
CYBERSECURITY IN RAILWAY
A Framework for Improvement of Digital Asset Security

Ravdeep Kour

Operation and Maintenance Engineering

Department of Civil, Environmental and Natural Resources Engineering
Division of Operation and Maintenance Engineering

ISSN 1402-1544
ISBN 978-91-7790-579-0 (print)
ISBN 978-91-7790-580-6 (pdf)

Luleå University of Technology 2020

DOCTORAL THESIS

Printed by Luleå University of Technology, Graphic Production 2020

Luleå 2020

www.ltu.se


ACKNOWLEDGEMENTS

The research presented in this thesis has been carried out at the Division of Operation and Maintenance Engineering, Luleå University of Technology (LTU), Sweden. I gratefully acknowledge Luleå Railway Research Center (JVTC), Artificial Intelligence Factory for Railways (AIF/R), Intelligent Innovative Smart Maintenance of Assets by integRated Technologies (IN2SMART), and A Novel Decision Support System for Intelligent Maintenance (iMain) for financing my research study.

Furthermore, with a deep sense of gratitude, privilege and pride, I would like to convey my regards and sincere thanks to my main supervisor, Professor Ramin Karim, Division of Operation and Maintenance Engineering, Luleå University of Technology, Sweden. It was a great pleasure and honour to work under the guidance of someone with such vast experience and knowledge in his domain. Without his timely help, positive attitude, painstaking efforts, and continuous encouragement, it would not have been possible to complete this thesis in its present form.

I am grateful to Professor Uday Kumar (my co-supervisor), Chair Professor, Division of Operation and Maintenance Engineering for providing all possible help, cooperation and encouragement throughout the research work. He was always a source of motivation, inspiration and support throughout the span of PhD research work.

I express my heartfelt gratitude to Associate Professor Phillip Tretten (my co-supervisor) and Associate Senior Lecturer Adithya Thaduri (my co-supervisor), Division of Operation and Maintenance Engineering for their encouragement and support during this research work.

I would like to thank Senior Lecturer Miguel Castano and Dr Stephen Mayowa Famurewa, Division of Operation and Maintenance Engineering, Dr. Mustafa Aljumaili from KPMG, and Robert Beney from IronSky AB for the fruitful discussions. I would like to thank my colleagues at the Division of Operation and Maintenance Engineering for their support. I would also like to thank Veronica Jägare, Manager, JVTC for her support. The administrative support received from Cecilia Glover is also gratefully acknowledged.

It is my privilege to pay reverence to my parents and parents-in-law, who have always supported me through the thick and thin of my life. It would have been impossible for me to enjoy work with undivided attention without the supportive and positive attitude of my husband Dr. Sarbjeet Singh and my daughters Harsimrat Kour and Ekamjeet Kour. I am also thankful to all my close friends for being a source of inspiration as well as strength during the long durations of my work.


Words cannot describe the heavenly help, which comes in immeasurable quantities, intangible forms and incomprehensible ways. Finally, I am filled with gratitude towards Almighty, ‘Waheguru’– invisible to the mortal eyes!

Ravdeep Kour, June 2020

Luleå, Sweden


ABSTRACT

Digitalisation has brought many positive changes to the operation and maintenance of the railway system. Emerging digital technologies facilitate the implementation of enhanced eMaintenance solutions through the utilisation of distributed computing and artificial intelligence. Digital technology is expected to improve the railway system’s sustainability, availability, reliability, maintainability, capacity, safety, and security, including cybersecurity. In the digitalised railway, however, cybersecurity is essential to achieve overall system dependability. A lack of cybersecurity has negative consequences, including reputational damage, heavy costs, service unavailability and risk to the safety of employees and passengers.

Open access data indicate that many railway organisations focus on detecting security threats, with less emphasis on forecasting them. To prepare in advance for cyberattacks, it is essential that both Information and Communication Technology (ICT) and Operational Technology (OT) are continually updated to enable a security analytics approach. This approach will help railways establish proactive security measures to predict and prevent cyberattacks. The current standards and guidelines related to cybersecurity in railways (e.g. AS 7770 Rail Cyber Security, APTA SS-CCS-004-16, BS EN 50159:2010+A1:2020) are either organisation-specific or country-specific and are followed by most railway organisations. These standards and guidelines lack a holistic approach to enable interoperability, scalability, orchestration, adaptability, and agility for railway stakeholders. Therefore, there is a need to develop a generic cybersecurity framework for digitalised railways to facilitate proactive cybersecurity and threat intelligence sharing within the railways.

The proposed Cybersecurity Information Delivery Framework integrates existing models, technologies, and standards to minimise the risk of cyberattacks in the railway. The framework uses the layers of the Open System Architecture for Condition-Based Maintenance (OSA-CBM) in the context of cybersecurity to deliver threat intelligence. It implements an extended Cyber Kill Chain (CKC) and an Industrial Control System (ICS) Kill Chain to detect cyberattacks, and it incorporates the proposed Railway Defender Kill Chain (RDKC) to enable proactive cybersecurity. The framework also raises the cybersecurity maturity level and delivers threat intelligence, enabling proactive cybersecurity and improving information assurance in the railway.

Keywords: Digitalisation of railway, digital operation and maintenance, cybersecurity, framework for cybersecurity, maturity indicator level, railway defender kill chain.


LIST OF APPENDED PAPERS

Paper I

Kour, R., Aljumaili, M., Karim, R., & Tretten, P. (2019). eMaintenance in railways: Issues and challenges in cybersecurity. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 233(10), 1012-1022. (Published)

Paper II

Kour, R., Karim, R., & Thaduri, A. (2019). Cybersecurity for railways–A maturity model. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 0954409719881849. (Published online)

Paper III

Kour, R., Thaduri, A., & Karim, R. (2020). Railway Defender Kill Chain to Predict and Detect Cyber-Attacks. Journal of Cyber Security and Mobility, 9(1), 47-90. (Published)

Paper IV

Kour, R., Thaduri, A., & Karim, R. (2020). Predictive model for multistage cyber-attack simulation. International Journal of System Assurance Engineering and Management, 1-14. (Published online)


AUTHORS’ CONTRIBUTIONS

The appended papers in this thesis are divided into the following main activities, with each author’s contributions shown in Table I below:

1. Research idea and design
2. Data collection and analysis
3. Manuscript drafting
4. Revising important intellectual contents
5. Final approval of the version to be published

Table I: Authors’ contributions

Author              Paper I   Paper II   Paper III   Paper IV
Ravdeep Kour        1-5       1-5        1-5         1-5
Ramin Karim         1,4,5     1,4,5      1,4,5       1,4,5
Adithya Thaduri     -         3-5        3-5         1-5
Phillip Tretten     4,5       -          -           -
Mustafa Aljumaili   2-5       -          -           -


LIST OF RELATED PAPERS

Paper 1

Kour, R., Tretten, P., Karim, R., & Singh, S. (2019). Cybersecurity Workforce in Railway: A Case Study. Proceedings of the 5th International Workshop & Congress on eMaintenance, Stockholm, Sweden, pp. 28-32.

Paper 2

Kour, R., Thaduri, A., & Karim, R. (2019). Railway Defender Kill Chain for Cybersecurity. Proceedings of the 5th International Workshop & Congress on eMaintenance, Stockholm, Sweden, pp. 20-27.

Paper 3

Thaduri, A., Aljumaili, M., Kour, R., & Karim, R. (2019). Cybersecurity for eMaintenance in railway infrastructure: risks and consequences. International Journal of System Assurance Engineering and Management, 10(2), 149-159.

Paper 4

Kour, R., Karim, R., Parida, A., & Kumar, U. (2014). Applications of radio frequency identification (RFID) technology with eMaintenance cloud for railway system. International Journal of System Assurance Engineering and Management, 5(1), 99-106.

Paper 5

Kour, R., Tretten, P., Karim, R. (2014). eMaintenance solution through online data analysis for railway maintenance decision-making. Journal of Quality in Maintenance Engineering, 20(3), 262-275.

Paper 6

Kour, R., Karim, R., Tretten, P. (2014). eMaintenance solutions for railway maintenance decisions. In World Congress on Engineering, 02/07/2014-04/07/2014. 2015, pp. 228-232. Newswood Limited.

Paper 7

Kour, R., Karim, R., & Parida, A. (2013). Cloud computing for maintenance performance improvement. In international conference on Industrial Engineering: 20/11/2013-22/11/2013.


ACRONYMS

ACRONYM    FULL FORM
ACM        Asset Change and Configuration Management
APT        Advanced Persistent Threat
C2         Command & Control
C2M2       Cybersecurity Capability Maturity Model
CBM        Condition Based Maintenance
CIA        Confidentiality, Integrity, and Availability
CKC        Cyber Kill Chain
CPM        Cybersecurity Program Management
CYRAIL     CYbersecurity in RAILway
DDoS       Distributed Denial of Service
EC-C2M2    Electricity Subsector Cybersecurity Capability Maturity Model
EDM        Supply Chain and External Dependencies Management
ENISA      European Union Agency for Network and Information Security
GDPR       General Data Protection Regulation
HMI        Human Machine Interface
IA         Information Assurance
IAM        Identity and Access Management
ICS        Industrial Control System
ICS-SCADA  Industrial Control and Supervisory Control and Data Acquisition Systems
ICT        Information and Communication Technology
IEC        International Electrotechnical Commission
IoT        Internet of Things
IR         Event and Incident Response, Continuity of Operations
ISC        Information Sharing and Communications
LCC        Life Cycle Cost
MIL        Maturity Indicator Level
NICE       National Initiative for Cybersecurity Education (Capability Maturity Model)
NIDS       Network Intrusion Detection System
NIST       National Institute of Standards and Technology
ONG-C2M2   Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model
OSA-CBM    Open System Architecture for Condition-Based Maintenance
OT         Operational Technology
PII        Personally Identifiable Information
R-C2M2     Railway-Cybersecurity Capability Maturity Model
RDKC       Railway Defender Kill Chain
RM         Risk Management
SA         Situational Awareness
SCADA      Supervisory Control and Data Acquisition Systems
SRA        Safety, Reliability, and Availability
TVM        Threat and Vulnerability Management
WM         Workforce Management


TABLE OF CONTENTS

ACKNOWLEDGEMENTS .......... i
ABSTRACT .......... iii
LIST OF APPENDED PAPERS .......... v
AUTHORS’ CONTRIBUTIONS .......... vii
LIST OF RELATED PAPERS .......... ix
ACRONYMS .......... xi
TABLE OF CONTENTS .......... xiii
CHAPTER 1. INTRODUCTION .......... 1
  1.1. Background .......... 1
  1.2. Problem Definition and Motivation .......... 2
  1.3. Purpose and Objectives .......... 4
  1.4. Research Questions .......... 4
  1.5. Scope and Limitations .......... 5
  1.6. Structure of the Thesis .......... 5
CHAPTER 2. THEORIES AND BASIC CONCEPTS .......... 7
  Digital Railway .......... 7
  Maintenance and eMaintenance .......... 8
  Open System Architecture for Condition-Based Maintenance .......... 10
  Information Assurance .......... 11
  Cyberattacks .......... 12
  Cyberattack Sources, Actions, Goals, and Impacts .......... 13
  Cybersecurity Maturity Models .......... 14
  Cybersecurity Awareness Risk .......... 17
  Unified Extended Cyber Kill Chain and ICS Cyber Kill Chain .......... 17
  Multistage Cyberattack in Railway SCADA System .......... 20
  Interdependencies within Infrastructures: Cyber Threat Scenario Example .......... 21
CHAPTER 3. RESEARCH METHODOLOGY .......... 23
  3.1. Research Approach .......... 23
  3.2. Research Purpose .......... 24
  3.3. Research Strategy .......... 25
  3.4. Data Collection and Data Analysis .......... 25
  3.5. Research Validity and Reliability .......... 26
  3.6. Research Process .......... 27
CHAPTER 4. RESULTS .......... 29
  4.1. Results Related to RQ1 .......... 29
  4.2. Results Related to RQ2 .......... 31
  4.3. Results Related to RQ3 .......... 35
CHAPTER 5. DISCUSSIONS .......... 41
  5.1. Discussion of Results Related to RQ1 .......... 41
  5.2. Discussion of Results Related to RQ2 .......... 42
  5.3. Discussion of Results Related to RQ3 .......... 42
CHAPTER 6. CONCLUSIONS .......... 45
CHAPTER 7. CONTRIBUTIONS .......... 47
CHAPTER 8. FUTURE RESEARCH .......... 49
REFERENCES .......... 51
APPENDED PAPERS .......... 57

INTRODUCTION / 1

CHAPTER 1. INTRODUCTION

This chapter describes the research area of the thesis and the problem statement. It also defines the purpose and objectives, research questions, and the scope, limitations, and structure of the thesis.

1.1. Background

Digitalisation is changing the operation and maintenance of railways significantly with respect to sustainability, availability, reliability, maintainability, capacity, safety, and security, including cybersecurity. Although railway stakeholders perceive the changes brought by digitalisation as an opportunity, they also see them as a challenge. Digitalisation challenges include data acquisition, transformation, modelling, processing, visualisation, safety, security, quality, and information assurance (Jägare et al., 2019). Other challenges include the need for a new mind-set in the railway workforce, digital skills, and the development of a strategy to counteract cyber threats and secure railway assets, which requires special skills in digital technology for railway asset management (Scordamaglia, 2019). Generally, in asset management, an asset is considered an item, thing or entity with potential or actual value to an organisation, including servers, information, applications, databases, laptops, people, buildings, and physical systems (ISO 55000, 2014).

In the context of digital asset management, cybersecurity is considered the preservation of confidentiality, integrity, and availability of information in cyberspace (ISO/IEC 27032, 2012). Hence, cybersecurity is a vital part of asset management to ensure the digital assets’ reliability, robustness, and resilience. According to a recent report by the European Union Agency for Cybersecurity (ENISA, 2020), cyber threats are growing rapidly, threatening critical infrastructures and raising concerns about the privacy and security of the data underlying these infrastructures. These cyber threats lead to risk and possibly harm to one or more assets (Tipton et al., 2008).

The top three cyber threats faced by industries and critical infrastructures are malware attacks, phishing attacks, and targeted attacks (Hackmageddon, 2019). Well-known malware attacks include the following. Stuxnet is a malicious computer worm that targets Supervisory Control and Data Acquisition (SCADA) systems (Kushner, 2013). WannaCry is a ransomware attack that targeted computers running unpatched or outdated versions of the Microsoft Windows operating system, encrypting data and demanding ransom payments (Mohurle, 2017). NotPetya is a ransomware-style attack that targeted companies in Ukraine, hitting its government, financial and energy institutions (McQuade, 2018); because it offered victims no workable recovery path, it is widely regarded as destructive malware disguised as ransomware. According to IBM X-Force (2020), the most commonly impacted sectors are financial services, retail, transportation, media, professional services, government, education, manufacturing, energy, and healthcare (a ranking by attack volume is provided in Chapter 2, Table 2.1).

Society relies on the railway to transport passengers and goods. The railway is one of the most important critical infrastructures in society and, as such, requires protection from various threats, such as man-made terrorism and technological threats, as well as natural disasters (Directive, 2008). The increasing digitalisation of the railway brings new opportunities to its stakeholders, but it also poses new challenges that need to be addressed to retain the dependability of the system. Hackers have already targeted the railway in Belgium, China, Denmark, Germany, Russia, South Korea, Sweden, Switzerland, the UK, and the US (Baker, 2008; The Local, 2017; BBC, 2018; Whittaker, 2018; Paganini, 2018). In the first few months of 2020, two more cases of data breaches in railways were reported. In the first case, the US-based railroad company RailWorks Corporation was targeted by a ransomware attack; this led to a breach of the Personally Identifiable Information (PII) of more than 3,000 employees (Cisomag, 2020). In the second case, the UK-based railway Network Rail reported that the email addresses and travel details of about 10,000 people who had used free Wi-Fi at UK railway stations were exposed online (BBC, 2020). Several efforts have been made to protect data, including the introduction of new data protection regulations such as the European Union’s General Data Protection Regulation (GDPR) (Europa, 2018), New York’s Cybersecurity Requirements for Financial Services Companies (DFS, 2018), and Australia’s Notifiable Data Breach (NDB) scheme (NDB, 2018). In addition to these data protection laws, some research has been conducted on railway cybersecurity, such as CYbersecurity in RAILway sector (CYRAIL), a Shift2Rail sub-project for the detection, assessment, and mitigation of safety and security threats in railway infrastructures (Shift2rail, 2016; Shift2rail, 2017), which focuses on threats from external sources. According to a recent report, however, 30% of cyberattacks come from internal sources, i.e., current or former employees of the organisation (Verizon, 2019). Thus, there is a need to consider internal threats as well.

The Swedish government has prioritised the need to raise the level of awareness and knowledge and to create the long-term conditions for all stakeholders in society to work effectively on cybersecurity (Johansson, 2017). The Swedish Transport Administration’s (Trafikverket) Risk and Vulnerability Analysis (RVA) has highlighted information security as a very important issue, especially in light of the Denial-of-Service (DoS) attacks in the transport sector. The agency has decided on an action plan to strengthen security, which includes measures to create a stronger security culture (Trafikverket, 2017). These projects and initiatives are strong indicators of the need to strengthen cybersecurity in the railway.

1.2. Problem Definition and Motivation

Digitalisation in the railway is not only bringing significant benefits; it is also creating vulnerabilities, leading to cyberattacks and security breaches. Cybersecurity aims to preserve Confidentiality, Integrity and Availability (CIA) elements of information in cyberspace.


Confidentiality means only authorized personnel may disclose or observe information (Willett, 2008). Integrity means information cannot be modified in an unauthorized manner (Willett, 2008). Availability means information should be readily available for authorized users (Willett, 2008).

To facilitate proactive cybersecurity and threat intelligence sharing, a generic framework is needed that can be used to improve the cybersecurity maturity level in the railway. A framework is defined as a meta-level model (a higher-level abstraction) through which a range of concepts, models, techniques and methodologies can be clarified and/or integrated (Jayaratna, 1994). Thus, a framework provides a structured set of concepts, models, guidelines, and technologies (Karim, 2008).

There are some examples of frameworks for measuring and assessing maturity level within the area of safety management in the rail industry, but few standards address railway cybersecurity, and the literature generally ignores cybersecurity maturity levels (Lim et al., 2014). In one exception, the European Union Agency for Network and Information Security (ENISA) analysed the current maturity levels of Industrial Control and Supervisory Control and Data Acquisition Systems (ICS-SCADA) across Europe and provided stakeholders with a set of recommendations to improve their practices, especially in critical sectors (Mattioli and Moulinos, 2015).

Some railway organisations follow cybersecurity standards or guidelines, e.g., EN 50159 (2010), APTA SS-CCS-004-16 (2015), Rail Cyber Security Guidance to Industry (2016), Rail Delivery Group (2017), and AS 7770 (2018). These are either organisation-specific or country-specific, however, and do not provide a holistic approach to enable interoperability, scalability, orchestration, adaptability, and agility across stakeholders. There is a need for a generic cybersecurity framework for the digitalised railway. A review of the state-of-the-art research on these topics revealed the following research gaps:

• The existing work contributes limited efforts to evaluate and estimate cybersecurity maturity levels in railways.

• Most organisations do not share cybersecurity information because of reputational concerns, but there is a need for a standard cybersecurity information delivery system for internal and external cybersecurity communication.

• Most organisations focus on legacy reactive and detective security technologies and ignore predictive technologies.

• Most organisations focus on external cybersecurity threats and lack an emphasis on internal cybersecurity threats.

• A holistic perspective on cybersecurity is lacking but is urgently needed for railways.

This research study aims to fill the aforementioned gaps by proposing a holistic cybersecurity framework that considers both external and internal threats and integrates existing technologies, standards, and models to communicate cybersecurity information and minimise the risk of cyber threats.

1.3. Purpose and Objectives

The purpose of the research is to develop a proactive strategy to protect railway operation from cyberattacks and breaches.

The objective of the research is to develop a holistic cybersecurity framework for digitalised railway to enable and operationalise a proactive cybersecurity strategy. The proposed framework can be used to enhance the cybersecurity maturity level and deliver threat intelligence to effectively predict, prevent, detect, and respond to cyber threats in the railway.

The sub-objectives of the study are to:

a) identify the existing cybersecurity maturity levels in the railway;
b) enable prediction of cyberattacks in the context of operation and maintenance in the railway;
c) design and develop a cybersecurity framework to increase the robustness and resilience of the railway system.

1.4. Research Questions

To achieve the stated purpose and sub-objectives, the following research questions have been formulated:

RQ1: What are the cybersecurity issues & challenges and current level of cybersecurity maturity in railway organisations?

RQ2: How can proactive cybersecurity measures be enabled in operation and maintenance of railway systems?

RQ3: How can a cybersecurity framework be developed and how can it enhance cybersecurity resilience in digitalised railway?

Figure 1.1 Link between the Research sub-Objectives (ROs), Research Questions (RQs), and Appended Papers (Ps).


1.5. Scope and Limitations

Considering the available resources and based on the research purpose and objectives, as well as the specific industrial interests, the scope and limitations of the thesis are as follows.

• The thesis mainly discusses railway cybersecurity in the utilisation (operation and maintenance) phase of the system’s life cycle.

• A comprehensive study of the security controls presented in this thesis is outside the scope of this work.

• The study deals with the assessment of the cybersecurity maturity level of European railways.

1.6. Structure of the Thesis

The thesis consists of eight chapters and four appended papers.

Chapter 1- Introduction: this chapter provides a brief background to the research performed for this thesis and explains the need for cybersecurity in the railway. It also provides the problem statement, the purpose and objectives, research questions, links between the research questions and appended papers, scope and limitations, and the structure of the thesis.

Chapter 2- Theories and basic concepts: this chapter describes the state-of-the-art concepts and theories related to the research. The theories support the need to evaluate the cybersecurity maturity level in the railway and help in the selection of cybersecurity models to detect cyberattacks. These theories also support the development of the cybersecurity framework.

Chapter 3- Research methodology: this chapter describes how the research was conducted. The selection of the research methodologies was based on the research purpose and objectives, the research questions (see Chapter 1 ‘Introduction’), and the identification, evaluation, and selection of models (see Chapter 2 ‘Theories and Basic Concepts’).

Chapter 4- Results: this chapter presents the results of the research on the three RQs stated in Chapter 1 ‘Introduction’.

Chapter 5- Discussions: this chapter discusses the results and findings (see Chapter 4 ‘Results’) of the conducted research work.

Chapter 6- Conclusions: this chapter concludes and analyses the results presented in Chapters 4 and 5.

Chapter 7- Research contributions: this chapter summarises the research contributions of the conducted research study.

Chapter 8- Future research: this chapter suggests how the present research can be extended in future work.


THEORIES AND BASIC CONCEPTS / 7

CHAPTER 2. THEORIES AND BASIC CONCEPTS

This chapter presents the essential theories and basic concepts and explains their relevance to the research work.

Digital Railway

Digitalisation is one of the top priorities for the railway. The concept of digital railway is defined in the European Initiatives and was presented by the Community of European Railways and Infrastructure Managers (CER), the International Rail Transport Committee (CIT), the Association of European Rail Infrastructure Managers (EIM), and the International Union of Railways (UIC) (Roadmap, 2016). Nemtanu and Marinov (2019) defined digital railway as a new paradigm in organising and governing the railway transport system, based on digital support systems and using the digital skills of employees in a digital business environment, in order to increase the efficiency and decrease the negative aspects of the railway transport system. An additional concept of digital railway is inevitably linked to fully automatic trains (future rolling stock) without a driver, e.g., smart locomotives and smart trains (Avramović et al., 2019).

The objective of digital railway is to offer highly efficient and attractive transport options to the customers and to make use of the opportunities offered by digital transformation (Roadmap, 2016). In addition, digital railways need to meet the highest requirements in terms of safety, security, sustainability, availability, affordability as well as adaptability to the old setup of the railways (Roadmap, 2016).

The ePilot is one of the projects undertaken by the Luleå Railway Research Center (JVTC) at Luleå Technical University (LTU) to enable a sustainable, robust, resilient, reliable and digitalised railway system in Sweden that is attractive, safe and efficient (Karim et al., 2020). ePilot is the result of more than 20 years of research, innovation and implementation in the operation and maintenance of railways (Karim et al., 2020). One of the main purposes of ePilot has been to facilitate the digital transformation in railway (Karim et al., 2020). ePilot provides a blueprint for the actions needed to accelerate digitalisation in railway. These actions are described in a set of checkpoints (Karim et al., 2020). ePilot has developed two new concepts for digital railway, i.e., Railway 4.0 and Testbed Railway (Karim et al., 2020), as described below:

• Railway 4.0 – an overarching framework designed to facilitate the choice of concept, approach, technologies and methodologies aimed at the development of the railway system, nationally and internationally.

• Testbed Railway – a platform for implementing thorough, transparent and replicable testing of scientific theories, calculation tools (e.g. Big Data Analytics) and new technology.


Jägare et al. (2019) provided a range of challenges in digital railway, i.e., data acquisition, transformation, modelling, processing, visualisation, safety, security, quality, and information assurance. Jägare et al. (2019) also discussed that technological transformation affects not only the technical systems, i.e. railway infrastructure and rolling stock, but also regulations, organisations, processes, and liveware (i.e. humans). To deal with these challenges, Jägare et al. (2019) discussed the need for a railway digitalisation strategy to enable a smooth transformation of the existing configuration to a digitalised system. The discussed strategy should be based on systematic risk management that addresses aspects of, e.g., information security, traffic safety and project risk (Jägare et al., 2019). According to Karim et al. (2020), ensuring safety and security is one of the future technological advances that digitalised rail needs to adapt to.

Maintenance and eMaintenance

Maintenance refers to a combination of all technical, administrative and managerial actions during the life cycle of an item intended to retain it in, or restore it to, a state in which it can perform the required function (CEN, 2017). Maintenance includes not only repairs, but also modifications to the system that take place due to adjustment to environmental changes (Avizienis et al., 2004). This is called adaptive maintenance and is performed for the purpose of adaptation to a new environment (IEV, 2015). An example of a new environment could be a new type of hardware on which the software is to be run (IEV, 2015). Figure 2.1 shows different types of maintenance strategies.

Figure 2.1 Types of maintenance strategies (CEN, 2017)

Corrective maintenance was traditionally performed regardless of the condition of the equipment or component under repair, leading to the wastage of money on repairing or replacing components in normal condition. System operators are looking for more efficient ways to maintain a system to extend its life cycle. One possible solution is Condition Based Maintenance (CBM), a type of preventive maintenance. With this type of maintenance, the system operator can perform maintenance actions for defective components only, thus increasing the lifetime of the overall system (Ahmad and Kamaruddin, 2012).


Maintenance of a complex technical system has a major impact on the system’s dependability, safety, Life Cycle Cost (LCC), and security. Dependability of a system (Figure 2.2) implies availability performance and its inherent factors: reliability performance, maintainability performance and maintenance support performance (IEV, 2015).

Figure 2.2 Elements of dependability (IEV, 2015)

For a system to remain available, it must operate in good condition and deliver required services. The utilisation phase of a system’s life cycle begins when the system is accepted for use and starts to deliver its services to users (ISO 12207, 2008). Utilisation consists of alternating periods of correct service delivery, service outage, and service shutdown (Avizienis et al., 2004). A service outage is caused by a service failure, while a service shutdown is an intentional halt of service by an authorised entity. Maintenance actions may take place during all three periods of the utilisation phase. During this utilisation phase, the system interacts with its environment, including the physical world, administrators, users, providers, infrastructure, and adversaries (Avizienis et al., 2004). Adversaries are malicious entities who try to alter or halt services. Therefore, a system requires continuous maintenance to achieve a high level of availability.

The use of Information and Communication Technology (ICT) in maintenance to develop artefacts (e.g. frameworks, tools, methodologies, and technologies) supports maintenance decision-making (Karim et al., 2016). As ICTs become increasingly pervasive, eMaintenance solutions for advanced maintenance applications are becoming more common. The term eMaintenance is defined at two levels of abstraction: first, “eMaintenance is maintenance managed and performed via computing”; second, “eMaintenance is a multidisciplinary domain based on maintenance and ICT ensuring that the eMaintenance services are aligned with the needs and business objectives of both customers and suppliers during the whole product lifecycle” (Kajko-Mattsson et al., 2011).

eMaintenance is also viewed as a predictive maintenance system that provides monitoring and predictive prognostic functions (Koc and Lee, 2001; Parida and Kumar, 2004). An additional view of eMaintenance is the integration of ICT technologies in maintenance policies to deal with new expectations of innovative solutions for e-manufacturing and e-business (Muller et al., 2008). With the adoption of ICT technologies, the number of networked devices is rapidly increasing (Radenkovic and Kocovic, 2020). These devices provide opportunities for adversaries to steal, corrupt, delete, or modify data. Cyberattacks on eMaintenance solutions may have an impact on the underlying data, which, in turn, will influence the data-driven models and affect the maintenance decision-making process. Campos et al. (2016) have discussed the cybersecurity challenges of protecting the data required for the development of advanced maintenance.

Open System Architecture for Condition-Based Maintenance

Condition Based Maintenance (CBM) is tightly linked to the notion of proactivity which is followed in this study. OSA-CBM, or the Open System Architecture for Condition-Based Maintenance, was developed in accordance with the specifications of ISO-13374 on condition monitoring and diagnostics of machinery (ISO-13374, 2003). OSA-CBM is considered one of the most important standards of eMaintenance systems (Holmberg et al., 2010). OSA-CBM provides a prototype framework for CBM implementation; the goal in its development was to create a framework and data exchange conventions that would enable the interoperability of CBM components (Swearingen et al., 2007). OSA-CBM has seven layers: Data Acquisition, Data Manipulation, State Detection, Health Assessment, Prognostics, Advisory Generation, and Presentation (Figure 2.3). A brief description of each layer is given in the following text.

Figure 2.3 OSA-CBM Layers

• Data Acquisition: This layer provides the CBM system with digitized sensor or transducer data.

• Data Manipulation: This layer corresponds to the data preparation stage in a normal data mining process. Techniques such as data cleansing, feature selection, feature extraction, and standardization can be applied to process the raw data for analysis.


• State Detection: This layer focuses on comparing data with expected values or control limits; an alert is triggered if these limits are exceeded.

• Health Assessment: The focus of this layer is to prescribe if the health in the monitored system has degraded. This should be able to generate diagnostic records and propose fault possibilities.

• Prognostics: The focus of this layer is to calculate the future health of an asset and report the remaining useful life (RUL) of that asset.

• Advisory Generation: Its focus is to generate recommended actions and alternatives based on the predictions of the future states of the asset.

• Presentation: This layer provides an interactive human-machine interface (HMI) to visualize pertinent data, information and results obtained in previous steps.
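The seven OSA-CBM layers as one runnable pipeline over constructed bearing-temperature readings, added here as an illustration (not thesis or OSA-CBM reference code). The control limit, failure limit and the linear-extrapolation RUL rule are assumptions; the second input set shows how manipulated readings, the integrity risk discussed above, change the advisory.

```python
"""Minimal OSA-CBM style pipeline: each layer is one function. Added example;
the readings, thresholds and RUL rule are constructed assumptions."""

# Constructed sample: hourly axle-bearing temperatures (deg C) from one sensor.
# None marks a missing reading that Data Manipulation must handle.
RAW_READINGS = [61.0, 62.5, None, 63.9, 65.2, 66.8, 68.1, 69.7, 71.0, 72.4]
# Constructed tampered variant: the rising tail replaced by flat values.
TAMPERED_READINGS = [61.0, 62.5, None, 63.9, 63.5, 63.8, 64.0, 63.7, 64.1, 63.9]

CONTROL_LIMIT = 70.0   # assumed alarm threshold used by State Detection
FAILURE_LIMIT = 85.0   # assumed temperature at which the bearing is unfit


def data_acquisition(samples):
    """Layer 1: digitised sensor data exactly as delivered, nothing validated."""
    return list(samples)


def data_manipulation(samples):
    """Layer 2: data cleansing, here simply dropping missing readings."""
    return [s for s in samples if s is not None]


def state_detection(samples, limit=CONTROL_LIMIT):
    """Layer 3: compare each value with the control limit; return alert indices."""
    return [i for i, s in enumerate(samples) if s > limit]


def health_assessment(samples, alerts):
    """Layer 4: degraded if any alert fired or the window shows a clear upward trend."""
    if len(samples) < 2:
        return {"degraded": bool(alerts), "trend_per_sample": 0.0}
    trend = samples[-1] - samples[0]
    degraded = bool(alerts) or trend > 5.0          # 5 deg C over the window (assumed)
    return {"degraded": degraded, "trend_per_sample": trend / (len(samples) - 1)}


def prognostics(samples, health, failure=FAILURE_LIMIT):
    """Layer 5: remaining useful life (in samples) by linear extrapolation."""
    slope = health["trend_per_sample"]
    if slope <= 0:
        return None                                  # no degradation trend, no finite RUL
    return (failure - samples[-1]) / slope


def advisory_generation(health, rul):
    """Layer 6: recommended action derived from health state and RUL."""
    if not health["degraded"]:
        return "continue operation"
    if rul is not None and rul < 24:
        return "schedule bearing inspection before next service"
    return "increase monitoring frequency"


def presentation(samples, alerts, health, rul, advice):
    """Layer 7: one-line summary for the HMI."""
    rul_text = "n/a" if rul is None else f"{rul:.1f}"
    return (f"n={len(samples)} alerts={alerts} degraded={health['degraded']} "
            f"RUL={rul_text} samples -> {advice}")


def run_pipeline(raw):
    """Run the layers in OSA-CBM order and return every intermediate result."""
    clean = data_manipulation(data_acquisition(raw))
    alerts = state_detection(clean)
    health = health_assessment(clean, alerts)
    rul = prognostics(clean, health)
    advice = advisory_generation(health, rul)
    return {"alerts": alerts, "health": health, "rul": rul, "advice": advice,
            "summary": presentation(clean, alerts, health, rul, advice)}


if __name__ == "__main__":
    print("genuine :", run_pipeline(RAW_READINGS)["summary"])
    print("tampered:", run_pipeline(TAMPERED_READINGS)["summary"])
```

With the genuine readings the advisory is an inspection; with the tampered set the same pipeline reports "continue operation", which is the erroneous-decision impact the text describes.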

Information Assurance

With digitalisation, the concept of Information Assurance (IA), a concept that also deals with aspects of cybersecurity, is receiving significant attention. Information Assurance defines and applies a collection of policies, standards, methodologies, services, and mechanisms to maintain mission integrity with respect to people, process, technology, information, and supporting infrastructure (Willett, 2008). The overall goal of IA is to ensure the availability of the system. Dependability includes availability, reliability, maintainability, and maintenance supportability (IEV, 2015). In some cases, dependability includes other characteristics, such as recoverability, durability, safety, and security (IEV, 2015). Sommerville (2006) lists four main dimensions of dependability: availability, reliability, safety, and security. Security needs to be considered to improve the availability of the system. One of the IA core principles, Confidentiality-Integrity-Availability (CIA), provides a fundamental risk-management objective. When authorised actions are involved with CIA, a security attribute is formed (Avizienis et al., 2004).

Security is an inherent component of system dependability and must be continuously improved if eMaintenance tools are to achieve the high levels of availability required of them. Figure 2.4 shows the relationship between dependability and security elements.

Figure 2.4 Dependability and security attributes, adapted from (Avizienis et al., 2004; IEV, 2015)


Cyberattacks

A cyberattack is an attempt to destroy, expose, alter, disable, steal, gain unauthorized access to, or make unauthorized use of an asset (ISO/IEC 27000, 2009). Top threats include malware, account hijacking, unknown, vulnerability, unauthorized access, targeted attack, and so on (Figure 2.5). The North Atlantic Treaty Organisation (NATO) ranks phishing, malware, and Distributed Denial of Service (DDoS) among its greatest concerns (NATO, 2019). A DDoS attack disrupts a server's traffic by overloading it with Internet traffic to make it unavailable to users who need to exchange information.

Figure 2.5 Top 10 cyberattacks of Year 2019 (McAfee, 2019)

A cybersecurity statistics report from IBM X-Force confirms that the most commonly impacted sectors worldwide are finance (17%), retail (16%), transportation (10%), media (10%), professional services (10%), government (8%), education (8%), manufacturing (8%), energy (6%), and healthcare (3%) (IBM, 2020). Table 2.1 shows the top 10 targeted industries ranked by attack volume; transportation is among the top three.

Table 2.1: A comparative chart of the top 10 targeted industries ranked by attack volume, 2019 vs. 2018 (IBM, 2020)

Sector                  2019 rank   2018 rank
Financial Services      1           1
Retail                  2           4
Transportation          3           2
Media                   4           6
Professional Services   5           3
Government              6           7
Education               7           9
Manufacturing           8           5
Energy                  9           10
Healthcare              10          8

Figure 2.5 data (share of incidents, McAfee, 2019): Malware 35%, Account Hijacking 21%, Unknown 15%, Vulnerability 7%, Unauthorized Access 7%, Targeted attack 5%, Code Injection 3%, Denial of service 3%, Defacement 2%, Theft 2%.


Cyberattacks are increasing because adversaries are adopting new techniques and strategies to circumvent new security measures and evade detection. Advanced Persistent Threats (APTs) are increasing day-by-day. NIST (Force, 2013) defines APT as:

“An attacker that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the Information and Communication Technology (ICT) infrastructure of the targeted organisations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organisation; or positioning itself to carry out these objectives in the future”. Hence, it is important to understand cyberattack characteristics and source to protect system assets (Jouini et al., 2014).

Cyberattack Sources, Actions, Goals, and Impacts

This research thesis conducted a literature review of various sources of cyberattacks along with their actions, goals, and impacts (e.g., Zhu et al., 2011; Jouini et al., 2014; Abomhara, 2015).

• Cyberattack Sources are the origin of cyberattacks. The system can face internal or external cyberattacks from these sources. Internal cyberattacks are from people working within the organisation with authorized access to the network, including employees and business partners. External cyberattacks are from people working outside the organisation without authorized access to the network. External incidents occur through wired or wireless networks and physical intrusion.

• Actors are responsible for the cause of the attack, and these are humans, technology, and natural disasters. Human actors such as internal (insiders) or external (hackers) can cause harm to the systems and gain physical access to restricted areas such as buildings, cabins, rooms, or any other area to steal or damage hardware and software. Technology includes the failure of hardware, software, and information systems (Cebula and Young, 2010). Natural disasters include earthquakes, hurricanes, wind, floods, tsunamis, fires, lightning, animals, and wildlife which can cause severe damage to system’s assets. Certain environmental conditions, e.g., temperature, moisture, cosmic radiation, etc., can also present threats to system’s assets (Montanari and Querzoni, 2014).

• Actions include intentions of the actors which can be malicious or non-malicious. Malicious intentions consist of internal or external attacks caused by employees or non-employees to steal or modify information of an organisation using malicious code. If the authentication mechanism is not properly implemented, a malicious intruder can act as a genuine user and monitor the network traffic. A malicious user can send fake routing packets, and gain access to sensitive information of the organisation. Non-malicious intentions occur when inadequate security policies allow vulnerabilities and errors. They are caused unintentionally by employees who are not seeking to harm the system.


• Security goals are the core principles or security elements which provide fundamental objectives for managing risks. The operational goals of Information and Communications Technology (ICT) security are Confidentiality, Integrity, and Availability (CIA) and the operational goals of Operational Technology (OT) security are Safety, Reliability, and Availability (SRA) (Force CIT, 2013). According to IBM X-Force (2020), there was a 2000 percent increase in OT attacks in 2019 compared to 2018, and these attacks are expected to increase in the coming years.

• Impacts are the outcomes of the violation of security goals. Any compromise to the security goals can have the following impacts on the system.

(i) Loss of public confidence: This is the loss of public confidence in the government’s ability to protect critical infrastructures and data or to prevent a cyberattack (Gross et al., 2017).

(ii) Public embarrassment: This is associated with a high level of discomfort when an organisation is attacked and its Personally Identifying Information (PII) is made public (Shakarian et al., 2015).

(iii) Legal action against the organisation or litigation: This is the process of taking legal action against the organisation responsible for the leakage of sensitive information (Cebula et al., 2014).

(iv) Data inaccuracy: Data inaccuracy is caused by a compromise in security element integrity. Almost all losses of customer information are caused by an integrity breach (EY, 2014).

(v) Erroneous decisions: Once the adversary launches a data integrity attack and modifies parameters related to decision-making processes, erroneous decisions will be made, and the welfare of participants in the system will be reduced (Zhang et al., 2016).

(vi) Loss of reliability, safety, and continuity: This happens when SRA security goals are compromised (D’Amico, 2000; Sridhar et al., 2012; Wood and Stankovic, 2002; Montanari and Querzoni, 2014).

Cybersecurity Maturity Models

Complex technical systems are adopting Information and Communications Technology (ICT) technologies, which makes them vulnerable to cyber threats. To check the level of maturity of their existing cybersecurity practices, their cybersecurity maturity needs to be estimated using a maturity model. A maturity model provides a benchmark against which an organisation can assess the current level of maturity of its cybersecurity practices, processes, and procedures (C2M2, 2014). Various cybersecurity maturity models were studied for this research (e.g., C2M2 V1.1, 2014; ES-C2M2, 2014; ONG-C2M2, 2014; ISO/IEC 27001, 2013; ISACA, 2012). The models were compared, and one was selected as the best fit for this research.


2.7.1. Selection of a Cybersecurity Capability Maturity Model

The observations from a systematic review conducted from 2012 to 2018 indicated that the most relevant cybersecurity models for the complex technical system are:

• Cybersecurity Capability Maturity Model (C2M2),

• Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2),

• Electricity Subsector Cybersecurity Capability Maturity Model (EC-C2M2),

• Systems Security Engineering Capability Maturity Model (SSE-CMM),

• Community Cyber Security Maturity Model (CCSMM), and

• National Initiative for Cybersecurity Education Capability Maturity Model (NICE).

Few maturity models focus on cybersecurity (Rea-Guaman et al., 2017). The models which follow the NIST (2018) framework are:

• EC-C2M2,

• ONG-C2M2,

• CCSMM, and

• C2M2.

EC-C2M2 and ONG-C2M2 are tailored for the electricity and oil and natural gas sectors, respectively. CCSMM is focused on a specific area of an organisation, while C2M2 is focused on the entire organisation. C2M2 defines roles and responsibilities, but CCSMM does not. C2M2 is NIST framework compatible, cybersecurity oriented, and simple, i.e., in the form of a questionnaire. Therefore, the C2M2 model was selected to evaluate the cybersecurity capabilities of railway systems. The review also revealed that little work has explored railway cybersecurity maturity. In addition, C2M2 is an easy-to-use model for an organisation to evaluate its cybersecurity maturity level.

2.7.2. Capabilities of the C2M2 Model

Based on the cybersecurity maturity models’ evaluation, the C2M2 model was selected to evaluate the cybersecurity capabilities of railway organizations. The capabilities of this model are:

• Cybersecurity oriented

• Built on existing efforts, models, frameworks, and cybersecurity best practices

• NIST framework compatible

• Focused on the entire organisation

• Successfully applied in the electricity sector, the oil and gas sector and building control systems

• Research instrument is based on an interview-based question-and-answer process

The C2M2 model is organised into ten domains:

1. Risk Management (RM),

2. Asset Change and Configuration Management (ACM),

3. Identity and Access Management (IAM),

4. Threat and Vulnerability Management (TVM),

5. Situational Awareness (SA),

6. Information Sharing and Communications (ISC),

7. Event and Incident Response, Continuity of Operations (IR),

8. Supply Chain and External Dependencies Management (EDM),

9. Workforce Management (WM), and

10. Cybersecurity Program Management (CPM).

Each domain includes a grouping of cybersecurity practices structured into various objectives, which represent achievements within the domain. The C2M2 model defines four Maturity Indicator Levels (MILs), 0–3, which are applied independently to each domain. This means that an organisation using the C2M2 model may have different MIL scores for different domains. MILs are “designed to discuss an organisation’s operational capabilities and management of cybersecurity risk during both normal operations and times of crises" (C2M2, 2014).

It has been observed that some organisations are one step behind because they patch their systems or configure their cyber protection methods against known attacks and breaches. To be one step ahead, this thesis introduces a new Maturity Indicator Level, MIL4 in the C2M2 model, so organisations will have proactive measures to tackle future threats. MIL4 includes initial practices of predictive security analytics and threat intelligence. The description of each level is given in Figure 2.6.

Figure 2.6 Description of maturity indicator levels (C2M2, 2014) with new proposed MIL4.

MIL0 Not Performed

• MIL1 has not been achieved in the domain

MIL1 Initiated

• Initial practices are performed, but may be ad hoc

MIL2 Performed

• Practices are documented

• Stakeholders are involved

• Resources are provided

• Standards are used to guide practice implementation

• Practices are more complete or advanced than at MIL1

MIL3 Managed

• Domain activities are guided by policy

• Activities are periodically reviewed for conformance to policy

• Responsibility and authority for practices are clearly assigned

• Practices are more complete or advanced than at MIL2

MIL4 (Proposed)

• Initial practices of security analytics and threat intelligence are performed, but may be ad hoc

• Practices are more complete or advanced than at MIL3


The MIL4 practices are more advanced than MIL3 practices. MILs are cumulative within each domain; to earn a MIL1, 2, 3, or 4 in a given domain, an organisation must complete all practices in that level and its predecessor level(s) (C2M2, 2014). A rating of MIL0 means that MIL1 in a given domain has not been reached. To begin to manage cybersecurity, organisations must focus on implementing all the MIL1, MIL2, and MIL3 practices.
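The cumulative MIL rule, including the proposed MIL4, as an added scoring example (not C2M2 or thesis code). The practice identifiers and the two-domain catalogue are constructed placeholders; the real model has ten domains and many more practices.

```python
"""Per-domain Maturity Indicator Level scoring in the cumulative C2M2 style,
extended with the proposed MIL4. Added example; practice names are constructed."""

LEVELS = (1, 2, 3, 4)   # MIL1..MIL4; MIL0 means MIL1 has not been achieved

# Constructed catalogue: domain -> level -> practices required at that level.
PRACTICES = {
    "RM": {1: ["RM-1a", "RM-1b"],
           2: ["RM-2a", "RM-2b"],
           3: ["RM-3a"],
           4: ["RM-4a predictive security analytics", "RM-4b threat intelligence"]},
    "SA": {1: ["SA-1a"],
           2: ["SA-2a", "SA-2b"],
           3: ["SA-3a", "SA-3b"],
           4: ["SA-4a predictive security analytics"]},
}


def domain_mil(domain, completed):
    """Highest MIL for which every practice at that level and all lower levels
    is complete. A single missing MIL1 practice therefore yields MIL0, and
    MIL4 practices do not count until MIL1..MIL3 are all complete."""
    achieved = 0
    for level in LEVELS:
        if all(p in completed for p in PRACTICES[domain][level]):
            achieved = level
        else:
            break                       # a gap here blocks every higher level
    return achieved


def score(completed_by_domain):
    """MIL per domain; domains are scored independently of each other."""
    return {d: domain_mil(d, completed_by_domain.get(d, set())) for d in PRACTICES}


def gaps_to_next_level(domain, completed):
    """Practices still missing for the next MIL in the domain (roadmap input)."""
    current = domain_mil(domain, completed)
    if current == LEVELS[-1]:
        return []
    return [p for p in PRACTICES[domain][current + 1] if p not in completed]


if __name__ == "__main__":
    # Constructed self-assessment: RM complete through MIL3, SA missing its
    # only MIL1 practice despite having done MIL2, MIL3 and a MIL4 practice.
    assessment = {
        "RM": {"RM-1a", "RM-1b", "RM-2a", "RM-2b", "RM-3a"},
        "SA": {"SA-2a", "SA-2b", "SA-3a", "SA-3b", "SA-4a predictive security analytics"},
    }
    for domain, mil in score(assessment).items():
        print(domain, "MIL", mil, "next:", gaps_to_next_level(domain, assessment[domain]))
```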

Cybersecurity Awareness Risk

The Information Security Awareness Capability Model, which links ISO/IEC 27002 security controls with awareness importance, capability, and risk, is an important model for measuring cybersecurity awareness risk (Poepjes, 2015). The awareness risk is calculated as:

AR = AI − AC

where AI = Awareness Importance, AC = Awareness Capability and AR = Awareness Risk.

Awareness importance is the desired behaviour, awareness capability is the observed behaviour, and the gap between them is the awareness risk (Poepjes, 2015). The scores for the awareness importance were provided by industry professional groups (Poepjes, 2015). The instrument used to measure the risk awareness was based on the top 10 (of 39) information security awareness importance controls for the end-user stakeholder group (Poepjes, 2015).

Organizations that adopt ISO/IEC 27002 assess information risks and apply suitable security controls using the standard for guidance.

Unified Extended Cyber Kill Chain and ICS Cyber Kill Chain

The railway is converging Information and Communication Technology (ICT) with Operational Technology (OT), so adversaries can compromise and gain control of a digital asset in the OT environment through the IT environment. For example, a data historian can be accessed within the OT environment (MITRE, 2020). Cyberattacks need to be detected in both environments. The Cyber Kill Chain (CKC) model is one of the most widely used models to detect cyberattacks in an ICT environment (Martin, 2009). The CKC model is focused on malware-based intrusions and APTs and can be applied in complex technical systems. It has been expanded and improved for use in Industrial Control Systems (ICS) (Assante and Lee, 2015) and in the detection of internal threats (Zhou et al., 2018). A combination of both types of kill chains can be applied in the railway as a unified extended cyber kill chain and an ICS cyber kill chain (Figure 2.7).

2.9.1. External cyber kill chain model

An initial CKC model was developed by Lockheed Martin (Martin, 2009; Cloppert, 2009). The seven stages of this model are:


• Reconnaissance: One of the most difficult stages to detect from a security monitoring perspective is the planning stage of the cyberattack. The adversary searches and gathers information about the target through social sites, conferences, blogs, mailing lists, and other network tracing tools. The collected information is useful in the later stages to deliver the payload (the actual intended message that performs the malicious action) to the target system.

Figure 2.7 Unified extended cyber kill chain and ICS cyber kill chain.

• Weaponize: The second stage of the model is the operation preparation stage. The weaponize stage involves coupling a Remote Access Trojan (RAT) with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer) (Hutchins et al., 2011). Detailed information on RATs and exploits is given by Yadav and Rao (2015). Commonly used cyber-weapons are botnets, Distributed Denial of Service (DDoS), and malware. The cyberattack operation is based on the accuracy and amount of reconnaissance performed by the adversary during the first stage. Therefore, it is important to limit the exposure of publicly available information on the organisational profile.

• Delivery: The third stage of the model is the operation launch stage where an organisation can implement technology as a mitigating control (Velazquez, 2015). At this stage, the weapon is transmitted to the targeted environment. The three most frequently used delivery vectors for weaponized payloads by advanced persistent threat actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for 2004-2010, were email attachments, websites, and USB removable media (Hutchins et al., 2011). One of the first technologies that can be implemented at this stage is a Network Intrusion Detection System (NIDS).

• Exploitation: At this stage, the exploit is triggered to silently install/execute the delivered payload. The most common exploits target operating system, network, and application/software level vulnerabilities (Yadav and Rao, 2015). One of the most popular viruses, WannaCry, uses operating system exploits. One of the best mitigation technologies to increase the difficulty of the exploitation phase is patching. Therefore, security patches should be installed on all systems.

• Installation: This stage involves the installation of a backdoor RAT that stays persistent inside the targeted environment. Techniques used by malware authors for installation include anti-debugger, anti-antivirus, rootkit and bootkit installation, targeted delivery, and host-based encrypted data exfiltration (Yadav and Rao, 2015).

• Command & Control (C2): After the successful installation of the backdoor, the adversary tries to open a two-way communication channel to control the targeted environment remotely. Once the C2 channel is established, the adversary has “hands on the keyboard” access inside the targeted environment. The techniques used by malware authors to send and receive data to and from a victim machine have been discussed in the literature (e.g., Yadav and Rao, 2015).

• Act on Objective: This is the last stage of the model. In this stage, the adversary achieves the desired attack goals. These goals can be loss of confidentiality, integrity, or availability of the assets. According to Velazquez (2015), an APT threat actor may live in an organisation for years until detected.

2.9.2. Internal cyber kill chain

The internal cyber kill chain is part of the extended cyber kill chain and has almost the same steps as the external kill chain (Zhou et al., 2018). The internal cyber kill chain follows a series of steps to gain access to the Industrial Control System (ICS), go from workstations to servers using privilege escalation, move laterally within the network, and manipulate individual targeted machines (Zhou et al., 2018) (Figure 2.7). The stages of the internal cyber kill chain are the following.

• Internal Reconnaissance: This is the stage where the adversary has access to the individual user’s workstation and can discover information on its vulnerabilities.

• Internal Exploitation: This is the stage where the adversary exploits information and vulnerabilities within the internal network.

• Privilege Escalation: This is the stage where the adversary leverages the compromised accounts to gain a high level of privilege to modify security settings and configuration files and try to steal credentials (Zhou et al., 2018).

• Lateral Movement: This is the stage where the adversary moves from system to system to gain access to the restricted area of the compromised system to get critical data and sensitive information.

• Target Manipulation: This is the stage where the adversary attacks specific objectives (Zhou et al., 2018).


2.9.3. ICS cyber kill chain

After gaining knowledge from the corporate network (external cyber kill chain) and the ICS system (internal kill chain), the adversary starts developing a specific attack tool for the ICS system and validates it for reliable impact. After successful testing, the adversary delivers the tool, installs it, and executes the attack (Assante and Lee, 2015) (Figure 2.7). The following are the stages of the ICS cyber kill chain.

• Develop: This is the stage where the adversary begins with an attack tool based on ICS-specific vulnerability information (Assante and Lee, 2015; Zhou et al., 2018).

• Test: This is the stage where the adversary validates a specific attack tool for reliable impact.

• Deliver: This is the stage where the adversary delivers the attack tool to the ICS system.

• Install: This is the stage where the adversary installs the attack tool, such as malware or a Trojan, into the target ICS system.

• Execute: This is the stage where the adversary launches an attack on a specific production process to damage the physical equipment (Assante and Lee, 2015; Zhou et al., 2018).

Multistage Cyberattack in Railway SCADA System

Consider an example of how a cyberattack will propagate from an external network to an internal network and then to the Industrial Control System (ICS) system (in this case, the railway Supervisory Control and Data Acquisition (SCADA) system) (Figure 2.8).

Suppose an adversary searches and gathers information on the targeted railway system and then prepares a weapon (in the form of malware) to be delivered to this target system. After its successful delivery, it exploits the vulnerability within the system and installs it. The adversary then tries to open a two-way communication channel to control the targeted environment remotely. Once the C2 channel is established, the adversary has “hands on the keyboard” access inside the railway environment.

If the adversary’s goal is to reach the Information and Communication Technology (ICT) zone only, his/her actions can compromise the confidentiality, integrity, or availability (CIA) of an asset. But in the worst case, if the goal is to reach the Operational Technology (OT) zone, the actions can compromise the safety, reliability, or availability (SRA) of an asset within the railway, leading to limited or suspended operations, or even train accidents. Once the adversary moves inside the railway SCADA network, the adversary will start internal reconnaissance, including directory queries and network connectivity checks, to search for available systems and map the internal network and its vulnerabilities (e.g., scanning OT to find HMIs). Then, the adversary exploits the vulnerabilities in internal systems.

After successful exploitation, the adversary leverages compromised accounts and trust relationships to gain a high level of privilege (e.g., accounts added to the data historian). The adversary enters through the compromised system into restricted network zones (e.g., HMI login attempts). To manipulate the SCADA system, for example, the adversary gains access to that system via new vulnerabilities. The adversary develops and tests a new platform-specific weapon (malware) to subvert the SCADA system and then deploys that malware in the SCADA system within the railway. Finally, the adversary executes a malicious command (e.g., a configuration change in a Programmable Logic Controller (PLC) or Remote Terminal Unit (RTU)) to damage the physical equipment. This compromises the safety of the SCADA system and can lead to severe damage such as train accidents and the halting of railway operation and maintenance.

Figure 2.8 Multistage Cyberattack in Railway SCADA System.
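The defensive counterpart of the scenario above is to recognise that the individual actions (directory queries, network scans, HMI login attempts, a historian account being added, a PLC configuration write) are each unremarkable on their own and become significant only when one source progresses through several of them in a short time. The following stage correlator is an added example written for this thesis section, not code from the thesis or any railway project; the log format, host names, event types, stage labels and the one-hour window are assumptions made for the illustration, and the sample log is constructed.

```python
"""Kill-chain stage correlation over host logs.

Added illustration for the multistage SCADA intrusion described above; it is
not code from the thesis. The log format, host names, event types and the
one-hour window are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source host> <event type> <detail>".
# ws-ict-07 walks through recon, HMI logins, a historian account and a PLC
# write; ws-maint-02 is ordinary operator activity.
SAMPLE_LOG = """\
2020-03-01T08:00:05 ws-ict-07 ldap_query filter=(objectClass=computer)
2020-03-01T08:00:09 ws-ict-07 net_scan dst=10.20.0.0/24 ports=102,502
2020-03-01T08:03:41 ws-ict-07 login_fail target=hmi-01 user=operator
2020-03-01T08:03:44 ws-ict-07 login_fail target=hmi-01 user=admin
2020-03-01T08:03:49 ws-ict-07 login_ok target=hmi-01 user=admin
2020-03-01T08:10:02 ws-ict-07 historian_user_add target=hist-01 user=svc_backup
2020-03-01T08:20:30 ws-ict-07 plc_config_write target=plc-03 block=DB12
2020-03-01T09:15:00 ws-maint-02 login_ok target=hmi-02 user=operator
"""

# Event types mapped to the stages the text describes: internal
# reconnaissance, entry into a restricted zone, privilege gain, OT execution.
STAGE_OF_EVENT = {
    "ldap_query": "internal_recon",
    "net_scan": "internal_recon",
    "login_fail": "zone_entry",
    "login_ok": "zone_entry",
    "historian_user_add": "privilege_gain",
    "plc_config_write": "ot_execution",
}
STAGE_ORDER = ["internal_recon", "zone_entry", "privilege_gain", "ot_execution"]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")


def parse_events(text):
    """Parse log lines into (time, host, event_type, detail); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, etype, detail = m.groups()
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    return events


def correlate(events, window=timedelta(hours=1), min_stages=3):
    """Return {host: [stages reached, in kill-chain order]} for every host whose
    events span at least `min_stages` distinct stages inside `window`.

    A single stage in isolation (one failed HMI login) is routine noise; the
    signal is progression through stages from one source in a short time."""
    per_host = defaultdict(list)
    for ts, host, etype, _ in events:
        stage = STAGE_OF_EVENT.get(etype)
        if stage is not None:
            per_host[host].append((ts, stage))

    alerts = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):          # each event anchors a window
            stages = {s for t, s in items[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = [s for s in STAGE_ORDER if s in stages]
                break
    return alerts


if __name__ == "__main__":
    for host, chain in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {' -> '.join(chain)}")
```

The correlator keys on the source host rather than on the target, because the text describes one compromised system being used as the springboard into successive zones; in a real deployment the event-to-stage mapping would be fed by the log sources of Figure 4.3.1 and the thresholds tuned against normal maintenance traffic.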

Interdependencies within Infrastructures: Cyber Threat Scenario Example

The railway system is interdependent and interconnected with other infrastructure, so a failure in any other system will affect it. A cyberattack on one infrastructure is likely to cause a domino effect, in which infrastructures are damaged one after another (Menashri and Baram, 2015). For example, any type of cyberattack on the power supply or the ICT network could lead to power outages, compromise safety, affect operations and maintenance, and damage infrastructure. Figure 2.9 shows a cyber threat scenario where an adversary breaks into the ICT infrastructure and issues remote commands to start all connected loads.

Figure 2.9 Cyber threat scenario example.

This may lead to a sudden increase in the power demand. Because operators will be completely blinded during this cyberattack, they cannot intervene to start additional back-up generators. The disturbance propagates, making voltages drop below normal operating limits and leading to the immediate stoppage of several trains (Soupionis and Benoist, 2015).


CHAPTER 3. RESEARCH METHODOLOGY

This chapter describes the research design process followed in this thesis. The selection of the models is influenced by the theory given in Chapter 2.

3.1. Research Approach

Research is the art of scientific investigation to search for knowledge. Redman and Mory (1923) defined research as a “systematized effort to gain new knowledge”. Another way to define research is a scientific and systematic search for solutions to a specific problem (Kothari, 2011).

Research approaches can be broadly divided into three categories: qualitative research, quantitative research, and mixed research. Quantitative research is based on the measurement of quantity or amount; qualitative research is based on non-numerical data; mixed methods fall somewhere between the other two. A detailed explanation of these approaches appears in Creswell (2017). In addition, qualitative research often employs inductive reasoning, moving from specific observations to broader generalisations and theories, while quantitative research employs deductive reasoning, beginning with the general and ending with the specific. Arguments based on experience or observation are best expressed inductively, while arguments based on laws, rules, or other widely accepted principles are best expressed deductively (Soiferman, 2010).

This thesis uses both qualitative and quantitative research methods. The qualitative research is used to explore various cybersecurity issues and challenges, estimate cybersecurity maturity levels, and formulate a cybersecurity framework. The quantitative research is based on the simulation approach defined by Kothari (2011) and is used to assess the developed framework. In addition, this research has its origins in an industrial interest that represents a reality-based domain for which theories can be developed. The developed theories are verified by a deeper understanding of the studied domain through a review of the literature. Thus, this research follows both inductive and deductive approaches (i.e., an abductive approach).

Research can also be categorized as either applied (or action) research or fundamental (basic or pure) research. Applied research aims at solving a practical problem, whereas fundamental research is concerned with the formulation of a theory for future use (Kothari 2011).

The problems defined by this research are based on the needs and requirements of the railway. The research questions are based on the problems and on the findings from the literature review. The research objective is derived from the research questions and then verified. The cybersecurity maturity level of several railway organisations is estimated and used to provide recommendations and an action plan to attain higher maturity levels. Next, a holistic cybersecurity framework is developed. Since the research aims to solve a practical problem related to cybersecurity in an industry, the work is considered applied research.


3.2. Research Purpose

The purpose of research is to find answers to questions by applying scientific procedures (Kothari 2011). Depending on its purpose, research can be classified as exploratory, descriptive, or explanatory research.

• Exploratory Research: Exploratory research is an initial study undertaken to explore a new phenomenon or topic. It is particularly useful in identifying a problem and laying the groundwork for future studies. Qualitative methods such as a literature review, interviews, etc. are often used in this type of research.

• Descriptive Research: Descriptive research helps to find answers to the questions of who, what, where, when, and how that are associated with the research problem. The purpose of this type of research is to answer the research questions more clearly. It can use quantitative, mixed, and qualitative research methods such as surveys, case studies, observational methods, etc.

• Explanatory Research: Explanatory research, also called causal research, is conducted using quantitative research methods such as statistical techniques, especially hypothesis testing, to identify cause-and-effect relationships. It addresses the question why.

The research methodology selected for this thesis is a combination of exploratory and descriptive approaches. In the initial stage, an exploratory research approach was used to identify existing frameworks and models for cybersecurity, to determine the existing cybersecurity issues and challenges, and to obtain new insights into the research field. First, the knowledge gained from the exploratory research was used to identify the research gaps and to formulate RQ1, RQ2 and RQ3. The exploratory research also provided the knowledge required to select and develop a pilot case study and to identify the data required. Second, a descriptive approach was used to collect data and to select various technologies, models, and standards. A descriptive approach was also used to determine how to estimate the cybersecurity maturity model, how to enable proactive cybersecurity, and how to develop a cybersecurity framework for railways.

Table 3.1 Research approaches used

| Research Approach | Paper I | Paper II | Paper III | Paper IV |
|---|---|---|---|---|
| Quantitative (QTR) / Mixed (MR) / Qualitative (QLR) | QLR | QLR | QLR | MR |
| Exploratory (E) / Descriptive (D) / Explanatory or Causal (C) | E & D | E & D | E & D | E & D |


3.3. Research Strategy

Yin (2017) defines five main research strategies: experiment, survey, archival analysis, history, and case study (Table 3.2). The choice of a research strategy depends on three conditions (Yin, 2017): the type of research question; the control of behavioural events; and a focus on contemporary events.

Table 3.2 Research strategies (Yin, 2017)

| Research Strategy | Type of Research Question | Requires Control of Behavioural Events? | Focuses on Contemporary Events? |
|---|---|---|---|
| Experiment | How, Why | Yes | Yes |
| Survey | Who, What, Where, How many, How much | No | Yes |
| Archival Analysis | Who, What, Where, How many, How much | No | Yes/No |
| History | How, Why | No | No |
| Case Study | How, Why | No | Yes |

In this research, RQ2 and RQ3 focus on 'how'; the possible strategies for this research could therefore be experiment, history, or case study. However, the experiment strategy cannot be applied since it requires control of behavioural events. Furthermore, the focus of the studied domain, i.e. cybersecurity in railway, is on current and existing technologies, thus favouring contemporary events. Hence, according to the criteria given by Yin (2017), the most appropriate strategy to answer RQ2 and RQ3 is a case study (see Table 3.2).

RQ1 includes 'what' and is mainly explorative. According to Yin (2017), it is possible to use any strategy to answer this kind of explorative research question. Since a case study is an appropriate research strategy for RQ2 and RQ3, it may be helpful to apply the same strategy to RQ1. Applying the same research strategy to answer all three RQs helps to coordinate the performed work, saving both time and effort (Karim, 2008).

3.4. Data Collection and Data Analysis

Data collection is a process of gathering information from sources to answer a question (Kothari 2011). Data can be categorised as primary or secondary data (Kothari 2011). Primary data refer to those data collected by the researcher for the purpose of study (Kothari 2011). Secondary data refer to those data collected by someone else before being used by the researcher (Kothari 2011). This research uses a case study strategy, so primary data comprise the majority of data collected. These data were collected through interviews and questionnaires. The secondary data were collected from the literature, technical reports, and standards.

• Literature Study: The review includes literature on different theories and practices used for cybersecurity in railway operation and maintenance. The relevant literature from journals, conference proceedings, theses, technical reports, and standards provided information on ongoing cybersecurity activities in the railway, statistics on cyberattacks within the railway, and estimates from applied cybersecurity capability maturity models. The literature study was also used to select models to detect cyberattacks. In addition, it helped in the formulation of a holistic cybersecurity framework to enable proactive cybersecurity in railway.

• Interviews: The objective of the interviews was to consider the opinions of the personnel and experts involved in railway cybersecurity, to complement the literature review and data analysis. The outcomes of the literature review and the data analysis were the basis for the interviews. The main issues discussed in the interviews were practical ones, i.e., cybersecurity in railway operation and maintenance and the interpretation of the results of the data analysis. The interviewees were involved in ongoing railway projects and were experienced practitioners in the field of cybersecurity. They also provided valuable and applicable documents.

• Questionnaire: A questionnaire is a structured framework consisting of a set of questions and scales designed to generate primary data (Hair, 2007). The thesis used Google Forms (an online survey tool) to develop and administer an online survey. A questionnaire of 312 questions based on the Cybersecurity Capability Maturity Model (C2M2) was prepared and sent to the participating railway organisations. The scale designed to generate primary data on cybersecurity is: not implemented, partially implemented, largely implemented, and fully implemented. Experienced practitioners in the field of cybersecurity answered the questionnaire.

Information is extracted through data analysis. In this research, data were analysed to estimate the cybersecurity maturity levels of the participating railway organisations and to predict the cyberattack penetration probabilities at each stage of the cyber kill chain model.

The cybersecurity data were analysed by using the Railway-Cybersecurity Capability Maturity Model, modified from C2M2 (see Chapter 4 ‘Results’) to reveal the cybersecurity maturity levels of the railway organisations. The results were communicated to the corresponding senior and top managers so they could set goals and priorities for enhanced cybersecurity.

The thesis simulated cyberattacks to analyse and calculate penetration probabilities at each stage of the cyber kill chain model. It defined four cases, presented in Chapter 4, ‘Results’.

3.5. Research Validity and Reliability

Research validity and reliability mean the research can be audited (Karvinen and Bennett, 2006). Brinberg and McGrath (1985) say validity, “like integrity, character, or quality, [should] be assessed relative to purposes and circumstances”. Reliability is the consistency of results obtained in research; i.e., “it should be possible for another researcher to replicate the original research using the same subjects and the same research design under the same conditions” (Gill and Johnson, 2002). Yin (2017) explains four tests for validity and reliability when using case study tactics: construct validity, internal validity, external validity, and reliability.

Construct validity establishes correct operational measures for a concept (Yin, 2017). Internal validity is for explanatory or causal studies, where relationships between variables are studied. Internal validity is not applicable to descriptive or exploratory studies. External validity establishes the domain to which a study’s findings can be generalised (Yin, 2017).

In this research the construct validity was strengthened by the use of multiple sources (e.g. data collection through interviews and documents) and reviewed by key informants. The external validity of the railway case study was strengthened using theories, but also through four case studies within the different railway organisations. Furthermore, to increase the reliability, the obtained results were documented using available information sources, e.g., digital databases. However, some of the data in this research were not published because of sensitivity concerns, and this limits the accessibility and repeatability for other researchers.

3.6. Research Process

The research process involves a series of steps necessary to carry out research (Kothari 2011). The research process of this thesis is illustrated in Figure 3.1. Exploratory research was used to formulate the research problem and identify the research gaps. The relevant literature from journals, conference proceedings, theses, technical reports, standards, and open access sources was reviewed. Based on the literature study during the exploratory process, RQ1, RQ2, and RQ3 and their corresponding objectives were formulated.

Exploratory and descriptive research was used to answer RQ1, RQ2, and RQ3 (see Section 3.2). Various kinds of literature on cybersecurity in various sectors were explored. A case study was conducted on railway organisations to collect data and evaluate their cybersecurity maturity levels. To select models, various cybersecurity maturity models and cyber kill chain models were explored and those best suited for the study were selected. The selected models, technologies, and standards contributed to the formulation of the cybersecurity framework, the main contribution of this thesis.

During the research process, the results of the conducted activities were disseminated in scientific journal and conference papers. Results were also compiled and summarised in this research thesis.


Figure 3.1 Research design process


CHAPTER 4. RESULTS

This chapter describes the results of the research on the three RQs. The major results of the thesis are: I) identification of cybersecurity issues and challenges in railway operation and maintenance; II) evaluation of cybersecurity maturity level in railways; III) development of Railway Defender Kill Chain to defend against cyberattacks; IV) development of cybersecurity framework to predict, prevent, detect, and respond to cyberattacks.

4.1. Results Related to RQ1 

The first research question was: What are the cybersecurity issues & challenges and current level of cybersecurity maturity in railway organisations?

In order to answer RQ1, an extensive literature survey and case studies were conducted. The results from these studies are described in the following sub-sections.

4.1.1. Identification of Cybersecurity Issues and Challenges in Railway 

The thesis identifies various cybersecurity issues and challenges in railway operation and maintenance, including malware attacks, weak identity and access management systems, Distributed Denial of Service (DDoS) attacks, interconnected infrastructures, communication gaps, and so on (see Paper I). It analyses 20 cyberattacks; a description of each type of cyberattack is provided in Paper I. The data show that malware attacks, cyber espionage/data theft attacks, and DDoS attacks account for 30%, 20%, and 15% of the attacks respectively. The other attacks constitute the remaining 35%. Malware is the dominant cyberattack among the 20 cyberattacks studied.

4.1.2. Cybersecurity Maturity Indicator Levels in Railway

This thesis extends the Cybersecurity Capability Maturity Model (C2M2) into the Railway-Cybersecurity Capability Maturity Model (R-C2M2) by adding a new Maturity Indicator Level called MIL4 (see Paper II). It covers initial practices of predictive security analytics and threat intelligence. Practices at MIL4 are more complete or advanced than those at MIL3. To attain MIL4, all the practices at MIL1, MIL2, MIL3, and MIL4 must be completed.
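The cumulative rule just stated (a level is attained only when every practice at that level and all lower levels is complete) is what turns questionnaire answers into the per-domain MILs plotted in Figure 4.1.1, and it is also why a single gap at a low level can cap a domain at MIL0 regardless of advanced practices. The scorer below is an added example for this section, not the thesis's own scoring tool. The domain codes follow the C2M2 domains named in this chapter, but the practice identifiers, the sample answers, and the completion threshold (a practice counts when answered "largely" or "fully implemented") are assumptions made for the illustration.

```python
"""Maturity Indicator Level (MIL) scoring from questionnaire answers.

Added illustration of the cumulative MIL rule stated above; it is not the
thesis's scoring tool. Domain codes follow the C2M2 domains named in this
chapter, but the practice identifiers, the sample answers and the completion
threshold (a practice counts when "largely" or "fully" implemented) are
assumptions made for this example.
"""

SCALE = ("not implemented", "partially implemented",
         "largely implemented", "fully implemented")
COMPLETE = {"largely implemented", "fully implemented"}   # assumed threshold

# Constructed practice sets: {domain: {MIL: [practice ids]}}. MIL4 holds the
# predictive-analytics / threat-intelligence practices added by R-C2M2.
PRACTICES = {
    "IAM": {1: ["IAM-1a", "IAM-1b"], 2: ["IAM-2a"],
            3: ["IAM-3a", "IAM-3b"], 4: ["IAM-4a"]},
    "ISC": {1: ["ISC-1a"], 2: ["ISC-2a"], 3: ["ISC-3a"], 4: ["ISC-4a"]},
    "IR":  {1: ["IR-1a"], 2: ["IR-2a"], 3: ["IR-3a"], 4: ["IR-4a"]},
}

# Constructed questionnaire answers for one railway organisation.
SAMPLE_ANSWERS = {
    "IAM-1a": "fully implemented", "IAM-1b": "largely implemented",
    "IAM-2a": "fully implemented", "IAM-3a": "largely implemented",
    "IAM-3b": "partially implemented", "IAM-4a": "fully implemented",
    "ISC-1a": "fully implemented", "ISC-2a": "fully implemented",
    "ISC-3a": "largely implemented", "ISC-4a": "fully implemented",
    "IR-1a": "partially implemented", "IR-2a": "fully implemented",
    "IR-3a": "fully implemented", "IR-4a": "fully implemented",
}


def validate(answers):
    """Reject answers outside the four-point scale before scoring."""
    bad = {p: a for p, a in answers.items() if a not in SCALE}
    if bad:
        raise ValueError(f"answers outside the scale: {bad}")


def is_complete(answers, practice):
    # an unanswered practice is treated as not implemented
    return answers.get(practice, "not implemented") in COMPLETE


def domain_mil(domain, answers):
    """Highest level L such that every practice at MIL1..L is complete.

    The rule is cumulative: one gap at MIL1 caps the domain at MIL0 even when
    the advanced MIL4 practices are in place."""
    achieved = 0
    for level in sorted(PRACTICES[domain]):
        if all(is_complete(answers, p) for p in PRACTICES[domain][level]):
            achieved = level
        else:
            break
    return achieved


def gaps(domain, answers, target):
    """Practices at MIL1..target that block `target`: the action list."""
    return [p for level in sorted(PRACTICES[domain]) if level <= target
            for p in PRACTICES[domain][level] if not is_complete(answers, p)]


def assess(answers):
    """Per-domain MIL for one organisation (the spider-chart data)."""
    validate(answers)
    return {d: domain_mil(d, answers) for d in PRACTICES}


if __name__ == "__main__":
    print(assess(SAMPLE_ANSWERS))
    for d in PRACTICES:
        print(d, "gaps to MIL4:", gaps(d, SAMPLE_ANSWERS, 4))
```

The `gaps` list is the part a manager actually needs: for the constructed IR domain it points at the single MIL1 practice that holds the whole domain at MIL0, which is the kind of prioritised action plan the thesis communicated back to the railways' senior management.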

Cybersecurity Maturity Indicator Levels (MILs) for the railway organisations (Railway 1, 2, and 3) are shown in the spider chart (Figure 4.1.1). In Railway 1, out of 10 domains, seven are at MIL1 (RM, TVM, SA, IR, EDM, WM, and CPM), one is at MIL2 (ACM), one is at MIL3 (IAM), and one is at MIL4 (ISC). Railway 2 has three domains at MIL4 (CPM, IAM, and ISC), four at MIL3 (RM, TVM, EDM, and WM), two at MIL2 (ACM and SA), and one at MIL1 (IR). All the domains of Railway 3 have attained MIL4, an excellent assessment result.


Figure 4.1.1 Maturity level results in railway organisations (see Paper II).

The results in Figure 4.1.1 show that all three railways have attained MIL4 in the ISC domain. This indicates that they are sharing threat intelligence with internal and external bodies, resulting in a decrease in cyber risks and an increase in operational resilience. The detailed results of the practices in each domain of Railway 1, 2, and 3 are in Paper II.

The research also measures the cybersecurity awareness risk of railway organisations based on the Information Security Awareness Capability Model (see Chapter 2, ‘Theories and Basic Concepts’). The roles involved were IT Infrastructure Architect, Project Manager, Track Specialist, and Data Scientist. Table 4.1.1 shows a heat map that represents the level of cybersecurity awareness risk in railways.

Table 4.1.1 Measurement of awareness risk in railway organisations (AI = Awareness Importance; AR = Awareness Risk for each role)

| ISO/IEC 27002 Security Control Clause | Control objective | AI | AR: IT Architect | AR: Project Manager | AR: Track Specialist | AR: Data Scientist |
|---|---|---|---|---|---|---|
| Access Control | User responsibilities | 5.81 | -1.19 | 0.81 | 5.13 | 1.31 |
| Information Security Incident Management | Reporting information security events and weaknesses | 6.13 | -0.87 | 0.63 | 1.63 | 1.63 |
| Access Control | Mobile computing and teleworking | 6.24 | -0.76 | 0.74 | 1.74 | 0.74 |
| Communications Security | Information transfer | 5.77 | -1.23 | -1.23 | -0.23 | -0.23 |
| Asset Management | Media handling | 6.17 | -0.83 | -0.83 | -0.83 | 3.17 |
| Asset Management | Information classification | 5.53 | -1.47 | -1.47 | -1.47 | 0.53 |
| Access Control | Business requirements for access control | 5.68 | -1.32 | -1.32 | 1.18 | 5.68 |
| Compliance | Compliance with legal requirements | 5.6 | 2.1 | -1.4 | 1.1 | 5.6 |
| Asset Management | Responsibility for assets | 5.56 | -1.44 | -1.44 | 4.06 | 5.56 |
| Physical & Environmental Security | Equipment security | 5.74 | -1.26 | -1.26 | -0.26 | 5.74 |

Figure 4.1.1 (spider chart, axis 0 to 4) plots Railway 1, Railway 2, and Railway 3 across the ten domains: Risk Management (RM); Asset, Change, and Configuration Management (ACM); Identity and Access Management (IAM); Threat and Vulnerability Management (TVM); Situational Awareness (SA); Information Sharing and Communications (ISC); Event and Incident Response, Continuity of Operations (IR); Supply Chain and External Dependencies Management (EDM); Workforce Management (WM); and Cybersecurity Program Management (CPM). The heat map in Table 4.1.1 is shaded on a scale from Risk to Safe.


The scores for Awareness Importance (AI) were provided by industry professional groups. The IT Infrastructure Architect has the highest awareness capability, more than the Project Manager, Track Specialist, or Data Scientist. The Project Manager shows risk in the Access Control and Information Security Incident Management security controls. The Track Specialist shows risk in Access Control and Asset Management. The Data Scientist shows elevated risk levels in Access Control, Compliance, and Asset Management. Overall, the railway workforce needs to be more aware of cybersecurity risk.

4.2. Results Related to RQ2

The second research question was: How can proactive cybersecurity measures be enabled in operation and maintenance of railway systems?

In order to answer RQ2, an extensive literature survey and analysis were conducted. The results from these studies are described in the following sub-sections.

4.2.1. Multi-level Cyberattack Model 

This thesis proposes a multi-level cyberattack model (Figure 4.2.1), based on cyberattack sources, actors, actions, goals, and impacts (see Chapter 2, ‘Theories and Basic Concepts’).

Figure 4.2.1 Multi-level cyberattack model (See Chapter 2, ‘Theories and Basic Concepts’)


The proposed model will assist railways in understanding the characteristics of cyberattacks and creating a security strategy. This will be beneficial for cybersecurity risk assessment using cause-effect analysis and will help determine the severity of a cyberattack. The proposed model can enable proactive cybersecurity in railway operation and maintenance by identifying cyberattacks before their occurrence.

To justify the structure of this proposed model, different types of cyberattacks (Table 4.2.1) with railway eMaintenance data have been placed in this model (see Other Paper 3).

Table 4.2.1 Cyber-attacks linked to source, actor, intention, and compromised security element

| Cyberattacks | Source | Actor | Action | Security element |
|---|---|---|---|---|
| Snooping and shoulder surfing | Internal or External | Human | Malicious | Confidentiality |
| Modification and masquerading | Internal or External | Human | Malicious | Integrity |
| Denial of service attacks | Internal or External | Human | Malicious | Availability |
| Data entry errors and omissions | Internal | Human | Non-malicious | Integrity |
| Jamming (telecomm) | Internal or External | Technological | Non-malicious | Availability |
| Faults in power supply and data networks | Internal | Technological | Non-malicious | Availability |
| Earthquakes, hurricanes, wind, flood, tsunami, fire, lightning, animals, and wildlife | External | Natural disaster | Non-malicious | Availability |
| Malware, ransomware | Internal or External | Human | Malicious | Availability |
| Unauthorized account added to data historian | Internal or External | Human | Malicious | Reliability |
| Configuration change in Programmable Logic Controller (PLC) or Remote Terminal Unit (RTU) in SCADA system | Internal or External | Human | Malicious | Safety |

4.2.2. Railway Defender Kill Chain

This thesis proposes a Railway Defender Kill Chain (RDKC) to defend against the 17 stages obtained by unifying an extended Cyber Kill Chain (CKC) and an Industrial Control System (ICS) cyber kill chain. The core of the RDKC is the RDKC matrix (see Paper III). The thesis identifies various cyberattack scenarios in railway operation and maintenance; the proposed RDKC matrix can help minimise the risk of these identified cyberattacks (see Paper III).


The thesis also proposes a taxonomy of cybersecurity strategies (Figure 4.2.2) with three levels: cybersecurity strategies, courses of action, and the RDKC matrix.

The courses of action (see Paper III) are grouped into four strategies: predictive, proactive, reactive, and active. The following section provides a summary of the four strategies.

A reactive strategy begins with an incident. It involves the initiation of an incident response plan, an operations continuity plan, and a disaster recovery plan to respond to and recover from breaches, along with forensics for legal evidence. The courses of action used in the reactive strategy are: response and recovery.

An active strategy involves the gathering of intelligence to thwart cyberattacks based on experience, knowledge, and internal and external real-time information. The courses of action used in an active strategy are: deny, disrupt, degrade, deceive, and destroy. Active strategies act in parallel with other strategies.

A proactive strategy begins with the detection of threats before their occurrence. This involves the use of threat intelligence to proactively identify high-risk and weak areas. The strategy is implemented along with an active strategy and a defence-in-depth approach to take proactive defensive measures. For example, a honeypot can be used to trap the attacker in a valueless network to identify and act against zero-day exploits. The courses of action used in the proactive strategy are: protect, detect, and prevent.

A predictive strategy can detect abnormalities in traffic flow and data, sounding the alarm for a security threat before its occurrence. It involves the ability to predict and recover quickly from adversities using security solutions such as user behaviour analytics, network behaviour analytics, log pattern analysis, machine learning, AI and self-learning, and self-healing. The course of action in the predictive strategy is predict.

The proposed taxonomy can be a quick reference guide to mitigate cyber threats. This quick reference guide, along with the proposed multi-level cyberattack model, can act as threat intelligence and help railways act proactively to implement the right defensive strategy.


Figure 4.2.2 Proposed taxonomy of cybersecurity strategies along with RDKC Matrix


4.3. Results Related to RQ3

The third research question was: How can a cybersecurity framework be developed and how can it enhance cybersecurity resilience in digitalised railway?

In order to answer RQ3, an extensive literature survey and analysis were conducted. The results from these studies are described in the following sub-sections.

4.3.1. Proposed Cybersecurity Framework for Railway 

Digitalisation in railways requires a cybersecurity framework that facilitates proactive cybersecurity in operation and maintenance. This thesis develops a framework that can be used to predict, prevent, detect, and respond to cyberattacks that have a significant impact on railway operation and maintenance (see Papers III and IV).

The proposed Cybersecurity Information Delivery Framework integrates existing models, technologies, and standards to enable proactive cybersecurity in the railways. The framework maps the different layers of the Open System Architecture for Condition-Based Maintenance (OSA-CBM) into the context of cybersecurity to deliver threat intelligence (see Paper III). It implements an extended Cyber Kill Chain (CKC) and the Industrial Control System (ICS) kill chain to detect cyberattacks. The framework also incorporates the proposed Railway Defender Kill Chain (RDKC), which enables proactive cybersecurity, leading to increased situational awareness capabilities even ahead of time.

The framework consists of four parts: a) Data Sources and Technologies, b) Railway Cybersecurity OSA-CBM, c) Cyber Kill Chains, and d) Railway Defender Kill Chain (RDKC). To capture the dynamically changing trend of cyber events, a vast amount of data is collected via network traffic, threat intelligence, and historical cyber event logs using the various data sources shown in Figure 4.3.1. To assess cyberattacks within the railway system, criticality analysis techniques such as a risk matrix can be applied.

To predict these attacks, data analysis techniques (e.g., machine learning, data mining, etc.) and the proposed cyberattack model can be applied to facilitate proactive cybersecurity. The cyber kill chains show the adversary’s behaviour (see Papers III and IV), while RDKC maps each step of the adversary and provides defensive controls to break the attack chain (see Paper III).


Figure 4.3.1 Cybersecurity Information Delivery Framework (see Paper III)


4.3.2. Framework Assessment

To assess the proposed cybersecurity framework, cyberattack penetration probabilities are calculated at each stage of the Cyber Kill Chain (CKC) model. The assessment is based on a model and simulation approach. The simulation approach starts by defining model parameters and assumptions. Four simulation cases are presented in Figure 4.3.2, and a detailed explanation is provided in Paper IV.

Figure 4.3.2. Simulation cases (see Paper IV)

The Detection Mechanism case simulates the cyberattack penetration probabilities at all seven stages of the CKC with and without a pre-filtering mechanism. The Variable Controls case simulates the cyberattack penetration probabilities at all seven stages when the security controls at the third, fourth, and fifth stages have variable probabilities. The Equalizer case estimates the impact of changing security controls on last-stage penetration. The Learning Curve case is a feedback learning criterion that simulates the penetration probabilities after assessing cyber incidents and then improving the security controls to minimise the risk of future cyberattacks (see Paper IV). The results of some simulation cases are presented in Figures 4.3.3–4.3.5. Figure 4.3.3 shows the cyberattack penetration probabilities at each stage of the cyber kill chain with and without pre-filtering. The red lines show penetration probabilities without filtering, and the green lines show penetration probabilities with filtering.

Figure 4.3.3 Penetration probabilities at each stage of CKC with and without pre-filtering (see Paper IV).

Figure 4.3.2 shows the four simulation cases: Detection Mechanism, Variable Controls, Equalizer, and Learning Curve.


The thesis considers the effect of security controls on the cyberattack penetration probability. It considers three cases of security controls’ probability at the third, fourth, and fifth stages of the CKC, i.e., 20% - 25%, 26% - 30%, and 31% - 35%. Figure 4.3.4 shows cyberattack penetration probabilities when three variable cases of security controls are applied. With an increase in probability of security control from 20% - 25% to 26% - 30%, there is a decrease in cyberattack penetration probability from 0.02502 to 0.01794. Similarly, when the probability of security control increases from 26% - 30% to 31% - 35%, the cyberattack penetration probability decreases from 0.01794 to 0.008265.

Figure 4.3.4 Penetration probabilities at each stage of the cyber kill chain (see Paper IV).

A learning curve can be used to evaluate the penetration of the cyberattack at the last stage and update the security controls to enable proactive cybersecurity. Figure 4.3.5 shows the learning curve results; i.e., attack penetrations decrease (shown with green lines) when security controls are updated from 20% - 25% to 26% - 30% and then to 31% - 35%.


Figure 4.3.5 Learning curve (see Paper IV).
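The three simulation cases discussed in this section (pre-filtering, variable controls at the third to fifth stages, and the learning curve) share one underlying mechanic: an attack survives a stage only if that stage's control fails to stop it, so the penetration probability is the running product of the per-stage survival probabilities. The block below is an added example written to make that mechanic concrete; it is not the model of Paper IV and does not reproduce the thesis's figures. The seven stage names follow the CKC, and the control bands 20-25%, 26-30% and 31-35% are the ones the text applies to the third, fourth and fifth stages; the baseline control strength of 0.10 at the other stages, the independence of stages, and the uniform draw within each band are assumptions of this example.

```python
"""Cyber kill chain penetration model with variable controls and a learning loop.

Added illustration of the simulation approach described above; it is not the
model of Paper IV and does not reproduce its figures. The seven stage names
follow the CKC; the baseline control strength at the other stages (0.10), the
independence of stages and the uniform draw within each band are assumptions
of this example. The bands 20-25%, 26-30% and 31-35% are the ones the text
applies to the third, fourth and fifth stages.
"""
import random

STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
VARIABLE_STAGES = (2, 3, 4)            # third, fourth, fifth stage (0-indexed)
BANDS = [(0.20, 0.25), (0.26, 0.30), (0.31, 0.35)]


def stage_penetration(controls, prefilter=0.0):
    """Analytic cumulative penetration probability after each stage.

    controls[i] is the probability that the control at stage i stops the
    attack; prefilter is the probability a perimeter filter drops it before
    stage 1 (the Detection Mechanism case). Stages are assumed independent."""
    if len(controls) != len(STAGES):
        raise ValueError("one control strength per stage is required")
    surviving, out = 1.0 - prefilter, []
    for c in controls:
        surviving *= 1.0 - c
        out.append(surviving)
    return out


def simulate_final_penetration(base_controls, band, n=20000, seed=1,
                               prefilter=0.0, stages=VARIABLE_STAGES):
    """Monte Carlo for the Variable Controls case: for each of n attacks the
    controls at `stages` are redrawn uniformly from `band`; returns the
    fraction of attacks that reach the last stage."""
    rng = random.Random(seed)
    lo, hi = band
    reached = 0
    for _ in range(n):
        if rng.random() < prefilter:
            continue                       # dropped by the pre-filter
        alive = True
        for i in range(len(STAGES)):
            c = rng.uniform(lo, hi) if i in stages else base_controls[i]
            if rng.random() < c:
                alive = False              # stopped at stage i
                break
        reached += alive
    return reached / n


def learning_curve(base_controls, bands=BANDS, **kw):
    """Feedback loop: after each round of incidents the control band is raised
    and the chain re-simulated; returns last-stage penetration per round."""
    return [simulate_final_penetration(base_controls, b, **kw) for b in bands]


if __name__ == "__main__":
    base = [0.10] * len(STAGES)          # assumed baseline control strength
    for name, p in zip(STAGES, stage_penetration(base)):
        print(f"{name:<22} {p:.4f}")
    print("learning curve:", [round(x, 4) for x in learning_curve(base)])
```

Because the stages are modelled as independent, the Monte Carlo estimate for a band converges to the product of the mean survival probabilities, so the analytic function can be used to sanity-check the simulation; the value of simulating is that it extends naturally to the dependent or incident-driven control updates that the learning-curve case is about.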

The thesis also develops a cybersecurity demonstrator (available at http://emaint-cbap.azurewebsites.net/Default) to predict cyberattack penetration probabilities at each stage of the CKC model. The demonstrator can be used to compare the existing and the predicted system. The data in the demonstrator are assumed values based on the literature survey; fed with real cybersecurity data, it can be used in railways to predict future penetrations.



CHAPTER 5. DISCUSSIONS

This chapter discusses the results and findings of the conducted research work.

5.1. Discussion of Results Related to RQ1 

Cyberattacks on railways are growing with digital transformation. Vulnerabilities in Information and Communication Technology (ICT) and Operational Technology (OT) allow adversaries to steal or alter railway data (e.g. signalling data, operation and maintenance data, data historians) in order to disrupt railway operations and maintenance. Such attacks try to interrupt, block, or corrupt the transmission of railway information used by eMaintenance systems, signalling systems, and other railway infrastructure.

This thesis research has concentrated on cybersecurity in railway operation and maintenance, i.e., the utilisation phase of the system’s life cycle. Several European railway organisations participated in the research activities, including data collection, analysis, and assessment.

It is important to mention that in transportation about 56% of attacks are not disclosed because of possible reputational damage. Cybersecurity information needs to be shared to increase workforce awareness of cyberattacks. The lack of cybersecurity education in the workforce is becoming even more problematic with the adoption of IoT (Internet of Things) and other smart devices, as these can expose organisations and individuals to new threats with major consequences. It is critical to ensure that the workforce of railway organisations using ICT-based operation and maintenance is vigilant, fully aware of new and advanced cyberattacks, and trained in cybersecurity hygiene. To estimate cybersecurity awareness in railways, this thesis implements an Information Security Awareness Capability Model (ISACM). In this model a positive risk-awareness score indicates an undesirable level of risk. The identified risks have been communicated to the corresponding railway organisations for future improvement.

This thesis assesses the cybersecurity maturity level of European railway organisations. The identities of the organisations are kept confidential because of the sensitivity of the cybersecurity data. All domains of the participating railway organisations have reached the initial maturity level (MIL1), but some railways are far from attaining MIL4 in all domains. The assessment helps these organisations understand their gaps and reach higher MILs. After the results were analysed, a detailed summary of the identified gaps was communicated to the respective railway organisations so that they could see their current level of maturity and take steps to fill the gaps in their cybersecurity programmes.

Other railway organisations were contacted but did not participate in the research because they perceived that sharing cybersecurity data would put them at risk of future cyberattacks. However, if all railway organisations shared their cybersecurity data, their cybersecurity capabilities could be evaluated more precisely. There is a need to communicate and to act together on cybersecurity, one of the biggest challenges facing railways as critical infrastructure (CI).

5.2. Discussion of Results Related to RQ2

To become proactive in cybersecurity, cyber threats need to be identified before an attack occurs. This can be achieved by sharing internal and external threat intelligence and by modelling cyberattacks based on their characteristics and impacts. The proposed multi-level cyberattack model (see Chapter 4, 'Results') can help railways model cyberattacks so as to proactively identify their characteristics (source, actor, action, and goal) and impacts.

The proposed multi-level cyberattack model considers almost every aspect from the adversary's point of view, including the potential impact. Based on the impacts, security controls from the proposed Railway Defender Kill Chain (RDKC) matrix (see Chapter 4, 'Results') can be selected to minimise the risk of these cyberattacks.

Many security controls are applicable to digitalised sectors, but they need to be tailored to the context of the defender's behaviour (tactics). The proposed RDKC matrix arranges available security controls in a matrix in which nine defender tactics (Predict, Prevent, Detect, Response and Recovery, Deny, Disrupt, Degrade, Deceive, and Destroy) appear as columns and 17 stages of the Cyber Kill Chain (CKC) models appear as rows (see Chapter 4, 'Results'). The defender's tactics are aggregated into a three-level taxonomy of cybersecurity strategies (see Chapter 4, 'Results'), in which strategies evolve from reactive to proactive to predictive. To be more resilient, railways need to prepare and to develop predictive strategies. The proposed RDKC matrix therefore includes Predict as a defender tactic and proposes security controls for each stage of the CKC models (see Chapter 4, 'Results').

5.3. Discussion of Results Related to RQ3

To keep pace with the rapid increase in cyberattacks, railway operators need to shift from legacy reactive measures to proactive security analytics. Cyber threat intelligence sharing with partners and other railway organisations is the key component of success: it increases situational awareness and gives railway organisations a more complete understanding of the threat landscape. Continuous threat intelligence from internal and external sources is essential for proactive cybersecurity, and it is the main component of the proposed cybersecurity framework. The framework integrates existing technologies, standards, and models to enable proactive cybersecurity and minimise the risk of cyberattacks in the railway (see Chapter 4, 'Results'), which in turn enhances the availability of the railway system. The proposed framework delivers cybersecurity information from a technological point of view.


This research uses simulation to assess the proposed framework by predicting cyberattack penetration probabilities at each stage of the Cyber Kill Chain (see Chapter 4, 'Results'). With the results of the assessment, security controls can be improved to reduce the risk of future cyberattacks. The cybersecurity demonstrator can also help railways predict the probability of cyberattacks on their Information and Communication Technology (ICT) infrastructure.



CHAPTER 6. CONCLUSIONS

This chapter draws important conclusions from the results of the research study.

The purpose of the research was to develop a holistic cybersecurity framework for the digitalised railway to enable proactive cybersecurity. The framework aims to enhance the railway's cybersecurity maturity level and to deliver threat intelligence so that cyber threats can be predicted, prevented, detected, and responded to effectively. To achieve this objective, the thesis included several research activities and case studies. The following insights are based on the results of the data analysis.

Firstly, it can be concluded that digitalisation in railway operation and maintenance provides benefits such as sustainability, availability, reliability, maintainability, capacity, safety, and security, including cybersecurity. Yet railway stakeholders face challenges in the digitalisation of the railways.

Secondly, the concept of information assurance, which also covers aspects of cybersecurity, is receiving significant attention in railway digitalisation. However, the cybersecurity maturity level varies between railway organisations.

Thirdly, the railway system (infrastructure and rolling stock) is a complex technical system consisting of many items with long lifecycles and a vast number of stakeholders, and it must be studied as such. Dealing with cybersecurity therefore requires a holistic approach that considers the railway system's whole lifecycle, as well as any changes in its configuration.

Finally, it can be concluded that there is a need for a generic cybersecurity framework for the digitalised railway to facilitate proactive cybersecurity and threat intelligence sharing. The proposed framework was developed by integrating Open System Architecture for Condition-Based Maintenance (OSA-CBM), technologies at different stages of OSA-CBM, and cyber kill chain models.



CHAPTER 7. CONTRIBUTIONS

This chapter summarizes the contributions of the conducted research study.

This work was conducted in the domain of operation and maintenance related to railway. The focus of the work was on the provision of insights and artefacts to improve the availability of railway systems through enhanced cybersecurity implemented via eMaintenance solutions. The major contributions of the work are the following:

A. Identification of cybersecurity issues and challenges – The research contributes by identifying cybersecurity issues and challenges in railway operation and maintenance through an extensive state-of-the-art review.

B. Cybersecurity maturity level – The research contributes to information assurance by estimating the existing cybersecurity maturity levels of railway organisations. The estimation can be used to recommend the actions necessary to improve the overall availability of the railway system.

C. A cybersecurity framework – The work proposes a proactive approach to railway cybersecurity. It formulates a holistic cybersecurity framework that facilitates proactive cybersecurity and enhances cybersecurity resilience. The framework facilitates threat intelligence sharing between railway organisations so they can stay up to date on the latest cyber threats.

The overall contribution of the research is that it begins to close the gap between academia and practitioners in the railway industry. It will help railways implement solutions developed in a more scientific way to enhance overall dependability.



CHAPTER 8. FUTURE RESEARCH

This chapter suggests how the present research can be extended in future work.

To improve cybersecurity in railway and provide appropriate tools and approaches to improve resilience and increase the availability performance of the system, the following topics are proposed for future research:

A. The research can be extended to evaluate the cybersecurity maturity level of other railway organisations around the world. This will facilitate the development of a global generic cybersecurity framework for the digital railway.

B. The research can be extended to the design phase of railway systems with more focus on a security-by-design approach, so that vulnerabilities to cyberattacks are minimised. A starting point is to identify vulnerabilities in existing railway systems that were not designed with a security-by-design approach.

C. The research can be extended to identify vulnerabilities, the cyber threats that exploit them, and their impacts, and to suggest countermeasures. This can be achieved by using the ISA/IEC 62443 standard for cybersecurity risk assessment in an Industrial Control System (ICS). Future research can be initiated by:

• identifying the system of interest and the assets within that system

• identifying the vulnerabilities of the identified assets

• developing threat scenarios that could affect those assets. This can lead to a prescriptive approach, implemented via eMaintenance solutions, that analyses cyber threat scenarios for the railway asset of interest and produces specialised recommendations and corresponding outcomes to reduce operational cybersecurity risks.



REFERENCES

Abomhara, M. (2015). Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. Journal of Cyber Security and Mobility, 4(1), 65-88.

Ahmad, R., & Kamaruddin, S. (2012). A review of condition-based maintenance decision-making. European journal of industrial engineering, 6(5), 519-541.

APTA SS-CCS-004-16. (2015). Securing control and communications systems in rail transit environments. Washington DC: American Public Transportation Association.

AS 7770:2018. (2018). Rail cyber security. Australia: Rail Industry Safety and Standards Board.

Assante, M. J., & Lee, R. M. (2015). The industrial control system cyber kill chain. SANS Institute InfoSec Reading Room,1.

Avizienis, A., Laprie, J. C., Randell, B., & Landwehr, C. (2004). Basic concepts and taxonomy of dependable and secure computing. IEEE transactions on dependable and secure computing, 1(1), 11-33.

Avramović, Z. Ž., Marinković, D. M., & Lastrić, I. T. (2019). Digitalization of railways – ICT approach to the development of automation. JITA – Journal of Information Technology and Applications, 17(1).

Baker, G. (2008). Schoolboy hacks into city's tram system. The Telegraph, 11 January 2008.

BBC NEWS. (2020). Rail station wi-fi provider exposed traveller data, available at https://www.bbc.com/news/technology (accessed 16 April 2020).

BBC. (2018). Great Western Railway accounts breached, https://www.bbc.com/news/technology-43725640 (accessed 23 September 2018).

Brinberg, D., & McGrath, J. E. (1985). Validity and the research process. Sage Publications, Inc.

C2M2 V1.1. (2014). Cybersecurity Capability Maturity Model (C2M2), Version 1.1. Technical report, U.S. Department of Energy and Department of Homeland Security.

Campos, J., Sharma, P., Jantunen, E., Baglee, D., & Fumagalli, L. (2016). The challenges of cybersecurity frameworks to protect data required for the development of advanced maintenance. In Product-Service Systems across Life Cycle, 2016 (pp. 222-227). Elsevier.

CCSMM. (2011). The community cyber security maturity model. In 2011 IEEE international conference on technologies for homeland security (HST) (pp. 173-178). IEEE.

Cebula, J. L., & Young, L. R. (2010). A taxonomy of operational cyber security risks (No. CMU/SEI-2010-TN-028). Carnegie-Mellon Univ Pittsburgh Pa Software Engineering Inst.

CEN. (2017). EN 13306:2017 Maintenance – Maintenance terminology. European Committee for Standardization.

Cisomag. (2020). U.S. RailWorks Corp. Reports Data Breach Post Ransomware Attack, available at https://www.cisomag.com/u-s-railworks-corp-reports-data-breach-post-ransomware-attack/ (accessed 16 April 2020).

Cloppert, M. (2009). Security Intelligence: Attacking the Cyber Kill Chain. SANS Computer Forensics.


Creswell, J. W., & Creswell, J. D. (2017). Research design: Qualitative, quantitative, and mixed methods approaches. Sage publications.

D’Amico, A. D. (2000). What does a computer security breach really cost? Secure Decisions, A Division of Applied Visions. Inc., September, 7.

Department of Defense. (1997). Systems Security Engineering Capability Maturity Model (SSE-CMM), model description, version 1.1. doi:10.21236/ada330236.

DFS. (2018). New York State Department of Financial Services. Cybersecurity Requirements for Financial Services Companies. Available at https://dfs.ny.gov/legal/regulations/adoptions-/dfsrf500txt.pdf (accessed 28 January 2019).

Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. Official Journal of the European Union, L 345, 23 December 2008, pp. 75–82.

EN 50159:2010 (or IEC 62280). (2010). Railway applications - Signalling, telecommunication and processing systems - Safety communication in transmission systems.

ENISA. (2020). Critical information infrastructures and services. European Union Agency for Cybersecurity, available at https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services (accessed 16 April 2020).

ES-C2M2. (2014). Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). Department of Homeland Security.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). EUR-Lex, https://eur-lex.europa.eu/legal-content/EN.

EY. (2014). Cyber insurance, security and data integrity. Part 1: Insights into cyber security and risk. Available at https://www.ey.com/Publication/vwLUAssets/EY__Insights_into_cyber_security_and_risk/$FILE/ey-cyber-insurance-thought-leadership.pdf (accessed 26 April 2018).

Cyber Intelligence Task Force. (2013). Operational levels of cyber intelligence. Intelligence and National Security Alliance (INSA).

Joint Task Force Transformation Initiative. (2013). Security and privacy controls for federal information systems and organizations (NIST Special Publication 800-53, Revision 4). National Institute of Standards and Technology.

Gill, J., & Johnson, P. (2002). Research methods for managers. Sage.

Gross, M. L., Canetti, D., & Vashdi, D. R. (2017). Cyberterrorism: its effects on psychological well-being, public confidence and political attitudes. Journal of Cybersecurity, 3(1), 49-58.

Hackmageddon. (2019). Information security timelines and statistics. Available at https://www.hackmageddon.com/category/security/cyber-attacks-statistics/ (accessed 29 January 2019).

Hair, J. F., Money, A. H., Samouel, P., & Page, M. (2007). Research methods for business. Education+ Training.

Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1(1), 80.


IBM X-Force. (2020). X-Force Threat Intelligence Index, available at https://www.ibm.com/downloads/cas/DEDOLR3W (accessed 16 April 2020).

IBM. (2020). X-Force interactive security incidents, available at https://www.ibm.com/security/resources/xforce/xfisi/ (accessed 16 April 2020).

IEC. (2015). International electrotechnical vocabulary—Part 192: Dependability. International standard IEC, 60050-192 (accessed 26 April 2019).

ISACA. (2012). Cobit 5. USA. https://www.isaca.org/bookstore/Pages/COBIT-5-Related.aspx. Updated 2012 (accessed 26 April 2018).

ISO 55000. (2014). Asset management — Overview, principles and terminology.

ISO/IEC 12207 (2008). Systems and software engineering-software life cycle processes. International Organisation for Standardization, Geneva, Switzerland.

ISO/IEC 27001:2013. (2013). Information technology – Security techniques – Information security management systems – Requirements.

ISO/IEC 27002:2015 (AS ISO/IEC 27002:2015). (2015). Information technology – Security techniques – Code of practice for information security controls.

ISO/IEC 27032. (2012). Information technology – Security techniques – Guidelines for cybersecurity. International Organization for Standardization, International Electrotechnical Commission.

ISO 13374. (2003). Condition monitoring and diagnostics of machines – Data processing, communication and presentation.

Jägare, V., Karim, R., Söderholm, P., Larsson-Kråik, P. O., & Juntti, U. (2019). Change management in digitalised operation and maintenance of railway. In International Heavy Haul Association (IHHA) STS 2019 Conference (pp. 904-911).

Jayaratna, N. (1994). Understanding and evaluating methodologies: NIMSAD, a systematic framework. McGraw-Hill, Inc..

Johansson, M. (2017). A national cyber security strategy Skr. 2016/17:213. Stockholm 22/06/2017. Sweden.

Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of Security Threats in Information Systems. ANT/SEIT, 32, 489-496.

Kajko-Mattsson, M., Karim, R., & Mirjamdotter, A. (2011). Essential components of e-maintenance. International Journal of Performability Engineering, 7(6), 555-571.

Karim, R. (2008). A service-oriented approach to e-maintenance of complex technical systems (Doctoral dissertation, Luleå tekniska universitet).

Karim, R., Jägare, V., Juntti, U., Glover, C., & Cipolla, A. (2020). The roadmap for digitalised operation and maintenance of railway: ePilot – A railway collaboration platform. Report, 2020.

Karim, R., Westerberg, J., Galar, D., & Kumar, U. (2016). Maintenance analytics – the new know in maintenance. IFAC-PapersOnLine, 49(28), 214-219.

Karvinen, K., & Bennett, D. (2006). Enhancing performance through the introduction of customer orientation into the building components industry. International Journal of Productivity and Performance Management.


Koc, M., & Lee, J. (2001). A system framework for next-generation E-maintenance systems. China Mechanical Engineering, 5, 14.

Kothari, C. R. (2011). Research methodology and techniques Delhi: New Age International Limited Publishers.

Kushner, D. (2013). The real story of stuxnet. ieee Spectrum, 3(50), 48-53.

Lim, K. K., Yeum, D., & Kim, S. (2014). The development of a railway safety maturity model and estimate procedures. Journal of the Korean Society of Civil Engineers, 34(1), 195-202.

Lockheed Martin. (2014). Cyber Kill Chain®. Available at http://cyber.lockheedmartin.com/hubfs/Gaining the Advantage Cyber Kill Chain.pdf.

Lockheed Martin. (2009). Cyber Kill Chain®. Available at http://cyber.lockheedmartin.com/hubfs/Gaining the Advantage Cyber Kill Chain.pdf (accessed 12 November 2018).

Mattioli, R., & Moulinos, K. (2015). Analysis of ICS-SCADA cyber security maturity levels in critical sectors. European Union Agency for Network and Information Security (ENISA).

Mcafee. (2019). McAfee Labs Threats Report. Available at https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-aug-2019.pdf (accessed 15 April 2020).

McQuade, M. (2018). The untold story of NotPetya, the most devastating cyberattack in history.

Menashri, H., & Baram, G. (2015). Critical infrastructures and their interdependence in a cyber attack–the case of the US. Military and Strategic Affairs, 7(1), 22.

MITRE. (2020). MATRICES, available at https://attack.mitre.org/matrices/enterprise/ (accessed 15 April 2020)

Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5).

Montanari, L., & Querzoni, L. (2014). Critical infrastructure protection: Threats, attacks and countermeasures. no. March, 1-164.

Muller, A., Marquez, A. C., & Iung, B. (2008). On the concept of e-maintenance: Review and current research. Reliability Engineering & System Safety, 93(8), 1165-1187.

NATO. (2019). NATO and EU discuss cyber threats ahead of European elections, available at https://www.ncia.nato.int/NewsRoom/Pages/20190503-test.aspx (accessed 15 April 2020).

NDB. (2018). Australian Government. Privacy Amendment (Notifiable Data Breaches) Act 2017. Available at https://www.legislation.gov.au/Details/C2017A00012/Html/Text . (Accessed 28 January 2019).

Nemtanu, F. C., & Marinov, M. (2019). Digital Railway: Trends and Innovative Approaches. In Sustainable Rail Transport (pp. 257-268). Springer, Cham.

NICE. (2018). A guide to the National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework (2.0). Auerbach Publications.

NIST. (2018). Framework for improving critical infrastructure cybersecurity version 1.1 (No. NIST Cybersecurity Framework).

ONG-C2M2. (2014). Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model. Department of Homeland Security. Available at https://www.energy.gov/sites/prod/files/2014/02/f7/ONG-C2M2-v1-1-Feb2014.pdf (accessed 26 April 2018).

Paganini, P. (2016). Black Energy infected also Ukrainian Mining and Railway Systems, https://securityaffairs.co/wordpress/44452/hacking/blackenergy-mining-and-railway-systems.html (accessed 23 September 2018).

Parida, A., & Kumar, U. (2004). Managing information is key to maintenance effectiveness. In Intelligent Maintenance Systems: 15/07/2004-17/07/2004.

Poepjes, R. (2015). The development and evaluation of an information security awareness capability model: linking ISO/IEC 27002 controls with awareness importance, capability and risk (Doctoral dissertation, University of Southern Queensland).

Radenkovic, B., & Kocovic, P. (2020). From ubiquitous computing to the Internet of Things. In Securing the Internet of Things: Concepts, Methodologies, Tools, and Applications (pp. 1523-1556). IGI Global.

Evans, D. (2011). The Internet of Things: How the next evolution of the Internet is changing everything. Cisco white paper, 1(2011), 1-11.

Rail Cyber Security Guidance to Industry. (2016). Department for Transport, https://www.rssb.co.uk/Library/improving-industry-performance/2016-02-cyber-security-rail-cyber-security-guidance-to-industry.pdf (accessed 23 September 2018).

Rail Delivery Group. (2017). Rail Cyber Security Strategy, UK, available at https://www.raildeliverygroup.com/component/arkhive/?task=file.download&id=469772253 (accessed 23 September 2018).

Rea-Guaman, A. M., San Feliu, T., Calvo-Manzano, J. A., & Sanchez-Garcia, I. D. (2017). Comparative study of cybersecurity capability maturity models. In International Conference on Software Process Improvement and Capability Determination (pp. 100-113). Springer, Cham.

Redman, L. V., & Mory, A. V. H. (1923). The Romance of Research, 1923. P-10.

Roadmap. (2016). A Roadmap for Digital Railways. CER, CIT, EIM, UIC, 2016, https://www.cer.be/sites/default/files/publication/A%20Roadmap%20for%20Digital%20Railways.pdf (accessed 26 April 2020).

Scordamaglia, D. (2019). Digitalisation in railway transport: A lever to improve rail competitiveness. European Parliamentary Research Service, available at https://www.europarl.europa.eu/RegData/etudes/BRIE/2019/635528/EPRS_BRI(2019)635528_EN.pdf (accessed 25 March 2020).

Shakarian, J., Shakarian, P., & Ruef, A. (2015). Cyber attacks and public embarrassment: A survey of some notable hacks. arXiv preprint arXiv:1501.05990.

Shift2Rail report. (2017). CYRail – Cybersecurity in the railway sector, D2.1 – Safety and security requirements of rail transport system in multi-stakeholder environments [Online], available at https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e5b678c2dc&appId=PPGMS (accessed 26 April 2018).

Shift2Rail. (2016). Cybersecurity in the railway sector [Online], available at https://shift2rail.org/project/cyrail/ (accessed 26 April 2018).

Soiferman, L. K. (2010). Compare and Contrast Inductive and Deductive Research Approaches. Online Submission.

Sommerville, I. (2011). Software engineering (9th ed.). Addison-Wesley.


Soupionis, Y., & Benoist, T. (2015). Cyber-physical testbed—The impact of cyber attacks and the human factor. In 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST) (pp. 326-331). IEEE.

Sridhar, S., Hahn, A., & Govindarasu, M. (2011). Cyber–physical system security for the electric power grid. Proceedings of the IEEE, 100(1), 210-224.

Swearingen, K., Majkowski, W., Bruggeman, B., Gilbertson, D., Dunsdon, J., & Sykes, B. (2007). An open system architecture for condition based maintenance overview. In 2007 IEEE Aerospace Conference (pp. 1-8). IEEE.

The Local. (2017). Swedish transport agencies targeted in cyberattack, https://www.thelocal.se/20171012/swedish-transport-agencies-targeted-in-cyber-attack (accessed 23 September 2018).

Tipton, H. F., & Krause Nozaki, M. (Eds.). (2008). Information security management handbook, Volume 2.

Trafikverket Report. (2017). The Swedish Transport Administration Annual Report, available at https://trafikverket.ineko.se/Files/svSE/49148/Ineko.Product.RelatedFile/2018_086_TRV_Annual%20Report_2017.pdf (accessed 23 September 2018).

Velazquez, C. (2015). Detecting and preventing attacks earlier in the kill chain. SANS Institute Infosec Reading Room, 1-21.

Verizon. (2019). Data Breach Investigations Report, available at https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf (accessed 23 February 2020).

Whittaker, Z. (2018). Rail Europe had a three-month long credit card breach. ZDNet, May, 14.

Willett, K. D. (2008). Information assurance architecture. CRC Press.

Wood, A. D., & Stankovic, J. A. (2002). Denial of service in sensor networks. computer, 35(10), 54-62.

Yadav, T., Rao, AM. (2015). Technical aspects of cyber kill chain. In International Symposium on Security in Computing and Communication (pp. 438-452). Springer, Cham.

Yin, R. K. (2017). Case study research and applications: Design and methods. Sage publications.

Zhang, X., Yang, X., Lin, J., Xu, G., & Yu, W. (2016). On data integrity attacks against real-time pricing in energy-based cyber-physical systems. IEEE Transactions on Parallel and Distributed Systems, 28(1), 170-187.

Zhou, X., Xu, Z., Wang, L., Chen, K., Chen, C., & Zhang, W. (2018). Kill chain for industrial control system. In MATEC Web of Conferences (Vol. 173, p. 01013). EDP Sciences.

Zhu, B., Joseph, A., & Sastry, S. (2011). A taxonomy of cyber attacks on SCADA systems. In 2011 International conference on internet of things and 4th international conference on cyber, physical and social computing (pp. 380-388). IEEE.


APPENDED PAPERS

Paper I

Kour, R., Aljumaili, M., Karim, R., & Tretten, P. (2019). eMaintenance in railways: Issues and challenges in cybersecurity. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 233(10), 1012-1022. (Published)

Paper II

Kour, R., Karim, R., & Thaduri, A. (2019). Cybersecurity for railways–A maturity model. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 0954409719881849. (Published online)

Paper III

Kour, R., Thaduri, A., & Karim, R. (2020). Railway Defender Kill Chain to Predict and Detect Cyber-Attacks. Journal of Cyber Security and Mobility, 9(1), 47-90. (Published)

Paper IV

Kour, R., Thaduri, A., & Karim, R. (2020). Predictive model for multistage cyber-attack simulation. International Journal of System Assurance Engineering and Management, 1-14. (Published online)

Paper I

eMaintenance in railways: Issues and challenges in cybersecurity


Original Article

eMaintenance in railways: Issues and challenges in cybersecurity

Ravdeep Kour, Mustafa Aljumaili, Ramin Karim and Phillip Tretten

Abstract

The convergence of information technology and operation technology and the associated paradigm shift toward Industry 4.0 in complex systems, such as railways, has brought significant benefits in reliability, maintainability, operational efficiency, capacity, as well as improvements in passenger experience. However, with the adoption of information and communications technologies in railway maintenance, vulnerability to cyber threats has increased. It is essential that organizations move toward security analytics and automation to improve and prevent security breaches and to quickly identify and respond to security events. This paper provides a statistical review of cybersecurity incidents in the transportation sector with a focus on railways. It uses a web-based search for data collection in popular databases. The overall objective is to identify cybersecurity challenges in the railway sector.

Keywords

Cybersecurity, railway, eMaintenance, challenges

Date received: 7 June 2018; accepted: 11 December 2018

Introduction

As information and communication technologies(ICTs) become increasingly pervasive, eMaintenancesolutions for advanced maintenance applications arebecoming more common. eMaintenance is a broadterm which emerged in the early 2000s with advanceddiagnostics and maintenance. The term eMaintenanceis defined at two levels of abstraction: first,‘‘eMaintenance is maintenance managed and per-formed via computing’’; second, ‘‘eMaintenance is amultidisciplinary domain based on maintenance andICT ensuring that the eMaintenance services arealigned with the needs and business objectives ofboth customers and suppliers during the whole prod-uct lifecycle’’ (Kajko-Mattsson et al.,1 p.560).

In the railway industry, like other industries, ICTs have been developing alongside business processes in maintenance activities.2 The overall gains are more substantial than the simple improvements in productivity and optimization of costs that may be achieved through the use of web services.2–4 For example, the railway sector has adopted the concept of eMaintenance and suggests using web-based railway eMaintenance solutions using cloud technology to determine optimum maintenance profiles5 and remaining useful life of railway vehicle wheels.6

Railways use data from wayside sensors to determine and implement vehicle maintenance strategies and, thus, increase safety and reduce costs, by detecting and mitigating the "bad actors."6 The railway sector also advocates Smart Maintenance Initiatives7 and the use of ICT in maintenance to develop artifacts (e.g. frameworks, tools, methodologies, and technologies) to support maintenance decision-making.8

The eMaintenance solutions used in the railway sector generally depend on standard Internet infrastructure, however, and this makes them vulnerable to cybersecurity threats. There is a need to find ways to minimize the impacts of such threats while ensuring the availability of the eMaintenance services. Traditionally, dependability9 implies high levels of availability, reliability, maintainability, and maintenance support. From the software perspective, dependability includes reliability, availability, safety, and security.10 Thus, security is an inherent component of system dependability, and software security must be continuously improved if eMaintenance tools are to achieve the high levels of availability required of them.

Division of Operation and Maintenance Engineering, Luleå University of Technology, Luleå, Sweden

Corresponding author: Ravdeep Kour, Division of Operation and Maintenance Engineering, Luleå University of Technology, Luleå 97187, Sweden. Email: [email protected]

Proc IMechE Part F: J Rail and Rapid Transit 0(0) 1–11. © IMechE 2019. Article reuse guidelines: sagepub.com/journals-permissions. DOI: 10.1177/0954409718822915. journals.sagepub.com/home/pif

Hackers have already targeted rail companies in Belgium, China, Denmark, Germany, Russia, South Korea, Sweden, Switzerland, the UK, and the US. Artificial Intelligence-powered cyber-attacks, until recently a theoretical possibility, have been detected "in the wild," with the first case of this kind in India.11

Given the new reality, the operation technology security community has begun to move toward security analytics and automation to improve the prevention of security breaches. For example, some organizations are adopting a new model for adaptive cybersecurity analytics, one that reports any suspicious network activity.12 Carpenter and Knapp13 proposed some near real-time methods to report detected cybersecurity risk information to external systems.

In an eMaintenance context, to add value to business, smart sensors are collecting condition monitoring and predictive maintenance data to use in machine learning algorithms. The volume of these data generated from Internet of Things (IoT) devices is enormous and provides a significant number of entry points for hackers to steal, corrupt, delete, or even modify the data. Cyber-attacks on railway eMaintenance systems may affect the integrity of the underlying data; this, in turn, could influence the data-driven models and alter the maintenance decision-making process. Ultimately, these cyber-attacks may have an impact on railway stakeholders, e.g. threat to the safety of employees, passengers, or the public in general; loss of sensitive railway information; reputational damage; monetary loss; erroneous decisions; loss of dependability; etc. The risks associated with a successful attack are such that organizations operating railway systems must establish procedures and plans to safeguard against cyber-attacks, and the research community is active in this area.

The aim of this research is to identify various cybersecurity issues and challenges in ICT-based railway maintenance. The paper introduces the problem and then turns to the research methodology used for the data collection. Next, it discusses cybersecurity incidents in critical infrastructure (CI), including the transportation sector, the railway in particular. It provides a brief description of ongoing cybersecurity activities and available cybersecurity guidelines. Finally, the paper presents cybersecurity issues and challenges in railway systems, followed by a discussion and conclusion.

Research methodology for data collection

To obtain initial estimates of the scale of the damage caused by cyber-attacks, we conducted a web-based search, exploring articles related to cybersecurity in various sectors (nuclear, energy, railway, health, and aviation). The popular databases used were Scopus, Google Scholar, ScienceDirect, Taylor & Francis Online, Web of Science, and the Institute of Electrical and Electronics Engineers (IEEE) Xplore Digital Library (Table 1). The comprehensive search included all types of literature related to cybersecurity terms like cyber-attacks, hacking, cybercrime, hacktivism, computer security, etc. and sectors like railway, aviation, grid, nuclear, and health.

Table 1 shows the results of the search. To explain how the table works, for the value 232(2) at the row "railway" and the column "cyber security," for articles from the IEEE Xplore database, the number in the brackets shows articles containing the specific terms "cyber security" and "railway" in the title of the literature. Table 1 results show that more research has been done in the sectors related to health, grid, and nuclear; research and innovation in the context of cybersecurity in the railway sector has started but requires more development.

Statistics of cybersecurity incidents in CI and rail

The security of critical national infrastructure systems is a hot topic among security researchers. According to the European Union Commission (OJ L 345, 23 December 2008, p.77),14 CI refers to

    those assets, systems or parts thereof located in Member States which are essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions.

The organizations operating CIs are establishing procedures and plans to safeguard against cyber-attacks, but incidents still take place. According to the Australian Cyber Security Centre,15 the highest number of compromised systems is in the energy and communications sectors, while the banking and financial services and communications sectors had the highest incidence of Distributed Denial of Service (DDoS) activity, and the energy and mining/resources sectors had the highest number of malicious emails received. In addition, between July 2015 and June 2016, computer emergency response team (CERT)15 responded to 14,804 cybersecurity events affecting businesses, 418 of which involved systems of national interest (SNI) and CI. Figure 1 shows the cybersecurity events affecting SNI and CI by sectors.

The total number of identified vulnerabilities (322) reported by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)16 in general-purpose software and in network protocols that are significant to industrial software and equipment is illustrated in Figure 2.

According to a Dell report,17 in 2015, there was a 73% increase in malware attacks over 2014, and this was more than triple the number in 2013. Statista18 reports that in 2017, there were 15 cyber security incidents in large transportation companies, 9 in small companies, and 35 in companies of unknown size. Verizon Data Breach Investigations Report,19 drawing on data from the Veris Community Database,20 has slightly different, but still worrisome, totals: seven cybersecurity breaches in large transportation organizations, six in small ones, and five in companies of unknown size. According to the Symantec 2018 threat report,21 the rate of email-borne malware was 1 in 486, the email malware rate was 11.5% and the spam rate was 53.9% in the transportation sector.

Table 1. Internet hits for cybersecurity terms within different sectors (as of 20 September 2018). Columns after "Sector" are the keywords used for the search.

| Database | Sector | Cyber security | Cybersecurity | Cyber-attack | Cyber breaches | Hacking | Cyber espionage | Cyber crime | Cyber warfare | Hacktivism | Cyber threats | Computer security | Network security | Information security |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IEEE Xplore | Railway | 232 (2) | 105 (2) | 180 (0) | 0 (0) | 89 (0) | 4 (0) | 26 (0) | 16 (0) | 1 (0) | 48 (0) | 151 (0) | 294 (0) | 402 (1) |
| IEEE Xplore | Aviation | 331 (2) | 176 (2) | 238 (0) | 1 (0) | 124 (0) | 15 (0) | 26 (0) | 34 (0) | 8 (0) | 88 (0) | 302 (0) | 390 (0) | 673 (0) |
| IEEE Xplore | Nuclear | 911 (4) | 538 (1) | 877 (0) | 5 (0) | 403 (1) | 70 (0) | 96 (0) | 141 (0) | 27 (0) | 205 (0) | 752 (1) | 986 (1) | 1087 (1) |
| IEEE Xplore | Grid | 3567 (66) | 1560 (18) | 3291 (44) | 11 (0) | 905 (2) | 59 (0) | 167 (0) | 139 (0) | 22 (0) | 612 (1) | 1955 (0) | 5831 (17) | 4504 (14) |
| IEEE Xplore | Health | 1942 (1) | 1254 (1) | 1347 (0) | 11 (0) | 818 (1) | 48 (0) | 312 (0) | 115 (0) | 39 (0) | 377 (0) | 2127 (0) | 3712 (1) | 4935 (10) |
| ScienceDirect | Railway | 109 (0) | 87 (0) | 107 (0) | 0 (0) | 899 (0) | 6 (0) | 28 (0) | 11 (0) | 8 (0) | 43 (0) | 149 (0) | 176 (0) | 239 (0) |
| ScienceDirect | Aviation | 211 (0) | 181 (0) | 184 (0) | 6 (0) | 627 (0) | 12 (0) | 45 (0) | 39 (0) | 14 (0) | 77 (0) | 275 (0) | 205 (0) | 400 (0) |
| ScienceDirect | Nuclear | 667 (5) | 429 (0) | 684 (2) | 9 (0) | 7240 (2) | 87 (0) | 181 (0) | 173 (0) | 50 (0) | 250 (3) | 895 (2) | 806 (0) | 1080 (0) |
| ScienceDirect | Grid | 1229 (6) | 582 (7) | 1007 (4) | 13 (0) | 4197 (2) | 66 (0) | 179 (0) | 147 (0) | 49 (0) | 342 (0) | 927 (0) | 2334 (1) | 1887 (0) |
| ScienceDirect | Health | 1355 (0) | 965 (1) | 991 (0) | 25 (0) | 15,214 (2) | 68 (0) | 379 (0) | 152 (0) | 73 (0) | 390 (0) | 2265 (2) | 2492 (1) | 4206 (8) |
| Scopus (Abstract) | Railway | 30 (5) | 16 (3) | 17 (0) | 1 (0) | 2 (0) | 0 (0) | 2 (0) | 0 (0) | 0 (0) | 4 (0) | 5 (0) | 16 (4) | 20 (2) |
| Scopus (Abstract) | Aviation | 27 (4) | 18 (7) | 17 (0) | 0 (0) | 7 (0) | 0 (0) | 4 (0) | 2 (0) | 0 (0) | 4 (2) | 3 (1) | 14 (2) | 28 (1) |
| Scopus (Abstract) | Nuclear | 148 (46) | 63 (14) | 134 (11) | 0 (0) | 11 (0) | 4 (0) | 5 (0) | 27 (2) | 0 (0) | 32 (4) | 27 (7) | 25 (3) | 46 (4) |
| Scopus (Abstract) | Grid | 458 (101) | 184 (42) | 627 (58) | 2 (0) | 35 (2) | 5 (0) | 6 (1) | 10 (0) | 0 (0) | 86 (7) | 24 (3) | 273 (26) | 276 (34) |
| Scopus (Abstract) | Health | 113 (5) | 100 (15) | 94 (1) | 1 (0) | 73 (8) | 2 (0) | 13 (0) | 0 (0) | 0 (0) | 36 (3) | 51 (7) | 128 (9) | 497 (73) |
| Taylor & Francis | Railway | 91 (0) | 47 (0) | 59 (0) | 1 (0) | 1548 (0) | 19 (0) | 27 (0) | 46 (0) | 13 (0) | 36 (0) | 42 (0) | 46 (0) | 141 (0) |
| Taylor & Francis | Aviation | 178 (0) | 99 (0) | 98 (0) | 1 (0) | 572 (0) | 33 (0) | 43 (0) | 113 (0) | 13 (0) | 62 (0) | 83 (0) | 57 (0) | 223 (0) |
| Taylor & Francis | Nuclear | 589 (2) | 335 (0) | 406 (0) | 2 (0) | 2987 (0) | 158 (0) | 163 (0) | 452 (1) | 59 (0) | 228 (0) | 237 (0) | 136 (0) | 587 (0) |
| Taylor & Francis | Grid | 226 (0) | 132 (2) | 154 (0) | 1 (0) | 1557 (0) | 50 (0) | 63 (0) | 88 (0) | 30 (0) | 83 (0) | 133 (1) | 185 (0) | 306 (0) |
| Taylor & Francis | Health | 553 (0) | 379 (0) | 219 (0) | 5 (0) | 11,837 (0) | 58 (0) | 245 (0) | 196 (0) | 63 (0) | 161 (0) | 542 (0) | 434 (0) | 1377 (0) |
| Web of Science | Railway | 17 (3) | 9 (2) | 5 (0) | 0 (0) | 4 (0) | 0 (0) | 0 (0) | 0 (0) | 0 (0) | 1 (0) | 5 (0) | 8 (1) | 12 (1) |
| Web of Science | Aviation | 17 (4) | 16 (6) | 5 (0) | 0 (0) | 4 (0) | 0 (0) | 2 (1) | 1 (0) | 0 (0) | 4 (0) | 1 (0) | 11 (0) | 14 (0) |
| Web of Science | Nuclear | 71 (19) | 39 (3) | 33 (2) | 0 (0) | 9 (1) | 5 (0) | 5 (0) | 11 (1) | 0 (0) | 17 (3) | 11 (2) | 5 (0) | 37 (1) |
| Web of Science | Grid | 518 (59) | 141 (21) | 161 (11) | 1 (0) | 25 (1) | 1 (0) | 3 (0) | 6 (0) | 2 (0) | 56 (1) | 32 (2) | 219 (14) | 165 (18) |
| Web of Science | Health | 74 (1) | 65 (6) | 12 (0) | 0 (0) | 57 (2) | 0 (0) | 5 (0) | 1 (0) | 0 (0) | 16 (1) | 79 (3) | 88 (5) | 356 (37) |
| Google Scholar | Railway | 6730 (8) | 1780 (5) | 2840 (0) | 222 (0) | 11,700 (1) | 2100 (0) | 2130 (0) | 6020 (0) | 439 (0) | 1850 (0) | 9180 (0) | 13,900 (10) | 17,200 (36) |
| Google Scholar | Aviation | 7130 (20) | 5400 (17) | 3330 (0) | 149 (0) | 7980 (0) | 2300 (0) | 1840 (0) | 7310 (0) | 348 (0) | 2310 (2) | 7370 (6) | 9210 (7) | 20,500 (17) |
| Google Scholar | Nuclear | 20,300 (123) | 16,000 (34) | 11,100 (17) | 176 (0) | 32,400 (6) | 3560 (0) | 5700 (1) | 10,400 (5) | 1960 (0) | 7140 (17) | 16,100 (17) | 16,600 (8) | 28,600 (35) |
| Google Scholar | Grid | 28,200 (284) | 14,800 (93) | 11,600 (71) | 197 (0) | 25,200 (12) | 2070 (0) | 4340 (0) | 5010 (0) | 961 (0) | 6590 (8) | 27,500 (7) | 60,200 (62) | 50,200 (184) |
| Google Scholar | Health | 37,000 (23) | 33,300 (43) | 12,700 (3) | 443 (0) | 88,500 (26) | 3620 (0) | 14,300 (0) | 12,700 (1) | 2690 (0) | 10,400 (5) | 50,900 (17) | 65,900 (34) | 103,000 (331) |

IEEE: Institute of Electrical and Electronics Engineers. Note: Number in the brackets () shows articles containing specific terms like "cyber security" AND "railway" in the title of the literature.

Tonn et al.22 analyzed cyber incident data for the transportation sector using data from Advisen,23 a leading quality data provider. They list 214 cybersecurity incidents and discuss the trend of cyber risk in the transportation industry (Figure 3). The most common types of cyber incidents are malicious data breaches, 27.1% (58/214) and unauthorized data collection, 22.9% (49/214). The authors find that the number and severity of cyber incidents in the transportation industry are growing.

Figure 4 provides a timeline, with 49 incidents spanning 34 years. The figure illustrates the increasing rate of cyber incidents related to transportation infrastructure.24 Notably, over half the events occurred after 2013 and just over a quarter from 2008 to 2012.

Figure 5 expands the timeline in Figure 4 to show the threat types per transport sector. Maritime and air sectors are the most affected by individual hackers and cybercrimes.

Figure 2. Vulnerabilities in CI. Source: Adapted from ICS-CERT.16

Figure 1. Cybersecurity events affecting SNI and CI. Source: Adapted from ACSC.15 [Bar chart residue: share of events per sector, values from 1.9% to 18.0%; sectors shown: Retail, Health, Manufacturing, Legal and professional services, Food and Agriculture, Education and research, Water, Defence Industry, Information Technology, Others, Mining and Resources, Transport, Communications, Banking and Financial Services, Energy.]

Figure 5. Threat types per transport sector. Source: Adapted from Korstanje.24 [Chart residue: incident counts per sector (Road, Air, Rail, Maritime, Pipeline) by threat type (Malware, Cyber-crime, Cyber-espionage/warfare, Insider attack, Individual Hacker, Research).]

Figure 6. Timeline of incidents related to the transportation infrastructure from November 2012 to February 2017. Source: Adapted from IBM X-Force.25 [Chart residue: incident counts per period (November 2012, 2013, 2014, 2015, 2016, February 2017) by attack type (Malware, Brute Force, XSS, Misconfig, DDoS, Phishing, SQLi, Undisclosed).]

Figure 4. Timeline of incidents for transportation infrastructure. Source: Adapted from Korstanje.24 [Chart residue: number of incidents per year, 1982 and 1997 to 2016; the bar labels extracted from the chart sum to 49.]

Figure 3. Timeline of incidents related to the transportation infrastructure. Source: Adapted from Tonn et al.22 (bar values as extracted from the chart; they sum to the 214 incidents cited in the text)

| Year | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---|---|---|---|---|---|---|---|---|---|
| No. of incidents | 18 | 14 | 14 | 13 | 20 | 22 | 24 | 25 | 42 | 22 |

Cybersecurity incidents statistics from IBM25 show the transportation sector has been affected by various types of cyber-attacks: SQLi, DDoS, Watering Hole, XSS, Malware, Brute Force, Misconfig, Phishing, and undisclosed (Figure 6). Malware attacks pose the most significant threat, representing 30% (21/69) of the total. Interestingly, about 38% (26/69) of the attacks are undisclosed because of possible reputational damage.

Figure 7(a) shows the timeline of 20 cybersecurity incidents involving rail; Figure 7(b) provides a brief description of each attack. Of these 20 incidents, 30% are malware attacks; 20% are cyber espionage/data steal attacks; 15% are DDoS attacks; and 35% include cybercrime, insider attacks, brute-force attacks, and hacking.

Figure 7. Timeline of cybersecurity incidents in railway with (a) attack type and (b) description. DDoS: Distributed Denial of Service.

(a) [Chart residue: 20 incidents from 2003 to 2018 by attack type (Malware, Cyber crime, Cyber Espionage/Data steal, Insider attack, DDoS, Brute-Force, Hacking).]

(b) Description:

2003: A computer virus infected the computer system at CSX Transportation (a railroad company) in Florida which affected 23,000 miles of one railway line and disrupted railway signals for 15 minutes to 6 hours.26

2008: An electronics genius, a 14-year-old boy from Poland, hacked a tram system and derailed a tram, which then collided with a tram coming in the opposite direction causing injuries to 12 people.27

2010: Unknown attackers hacked the official website of "Russian Railways" company and replaced some of the web pages.28

2011: Cyber-attack on a Northwest rail company's computers disrupted railway signals for two days.29

2013: NMBS, national railway company of Belgium reported an accidental cybersecurity incidence which made data belonging to customers in Belgium, France and the UK, including thousands of Commission and Parliament employees, available.30

2014: Chinese national train reservation system was the target of an insider attack by a 3rd party associated website who stole personal data of customers.31

2015: Cyber-attack on South Korean Subway System.32

2015: Data breach in the Swedish Transport Agency led to the leak of private data about every vehicle in the country.33

2016: UK rail network was hit by four data breaches, including a cyber espionage attack, which involved entering computer systems dealing with government data and critical infrastructure to gather information.34

2016: Access to the Swiss railway website was interrupted for several hours as a result of a DDoS attack.35

2016: Malware attack occurred simultaneously with a system breach on Ukrainian State Administration of Railway Transport.36

2017: Sweden's Transport Agency was partially down because of a DDoS attack.37

2017: Railway passenger information system was affected by WannaCry virus.38

2018: Ransomware infection on the computers of the Colorado Department of Transportation Agency.39

2018: Great Western Railway of UK announced that hackers had breached a small percentage of customer accounts.40

2018: Rail Europe, website in US announced a three-month data breach of credit cards and debit cards due to malware attack on the site.41

2018: Massive DDoS attack on the Danish state rail operator DSB paralyzed some operations, including ticketing systems and the communication infrastructure.42

Ongoing cybersecurity activities and available cybersecurity guidelines or standards in the railway sector

The literature shows that cybersecurity is a concern in the railway sector and research is ongoing. Cybersecurity in the RAILway (CYRAIL43) project, a Shift2Rail subproject, is one of the examples of ongoing activities in the railway sector. Elsewhere, researchers have proposed a framework for risk assessment and high-level security assessment based on the IEC 62443 standard, with a particular focus on the railway domain.44,45 In addition, there has been a high-level cybersecurity risk assessment of a national European Rail Traffic Management System implementation,46 while other work has suggested a network design for securing data communication system for automatic train control.47 The European Union has established the network and information security directive which aims at safeguarding CIs.48

Cylus49 is providing a cybersecurity solution for railways, keeping one step ahead of the latest cyber threats. Thales50 is also supporting the railway sector in its fight against cyber-attacks by participating in the development of CERTs as part of the Shift2Rail program of the European Commission.

In addition to this research and innovation, some cybersecurity guidelines and standards more relevant to the railway are available:

• AS 7770 Rail Cyber Security,51 an Australian Standard, prepared by the Rail Industry Safety and Standards Board;

• Rail Cyber Security Strategy,52 a cybersecurity vision for the rail industry, provided by the Rail Delivery Group in the UK;

• Rail Cyber Security Guidance to Industry,53 a document supporting the rail industry by reducing its vulnerability to cyber-attacks, prepared by Department of Transport, UK;

• APTA SS-CCS-004-16 standard,54 covering recommended practices for securing control and communications security systems in rail transit environments in North America;

• EN 50159:2010,55 addressing cybersecurity communications and identifying threats against transmission systems used in the railway sector.

Results

Cybersecurity challenges which are growing daily are defined as large amounts of sensitive customer information, a greater number of control devices, poor physical security of these devices, the move away from industry-specific communication standards and hardware, and a greater number of stakeholders who rely on the system for its smooth operation.56 In addition to this, the single greatest challenge is to educate the current and future workforce so they can be prepared to meet the problem appropriately.57,58

In the transport sector, cybersecurity challenges include weaker European laws on cybersecurity for transport, low cybersecurity awareness, and small cybersecurity budgets.46

Railway maintenance based on ICT generally depends on the Internet and this makes it vulnerable to cybersecurity threats. The impact of cyber-attacks on the railway includes threats to safety, loss of railway data integrity and confidentiality, reputational damage, monetary loss, service unavailability, loss of dependability, exposure to new types of threats, etc. Figure 8 shows a list of cybersecurity challenges and their impacts on railway systems.

Malware and system vulnerabilities

Malware is malicious software that attackers use, often by exploiting system vulnerabilities, to intrude into a railway computer system for the purpose of stealing confidential railway data, taking control of the system, or disrupting railway service operations. The statistics on cybersecurity incidents in the transportation industry, including the railway,17,25,32,36,38,39,41 show that malware is the most dominant type of cyber-attack. This challenge can be minimized by regular follow-up on reported threats and vulnerabilities and installation of security patches or upgrades to close the security gaps left open by system vulnerabilities.
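The "regular follow-up on reported threats and vulnerabilities" described above is, in practice, a comparison of an asset inventory against vendor advisories. The following is an added example (not code from the paper) of that check; the product names, firmware versions and advisory identifiers are constructed placeholders, not real advisories. It compares versions numerically, which matters because a lexical comparison would wrongly treat 2.10.0 as older than 2.4.1.

```python
"""Patch-gap check: match an asset inventory against vendor advisories.

Added example, not code from the paper. Product names, versions and advisory
identifiers below are constructed placeholders, not real advisories.
"""
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def unpatched_assets(assets: List[Dict[str, str]],
                     advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (asset, advisory id, installed version, fixed version) for every gap."""
    gaps = []
    for asset in assets:
        for adv in advisories:
            if asset["product"] == adv["product"] and is_vulnerable(asset["version"], adv["fixed_in"]):
                gaps.append((asset["asset"], adv["id"], asset["version"], adv["fixed_in"]))
    return gaps


# Constructed advisories (placeholder ids, not real CVEs or vendor bulletins).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "product": "wayside-gateway-fw", "fixed_in": "2.4.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "product": "cbm-analytics-server", "fixed_in": "1.12.0"},
]

# Constructed asset inventory.
ASSETS = [
    {"asset": "gw-north-01", "product": "wayside-gateway-fw", "version": "2.3.9"},
    {"asset": "gw-north-02", "product": "wayside-gateway-fw", "version": "2.10.0"},  # newer than 2.4.1
    {"asset": "cbm-srv-01", "product": "cbm-analytics-server", "version": "1.9.3"},
    {"asset": "cbm-srv-02", "product": "cbm-analytics-server", "version": "1.12.0"},
]


def run_check() -> List[Tuple[str, str, str, str]]:
    """Run the gap check over the constructed inventory."""
    return unpatched_assets(ASSETS, ADVISORIES)


if __name__ == "__main__":
    for asset, adv, have, need in run_check():
        print(f"{asset}: {adv} (installed {have}, fixed in {need})")
```

In a real deployment the advisory list would be fed from the vendor's or ICS-CERT's published bulletins and the inventory from the organization's asset register; the comparison logic stays the same.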

Weak identity, credentials, and access management

The railway eMaintenance system is vulnerable to cyber-attacks if access management systems controlling the identity and credentials of users are not scaled properly. With a weak identity system, any intruder can enter into the system and affect the railway data integrity or its confidentiality. Multifactor authentication, automated rotation of cryptographic keys, passwords, and certificates can be used to manage access. In addition to this, prevention of physical attacks, which are often carried out through unauthorized access, can be certified by applying International Standards developed by IEC Technical Committee 79,59 Alarm and electronic security systems; and by ISO/IEC Joint Technical Committee 1/Subcommittee 17,60 Cards and security devices for personal identification.
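The controls named above (multifactor authentication and rotation of keys, passwords and certificates) are only effective if someone checks that they are actually applied. The following is an added example (not code from the paper) of a credential-hygiene audit over an account inventory; the inventory fields, the rotation thresholds and the sample accounts are constructed assumptions.

```python
"""Credential-hygiene audit for an eMaintenance account inventory.

Added example, not code from the paper. The inventory fields, the policy
thresholds and the sample accounts are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed policy thresholds (assumption): rotate passwords every 90 days,
# keys every 365 days, and warn 30 days before a client certificate expires.
MAX_PASSWORD_AGE_DAYS = 90
MAX_KEY_AGE_DAYS = 365
CERT_WARN_DAYS = 30


@dataclass
class Account:
    name: str
    kind: str                       # "user" (interactive) or "service"
    mfa_enabled: bool
    password_set: Optional[date]    # None if the account has no password
    key_created: Optional[date]     # None if it has no API/SSH key
    cert_expires: Optional[date]    # None if it has no client certificate


def check_account(acc: Account, today: date) -> List[str]:
    """Return the policy findings for one account; an empty list means compliant."""
    findings: List[str] = []
    # Multifactor authentication is required for interactive user accounts.
    if acc.kind == "user" and not acc.mfa_enabled:
        findings.append("MFA not enabled")
    # Password rotation.
    if acc.password_set is not None:
        age = (today - acc.password_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"password age {age}d exceeds {MAX_PASSWORD_AGE_DAYS}d")
    # Key rotation.
    if acc.key_created is not None:
        age = (today - acc.key_created).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(f"key age {age}d exceeds {MAX_KEY_AGE_DAYS}d")
    # Certificate expiry: both already-expired and about-to-expire certificates.
    if acc.cert_expires is not None:
        remaining = (acc.cert_expires - today).days
        if remaining < 0:
            findings.append(f"certificate expired {-remaining}d ago")
        elif remaining <= CERT_WARN_DAYS:
            findings.append(f"certificate expires in {remaining}d")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant account name to its findings."""
    report: Dict[str, List[str]] = {}
    for acc in accounts:
        findings = check_account(acc, today)
        if findings:
            report[acc.name] = findings
    return report


# Constructed sample inventory (assumption, not real accounts).
SAMPLE_ACCOUNTS = [
    Account("maint_engineer", "user", False, date(2018, 12, 1), None, None),
    Account("wayside_gateway", "service", False, None, date(2017, 6, 1), date(2019, 2, 1)),
    Account("analyst", "user", True, date(2018, 9, 1), None, None),
    Account("fleet_planner", "user", True, date(2019, 1, 1), date(2018, 12, 1), date(2020, 1, 1)),
]


def run_audit() -> Dict[str, List[str]]:
    """Audit the constructed inventory as of a fixed date so the result is reproducible."""
    return audit(SAMPLE_ACCOUNTS, date(2019, 1, 15))


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'; '.join(findings)}")
```

Service accounts are exempted from the MFA rule here because they authenticate with keys or certificates rather than interactively; that is why their key and certificate age is checked instead.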

DDoS attacks

Malicious attacks which target availability are considered DDoS attacks. These attacks try to disturb, block, or even damage useful railway information transmission in order to make eMaintenance systems unavailable to users who need to exchange information. Instances of DDoS attacks have been documented in the railway sector.35,37,42 DDoS attacks may delay communications, forcing trains to stop, with a cascading effect on all other trains sharing the same line. Douligeris and Mitrokotsa61 classify DDoS attacks and DDoS defense mechanisms.

Cloudification

The web-based railway eMaintenance solutions are migrating toward the cloud platform. Big data analytics can be used to analyze and visualize the huge volumes of data available in the cloud. However, cybersecurity is hindering the development of cloud-based big data for condition-based maintenance purposes.62 Cloud providers make available a set of software user interfaces or application programming interfaces for clients to manage and interact with cloud services; these are the most exposed part of a system and, hence, are the target of attacks.63 One such attack was the data breach caused by an outsourcing deal made by the Swedish Transport Agency.33 This attack also affected the company's reputation. Strong security management and control solutions designed specifically for the cloud are required to protect the new paradigm.63

Interconnected infrastructures

A cyber-attack on one infrastructure is likely to cause a domino effect, in which infrastructures are damaged one after another.64 Railway infrastructure is interconnected, and failure in any system will affect another. For example, any type of cyber-attack on power supply, mobile units (rolling-stock system), communication systems, and communication network could cause power outages, compromise safety, affect operations and maintenance, and damage infrastructure.64–66 Steele et al.67 noted the need to protect smart grids and railways from cyber threats.

Increasing use of IoT devices

The escalation in the implementation of IoT devices and objects in machine condition monitoring and predictive maintenance is an excellent innovation, but at the same time, it is a security problem. To add value to railway business, smart sensors collect condition monitoring and predictive maintenance data for use in machine learning algorithms. The volume of data generated this way is enormous, creating a significant number of entry points for hackers to steal, corrupt, delete, or even modify those data. Thus, it is advisable for railway organizations to set up a strong cybersecurity strategy and employ cybersecurity professionals to secure networks and devices against unwanted infiltration.

Figure 8. Cybersecurity challenges and their impact on railway systems. IoT: Internet of Things.

Railway complexity

Railway systems consist of many actors, including people, policies, processes, software applications, information, and infrastructure. This adds significant complexity and complicates security. On the one hand, the increased complexity will require additional effort from attackers to understand the system, but on the other hand, this increased complexity presents many opportunities for exploitation.

Insider attacks

A malicious insider is someone with authorized access to an organization's network or data who deliberately misuses that access to negatively affect the confidentiality, integrity, or availability of the organization's information. An employee can be a threat to a railway organization if she/he leaks, steals, corrupts, or deletes sensitive data to halt its services. For example, if someone deletes historical data related to condition monitoring and predictive maintenance, it is impossible to formulate data-driven models for maintenance. In the Chinese railway, the personal data of customers were stolen.31

Workforce cybersecurity gap

Human factors play a significant role in information security.68 As railway maintenance is adopting new digital technologies, the expertise of the existing workforce must be upgraded. Workers must have a suitable level of cybersecurity education, experience, and training. Railway organizations must establish and maintain procedures, plans, and controls to create a cybersecurity culture, including cybersecurity training and awareness programs.

Budgets

Security is a difficult element to quantify and put a monetary value on. Therefore, it is difficult for security professionals to acquire the budget needed for a proper cybersecurity program. In many cases, because of budgetary constraints, remedies for vulnerabilities may not be implemented, making this one of the most critical challenges for railway operators.

Cybersecurity information communication gap

On the one hand, communicating cybersecurity information with external entities may lead to data leaks and malicious attacks. On the other hand, cybersecurity information sharing to collect and provide cybersecurity information can reduce risks and increase operational resilience. However, it is essential to strike the right balance between sharing and privacy.

Discussion

The use of digitization in railway maintenance can create increased vulnerability to cyber threats. It has been shown that cybersecurity activities are ongoing in the railway sector and one of its examples is the CYRAIL14 project. Some cybersecurity practices and standards are available, but these are either organization specific or country specific. More advanced and proactive holistic standards/frameworks/models are required so that this sector is better prepared. In other words, there is a need to extend this work.

Fears about cybersecurity are slowing down the development of cloud-based solutions. According to a CSA report,63 the main barrier to faster cloud adoption is cloud security concerns, including possible data loss (57%), threats to data privacy (49%), and breaches of confidentiality (47%). Hackers have already targeted rail companies in Belgium, China, Denmark, Germany, Russia, South Korea, Sweden, Switzerland, the UK, and the US. Data show that 30% are malware attacks; 20% are cyber espionage/data steal attacks; 15% are DDoS attacks; and 35% are cybercrime, insider attacks, brute-force attacks, and hacking. The dominant cyber threat in the railway sector is from malware.

This paper identifies various cybersecurity challenges in railway eMaintenance. Attacks will have an impact on the data, thus influencing data-driven models and adversely affecting the maintenance decision-making process. However, in the transport sector, there is low cybersecurity awareness, and budgets often do not accommodate the required changes.16 The lack of cybersecurity education among the workforce is especially problematic, as the widespread adoption of IoT and other smart devices can expose organizations and individuals to new threats with enormous consequences. It is critical to ensure that the workforce of railway organizations using ICT-based maintenance is vigilant, fully aware of new and advanced cyber threats, and trained to follow cybersecurity practices at all times. Regular follow-up on reported threats and vulnerabilities, the installation of security patches or upgrades to close the security gaps left open by system vulnerabilities, and the adoption of more advanced and proactive cybersecurity standards are also required. In the near future, it will be possible to identify, prioritize, and address threats and vulnerabilities in near real time using security analytics and automation.

Conclusions

The paper discusses the literature, statistics, and challenges of cybersecurity, with an emphasis on the railway sector. The literature review shows that the most active sectors in cybersecurity are health, grid systems, and nuclear power. Despite some cybersecurity work in the railway sector, such as the "CYRAIL" project, more research and innovation is required. The statistics on cyber incidents show that the most common cyber-attack in the transportation and rail sector comes from malware. ICT-based railway maintenance is especially vulnerable to cyber threats; there is a need to find ways to minimize their effects while ensuring the availability of the railway services. The development of security analytics and automation will help to prevent security breaches and, if they occur, will help to quickly identify and respond to security events.

The paper also examines various cybersecurity challenges in railway eMaintenance, including the use of IoT and problems with access management, cloudification, railway complexity, interconnected infrastructure, budgets, etc. To overcome these challenges, railway organizations need to unite and share information on cybersecurity incidents with each other. In addition, all organizations using ICT-based maintenance must be vigilant, fully aware, and trained to follow cybersecurity practices at all times.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

ORCID iD

Ravdeep Kour http://orcid.org/0000-0003-0734-0959

References

1. Kajko-Mattsson M, Karim R and Mirijamdotter A. Essential components of eMaintenance. Int J Pedagogy Innov New Technol 2011; 7: 555–571.

2. Karim R. A service-oriented approach to e-maintenance of complex technical systems. PhD Thesis, Lulea Tekniska Universitet, Sweden, 2008.

3. Muller A, Marquez AC and Iung B. On the concept of e-maintenance: review and current research. Reliab Eng Syst Saf 2008; 93: 1165–1187.

4. Kumar U, Parida A and Karim R. Special issue on eMaintenance solutions and technologies. Int J Syst Assur Eng Manag 2010; 1: 187–188.

5. Kour R, Tretten P and Karim R. eMaintenance solution through online data analysis for railway maintenance decision-making. J Qual Maint Eng 2014; 20: 262–275.

6. Karim R, Birk W and Larsson-Kraik PO. Cloud-based eMaintenance solutions for condition-based maintenance of wheels in heavy haul operation. In: The 11th International Heavy Haul Association conference, Perth, 21–24 June 2015. International Heavy Haul Association.

7. Yokoyama A. Innovative changes for maintenance of railway by using ICT – to achieve "smart maintenance". Procedia CIRP 2015; 38: 24–29.

8. Karim R, Westerberg J, Galar D, et al. Maintenance analytics – the new know in maintenance. IFAC-PapersOnLine 2016; 49: 214–219.

9. IEC 60050-192:2015. International electrotechnical vocabulary – Part 192: dependability. Moscow, 2015. Int. Electrotech. Comm.

10. Sommerville I. Software engineering. New York: Addison-Wesley, 2010.

11. Norton S. Era of AI-powered cyberattacks has started, https://blogs.wsj.com/cio/2017/11/15/artificial-intelligence-transforms-hacker-arsenal/ (2017, accessed 20 September 2018).

12. Amini L, Christodorescu M, Cohen MA, et al. Adaptive cyber-security analytics. Patent 9,032,521, USA, 2015.

13. Carpenter SG and Knapp ED. Near-real-time export of cyber-security risk information. Patent application 15/001,073, USA, 2017.

14. EU Commission. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. Official Journal of the European Union, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2008.345.01.0075.01.ENG (2008, accessed 20 September 2018).

15. Australian Cyber Security Centre. Threat report. Australia: Australian Government, 2016.

16. ICS CERT. Threat landscape for industrial automation systems in H2. Report, Kaspersky Lab, USA, 2017.

17. Dell. Dell security annual threat report. Report, UK, 2016.

18. Statista. Global number of cyber security incidents in 2017, sorted by victim industry and organization size, https://www.statista.com/statistics/194246/cyber-crime-incidents-victim-industry-size/ (2018, accessed 27 September 2018).

19. Verizon. 2018 Data Breach Investigations Report. Research Report, USA, 2018.

20. VCDB. VERIS community database, http://veriscommunity.net/vcdb.html (2018, accessed 24 September 2018).

21. Symantec. Internet security threat report, Volume 23. Report, USA, 2018.

22. Tonn G, et al. Cyber risk and insurance for transportation infrastructure. Working Paper, Pennsylvania, USA: Risk Management and Decision Processes Center, The Wharton School, University of Pennsylvania, 2018.

23. Advisen. Advisen loss database, https://www.advisenltd.com/data/cyber-loss-data/ (2018, accessed 24 September 2018).

24. Korstanje ME (ed.) Threat mitigation and detection of cyber warfare and terrorism activities. Pennsylvania, USA: IGI Global, 2016.

25. IBM. X-Force interactive security incidents, https://www-304.ibm.com/jct03001c/security/xforce/xfisi/ (2018, accessed 24 September 2018).

26. Hancock D. Virus disrupts train signals. CBS News, 2003.

27. Baker G. Schoolboy hacks into city's tram system. The Telegraph, 11 January 2008.

28. Railblog. RZD website hacked, http://www.railblog.ru/author/admin/ (2010, accessed 24 September 2018).

29. Sternstein A. Hackers manipulated railway computers, TSA memo says. Nextgov.com, 23 January 2012.

30. Lalibre. Data leak at SNCB: the file was available since May, http://www.lalibre.be/actu/belgique/fuite-de-donnees-a-la-sncb-le-fichier-etait-disponible-depuis-mai-51b8f6f2e4b0de6db9c927fa (2013, accessed 24 September 2018).

31. Paganini P. The transportation industry is increasingly being targeted by hackers, https://securityaffairs.co/wordpress/48870/cyber-crime/transportation-industry-cybersecurity.html (2014, accessed 24 September 2018).

32. Hayden S. Cyber attack on South Korean subway system could be a sign of nastier things to come, https://news.vice.com/article/cyber-attack-on-south-korean-subway-system-could-be-a-sign-of-nastier-things-to-come (2015, accessed 23 September 2018).

33. Borg M, et al. Digitalization of Swedish government agencies: detailed census description and analysis. SICS Technical Report T2018:02, Gothenburg, Sweden, 2018.

34. Sky News. Four cyber attacks on UK railways in a year, https://news.sky.com/story/four-cyber-attacks-on-uk-railways-in-a-year-10498558 (2016, accessed 23 September 2018).

35. McCaskill S. Hackers target Swiss railways, political parties and retailers, https://www.silicon.co.uk/security/swiss-hacks-sbb-svp-ddos-188254 (2016, accessed 23 September 2018).

36. Paganini P. BlackEnergy infected also Ukrainian mining and railway systems, https://securityaffairs.co/wordpress/44452/hacking/blackenergy-mining-and-railway-systems.html (2016, accessed 23 September 2018).

37. The Local. Swedish transport agencies targeted in cyber attack, https://www.thelocal.se/20171012/swedish-transport-agencies-targeted-in-cyber-attack (2017, accessed 23 September 2018).

38. Graham C. Cyber-attack hits German train stations as hackers target Deutsche Bahn, https://www.telegraph.co.uk/news/2017/05/13/cyber-attack-hits-german-train-stations-hackers-target-deutsche/ (2017, accessed 23 September 2018).

39. The Denver Post. SamSam virus demands bitcoin from CDOT, state shuts down 2,000 computers, https://www.denverpost.com/2018/02/21/samsam-virus-ransomware-cdot/ (2018, accessed 23 September 2018).

40. BBC. Great Western Railway accounts breached, https://www.bbc.com/news/technology-43725640 (2018, accessed 23 September 2018).

41. Whittaker Z. Rail Europe had a three-month long credit card breach, https://www.zdnet.com/article/rail-europe-had-a-three-month-long-credit-card-breach/ (2018, accessed 23 September 2018).

42. Paganini P. Massive DDoS attack hit the Danish state rail operator DSB, https://securityaffairs.co/wordpress/72530/hacking/rail-operator-dsb-ddos.html (2018, accessed 23 September 2018).

43. Shift2Rail. Cybersecurity in the railway sector, https://shift2rail.org/project/cyrail/ (2016, accessed 22 September 2018).

44. Braband J. Cyber security in railways: Quo Vadis? In: International conference on reliability, safety and security of railway systems, 14 November 2017, pp.3–14. Cham: Springer.

45. Masson E and Gransart C. Cyber security for railways – a huge challenge – Shift2Rail perspective. In: International workshop on communication technologies for vehicles, 4 May 2017, pp.97–104. Cham: Springer.

46. Bloomfield R, Bendele M, Bishop P, et al. The risk assessment of ERTMS-based railway systems from a cyber security perspective: methodology and lessons learned. In: International conference on reliability, safety and security of railway systems, 28 June 2016, pp.3–19. Cham: Springer.

47. Bantin CC and Siu J. Designing a secure data communications system for automatic train control. Proc IMechE, Part F: J Rail and Rapid Transit 2011; 225: 395–402.

48. NIS Directive. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN (2016, accessed 25 September 2018).

49. Cylus. Railway Cybersecurity, Israel, https://cylus.com/ (2018, accessed 25 September 2018).

50. Thales. Railway digitalization: cybersecurity, https://www.thalesgroup.com/en/spain/magazine/railway-digitalization-cybersecurity (2018, accessed 25 September 2018).

51. AS 7770:2018. Rail cyber security. Australia: Rail Industry Safety and Standards Board, 2018.

52. Rail Delivery Group. Rail cyber security strategy, https://www.raildeliverygroup.com/component/arkhive/?task=file.download&id=469772253 (2017, accessed 25 September 2018).

53. Department for Transport. Rail cyber security guidance to industry, https://www.rssb.co.uk/Library/improving-industry-performance/2016-02-cyber-security-rail-cyber-security-guidance-to-industry.pdf (2016, accessed 25 September 2018).

54. APTA SS-CC. Securing control and communications systems in rail transit environments. Washington DC: American Public Transportation Association, 2015.

55. EN 50159:2010 (or IEC 62280). Railway applications – signalling, telecommunication and processing systems – safety communication in transmission systems. Brussels: European Committee for Electrotechnical Standardization, 2010.

56. Pearson IL. Smart grid cyber security for Europe. Energy Policy 2011; 39: 5211–5218.

57. Wells LJ, Camelio JA, Williams CB, et al. Cyber-physical security challenges in manufacturing systems. Manuf Lett 2014; 2: 74–77.

58. Gontar P, Homans H, Rostalski M, et al. Are pilots prepared for a cyber-attack? A human factors approach to the experimental evaluation of pilots' behavior. J Air Transp Manag 2018; 69: 26–37.

59. EN 60839-11-32:2017. Alarm and electronic security systems. UK: British Standards Institution, 2017.

60. ISO/IEC JTC 1/SC 17. Cards and security devices for personal identification. UK: British Standards Institution, 2012.

61. Douligeris C and Mitrokotsa A. DDoS attacks and defense mechanisms: classification and state-of-the-art. Comput Netw 2004; 44: 643–666.

62. Campos J, Sharma P, Jantunen E, et al. The challenges of cybersecurity frameworks to protect data required for the development of advanced maintenance. Procedia CIRP 2016; 47: 222–227.

63. CSA Top Threats Working Group. The treacherous 12: cloud computing top threats in 2016. USA: Cloud Security Alliance, 2016.

64. Menashri H and Baram G. Critical infrastructures and their interdependence in a cyber attack – the case of the US. Military Strategic Affairs 2015; 7: 99–100.

65. EC. Cybersecurity of the smart grids: summary report. Brussels: European Commission, 2013.

66. Johansson J and Hassel H. An approach for modelling interdependent infrastructures in the context of vulnerability analysis. Reliab Eng Syst Saf 2010; 95: 1335–1344.

67. Steele H, Clive R and Stuart H. Railway smart grids: drivers, benefits and challenges. Proc IMechE, Part F: J Rail and Rapid Transit. Epub ahead of print 2018. DOI: 10.1177/0954409718800523.

68. Fahey R. Human factors in information security management systems, https://resources.infosecinstitute.com/human-factors-information-security-management-systems/ (2013, accessed 25 September 2018).


Paper II

Cybersecurity for railways – A maturity model

Kour, R., Karim, R., & Thaduri, A. (2019). Cybersecurity for railways – A maturity model. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 0954409719881849.

Original Article

Cybersecurity for railways – A maturity model

Ravdeep Kour , Ramin Karim and Adithya Thaduri

Abstract

With the advancements in and widespread adoption of information and communication technologies in infrastructures, cyber-attacks are becoming more frequent and more severe. Advanced cybersecurity threats with automated capabilities are increasing in such sectors as finance, health, grid, retail, government, telecommunications, transportation, etc. Cyber-attacks are also increasing in railways with an impact on railway stakeholders, e.g. threat to the safety of employees, passengers, or the public in general; loss of sensitive railway information; reputational damage; monetary loss; erroneous decisions; loss of dependability, etc. There is a need to move towards advanced security analytics and automation to identify, respond to, and prevent such security breaches. The objective of this research is to reduce cyber risks and vulnerabilities and to improve the cybersecurity capabilities of railways by evaluating their cybersecurity maturity levels and making recommendations for improvements. After assessing various cybersecurity maturity models, the Cybersecurity Capability Maturity Model (C2M2) was selected to assess the cybersecurity capabilities of railway organizations. The contributions of this research are as follows. First, a new maturity level MIL4 (Maturity Indicator Level 4) is introduced in the C2M2 model. Second, the C2M2 model is adapted by adding advanced security analytics and threat intelligence to develop the Railway-Cybersecurity Capability Maturity Model (R-C2M2). The cybersecurity maturity of three railway organizations is evaluated using this model. Third, recommendations and available standards & guidelines are provided to the three railway organizations to improve maturity levels within different domains. In addition, they are given an action plan to implement the recommendations in a streamlined way. The application of this model will allow railway organizations to improve their capability to reduce the impacts of cyber-attacks and eradicate vulnerabilities. The approach can also be extended to other infrastructures with necessary adaptations.

Keywords

Cybersecurity, maturity level, Railway-Cybersecurity Capability Maturity Model, railway organizations, Cybersecurity Capability Maturity Model

Date received: 8 February 2019; accepted: 21 September 2019

Introduction

With the widespread adoption of information and communication technologies (ICT), cybersecurity has become a grave concern for many organizations. Previous work from this research identified various cybersecurity issues and challenges in the railway sector.1 Cyber-attacks are growing in intensity, threatening critical infrastructures and causing concerns about the safety of employees or the public in general; other concerns include loss of sensitive information, reputational damage, monetary loss, erroneous decisions, loss of dependability, etc.1

Proactive and synchronized efforts are required to strengthen and preserve critical infrastructures in this sector. Railway system architects, cybersecurity engineers, and information technology (IT) staff who support railway information systems must seriously consider cybersecurity to ensure that advances in maintainability, operational efficiency, and passenger experience are not jeopardized by cyber vulnerabilities. This is important because cybersecurity incident statistics from IBM2 show that the transportation sector is affected by numerous types of cyber-attacks: SQLi (SQL injection), DDoS (distributed denial of service), watering hole, XSS (cross-site scripting), malware, brute force, misconfiguration, phishing, etc. The cybersecurity incidents documented in railways (see the "Cyber threat to railway systems" section) clearly indicate that railway organizations must be prepared for major incidents.

Division of Operation and Maintenance Engineering, Lulea University of Technology, Lulea, Sweden

Corresponding author: Ravdeep Kour, Division of Operation and Maintenance Engineering, Lulea Tekniska Universitet, Lulea 97187, Sweden. Email: [email protected]

Proc IMechE Part F: J Rail and Rapid Transit 0(0) 1–20. © IMechE 2019. Article reuse guidelines: sagepub.com/journals-permissions. DOI: 10.1177/0954409719881849. journals.sagepub.com/home/pif

The main challenge in formulating the proposed model was that minimal work addresses the evaluation of the maturity of cybersecurity capabilities in critical sectors, with even less work in the railway sector. There are some examples of maturity models within the area of safety management in the rail industry3–5 but few standards refer to railway cybersecurity6 and the literature generally ignores cybersecurity maturity levels. In one exception, the European Union Agency for Network and Information Security7 analyzed the current maturity levels in Industrial Control and Supervisory Control and Data Acquisition Systems across Europe and provided stakeholders with a set of recommendations to improve their practices, especially in critical sectors.

There is a need for railway organizations to estimate and evaluate the maturity of their cybersecurity programs, to become aware of the possible cybersecurity issues and vulnerabilities in their systems, formulate programmatic goals, and monitor improvements in achieving those goals. This type of evaluation will help organizations identify strengths and weaknesses in existing cybersecurity programs and suggest improvements. To this end, this study revised the Cybersecurity Capability Maturity Model (C2M2)8 by adding predictive security analytics (PSA)9,10 and threat intelligence11–14 to evaluate the maturity of a railway organization's cybersecurity program. Railway organizations can use threat intelligence to increase their ability to sense potential threats; they will know their adversaries and their latest tactics and techniques. Gartner15 has defined predictive analytics as follows:

A form of advanced analytics which examines data or content to answer the question "What is going to happen?" or more precisely, "What is likely to happen?", and is characterized by techniques such as regression analysis, forecasting, multivariate statistics, pattern matching, predictive modeling, and forecasting.

By applying PSA, railway organizations can anticipate cyber threats and proactively take effective security measures. PSA cannot predict the attack itself, but its early indicators can be identified and used to statistically predict potential future cyber threats.
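The early indicators the paragraph refers to are concrete quantities an organization can compute from its own telemetry. The Python below is an added example written for this page; it is not code from the paper, from the C2M2 or R-C2M2 model, or from the railway organizations studied. It runs over constructed authentication-log lines in an assumed format with assumed thresholds: it establishes a robust baseline of failed logins per minute (median plus three MAD-derived standard deviations), flags windows that exceed it, and then names the pattern behind the excess, separating credential stuffing (one source, many accounts) from password brute force (one source, one account), two of the attack classes in the IBM statistics cited in the introduction.

```python
"""Early-indicator detection over authentication logs (added example, not code from
the paper or the railway organizations it studies; log format, window size and all
thresholds are assumptions, and the sample log lines are constructed)."""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timezone
from statistics import median

# Assumed log format (constructed): 2019-03-01T10:00:05Z auth src=203.0.113.5 user=alice result=FAIL
LINE_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
AuthEvent = namedtuple("AuthEvent", "ts src user ok")


def parse_line(line):
    """Parse one log line; lines that do not match the assumed format return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m["src"], m["user"], m["result"] == "OK")


def bucket_by_window(events, window_seconds=60):
    """Group events into fixed windows keyed by window start (epoch seconds)."""
    buckets = defaultdict(list)
    for e in events:
        epoch = int(e.ts.timestamp())
        buckets[epoch - epoch % window_seconds].append(e)
    return dict(sorted(buckets.items()))


def failure_threshold(counts, k=3.0, min_excess=3):
    """Robust normal band for failures per window: median + k * (1.4826 * MAD), where
    1.4826 * MAD estimates sigma; the floor stops a flat baseline (MAD == 0) from
    flagging every single extra failure. Median/MAD, unlike mean/stdev, are not
    inflated by the attack windows themselves."""
    med = median(counts)
    mad = median([abs(c - med) for c in counts])
    return max(med + k * 1.4826 * mad, med + min_excess)


def classify(fails, min_users_per_src=5, min_attempts_per_account=5):
    """Name the pattern behind a failure spike:
    credential_stuffing - one source tries many distinct accounts (leaked password lists)
    brute_force         - one source hammers one account (password guessing)
    failure_spike       - excess failures with neither signature (outage, client bug)"""
    users_per_src = defaultdict(set)
    attempts = Counter()
    for e in fails:
        users_per_src[e.src].add(e.user)
        attempts[(e.src, e.user)] += 1
    stuffing = sorted(s for s, users in users_per_src.items() if len(users) >= min_users_per_src)
    if stuffing:
        return "credential_stuffing", stuffing
    guessing = sorted({s for (s, _u), n in attempts.items() if n >= min_attempts_per_account})
    if guessing:
        return "brute_force", guessing
    return "failure_spike", sorted(users_per_src)


def find_indicators(lines, window_seconds=60, k=3.0):
    """Return one record per window whose failure count exceeds the robust threshold."""
    events = [e for e in map(parse_line, lines) if e is not None]
    buckets = bucket_by_window(events, window_seconds)
    threshold = failure_threshold([sum(not e.ok for e in evs) for evs in buckets.values()], k)
    hits = []
    for start, evs in buckets.items():
        fails = [e for e in evs if not e.ok]
        if len(fails) <= threshold:
            continue
        kind, sources = classify(fails)
        hits.append({"window": datetime.fromtimestamp(start, tz=timezone.utc).strftime(TS_FMT),
                     "failures": len(fails), "threshold": round(threshold, 2),
                     "kind": kind, "sources": sources})
    return hits


def _line(minute, second, src, user, result):
    return f"2019-03-01T10:{minute:02d}:{second:02d}Z auth src={src} user={user} result={result}"


# Constructed sample: ten quiet minutes (0-2 failures each), then two abnormal minutes.
SAMPLE_LOG = (
    [_line(m, 5, "10.0.0.10", "alice", "OK") for m in range(10)]
    + [_line(m, 20, "10.0.0.11", "bob", "FAIL") for m in (0, 2, 3, 5, 6, 8, 9)]
    + [_line(m, 40, "10.0.0.12", "carol", "FAIL") for m in (2, 8)]
    + [_line(10, i, "203.0.113.5", f"u{i:02d}", "FAIL") for i in range(1, 9)]  # 8 accounts, 1 source
    + [_line(11, i, "198.51.100.7", "admin", "FAIL") for i in range(6)]         # 1 account, 6 tries
    + ["this line is not an auth record and is skipped"]
)

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(hit)
```

On the constructed sample the baseline is one failure per minute with a threshold of about 5.45, so only the two abnormal minutes are reported, one as credential stuffing from 203.0.113.5 and one as brute force from 198.51.100.7. In an operational deployment the baseline would come from a trailing history rather than from the same batch as the windows being scored, and the records would feed a SIEM or ticketing system rather than stdout; the robust statistics matter because a single attack window would otherwise inflate a mean and standard deviation baseline enough to hide itself.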

The objective of this research was to reduce cyber risks and vulnerabilities and to improve the cybersecurity capabilities of railways. This can be achieved by introducing the C2M2 model to railways and demonstrating its efficacy in three railway organizations.

The scope of this research was to study the availability of cybersecurity maturity models and the adaptation of one specific model, C2M2, to evaluate the cybersecurity capabilities of railways. Its limitation was the restricted sample size; only three railway infrastructure owners participated because it was challenging to share cybersecurity data. They had the perception that by sharing their data, they increased the likelihood of attacks in the future. The model has not yet been applied to train operators. The questionnaire was sent to the people responsible for cybersecurity in three different railway infrastructure organizations. Due to confidentiality and privacy concerns, their names are not specified, and the outcome of the research and the identified gaps were provided to the respective railway organizations.

The model can be applied by other railway organizations to improve their capability to reduce the impacts of cyber-attacks and eradicate vulnerabilities. With some adaptations, it may also be beneficial for other critical infrastructures.

The outline of the paper is as follows. First, it explains the need to evaluate the cybersecurity maturity level of railway organizations; this is followed by a timeline of cyber incidents in railways. Next, the research methodology used for the model review and selection and its applicability to the railways are discussed, and the process of evaluation and analysis is explained. Finally, the results are presented along with the recommendations that were given to the participating organizations to improve maturity levels in different domains.

Cyber threat to railway systems

Cybersecurity incidents have increased in the railway sector. Previous work on this research shows hackers have targeted rail companies in the UK, Germany, the US, Poland, South Korea, Denmark, and Sweden.1

For example, in 2003, a computer virus infected the computer system at CSX Transportation (a Florida railroad company) and disrupted railway signals for periods of 15 min to 6 h.16 In 2008, a 14-year-old electronics enthusiast from Poland hacked a tram system and derailed a tram, which then collided with a tram coming in the opposite direction, injuring 12 people.17

In December 2011, a cyber-attack on a rail company's computers disrupted railway signals for two days in the Pacific Northwest.18 In 2015, there was a cyber-attack on a South Korean subway system which led to data and information leaks,19 and a massive data breach in the Swedish Transport Agency which led to the leaking of private vehicle data.20 In July 2016, Darktrace, a private security company, disclosed that UK rail had been hit by at least four major cyber-attacks in 2015. These included cyber-espionage attacks that involved entering computer systems dealing with government data and critical infrastructure to gather information.21 In another incident, in May 2017, the railway passenger information system of Deutsche Bahn was affected by the WannaCry ransomware.22 In October 2017, the website of the Swedish Transport Administration (Trafikverket) was partially down as a result of a DDoS attack.23 In April 2018, the UK's Great Western Railway reported that hackers had breached a small percentage of customer accounts in a brute-force/credential-stuffing attack.24 In May 2018, Rail Europe announced a three-month data breach of credit and debit card data due to a malware attack.25 Also in May 2018, a massive DDoS attack on the Danish state rail operator (DSB) paralyzed some operations, including ticketing systems and the communication infrastructure.26 Figure 1 shows the timeline of these cybersecurity incidents.

Clearly, cybersecurity incidents have a major impact (e.g. financial loss, loss of reputation and public confidence) on railway organizations. With the adoption of ICT, the vulnerability of railways to cyber threats has increased, exposing them to attacks from hacktivists, cyber-espionage agents, criminals, and disgruntled insiders. Cyber-attacks can compromise the confidentiality of information and the integrity and availability of the IT and operational technology (OT) assets that support the efficient and consistent operation of railway systems.

On the one hand, railways use communication and signalling systems, e.g. the European Rail Traffic Management System (ERTMS), to improve safety, increase efficiency, and enhance the cross-border interoperability of rail transport. On the other hand, making the railway network digital and centrally controlled using advanced ICT increases its vulnerability to cyber threats that could affect the safety of the entire railway system. Bloomfield et al.27 have conducted research on security-informed safety in railways. Overall, the argument on cybersecurity and railways is that safety is the top priority and security breaches incur safety risks. In addition, a wide-area DDoS attack on the GSM-R (Global System for Mobile Communications – Railway) radio network could bring down ERTMS/European Train Control System (ETCS) operation and cause maximum disruption and/or passenger discomfort;28 since the on-board ETCS supervision still stops a train safely when its radio link is lost, the effect of such an attack is loss of availability rather than an unsafe movement.

In addition, ICT devices and components are generally interdependent, and any weakness in one linked element in the system can compromise the security and dependability of railway systems.

The overall goal of this research is to reduce cyber risks and vulnerabilities and to improve the cybersecurity capabilities of railways. Risk is "a threat that exploits a vulnerability that may cause harm to one or more assets".29 Railway assets can be servers, information, applications, databases, laptops, people, buildings, tracks, signalling systems, etc. Vulnerabilities are the exposures that a threat actor (person, organization, nation state) can exploit to damage railway assets. There are two types of cybersecurity risks in railway organizations: business risks and societal risks.30 Examples of business risks include loss of revenue, impact on reputation/loss of trust, non-compliance with data protection regulations, risks to hardware and software, reliance on invalid information, and insecure dependencies. Examples of societal risks include public health and safety, unavailability of the railway service, disruption to society, environmental impact, and loss of confidentiality and privacy. Railway organizations need to take a robust and holistic approach to cybersecurity to guard against cyber risks and attacks. The first step is to evaluate the maturity and capability of existing cybersecurity programs. Railway decision makers need to identify what their cybersecurity program can do to eliminate or reduce risks.

Research methodology

The first step was to review the literature on cybersecurity capability maturity models and identify the most relevant one for this research study. The results were analyzed and communicated to the corresponding senior and top management of the three railway organizations. Figure 2 shows the flowchart of the research methodology, starting with the review and selection of the cybersecurity model.

Based on the selected model, a questionnaire was prepared to test for an additional maturity level, Maturity Indicator Level 4 (MIL4). This maturity level includes practices of predictive and advanced security analytics. The questionnaire was the first contribution of this research. The questionnaire was sent to the railway organizations to fill in; an online mode was selected for responses. The next step was adapting R-C2M2 to evaluate the current cybersecurity status of the three organizations being studied, the second contribution of the research. After the maturity levels of the cybersecurity capabilities of these railway organizations were evaluated, the results were communicated in the form of recommendations and an action plan. This was the third contribution of the research. The research methodology is discussed in more detail below.

[Figure 1: bar chart of the number of cybersecurity incidents in railway organizations per year (2003, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2017, 2018), by category: Malware, Cyber crime, Cyber espionage/data theft, Insider attack, DDoS, Brute-force, Hacking.]

Figure 1. Timeline of cybersecurity incidents in railway organizations, adapted from Kour et al.1

Review and selection of the cybersecurity maturity model

Researchers are actively investigating security maturity models. Some authors31,32 have looked at the characteristics of the existing security maturity models and identified their strengths and weaknesses. There has also been a critical analysis of a comprehensive information security maturity model33 and a systematic review of the existing security maturity models from 2012 to 2017.34,35 Some of the best-known security models were reviewed for this research.

[Figure 2 (flowchart): Start → 3.1 Cybersecurity maturity model review and selection (3.1.1 model identification; 3.1.2 model evaluation; 3.1.3 model selection: 3.1.3.1 C2M2 adapted into 3.1.3.2 the R-C2M2 model by introducing MIL4 with a questionnaire based on predictive analytics; contribution 1) → 3.2 Evaluate and 3.3 Analyze the cybersecurity program (policies, practices and planning; contribution 2) → 3.4 Results/recommendations (contribution 3) → needs continuous improvement? YES: loop back to evaluation; NO: End.]

Figure 2. Flowchart of the research methodology.

Model identification. According to Howe,36 the most important security standard is NIST SP 800-53.37 It has evolved and been updated regularly over the last 10 years; it is published by the US National Institute of Standards and Technology and is referenced by the NIST Cybersecurity Framework.38 SP 800-53 defines security and privacy controls for federal information systems and organizations. In addition, the ISO/IEC 27000-series,39 an information security management system standard, provides guidelines for establishing an information security management system; ISA99/IEC 6244340 focuses on Industrial Automation and Control Systems; and ISO/IEC 1540841 (the Common Criteria) lists criteria for computer security certification. The following maturity models identified in the literature provide a benchmark against which an organization can assess the current level of maturity of its practices, processes, and procedures:

• Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)42 and Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2)43 are tailored to the energy and oil and natural gas sectors.

• Community Cyber Security Maturity Model (CCSMM) provides guidance on responding to cyber threats at the community level and focuses on a specific area of an organization.44

• ISO/IEC 21827, or Systems Security Engineering Capability Maturity Model (SSE-CMM), is a standard metric for security engineering practices and is not focused on cybersecurity.45

• Control Objectives for Information and related Technology (COBIT) is an IT governance and control framework, focused on information security rather than cybersecurity.46

• National Initiative for Cybersecurity Education Capability Maturity Model (NICE)47 is focused on workforce development, process maturity, and operational resilience practices and does not offer specific cybersecurity best practices.

• NIST Cybersecurity Framework38 is a risk-based framework that provides guidelines for managing cybersecurity risks. Although the framework outlines an implementation process, there is little guidance beyond the following high-level steps: prioritize and scope; orient; create a current profile; conduct a risk assessment; create a target profile; determine, analyze, and prioritize gaps; implement the action plan.48

• C2M28 is a Cybersecurity Capability Maturity Model that focuses on cybersecurity and is meant to be implemented in conjunction with the NIST framework; it is very simple and comes in the form of a questionnaire.

• Citigroup's Information Security Evaluation Maturity Model (ISEM)49 is one of the first maturity models applied to information security. It focuses on security awareness and evaluation and has been used as a reference to develop other maturity models applied to cybersecurity, but it is not currently applied in the industry.

• IBM Information Security Framework (IBM-ISF)50 is an information security framework that focuses on security gap analysis and helps organizations determine their current security posture.

• Information Security Management Maturity Model (ISM3)51 is a commercial standard focused on information security management, risk assessment, and process integration.

Model evaluation. Based on the systematic review from 2012 to 2017 (Figure 3) conducted by Rea-Guaman et al.,35 the most relevant cybersecurity models are C2M2,8 CCSMM,44 SSE-CMM,52 and NICE.47 The review indicated that few maturity models focus on cybersecurity.

Table 1 shows in which literature the application of these models is discussed. No literature could be found on the application of the NICE-CMM47 and ISEM49 models for that period.

Table 2 compares the most relevant cybersecuritymodels. The models, which follow NIST frame-work,38 are C2M2,8 ES-C2M2,42 ONG-C2M2,43 andCCSMM.44 ES-C2M242 and ONG-C2M243 are tai-lored for the electricity sector and the oil and naturalgas sector, respectively. CCSMM44 is only focused ona specific area of an organization, while C2M28 isfocused on the entire organization. C2M28 definesroles and responsibilities but CCSMM44 does not.Finally, C2M28, which is NIST framework38 compat-ible and cybersecurity oriented, is very simple andcomes in the form of a questionnaire.

Model selection. Based on the evaluation, the C2M2 model8 was selected to evaluate the cybersecurity capabilities of railway organizations. The literature review also revealed that no work has been conducted to evaluate the cybersecurity maturity levels in railway organizations. Based on the model selection and dialogue with the railway organizations, we concluded that the C2M2 model suits railways best at the design and conceptual stages.

Table 1. Literature review of application of maturity models from 2017 to 2018.

Model | Authors
C2M2 | Hosseini and Paul,53 Mylrea et al.,54 Ibrahim,55 Ingram and Martin,56 AXIO,57 Tripwire,58 and USEA59
CSF-NIST | Hosseini and Paul,53 Mylrea et al.,54 Ibrahim,55 Ingram and Martin,56 Almuhammadi and Alsaleh,60 and Radziwill and Benton61
CCSMM | Zhao and White62
SSE-CMM | Siqueira et al.,63 Kurniawan and Riadi,64 and Mshangi et al.65
COBIT | Drljaca and Latinovic,66 Laita and Belaissaoui,67 and Alencar et al.68
ISM3 | Open Group Standard69

[Figure 3: bar chart (not reproduced) of the number of applications per year of usage, 2012 to 2018, for the models C2M2, CSF-NIST, SSE-CMM, COBIT, ISM3, NICE-CMM, CCSMM, and ISEM.]

Figure 3. Frequency of cybersecurity maturity models per year, modified from Rea-Guaman et al.35

Kour et al. 5

C2M2 model: The C2M2 model8 was originally developed as a White House initiative under the Department of Energy in partnership with the US Department of Homeland Security in support of the Electricity Subsector Cybersecurity Risk Management Maturity Initiative.70 This initiative builds on existing work, models, and cybersecurity best practices and is associated with the Cyberspace Policy Review,71 Cross-Sector Roadmap for Cybersecurity of Control Systems,71 and Roadmap to Achieve Energy Delivery Systems Cybersecurity.72 The C2M2 model8 is organized into 10 domains, with each domain including a group of cybersecurity practices. The cybersecurity practices within each domain are structured into various objectives representing achievements within the domain. Table 3 describes the domains and their objectives.

The C2M2 model8 defines four maturity indicator levels (MILs 0–3), which are applied independently to each domain of C2M2. This means that an organization using the C2M28 model may have different MIL scores for different domains.

As of now, some railway organizations are a step behind because they patch their systems or try to configure cyber protection methods against known attacks and breaches. Unfortunately, the appearance of new threats, like zero-day threats, makes it difficult to detect and protect against them. We need PSA to proactively identify cyber threats before they can cause losses. Railway organizations can use threat intelligence to increase their ability to sense potential threats; they will know their adversaries and their latest tactics and techniques. By applying PSA, they can predict cyber threats and proactively take effective security measures. PSA cannot predict the attack itself, but its early indicators can be identified to statistically predict potential future cyber threats. To incorporate threat intelligence and PSA, a new maturity indicator level, MIL4, is included in the C2M2 model,8 so that proactive measures can be taken to tackle future threats (Figure 4).

MIL4 includes initial practices of predictive and advanced security analytics with automation tools and threat intelligence. These practices are more complete or advanced than those in MIL3. MILs are cumulative within each domain8; to earn an MIL in a given domain, an organization must perform all the practices at that level and its predecessor level(s). For example, to earn MIL3, all the practices in MIL1, MIL2, and MIL3 must be performed.

The C2M2 model8 evaluates the performance of practices using a series of questions. These questions are designed to be answered in one of four ways: not implemented, partially implemented, largely implemented, and fully implemented. Answers of ''largely implemented'' or ''fully implemented'' receive credit for achieving a practice. An answer of ''not implemented'' or ''partially implemented'' will prevent an MIL level from being attained.

R-C2M2 model: The revised model, R-C2M2, was adapted from the C2M2 model.8 R-C2M2 uses the C2M28 domains and practices to evaluate the maturity of cybersecurity programs for railway organizations, but more practices were added to fit the needs of advanced security analytics. A new maturity indicator level, MIL4, covers the initial practices of predictive and advanced security analytics with automation tools and threat intelligence. Practices in MIL4 are more complete or advanced than in MIL3. To attain MIL4, all the practices in MIL1, MIL2, MIL3, and MIL4 must be completed.

Table 2. Comparison of the Cybersecurity Capability Maturity Models, adapted from Rea-Guaman et al.34

Models | NIST framework compatibility | Cybersecurity oriented | Defining roles and responsibilities | Purposes and strengths
C2M28 | Yes | Yes | Yes | Assessment of implementation and management in critical infrastructure
ES-C2M242 | Yes | Yes | Yes | Tailored to electricity sector
ONG-C2M243 | Yes | Yes | Yes | Tailored to oil and natural gas sector
CCSMM44 | Yes | Yes | No | Community effort and communication capability in communities
SSE-CMM45 | No | No | Yes | Evaluation of software engineering processes
COBIT46 | No | No | Yes | Measurement of the level of maturity in IT governance domain
NICE47 | No | Yes | Yes | Workforce planning for cybersecurity best practices
ISEM49 | No | No | No | Security awareness and evaluation
IBM-ISF50 | No | No | Yes | Analysis of security gap between business and technology
ISM351 | No | No | Yes | Prevention and mitigation of incidents and optimization of information, money, people, time, and infrastructure

6 Proc IMechE Part F: J Rail and Rapid Transit 0(0)

Table 3. Domain descriptions and objectives (C2M28).

Domain | Domain description | Objectives
Risk management (RM) | Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization | Establish cybersecurity risk management strategy; manage cybersecurity risk; perform management activities
Asset, change, and configuration management (ACM) | Manage the organization's information technology (IT) and operations technology (OT) assets, including both hardware and software | Manage asset inventory; manage asset configuration; manage changes to assets; perform management activities
Identity and access management (IAM) | Create and manage identities for entities that may be granted logical or physical access to the organization's assets. Control access to the organization's assets | Establish and maintain identities; control access; perform management activities
Threat and vulnerability management (TVM) | Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage and respond to cybersecurity threats and vulnerabilities | Identify and respond to threats; reduce cybersecurity vulnerability; perform management activities
Situational awareness (SA) | Establish and maintain activities and technologies to collect, analyze, alarm, present and use operational and cybersecurity information, including status and summary information from the other C2M2 domains, to form a common operating picture (COP) | Perform logging; perform monitoring; establish and maintain a COP; perform management activities
Information sharing and communications (ISC) | Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience | Share cybersecurity information; perform management activities
Event and incident response, continuity of operations (IR) | Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events, and to sustain operations throughout a cybersecurity event | Detect cybersecurity events; escalate cybersecurity events and declare incidents; respond to incidents and escalated cybersecurity events; plan for continuity; perform management activities
Supply chain and external dependencies management (EDM) | Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities | Identify dependencies; manage dependency risk; perform management activities
Workforce management (WM) | Establish and maintain plans, procedures, technologies and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel | Assign cybersecurity responsibilities; control the workforce life cycle; develop cybersecurity workforce; increase cybersecurity awareness; perform management activities
Cybersecurity program management (CPM) | Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities | Establish cybersecurity program strategy; sponsor cybersecurity program; establish and maintain cybersecurity architecture; perform secure software development; perform management activities

Today, huge amounts of data are generated in cybersecurity log files, allowing IT and security staff to understand whether things are running normally or require more attention. The security industry uses Security Incident and Event Monitoring (SIEM) solutions to aggregate and correlate events in order to gain insights (multiple correlated events are often indicators of an incident). These indicators can be used in machine self-learning and advanced analytics to get insight into data. For example, advanced security analytics can help IT and security staff predict threat risks, allowing them to provide remedies in a timely fashion. Therefore, MIL4 is proposed for the R-C2M2 model.
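The aggregation-and-correlation idea in the paragraph above, as an added example that is not code from the paper or from any SIEM product: a few constructed authentication log lines are parsed, and a rule flags a source whose repeated failed logons are followed by a success inside a time window, the kind of correlated-event indicator the text refers to. The log format, host names, addresses, thresholds and the rule itself are assumptions made for the example.

```python
"""Correlate individual security events into an incident indicator.

Added example, not code from the paper or any SIEM product. A single
AUTH_FAIL line is noise; several failures from one source inside a short
window, followed by an AUTH_OK from that source, is a correlated indicator
that deserves analyst attention. Log layout, hosts and addresses are
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simple "timestamp host event src user" layout.
SAMPLE_LOGS = """\
2020-03-02T08:00:01 ws-ctrl01 AUTH_FAIL src=10.0.5.23 user=operator
2020-03-02T08:00:04 ws-ctrl01 AUTH_FAIL src=10.0.5.23 user=operator
2020-03-02T08:00:09 ws-ctrl01 AUTH_FAIL src=10.0.5.23 user=operator
2020-03-02T08:00:15 ws-ctrl01 AUTH_FAIL src=10.0.5.23 user=admin
2020-03-02T08:00:21 ws-ctrl01 AUTH_OK src=10.0.5.23 user=admin
2020-03-02T08:05:00 ws-ctrl02 AUTH_FAIL src=10.0.7.8 user=maint
2020-03-02T08:30:00 ws-ctrl02 AUTH_OK src=10.0.7.8 user=maint
2020-03-02T09:00:00 ws-ctrl01 AUTH_OK src=10.0.5.40 user=operator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; raise on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_logs(text: str) -> list:
    """Parse all non-empty lines and return them in time order."""
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["ts"])


def correlate_auth(records, min_failures=3, window=timedelta(minutes=5)):
    """Return one indicator per source whose failures are followed by a success.

    Rule (an assumption for the example): at least `min_failures` AUTH_FAIL
    events from the same source within `window`, then an AUTH_OK from that
    source inside the same window. Failures older than the window are dropped,
    so a lone failure followed much later by a normal logon is not flagged.
    """
    recent_fails = defaultdict(list)
    indicators = []
    for rec in records:
        src = rec["src"]
        fails = recent_fails[src]
        # keep only failures still inside the window relative to this event
        fails[:] = [f for f in fails if rec["ts"] - f["ts"] <= window]
        if rec["event"] == "AUTH_FAIL":
            fails.append(rec)
        elif rec["event"] == "AUTH_OK" and len(fails) >= min_failures:
            indicators.append({
                "src": src,
                "host": rec["host"],
                "failures": len(fails),
                "users_tried": sorted({f["user"] for f in fails}),
                "success_user": rec["user"],
                "first_failure": fails[0]["ts"],
                "success": rec["ts"],
            })
            fails.clear()
    return indicators


if __name__ == "__main__":
    for ind in correlate_auth(parse_logs(SAMPLE_LOGS)):
        print(f"{ind['src']} -> {ind['host']}: {ind['failures']} failures "
              f"then success as {ind['success_user']} at {ind['success']}")
```

Run stand-alone, the block reports only the 10.0.5.23 sequence; the single failure from 10.0.7.8 falls outside the window and the plain success from 10.0.5.40 has no preceding failures. Window and threshold are the tunable parts: too loose and the rule fires on ordinary typos, too strict and a slow pattern is missed.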

The railway staff members who provided input on the R-C2M2 model were information and operational security staff, railway system architects, dedicated security staff, and high-level persons dealing with organizational strategies and policies. Basically, this revised model allows the entire staff to perform quick self-assessments of an organization's cybersecurity capabilities. In addition, during the study's assessment process, railway staff identified a number of cybersecurity issues that they had not previously considered. Addressing these issues and gaps can increase the maturity of the cybersecurity program supporting railway systems.

Evaluation of the current cybersecurity status

Various railway organizations around the world were contacted and asked if they would evaluate the maturity levels of their cybersecurity capabilities for the study. Three agreed to participate. The identities are confidential, and their detailed assessment data are with the authors. For the assessment process, a questionnaire based on the C2M2 model8 with new practices related to advanced security analytics and threat intelligence was prepared and sent to selected railway staff at these organizations. The railway staff generally included the railway system architect, information and operational security staff and high-level managers from each organization.

Analysis of results

After staff evaluated their organization's cybersecurity capabilities, the data were analyzed using the C2M2 toolkit8 with the MIL4 added. Colored pie charts in Figure 5 illustrate the results for each of the 10 domains (see Table 3), along with attained maturity levels. Some are discussed in more detail in the ''Results and discussion'' section; more comprehensive results and detailed gap summaries remain with the authors for reasons of confidentiality.

Communication of results/recommendations

The assessed results, along with a detailed summary of gaps, recommendations, and an action plan were communicated to the corresponding senior and top management of the participating railway organizations so they could set goals and priorities to enhance their cybersecurity programs.

MIL0 Not Performed
MIL1 has not been achieved in the domain

MIL1 Initiated
Initial practices are performed, but may be ad hoc

MIL2 Performed
• Practices are documented
• Stakeholders are involved
• Adequate resources are provided for the practices
• Standards or guidelines are used to guide practice implementation
• Practices are more complete or advanced than at MIL1

MIL3 Managed
• Domain activities are guided by policy (or other directives)
• Activities are periodically reviewed for conformance to policy
• Responsibility and authority for practices are clearly assigned to personnel with adequate skills and knowledge
• Practices are more complete or advanced than at MIL2

MIL4 (Proposed)
• Initial practices of predictive and advanced security analytics with automation tools and threat intelligence are performed, but may be ad hoc
• Practices are more complete or advanced than at MIL3

Figure 4. Description of maturity indicator levels with proposed MIL4.

Results and discussion

The results of this research included the determination of the attained maturity levels of 10 domains in three railway companies, the derivation of recommendations, standards, and guidelines to improve the maturity levels of the domains, and an action plan for implementing these recommendations.

Results of the maturity indicator level in different domains

Figure 5 shows 40 colored pie charts illustrating results for each of the 10 domains, along with practices and attained maturity levels for one of the participating railway organizations, i.e. Railway 1. Bar lines in Figure 5 show attained MILs. The number in the center of each pie chart specifies the total number of practices required for that maturity level. The pie charts use color-coding to specify the answers.

Figure 5. Maturity indicator levels of Railway 1 along with practices.

Table 4. Results of the maturity indicator levels (MILs) for the three railway organizations.

Domain names | Railway 1 | Railway 2 | Railway 3
Risk management (RM) | 1 | 3 | 4
Asset, change, and configuration management (ACM) | 2 | 2 | 4
Identity and access management (IAM) | 3 | 4 | 4
Threat and vulnerability management (TVM) | 1 | 3 | 4
Situational awareness (SA) | 1 | 2 | 4
Information sharing and communications (ISC) | 4 | 4 | 4
Event and incident response, continuity of operations (IR) | 1 | 1 | 4
Supply chain and external dependencies management (EDM) | 1 | 3 | 4
Workforce management (WM) | 1 | 3 | 4
Cybersecurity program management (CPM) | 1 | 4 | 4


Table 5. Recommendations and available standards and guidelines to improve the maturity levels of cybersecurity in railway organizations.

Columns: Domain; Reasons for current status; Recommendations to improve MIL; Resources for improvement (frameworks/standards/guidelines/research literature).

Domain: RM
Reasons for current status:
– Undefined organizational risk criteria
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
RM1. Provide adequate resources (like funding, people, and tools)
RM2. Define advanced cybersecurity analytics in the risk management policy and organizational risk criteria
RM3. Increase the skill level
RM4. Document organizational specific risk taxonomy
RM5. Document, analyze, monitor, and predict identified risks according to the risk management strategy
Resources for improvement:
AS 7770,6 NIST Cybersecurity Framework,38 NIST SP 800-53 (Rev.4),37 UIC-Guidelines for Cyber-Security in Railways,73 ISO 31000,74 NIST 800-37,75 APTA,76 NIST SP 800-39,77 ISO/IEC 31010,78 NIST SP 800-30 (Rev.1),79 ISO/IEC 27032,80 risk management framework for cloud migration decision support (Islam et al.),81 Goal-driven Software Development Risk Management Model (Islam et al.),82 SECUR-ED,83 Rail Cyber Security Guidance to Industry,84 Rail Cyber Security Strategy,85 NIST SP 800-12 Revision 1,86 ISO/IEC 2700587

Domain: TVM
Reasons for current status:
– Threat profiles not established
– Few resources to support threat and vulnerability management activities
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
TVM1. Provide adequate resources (e.g. funding, people, and tools)
TVM2. Increase skill level
TVM3. Identify, analyze, and prioritize threats
TVM4. Establish threat profiles (e.g. intent, capability, and target) and monitor their information sources
TVM5. Perform informed analysis and prioritize threats according to organization's risk criteria
TVM6. Apply predictive analytics to identify and respond to threats
Resources for improvement:
NIST SP 800-53 (Rev.4),37 ANSI/ISA–62443,40 ISO/IEC 21827,52 UIC-Guidelines for Cyber-Security in Railways,73 ISO/IEC 27032,80 Rail Cyber Security Guidance to Industry,84 OCTAVE framework,88 EN 50159,89 NIST SP 800-51 Rev.1,90 ISO/IEC 27001,91 ISO/IEC 29147,92 NIST SP 800-40 (Rev.3),93 ITSS_04 IT Security Standard,94 Minimum Cyber Security Standard,95 Framework for Vulnerability Detection in European Train Control Railway Communications (Arsuaga et al.)96

Domain: SA
Reasons for current status:
– Log data not aggregated
– Monitoring activities partially integrated with other security processes (e.g. incident response, asset management)
– Indicators of anomalous activities partially defined
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
SA1. Follow documented practices of logging, monitoring, and common operating picture (COP) activities
SA2. Provide adequate resources (e.g. funding, people, and tools)
SA3. Assign responsibility and increase skill level for logging, monitoring and COP activities
SA4. Define, monitor, and categorize alarms based on anomalous activities
SA5. Establish methods for communicating cybersecurity information
SA6. Perform predictive analytics to enhance COP
Resources for improvement:
NIST SP 800-53 (Rev.4),37 ISO/IEC 27001,91 Cyber situational awareness (Jajodia et al.),97 Departmental Cybersecurity Policy (DOT Order 1351.37),98 A cloud computing based architecture for cybersecurity situation awareness (Yu et al.),99 cybersecurity situational awareness (Tianfield),100 Architecture for the Cyber Security Situational Awareness System (Kokkonen),101 Collaborative cybersecurity situational awareness (Almualla),102 Cyber-situation awareness: a visual analytics perspective (Mazumdar and Wang)103

(continued)


Table 5. Continued

Columns: Domain; Reasons for current status; Recommendations to improve MIL; Resources for improvement (frameworks/standards/guidelines/research literature).

Domain: IR
Reasons for current status:
– Partial follow-up of risk register for event detection
– Less skill level
– Less coordination with external entities
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
IR1. Provide adequate resources (e.g. funding, people, and tools)
IR2. Increase skill level for incident response
IR3. Establish cybersecurity event escalation criteria and incident response strategies
IR4. Formulate business impact analysis for continuity plans
IR5. Evaluate, learn, and exercise continuity plans
IR6. Monitor incidents, identify bottlenecks, and improve incident response time
Resources for improvement:
NIST SP 800-53 (Rev.4),37 UIC-Guidelines for Cyber-Security in Railways,73 Rail Cyber Security Guidance to Industry,84 NIST SP 800-12 (Rev.1),86 ISO/IEC 27001,91 Minimum Cyber Security Standard,95 Departmental Cybersecurity Policy (DOT Order 1351.37),98 Handbook for computer security incident response teams (West-Brown et al.),104 CYRAIL,105 Incident Response Frameworks (Thompson),106 Cybersecurity incident detection systems and techniques (Garman et al.),107 An event management framework to aid solution providers in cybersecurity (Leon),108 Early detection of cyber-security threats (Narayanan et al.)109

Domain: EDM
Reasons for current status:
– Partial follow-up of risk register for cybersecurity dependency risks
– Suppliers and other external entities not reviewed
– Inadequate resources
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
EDM1. Provide adequate resources (e.g. funding, people, and tools)
EDM2. Assign responsibility and increase skill level for dependency risk management
EDM3. Periodically monitor, review and assess suppliers and other external entities
EDM4. Establish contractual agreements with suppliers that include cybersecurity requirements
EDM5. Identify dependencies using threat intelligence
Resources for improvement:
UIC-Guidelines for Cyber-Security in Railways,73 Rail Cyber Security Guidance to Industry,84 Rail Cyber Security Strategy,85 Minimum Cyber Security Standard,95 SAE International standards ARP9113,110 ISO 28001,111 Supply chain risk management and the software supply chain (Goertzel),112 Cyber supply chain risk management (Boyson),113 NIST SP 800-161,114 ISO/IEC 27036,115 Supply Chain Risk Management Framework for Virtual Enterprises (Blos and Hoeflich),116 Cyber Security Supply Chain Risk Management Guidance (C-SCRM),117 Supply chain security collection Guidance (CPNI)118

(continued)


Table 5. Continued

Columns: Domain; Reasons for current status; Recommendations to improve MIL; Resources for improvement (frameworks/standards/guidelines/research literature).

Domain: WM
Reasons for current status:
– Partially defined risk designations
– Weak cybersecurity workforce
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
WM1. Provide adequate resources (e.g. funding, people, and tools)
WM2. Identify cybersecurity skill gap
WM3. Set risk designations for accessing critical assets
WM4. Develop cybersecurity culture, including cybersecurity training and awareness (also predictive analytics and threat intelligence programs to handle future threats)
WM5. Evaluate training program for further improvements
WM6. Disciplinary action for those failing to follow cybersecurity rules and regulations
Resources for improvement:
NIST SP 800-53 (Rev.4),37 UIC-Guidelines for Cyber-Security in Railways,73 Rail Cyber Security Guidance to Industry,84 NIST SP 800-12 (Rev.1),86 Minimum Cyber Security Standard,95 Cybersecurity Workforce Framework (Shoemaker),119 Cybersecurity workforce development (Janeja et al.),120 Cybersecurity Workforce Development and the Protection of Critical Infrastructure (Chapman),121 A Strategy for a Cybersecurity Culture (Gcaza von Solms),122 Building a stronger cybersecurity workforce (CSX),123 The Future Cybersecurity Workforce (Dawson and Thomson),124 Cybersecurity for the Nation: Workforce Development (Dill),125 Novel approach for cybersecurity workforce development (Sharevski et al.)126

Domain: CPM
Reasons for current status:
– Inadequate funding
– Invisible and inactive senior management
– Initial stage of advanced cybersecurity analytics
Recommendations to improve MIL:
CPM1. Provide adequate funding for cybersecurity program
CPM2. Assign responsibility for cybersecurity program
CPM3. Get senior management approval and sponsorship of cybersecurity program strategy (CPS)
CPM4. Include predictive analytics in cybersecurity program
CPM5. Need to align CPS with organization's objectives
CPM6. CPS should be updated periodically
CPM7. Cybersecurity program must be independently reviewed periodically
Resources for improvement:
NIST SP 800-53 (Rev.4),37 ISO/IEC 21827,52 ISO/IEC 27005,87 ISO/IEC 27001,91 ISO 28001,111 NIST/ITL Cybersecurity Program (O'Reilly et al.),127 Cyber defense Program Against Advanced Threats (Donaldson et al.),128 Developing a Cybersecurity Management Program (Taylor and Steele),129 ANSI-ASQ National Accreditation Board (ANAB) accreditation program,130 Global Information Assurance Certification (GIAC),131 Information Security Certifications (ISC)2,132 Cloud Security Alliance (CSA),133 National Cyber Security Alliance (NCSA)134

Domain: ACM
Reasons for current status:
– Partially defined asset inventory
– Lack of advanced analytics tools
Recommendations to improve MIL:
ACM1. IT and OT asset inventory should be updated periodically as defined by organization
ACM2. Periodically review cybersecurity impacts with change and reconfiguration of assets
ACM3. Periodically review predictive tools to detect and block unauthorized changes to OT and IT assets
Resources for improvement:
NIST SP 800-53 (Rev.4),37 UIC-Guidelines for Cyber-Security in Railways,73 ISO/IEC 27032,80 ISO/IEC 27001,91 Minimum Cyber Security Standard95

Domain: IAM
Reasons for current status:
– Lack of advanced analytics tools
Recommendations to improve MIL:
IAM1. Advanced analytics tools recommended to analyze accessed data
Resources for improvement:
NIST SP 800-53 (Rev.4),37 ISO/IEC 21827,52 UIC-Guidelines for Cyber-Security in Railways,73 NIST SP 800-12 (Rev.1),86 ISO/IEC 27001,91 CYRAIL,105 Minimum Cyber Security Standard95

(continued)


Dark green signifies an answer of ''fully implemented'' and light green is ''largely implemented''; these are positive answers for attaining an MIL.8 Light red is ''partially implemented'' and dark red is ''not implemented''; these are negative answers.8

To understand how to read Figure 5, look at the MIL2 pie chart for the domain risk management (RM). Two evaluation practices are assessed as ''fully implemented'', six as ''largely implemented'', and five as ''partially implemented''. These five ''partially implemented'' practices prevent this domain from attaining MIL2, MIL3, and MIL4. The same procedure works for other MILs. Figure 5 shows the resulting MILs for Railway 1 with seven domains at MIL1, one at MIL2, one at MIL3, and one at MIL4.

The pie chart shows that some of the practices at higher levels are fully implemented but practices at lower levels are not. It is very important for railway organizations to start at the lower level, implement all the practices, and then go to the higher level and implement all the practices, because MILs are cumulative within each domain, i.e. to attain an MIL in a given domain, an organization must implement all of the practices in that level and its predecessor level(s).8
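The scoring rule described in the C2M2 model paragraphs earlier and in the two paragraphs above (credit only for ''largely'' or ''fully implemented''; levels cumulative within a domain, with the proposed MIL4 on top), as an added Python example. It is not code from the paper or from the C2M2 toolkit, and the domain names and questionnaire answers it uses are constructed to mirror the RM reading of Figure 5 given in the text (two fully, six largely and five partially implemented practices at MIL2), so the RM domain stops at MIL1 even though some of its MIL3 and MIL4 practices are done.

```python
"""Compute attained maturity indicator levels (MILs) from questionnaire answers.

Added example, not part of the paper or the C2M2 toolkit. It implements the
scoring rule the text describes: each practice is answered with one of four
values; "largely implemented" and "fully implemented" earn credit, "not
implemented" and "partially implemented" do not; MILs are cumulative within a
domain, so a level is attained only when every practice at that level and at
all lower levels has credit. MIL4 is the proposed predictive-analytics level.
The sample answers below are constructed for the example.
"""
from collections import Counter

CREDIT = {"largely implemented", "fully implemented"}
NO_CREDIT = {"not implemented", "partially implemented"}
LEVELS = (1, 2, 3, 4)   # MIL1..MIL3 from C2M2 plus the proposed MIL4


def practice_has_credit(answer: str) -> bool:
    """Return True when the answer earns credit for the practice."""
    a = answer.strip().lower()
    if a in CREDIT:
        return True
    if a in NO_CREDIT:
        return False
    raise ValueError(f"unknown answer: {answer!r}")


def level_complete(answers_at_level) -> bool:
    """A level is complete only if every practice at that level has credit."""
    return all(practice_has_credit(a) for a in answers_at_level)


def attained_mil(domain_answers: dict) -> int:
    """Return the highest MIL attained in one domain.

    domain_answers maps level -> list of answer strings for that level's
    practices. Because levels are cumulative, the walk stops at the first
    level with a practice lacking credit; the level below it is the result,
    and MIL0 means MIL1 was not achieved.
    """
    mil = 0
    for level in LEVELS:
        answers = domain_answers.get(level, [])
        if not answers or not level_complete(answers):
            break
        mil = level
    return mil


def summarize_level(answers_at_level) -> dict:
    """Count answers per category, the numbers a pie chart in Figure 5 shows."""
    return dict(Counter(a.strip().lower() for a in answers_at_level))


def assess(org_answers: dict) -> dict:
    """Map every domain of an organization to its attained MIL."""
    return {domain: attained_mil(levels) for domain, levels in org_answers.items()}


# Constructed sample. RM mirrors the reading given in the text: MIL1 is
# complete, MIL2 has 2 fully, 6 largely and 5 partially implemented practices.
SAMPLE = {
    "RM": {
        1: ["fully implemented"] * 3 + ["largely implemented"] * 2,
        2: ["fully implemented"] * 2 + ["largely implemented"] * 6
           + ["partially implemented"] * 5,
        3: ["fully implemented"] * 4 + ["not implemented"],
        4: ["largely implemented"] * 2,
    },
    "ISC": {
        1: ["fully implemented"] * 2,
        2: ["largely implemented"] * 3,
        3: ["fully implemented"] * 2,
        4: ["largely implemented"] * 2,
    },
    "IAM": {
        1: ["fully implemented"] * 2,
        2: ["fully implemented"] * 3,
        3: ["largely implemented"] * 3,
        4: ["partially implemented", "largely implemented"],
    },
}

if __name__ == "__main__":
    for domain, mil in assess(SAMPLE).items():
        print(f"{domain}: MIL{mil}")
```

Run stand-alone, the sample yields RM at MIL1, ISC at MIL4 and IAM at MIL3; the RM result shows why the text insists on completing lower levels first, since its finished MIL3 and MIL4 practices earn nothing while MIL2 practices remain partially implemented.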

The reasons for the current status of maturity levels within each domain are shown in the second column of Table 5 (see the ''Recommendations to improve maturity levels'' section).

Combined results of the three railway organizations

Table 4 and the spider chart in Figure 6 show the maturity level results for the three real railway organizations. The comprehensive results of objectives and practices within each domain are with the authors for reasons of confidentiality. Table 4 and Figure 6 indicate that seven domains of Railway 1 are at MIL1, one domain is at MIL2, one is at MIL3, and one is at MIL4. Railway 2 has three domains at MIL4, four at MIL3, two at MIL2, and one at MIL1. The reasons for their current status are provided in Table 5, along with recommendations for improvements. It is also visible that all the domains of Railway 3 have attained MIL4, an excellent assessment result.

The results indicate a general movement towards predictive and advanced security analytics. The average evaluation results show that the identity and access management (IAM), cybersecurity program management (CPM), and information sharing and communications (ISC) domains for Railway 2 and Railway 3 have attained MIL4, but more work is required to improve the incident response (IR), situational awareness (SA), threat and vulnerability management (TVM), asset, change and configuration management (ACM), RM, workforce management (WM), and external dependencies management (EDM) domains for Railway 1 and Railway 2. Notably, the ISC domain for all three railway organizations has attained MIL4; this indicates that these organizations

Table 5. Continued

Columns: Domain; Reasons for current status; Recommendations to improve MIL; Resources for improvement (frameworks/standards/guidelines/research literature).

Domain: ISC
Reasons for current status:
– MIL4 has been achieved for all the three railway organizations under study
– This domain can be used as a reference for railway organizations to improve cybersecurity information sharing
Resources for improvement:
NIST SP 800-53 (Rev.4),37 ANSI/ISA–62443,40 ISO/IEC 21827,52 UIC-Guidelines for Cyber-Security in Railways,73 ISO/IEC 27032,80 ISO/IEC 27001,91 Minimum Cyber Security Standard,95 A framework for cybersecurity information sharing and risk reduction (Goodwin et al.),135 NIST Computer Security Resource Center,136 US-CERT,137 ICS-CERT,138 Information Sharing and Analysis Organizations (ISAOs),139 CIS140

RM: risk management; TVM: threat and vulnerability management; SA: situational awareness; IR: incident response; EDM: external dependencies management; WM: workforce management; CPM: cybersecurity program management; COP: common operating picture; IAM: identity and access management; ISC: information sharing and communications.

Kour et al. 13

have maintained a relationship with internal and exter-nal bodies to collect and provide cybersecurity informa-tion, including threats and vulnerabilities, to decreasecyber risks and to increase operational resilience.

On the one hand, it is good that each domain of Railway 1 and Railway 2 has at least attained MIL1, but on the other hand, many domains are far from attaining MIL4. This assessment will help these railway organizations examine the gaps and move towards higher MILs. Note that all these results are derived from the cybersecurity data provided by the railway organizations, and the reliability of the data rests with the provider.

Organizations which have not attained the necessary maturity levels need to reconsider their cybersecurity programs to protect this critical infrastructure. A detailed summary of the identified gaps was sent to the respective railway organizations, so they could visualize the current level of maturity and take steps to fill the gaps in their cybersecurity programs.
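The per-domain MIL results in Table 4 and the gap summaries sent to the organizations are both derived from practice-level assessment data that the paper keeps confidential. The following added example (not code from the paper or its authors) shows how such a derivation works. It assumes the cumulative scoring convention of the C2M2 family of models, in which a domain attains MIL n only when every practice at MIL n and at every lower level is fully implemented, applied to the MIL0 to MIL4 scale used in the paper; the practice identifiers, statuses and the sample organization are constructed data.

```python
"""Domain maturity levels and gap listing from practice-level assessment data.

Added example; it is not code from the paper. It assumes the cumulative scoring
convention of the C2M2 family of models: a domain attains MIL n only when every
practice at MIL n and at every lower level is fully implemented, and it uses the
MIL0-MIL4 scale of the paper. The practice identifiers and statuses below are
constructed sample data, not the authors' confidential assessment results.
"""
from collections import Counter
from typing import Dict, List, Tuple

MILS = (1, 2, 3, 4)
FULLY, LARGELY, PARTIALLY, NOT = "fully", "largely", "partially", "not"
LETTER = {"F": FULLY, "L": LARGELY, "P": PARTIALLY, "N": NOT}

Practices = Dict[int, Dict[str, str]]  # MIL -> {practice id: implementation status}


def make_domain(*level_specs: str) -> Practices:
    """Build a practice map from one status letter per practice, one string per MIL.

    make_domain("FF", "FL") means two MIL1 practices (both fully implemented) and
    two MIL2 practices (one fully, one largely implemented). Constructed data.
    """
    return {mil: {f"MIL{mil}-{i + 1}": LETTER[ch] for i, ch in enumerate(spec)}
            for mil, spec in zip(MILS, level_specs)}


def domain_mil(practices: Practices) -> int:
    """Highest MIL such that it and every lower MIL are fully implemented (else 0)."""
    attained = 0
    for mil in MILS:
        level = practices.get(mil, {})
        if level and all(status == FULLY for status in level.values()):
            attained = mil
        else:
            break  # a gap at this level caps the domain, whatever is done above it
    return attained


def next_level_gaps(practices: Practices) -> Tuple[int, List[str]]:
    """The next target MIL and the practices that still block it ((4, []) at MIL4)."""
    current = domain_mil(practices)
    if current == MILS[-1]:
        return current, []
    target = current + 1
    missing = [f"{pid} ({status})"
               for pid, status in sorted(practices.get(target, {}).items())
               if status != FULLY]
    return target, missing


def assess(org: Dict[str, Practices]) -> Tuple[Dict[str, int], Counter]:
    """Per-domain MILs plus the count of domains at each MIL (the Table 4 view)."""
    levels = {domain: domain_mil(p) for domain, p in org.items()}
    return levels, Counter(levels.values())


def gap_report(org: Dict[str, Practices]) -> List[str]:
    """One line per domain naming what must be completed to reach the next MIL."""
    lines = []
    for domain, practices in org.items():
        target, missing = next_level_gaps(practices)
        if domain_mil(practices) == MILS[-1]:
            lines.append(f"{domain}: MIL{MILS[-1]} attained")
        elif not missing:
            lines.append(f"{domain}: no practices defined for MIL{target}")
        else:
            lines.append(f"{domain}: to reach MIL{target} complete " + ", ".join(missing))
    return lines


# Constructed sample organization using the paper's ten domains.
SAMPLE_ORG: Dict[str, Practices] = {
    "RM":  make_domain("FF", "FL", "PN", "NN"),
    "ACM": make_domain("FF", "FF", "FF", "LN"),
    "IAM": make_domain("FF", "FF", "FF", "FF"),
    "TVM": make_domain("FF", "PF", "FF", "NN"),  # MIL3 work done, but a MIL2 gap caps it at MIL1
    "SA":  make_domain("FL", "NN", "NN", "NN"),
    "ISC": make_domain("FF", "FF", "FF", "FF"),
    "IR":  make_domain("FF", "FF", "FP", "NN"),
    "EDM": make_domain("FF", "FF", "NN", "NN"),
    "WM":  make_domain("FF", "LL", "NN", "NN"),
    "CPM": make_domain("FF", "FF", "FF", "PP"),
}

if __name__ == "__main__":
    levels, histogram = assess(SAMPLE_ORG)
    print(levels)
    print({f"MIL{m}": n for m, n in sorted(histogram.items())})
    print("\n".join(gap_report(SAMPLE_ORG)))
```

The TVM row of the sample shows why the cumulative rule matters for prioritization: all of its MIL3 practices are complete, yet the domain scores MIL1 because one MIL2 practice is only partially implemented, so the gap report points the organization at that single practice rather than at further MIL3 or MIL4 work.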

It was challenging for these organizations to share their cybersecurity data. They had the perception that by sharing their data, they increased the likelihood of attacks in the future. However, if more railway organizations shared their cybersecurity data, a holistic cybersecurity approach to railway systems could be formulated. There is a need to communicate and unite to tackle the problem of cybersecurity, one of the biggest challenges to critical infrastructures.

Recommendations to improve maturity levels

The maturity level results of the three railway organizations indicated a need to improve cybersecurity capabilities.

Table 5 lists the reasons for the status of the current maturity levels and provides a set of recommendations and other resources to improve cybersecurity. An action plan was developed for each company so that it could implement the recommendations in a streamlined way. The first column of Table 5 lists the 10 domains; the second gives the reasons for the low maturity level; the third provides a set of recommendations; the fourth provides available frameworks/standards/guidelines/research literature.

Action plan

Many recommendations based on the C2M2 model8 are listed in Table 5, and it would obviously be difficult for the railway organizations to prioritize and organize them. Accordingly, a quick action plan was developed for each company. After the implementation of this action plan (Table 6 in Appendix 1), the cybersecurity program should be evaluated periodically to ensure the desired improvements are achieved. With the implementation plan and periodic reevaluation, the organizations will be able to identify further gaps in their current cybersecurity programs. The reevaluation of a cybersecurity program is a repetitive process.

[Figure 6 (spider chart, not reproduced): maturity indicator level, 0–4, for each of the ten domains: Risk Management (RM); Asset, Change, and Configuration Management (ACM); Identity and Access Management (IAM); Threat and Vulnerability Management (TVM); Situational Awareness (SA); Information Sharing and Communications (ISC); Event and Incident Response, Continuity of Operations (IR); Supply Chain and External Dependencies Management (EDM); Workforce Management (WM); Cybersecurity Program Management (CPM). Series: Railway 1, Railway 2, Railway 3.]

Figure 6. Maturity level results for the three railway organizations.

14 Proc IMechE Part F: J Rail and Rapid Transit 0(0)

The proposed plan shown in Appendix 1 is just a demonstration plan for one year and, as such, provides guidance to the railway organizations. To understand how this action plan will work, consider an example of an RM domain where RM1 to RM5 are the recommendations to improve maturity indicator levels in months M1 to M12. The dark portion of RM1 and RM2 shows that railway organizations should provide adequate resources and define advanced cybersecurity analytics in the risk management policy within the first two months to improve their cybersecurity capabilities. The implementation of the recommendations defined in RM3 (Table 5) starts in the third month and lasts for four months. Similarly, the implementation of recommendations RM4 and RM5 will start in the seventh and ninth month, respectively. The process of implementation of each recommendation will work in a similar way to minimize the identified gaps in the current cybersecurity programs. The plan can be further elaborated, and a more detailed plan can be developed based on discussions with the railway organizations.
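The action plan described above is a twelve-month Gantt chart of recommendation identifiers, which an organization has to keep consistent and re-evaluate periodically. The following added example (not the paper's own code) renders such a plan as text, checks it for overruns and duplicate identifiers, reports how many recommendations run in parallel each month, and derives re-evaluation checkpoints. The RM row follows the text's description of Table 6 (RM1 and RM2 in months 1 to 2, RM3 from month 3 for four months, RM4 from month 7, RM5 from month 9); the durations of RM4 and RM5, the whole TVM row and the quarterly re-evaluation cadence are constructed assumptions.

```python
"""Rendering and checking a twelve-month quick action plan (Table 6 style).

Added example, not the paper's own code. The RM row follows the text's
description of Table 6: RM1 and RM2 in months 1-2, RM3 from month 3 for four
months, RM4 starting in month 7 and RM5 in month 9. The durations of RM4 and
RM5, the whole TVM row and the quarterly re-evaluation cadence are constructed
assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

MONTHS = 12  # the plan spans M1..M12


@dataclass(frozen=True)
class Task:
    domain: str
    rec_id: str    # recommendation number, e.g. "RM3" (a row of Table 5)
    start: int     # first month, 1-based
    duration: int  # length in months

    @property
    def end(self) -> int:
        return self.start + self.duration - 1


def gantt_row(task: Task, months: int = MONTHS) -> str:
    """One text row of the chart: '#' marks a scheduled month, '.' an idle one."""
    cells = ["#" if task.start <= m <= task.end else "." for m in range(1, months + 1)]
    return f"{task.domain:<4}{task.rec_id:<6}" + " ".join(f"{c:>2}" for c in cells)


def render(plan: List[Task], months: int = MONTHS) -> str:
    """Header line with month numbers followed by one row per recommendation."""
    header = f"{'Dom':<4}{'Rec#':<6}" + " ".join(f"{m:>2}" for m in range(1, months + 1))
    return "\n".join([header] + [gantt_row(t, months) for t in plan])


def validate(plan: List[Task], months: int = MONTHS) -> List[str]:
    """Problems that make the plan unusable: bad bounds, overrun, duplicate ids."""
    problems: List[str] = []
    seen = set()
    for t in plan:
        if t.start < 1 or t.duration < 1:
            problems.append(f"{t.rec_id}: start and duration must be at least 1")
        elif t.end > months:
            problems.append(f"{t.rec_id}: runs past M{months} (ends M{t.end})")
        if t.rec_id in seen:
            problems.append(f"{t.rec_id}: scheduled twice")
        seen.add(t.rec_id)
    return problems


def monthly_load(plan: List[Task], months: int = MONTHS) -> List[int]:
    """Number of recommendations in progress in each month (index 0 is M1)."""
    return [sum(1 for t in plan if t.start <= m <= t.end) for m in range(1, months + 1)]


def review_checkpoints(plan: List[Task], every: int = 3,
                       months: int = MONTHS) -> Dict[int, List[str]]:
    """Periodic re-evaluation points: for each checkpoint month, the recommendations
    whose implementation ended since the previous checkpoint and are due for
    re-assessment. The cadence (default quarterly) is an assumption."""
    return {m: [t.rec_id for t in plan if m - every < t.end <= m]
            for m in range(every, months + 1, every)}


# Constructed sample plan: RM row per the text, TVM row and RM4/RM5 lengths assumed.
SAMPLE_PLAN = [
    Task("RM", "RM1", 1, 2), Task("RM", "RM2", 1, 2), Task("RM", "RM3", 3, 4),
    Task("RM", "RM4", 7, 2), Task("RM", "RM5", 9, 4),
    Task("TVM", "TVM1", 1, 3), Task("TVM", "TVM2", 4, 3), Task("TVM", "TVM3", 7, 6),
]

if __name__ == "__main__":
    print(render(SAMPLE_PLAN))
    print("problems:", validate(SAMPLE_PLAN))
    print("load per month:", monthly_load(SAMPLE_PLAN))
    print("re-evaluate at:", review_checkpoints(SAMPLE_PLAN))
```

The monthly load is the figure a program manager uses to judge whether the plan is realistic for the staff available, and the checkpoint list turns the paper's "evaluate periodically" into concrete dates at which each finished recommendation is re-assessed against the maturity model.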

Conclusions

Cyber-attacks are increasing in many sectors, including finance, health, grid, retail, government, telecommunications, and transportation. Railway organizations are adopting ICT-based technologies, making them vulnerable to these attacks; therefore, they need to focus on cybersecurity. This research assessed the cybersecurity maturity capabilities of three railway organizations and found only one was well prepared for cyber risks. The research identified the strengths and weaknesses in the existing cybersecurity programs of these organizations, suggested improvements in the form of recommendations, and provided a quick action plan for them to implement the recommendations in a streamlined way. Since the case studies were carried out with real infrastructure owners, the outcome of the research and the gaps in their cybersecurity programs were explained to the respective railway organizations. We will include the verification and validation part of the research in a future work.

Acknowledgements

The authors would like to acknowledge the contributions from Dr Janet Lin for the research idea and Dr Uday Kumar, Dr Phillip Tretten, Dr Mustafa Aljumaili, and Robert Beney for their valuable expertise.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The authors would like to thank Lulea Railway Research Center (JVTC) for sponsoring the research work.

ORCID iDs

Ravdeep Kour https://orcid.org/0000-0003-0734-0959
Adithya Thaduri https://orcid.org/0000-0002-1938-0985

References

1. Kour R, Aljumaili M, Karim R, et al. eMaintenance in railways: issues and challenges in cybersecurity. Proc IMechE, Part F: J Rail Rapid Transit 2019; 233: 1012–1022.
2. X-Force IBM. IBM X-force interactive security incidents, www.ibm.com/security/xforce/xfisi/ (accessed 12 June 2019).
3. Kyriakidis M, Hirsch R and Majumdar A. Metro railway safety: an analysis of accident precursors. Saf Sci 2012; 50: 1535–1548.
4. Ferguson I. The ORR railway management maturity model and its use in benchmarking safety and securing continued improvement. Saf Reliab 2012; 32: 43–57.
5. Kim S. The development of a railway safety maturity model and estimate procedures. J Korean Soc Civil Eng 2014; 34: 195.
6. AS 7770:2018. Rail cyber security.
7. Mattioli R and Moulinos K. Analysis of ICS-SCADA cyber security maturity levels in critical sectors. Athens, Greece: European Union Agency for Network and Information Security (ENISA), 2015.
8. Christopher JD. Cybersecurity capability maturity model (C2M2). Washington: Department of Homeland Security, 2014.
9. Hoek S. Predictive security analytics. Netherlands: Tilburg University, 2017.
10. NIST & GSA Sponsored Project. The cyber risk predictive analytics project, https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/UMD%20Final%20Report-Cyber%20Risk%20Analytics%20Project%20revised%20tc%20november%2025%202017.pdf (accessed 27 September 2019).
11. Tounsi W and Rais H. A survey on technical threat intelligence in the age of sophisticated cyber attacks. Comput Secur 2018; 72: 212–233.
12. Conti M, Dargahi T and Dehghantanha A. Cyber threat intelligence: challenges and opportunities. New York: Springer, 2018.
13. Johnson CS, Feldman L and Witte GA. Cyber threat intelligence and information sharing/NIST. ITL Bulletin, www.nist.gov/publications/cyber-threat-intelligence-and-information-sharing (2017, accessed 26 June 2019).
14. Johnson C, Badger L, Waltermire D, et al. NIST special publication 800-150: guide to cyber threat information sharing. NIST, Technical Report, 2016.
15. Gartner IT. Gartner IT glossary. Technology Research, 2013.
16. Hancock D. Virus disrupts train signals. CBS News, www.cbsnews.com/news/virus-disrupts-train-signals/ (2003, accessed 12 October 2019).
17. Baker G. Schoolboy hacks into city's tram system. The Telegraph, 11 January 2008, www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html (accessed 12 October 2019).
18. Sternstein A. Hackers manipulated railway computers, TSA memo says. Nextgov.com, www.nextgov.com/cybersecurity/2012/01/hackers-manipulated-railway-computers-tsa-memo-says/50498/ (accessed 12 October 2019).
19. Hayden S. Cyber attack on South Korean subway system could be a sign of nastier things to come. Vice News, https://news.vice.com/en_us/article/vb8bp8/cyber-attack-on-south-korean-subway-system-could-be-a-sign-of-nastier-things-to-come (accessed 12 June 2019).
20. Borg M, Olsson T, Franke U, et al. Digitalization of Swedish government agencies. In: Proceedings of the 40th international conference on software engineering: software engineering in society – ICSE-SEIS'18, Gothenburg, Sweden, 27 May–3 June 2018.
21. Four cyber attacks on UK railways in a year, https://news.sky.com/story/four-cyber-attacks-on-uk-railways-in-a-year-10498558 (accessed 12 June 2019).
22. Graham C. Cyber attack hits German train stations as hackers target Deutsche Bahn. The Telegraph, 2017, www.telegraph.co.uk/news/2017/05/13/cyber-attack-hits-german-trainstations-hackers-target-deutsche/ (accessed 12 October 2019).
23. The Local. Swedish transport agencies targeted in cyber attack, www.thelocal.se/20171012/swedish-transport-agenciestargeted-in-cyber-attack (accessed 12 June 2019).
24. BBC News. Great western railway accounts breached, www.bbc.com/news/technology-43725640 (accessed 12 June 2019).
25. Whittaker Z. Rail Europe had a three-month long credit card breach, www.zdnet.com/article/rail-europe-had-a-three-month-long-credit-card-breach/ (accessed 12 June 2019).
26. Paganini P. Massive DDoS attack hit the Danish state rail operator DSB, 15 May 2018, https://securityaffairs.co/wordpress/72530/hacking/rail-operator-dsb-ddos.html (accessed 12 June 2019).
27. Bloomfield R, Netkachova K and Stroud R. Security-informed safety: if it's not secure, it's not safe. In: International Workshop on Software Engineering for Resilient Systems, 3 October 2013, pp.17–32. Berlin, Heidelberg: Springer.
28. Bloomfield R, Bloomfield R, Gashi I, et al. How secure is ERTMS? In: International Conference on Computer Safety, Reliability, and Security, 25 September 2012, pp.247–258. Berlin, Heidelberg: Springer.
29. Stewart JM, Chapple M and Gibson D. CISSP: Certified Information Systems Security Professional Study Guide. New Jersey: John Wiley & Sons, 2012.
30. Thaduri A, Aljumaili M, Kour R, et al. Cybersecurity for eMaintenance in railway infrastructure: risks and consequences. Int J Syst Assur Eng Manage 2019; 10: 149–159.
31. Le NT and Hoang DB. Can maturity models support cyber security? In: 2016 IEEE 35th international performance computing and communications conference (IPCCC), Las Vegas, NV, USA, 9–11 December 2016.
32. Lessing MM. Best practices show the way to information security maturity. In: 6th National conference on process establishment, assessment and improvement in information technology (ImproveIT 2008), Johannesburg, South Africa, 17–19 September 2008.
33. Karokola G, Kowalski S and Yngstrom L. Secure e-government services: towards a framework for integrating it security services into e-government maturity models. In: 2011 Information security for South Africa, Johannesburg, South Africa, 15–17 August 2011.
34. Rea-Guaman AM, San Feliu T, Calvo-Manzano JA, et al. Comparative study of cybersecurity capability maturity models. In: International Conference on Software Process Improvement and Capability Determination, 4 October 2017, pp.100–113. Cham: Springer.
35. Rea-Guaman A, Sanchez-Garcia I, Feliu TS, et al. Maturity models in cybersecurity: a systematic review. In: 2017 12th Iberian conference on information systems and technologies (CISTI), Lisbon, Portugal, 14–17 June 2017.
36. Howe N. Cybersecurity in railway signalling systems. Institution of Railway Signal Engineers News, 2017, p.1–4.
37. Force JT and Initiative T. Security and privacy controls for federal information systems and organizations. NIST Spec Publ 2013; 800: 8–13.
38. Barrett MP. Framework for improving critical infrastructure cybersecurity version 1.1. NIST cybersecurity framework, www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11 (2018, accessed 17 June 2019).
39. Disterer G. ISO/IEC 27000, 27001 and 27002 for information security management. J Inf Secur 2013; 4: 92–100.
40. ISA-62443-2-1: 2009. Security for industrial automation and control systems: establishing an industrial automation and control systems security program.
41. Im JW. Refining software vulnerability analysis under ISO/IEC 15408 and 18045. J Korea Inst Inf Secur Cryptol 2014; 24: 969–974.
42. ES-C2M2. Electricity subsector cybersecurity capability maturity model (ES-C2M2), www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-1 (accessed 17 June 2019).
43. ONG-C2M2. Oil and natural gas subsector cybersecurity capability maturity model (ONG-C2M2), www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0/oil-and (accessed 17 June 2019).
44. White GB. The community cyber security maturity model. In: 2011 IEEE international conference on technologies for homeland security (HST), Waltham, MA, USA, 15–17 November 2011.
45. Defense DO. Systems security engineering capability maturity model (SSECMM), model description. Version 1.1. USA: Defense Technical Information Center, 1997.
46. ISACA. Cobit 5. USA: ISACA.
47. Newhouse W, Keith S, Scribner B, et al. National initiative for cybersecurity education (NICE) cybersecurity workforce framework. NIST Special Publication, vol. 800. USA: NIST, 2017, p.181.
48. Tari Schreider S, CISM C, CISO I. Building effective cybersecurity programs: a security manager's handbook. Brookfield: Rothstein Publishing, 2017.
49. Masinsin RQ. Secretary of defense corporate fellows program: final report. New York, NY: Time, 2008.
50. Buecker A, Borrett M, Lorenz C, et al. Introducing the IBM security framework and IBM security blueprint to realize business-driven security. IBM Redpaper 2010; 4528: 1–96.
51. Aceituno V. ISM3-information security management maturity model. Version 2.1. San Francisco, CA, USA: ISM3 Consortium, The Open Group, 2007.
52. Carnegie Mellon University. Systems security engineering capability maturity model (SSE-CMM) model description document. Version 3.0. Pittsburgh: Carnegie Mellon University.
53. Hosseini K and Paul DL. Assessing cybersecurity risk for oil & gas mergers and acquisitions. In: SPE western regional meeting, Bakersfield, California, USA, 23–27 April 2017.
54. Mylrea M, Gourisetti SNG and Nicholls A. An introduction to buildings cybersecurity framework. In: 2017 IEEE symposium series on computational intelligence (SSCI), Hawaii, USA, 27 November–1 December 2017.
55. Ibrahim E. Disruptive ideas for power grid security and resilience with der. In: National renewable energy laboratory annual cybersecurity and resilience workshop, Golden, Colorado, USA, 9–10 October 2017.
56. Ingram M and Martin M. Guide to cybersecurity, resilience, and reliability for small and under-resourced utilities. 2017.
57. AXIO. Axio is solving cyber risk, https://axio.com/wp-content/uploads/2019/04/Axio360-Detail.pdf (accessed 12 October 2019).
58. Tripwire. Security reference architecture: a practical guide to implementing foundational controls by Dave Meltzer CTO, Tripwire, Inc. USA: Tripwire.
59. The United States Energy Association. Request for proposals utility cyber security initiative. Cybersecurity capability maturity model (C2M2) assessment for the Georgian state electrosystem. Washington: The United States Energy Association.
60. Almuhammadi S and Alsaleh M. Information security maturity model for nist cyber security framework. Comput Sci Inf Technol 2017; 51.
61. Radziwill NM and Benton MC. Cybersecurity cost of quality: managing the costs of cybersecurity risk management, 2017.
62. Zhao W and White G. An evolution roadmap for community cyber security information sharing maturity model. In: Proceedings of the 50th Hawaii international conference on system sciences, Hilton Waikoloa Village, Hawaii, USA, 4–7 January 2017.
63. Siqueira AA, Reinehr S and Malucelli A. Using the ISO/IEC 27034 as reference to develop an application security control library. In: Stolfa J, Stolfa S, O'Connor R, et al. (eds) Systems, software and services process improvement. EuroSPI 2017. Communications in Computer and Information Science, vol. 748. Cham: Springer, 2017.
64. Kurniawan E and Riadi I. Security level analysis of academic information systems based on standard iso 27002: 2013 using Sse-Cmm. Int J Comput Sci Inf Secur 2018; 16: 139–147.
65. Mshangi M, Nfuka EN and Sanga C. Human sensor web crowd sourcing security incidents management in Tanzania context. J Inf Secur 2018; 9: 191–208.
66. Drljaca D and Latinovic B. Frameworks for audit of an information system in practice. J Inf Technol Appl 2016; 12: 78–85.
67. Laita A and Belaissaoui M. Information technology governance in public sector organizations. In: Rocha A, Serrhini M and Felgueiras C (eds) Europe and MENA Cooperation advances in information and communication technologies. Advances in Intelligent Systems and Computing, vol. 520. Cham: Springer, 2017.
68. Alencar GD, de Moura HP, Junior IH, et al. An adaptable maturity strategy for information security, 2018.
69. Open Group Standard. Open information security management maturity model (O-ISM3). Version 2.0. USA: Open Group Standard.
70. Pederson P, Roxey T and Gray J. Cross-sector roadmap for cybersecurity of control systems. USA: ICSJWG (Industrial Control Systems Joint Working Group), Cybersecurity and Infrastructure Security Agency (CISA), 2011.
71. House W. Cyberspace policy review: Assuring a trusted and resilient information and communications infrastructure. Washington, DC, www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf (2009, accessed 12 October 2019).
72. Chavez A. Evaluation of roadmap to achieve energy delivery systems cybersecurity. Albuquerque, NM, USA: Sandia National Lab (SNL-NM), 2017.
73. UIC – Rail System Department. Guidelines for cyber-security in railways, www.shop-etf.com/en/guidelines-for-cyber-security-in-railways (accessed 27 September 2019).
74. ISO 31000:2009. Risk management: principles and guidelines.
75. Joint Task Force Transformation Initiative. Guide for applying the risk management framework to federal information systems: a security life cycle approach. Gaithersburg, MD: National Institute of Standards and Technology, 2014.
76. SS-CC APTA. Securing control and communications systems in rail transit environments. Washington, DC: American Public Transportation Association, 2015.
77. NIST SP 800-39. Managing information security risk – organization, mission, and information system view. USA: National Institute of Standards and Technology, 2017.
78. GOST R ISO/IEC 31010-2011. Risk management. Risk assessment methods. Russia: National Standard of The Russian Federation, Scientific Research Center for Monitoring and Diagnostics of Technical Systems, December 2012.
79. Joint Task Force Transformation Initiative. Guide for conducting risk assessments. Gaithersburg, MD: National Institute of Standards and Technology, 2012.
80. ISO/IEC 27032: 2012. Information technology security techniques guidelines for cybersecurity.
81. Islam S, Fenz S, Weippl E, et al. A risk management framework for cloud migration decision support. J Risk Financ Manage 2017; 10: 10.
82. Islam S, Mouratidis H and Weippl ER. An empirical study on the implementation and evaluation of a goal-driven software development risk management model. Inf Softw Technol 2014; 56: 117–133.
83. European Union Project Report. SECUR-ED cyber-security roadmap for PTOs, www.secur-ed.eu/wp-content/uploads/2014/11/SECUR-ED_Cyber_security_roadmap_v3.pdf (2014, accessed 12 October 2019).
84. Department for Transport. Rail cyber security guidance to industry. UK: Department for Transport.
85. Rail Delivery Group. Rail cyber security strategy. UK: Rail Delivery Group.
86. Nieles M, Dempsey K and Pillitteri V. An introduction to information security. Gaithersburg, MD: National Institute of Standards and Technology, 2017.
87. International Organization for Standardization. ISO/IEC 27005:2018. Information technology – security techniques – information security risk management, 2018.
88. Alberts CJ, Behrens SG, Pethia RD, et al. Operationally critical threat, asset, and vulnerability evaluation (OCTAVE) framework. Version 1.0. Pittsburgh, PA, USA: Software Engineering Institute, 1999.
89. EN50129 CE. Railway applications – communication, signalling and processing systems – safety related electronic systems for signalling. UK: British Standards Institution, 2003, p.0580-4181.
90. Waltermire D and Scarfone K. Guide to using vulnerability naming schemes. NIST Special Publication, vol. 800. Gaithersburg, MD: NIST, 2011, p.51.
91. ISO/IEC 27001: 2013. Information technology – security techniques – information security management systems – requirements.
92. ISO/IEC 29147:2018. Vulnerability disclosure in information technology.
93. Souppaya M and Scarfone K. Guide to enterprise patch management technologies. Revision 3. NIST Special Publication 800-40. USA: US Department of Commerce, 2013.
94. ITSS_04. IT security standard – vulnerability management. Australia: UNSW.
95. The Government of the United Kingdom. Minimum cyber security standard. Version 1.0. UK: The Government of the United Kingdom.
96. Arsuaga I, Toledo N, Lopez I, et al. A framework for vulnerability detection in European train control railway communications. Secur Commun Netw 2018; 2018: 1–9.
97. Jajodia S, Liu P, Swarup V, et al. Cyber situational awareness. New York: Springer, 2009.
98. DOT Order 1351.37. Departmental cybersecurity policy. USA: Department of Transportation.
99. Yu W, Xu G, Chen Z, et al. A cloud computing based architecture for cyber security situation awareness. In: 2013 IEEE conference on communications and network security (CNS), Washington, DC, USA, 14–16 October 2013, pp.488–492.
100. Tianfield H. Cyber security situational awareness. In: 2016 IEEE international conference on internet of things (iThings) and IEEE green computing and communications (GreenCom) and IEEE cyber, physical and social computing (CPSCom) and IEEE smart data (SmartData), Chengdu, China, 15–18 December 2016.
101. Kokkonen T. Architecture for the cyber security situational awareness system. In: Internet of things, smart spaces, and next generation networks and systems, 26 September 2016, pp.294–302. Cham: Springer.
102. Almualla MH. Collaborative cyber security situational awareness. Doctoral Dissertation, Brunel University, London.
103. Mazumdar S and Wang J. Cyber-situation awareness: a visual analytics perspective. In: Simon P, Andrew C and Richard H (eds) Guide to vulnerability analysis for computer networks and systems: an artificial intelligence approach. Computer communications and networks. Berlin: Springer.
104. West-Brown MJ, Stikvoort D, Kossakowski KP, et al. Handbook for computer security incident response teams (csirts). Pittsburgh, PA: Carnegie Mellon University, 2003.
105. CYRAIL Project Report. Cyber security in the RAILway sector. D2.1 – safety and security requirements of rail transport system in multi-stakeholder environments, https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e5b678c2dc&appId=PPGMS (2017, accessed 12 October 2019).
106. Thompson EC. Incident response frameworks. In: Cybersecurity incident response. Berkeley, CA: Apress, 2018, pp.17–46.
107. Garman JA, Johnson B, Mcfarland JJ, inventors; Carbon Black, Inc., assignee. Cybersecurity incident detection systems and techniques. Patent application 15/704,676, USA, 2018.
108. Leon RJ. An event management framework to aid solution providers in cybersecurity. Doctoral Dissertation, The George Washington University.
109. Narayanan SN, Ganesan A, Joshi K, et al. Early detection of cybersecurity threats using collaborative cognition. In: 2018 IEEE 4th international conference on collaboration and internet computing (CIC), Philadelphia, Pennsylvania, USA, 18–20 October 2018.
110. ARP9134A. Supply chain risk management guidelines. SAE International in United States, 2014.
111. ISO 28001:2007. Security management systems for the supply chain. Best practices for implementing supply chain security, assessments and plans. Requirements and guidance.
112. Goertzel KM. Supply chain risk management and the software supply chain. In: OWASP AppSec DC, Washington, DC, USA, 8–11 November 2010.
113. Boyson S. Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems. Technovation 2014; 34: 342–353.
114. Boyens J, Paulsen C, Moorthy R, et al. Supply chain risk management practices for federal information systems and organizations. NIST Special Publication, vol. 800. Gaithersburg, MD: NIST, 2015, p.32.
115. ISO/IEC 27036-3:2013. Information technology – security techniques – information security for supplier relationships – Part 3: guidelines for information and communication technology supply chain security.
116. Blos MF and Hoeflich SL. Supply chain risk management framework for virtual enterprises: a theoretical approach. Unisanta Sci Technol 2017; 5: 161–166.
117. C-SCRM. Cyber security supply chain risk management guidance, North American transmission forum, www.nerc.com/pa/comp/SupplyChainRiskMitigationProgramDL/NATF%20Cyber%20Security%20Supply%20Chain%20Risk%20Management%20Guidance.pdf (accessed 27 September 2019).
118. CPNI. Centre for the protection of national infrastructure. Supply chain security collection guidance, UK, www.cpni.gov.uk/system/files/documents/2e/87/Supply_Chain_Security_Collection_Jan2018.pdf (accessed 22 January 2019).
119. Shoemaker D, Kohnke A and Sigler K. A guide to the National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework (2.0). Boca Raton, FL: Auerbach Publications, 2018.
120. Janeja VP, Seaman C, Kephart K, et al. Cybersecurity workforce development: a peer mentoring approach. In: 2016 IEEE conference on intelligence and security informatics (ISI), Tucson, Arizona, USA, 27–30 September 2016.
121. Chapman MA. Cybersecurity workforce development and the protection of critical infrastructure. Pearl City, USA: University of Hawaii, 2017.
122. Gcaza N and von Solms R. A strategy for a cybersecurity culture: a South African perspective. Electr J Inf Syst Developing Countries 2017; 80: 1–17.
123. CSX. Cybersecurity Nexus. Building a stronger cybersecurity workforce, https://cybersecurity.isaca.org/csx-nexus (accessed 27 September 2019).
124. Dawson J and Thomson R. The future cybersecurity workforce: going beyond technical skills for successful cyber performance. Front Psychol 2018; 9: 1–12.
125. Dill KJ. Cybersecurity for the nation: workforce development. Cyber Defense Rev 2018; 3: 55–64.
126. Sharevski F, Trowbridge A and Westbrook J. Novel approach for cybersecurity workforce development: a course in secure design. In: 2018 IEEE integrated STEM education conference (ISEC), Princeton, NJ, USA, 10 March 2018.
127. O'Reilly P, Rigopoulos K, Feldman L, et al. 2016 NIST/ITL cybersecurity program: annual report. 2017.
128. Donaldson SE, Siegel SG, Williams CK, et al. Managing an enterprise cybersecurity program. In: Enterprise Cybersecurity. Berkeley, CA: Apress, 2015, pp.243–262.
129. Taylor B and Steele J. Developing a cybersecurity management program. Benefits Q 2018; 34: 21–26.
130. Cyber security Intelligence. ANSI National Accreditation Board (ANAB), www.cybersecurityintelligence.com/ansi-national-accreditation-board-anab-5494.html (accessed 12 October 2019).
131. GIAC. Global information assurance certification.
132. (ISC)2. Information security certifications, www.isc2.org/Certifications (accessed 27 September 2019).
133. Samani R, Honan B and Reavis J. Chapter 8 – Cloud Security Alliance Research. In: Samani R, Honan B and Reavis J (eds) CSA guide to cloud computing. Syngress, 2015, pp.149–169.
134. NCSA. National cyber security alliance, https://staysafeonline.org/about (accessed 27 September 2019).
135. Goodwin C, Nicholas JP, Bryant J, et al. A framework for cybersecurity information sharing and risk reduction. Microsoft, 2015.
136. NIST CSRC. Computer Security Resource Center. Home/CSRC, USA, https://csrc.nist.gov/ (accessed 12 June 2019).
137. US-CERT. Critical infrastructure cyber community voluntary program (C3), www.us-cert.gov/ccubedvp (accessed 27 September 2019).
138. ICS-CERT. Industrial control systems cyber emergency response teams, https://ics-cert.us-cert.gov/ (accessed 27 September 2019).
139. Information sharing and analysis organizations (ISAOs), www.dhs.gov/cisa/information-sharing-and-analysis-organizations-isaos (accessed 12 June 2019).
140. CIS – Center for Internet Security, www.cisecurity.org/about-us/ (accessed 12 June 2019).

Appendix 1

Table 6. Example of cybersecurity quick action plan for vision 2020.

Domain | Recommendation# | For vision 2020 (M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12; the gray shading of the original, which marks the months for each recommendation, is not reproduced here)
RM | RM1, RM2, RM3, RM4, RM5
TVM | TVM1, TVM2, TVM3, TVM4, TVM5, TVM6
SA | SA1, SA2, SA3, SA4, SA5, SA6
IR | IR1, IR2, IR3, IR4, IR5, IR6
EDM | EDM1, EDM2, EDM3, EDM4, EDM5
WM | WM1, WM2, WM3, WM4, WM5, WM6
CPM | CPM1, CPM2, CPM3, CPM4, CPM5, CPM6, CPM7
ACM | ACM1, ACM2, ACM3
IAM | IAM1
ISC | MIL4 has been achieved

RM: risk management; TVM: threat and vulnerability management; SA: situational awareness; IR: incident response; EDM: external dependencies management; WM: workforce management; CPM: cybersecurity program management; IAM: identity and access management. Gray shades represent the approximate time suggested in months (M1–M12) to complete suggested recommendations.

Paper III

Railway Defender Kill Chain to Predict and Detect Cyber-Attacks

Kour, R., Thaduri, A., & Karim, R. (2020). Railway Defender Kill Chain to Predict and Detect Cyber-Attacks. Journal of Cyber Security and Mobility, 9(1), 47-90.

Railway Defender Kill Chain to Predict and Detect Cyber-Attacks

Ravdeep Kour∗, Adithya Thaduri and Ramin Karim

Division of Operation and Maintenance Engineering, Lulea University of Technology, 97187 Lulea, Sweden
E-mail: [email protected], [email protected], [email protected]
∗Corresponding Author

Received 04 August 2019; Accepted 26 November 2019; Published 14 December 2019

Abstract

Most organizations focus on intrusion prevention technologies, with less emphasis on prediction and detection. This research looks at prediction and detection in the railway industry. It uses an extended cyber kill chain (CKC) model and an industrial control system (ICS) cyber kill chain for detection and proposes predictive technologies that will help railway organizations predict and recover from cyber-attacks. The extended CKC model consists of both an internal and an external cyber kill chain; breaking the chain at an early stage helps the defender stop the adversary's malicious actions. This research incorporates an OSA (open system architecture) for railways with the railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) architecture. The railway cybersecurity OSA-CBM architecture consists of eight layers; cybersecurity information moves from the initial level of data acquisition to data processing, data analysis, incident detection, incident assessment, incident prognostics, decision support, and visualization.

The main objective of the research is to predict, prevent, detect, and respond to cyber-attacks early in the CKC by using defensive controls called the Railway Defender Kill Chain (RDKC).

The contributions of the research are as follows. First, it adapts and modifies the railway cybersecurity OSA-CBM architecture for railways. Second, it adapts the cyber kill chain model for the railway. Third, it introduces the Railway Defender Kill Chain. Fourth, it presents examples of cyber-attack scenarios in the railway system.

Journal of Cyber Security and Mobility, Vol. 9(1), 47–90. doi: 10.13052/jcsm2245-1439.912. This is an Open Access publication. © 2019 the Author(s). All rights reserved.

Keywords: Cybersecurity, cyber kill chain, railway, cyber-attack, OSA-CBM, predict.

1 Introduction

The railway is a complex system consisting of railway infrastructure and rolling stock. Railway infrastructure is divided into technical subsystems, including the signalling system, track, electrical system, and telecommunication system [1]. Rolling stock consists of both powered and unpowered vehicles that move on the rail track. A Supervisory Control and Data Acquisition (SCADA) system is an operational technology (OT) that provides centralized monitoring and control of the railway system. It is designed to collect field information (such as the status of the trains, signal systems, traction electrification systems, and ticket vending machines) and transfer it to operator consoles at an HMI (Human Machine Interface) station at the rail control center [2]. The received information is displayed graphically or textually, allowing the operator to monitor or control the railway system from a central location in near real time. The SCADA system also sends high-level operator commands to the rail section components based on condition monitoring (e.g., stopping a train to prevent it from entering an area that has been determined to be flooded or occupied by another train) [2]. Figure 1 shows the subsystems of a railway system.

The convergence of the railway system with Information Technology (IT) and Operational Technology (OT) has brought significant benefits in reliability, maintainability, operational efficiency, capacity and passenger experience, as the use of Internet-connected sensors and devices can provide timely and accurate information about the physical world. The railway is adopting Information and Communication Technology (ICT) to take advantage of cloud technology to integrate, analyze and visualize data for effective decision-making [3]. European Union and Shift2Rail [4] programs have proposed to include ICT in transportation because they expect potential benefits. Railway maintenance data can be collected and integrated within cloud computing infrastructures to facilitate condition-based maintenance (CBM), a strategy that predicts future failures based on the condition of an asset; in CBM, maintenance actions are performed on the defective elements only [5]. However, these innovative developments are not without risks. Transfer of data from the field to the cloud causes some concern, as adversaries can attack the network, servers and communication channels. Subramanian and Jeyaraj [6] have explored various security challenges faced by cloud service providers, data owners, and cloud users.

Figure 1 The Railway system. (Subsystems shown in the figure: Signalling, ICT, Tracks, Bridges, Tunnels, Electrification, Rolling Stock, Databases, SCADA.)

NATO (North Atlantic Treaty Organization) ranks phishing and malware cyber-attacks among its greatest concerns [7]. According to Patel [8], one of the top cyber threats is phishing scams. Other threats are: ransomware attacks (like WannaCry), system vulnerability due to unchecked gaps (nearly 50% of alerts and logs are never investigated), new threats and dangers from and to AI (Artificial Intelligence) powered systems, and human weaknesses [9–12]. In 2018, HelpSystems [13] surveyed more than 600 IT and cybersecurity professionals to determine the main cybersecurity risks and mitigation strategies. It found the top five cyber-threats were ransomware, phishing, weak/stolen credentials, system misconfigurations, and unsecure file transfers [13]. Hackmageddon [14] lists malware, account hijacking, unknown attacks, targeted attacks and vulnerability exploitation as threats and says such attacks are growing. Worldwide statistics show the dominant type of cyber-attack is a malware attack, including in the railway [15]. 'Unknown' cyber-attacks, meaning attacks whose motive is not known, are increasing as well. These unknown attacks are even more dangerous because we do not know the motives behind them. Targeted attacks are also increasing day by day. According to Symantec [16], formjacking was a breakthrough threat in 2018; it uses malicious code injected into a website's payment form to steal credit card details and other information as the form is submitted. As the railway is being digitalized, all these types of attack can occur. The railway requires a cyber-resilient system to counteract malware and advanced persistent threats (APT) and to continue operating in the case of an attack. NIST defines an APT as:

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” [17]

The cyber kill chain (CKC) is one of the most widely used frameworks for detecting cyber-attacks in IT networks; it is based on the kill chain tactic of the US military's F2T2EA (find, fix, track, target, engage and assess) [18]. An extension of this kill chain concept has been proposed to gather threat intelligence by allowing the attacker to continue his activities even after he is detected [19]. The gathered threat intelligence can be used to detect future advanced persistent threats. Mrabet et al. [20] have identified four steps used by attackers to attack and gain control of a smart grid: reconnaissance, scanning, exploitation, and maintaining access. The IT CKC model has been expanded and improved for use in industrial control systems (ICS) as the ICS Cyber Kill Chain, to understand attackers' activities and provide effective security measures [21]. Researchers are analyzing cyber-attacks by applying the ICS cyber kill chain [21]; one example of such research is an analysis of a cyber-attack on the Ukrainian power grid [22]. The railway is converging IT and OT technologies, so similar types of cyber-attacks can happen here as well. Thus, as an initial step, instead of going into detail on different kill chains, this research applies Lockheed Martin's (LM) CKC model [18, 23], the ICS cyber kill chain [21, 24] and the extended cyber kill chain [25] model to the railway to detect cyber-attacks. LM's CKC model [18, 23] has a seven-stage attack path. It is very important to break this path or chain at any stage using defensive controls instead of focusing on defending the organization's perimeter alone, and it is always beneficial to break the chain as early as possible. The disadvantage of LM's CKC (external cyber kill chain) is that it does not fully address insider threats. Therefore, this research adapts the extended cyber kill chain [25] to consider internal threats as well.

Hence, the main objective of this research is to predict, prevent, detect and respond to cyber-attacks early in the chain by using the proposed Railway Defender Kill Chain (RDKC). RDKC uses cybersecurity controls, technologies, standards, and defenses to mitigate security risks, which can be characterized in terms of threats that could cause harm to railway assets. Northcutt [26] defines security controls as “technical or administrative safeguards or countermeasures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk”. Understanding each phase of the chain will help the analyst and incident responder identify proper courses of defensive action. The US Department of Defense [27] has identified six basic tactics: detect, deny, disrupt, degrade, deceive and destroy. Hutchins et al. [28] use these tactics to build a course of action (CoA) matrix that describes how to detect, deny, disrupt, degrade, deceive and destroy the adversary's activity in each kill chain phase. This research uses a CoA matrix called the RDKC matrix that takes DoD's [27] courses of action and adds three more, predict, prevent, and respond and recover, across the CKC phases. These CoAs are used in the RDKC matrix as defensive controls. As mentioned above, this research does not go into detail on the various kill chain models; rather, it applies a combination of the external cyber kill chain, extended cyber kill chain, and ICS cyber kill chain model to the railway as an initial step.

2 State of the Art of Currently Used Technologies in Railway

Many activities related to cybersecurity in the railway are ongoing, for example the CYRAIL (cybersecurity in the railway sector) project, a Shift2Rail sub-project [4]. Thales [29] is supporting the Shift2Rail program of the European Commission by participating in the development of CERTs (computer emergency response teams). According to a European Union (EU) Shift2Rail project report [30], the currently used security technologies in railway are divided into three parts: network security, signalling security and deployment security. The details of these security technologies are provided in the EU report [30]; the list is given below:

• Virtual private networks (VPN)
• Wavelength-division multiplexing (WDM)
• Cryptography (PE26)
• Firewall
• Demilitarized Zone (DMZ)
• Intrusion detection systems and intrusion prevention systems
• Network segmentation
• Redundancy
• Internal and external intrusion tests
• Contingency plans for cyber attack
• Adoption of security standards
• Real-time functional monitoring system
• Double check of received commands by onboard units
• Network intrusion detection system/host intrusion detection system that checks the signalling traffic
• Intrusion tests
• Collaboration with national Computer Emergency Response Teams (CERTs)
• Software and hardware testing
• White box policy

The Shift2Rail project report [30] also provides a list of cybersecurity standards that should be considered and tailored with respect to the security requirements of the railway system. In addition to these technologies and standards, some railway-specific cybersecurity standards, practices, and guidelines are also available [15]. Furthermore, some public and private sector resources for sharing cybersecurity information can be used by railways to enhance their cybersecurity capabilities. These resources include NIST Computer Security [31], ICS cyber emergency response teams [32], the US Computer Emergency Readiness Team (US-CERT) [33], Information Sharing and Analysis Organizations (ISAOs) [34], the Public Transportation Information Sharing and Analysis Center (PT-ISAC) [35], CIS® (Center for Internet Security, Inc.) [36], and the Minimum Cyber Security Standard [37].

At the time of publication of this research, there is only one research article applying the ICS cyber kill chain; it describes a multiple-scenario ICS testbed for a thermal power plant, rail transit, smart grid, and intelligent manufacturing with two typical attack scenarios [38]. Modified versions of the cyber kill chain model have, however, been applied in other domains, such as multimedia service environments [39], Internet-of-Things (IoT) systems [40], security information and event management (SIEM) software [41], and cyber-physical systems [42]. The framework proposed in this research is an attempt to integrate all these existing technologies, standards, frameworks, models, and methodologies to detect and minimize the risks of cyber-attacks and to communicate cybersecurity information in the railway system. In addition, the proposed framework provides defensive controls at each stage of the IT and OT/ICS cyber kill chains.

3 Conceptual Methodology and Framework

3.1 Unified Extended Cyber Kill Chain and ICS Cyber Kill Chain

The cyber kill chain (CKC) is one of the most widely used frameworks for the identification, prevention and detection of advanced persistent cyber threats [43–47]. Some researchers have proposed methodologies to detect cyber threats early in the stages of the CKC [48, 49]. The cyber kill chain is focused on malware-based intrusions and APTs [50]. The CKC model has been expanded and improved for use in industrial control systems (ICS) and for internal threats, i.e., the ICS cyber kill chain [21, 24] and the extended cyber kill chain [25] respectively. A combination of both these kill chains can be applied in the railway (Figure 2).

3.1.1 External cyber kill chain model

The initial CKC model was developed by Lockheed Martin [18, 23] to describe an intrusion into a corporate network. The seven stages of this model are:

• Reconnaissance: The first stage of the model, one of the most difficult stages to detect from a security monitoring perspective, is the planning stage of the cyber-attack. The adversary searches for and gathers information about the organization's background, resources, and individual employees through social sites, conferences, blogs, mailing lists and network tracing tools [51]. The collected information is useful in the later stages to deliver the payload (the component that performs the malicious action) to the target system.

Figure 2 Unified extended cyber kill chain [25] and ICS cyber kill chain [21, 24].

• Weaponize: The second stage of the model is the operation preparation stage. It involves coupling a remote access Trojan (RAT) with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer) [28]. Detailed information on RATs and exploits is given by Yadav and Rao [52].

• Delivery: The third stage of the model is the operation launch stage, at which an organization can implement technology as a mitigating control [49]. At this stage, the weapon is transmitted to the targeted environment, for example as an e-mail attachment, a web link or removable media.

• Exploitation: At this stage, the exploit is triggered to silently install or execute the delivered payload. The most frequently exploited weaknesses are operating system, network and application/software level vulnerabilities [52]. One of the most notorious malware outbreaks, WannaCry, spread through an operating system exploit (EternalBlue, against the Windows SMBv1 service).

• Installation: This stage involves installing a back-door remote access Trojan (RAT) and maintaining persistence inside the targeted environment. Techniques used by malware authors to install a back door and evade analysis include anti-debugging and anti-emulation, anti-antivirus, rootkit and bootkit installation, targeted delivery and host-based encrypted data exfiltration [52].

• Command & Control (C2): After the successful installation of a back door, the adversary opens a two-way communication channel so that the targeted environment can be controlled remotely. Once the C2 channel is established, the adversary has “hands on keyboard” access inside the targeted environment.

• Act on Objective: In the last stage of the model, the adversary achieves the desired attack goals. These goals can be a loss of confidentiality, integrity or availability of the assets. Velazquez [49] notes that an APT threat actor may live in an organization for years until detected.

According to Heckman [53], the pre-exploit steps offer opportunities for intrusion detection and mitigation, and the post-exploit steps offer opportunities to deploy incident response and forensics. Cyber forensics or computer forensics is defined as “the science of locating, extracting and analyzing types of data from different devices, which specialists then interpret to serve as legal evidence” [54]. Incident response helps defenders detect and respond to breaches with minimal potential damage. Previous research has provided recommendations to railway organizations to improve the event and incident response domain, which can further improve their capabilities to reduce the impacts of cyber-attacks and eradicate vulnerabilities [55].

3.1.2 Internal cyber kill chain

The internal cyber kill chain is part of the extended cyber kill chain [25]. It consists of almost the same steps as the external kill chain, each prefixed with the word internal [25]. The internal cyber kill chain follows a chain of steps to gain access to the ICS system: move from workstations to servers using privilege escalation, move laterally within the network, and then manipulate individual targeted machines [25] (Figure 2). Considerable work has already been done on ICS security [2, 56–58].

3.1.3 ICS cyber kill chain

After gaining knowledge of the corporate network (external cyber kill chain) and the ICS system (internal kill chain), the attacker starts developing a specific attack tool for the ICS system and tests it to validate a reliable impact. After successful testing, the attacker delivers the tool, installs it, and executes the attack [21] (Figure 2).
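The unified chain of Section 3.1 is only useful to a defender once alerts can be placed on it. The following Python is an added example written for this edition of the page, not code from the paper: it assigns constructed IDS/EDR alerts to phases of the external, internal and ICS chains of Figure 2, orders them along the chain per target asset, and reports the phases the adversary passed without producing an alert, which is exactly where an earlier, cheaper break of the chain was missed. The signature names, the record format and the sample alerts are all assumptions made for the example.

```python
"""Added example (not from the paper): place alerts on the unified kill chain
of Figure 2 and report how far an intrusion progressed and what went unseen."""
from collections import defaultdict

# The unified chain of Figure 2: external CKC, then internal CKC, then ICS CKC.
CHAIN = [
    ("external", "Reconnaissance"), ("external", "Weaponize"),
    ("external", "Delivery"), ("external", "Exploitation"),
    ("external", "Installation"), ("external", "Command & Control"),
    ("external", "Act on Objective"),
    ("internal", "Internal Reconnaissance"), ("internal", "Internal Exploitation"),
    ("internal", "Privilege Escalation"), ("internal", "Lateral Movement"),
    ("internal", "Target Manipulation"),
    ("ics", "Develop"), ("ics", "Test"), ("ics", "Deliver"), ("ics", "Install"),
    ("ics", "Execute ICS Attack"),
]
PHASE_INDEX = {name: i for i, (_, name) in enumerate(CHAIN)}
PHASE_CHAIN = {name: chain for chain, name in CHAIN}

# ASSUMED mapping from detector signature names to chain phases. The signature
# names are invented for this example; a real deployment maps its own IDS/EDR
# rule identifiers here.
SIGNATURE_PHASE = {
    "port_scan": "Reconnaissance",
    "phishing_attachment": "Delivery",
    "exploit_cve_trigger": "Exploitation",
    "persistence_registry_run": "Installation",
    "beacon_periodic_dns": "Command & Control",
    "token_elevation": "Privilege Escalation",
    "smb_admin_share_login": "Lateral Movement",
    "modbus_write_coil_unexpected": "Execute ICS Attack",
}


def parse_event(line):
    """Parse one 'timestamp|target_asset|signature' record (constructed format)."""
    ts, asset, signature = line.strip().split("|")
    return {"ts": int(ts), "asset": asset, "signature": signature}


def correlate(lines):
    """Group alerts by target asset and order the observed phases along the chain.
    Signatures with no phase mapping are ignored rather than guessed at."""
    seen = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        phase = SIGNATURE_PHASE.get(event["signature"])
        if phase is not None:
            seen[event["asset"]].add(phase)
    return {asset: sorted(p, key=PHASE_INDEX.__getitem__) for asset, p in seen.items()}


def deepest_phase(phases):
    """The furthest phase the adversary is known to have reached."""
    return max(phases, key=PHASE_INDEX.__getitem__)


def detection_gaps(phases):
    """Phases between the first and the deepest observed phase that raised no
    alert: stages the adversary passed unnoticed. Each gap marks a point where
    the chain could have been broken earlier than it actually was."""
    lo = PHASE_INDEX[min(phases, key=PHASE_INDEX.__getitem__)]
    hi = PHASE_INDEX[deepest_phase(phases)]
    observed = set(phases)
    return [name for _, name in CHAIN[lo:hi + 1] if name not in observed]


def summarize(lines):
    """Per asset: observed phases, which of the three chains the deepest phase
    belongs to, and the undetected phases in between."""
    report = {}
    for asset, phases in correlate(lines).items():
        deep = deepest_phase(phases)
        report[asset] = {"phases": phases, "deepest": deep,
                         "chain": PHASE_CHAIN[deep], "gaps": detection_gaps(phases)}
    return report


# Constructed alerts: a phishing foothold on an operator workstation that ends in
# an unexpected Modbus write on an HMI, plus an unrelated scan of a public host.
SAMPLE_ALERTS = [
    "50|www-public|port_scan",
    "100|ws-ops-07|phishing_attachment",
    "160|ws-ops-07|exploit_cve_trigger",
    "300|ws-ops-07|beacon_periodic_dns",
    "420|scada-hmi-01|smb_admin_share_login",
    "480|scada-hmi-01|modbus_write_coil_unexpected",
    "500|ws-ops-07|some_vendor_noise_rule",
]

if __name__ == "__main__":
    for asset, info in summarize(SAMPLE_ALERTS).items():
        print(asset, info)
```

On the sample data the workstation shows Delivery, Exploitation and Command & Control with Installation unseen, and the HMI shows Lateral Movement jumping straight to Execute ICS Attack: the whole develop/test/deliver/install part of the ICS chain happened without any alert, which is the kind of finding that should drive where new detection is placed.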

3.2 Railway cybersecurity OSA-CBM overview

The proposed railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) framework delivers cybersecurity information from a technological point of view. This cybersecurity information flow is closely modelled on the open system architecture for condition-based maintenance, developed in accordance with the functional specifications of ISO 13374 on the condition monitoring and diagnostics of machinery [59]. It is considered one of the most important standards for eMaintenance systems [60]. The railway sector also advocates Smart Maintenance Initiatives [61] and uses ICT in maintenance to develop artifacts (e.g., frameworks, tools, methodologies, and technologies) to support maintenance decision-making [62]. The adoption of ICT in railway maintenance makes it vulnerable to cyber threats. Thus, there is a need for standards or frameworks that can help minimize these threats.

The OSA-CBM standard can be modified and adapted for use in the railway to deliver cybersecurity information. The modified cybersecurity OSA-CBM architecture has eight layers: cyber events data acquisition, data processing, data analysis, incident detection, incident assessment, incident prognostics, decision support, and visualization. Table 1 shows the mapping between OSA-CBM based on the ISO 13374 standard and the cybersecurity information delivery system (modified cybersecurity OSA-CBM architecture).

Table 1 A mapping between OSA-CBM based on ISO-13374 standard and cybersecurity information delivery system (modified cybersecurity OSA-CBM architecture)

OSA-CBM layer: Data Acquisition. Provides the CBM system with digitized sensor or transducer data.
Railway cybersecurity OSA-CBM layer: Data Acquisition. Provides the railway system with cyber event occurrence data that can be acquired from internal and external threat intelligence, network traffic and the history of cyber event logs.

OSA-CBM layer: Data Manipulation. This step corresponds to the data preparation stage in a normal data mining process. Techniques such as data cleansing, feature selection, feature extraction, and standardization can be applied to process the raw data for analysis.
Railway cybersecurity OSA-CBM layer: Data Processing. This layer involves all the activities needed to build the final dataset from the raw data. For example, an IP address may be stored in dotted-quad notation, or it may have been geo-located into a latitude and longitude pair that is stored in a single field separated by a comma.

OSA-CBM layer: (no direct counterpart).
Railway cybersecurity OSA-CBM layer: Data Analysis. This layer involves the analysis of data, such as user behavior analytics, network behavior analytics, and end-point analytics, using machine-learning algorithms. The predicted results are fed back to the data sources and used during the detection phase of the architecture.

OSA-CBM layer: State Detection. This step focuses on comparing data with expected values or control limits; an alert is triggered if these limits are exceeded.
Railway cybersecurity OSA-CBM layer: Incident Detection. This layer involves the application of RDKC for the detection of cyber incidents within the railway system.

OSA-CBM layer: Health Assessment. The focus of this step is to determine whether the health of the monitored system has degraded. It should be able to generate diagnostic records and propose fault possibilities.
Railway cybersecurity OSA-CBM layer: Incident Assessment. This layer is a proactive approach with a focus on prevention and preparation. It performs a qualitative assessment of cybersecurity incidents with cause-effect analysis and lessons-learned activities and focuses on determining the level or severity of the cyber events. It should also consider the trends of the event history along with its operational context, which helps identify early indicators for statistically predicting potential future cyber-threats.

OSA-CBM layer: Prognostics. The focus of this step is to calculate the future health of an asset and report the remaining useful life (RUL) of that asset.
Railway cybersecurity OSA-CBM layer: Incident Prognostics. This layer uses machine learning prognostic models to anticipate future cyber incidents on the system and estimate the remaining secure life of the system given the cyber-attacks against it.

OSA-CBM layer: Advisory Generation. Its focus is to generate recommended actions and alternatives based on the predictions of the future states of the asset.
Railway cybersecurity OSA-CBM layer: Decision Support. This layer involves recommendations and remedial actions based on the predictions of the future states of the system. These actions may include the immediate shutdown of the system, restoring from back-ups or use of antivirus, etc. Examples of available tools cited as decision support systems in the cybersecurity domain (most of them vulnerability and network scanners whose output feeds the decision) are Nexpose, Nessus Home, Security System Analyzer 2.0 Beta, OpenVAS, Saint8, Nmap, eEye Retina, QualysGuard, and nCircle IP360.

OSA-CBM layer: Presentation. This step provides an interactive human-machine interface (HMI) to visualize pertinent data, information and results obtained in previous steps.
Railway cybersecurity OSA-CBM layer: Visualization. This layer involves an interactive human-machine interface (HMI) that facilitates visualization of analyzed cybersecurity information by qualified personnel.

Figure 3 shows the proposed cybersecurity information delivery framework to identify, predict, prevent and detect cyber threats and communicate them to internal and external railway organizations.

This research integrates existing technologies, standards, frameworks, models, and methodologies to minimize the risks of cyber-attacks in the railway system. To capture the dynamically changing trend of cyber events, vast amounts of data can be collected via network traffic, threat intelligence and historical cyber event logs using the data sources and technologies shown in Figure 3. The extended cyber kill chain and the ICS cyber kill chain can be applied to detect cyber incidents, together with various data analysis techniques (e.g., machine learning, data mining, etc.) to assess and predict cyber incidents within the railway system, thereby feeding the decision support system.
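To make the Data Processing and Data Analysis layers of Table 1 concrete, here is an added Python example (mine, not from the paper or the OSA-CBM standard). It takes constructed firewall records of the kind the table describes, with IP addresses in inconsistent dotted-quad notation and the geo-location stored as one "lat,lon" field, builds a clean dataset, and then runs a simple network behavior analytic (distinct destination ports per source against a median/MAD baseline) whose positive results would enter the Incident Detection layer as Reconnaissance. The log format, the sample records and the threshold rule are assumptions made for the example.

```python
"""Added example (not from the paper): Data Processing and Data Analysis layers
of the railway cybersecurity OSA-CBM, on constructed firewall records."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed raw records in 'ts,src,dst,dport,geo' form. They carry the defects
# the Data Processing layer has to handle: a source written with leading zeros,
# the geo-location as a single quoted "lat,lon" field, and one malformed line.
RAW_LOG = """\
ts,src,dst,dport,geo
1001,010.001.002.003,192.168.10.20,22,"65.58,22.15"
1002,10.1.2.3,192.168.10.20,80,"65.58,22.15"
1003,10.1.2.3,192.168.10.21,443,"65.58,22.15"
1004,10.1.2.4,192.168.10.30,443,"65.58,22.15"
1005,10.1.2.4,192.168.10.30,443,"65.58,22.15"
1006,10.1.2.4,192.168.10.30,443,"65.58,22.15"
1007,10.1.2.5,192.168.10.31,22,"65.58,22.15"
1008,10.1.2.5,192.168.10.31,8080,"65.58,22.15"
1009,203.0.113.9,192.168.10.20,21,"37.77,-122.41"
1010,203.0.113.9,192.168.10.20,22,"37.77,-122.41"
1011,203.0.113.9,192.168.10.20,23,"37.77,-122.41"
1012,203.0.113.9,192.168.10.20,25,"37.77,-122.41"
1013,203.0.113.9,192.168.10.20,80,"37.77,-122.41"
1014,203.0.113.9,192.168.10.20,135,"37.77,-122.41"
1015,203.0.113.9,192.168.10.20,443,"37.77,-122.41"
1016,203.0.113.9,192.168.10.20,3389,"37.77,-122.41"
1017,not-an-ip,192.168.10.20,80,"0,0"
"""


def normalize_ipv4(text):
    """Canonical dotted-quad form, so '010.001.002.003' and '10.1.2.3' are one
    source. Without this, a scanner could split its own activity across names."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not dotted-quad: {text!r}")
    octets = [int(p) for p in parts]  # int() rejects non-digit octets
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return ".".join(str(o) for o in octets)


def split_geo(field):
    """Split the single 'lat,lon' field into two typed columns."""
    lat, lon = (float(x) for x in field.split(","))
    return lat, lon


def process(raw):
    """Data Processing layer: typed, normalized rows; malformed rows are
    counted and dropped rather than silently passed to analysis."""
    rows, rejected = [], 0
    for rec in csv.DictReader(io.StringIO(raw)):
        try:
            lat, lon = split_geo(rec["geo"])
            rows.append({"ts": int(rec["ts"]), "src": normalize_ipv4(rec["src"]),
                         "dst": normalize_ipv4(rec["dst"]),
                         "dport": int(rec["dport"]), "lat": lat, "lon": lon})
        except (ValueError, KeyError):
            rejected += 1
    return rows, rejected


def distinct_ports_per_source(rows):
    ports = defaultdict(set)
    for r in rows:
        ports[r["src"]].add(r["dport"])
    return {src: len(p) for src, p in ports.items()}


def analyze(rows, k=3.0):
    """Data Analysis layer: network behavior analytic. A source whose distinct
    destination-port count exceeds median + k*MAD of all sources is reported as
    Reconnaissance. MAD is floored at 1.0 so that a baseline in which nearly all
    sources look alike (MAD = 0) does not flag everything above the median."""
    counts = distinct_ports_per_source(rows)
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    threshold = med + k * max(mad, 1.0)
    return [{"src": src, "distinct_ports": n, "threshold": threshold,
             "phase": "Reconnaissance"}
            for src, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    clean, bad = process(RAW_LOG)
    print(f"{len(clean)} rows kept, {bad} rejected")
    for finding in analyze(clean):
        print(finding)
```

On the sample data the baseline is median 2.5 and MAD 1.0 across four sources, so the threshold is 5.5 distinct ports; only 203.0.113.9 (eight ports on one host) is reported, and the malformed line is rejected rather than polluting the baseline.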

There is a feedback loop after cyber incidents are detected; countermeasures can be reconsidered to minimize similar types of future cyber-attacks. As we move towards the 2020s, attackers are rapidly adopting new techniques and strategies to circumvent new security measures and evade detection. There is a need to shift towards resilience, the ability to recover quickly from adversities, supported by advanced security solutions such as automated anomaly detection, cloud-based back-ups, disaster recovery services, security-by-design, and self-healing.

This research uses the railway as a case study and proposes a cybersecurity framework adapted and modified from the OSA-CBM framework. It also proposes a railway defender kill chain (RDKC) that offers defensive controls at each stage of LM's cyber kill chain, the extended cyber kill chain, and the ICS cyber kill chain. RDKC involves defense-in-depth security, cybersecurity standards and resources, and an RDKC matrix. The RDKC matrix is explained in the results section.

3.3 Defense-in-Depth Security

Defense-in-depth (DiD) is a cybersecurity approach with multi-layered defensive mechanisms to protect valuable railway data and information. Its layered security is like the Swiss cheese model [63] used in risk analysis and risk management. Railway organizations need to develop more complete and more elaborate proactive defensive mechanisms. The benefit of this type of multi-layered approach is that if one defensive mechanism fails, another takes over immediately. The purpose of the defense-in-depth approach is to defend a system against any particular attack using several independent methods. Different researchers define the layers differently. For example, Starrett [64] deploys a triple-layered defense to control access, infrastructure and data. The NSA layers [65] are people, technology and operations, whereas the IndustryWeek layers [66] are device, application, computer, network and physical layer. These multi-layered defensive mechanisms do not provide perfect security, but they raise the effort an attacker must spend and give the defender more opportunities to detect the intrusion.

Figure 3 Cybersecurity information delivery framework to predict, prevent and detect cyber incidents in railway, adapted and modified from OSA-CBM framework (Holmberg [60]).
Only the labels of the figure survive extraction. Railway Defender's Kill Chain (RDKC), made up of: Defense-In-Depth Security; RDKC Matrix (a schematic of CKC phases against courses of action COA1, COA2, ..., with security controls, SC, in the cells); Private Sector Resources for Sharing Information; Railway Policies/Procedures/Practices; Available Cybersecurity Standards and Technologies; Railway Specific Cybersecurity Standards. Cyber Kill Chains, numbered 1–17 in the figure: External Cyber Kill Chain (External Reconnaissance, Weaponize, Delivery, Exploitation, Installation, Command & Control, Act); Internal Cyber Kill Chain (Internal Reconnaissance, Internal Exploitation, Privilege Escalation, Lateral Movement, Target Manipulation); ICS Cyber Kill Chain (Develop, Test, Deliver, Install, Execute ICS Attack). Railway Cybersecurity OSA-CBM layers: Cyber Events Data Acquisition, Data Processing, Data Analysis, Incident Detection, Incident Assessment, Incident Prognostics, Decision Support, Visualization. Data Sources and Technologies attached to those layers: System Log Events, Network Traffic, Internal and External Threat Intelligence (acquisition); User behavior analytics, Network behavior analytics, End-point analytics (analysis); Criticality Analysis (assessment); Machine Learning Prognostic Models (prognostics); Decision Support System in Cybersecurity (Nexpose, Nessus Home, OpenVAS, Saint8, Nmap) (decision support).

4 Results and Discussion

This section explains how the Railway Defender Kill Chain (RDKC) matrix provides security controls at each stage of the CKC using various courses of action.

4.1 Railway Defender Kill Chain (RDKC) Matrix

The convergence of IT and OT technology in the railway has brought significant benefits but at the same time has made it vulnerable to cyber threats. This vulnerability also depends on the maturity of the integration of IT with OT; e.g., ERTMS (European Rail Traffic Management System) level 3, which is fully digital, is more exposed to cyber threats. The operational goals of IT security are confidentiality, integrity, and availability (CIA), and the operational goals of OT security are safety, reliability, and availability (SRA) [67]. OT security generally deals with industrial control systems (ICS) like SCADA systems. The rationale of this research is to introduce a railway defender kill chain that considers security controls related to both IT and OT technologies. RDKC involves defense-in-depth security, cybersecurity standards and resources, and an RDKC matrix. The RDKC matrix describes the logic a defender uses to stop the attack by breaking the cyber kill chain at any point, implementing appropriate IT/OT security controls from Table 2. Table 2 thus shows security controls at each stage of the CKC; these defensive controls, together with the courses of action, will help railway organizations predict, prevent, detect and respond to cyber-attacks. The main objective of the defender is to stop or minimize the risk of a cyber-attack at the initial stage of the CKC by applying security controls from the RDKC matrix. Cells in the matrix can be viewed as characterizing the type of effect a given defensive control could have on a CKC phase. The Reconnaissance – Detect cell, for instance, is at the intersection of the detect tactic and the
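The Reconnaissance – Detect cell described above is one lookup in the matrix; the checks a defender actually wants are "which controls do I still lack at the phase where the chain should be broken" and "which cells of the matrix can I not exercise at all". The Python below is an added example, not the paper's code. The controls come from the rows of Table 2 that survive extraction, but their assignment to columns is my assumption (guided by the course-of-action matrix of Hutchins et al. [28]), as are the deployed-control set and the restriction to the first three rows.

```python
"""Added example (not from the paper): query an RDKC-style CoA matrix for
missing controls and for cells the defender cannot exercise."""

# Column order of the RDKC matrix (Table 2).
COAS = ["Predict", "Prevent", "Detect", "Recover",
        "Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]

# Rows in chain order; only the rows recoverable from Table 2 are modelled.
PHASE_ORDER = ["Reconnaissance", "Weaponize", "Delivery"]

# ASSUMED placement of Table 2's controls into columns. Cells the matrix leaves
# empty (e.g. Destroy everywhere, Recover here) are simply absent.
RDKC = {
    "Reconnaissance": {
        "Predict": ["User behavior analytics", "Network behavior analytics",
                    "End-point analytics"],
        "Prevent": ["Firewall ACL", "Denial of port scanning",
                    "Cybersecurity education and awareness"],
        "Detect": ["NIDS", "Web analytics", "Threat intelligence", "SIEM"],
        "Deny": ["Firewall ACL", "Physical locks on critical server rooms"],
        "Degrade": ["Network obfuscation", "Logical segmentation"],
        "Deceive": ["HoneyPot", "HoneyNet"],
    },
    "Weaponize": {
        "Predict": ["Shared threat information", "Vulnerability intelligence"],
        "Prevent": ["System and application patching", "Application obfuscation"],
        "Detect": ["NIDS", "Threat information sharing"],
        "Deny": ["NIPS"],
        "Deceive": ["Fake weaponized code to attract adversaries"],
    },
    "Delivery": {
        "Prevent": ["Block known attack sources (IoA/IoC)",
                    "Prohibit USB use on critical systems",
                    "Isolate control-system networks from the Internet"],
        "Detect": ["NIDS", "Network analysis", "Vigilant users",
                   "Endpoint malware protection"],
        "Deny": ["Firewall", "ACL", "RBAC limiting access to SCADA or ETCS",
                 "Port knocking"],
        "Disrupt": ["Two-person rule for remote maintenance commands"],
    },
}


def controls_for(phase, coa):
    """One cell of the matrix; an empty list means the matrix offers no option
    of that type for that phase."""
    return list(RDKC.get(phase, {}).get(coa, []))


def earliest_phase(observed):
    """Where to break the chain: the earliest observed phase in chain order."""
    known = [p for p in observed if p in PHASE_ORDER]
    if not known:
        raise ValueError("no phase from the matrix was observed")
    return min(known, key=PHASE_ORDER.index)


def recommend(phase, deployed):
    """For one phase, every populated CoA with the controls not yet deployed,
    in the matrix's column order."""
    out = []
    for coa in COAS:
        cell = controls_for(phase, coa)
        if cell:
            out.append((coa, [c for c in cell if c not in deployed]))
    return out


def coverage_gaps(deployed):
    """Cells where the matrix offers controls but none is deployed: the courses
    of action the defender cannot currently take at that phase."""
    gaps = {}
    for phase in PHASE_ORDER:
        gaps[phase] = [coa for coa in COAS
                       if controls_for(phase, coa)
                       and not any(c in deployed for c in controls_for(phase, coa))]
    return gaps


# ASSUMED control inventory of a hypothetical railway operator.
DEPLOYED = {"Firewall ACL", "NIDS", "SIEM", "System and application patching",
            "Endpoint malware protection"}

if __name__ == "__main__":
    phase = earliest_phase(["Delivery", "Weaponize"])
    print("break the chain at:", phase)
    for coa, missing in recommend(phase, DEPLOYED):
        print(f"  {coa}: missing {missing}")
    print("uncovered cells:", coverage_gaps(DEPLOYED))
```

Note that coverage is judged by exact control names, so the inventory has to use the matrix's vocabulary (here "Firewall" in the Delivery row does not match the deployed "Firewall ACL"); in practice one keeps a mapping from the matrix's names to the operator's own asset register.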

Table 2 RDKC Matrix (modified from Hutchins et al. [28], Tarnowski [69], and Malone [70])

The matrix has the CKC steps as rows and the response courses of action as columns: Predict, Prevent, Detect, Recovery, Deny, Disrupt, Degrade, Deceive and Destroy. The column each control sits in did not survive extraction, so the controls are listed per CKC step in the order they appear in the original.

External cyber kill chain

External Reconnaissance:
• User behavior analytics
• Network behavior analytics
• End-point analytics
• DPI
• NIPS
• Denial of port scanning
• Firewall ACL
• Cybersecurity education and awareness of the railway workforce, including IT and OT security personnel
• Sensitive and confidential data securely disposed of
• Security by design
• NIDS
• HoneyPot
• Web analytics
• Threat intelligence
• Video surveillance
• SIEM
• Scan the railway network internally and externally using vulnerability-scanning tools
• Penetration testing
• Firewall ACL
• Physical locks on critical server rooms
• System and service hardening
• Network obfuscating
• Logical segmentation
• HoneyNet
• Timeout
• HoneyPot

Weaponize:
• Shared threat information
• Penetration testing
• Application obfuscation
• System and application patching
• Version hidden
• NIPS
• NIDS
• Threat information sharing
• Vulnerability intelligence
• Honeypots
• Identify weaponization attributes to prevent attacks reaching later stages
• NIPS
• Hardening
• Version obfuscating
• Application obfuscation
• Disabling unused services
• Fake weaponized code to attract adversaries

Delivery:
• Block known sources of attacks and compromise (indicators of attack (IoA) and indicators of compromise (IoC))
• NIPS
• Firewall
• Port knocking
• ACL
• RBAC to limit who has access to the SCADA or ETCS
• Two-person rule for initiating remote maintenance commands
• Change fabric settings
• Network traffic disabled
• Update secure sockets layer (SSL) encryption protocols (in current deployments this means TLS 1.2 or later; SSL itself is deprecated)
• Prohibit the use of USBs on railway critical systems
• Isolate networks serving critical functionality, such as control systems, from the Internet
• NIDS
• Firewall
• Network analysis
• Vigilant users
• Context-aware
• Endpoint malware protection
• Blo… (the remainder of this row and the following rows of Table 2 are cut off in the extracted text)

cked

atte

mpt

sal

ert

•D

etec

tan

omal

ous

com

man

dsno

tst

emm

ing

from

the

norm

alR

emot

eC

ontr

olC

ente

r•

DPI

tode

tect

traf

fican

dex

trac

tuse

ful

met

adat

asu

chas

MA

Cad

dres

ses

•Pr

oxy

Filte

r•

Ant

i-vi

rus

•W

ebbr

owse

rsan

dpl

ug-i

nsm

ustb

eup

-to-

date

•H

arde

ning

•In

-lin

eA

nti-

viru

s

•M

anda

tory

Inte

grity

•E

mai

lQ

ueui

ng

•H

oney

Pot

(Con

tinu

ed)

64 R. Kour et al.

Tab

le2

Con

tinue

dR

espo

nse

CoA

and

CK

CSt

eps

Pred

ict

Prev

ent

Det

ect

Rec

over

yD

eny

Dis

rupt

Deg

rade

Dec

eive

Des

troy

Exp

loita

tion

Cor

rela

teflo

ws

and

bloc

km

alic

ious

beha

vior

ofde

vice

s

•U

ser

awar

enes

str

aini

ng•

Secu

reco

ding

trai

ning

for

web

deve

lop-

ers

•L

ocal

sand

box

•Sy

stem

and

appl

i-ca

tion

upda

tes

•Se

curi

tyto

olki

ts•

Tur

nop

erat

ing

Syst

emup

date

ON

•H

IDS

•E

ndpo

int

Mal

war

ePr

otec

tion

•Pr

oact

ive

pene

trat

ion

test

ing

for

appl

icat

ion

and

oper

atin

gsy

stem

vuln

erab

il-iti

es

•C

yber

poli-

cies

/pro

cedu

res

•C

yber

law

s•

Isol

atio

nof

infe

cted

devi

ces

•D

ata

loss

prev

entio

n(D

LP)

tech

nolo

gy•

Con

tinui

tyof O

pera

tions

Plan

•D

isas

ter

Rec

over

yO

pera

tions

Plan

•Fo

rens

ic

•Pa

tch

and

upda

teth

esy

stem

•U

sede

dica

ted

anti

ran-

som

war

eut

il-ity

/blo

cker

•H

arde

ning

•D

EP

•C

onfig

urat

ion

auto

-rol

lbac

k•

TAR

PIT

•R

emov

ere

mot

ead

min

istr

atio

nca

pabi

litie

sfr

omw

ebpl

atfo

rms

Hon

eyPo

t

Railway Defender Kill Chain to Predict and Detect Cyber-Attacks 65

Inst

alla

tion

Aut

omat

ical

lyis

olat

ein

fect

edde

vice

sto

prev

ent

hori

zont

alsp

read

•C

yber

secu

rity

educ

atio

nan

daw

aren

ess

•H

IPS

•A

pplic

atio

nW

hite

listin

g

•C

yber

secu

rity

educ

atio

nan

daw

aren

ess

•G

ener

ate

alar

ms

for

unau

thor

ized

acce

ssto

railw

aycr

itica

lsy

stem

s•

HID

S•

Mod

ifica

tion

and

chan

geal

erts

/ala

rms

•IP

Sona

r•

Che

ckm

essa

gein

tegr

ity(d

igita

lsi

gnat

ures

)of

com

man

dsan

dda

tare

ceiv

edby

the

netw

ork

com

pone

nts

•C

onfig

urat

ion

chec

k•

Acc

ess

logs

•E

DR

•C

hroo

tjai

l•

Mul

ti-fa

ctor

auth

entic

atio

nto

gain

acce

ssto

sens

itive

railw

ayin

form

atio

n•

Secu

repa

ssw

ord

•A

uthe

ntic

ate

user

sso

that

phys

ical

acce

ssto

the

railw

ayas

set(

s)do

esno

tau

tom

atic

ally

gran

tlo

gica

lacc

ess

•A

ppen

dau

then

ticat

ion

data

(mes

sage

auth

entic

atio

nco

de(M

AC

)or

digi

tal

sign

atur

e)to

the

balis

es•

Rem

ove

hard

code

dcr

eden

tials

onra

ilway

CM

MS

•R

equi

reap

prov

edcr

ypto

grap

hic

algo

rith

ms

for

auth

entic

atio

nan

dm

essa

gein

tegr

ityon

the

railw

aysi

gnal

ling

netw

ork

•H

arde

ning

•A

ntiv

irus

•C

onfig

urat

ion

auto

-rol

lbac

k•

TAR

PIT

•H

oney

Pot

•D

NS

redi

rect

ED

R

(Con

tinu

ed)

66 R. Kour et al.

Tab

le2

Con

tinue

dR

espo

nse

CoA

and

CK

CSt

eps

Pred

ict

Prev

ent

Det

ect

Rec

over

yD

eny

Dis

rupt

Deg

rade

Dec

eive

Des

troy

Com

man

d&

Con

trol

(C2)

•C

orre

late

netw

ork

traf

ficag

ains

tkno

wn

IoC

s•

Aut

omat

ical

lyis

olat

ein

fect

edde

vice

s

•W

hite

listin

gfir

ewal

l•

IPS

•N

IDS

•SI

EM

•T

hrea

tin

telli

genc

efe

ed•

Inte

rnal

reco

nnai

s-sa

nce

Fire

wal

lAC

LN

IPS

Tarp

it•

DN

Sre

dire

ct•

Hon

eypo

tsto

redi

rect

susp

icio

usne

twor

ktr

affic

tolo

cal

trap

s

ED

R

Act

onO

bjec

tive

•A

sses

sda

mag

eby

anal

yzin

gne

twor

ktr

affic

befo

rean

daf

ter

the

infe

ctio

n

•D

ata

loss

prev

entio

n(D

LP)

tech

nolo

gy•

Con

figur

eem

ail

syst

ems

and

web

prox

ies

topr

even

tse

nsiti

vean

dco

nfide

ntia

lrai

lway

data

from

bein

gse

nt•

Blo

ckac

cess

tosi

tes

that

faci

litat

eda

tatr

ansf

er•

Tur

nof

fco

py/p

aste

over

rem

ote

desk

top

conn

ectio

ns•

Dat

a-at

-res

ten

cryp

tion

sche

mes

•L

ogan

alys

is•

Impl

emen

tin

tern

alID

S,IP

San

dot

her

cont

rols

with

inth

era

ilway

netw

ork

tode

tect

and

miti

gate

unau

thor

ized

late

ral

mov

emen

t

Out

boun

dA

CL

Qua

lity

ofSe

rvic

eth

rottl

eH

oney

Pot

Railway Defender Kill Chain to Predict and Detect Cyber-Attacks 67

Internal

cyberkillchain

Inte

rnal

reco

nnai

ssan

ceU

sean

IPS

toch

eck

for

any

activ

esc

anal

erts

Use

host

-bas

edin

trus

ion

dete

ctio

nsy

stem

engi

nefo

ral

ertin

g

Inte

rnal

expl

oita

tion

Patc

h&

vuln

erab

ility

man

agem

ent

End

poin

tpro

tect

ion

Ent

erpr

ise

priv

ilege

esca

latio

n

Seta

lert

sfo

rad

ditio

nor

dele

tion

toad

min

user

grou

pB

ehav

iora

lana

lytic

s

Lat

eral

mov

emen

tSe

gmen

ted

secu

rity

zone

sat

all

laye

rs

•V

ulne

rabi

lity

scan

ning

•B

ehav

iora

lana

lysi

sof

succ

essf

ullo

gin

even

ts

Dec

oyse

rver

s

Targ

etm

anip

ulat

ion

•H

ostl

evel

log

anal

ysis

ICScyberkillchain

ICS

atta

ckde

velo

pmen

tand

test

ing

•R

estr

icta

cces

sto

docu

men

tatio

nan

dsp

ecifi

catio

ns•

Har

den/

obfu

scat

eap

plic

atio

nsto

mak

ere

vers

ing

diffi

cult

•A

cces

spa

ttern

s•

Wor

king

offli

ne

Del

iver

HIP

SH

IDS

Dat

adi

ode

Inst

all

App

licat

ion

sign

ing

•Fi

lein

tegr

ityM

onito

ring

•R

edun

dant

proc

essi

ngsy

stem

sD

ata

diod

e

(Con

tinu

ed)

68 R. Kour et al.

Tab

le2

Con

tinue

dR

espo

nse

CoA

and

CK

CSt

eps

Pred

ict

Prev

ent

Det

ect

Rec

over

yD

eny

Dis

rupt

Deg

rade

Dec

eive

Des

troy

Exe

cute

•Fo

rens

ics

•B

reac

hin

sura

nce

Exp

lana

tion

sof

theTab

le2:

ACL:

Acc

ess

cont

roll

isti

sus

edto

filte

rin

com

ing

and

outg

oing

traf

ficin

the

netw

orks

bya

rout

er.

DEP:

Dat

aex

ecut

ion

prev

entio

nm

onito

rsan

dse

nds

ano

tifica

tion

ifso

meo

netr

ies

toex

ecut

em

alic

ious

code

in”n

on-e

xecu

tabl

e”m

emor

ylo

catio

ns.

EDR:

End

poin

tde

tect

ion

and

resp

onse

isan

emer

ging

tech

nolo

gyth

atde

tect

sm

alic

ious

activ

ities

byco

ntin

uous

lym

onito

ring

endp

oint

and

netw

ork

even

tsan

dre

spon

ding

toad

vanc

edth

reat

s.H

arde

ning

:Sec

urin

gsy

stem

byre

duci

ngits

surf

ace

ofvu

lner

abili

ty.

HID

S:H

ost-

base

din

trus

ion

dete

ctio

nsy

stem

exam

ines

spec

ific

host

-bas

edac

tions

,lik

em

alic

ious

atte

mpt

sto

rew

rite

afil

e.HIPS:

Hos

t-ba

sed

intr

usio

npr

even

tion

syst

emev

alua

tes

pack

ets

befo

reth

eyar

eal

low

edto

ente

ra

com

pute

r.H

oney

Net:

Ane

twor

kse

tup

with

inte

ntio

nal

vuln

erab

ilitie

s,co

ntai

ning

one

orm

ore

hone

ypo

ts(m

echa

nism

set

tode

tect

,de

flect

orin

som

em

anne

rco

unte

ract

atte

mpt

sat

unau

thor

ized

use

ofin

form

atio

nsy

stem

s).

RBAC:

Rol

e-B

ased

Acc

ess

Con

trol

isa

met

hod

ofre

stri

ctin

gsy

stem

acce

ssto

unau

thor

ized

user

s.PortKno

cking:

Am

etho

dof

exte

rnal

lyop

enin

gpo

rts

byge

nera

ting

aco

nnec

tion

atte

mpt

ona

seto

fpr

e-sp

ecifi

edcl

osed

port

s.DPI:

Dee

pPa

cket

Insp

ectio

nis

are

al-t

ime

filte

ring

tech

niqu

e.ID

S:In

trus

ion

dete

ctio

nsy

stem

prov

ides

prev

entiv

ese

curi

tyag

ains

tany

susp

icio

usac

tivity

thro

ugh

earl

yw

arni

ngs.

IPS:

Intr

usio

npr

even

tion

syst

emis

desi

gned

toin

spec

tatta

ckda

taan

dta

keth

eco

rres

pond

ing

actio

n,lik

ebl

ocki

ngda

ta.

NID

S:N

etw

ork-

base

din

trus

ion

dete

ctio

nsy

stem

anal

yzes

netw

ork

traf

ficfo

rsu

spic

ious

beha

vior

.NIPS:

Net

wor

k-ba

sed

intr

usio

npr

even

tion

syst

emev

alua

tes

traf

ficbe

fore

itis

allo

wed

into

ane

twor

kor

subn

et.

Obfuscating

:A

delib

erat

eac

tof

mak

ing

som

ethi

ngdi

fficu

ltto

unde

rsta

nd.

Outbo

undACL

:AC

Lis

plac

edin

the

exit

inte

rfac

ean

dfil

ters

the

traf

ficaf

ter

the

rout

erm

akes

afo

rwar

dde

cisi

on.

Sand

box:

Test

sun

veri

fied

prog

ram

sth

atm

ayco

ntai

nvi

ruse

sor

mal

icio

usco

des.

ETCS:

Eur

opea

nT

rain

Con

trol

Syst

emis

anau

tom

atic

trai

npr

otec

tion

syst

em(A

TP)

tore

plac

eth

eex

istin

gna

tiona

lAT

P-sy

stem

s.ERTMS:

Eur

opea

nR

ailT

raffi

cM

anag

emen

tSys

tem

isst

anda

rdiz

edco

mm

unic

atio

nan

dsi

gnal

ling

syst

em.

CMMS:

Itis

com

pute

rize

dm

aint

enan

cem

anag

emen

tsys

tem

Datadiod

e:It

isa

hard

war

eth

atal

low

sin

form

atio

nflo

win

one

dire

ctio

non

ly.

Decoy

server

:Iti

sco

nfigu

red

toac

tas

ale

gitim

ate

serv

er.

Railway Defender Kill Chain to Predict and Detect Cyber-Attacks 69

reconnaissance phase of CKC; this means that to detect cyber incidents at thereconnaissance phase, we must employ the defensive controls noted in theReconnaissance – Detect cell. Technologies like Chroot Jail, DEP, FirewallACL, HIDS, Honeypot, In-line AV, NIDS, NIPS and Tarpit are defined inmore detail in a white paper by Force CI [68]. One of the advantages ofRDKC matrix is that it provides maximum defensive controls at one place tofollow quickly.

4.2 Case Study of CDOT Network Breach

To illustrate how a cyber-attack follows the extended cyber kill chain [25], this research uses the case study of ransomware infection in the computers of the Colorado Department of Transportation (CDOT). In March 2018, 2,000 CDOT computers were shut down because of a ransomware infection, SamSam [71, 72]. Unlike many ransomware attacks, SamSam is not distributed in spam emails. Instead, the attacker tries to avoid user interaction and takes a more direct route to infection. In the CDOT ransomware infection, the attacker identified open port 3389, exposing the remote desktop protocol (RDP), and gained access to the company's internal networks by brute-forcing the RDP connections (Figure 4). The impacted employee computers were running Windows and using McAfee security software. The attacker then tried to gain access to as many end-points on the same network as possible, manually running the SamSam ransomware to encrypt the files. In the last stage, the attacker demanded Bitcoin in exchange for the decryption key to unlock the system, but CDOT did not pay. As the railway is adopting advanced ICT technologies, it is becoming more vulnerable to cyber-attacks, making it essential to move towards security analytics and automation to predict, prevent, and detect security breaches and to quickly identify and respond to security events.

Figure 4 Cyber kill chain steps for SamSam virus using extended cyber kill chain [25].

[Figure 5 panels (a), (b) and (c), each showing the chain Reconnaissance, Weaponize, Delivery, Exploitation, Installation, Command & Control, Act on Objective]

Figure 5 Attack detection and prevention area and external chain break.

Figure 5(a–b) shows the attack detection area and chain break if the defender had approached security proactively. As noted above, the SamSam cyber-attack gained access by brute-forcing RDP connections, but cyber defenders could have proactively used the following security measures:

(a) A brute-force attack is very noisy and can be picked up by anomaly detection, behavior analytics, and monitoring systems at the reconnaissance stage of the cyber kill chain. Security controls from the reconnaissance-predict cell of the RDKC matrix can notice this attack, and the chain can be broken at the reconnaissance stage (Figure 5(a)).

(b) This attack can be stopped before the exploitation stage by patching the system and using security control from the exploitation-deny cell of the RDKC matrix (Figure 5(b)).

(c) The attack can also be stopped before the installation stage by two-factor authentication on externally facing applications and using security controls from the installation-deny cell of the RDKC matrix (Figure 5(c)).


Thus, to minimize the risk of an attack by malware or ransomware infection, the railway workforce must keep software updated, avoid phishing emails and maintain strong passwords.
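As an added example that is not part of the paper, the following Python detector models the proactive control of Figure 5(a): it counts RDP logon failures per source over a sliding window (the noisy reconnaissance stage) and escalates when a flagged source later logs in successfully (the chain has reached exploitation). The log format, thresholds and all events are constructed; the event ids and logon type only loosely follow the Windows security log.

```python
"""Added example (not from the paper): sliding-window detection of an RDP
brute force like the one in the CDOT case. Constructed log format:
<ISO timestamp> <event id> LogonType=<n> Src=<ip> User=<name>
where 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 20          # RDP failures from one source ...
WINDOW = timedelta(minutes=5)   # ... within this sliding window raise an alert
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Parse one constructed log line into typed fields."""
    ts, event_id, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.strptime(ts, TS_FMT),
            "id": int(event_id),
            "logon_type": int(fields.get("LogonType", 0)),
            "src": fields.get("Src", "?"),
            "user": fields.get("User", "?")}


def detect_rdp_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts. 'bruteforce': a source exceeded `threshold` RDP failures
    within `window` (reconnaissance stage, chain can still be broken here).
    'success_after_bruteforce': the same source then authenticated, so the
    attack has progressed and needs incident response, not prediction."""
    failures = defaultdict(deque)   # src -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for ev in (parse_event(line) for line in lines):
        if ev["logon_type"] != 10:
            continue                # only RemoteInteractive (RDP) logons matter here
        recent = failures[ev["src"]]
        if ev["id"] == 4625:
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()    # drop failures that fell out of the window
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"kind": "bruteforce", "src": ev["src"],
                               "failures": len(recent), "at": ev["ts"]})
        elif ev["id"] == 4624 and ev["src"] in flagged:
            alerts.append({"kind": "success_after_bruteforce", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


def constructed_log():
    """Constructed events: 30 rapid RDP failures from one source followed by a
    success, then a few ordinary failures from another source that stay
    below the threshold. Addresses are RFC 5737 documentation ranges."""
    base = datetime(2018, 2, 21, 3, 0, 0)
    lines = []
    for i in range(30):
        t = (base + timedelta(seconds=4 * i)).strftime(TS_FMT)
        lines.append(f"{t} 4625 LogonType=10 Src=203.0.113.7 User=administrator")
    t = (base + timedelta(seconds=125)).strftime(TS_FMT)
    lines.append(f"{t} 4624 LogonType=10 Src=203.0.113.7 User=administrator")
    for i in range(3):
        t = (base + timedelta(minutes=10 + i)).strftime(TS_FMT)
        lines.append(f"{t} 4625 LogonType=10 Src=198.51.100.9 User=jdoe")
    return lines


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(constructed_log()):
        print(alert)
```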

4.3 Cyber-Attack Scenarios in Railway Operation and Maintenance

With the advanced ICT technologies and tools (e.g., Internet of Things, Cloudification, Big Data Analytics, and Artificial Intelligence, etc.) being used in railway operation and maintenance, railway data are collected continuously and sent to the cloud for data analysis and visualization. The security of these data is very important because they will help build data-driven models for operation and maintenance. In addition, the convergence of IT and OT technology in the railway promises significant benefits in reliability, maintainability, operational efficiency, capacity, and passenger experience. But with this convergence, OT technology has the same risk exposures as those of IT practitioners. Thus, there is a need for the security of both IT and OT infrastructures. The following are a few examples of the vulnerabilities:

The signalling system carries critical information and turns it fully digital; it is centrally controlled, making it vulnerable to cyber threats. The system's ICT devices and components are generally interdependent, and any weakness in one linked element in the system (e.g., security gaps left open by system vulnerabilities, vulnerabilities in software or operating systems, or inappropriate security-related decisions by railway staff) can jeopardize the security and dependability of the whole system.

Railway electrification depends on the electric grid infrastructure for the power supply. Any disturbance in the power grid propagates to the whole railway system, causing an immediate stoppage of several trains.

The SCADA system provides centralized monitoring and control of the railway system. This system sends high-level operator commands to the rail section components based on condition monitoring. Any type of cyber-attack on this system will shut down train services and in extreme cases will cause accidents.

Table 3 lists some examples of cyber-attack scenarios in railway operation and maintenance along with their vulnerabilities, risks, and defensive controls.

Table 3 Examples of cyber-attack scenarios in railway operation and maintenance and defensive controls from RDKC matrix

Columns: Cyber-attack; Description; Vulnerabilities; Risks/Consequences; Defensive Controls; RDKC Matrix Cell. Each defensive control is followed by its RDKC matrix cell in parentheses.

Cyber-attack: Malicious attacks on railway network and infrastructure like: – Signalling – Rolling stock – Power supply – Databases – ICT
Description: A threat agent acting as a maintenance engineer requests physical and logical access to the railway enterprise network using malware. The threat agent installs remotely accessible malware allowing remote maintenance command and control of the network, accessible from any available Internet connection. Further, physical access can be achieved via poor locks, unlocked doors, stolen credentials or social engineering.
Vulnerabilities:
• Weak identity and access control management (physical and logical)
• Poor controls on software installation and integrity
• Inadequately protected Internet access to the railway enterprise network or ETCS system implementation
Risks/Consequences:
• Potential remote command and control capability by a threat agent
• Depending on the system's architecture and permissions, degraded railway performance
Defensive Controls:
• Require video surveillance (using deep learning) to document who enters the server room (Reconnaissance-Detect)
• Use RBAC to limit who has access to the railway enterprise network or ETCS system (Delivery-Prevent)
• Generate alerts of who has made software additions or modifications (Installation-Detect)
• Check software execution integrity, since software may be compromised when loaded for execution (Installation-Detect)
• Authenticate users so that physical access to the system(s) does not automatically grant logical access (Installation-Deny)
• Require multi-factor authentication to gain access to sensitive systems (Installation-Deny)
• Restrict configuration access to limit who has access and can make configuration changes (Installation-Detect)
• Create audit logs of who has made software additions or modifications (Act on Objective-Detect)

Cyber-attack: (as above)
Description: A threat agent gets access to IT or communications infrastructure via unauthorized access to destroy, disclose or modify railway data or disrupt railway services.
Vulnerabilities:
• Lack of access control
• Insecure communication protocol that allows unauthenticated changes to sensitive data
• Physical damage to IT or communications infrastructure
Risks/Consequences:
• Loss of data confidentiality, integrity and availability
• Unavailability of railway services
• Reputational damage to railway organization
• In worse case, train accident due to sending wrong signal
Defensive Controls:
• Detect anomalous patterns in the network (Reconnaissance-Detect, Delivery-Detect)
• Require multi-factor authentication (Installation-Deny)
• Use RBAC for administrative access, emergency access and shared accounts (Delivery-Prevent)
• Monitor anomalous access attempts as indicators of cybersecurity events (Delivery-Detect)
• Check message integrity (digital signatures) of commands and data received by the network components (Installation-Detect)

Cyber-attack: (as above)
Description: Balises provide no authentication guarantee; therefore, there is a possibility of malicious attack via the balise interface (by subverting existing balises or placing a new balise on the track).
Vulnerabilities: Open and accessible public railway infrastructure
Risks/Consequences:
• Failure to encounter a linked balise in the expected location will cause the train to halt
• Excessive commands from unlinked balises can create hazardous situations
Defensive Controls:
• Append authentication data (message authentication code (MAC) or digital signature) to the balises (Installation-Deny)

Cyber-attack: Credential theft attacks on railway assets like: – Databases – ICT
Description: A threat agent acquires railway computerized maintenance management system (CMMS) authentication credentials to visualize railway assets remotely.
Vulnerabilities:
• Hardcoded passwords
• Shared passwords and credentials
Risks/Consequences:
• Authenticity of railway CMMS credentials is compromised
• Unexpected and perhaps intermittent maintenance service loss
• Credibility loss
• Revenue loss
Defensive Controls:
• Require multi-factor authentication for privileged functionality (Installation-Deny)
• Verify absence of hardcoded credentials on railway CMMS (Installation-Deny)

Cyber-attack: "Man-in-the-middle" attacks on railway assets like: – Signalling – Rolling stock – Databases – ICT
Description: EuroRadio protocol uses a weak encryption algorithm to encrypt the messages.
Vulnerabilities: Possibility of exploiting cryptographic weaknesses in EuroRadio
Risks/Consequences: Weak cryptography exposes GSM-R communication messages on the Internet
Defensive Controls:
• Use deep packet inspection (DPI) to detect traffic and extract useful metadata, such as MAC addresses (Delivery-Detect)
• Update the SSL encryption protocols (like AES) (Delivery-Prevent)

Cyber-attack: Vulnerability/ransomware attacks on railway assets like: – ICT – Databases
Description: A threat agent is able to gain access to the railway system by exploiting a known vulnerability that has not yet been patched. The threat agent is unable to access the railway applications but can access other railway devices. The recent WannaCry and Petya ransomware strains exploited a vulnerability in unpatched systems.
Vulnerabilities:
• Improper or no change/configuration management for the timely deployment of patches and security updates
• Unpatched firewall and operating system
Risks/Consequences:
• Network shutdown
• Customer service unavailable
• Troubleshooting costs
Defensive Controls:
• Scan the railway network internally and externally by using vulnerability-scanning tools (Reconnaissance-Detect)
• Implement configuration management including a severity rating (critical, important, moderate, low) and timeframes for patching vulnerabilities based on severity (Exploitation-Deny, Exploitation-Degrade)
• Monitor access logs on critical systems and servers (Installation-Detect)
• Generate alarms for unauthorized access to railway critical systems (Installation-Detect)
• Update patches (Exploitation-Deny)

Cyber-attack: Denial of service (DoS) attacks on railway assets like: – Signalling – ICT – Databases – Rolling stock
Description: Cyber-attack on ERTMS/ETCS and railway enterprise network could bring down the ERTMS/ETCS system and railway Web services respectively.
Vulnerabilities:
• Data-driven property of ERTMS/ETCS
• Open communication channel, i.e. "through the air," using radio frequencies which are open and accessible in public railway infrastructure
Risks/Consequences:
• Delay or loss of GSM-R communication messages
• Stoppage or delay of trains
• Passenger discomfort
• Disruption of Web services for reservations or updates on delays
• Road traffic maps affected
Defensive Controls:
• Update SSL encryption protocols (Delivery-Prevent)
• Detect anomalous behaviour continuously (Delivery-Detect)
• Detect malicious activities by continuous monitoring of endpoint and network events using EDR technology (Installation-Detect)
• Use Web application firewall (Delivery-Detect)

Cyber-attack: Malicious attack on railway ICS system like: – SCADA
Description: A threat agent breaches a railway SCADA system and causes the SCADA system to issue unregistered or malicious commands. Since railway systems may react differently to invalid commands, the railway system experiences immediate service shutdown.
Vulnerabilities: Inadequate authentication and access control mechanisms
Risks/Consequences:
• Denial of service attacks
• Devices are remotely shut down, affecting train service
• Reconfigured instructions, data or code leading to more destructive and costly attacks
• In extreme case, possibility of train accident
Defensive Controls:
• Restrict remote access to the ETCS (Installation-Deny)
• Detect unauthorized connections captured in the communication patterns to and from the ETCS (Installation-Detect)
• Require approved cryptographic algorithms for authentication and message integrity on the railway signalling network (Installation-Deny)
• Provide cybersecurity training to SCADA system operators (Exploitation-Prevent)
• Authenticate users accessing the SCADA system (Installation-Prevent)
• Check integrity of messages issued by the SCADA system (Delivery-Degrade, Installation-Detect)

Cyber-attack: Insider attacks in railway assets like: – Signalling – Rolling stock – Power supply – Databases – ICT – SCADA
Description: An authorized maintenance team member within the railway maintenance, having valid authorization, issues a command for remote maintenance of a critical railway asset like SCADA.
Vulnerabilities: Inadequate system and process checks for railway critical assets
Risks/Consequences:
• Equipment damage/sabotage
• Temporary stoppage of trains
• Loss of customer confidence
• In worse case, accident may happen
Defensive Controls:
• Detect anomalous commands not stemming from the normal remote control center (Delivery-Detect)
• Use RBAC to limit who has access to sensitive functions (Delivery-Prevent)
• Require two-person rule that initiates remote maintenance command (Delivery-Prevent)
• Generate alarms to issue sensitive commands (Installation-Detect)
• Create audit logs to track who issues remote maintenance commands (Act on Objective-Detect)

Cyber-attack: (as above)
Description: An insider is able to gain access to the network to which an ETCS system is connected and to the ETCS's credentials, assuming credentials are in place. This individual compromises (malicious intent) or misconfigures (accidentally) the ETCS system.
Vulnerabilities:
• Firewalls non-existent or improperly configured, allowing access to the ETCS system by an unauthorized insider
• Weak network security architecture allowing access to the ETCS system
• No security monitoring on the railway signalling network
• Inadequate authentication and access control for configuration and programming software on the ETCS system
• Insecure remote access to the ETCS system
Risks/Consequences:
• Delay in taking maintenance and operation actions, when needed
• Incorrect maintenance and operation actions taken
• Cascading failures
• Train accident may happen
Defensive Controls:
• Restrict network service access at multiple layers to prevent unauthorized individuals from gaining access to the ETCS (Installation-Prevent)
• Restrict remote access to the ETCS (Installation-Deny)
• Detect unauthorized connections captured in the communication patterns to and from the ETCS (Installation-Detect)
• Require approved cryptographic algorithms for authentication and message integrity on the railway signalling network (Installation-Deny)

Explanations of Table 3: (RDKC matrix cell) This column is the value from the RDKC matrix cell. This matrix cell can be viewed as characterizing the types of effect a given defensive control could have on a CKC phase. For example, the Reconnaissance – Detect cell is at the intersection of the detect tactic and the reconnaissance phase of CKC; this means that in the reconnaissance phase, to detect cyber incidents, we must follow the defensive controls provided in the Reconnaissance – Detect cell.

4.4 How RDKC will Help to Reduce the Risk of Cyber-Attack: A Case of Railway SCADA Example

Consider an example of a multistage cyber-attack on a railway SCADA system (one of the scenarios from Table 3), in which a threat agent breaches the railway SCADA system and causes it to issue an unregistered or malicious command. To proactively reduce the risk of this attack, various courses of action from the RDKC matrix can be chosen (Figure 6). For example, to defend against the first stage (external reconnaissance), the defender may implement detection technologies such as NIDS or web analytics. In the second stage (weaponize), the defender may deceive the attacker by providing fake weaponized code or fake registration data. In the third stage (delivery), the defender may detect the attacker by using deep packet inspection. In the fourth stage (exploitation), the defender may prevent the attack by keeping systems and applications updated. In the fifth stage (installation), the defender may detect the attack by using an alarm/alert system. In the sixth stage (command & control), the defender may deceive the attacker by using DNS redirection or a honeypot. In the seventh stage (act), the defender may deny the attack by using outbound access control lists.

If the cyber-attack succeeds, the attacker may move to the eighth stage inside the network and start internal reconnaissance to search for available systems and map the internal network and its vulnerabilities (e.g. scanning the OT network to find Human Machine Interfaces). To defend against this, the defender may detect the activity by using HIDS for alerting. In the ninth stage (internal exploitation), the defender may prevent the attack by using patch and vulnerability management. In the tenth stage (privilege escalation), the defender may detect the attack by using behavioural analytics. In the eleventh stage (lateral movement), the defender may deceive the attacker by using decoy servers. In the twelfth stage (target manipulation), the defender may detect the attack by using host-level log analysis. If the attacker succeeds in manipulating the railway SCADA system, they will gain access to the physical system via new vulnerabilities. Thus, in the thirteenth and fourteenth stages (develop and test), the defender may prevent the attack by hardening/obfuscating applications to make reverse engineering difficult. In the fifteenth stage (deliver), the defender may detect the attack by using HIDS. In the sixteenth stage (install), the defender may deny the attack by using a data diode. In the last stage (execute), the defender may recover from the attack by using forensics or breach insurance.

Figure 6 Cyber kill chain and railway defender kill chain to reduce the risk of cyber-attacks: An example of the railway SCADA system. [Figure: the external cyber kill chain (stages 1–7: External Reconnaissance, Weaponize, Delivery, Exploitation, Installation, Command & Control, Act), the internal cyber kill chain (stages 8–12: Internal Reconnaissance, Internal Exploitation, Privilege Escalation, Lateral Movement, Target Manipulation) and the ICS cyber kill chain (stages 13–17: Develop & Test, Deliver, Install, Execute ICS Attack) drawn over an IT/OT network of Internet, PC, Workstation, Printer, Server, Data Historian, HMI, PLC and RTU, annotated with the chosen RDKC matrix cells: ER-Detect, W-Deceive, D-Detect, E-Prevent, I-Detect, C2-Deceive, Act-Deny, IR-Detect, IE-Prevent, PE-Detect, LM-Deceive, TM-Detect, D&T-Prevent, Deliver-Detect, Install-Deny, Execute-Recovery.]

Railway Defender Kill Chain to Predict and Detect Cyber-Attacks 81

4.5 Penetration Probabilities at Each Stage of the Cyber Kill Chain

To assess the proposed framework, this research has started simulating cyber-attack penetration probabilities with varying security controls at each stage of the cyber kill chain. These security controls are the technologies proposed in the RDKC matrix (Table 2). The defender can choose these security controls at each stage of the cyber kill chain to defend against the cyber-attack. Figure 7 shows one of the simulated results: the penetration probability at each stage of the cyber kill chain, given the cyber-attack probability. In this case, the probability of defense lies between 11% and 20% for the first two stages and between 21% and 30% for the remaining five stages. The penetration probability decreases from the first stage to the seventh stage, since an attack must get past the controls of every earlier stage to reach a later one. This research has started the simulation with seven stages; all 17 stages will be simulated in future work.


Figure 7 Cyber-attack penetration probabilities at each stage of the cyber kill chain.

5 Conclusions and Future Work

With digitalization, the railway's vulnerability to cyber-attacks is increasing, suggesting the need to focus on cybersecurity. Most organizations are focusing on intrusion prevention technologies, with less emphasis on prediction and detection technologies. This research proposes a Railway Defender Kill Chain (RDKC) to predict, prevent, detect, and respond to cyber-attacks. RDKC uses a course of action matrix, which determines how to predict, prevent, detect, respond to, deny, disrupt, degrade, deceive, and destroy adversary events along the kill chain phases to avoid or minimize loss or unavailability. By being proactive instead of reactive, a defender can mitigate cyber threats by implementing the right defensive strategy from the RDKC matrix instead of deploying incident response and forensics only after a successful exploit.

Future research will simulate cyber-attack penetration probabilities with varying defensive controls at each stage of the cyber kill chain. The simulation will help railway organizations predict the risk of attack penetration when applying various security controls at each stage of the cyber kill chain. In addition, a complete set of cyber-attacks along with defensive controls will be sent to the participating railway organizations.


Acknowledgments

The authors would like to thank Luleå Railway Research Center (JVTC) for sponsoring this research work. The authors would also like to acknowledge the contributions of Dr. Phillip Tretten and Robert Beney for their valuable expertise.


Biographies

Ravdeep Kour is a Ph.D. student in the Division of Operation and Maintenance Engineering at Luleå University of Technology, Sweden. She received a Bachelor's degree in Information Technology and a Master's degree in Computer Science Engineering from Jammu University and Punjab University, India, in 2004 and 2012 respectively. She worked as an Assistant Professor in India from 2004 to 2012 and at Luleå University of Technology, Luleå, Sweden, as a Research Engineer from 2012 to 2014. She has worked on European Union and Swedish railway projects. Her total academic and research work experience is 15 years. Her research interests are machine learning, cybersecurity in the context of IT and OT technologies, security risk assessment, cloud computing, and big data analytics.

Adithya Thaduri is working as Associate Senior Lecturer in the Division of Operation and Maintenance Engineering at Luleå University of Technology. He has experience in coordinating four European projects (IN2RAIL, INFRALERT, IN2SMART and FR8RAIL) and three national projects (InfraSweden, Mindi and SKF) in the area of railways, and has collaborated on seven other projects. He recently obtained funding for one European railway project (IN2SMART2) and two national projects: one from Vinnova for railways and the other from Coal India Limited for mining. He has contributed to over 35 deliverables/reports within the above-mentioned projects. He has over 40 research publications (28 after his PhD) in journals, book chapters and conference proceedings. He has taught the Maintenance Engineering course in the master's programme for two years. His areas of research are machine learning and context-aware maintenance decision making within the framework of Maintenance 4.0 in railways, asset maintenance analytics, prognostics and degradation modelling of railway infrastructure, reliability prediction, maintenance planning and optimization, RAMS, LCC and risk assessment, predictive analytics of mining machines, and cybersecurity.


Ramin Karim holds a PhD in the area of Operation and Maintenance Engineering with a focus on eMaintenance and Industrial AI. Ramin has over 20 years of industry experience in computer science and Information and Communication Technologies (ICT), with roles as software developer, systems architect, project manager, multi-project leader, process owner, product manager, responsible for standardization, model developer, and technology business developer. Ramin has over 60 publications in several research areas related to eMaintenance. Ramin is head of the eMaintenance Research Team, focusing on Industrial AI for Operation and Maintenance. He is also the founder of a spin-off company from Luleå University of Technology, which develops analytics solutions based on Industrial AI and eMaintenance.

Paper IV

Predictive model for multistage cyber-attack simulation

Kour, R., Thaduri, A., & Karim, R. (2020). Predictive model for multistage cyber-attack simulation. International Journal of System Assurance Engineering and Management, 1-14.

ORIGINAL ARTICLE

Predictive model for multistage cyber-attack simulation

Ravdeep Kour1 • Adithya Thaduri1 • Ramin Karim1

Received: 30 August 2019 / Revised: 30 August 2019

© The Author(s) 2020

Abstract Adoption of information and communication technologies (ICT) in railway has improved the reliability, maintainability, operational efficiency and capacity of the system, as well as the comfort of passengers. This adoption also introduces new vulnerabilities and entry points for hackers to launch attacks. Advanced cybersecurity threats with automated capabilities are increasing in sectors such as finance, health, grid, retail, government, telecommunications and transportation. These cyber threats are also increasing in railways, which therefore need cybersecurity measures to predict, detect and respond to them. The cyber kill chain (CKC) model is a widely used model to detect cyber-attacks; it consists of seven stages, and breaking the chain at an early stage helps the defender stop the adversary's malicious actions. Due to the lack of real cybersecurity data, this research simulates cyber-attacks to calculate the attack penetration probabilities at each stage of the cyber kill chain model. The objective of this research is to predict cyber-attack penetrations under various security controls using modeling and simulation. This research is an extension of the railway defender kill chain developed earlier, which provides security controls at each stage of the CKC for railway organizations to minimize the risk of cyber threats.

Keywords Cyber-attack · Cyber kill chain · Security control · Predict · Simulation

1 Introduction

Railway is one of the important critical infrastructures on which most people rely for travelling, and it is also one of the major contributors to the growth of a country's economy. On the one hand, the use of new advanced technologies (like the Internet of Things, smart sensors, etc.) has brought significant benefits in reliability, operational efficiency and capacity, as well as an improved passenger experience. On the other hand, it also increases the vulnerability of the railway system to cyber threats. An attacker may launch an attack remotely that leads to denial of control, malfunction of alarms, or manipulation of sensors or actuators to adversely affect the physical system, resulting in catastrophic consequences (Karnouskos 2011). Hackers have already targeted rail companies in Belgium, China, Denmark, Germany, Russia, South Korea, Sweden, Switzerland, the UK, and the US (Kour et al. 2019). Thus, the safety and well-being of passengers, employees, and the public in general, including nearby traffic and pedestrians, must be the first priority of rail operators. However, this safety is at risk due to cybersecurity incidents, which have been increasing over the last years. There are two types of cybersecurity risks in railway organizations: business risks and societal risks (Thaduri et al. 2019a, b). The impacts of cybersecurity business risks include loss of revenue, impact on reputation/loss of trust, non-compliance with regulations on data protection, risks to hardware and software, reliance on invalid information, and lack of security of dependencies (Thaduri et al. 2019a, b). The impacts of cybersecurity societal risks include risk to public health

Corresponding author: Ravdeep Kour

1 Division of Operation and Maintenance Engineering, Luleå University of Technology, 97187 Luleå, Sweden


Int J Syst Assur Eng Manag

https://doi.org/10.1007/s13198-020-00952-5

and safety, unavailability of the railway service, societal financial losses, environmental impact due to increased energy consumption, and risk to the confidentiality and privacy of citizens (Thaduri et al. 2019a, b). Therefore, there is a need to establish strong cybersecurity measures to safeguard railway infrastructure against cyber-attack penetrations. However, there is a lack of real cybersecurity data; therefore, this research uses simulation to predict cyber-attack penetration probabilities at each stage of the cyber kill chain, assuming various security controls to defend against these attacks. Security controls are defined as "The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for a system to protect the confidentiality, integrity, and availability of the system, its components, processes, and data" (Stouffer et al. 2014). There are three general classes of security controls, i.e., management, operational, and technical (Ross et al. 2007). Management and operational controls include contingency planning, incident response, security awareness and training, personnel security, and physical security controls. Technical controls include logical access control, user authentication, antivirus software, firewalls, penetration testing, etc.

To carry out this research, the cyber kill chain (CKC) model has been used, which is one of the most widely used frameworks for detecting cyber-attacks; it is based on the kill chain tactic of the US military's F2T2EA (find, fix, track, target, engage and assess) (Martin 2014). This model consists of seven stages and describes the logic that an attacker follows during a cyber-attack on a system. Hence, this research simulates cyber-attack penetrations within each stage of this model.

The outline of the paper is as follows. After the introduction, the state of the art is provided and the seven stages of the cyber kill chain model are explained, followed by the research methodology. Then, an overview of the developed model is given. Next, the simulation cases are discussed. Finally, results and discussion are presented, followed by conclusions and future research directions.

2 State-of-the-art

2.1 Generalized modeling tools

There are various modeling tools (both proprietary and open), such as optimized network engineering tools and network simulators, for analyzing the impact of cyber-attacks on a modeled network (NS-3 2019; OPNET 2019). The literature shows that researchers are active in simulating cyber-attacks on critical infrastructures; for example, the NS2 network simulator has been used to predict the impact of denial of service, malware propagation, and man-in-the-middle attacks on supervisory control and data acquisition (SCADA) systems (Ciancamerla et al. 2013). An agent-based modeling and simulation approach was used to facilitate the assessment of critical infrastructure entities under cyber-attack (Rybnicek et al. 2014). A generalized simulation model of cyber-attacks on IT networks was also developed (Shourabi 2015). Researchers are also active in the area of game theory to model the behaviour of complex multistage cyber-attacks. He (2017) developed an application-oriented cyber threat assessment framework to address the risk posed by multistage cyber-attacks in smart grids. Game-theoretic models have also been developed to secure intelligent transportation systems (ITS) against fatal cyber-attacks (Alpcan and Buchegger 2010; Bahamou et al. 2016; Mejri et al. 2016; Sanjab et al. 2017; Sedjelmaci et al. 2016). In addition, a combined simulation of an interconnected railway network, ICT network and energy grid, using OpenTrack, SINCAL and NS3 respectively, has been achieved in a European Union project (Ciprnet 2013).

2.2 Railway specific simulators

A survey of existing railway simulators shows that most of them were designed for planning and operational purposes (eTrax 2016; Grube et al. 2011; OpenPowerNet Version 1.8.1 2019; OpenTrack 1990; Yao et al. 2013). The limitations of these simulators are that they do not support cyber-attack analysis and are very costly to adopt in railway cybersecurity research. To overcome these limitations, another simulator was introduced: SecureRails, an open source simulator for analyzing cyber-physical attacks in railway (Teo et al. 2016). This simulator is restricted to only two subsystems: the mechanical system (the train's motion) and the electrical system (the traction power system). In addition, the literature does not provide simulation tools to predict cyber-attack penetration probabilities across the multiple stages of an attack. Thus, this research provides a simple model in MATLAB to simulate cyber-attack penetration probabilities at the various stages of the cyber kill chain model.

The objective of this research is to analyze and simulate cyber-attacks to predict cyber-attack penetration probabilities. Regarding scope, this research does not go into detail on the various kill chain models; rather, it applies a simple cyber kill chain model to the railway as an initial step. The limitation of this research is the scarcity of real cybersecurity data.


3 Attack propagation in the seven stages of the cyber kill chain model

An initial CKC model was developed by Lockheed Martin (2009). The seven stages of this model are:

• Reconnaissance This is the planning stage of the cyber-attack. The adversary searches for and gathers information about the target through social sites, conferences, blogs, mailing lists and other network tracing tools.

• Weaponize The second stage of the model is the operation preparation stage. This stage involves coupling a remote access Trojan (RAT) with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer).

• Delivery The third stage of the model is the operation launch stage, where the weapon is transmitted to the targeted environment.

• Exploitation At this stage, the exploit is triggered to silently install/execute the delivered payload. The most frequently exploited weaknesses are operating system, network and application/software level vulnerabilities.

• Installation This stage involves the installation of back door remote access Trojans (RATs) and the maintenance of persistence inside the targeted environment.

• Command and control (C2) After the successful installation of a back door, the adversary tries to open a two-way communication channel that enables the attacker to control the targeted environment remotely. Once the C2 channel is established, the adversary has "hands on the keyboard" access inside the targeted environment.

• Act on objective In the last stage of the model, the adversary achieves the desired attack goals. These goals can be loss of confidentiality, integrity or availability of an asset.

Figure 1 represents the propagation of cyber-attack penetrations at each stage of the cyber kill chain model. P_attack is the probability of initiation of a cyber-attack and S1–S7 are the seven stages of the cyber kill chain model. Pc11, Pc12, Pc13, Pc14 … Pc73, Pc74 are the 28 security controls (four per stage) implemented by the defender to minimize the risk of cyber-attacks. Pg1 to Pg7 are the probabilities of propagation of cyber-attack penetrations through S1–S7. Table 1 shows examples of these security controls to be implemented by the defender at each stage of the CKC model. Pc1–Pc7 are the probabilities that at least one security control will defend at each stage of the CKC model.

4 Research methodology

Due to the lack of real cybersecurity data, this research is conducted using simulation in MATLAB. Figure 2 shows the flowchart of the research methodology. The research started with generating relevant cybersecurity data from the perspective of both defender and attacker. On the defender side, four security controls are implemented at each stage of the CKC model, and the probability that at least one of the four security controls works at each stage is calculated. On the attacker side, cyber-attacks are launched using a Poisson probability density function. After all the simulated cybersecurity data has been generated, the next step of the research methodology is data analysis, for which this research defines four cases, explained in Sect. 6 of this paper. Finally, the cyber-attack penetration probabilities are visualized so that decisions can be taken to minimize the risk of these attacks.

5 Overview of the model

5.1 Notations

The notations used in this research work are as follows:

5.1.1 Intrusion/cyber-attack rates

P_attack: It is the probability of initiation of a cyber-attack. It can be modeled as a random arrival process with a Poisson Probability Density Function (PDF) (Eq. 1). This function is commonly used for a variety of arrival applications including cyber-attacks (Shourabi 2015). The probability of k occurrences of cyber-attack during any specified interval of time can be expressed as:

$P(k \text{ events in interval}) = \dfrac{\lambda^{k} e^{-\lambda}}{k!}$ (1)

where $\lambda$ is the average number of events per interval and k takes values 0, 1, 2, 3, ….

Fig. 1 Seven stages of cyber kill chain

5.1.2 Model parameters

• S: It is the finite set of stages S = {S1, S2, S3, S4, S5, S6, S7}, with S7 as the last stage, where data get compromised.

• Pfi: It is the probability of pre-filtering (intrusion detection system) at each stage of the CKC.

• C: It is the finite set of 28 security controls C = {Pc11, Pc12, Pc13, Pc14, Pc21, Pc22, Pc23, Pc24, Pc31, Pc32, Pc33, Pc34, Pc41, Pc42, Pc43, Pc44, Pc51, Pc52, Pc53, Pc54, Pc61, Pc62, Pc63, Pc64, Pc71, Pc72, Pc73, Pc74}, with four controls at each stage to defend against the cyber-attack (Eq. 2).

$\underbrace{\sum_{i=1}^{4} Pc_{ji}}_{\text{Stage } j=1}, \quad \underbrace{\sum_{i=1}^{4} Pc_{ji}}_{\text{Stage } j=2}, \quad \ldots, \quad \underbrace{\sum_{i=1}^{4} Pc_{ji}}_{\text{Stage } j=7}$ (2)

These security controls include Intrusion Detection and Prevention System, HoneyPot, Web Analytics, Threat Intelligence, Video Surveillance, Vulnerability Scanning, Penetration Testing, Firewall, Proxy Filter and Antivirus; most of them were listed in the previous work (Kour et al. 2020).

Table 1 Example of security controls at each stage of CKC model

Stage: Reconnaissance
  Cyber hygienic workforce of railway
  Scan the railway network internally and externally using vulnerability-scanning tools
  Securely dispose of sensitive and confidential railway data
  Perform proactive penetration testing

Stage: Weaponize
  Conduct cybersecurity education and improve awareness of railway workforce
  Conduct detailed analysis of possible attack types to proactively identify indicators of adversaries' actions
  Share and utilize threat intelligence to learn about adversaries' tactics and techniques
  Identify weaponization attributes to prevent attacks reaching later stages

Stage: Delivery
  Use email filtering services
  Detect anomalous commands not stemming from the normal remote control center
  Use role-based access control (RBAC) to limit who has access to the railway enterprise network, SCADA system (supervisory control and data acquisition system) or European Train Control System (ETCS)
  Require approved cryptographic algorithms for authentication and message integrity on the railway signalling network

Stage: Exploitation
  Perform patching
  Use network intrusion detection system
  Remove remote administration capabilities from Web platforms
  Use security toolkits to prevent exploits

Stage: Installation
  Implement firewalls
  Authenticate users so that physical access to railway assets does not automatically grant logical access
  Require multi-factor authentication to gain access to sensitive railway information
  Generate alerts on who has made software additions or modifications

Stage: Command and control (C2)
  Block communication to the external C2 server
  Automatically isolate infected devices
  Perform internal reconnaissance to detect and block the attacker
  Use DNS blackholing

Stage: Act on objective
  Use data loss prevention technology
  Configure email systems and web proxies to prevent sensitive and confidential railway data from being sent
  Implement internal intrusion detection system, intrusion prevention system and other controls within the railway network to detect and mitigate unauthorized lateral movement
  Use data-at-rest encryption schemes


• Pci: It is the probability that at least one security control will work at stage Si of the CKC, i = 1, 2, …, 7.

• Pg1: It is the probability of attack penetration at stage S1.

• Pgi: It is the probability of attack penetration at stage Si, i = 2, 3, …, 7.

• Loss: It is the cost of malicious cyber activity in Euro. Around 30% of Swedes were exposed to cybercrime, resulting in total financial losses of 3.14 billion Euros in 2018 (Ahlstrom 2019).

• Risk: Risk is related to three elements: Threat, Vulnerability, and Asset (ISO/IEC 27005:2011). In this model, risk is a function of the probability of cyber-attack, the probability that the vulnerabilities present can be exploited despite the defensive mechanisms, and the loss to the asset as consequence.

• Uc: It is the updated security control probability that will be implemented after assessing cyber-attacks for a period of one month.

5.1.3 Model functions

• $f(P_{attack}, Pc_1)$: It calculates the probability of infiltration at the first stage of the CKC.

• $f(Pg_{i-1}, Pc_i)$: It calculates the probability of propagation of the cyber-attack to the next stage of the CKC, with i as the current stage and i − 1 as the previous stage, i = 2, 3, …, 7.

• $f(Pc_i, Pf_i)$: It calculates the probability of filtering the attack traffic with a detection mechanism. The success of an attack depends upon whether this detection mechanism thwarts the attack.

• $f(P_{attack}, f(Pc_i), loss)$: It calculates the risk of penetration of the cyber-attack at each stage of the CKC model.

$\text{Risk} = \text{Threat} \times \text{Vulnerability} \times \text{Asset}$ (3)

• $f(Uc, Pc, Pg, P_{attack})$: It calculates the last-stage penetration probabilities with updated controls for each month.

5.2 Assumptions

1. This research assumes the probability of cyber-attack arrival as a Poisson Probability Density Function (PDF) (Shourabi 2015). According to the University of Maryland, hackers attack every 39 s (University of Maryland 2007). In addition, Cisco reported that Asia–Pacific companies receive 6 cyber threats every minute (Cisco 2018). McAfee recorded 478 new cyber threats every minute, 8 every second, with an 18% increase in the number of reported security incidents across Europe (McAfee 2019). This research therefore assumes 8 cyber-attacks every second, i.e. an average of 8 events per one-second interval in Eq. 1, and simulates attack arrival as a Poisson PDF.

Fig. 2 Flowchart of research methodology

2. This research assumes four security controls implemented at each stage, with at least one security control working at each stage to defend against the cyber-attacks. These security controls can be extended further based on the requirements of the defender.

3. This research assumes a prefilter, i.e. a cyber-attack detection mechanism, at each of the seven stages of the CKC. This detection mechanism assumes an exponential PDF for detection (Shourabi 2015).

4. This research assumes three cases of probabilities of the security controls at the third, fourth and fifth stages of the CKC: (20–25%), (26–30%), and (31–35%). The probabilities of the security controls for the remaining four stages (1–2 and 6–7) are 1–5%. The security control probabilities at the first two stages are lower because these two stages lie on the attacker's side, and the actual attack happens from the delivery stage onward. These probabilities can be extended further based on the requirements of the defender.

5. This research assumes that the Loss due to cyber-attacks is 3.14 billion Euros in a year (Ahlstrom 2019).

6 Simulation cases

This research considers the following cases for simulating the penetration probabilities:

6.1 Case 1 (detection mechanism)

This case simulates the cyber-attack penetration probabilities at all seven stages when an attack detection mechanism (prefiltering) is applied, and when no prefiltering mechanism is applied, at each of the seven stages (Fig. 3). In Fig. 3a, b, Pg1–Pg7 are the next-stage cyber-attack penetration probabilities and Pc1–Pc7 are the probabilities that at least one security control works at each stage of the CKC. In Fig. 3b, Pf1–Pf7 are the prefilters implemented at each stage of the CKC. This case estimates how much the cyber-attack penetration probability is reduced by using a prefilter in the form of a cyber-attack detection mechanism.

6.2 Case 2 (variable controls)

This case simulates the cyber-attack penetration probabilities at all seven stages when the security controls at the third, fourth and fifth stages have variable probabilities (Fig. 4). The control probabilities at the first two stages are lower because these two stages lie on the attacker's side, and the actual attack happens from the delivery stage onward. Further, the control probabilities at the last two stages are assumed low for the simulation in this research but can be extended further based on the requirements of the defender.

This case considers three cases of security control probabilities:

1. Probabilities of the four controls at the delivery, exploit and install stages are between 20 and 25%.

2. Probabilities of the four controls at the delivery, exploit and install stages are between 26 and 30%.

3. Probabilities of the four controls at the delivery, exploit and install stages are between 31 and 35%.

The security control probabilities at the remaining four stages are between 1 and 5% for all three cases. This simulation considers that out of four security controls at least one will work. Therefore, the probability that at least one control is defensive is:

$P(\text{at least one control is defensive}) = 1 - P(\text{none is defensive})$ (4)
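As an added example (not the paper's MATLAB code), the following Python script implements the propagation model of Cases 1 and 2 and the permutation check of Case 3. The paper does not state the propagation rule, the independence of the four controls at a stage, or the prefilter strengths, so the multiplicative rule Pg_i = Pg_{i-1}(1 − Pc_i)(1 − Pf_i), the independence behind Pc_j = 1 − ∏(1 − Pc_ji) in Eq. 4, and the prefilter values drawn in the demo are this example's assumptions. P_attack is taken from Eq. 1 with an average of 8 events per interval (assumption 1); for k = 8 this gives about 0.1396, close to the attack probability of 0.13953 quoted in Sect. 7.

```python
"""Added example (not the paper's MATLAB code): kill chain penetration
propagation with four controls per stage and an optional prefilter.

Assumptions not spelled out in the paper (labelled here):
  * the four controls at a stage act independently, so Eq. (4) becomes
    Pc_j = 1 - prod_i (1 - Pc_ji);
  * penetration propagates multiplicatively,
    Pg_i = Pg_(i-1) * (1 - Pc_i) * (1 - Pf_i), with Pg_0 = P_attack and
    Pf_i = 0 where no prefilter is deployed;
  * P_attack is the Poisson pmf of Eq. (1) with lambda = 8 (assumption 1).
"""
import math
import random

STAGES = ["Reconnaissance", "Weaponize", "Delivery", "Exploitation",
          "Installation", "Command and control", "Act on objective"]
VARIABLE_STAGES = (2, 3, 4)          # delivery, exploitation, installation (0-based)
CASE2_BANDS = ((0.20, 0.25), (0.26, 0.30), (0.31, 0.35))


def poisson_pmf(k: int, lam: float) -> float:
    """Eq. (1): probability of k attack events in an interval whose mean is lam."""
    return lam ** k * math.exp(-lam) / math.factorial(k)


def stage_defence_prob(controls) -> float:
    """Eq. (4): P(at least one control is defensive) = 1 - P(none is defensive),
    with independent controls (assumption)."""
    none_defensive = 1.0
    for pc in controls:
        none_defensive *= 1.0 - pc
    return 1.0 - none_defensive


def propagate(p_attack: float, control_sets, prefilters=None):
    """Return [Pg1, ..., Pg7] for one attack under the assumed multiplicative rule.

    control_sets: seven lists of per-control probabilities Pc_j1..Pc_j4.
    prefilters:   seven Pf_i values, or None for Case 1 'without prefilter'.
    """
    if prefilters is None:
        prefilters = [0.0] * len(control_sets)
    pg, current = [], p_attack
    for controls, pf in zip(control_sets, prefilters):
        current *= (1.0 - stage_defence_prob(controls)) * (1.0 - pf)
        pg.append(current)
    return pg


def case2_controls(band, rng=None):
    """Assumption 4: four controls per stage drawn from 'band' at stages 3-5
    and from 1-5% at the remaining four stages (seeded for reproducibility)."""
    rng = rng or random.Random(0)
    sets = []
    for idx in range(len(STAGES)):
        lo, hi = band if idx in VARIABLE_STAGES else (0.01, 0.05)
        sets.append([rng.uniform(lo, hi) for _ in range(4)])
    return sets


def equalizer_invariant(p_attack: float, control_sets) -> bool:
    """Case 3 check under the assumed model: moving whole control sets to
    other stages (rotating the stages) leaves the last-stage penetration Pg7
    unchanged, because Pg7 is the product of all 28 factors (1 - Pc_ji)."""
    baseline = propagate(p_attack, control_sets)[-1]
    rotated = control_sets[1:] + control_sets[:1]
    return math.isclose(baseline, propagate(p_attack, rotated)[-1])


if __name__ == "__main__":
    rng = random.Random(7)                      # fixed seed: reproducible demo
    p_attack = poisson_pmf(8, 8.0)              # ~0.1396, cf. 0.13953 in Sect. 7
    for band in CASE2_BANDS:
        ctrls = case2_controls(band, rng)
        pf = [rng.uniform(0.05, 0.15) for _ in STAGES]   # assumed prefilter strengths
        without, with_pf = propagate(p_attack, ctrls), propagate(p_attack, ctrls, pf)
        print(f"band {band}: Pg7 without prefilter {without[-1]:.5f}, "
              f"with prefilter {with_pf[-1]:.5f}, "
              f"equalizer invariant: {equalizer_invariant(p_attack, ctrls)}")
```

Running the script prints, for each of the three Case 2 bands, the last-stage penetration with and without prefilters and confirms that rotating the control sets across stages leaves Pg7 unchanged. Under the multiplicative rule assumed here the invariant quantity is the product of the 28 factors (1 − Pc_ji), which agrees with the sum of control probabilities only to first order for small probabilities, so the Case 3 statement should be read with that caveat.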

6.3 Case 3 (equalizer)

This case considers that the probability of each of 25 of the 28 security controls is the same, except for the three controls at any one stage (Fig. 5). This case estimates the impact of changing security controls on the last-stage penetration. These variable controls are implemented at each of the stages in seven iterations to calculate the penetration probability at the last stage.

6.4 Case 4 (learning curve)

This case is a feedback learning criterion that simulates the penetration probabilities after assessing the cyber incidents and then improving the security controls against similar types of cyber-attacks in future (Fig. 6).

This research has undertaken this case because it helps the defender learn from the attack and reconsider the security controls to minimize the risk of similar cyber-attacks in future. This simulation considers that every month the cyber-attacks are assessed, and the security controls are then updated based on the attack penetrations. The following expression is used to calculate the updated control for each simulated month:

$Uc = Pg_7(\text{previous month}) \times \dfrac{\text{Updated Percentage}}{100} + Pc_1(\text{previous month})$ (5)

Fig. 3 Cyber-attack penetrations without prefilter (a) and with prefilter (b)

Fig. 4 Three cases of security controls

Equation 5 shows how every month the updated security control probability (Uc) is calculated after assessing cyber-attacks for one month. The security control is updated based on the attack's penetration probability at the last stage during the previous month. After calculating the updated security control probability, new penetration probabilities are simulated using the following function:

$\text{function}(Uc, Pc, Pg, P_{attack})$ (6)

This function is called for each month to draw penetration probabilities with the newly updated controls each time.
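As an added example (not the paper's MATLAB code), the following Python script carries the Case 4 feedback loop of Eq. 5 through four simulated months and evaluates the per-person risk of Eq. 3 as used in Sect. 7. The paper leaves several details open, so the choices below are this example's assumptions: the last-stage penetration is taken as Pg7 = P_attack × ∏(1 − Pc_j); Eq. 5 is applied to the stage-level probability of every stage (the paper writes it with Pc1) and capped at 1.0 so it stays a probability; and the Vulnerability term of Eq. 3 is taken as ∏(1 − Pc_j), so that Risk = Pg7 × Loss. The stage-level Pc values in the demo are constructed, not the paper's.

```python
"""Added example (not the paper's MATLAB code): Case 4 feedback learning with
the monthly control update of Eq. (5), and the per-person risk of Eq. (3).

Assumptions (not stated in the paper, chosen for this example):
  * last-stage penetration is Pg7 = P_attack * prod_j (1 - Pc_j);
  * Eq. (5) is applied to the stage-level probability Pc_j of every stage,
    not only to Pc1, and the result is capped at 1.0 so it stays a probability;
  * the Vulnerability term of Eq. (3) is prod_j (1 - Pc_j) = Pg7 / P_attack,
    so Risk = P_attack * Vulnerability * Loss = Pg7 * Loss.
"""


def last_stage_penetration(p_attack: float, pc_stages) -> float:
    """Pg7 for one attack under the assumed multiplicative propagation."""
    pg = p_attack
    for pc in pc_stages:
        pg *= 1.0 - pc
    return pg


def update_control(pg7_prev: float, pc_prev: float, updated_percentage: float) -> float:
    """Eq. (5): Uc = Pg7(previous month) * UpdatedPercentage/100 + Pc(previous month)."""
    return min(1.0, pg7_prev * updated_percentage / 100.0 + pc_prev)


def learning_curve(p_attack: float, pc_stages, months: int = 4,
                   updated_percentage: float = 10.0):
    """Return (Pg7 per month, final Pc per stage). Month 1 uses the initial
    controls; every later month first raises each stage's Pc with Eq. (5)
    using last month's Pg7, as in the feedback loop of Fig. 6."""
    pc = list(pc_stages)
    history = []
    for month in range(months):
        if month > 0:
            pc = [update_control(history[-1], c, updated_percentage) for c in pc]
        history.append(last_stage_penetration(p_attack, pc))
    return history, pc


def loss_per_person(total_loss_eur: float, population: float,
                    exposed_fraction: float) -> float:
    """Loss per exposed person, as in Sect. 7: total loss / (exposed share * population)."""
    return total_loss_eur / (exposed_fraction * population)


def risk_per_person(p_attack: float, pc_stages, loss_eur: float) -> float:
    """Eq. (3) with Threat = P_attack, Vulnerability = prod(1 - Pc_j), Asset = loss."""
    vulnerability = last_stage_penetration(1.0, pc_stages)
    return p_attack * vulnerability * loss_eur


if __name__ == "__main__":
    # Constructed stage-level Pc values (not the paper's): roughly what four
    # independent 1-5% controls (stages 1, 2, 6, 7) and four 20-25% controls
    # (stages 3-5) give after Eq. (4).
    pc_stages = [0.09, 0.09, 0.64, 0.64, 0.64, 0.09, 0.09]
    history, final_pc = learning_curve(0.099, pc_stages)
    print("Pg7 per month:", [f"{v:.6f}" for v in history])
    per_person = loss_per_person(3.14e9, 10.12e6, 0.30)
    print(f"loss per exposed person: {per_person:.2f} Euro")
    print(f"risk per person at P_attack = 0.099: "
          f"{risk_per_person(0.099, pc_stages, per_person):.2f} Euro")
```

The demo prints a monotonically decreasing Pg7 series, because each month's update adds a non-negative term to every stage's Pc. Note that with a 10% Updated Percentage the literal Eq. 5 raises Pc by only one tenth of the previous month's Pg7, which is a small absolute change when Pg7 is already small; a defender calibrating this loop on real data should check that the chosen percentage produces the intended control improvement.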

7 Simulation results and discussion

MATLAB has been used for the simulation of cyber-attack penetration probabilities. All the discussed cases have been simulated in this research.

Case 1 results and discussions Figure 7 shows cyber-attack penetration probabilities at each stage of the cyber kill chain model. Green lines show that a prefilter in the form of a detection mechanism is implemented at each stage of the CKC. The red line, on the other hand, shows that no prefilter is implemented at any stage. Figure 7 clearly indicates that after implementing a prefilter at each stage of the CKC, the attack penetration probabilities can be reduced. For example, Fig. 7 presents five cases of cyber-attacks and shows how these attacks penetrate each of the stages with and without a cyber-attack detection mechanism. For instance, in Figs. 7 and 8, with a cyber-attack probability of 0.13953, the penetration probability at stage 2 is 0.1151 without and 0.07865 with the detection mechanism. More cases of cyber-attack and penetration probabilities at the second stage of the CKC are presented in Fig. 8. These results clearly indicate that after implementing a prefilter in the form of a detection mechanism at each stage of the CKC, the cyber-attack penetration probabilities can be reduced.

Fig. 5 Changing security controls at each stage of CKC

Case 2 results and discussions This case considers three cases of security control probability at the third, fourth and fifth stages of the CKC, i.e. (20–25%), (26–30%), and (31–35%). In these three cases, it is shown that with an increase in the security control probabilities, the cyber-attack penetration probabilities decrease. In Fig. 9 it can be seen that with a cyber-attack probability of 0.1241, the cyber-attack penetration at the exploitation stage of the CKC decreases from 0.0069 to 0.0038 to 0.0012 when the security control probability is (20–25%), (26–30%), and (31–35%) respectively at the delivery, exploit and install stages (also shown as the highlighted value in Fig. 10). A few more simulated penetration probability values at the exploitation stage are given in Fig. 10 for security controls of (20–25%), (26–30%), and (31–35%).

Thus, given real cybersecurity data on cyber-attack and security control probabilities, this simulation will help to predict attack penetrations at each stage of the cyber kill chain.

Case 3 results and discussions Figure 11 represents the result of the equalizer, where the probability of each of 25 of the 28 security controls is the same, except for the three controls at any one stage. The displayed results are for stages 1, 3, 5 and 7 (reconnaissance, delivery, installation, and act on objective) of the CKC model. These variable controls are implemented at each of the stages in seven iterations to calculate the penetration probability at the last stage. The result shows that when the sum of the probabilities of the controls is the same at any stage, the penetration at the last stage remains the same, and the position of the controls does not matter.

Fig. 6 Feedback loop showing security controls enhanced at every next iteration

Case 4 results and discussions Figure 12 shows the learning curve results: after cyber-attacks are detected, they are assessed so that future attacks can be minimized. Based on the assessment result, the security controls are improved (refer to Fig. 6) so that penetrations are reduced. Figure 12 shows that attack penetrations decrease as the security controls are updated. This simulation considers that after assessing the cyber-attacks, the security controls are enhanced by 10% successively (the Updated Percentage in Eq. 5) for each attack over four consecutive months. Thus, it can be seen clearly in Fig. 12 that last-stage penetrations decrease with each 10% increase in controls over four consecutive months, for the three variable cases of security controls, i.e. when the security controls lie between (20 and 25%), (26 and 30%), and (31 and 35%).

Other results and discussions Figure 13 shows the risk of cyber-attack penetration per person in Euro at the last stage of the CKC with three cases of security controls at the delivery, exploit and install stages: 20–25%, 26–30%, and 31–35%. Risk is related to three elements: Threat, Vulnerability, and Asset. In this model, risk is a function of the probability of cyber-attack, the probability that the vulnerabilities present can be exploited despite the defensive mechanisms, and the loss to the asset as consequence. Loss in this model is the total financial loss caused by malicious cyber activity in Sweden in 2018, where around 30% of Swedes were exposed to cybercrime (Ahlstrom 2019). The loss per person of 1152.83 Euro used here is computed as 3.5 billion divided by 30% of the 10.12 million Swedish population in 2018; note that with the 3.14 billion Euro figure stated in Sect. 5.1.2 and in assumption 5, the same division gives about 1034 Euro per person. The Fig. 13 data point shows that risk per person in Euro reduces from 3.02 to 2.17 to 1.99 when the attack probability is 0.099.

Fig. 7 Cyber-attack penetration probabilities at each stage of cyber kill chain model

Fig. 8 Cyber-attack and penetration probabilities at second stage of cyber kill chain

Fig. 9 Cyber-attack penetration probabilities with varied security controls at 3–5 stages of CKC

Fig. 10 Penetration probabilities for exploitation stage when security controls are (20–25%), (26–30%), and (31–35%)

Fig. 11 Penetration probabilities at reconnaissance, delivery, installation, and act on objective stage of CKC

Fig. 12 Last stage penetration probabilities with updated (improved) security controls

Fig. 13 Cyber-attack risk with varying security controls at delivery, exploit, and install stages

8 Conclusion and future research directions

This research simulates and predicts cyber-attack penetrations in the presence of various security controls. This research concludes the following points:

• A cyber-attack detection mechanism in the form of a prefilter at each stage of the cyber kill chain reduces the attack penetrations at each stage.

• These penetrations reduce further with an increase in the probabilities of the security controls that defend against these cyber-attacks.

• When the sum of the probabilities of the controls is the same at any stage, the penetration at the last stage remains the same, and the position of the controls does not matter.

• The simulation results show that assessing last-stage penetrations to improve the security controls further reduces future cyber-attack penetrations.

In future, this research will consider cyber-attack penetration probabilities in the combined extended cyber kill chain and industrial control system (ICS) cyber kill chain.

Acknowledgements Open access funding provided by Lulea University of Technology. The authors would like to thank Lulea Railway Research Center (JVTC) for sponsoring this research work.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

References

Ahlstrom T (2019) Sweden: cyber security. https://www.export.gov/article?id=Sweden-Cyber-Security. Accessed 13 Aug 2019

Alpcan T, Buchegger S (2010) Security games for vehicular networks. IEEE Trans Mob Comput 10(2):280–290

Bahamou S, Ouadghiri E, Driss M, Bonnin J (2016) When game theory meets VANET's security and privacy. In: Proceedings of the 14th international conference on advances in mobile computing and multi media, pp 292–297

Ciancamerla E, Minichino M, Palmieri S (2013) Modeling cyber attacks on a critical infrastructure scenario. In: IISA 2013, pp 1–6

Ciprnet (2013) Critical infrastructures preparedness and resilience research network. EU project. https://www.ciprnet.eu/home.html. Accessed 13 Aug 2019

Cisco (2018) Asia Pacific security capabilities benchmark study. https://www.cisco.com/c/dam/global/en_au/products/pdfs/executive_summary_cisco_2018_asia_pacific_Security_capabilities_benchmark_study.pdf. Accessed 13 Aug 2019

eTrax (2016) Railway traction power analysis | rail power system software. https://etap.com/solutions/railways. Accessed 13 Aug 2019

Grube P, Nunez F, Cipriano A (2011) An event-driven simulator for multi-line metro systems and its application to Santiago de Chile metropolitan rail network. Simul Model Pract Theory 19(1):393–405

He X (2017) Threat assessment for multistage cyber attacks in smart grid communication networks. Doctoral dissertation, Universität Passau

Karnouskos S (2011) Stuxnet worm impact on industrial cyber-physical system security. In: IECON 2011, 37th annual conference of the IEEE industrial electronics society, pp 4490–4494

Kour R, Aljumaili M, Karim R, Tretten P (2019) eMaintenance in railways: issues and challenges in cybersecurity. Proc Inst Mech Eng F J Rail Rapid Transit. https://doi.org/10.1177/0954409718822915

Kour R, Thaduri A, Karim R (2020) Railway defender kill chain to predict and detect cyber-attacks. J Cyber Secur Mobil 9(1):47–90

Lockheed Martin (2009) Cyber kill chain®. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html. Accessed 13 Aug 2019

Martin L (2014) Cyber kill chain®. http://Cyber.Lockheedmartin.Com/Hubfs/GainingtheAdvantageCyberKillChain.Pdf. Accessed 13 Aug 2019

McAfee (2019) McAfee labs reports record. https://www.mcafee.com/enterprise/es-es/about/newsroom/press-releases/press-release.html?news_id=20180311005028. Accessed 13 Aug 2019

Mejri MN, Achir N, Hamdi M (2016) A new security games based reaction algorithm against DOS attacks in VANETs. In: 2016 13th IEEE annual consumer communications and networking conference (CCNC), pp 837–840

NS-3 (2019) Network simulator. https://www.nsnam.org/. Accessed 13 Aug 2019

OpenPowerNet Version 1.8.1 (2019) Traction power supply and train performance simulation software. http://www.openpowernet.com/. Accessed 13 Aug 2019

OpenTrack (1990) Simulation of railway networks. http://www.opentrack.ch/opentrack/opentrack_e/opentrack_e.html. Accessed 13 Aug 2019

OPNET (2019) OPNET is now part of Riverbed SteelCentral™. https://www.riverbed.com/se/products/steelcentral/opnet.html. Accessed 13 Aug 2019

Ross RS, Katzke SW, Johnson LA, Swanson MM (2007) Recommended security controls for federal information systems. NIST Special Publication 800-53 Rev 2

Rybnicek M, Tjoa S, Poisel R (2014) Simulation-based cyber-attack assessment of critical infrastructures. In: Workshop on enterprise and organizational modeling and simulation, pp 135–150

Sanjab A, Saad W, Basar T (2017) Prospect theory for enhanced cyber-physical security of drone delivery systems: a network interdiction game. In: 2017 IEEE international conference on communications (ICC), pp 1–6

Sedjelmaci H, Senouci SM, Ansari N (2016) Intrusion detection and ejection framework against lethal attacks in UAV-aided networks: a Bayesian game-theoretic methodology. IEEE Trans Intell Transp Syst 18(5):1143–1153

Shourabi NB (2015) A model for cyber attack risks in telemetry networks. International Foundation for Telemetering, San Diego

Stouffer K, Lightman S, Pillitteri V, Abrams M, Hahn A (2014) NIST special publication 800-82, revision 2: guide to industrial control systems (ICS) security. National Institute of Standards and Technology

Teo Z, Tran BAN, Lakshminarayana S, Temple WG, Chen B, Tan R, Yau DK (2016) SecureRails: towards an open simulation platform for analyzing cyber-physical attacks in railways. In: 2016 IEEE region 10 conference (TENCON), pp 95–98

Thaduri A, Aljumaili M, Kour R, Karim R (2019a) Cybersecurity for eMaintenance in railway infrastructure: risks and consequences. Int J Syst Assur Eng Manag 10:149–159

Thaduri A, Aljumaili M, Kour R, Karim R (2019b) Cybersecurity for eMaintenance in railway infrastructure: risks and consequences. Int J Syst Assur Eng Manag 10(2):149–159. https://doi.org/10.1007/s13198-019-00778-w

University of Maryland (2007) Study: hackers attack every 39 seconds. https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds. Accessed 13 Aug 2019

Yao X, Zhao P, Qiao K (2013) Simulation and evaluation of urban rail transit network based on multi-agent approach. J Ind Eng Manag (JIEM) 6(1):367–379

Publisher's Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.