attacks by multilayer deception,”Journal of Cyber Security and Mobility, vol. 2, no. 2, pp. 175–199, 2013.
Railway Defender Kill Chain to Predict and Detect Cyber-Attacks 87
[52] R.A. Yadav T, “Technical aspects of cyber kill chain,” in, 2015,pp. 438–452.
[53] K.E. Heckman, F.J. Stech, R.K. Thomas, B. Schmoker and A.W. Tsow,“Intrusions, Deception, and Campaigns,” in Cyber Denial, Deceptionand Counter Deception, Anonymous: Springer, 2015, pp. 31–52.
[54] A. Marcella Jr and D. Menendez, Cyber forensics: a field manual forcollecting, examining, and preserving evidence of computer crimes,Auerbach Publications, 2007.
[55] R. Kour, R. Karim and A. Thaduri, “Cybersecurity for railway – A matu-rity model,” Proceedings of the Institution of Mechanical Engineers,Part F: Journal of Rail and Rapid Transit (2019): 0954409719881849.
[56] D. Kuipers and M. Fabro, “No title,” Control systems cyber security:Defense in depth strategies 2006.
[57] X. Fan, K. Fan, Y. Wang and R. Zhou, “Overview of cyber-security ofindustrial control system,” in 2015 international conference on cybersecurity of smart cities, industrial control system and communications(SSIC), 2015, pp. 1–7.
[58] R. Radvanovsky and J. Brodsky, Handbook of SCADA/control systemssecurity, CRC Press, 2013.
[59] K. Swearingen, W. Majkowski, B. Bruggeman, D. Gilbertson, J. Duns-don and B. Sykes, “An open system architecture for condition basedmaintenance overview,” in 2007 IEEE Aerospace Conference, 2007,pp. 1–8.
[60] Kenneth Holmberg et al., “Information and Communication Technolo-gies Within E-maintenance,” in Emaintenanc, Anonymous: SpringerScience & Business Media, 2010, pp. 39–60.
[61] A. Yokoyama, “Innovative changes for maintenance of railway byusing ICT–to achieve “smart maintenance”,” Procedia CIRP, vol. 38,pp. 24–29, 2015.
[62] R. Karim, J. Westerberg, D. Galar and U. Kumar, “Maintenanceanalytics–the new know in maintenance,” IFAC-PapersOnLine, vol. 49,no. 28, pp. 214–219, 2016.
[63] J. Reason, E. Hollnagel and J. Paries, “Revisiting the swiss cheese modelof accidents,” J.Clin.Eng., vol. 27, no. 4, pp. 110–115, 2006.
[64] R. Starrett. How to protect data in an IP world [Online]. Available: https://www.eetimes.com/document.asp?doc id=1274286.
[65] NSA. Defense in Depth. US National Security Agency [Online].Available: https://apps.nsa.gov/iaarchive/customcf/openAttachment.cfm?FilePath=/iad/library/ia-guidance/archive/assets/public/upload/
88 R. Kour et al.
Defense-in-Depth.pdf&WpKes=aF6woL7fQp3dJimPuJLAvwxazbq3mDYX6mWmFe.
[66] IndustryWeek. Proactive Protection Through Industrial Networks[Online]. Available: https://www.industryweek.com/rockwell-automation-connected-industrial-enterprise/proactive-protection-through-industrial-networks.
[67] W. Knowles, J.M. Such, A. Gouglidis, G. Misra and A. Rashid, “Assur-ance techniques for industrial control systems (ics),” in Proceedings ofthe First ACM Workshop on Cyber-Physical Systems-Security and/orPrivaCy, 2015, pp. 101–112.
[68] C.I.T. Force, “Operational levels of cyber intelligence,” 2013.[69] I. Tarnowski, “How to use cyber kill chain model to build cybersecu-
rity?” European Journal of Higher Education IT [Online]. Available:http://www.eunis.org/download/TNC2017/TNC17-IreneuszTarnowski-cybersecurity.pdf 2017.
[70] S. Malone, “Using an expanded cyber kill chain model to increase attackresiliency,” Black Hat US 2016.
[71] The Denver Post. SamSam virus demands bitcoin from CDOT, stateshuts down 2,000 computers [Online]. Available: https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/.
[72] P. Paganini. For the second time in two weeks CDOT shut downcomputers after a ransomware infection [Online]. Available: https://securityaffairs.co/wordpress/69946/cyber-crime/cdot-second-ransomware-attack.html.
Biographies
Ravdeep Kour is a Ph.D. student in the Division of Operation and Maintenance Engineering at Lulea University of Technology, Sweden. She received a Bachelor's degree in Information Technology and a Master's degree in Computer Science Engineering from Jammu University of India and Punjab University of India, in 2004 and 2012 respectively. She worked as Assistant Professor in India from 2004 to 2012 and worked at Lulea Technical University, Lulea, Sweden as Research Engineer from 2012 to 2014. She worked on European Union and Swedish Railway projects. Her total academic and research work experience is 15 years. Her research interests are machine learning, cybersecurity in the context of IT and OT technologies, security risk assessment, cloud computing, and big data analytics.

Adithya Thaduri is working as Associate Senior Lecturer in the Division of Operation and Maintenance Engineering at Lulea University of Technology. He has experience in the coordination of four European projects (IN2RAIL, INFRALERT, IN2SMART and FR8RAIL) and three national projects (InfraSweden, Mindi and SKF) in the area of railways and has worked in collaboration on seven other projects. He recently got funding for one European project for railways (IN2SMART2) and two national projects, one from Vinnova on railways and the other from Coal India Limited on mining. He is part of over 35 deliverables/reports within the above-mentioned projects. He has over 40 research publications (28 after his PhD) in journals, book chapters and conference proceedings. He has been teaching the Maintenance Engineering course for the master's programme for two years. His areas of research are machine learning and context-aware maintenance decision making within the framework of Maintenance 4.0 in railways, asset maintenance analytics, prognostics and degradation modelling of railway infrastructure, reliability predictions, maintenance planning and optimization, RAMS, LCC and risk assessment, predictive analytics of mining machines, and cybersecurity.

Ramin Karim has a PhD in the area of Operation and Maintenance Engineering with a focus on eMaintenance and Industrial AI. Ramin has over 20 years of industry experience in computer science and Information and Communication Technologies (ICT), with roles as software developer, systems architect, project manager, multi-project leader, process owner, product manager, responsible for standardization, model developer, and technology business developer. Ramin has over 60 publications in several research areas related to eMaintenance. Ramin is head of the eMaintenance Research Team, focusing on Industrial AI for Operation and Maintenance. He is also founder of a spin-off company from Lulea University of Technology, which develops analytics solutions based on Industrial AI and eMaintenance.
Paper IV
Predictive model for multistage cyber-attack simulation
Kour, R., Thaduri, A., & Karim, R. (2020). Predictive model for multistage cyber-attack simulation. International Journal of System Assurance Engineering and Management, 1-14.
ORIGINAL ARTICLE
Predictive model for multistage cyber-attack simulation
Ravdeep Kour1 • Adithya Thaduri1 • Ramin Karim1
Received: 30 August 2019 / Revised: 30 August 2019
© The Author(s) 2020
Abstract Adoption of information and communication technologies (ICT) in railway has improved the reliability, maintainability, operational efficiency and capacity, as well as the comfort of passengers. This adoption introduces new vulnerabilities and entry points for hackers to launch attacks. Advanced cybersecurity threats with automated capabilities are increasing in sectors such as finance, health, grid, retail, government, telecommunications, transportation, etc. These cyber threats are also increasing in railways and, therefore, cybersecurity measures are needed to predict, detect and respond to these threats. The cyber kill chain (CKC) model is a widely used model to detect cyber-attacks; it consists of seven stages/chains, and breaking the chain at an early stage will help the defender stop the adversary's malicious actions. Due to the lack of real cybersecurity data, this research simulates cyber-attacks to calculate the attack penetration probabilities at each stage of the cyber kill chain model. The objective of this research is to predict cyber-attack penetrations by implementing various security controls using modeling and simulation. This research is an extension of the developed railway defender kill chain, which provides security controls at each stage of CKC for railway organizations to minimize the risk of cyber threats.
Keywords Cyber-attack · Cyber kill chain · Security control · Predict · Simulation

1 Division of Operation and Maintenance Engineering, Lulea University of Technology, 97187 Lulea, Sweden
Int J Syst Assur Eng Manag
https://doi.org/10.1007/s13198-020-00952-5

1 Introduction

Railway is one of the important critical infrastructures on which most people rely for travelling, and it is also one of the major contributors to the growth of a country's economy. On one hand, the use of new advanced technologies (like Internet of Things, smart sensors, etc.) has brought significant benefits in reliability, operational efficiency, capacity as well as improved passenger experience. On the other hand, it also increases the vulnerability of the railway system to cyber threats. An attacker may launch an attack remotely which can lead to denial of control, malfunction of alarms, or manipulation of sensors or actuators to adversely affect the physical system, resulting in catastrophic consequences (Karnouskos 2011). Hackers have already targeted rail companies in Belgium, China, Denmark, Germany, Russia, South Korea, Sweden, Switzerland, the UK, and the US (Kour et al. 2019). Thus, the safety and well-being of passengers, employees, and the public in general, including nearby traffic and pedestrians, must be the first priority of rail operators. However, this safety is at risk due to cybersecurity incidents, which have been increasing over the last years. There are two types of cybersecurity risks in railway organizations: business risks and societal risks (Thaduri et al. 2019a, b). The impact of cybersecurity business risks includes loss of revenue, impact on reputation/loss of trust, non-compliance with regulations on data protection, risks to hardware and software, reliance on invalid information, and lack of security of dependencies (Thaduri et al. 2019a, b). The impact of cybersecurity societal risks includes risk to public health and safety, unavailability of the railway service, societal financial losses, environmental impact due to increased energy consumption, and risk to the confidentiality and privacy of citizens (Thaduri et al. 2019a, b). Therefore, there is a need to establish strong cybersecurity measures to safeguard railway infrastructure against cyber-attack penetrations. However, there is a lack of real cybersecurity data and, therefore, this research uses simulation to predict cyber-attack penetration probabilities at each stage of the cyber kill chain by assuming various security controls to defend against these attacks. Security controls are defined as "The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for a system to protect the confidentiality, integrity, and availability of the system, its components, processes, and data" (Stouffer et al. 2014). There are three general classes of security controls, i.e., management, operational, and technical (Ross et al. 2007). Management and operational controls involve contingency planning controls, incident response controls, security awareness and training controls, personnel security controls, physical security controls, etc. Technical controls involve logical access control, user authentication, antivirus software, firewalls, penetration testing, etc.
To carry out this research, the cyber kill chain (CKC) model has been used, which is one of the most widely used frameworks to detect cyber-attacks. It is based on the kill chain tactic of the US military's F2T2EA (find, fix, track, target, engage and assess) (Martin 2014). This model consists of seven stages and describes the logic that an attacker follows during a cyber-attack within the system. Hence, this research simulates cyber-attack penetrations within each stage of this model.

The outline of the paper is as follows. After the introduction, the state-of-the-art is provided and then the seven stages of the cyber kill chain model are explained, followed by the research methodology. Then, an overview of the developed model is given. Next, the simulation cases are discussed. Finally, results and discussion are presented, followed by conclusions and future research directions.
2 State-of-the-art
2.1 Generalized modeling tools
There are various modeling tools (both proprietary and open), such as optimized network engineering tools and network simulators, to analyze the impact of cyber-attacks on the modeled network (NS-3 2019; OPNET 2019). The literature shows that researchers are active in the area of simulating cyber-attacks in critical infrastructures and have used the network simulator NS2 to predict the impact of denial of service, malware propagation, and man-in-the-middle attacks on supervisory control and data acquisition (SCADA) systems (Ciancamerla et al. 2013). An agent-based modeling and simulation approach was used to facilitate the assessment of critical infrastructure entities under cyber-attack (Rybnicek et al. 2014). A generalized simulation model of cyber-attacks in IT networks was also developed (Shourabi 2015). Researchers are also active in the area of game theory to model the behaviors of complex multistage cyber-attacks. He (2017) developed an application-oriented cyber threat assessment framework in order to address the risk posed by multistage cyber-attacks in smart grids. Game-theory models have also been developed for intelligent transportation systems (ITS) to secure them against fatal cyber-attacks (Alpcan and Buchegger 2010; Bahamou et al. 2016; Mejri et al. 2016; Sanjab et al. 2017; Sedjelmaci et al. 2016). In addition to this, a combined simulation of an interconnected railway network, ICT network and energy grid using OpenTrack, SINCAL, and NS3 respectively has been achieved in a European Union project (Ciprnet 2013).
2.2 Railway specific simulators
A survey of existing railway simulators shows that most of them were designed for planning and operational purposes (eTrax 2016; Grube et al. 2011; OpenPowerNet Version 1.8.1 2019; OpenTrack 1990; Yao et al. 2013). The limitations of these simulators are that they do not support cyber-attack analysis and are very costly to adopt in railway cybersecurity research. To overcome these limitations, another simulator called SecureRails was introduced: an open source simulator for analyzing cyber-physical attacks in railway (Teo et al. 2016). This simulator is restricted to only two subsystems: the mechanical system (involving the train's motion) and the electrical system (traction power system). In addition to this, the literature does not provide simulation tools to predict cyber-attack penetration probabilities in multiple stages of an attack. Thus, this research provides a simple model using MATLAB to simulate cyber-attack penetration probabilities at various stages of the cyber kill chain model.

The objective of this research is to analyze and simulate cyber-attacks to predict cyber-attack penetration probabilities. The scope of this research is that it does not go into detail on the various kill chain models. Rather, it applies a simple cyber kill chain model to the railway as an initial step. The limitation of this research is the scarcity of real cybersecurity data.
3 Attack propagation in seven stages of cyber kill chain model
An initial CKC model was developed by Lockheed Martin (2009). The seven stages of this model are:
• Reconnaissance: It is the planning stage of the cyber-attack. The adversary searches for and gathers information about the target through social sites, conferences, blogs, mailing lists and other network tracing tools.
• Weaponize: The second stage of the model is the operation preparation stage. This stage involves the coupling of a remote access Trojan (RAT) with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer).
• Delivery: The third stage of the model is the operation launch stage, where a weapon is transmitted to the targeted environment.
• Exploitation: At this stage, the exploit is triggered to silently install/execute the delivered payload. The most frequently exploited weaknesses are operating system, network and application/software level vulnerabilities.
• Installation: This stage involves the installation of back door remote access Trojans (RATs) and the maintenance of persistence inside the targeted environment.
• Command and control (C2): After the successful installation of a back door, the adversary tries to open a two-way communication channel to enable the attacker to control the targeted environment remotely. Once the C2 channel is established, the adversary has "hands on the keyboard" access inside the targeted environment.
• Act on objective: In the last stage of the model, the adversary achieves the desired attack goals. These goals can be loss of confidentiality, integrity or availability of an asset.
Figure 1 represents the propagation of cyber-attack penetrations at each stage of the cyber kill chain model. P_attack is the probability of initiation of a cyber-attack and S1–S7 are the seven stages of the cyber kill chain model. Pc11, Pc12, Pc13, Pc14 … Pc73, Pc74 are the 28 security controls implemented by the defender to minimize the risk of cyber-attacks. Pg1 to Pg7 are the probabilities of propagation of cyber-attack penetrations through S1–S7.

Table 1 shows examples of these security controls to be implemented by the defender at each stage of the CKC model. Pc1–Pc7 are the probabilities that at least one security control will defend at each stage of the CKC model.
4 Research methodology
Due to the lack of real cybersecurity data, this research is conducted using simulation in MATLAB. Figure 2 shows the flowchart of the research methodology. This research started with generating relevant cybersecurity data from the perspective of both defender and attacker. On the defender side, this research has implemented four security controls at each stage of the CKC model. Next, it calculated the probability that, out of four security controls, at least one will work at each stage of the CKC model. On the attacker side, cyber-attacks were launched using a Poisson probability density function. After all the simulated cybersecurity data has been generated, the next step of the research methodology is data analysis. During data analysis, this research defined four cases, which are explained in Sect. 6 of this paper. Finally, cyber-attack penetration probabilities have been visualized so that important decisions can be taken in order to minimize the risk of these attacks.
5 Overview of the model
5.1 Notations
The notations used in this research work are as follows:
5.1.1 Intrusion/cyber-attack rates
P_attack: It is the probability of initiation of a cyber-attack. It can be modeled as a random arrival process with a Poisson Probability Density Function (PDF) (Eq. 1). This function is commonly used for a variety of arrival applications, including cyber-attacks (Shourabi 2015). The probability of k occurrences of cyber-attack during any specified interval of time can be expressed as:

$P(k \text{ events in interval}) = \dfrac{\lambda^{k} e^{-\lambda}}{k!}$ (1)

where λ is the average number of events per interval and k takes values 0, 1, 2, 3, ….

Fig. 1 Seven stages of cyber kill chain
5.1.2 Model parameters
• S: It is the finite set of stages S = {S1, S2, S3, S4, S5, S6, S7}, with S7 as the last stage where data get compromised.
• Pfi: It is the probability of pre-filtering (intrusion detection system) at each stage of CKC.
• C: It is the finite set of 28 security controls C = (Pc11, Pc12, Pc13, Pc14, Pc21, Pc22, Pc23, Pc24, Pc31, Pc32, Pc33, Pc34, Pc41, Pc42, Pc43, Pc44, Pc51, Pc52, Pc53, Pc54, Pc61, Pc62, Pc63, Pc64, Pc71, Pc72, Pc73, Pc74), with four controls at each stage to defend against the cyber-attack (Eq. 2).

$\underbrace{\sum_{i=1}^{4} Pc_{ji}}_{\text{Stage } j=1} \quad \underbrace{\sum_{i=1}^{4} Pc_{ji}}_{\text{Stage } j=2} \quad \ldots \quad \underbrace{\sum_{i=1}^{4} Pc_{ji}}_{\text{Stage } j=7}$ (2)

These security controls include Intrusion Detection and Prevention System, HoneyPot, Web Analytics, Threat Intelligence, Video Surveillance, Vulnerability Scanning, Penetration Testing, Firewall, Proxy Filter, Antivirus, and most of them were listed in the previous work (Kour et al. 2020).
Table 1 Example of security controls at each stage of CKC model

Reconnaissance
• Cyber hygienic workforce of railway
• Scan the railway network internally and externally using vulnerability-scanning tools
• Securely dispose of sensitive and confidential railway data
• Perform proactive penetration testing

Weaponize
• Conduct cybersecurity education and improve awareness of railway workforce
• Conduct detailed analysis of possible attack types to proactively identify indicators of adversaries' actions
• Share and utilize threat intelligence to learn about adversaries' tactics and techniques
• Identify weaponization attributes to prevent attacks reaching later stages

Delivery
• Use email filtering services
• Detect anomalous commands not stemming from the normal remote control center
• Use role-based access control (RBAC) to limit who has access to the railway enterprise network, SCADA system (supervisory control and data acquisition system) or European Train Control System (ETCS) system
• Require approved cryptographic algorithms for authentication and message integrity on the railway signalling network

Exploitation
• Perform patching
• Use network intrusion detection system
• Remove remote administration capabilities from Web platforms
• Use security toolkits to prevent exploits

Installation
• Implement firewalls
• Authenticate users so that physical access to railway assets does not automatically grant logical access
• Require multi-factor authentication to gain access to sensitive railway information
• Generate alerts on who has made software additions or modifications

Command and control (C2)
• Block communication to the external C2 server
• Automatically isolate infected devices
• Perform internal reconnaissance to detect and block the attacker
• Use DNS blackholing

Act on objective
• Use data loss prevention technology
• Configure email systems and web proxies to prevent sensitive and confidential railway data from being sent
• Implement internal intrusion detection system, intrusion prevention system and other controls within the railway network to detect and mitigate unauthorized lateral movement
• Use data-at-rest encryption schemes
• Pci: It is the probability that at least one security control will work at stage Si of CKC, i = 1, 2, …, 7.
• Pg1: It is the probability of attack penetration at stage S1.
• Pgi: It is the probability of attack penetration at stage Si, i = 2, 3, …, 7.
• Loss: It is the malicious cyber activity cost in Euro. Around 30% of Swedes were exposed to cybercrime, resulting in total financial losses of 3.14 billion Euros in 2018 (Ahlstrom 2019).
• Risk: Risk is related to three elements: Threat, Vulnerability, and Asset (ISO/IEC 27005:2011). In this model, risk is a function of the probability of cyber-attack, the probability that the defensive mechanism can exploit the vulnerabilities present, and the loss to the asset as consequence.
• Uc: It is the updated security control which will be implemented after assessing cyber-attacks for a period of one month.
5.1.3 Model functions
• f(P_attack, Pc1): It calculates the probability of infiltration at the first stage of CKC.
• f(Pg(i−1), Pci): It calculates the probability of propagation of the cyber-attack to the next stage of CKC, with i as the current stage and i − 1 as the previous stage, i = 2, 3, …, 7.
• f(Pci, Pfi): It calculates the probability of filtering the attack traffic with a detection mechanism. The success of an attack depends upon this detection mechanism to thwart the attack.
• f(P_attack, f(Pci), loss): It calculates the risk of penetration of the cyber-attack at each stage of the CKC model.

$\text{Risk} = \text{Threat} \times \text{Vulnerability} \times \text{Asset}$ (3)

• f(Uc, Pc, Pg, Pattack): It calculates the last stage penetration probabilities with updated controls for each month.
5.2 Assumptions
1. This research assumes that the probability of cyber-attack arrival follows a Poisson Probability Density Function (PDF) (Shourabi 2015). According to the University of Maryland, hackers attack every 39 s (University of Maryland 2007). In addition to this, Cisco reported that Asia–Pacific companies receive 6 cyber threats every minute (Cisco 2018). McAfee recorded 478 new cyber threats every minute, 8 every second, with an 18% increase in the number of reported security incidents across Europe (McAfee 2019). This research assumed 8 cyber-attacks every second and simulated attack arrival as a Poisson PDF.
2. This research assumes four security controls implemented at each stage, with at least one security control working at each stage to defend against the cyber-attacks. These security controls can be extended further based on the requirements of the defender.
3. This research assumes a prefilter, which is a cyber-attack detection mechanism, at each of the seven stages of CKC. This detection mechanism assumes an exponential PDF for detection (Shourabi 2015).
4. This research assumes three cases of probabilities of security controls at the third, fourth and fifth stages of CKC: (20–25%), (26–30%), and (31–35%). In addition to this, the probabilities of security controls for the remaining four stages (1–2 and 6–7) are 1–5%. The security control probabilities at the first two stages are lower because these two stages are bound to the attacker's side, and the actual attack happens from the delivery stage. These probabilities can be extended further based on the requirements of the defender.
5. This research assumed that the Loss due to cyber-attack is 3.14 billion Euros in a year (Ahlstrom 2019).

Fig. 2 Flowchart of research methodology
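The model of Sects. 3 and 5 (Poisson arrival of Eq. 1, four controls per stage combined by Eq. 4, the prefilter of assumption 3, stage-to-stage propagation and the risk of Eq. 3) can be run end to end; the following Python is an added example, not the paper's MATLAB code. The function names, the detection rate of 0.3, the independent combination of a control and a prefilter at the same stage, and the reading of Vulnerability as "no control up to this stage stopped the attack" are this example's assumptions.

```python
"""CKC penetration-probability model of Sects. 3-5, as an added example.

Not the paper's MATLAB code. Implemented here: Poisson attack arrival (Eq. 1),
four controls per stage combined as P(at least one works) = 1 - P(none works)
(Eq. 4), propagation Pg_i = Pg_(i-1) * (1 - Pc_i), an optional exponential
prefilter Pf_i at each stage (assumption 3) and Risk = Threat x Vulnerability
x Asset (Eq. 3). Assumptions of this example: a control and a prefilter at
the same stage act independently, Vulnerability at stage i is the chance that
no control up to stage i stopped the attack, and the detection rate is 0.3.
"""
import math
import random

STAGES = ["Reconnaissance", "Weaponize", "Delivery", "Exploitation",
          "Installation", "Command and control", "Act on objective"]

LOSS_EUR = 3.14e9   # paper's assumption 5: yearly loss used as the Asset term


def poisson_pmf(k: int, lam: float) -> float:
    """Eq. 1: P(k events in interval) = lambda^k * e^(-lambda) / k!."""
    return lam ** k * math.exp(-lam) / math.factorial(k)


def p_attack(lam: float) -> float:
    """P_attack: probability that at least one attack arrives in the interval."""
    return 1.0 - poisson_pmf(0, lam)


def p_at_least_one(controls) -> float:
    """Eq. 4 for one stage: 1 - prod(1 - Pc_ji) over its controls."""
    none_defensive = 1.0
    for p in controls:
        none_defensive *= 1.0 - p
    return 1.0 - none_defensive


def sample_controls(rng, mid_band, low_band=(0.01, 0.05)):
    """Assumption 4: stages 3-5 draw their four control probabilities from
    mid_band, stages 1-2 and 6-7 from low_band (bands given as fractions)."""
    per_stage = []
    for stage in range(7):
        lo, hi = mid_band if stage in (2, 3, 4) else low_band
        per_stage.append([rng.uniform(lo, hi) for _ in range(4)])
    return per_stage


def prefilter_detection(rate: float, t: float = 1.0) -> float:
    """Assumption 3: exponential detection; Pf = 1 - e^(-rate*t)."""
    return 1.0 - math.exp(-rate * t)


def propagate(p_att: float, pc, pf=None):
    """Pg_1 = P_attack*(1-Pc_1)*(1-Pf_1), Pg_i = Pg_(i-1)*(1-Pc_i)*(1-Pf_i).
    pf=None means no prefilter (Case 1, Fig. 3a)."""
    pg, carry = [], p_att
    for i in range(7):
        survive = 1.0 - pc[i]
        if pf is not None:
            survive *= 1.0 - pf[i]          # must also evade the detector
        carry *= survive
        pg.append(carry)
    return pg


def risk_per_stage(p_att: float, pc, loss: float = LOSS_EUR):
    """Eq. 3 per stage: Threat = P_attack, Vulnerability = prod(1 - Pc_j) for
    j <= i (no control up to stage i stopped the attack), Asset = loss."""
    risks, vulnerability = [], 1.0
    for p in pc:
        vulnerability *= 1.0 - p
        risks.append(p_att * vulnerability * loss)
    return risks


def run_case1(mid_band=(0.20, 0.25), lam=8.0, det_rate=0.3, seed=1):
    """Case 1: penetrations per stage without and with prefilter, same controls.
    lam=8.0 is the paper's assumption 1 (8 attacks per second)."""
    rng = random.Random(seed)
    p_att = p_attack(lam)
    pc = [p_at_least_one(c) for c in sample_controls(rng, mid_band)]
    pf = [prefilter_detection(det_rate)] * 7
    return {
        "P_attack": p_att,
        "Pc": pc,
        "without_prefilter": propagate(p_att, pc),
        "with_prefilter": propagate(p_att, pc, pf),
        "risk_eur": risk_per_stage(p_att, pc),
    }


if __name__ == "__main__":
    res = run_case1()
    print(f"P_attack = {res['P_attack']:.6f}")
    for i, name in enumerate(STAGES):
        print(f"S{i + 1} {name:<20} Pc={res['Pc'][i]:.3f} "
              f"Pg={res['without_prefilter'][i]:.4f} "
              f"Pg(prefilter)={res['with_prefilter'][i]:.4f} "
              f"risk={res['risk_eur'][i]:,.0f} EUR")
```

Changing mid_band to (0.26, 0.30) or (0.31, 0.35) reproduces the other two control bands of Case 2.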
6 Simulation cases
This research considers the following cases for simulating the penetration probabilities:
6.1 Case 1 (detection mechanism)
This case simulates the cyber-attack penetration probabilities at all seven stages when an attack detection mechanism is applied as prefiltering and when no prefiltering mechanism is applied at each of the seven stages (Fig. 3). In Fig. 3a, b, Pg1–Pg7 are the next-stage cyber-attack penetration probabilities and Pc1–Pc7 are the probabilities that at least one security control is working at each stage of the CKC. In Fig. 3b, Pf1–Pf7 are the prefilters implemented at each stage of CKC. This case estimates how much the cyber-attack penetration probability is reduced by using a prefilter in the form of a cyber-attack detection mechanism.
6.2 Case 2 (variable controls)
This case simulates the cyber-attack penetration probabilities at all seven stages when the security controls at the third, fourth and fifth stages have variable probabilities (Fig. 4). The control probabilities at the first two stages are lower because these two stages are bound to the attacker's side and the actual attack happens from the delivery stage. Further, the control probabilities at the last two stages are assumed lower for simulation in this research but can be extended further based on the requirements of the defender.

This case considers three cases of security control probabilities:
1. Probabilities of the four controls at the delivery, exploit and install stages are between 20 and 25%.
2. Probabilities of the four controls at the delivery, exploit and install stages are between 26 and 30%.
3. Probabilities of the four controls at the delivery, exploit and install stages are between 31 and 35%.

The security control probabilities at the remaining four stages are between 1 and 5% for all three cases. This simulation considers that, out of four security controls, at least one will work. Therefore, the probability that at least one control is defensive is:

$P(\text{at least one control is defensive}) = 1 - P(\text{none is defensive})$ (4)
6.3 Case 3 (equalizer)
This case considers that the probability of each of 25 of the 28 security controls is the same, except for the three controls at any one stage (Fig. 5). This case estimates the impact of changing security controls on the last stage penetration. These variable controls are implemented at each of the stages in seven iterations to calculate the penetration probability at the last stage.
6.4 Case 4 (learning curve)
This case is a feedback learning criterion that simulates the penetration probabilities after assessing the cyber incidents and then improving the security controls for similar types of cyber-attacks in the future (Fig. 6).

This research has undertaken this case because it will help the defender learn from the attack and reconsider the security controls to minimize the risk of similar types of cyber-attacks in the future. This simulation considers that every month the cyber-attacks will be assessed, and then the security controls are updated based on the attack penetrations. The following expression is used to calculate the updated control for each simulated month:

$Uc = Pg7(\text{Previous Month}) \times \text{Updated Percentage}/100 + Pc1(\text{Previous Month})$ (5)
123
Int J Syst Assur Eng Manag
Fig. 3 Cyber-attack penetrations without prefilter (a) and with prefilter (b)
Fig. 4 Three cases of security controls
Equation 5 shows how the updated security control probability ($U_c$) is calculated every month after assessing cyber-attacks for 1 month. The security control is updated based on the attack's penetration probability at the last stage during the previous month. After calculating the updated security control probability, new penetration probabilities are simulated using the following function:
$\text{function}(U_c, P_c, P_g, P_{attack})$ (6)
This function is called for each month to draw the penetration probabilities with the newly updated controls each time.
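As an added worked example (not the paper's MATLAB code), the chain model of Cases 2–4 in Python: Eq. (4) for the per-stage control probability, the stage-to-stage propagation as an assumed multiplicative chain, the Case 3 placement check, and the monthly control update of Eq. (5) driving the re-simulation of Eq. (6). The four-controls-per-stage layout, the 3% value inside the 1–5% band and the independence of controls are assumptions, not values from the paper.

```python
import math
from typing import List, Sequence

# Seven CKC stages with four controls each (28 controls), as in the paper.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

def p_defended(controls: Sequence[float]) -> float:
    """Eq. (4): 1 - P(none is defensive); assumes the controls act independently."""
    return 1.0 - math.prod(1.0 - c for c in controls)

def penetration(p_attack: float, stage_controls: Sequence[Sequence[float]]) -> List[float]:
    """Assumed chain model: the attack reaches stage k only if it reached stage k-1
    and no control at stage k stopped it. Returns the penetration probability per stage."""
    out, p = [], p_attack
    for controls in stage_controls:
        p *= 1.0 - p_defended(controls)
        out.append(p)
    return out

def case2_controls(low: float, high: float, other: float = 0.03) -> List[List[float]]:
    """Case 2: four controls at delivery, exploit and install take the midpoint of
    [low, high]; the rest sit at `other` (constructed, inside the paper's 1-5% band)."""
    mid = (low + high) / 2.0
    varied = {"delivery", "exploitation", "installation"}
    return [[mid] * 4 if s in varied else [other] * 4 for s in STAGES]

def equalizer_last_stage(base: float, variable: Sequence[float]) -> List[float]:
    """Case 3: 25 controls share `base`, three `variable` controls sit at one stage.
    Returns the last-stage penetration for each of the seven placements (attack prob. 1)."""
    results = []
    for k in range(len(STAGES)):
        layout = [[base] * 4 for _ in STAGES]
        layout[k] = [base] + list(variable)
        results.append(penetration(1.0, layout)[-1])
    return results

def update_controls(stage_controls, p_g7: float, pct: float) -> List[List[float]]:
    """Eq. (5) for every control: U_c = P_g7(prev month) * pct/100 + P_c1(prev month),
    capped at 1.0 so no probability exceeds certainty."""
    return [[min(1.0, p_g7 * pct / 100.0 + c) for c in controls] for controls in stage_controls]

def learning_curve(p_attack: float, stage_controls, months: int = 4, pct: float = 10.0) -> List[float]:
    """Case 4 / Eq. (6): monthly re-run with controls raised by Eq. (5); returns last-stage penetration per month."""
    history = []
    for _ in range(months):
        pen = penetration(p_attack, stage_controls)
        history.append(pen[-1])
        stage_controls = update_controls(stage_controls, pen[-1], pct)
    return history
```

Because the stage factors multiply, the seven placements in `equalizer_last_stage` give the same last-stage value, which is the position-independence the paper reports for Case 3.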
7 Simulation results and discussion
MATLAB has been used for the simulation of cyber-attack
penetration probabilities. All the discussed cases have been
simulated in this research.
Case 1 results and discussions Figure 7 shows the cyber-attack penetration probabilities at each stage of the cyber kill chain model. Green lines show the case where a prefilter, in the form of a detection mechanism, is implemented at each stage of the CKC. The red line, on the other hand, shows the case where no prefilter is implemented at any stage. Figure 7 clearly indicates that after implementing a prefilter at each stage of the CKC, the attack penetration probabilities can be reduced. For example, Fig. 7 presents five cases of cyber-attacks and shows how these attacks penetrate each of the stages with and without a cyber-attack detection mechanism. For instance, in Figs. 7 and 8, with a cyber-attack probability of 0.13953, the penetration probability at stage 2 is 0.1151 without and 0.07865 with the detection mechanism. More cases of cyber-attack and penetration probabilities at the second stage of the CKC are presented in Fig. 8. These results clearly indicate that after implementing a prefilter in the form of a detection mechanism at each stage of the CKC, the cyber-attack penetration probabilities can be reduced.
Fig. 5 Changing security controls at each stage of CKC
Case 2 results and discussions This case considers three cases of security controls' probability at the third, fourth and fifth stages of the CKC, i.e. (20–25%), (26–30%), and (31–35%). These three cases indicate that as the security controls increase, the cyber-attack penetration probabilities decrease. In Fig. 9 it can be seen that with a cyber-attack probability of 0.1241, the cyber-attack penetration at the exploitation stage of the CKC decreases from 0.0069 to 0.0038 to 0.0012 when the security controls' probability at the delivery, exploit and install stages is (20–25%), (26–30%), and (31–35%) respectively (also shown as the highlighted value in Fig. 10). A few more simulated penetration probability values at the exploitation stage are given in Fig. 10, when the security controls are (20–25%), (26–30%), and (31–35%).
Thus, with real cybersecurity data on cyber-attack and security control probabilities, this simulation will help to predict attack penetrations at each stage of the cyber kill chain.
Case 3 results and discussions Figure 11 represents the result of the equalizer, where the probability of each of 25 of the 28 security controls is the same, except for the three controls at any one stage. The displayed results are for stages 1, 3, 5 and 7 (reconnaissance, delivery, installation, and act on objective) of the CKC model. These variable controls are implemented at each of the stages in seven iterations to calculate the penetration probability at the last stage. The result shows that when the sum of the probabilities of the controls is the same at any stage, the penetration at the last stage remains the same; the position of the controls does not matter.
Fig. 6 Feedback loop showing security controls enhanced at every next iteration
Case 4 results and discussions Figure 12 shows the learning curve results: after detecting cyber-attacks, these attacks were assessed so that future attacks can be minimized. Based on the assessment result, the security controls are improved (refer to Fig. 6) so that penetrations can be reduced. Figure 12 shows that the attack penetrations decrease as the security controls are updated. This simulation considers that, after assessing the cyber-attacks, the security controls are enhanced or updated by 10% successively for each attack for 4 consecutive months. Thus, it can be seen clearly in Fig. 12 that the last-stage penetrations decrease with each 10% increase in controls over four consecutive months, for the three variable cases of security controls, i.e. when the security controls lie between (20 and 25%), (26 and 30%), and (31 and 35%).
Other results and discussions Figure 13 shows the risk of cyber-attack penetration per person in Euro at the last stage of the CKC with the three cases of security controls at the delivery, exploit and install stages, 20–25%, 26–30%, and 31–35%. Risk is related to three elements: Threat, Vulnerability, and Asset. In this model, risk is a function of the probability of cyber-attack, the defensive mechanism and the vulnerabilities present that can be exploited, and the loss to the asset as a consequence. Loss in this model is the total financial loss of 3.14 billion Euros caused by malicious cyber activity, where around 30% of Swedes were exposed to cybercrime (Ahlstrom 2019). Thus, the loss per person due to this cybercrime is 1152.83 Euro (3.5 Billion/30% of the 10.12 Million Swedish population in the year 2018). The Figure 13 data point shows that the risk per person in Euro reduces from 3.02 to 2.17 to 1.99 when the attack probability is 0.099.
Fig. 7 Cyber-attack penetration probabilities at each stage of cyber kill chain model
Fig. 8 Cyber-attack and penetration probabilities at second stage of cyber kill chain
Fig. 9 Cyber-attack penetration probabilities with varied security controls at 3–5 stages of CKC
Fig. 10 Penetration probabilities for exploitation stage when security controls are (20–25%), (26–30%), and (31–35%)
Fig. 11 Penetration probabilities at reconnaissance, delivery, installation, and act on objective stage of CKC
Fig. 12 Last stage penetration probabilities with updated (improved) security controls
Fig. 13 Cyber-attack risk with varying security controls at delivery, exploit, and install stages
8 Conclusion and future research directions
This research simulates and predicts cyber-attack penetrations in the presence of various security controls. This research concludes the following points:
• A cyber-attack detection mechanism in the form of a prefilter at each stage of the cyber kill chain will reduce the attack penetrations at each stage.
• These penetrations will reduce further with an increase in the probabilities of the security controls defending against these cyber-attacks.
• Next, it was inferred that when the sum of the probabilities of the controls is the same at any stage, the penetration at the last stage remains the same and the position of the controls does not matter.
• In addition, the simulation results show that assessing last-stage penetrations and improving the security controls accordingly will further reduce future cyber-attacks.
In future, this research will consider cyber-attack penetration probabilities in a combined extended cyber kill chain and industrial control system (ICS) cyber kill chain.
Acknowledgements Open access funding provided by Lulea University of Technology. The authors would like to thank Lulea Railway Research Center (JVTC) for sponsoring the research work.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
References
Ahlstrom T (2019) Sweden: cyber security. Retrieved from https://www.export.gov/article?id=Sweden-Cyber-Security. Accessed 13 Aug 2019
Alpcan T, Buchegger S (2010) Security games for vehicular networks. IEEE Trans Mob Comput 10(2):280–290
Bahamou S, Ouadghiri E, Driss M, Bonnin J (2016) When game theory meets VANET's security and privacy. Paper presented at the proceedings of the 14th international conference on advances in mobile computing and multi media, pp 292–297
Ciancamerla E, Minichino M, Palmieri S (2013) Modeling cyber attacks on a critical infrastructure scenario. Paper presented at the IISA 2013, pp 1–6
Ciprnet (2013) Critical infrastructures preparedness and resilience research network. EU project. Retrieved from https://www.ciprnet.eu/home.html. Accessed 13 Aug 2019
Cisco (2018) Asia pacific security capabilities benchmark study. Retrieved from https://www.cisco.com/c/dam/global/en_au/products/pdfs/executive_summary_cisco_2018_asia_pacific_Security_capabilities_benchmark_study.pdf. Accessed 13 Aug 2019
eTrax (2016) Railway traction power analysis | rail power system software. Retrieved from https://etap.com/solutions/railways. Accessed 13 Aug 2019
Grube P, Nunez F, Cipriano A (2011) An event-driven simulator for multi-line metro systems and its application to Santiago de Chile metropolitan rail network. Simul Model Pract Theory 19(1):393–405
He X (2017) Threat assessment for multistage cyber attacks in smart grid communication networks. Doctoral dissertation, Universitat Passau
Karnouskos S (2011) Stuxnet worm impact on industrial cyber-physical system security. Paper presented at the IECON 2011-37th annual conference of the IEEE industrial electronics society, pp 4490–4494
Kour R, Aljumaili M, Karim R, Tretten P (2019) eMaintenance in railways: issues and challenges in cybersecurity. Proc Inst Mech Eng F J Rail Rapid Transit. https://doi.org/10.1177/0954409718822915
Kour R, Thaduri A, Karim R (2020) Railway defender kill chain to predict and detect cyber-attacks. J Cyber Secur Mobil 9(1):47–90
Lockheed Martin (2009) Cyber kill chain®. Retrieved from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html. Accessed 13 Aug 2019
Martin L (2014) Cyber kill chain®. http://Cyber.Lockheedmartin.Com/Hubfs/GainingtheAdvantageCyberKillChain.Pdf. Accessed 13 Aug 2019
McAfee (2019) McAfee labs reports record. Retrieved from https://www.mcafee.com/enterprise/es-es/about/newsroom/press-releases/press-release.html?news_id=20180311005028. Accessed 13 Aug 2019
Mejri MN, Achir N, Hamdi M (2016) A new security games based reaction algorithm against DOS attacks in VANETs. Paper presented at the 2016 13th IEEE annual consumer communications and networking conference (CCNC), pp 837–840
NS-3 (2019) Network simulator. Retrieved from https://www.nsnam.org/. Accessed 13 Aug 2019
OpenPowerNet Version 1.8.1 (2019) Traction power supply and train performance simulation software. Retrieved from http://www.openpowernet.com/. Accessed 13 Aug 2019
OpenTrack (1990) Simulation of railway networks. Retrieved from http://www.opentrack.ch/opentrack/opentrack_e/opentrack_e.html. Accessed 13 Aug 2019
OPNET (2019) Opnet is now part of riverbed steelcentral™. Retrieved from https://www.riverbed.com/se/products/steelcentral/opnet.html. Accessed 13 Aug 2019
Ross RS, Katzke SW, Johnson LA, Swanson MM (2007) Recommended security controls for federal information systems. NIST Special Publication (NIST SP) 800-53 rev 2
Rybnicek M, Tjoa S, Poisel R (2014) Simulation-based cyber-attack assessment of critical infrastructures. Paper presented at the Workshop on enterprise and organizational modeling and simulation, pp 135–150
Sanjab A, Saad W, Basar T (2017) Prospect theory for enhanced cyber-physical security of drone delivery systems: a network interdiction game. Paper presented at the 2017 IEEE international conference on communications (ICC), pp 1–6
Sedjelmaci H, Senouci SM, Ansari N (2016) Intrusion detection and ejection framework against lethal attacks in UAV-aided networks: a bayesian game-theoretic methodology. IEEE Trans Intell Transp Syst 18(5):1143–1153
Shourabi NB (2015) A model for cyber attack risks in telemetry networks. International Foundation for Telemetering, San Diego
Stouffer K, Lightman S, Pillitteri V, Abrams M, Hahn A (2014) NIST special publication 800-82, revision 2: guide to industrial control systems (ICS) security. National Institute of Standards and Technology
Teo Z, Tran BAN, Lakshminarayana S, Temple WG, Chen B, Tan R, Yau DK (2016) SecureRails: towards an open simulation platform for analyzing cyber-physical attacks in railways. Paper presented at the 2016 IEEE region 10 conference (TENCON), pp 95–98
Thaduri A, Aljumaili M, Kour R, Karim R (2019a) Cybersecurity for eMaintenance in railway infrastructure: risks and consequences. Int J Syst Assur Eng Manag 10:149–159
Thaduri A, Aljumaili M, Kour R, Karim R (2019b) Cybersecurity for eMaintenance in railway infrastructure: risks and consequences. Int J Syst Assur Eng Manag 10(2):149–159. https://doi.org/10.1007/s13198-019-00778-w
University of Maryland (2007) Study: hackers attack every 39 seconds. Retrieved from https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds. Accessed 13 Aug 2019
Yao X, Zhao P, Qiao K (2013) Simulation and evaluation of urban rail transit network based on multi-agent approach. J Ind Eng Manag (JIEM) 6(1):367–379
Publisher's Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.