Kill Chain for Industrial Control System

Zhou, Xiaojun; Xu, Zhen; Wang, Liming; Chen, Kai; Chen, Cong; Zhang, Wei

doi:10.1051/matecconf/201817301013

Cited by 14 publications

(12 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The paper with the title "Kill chain for industrial control system" [21] explains adversary actions and techniques with the help of the kill chain. We have derived kill chain methodology for SCADA from [21] and integrated it with cyber deception, and presents kill chain and deception approach for SCADA as shown in Figure 4. This will help us to identify attack behaviors at each phase of an attack.…”

Section: A Kill Chain Analysismentioning

confidence: 99%

Last Line of Defense: Reliability Through Inducing Cyber Threat Hunting With Deception in SCADA Networks

et al. 2021

View full text Add to dashboard Cite

There exists a gap between existing security mechanisms and their ability to detect advancing threats. Antivirus and EDR (End Point Detection and Response) aim to detect and prevent threats; such security mechanisms are reactive. This approach did not prove to be effective in protecting against stealthy attacks. SCADA (Supervisory Control and Data Acquisition) security is crucial for any country. However, SCADA is always an easy target for adversaries due to a lack of security for heterogeneous devices. An attack on SCADA is mainly considered a national-level threat. Recent research on SCADA security has not considered "unknown threats," which has left a gap in security. The proactive approach, such as threat hunting, is the need of the hour. In this research, we investigated that threat hunting in conjunction with cyber deception and kill chain has countervailing effects on detecting SCADA threats and mitigating them. We have used the concept of "decoy farm" in the SCADA network, where all attacks are engaged. Moreover, we present a novel threat detection and prevention approach for SCADA, focusing on unknown threats. To test the effectiveness of approach, we emulated several Linux and Windows-based attacks on a simulated SCADA network. We have concluded that our approach detects and prevents the attacker before using the current reactive approach and security mechanism for SCADA with enhanced protection for heterogeneous devices. The results and experiments show that the proposed threat hunting approach has significantly improved the threat detection ability.

show abstract

Section: A Kill Chain Analysismentioning

confidence: 99%

Last Line of Defense: Reliability Through Inducing Cyber Threat Hunting With Deception in SCADA Networks

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Cyberattacks on the grid-such as the 2019 DoS on energy provider Sustainable Power Group (sPower) and the Havex malware, which targeted industrial control system (ICS) devices through a remote access Trojan-emphasize the need for secure DERs and grid edge devices (Zhou et al 2018).…”

Section: Motivation To Establish Cybersecurity Certification Recommendationsmentioning

confidence: 99%

Cybersecurity Certification Recommendations for Interconnected Grid Edge Devices and Inverter Based Resources

Hupp¹,

Saleem²,

Peterson³

et al. 2021

View full text Add to dashboard Cite

“…Cyber kill chain is focused on malware-based intrusion and APTs [50]. The CKC model has been expanded and improved for use in industrial control systems (ICS) and internal threats, i.e., the ICS cyber kill chain [21,24] and extended cyber kill chain [25] respectively. A combination of both these kill chains can be applied in the railway (Figure 2).…”

Section: Unified Extended Cyber Kill Chain and Ics Cyber Kill Chainmentioning

confidence: 99%

“…• Reconnaissance: The first stage of the model, one of the most difficult stages to detect from a security monitoring perspective, is the planning stage of the cyber-attack. The adversary searches for and gathers information about the organization background, resources, and individual employees through social sites, conferences, blogs, mailing lists and Figure 2 Unified extended cyber kill chain [25] and ICS cyber kill chain [21,24].…”

Section: External Cyber Kill Chain Modelmentioning

confidence: 99%

“…The railway is converging IT and OT technologies, so similar types of cyber-attacks can happen here as well. Thus, as an initial step, instead of going into detail on different kill chains, this research applies Lockheed Martin's (LM) CKC model [18,23], ICS cyber kill chain [21,24] and extended cyber kill chain [25] model to the railway to detect cyber-attacks. Lockheed Martin's (LM) CKC model [18,23] has a seven-stage attack path.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Railway Defender Kill Chain to Predict and Detect Cyber-Attacks

Kour

Thaduri

Karim

2020

JCSANDM

View full text Add to dashboard Cite

Most organizations focus on intrusion prevention technologies, with less emphasis on prediction and detection. This research looks at prediction and detection in the railway industry. It uses an extended cyber kill chain (CKC) model and an industrial control system (ICS) cyber kill chain for detection and proposes predictive technologies that will help railway organizations predict and recover from cyber-attacks. The extended CKC model consists of both internal and external cyber kill chain; breaking the chain at an early stage will help the defender stop the adversary’s malicious actions. This research incorporates an OSA (open system architecture) for railways with the railway cybersecurity OSA-CBM (open system architecture for condition-based maintenance) architecture. The railway cybersecurity OSACBM architecture consists of eight layers; cybersecurity information moves from the initial level of data acquisition to data processing, data analysis, incident detection, incident assessment, incident prognostics, decision support, and visualization. The main objective of the research is to predict, prevent, detect, and respond to cyber-attacks early in the CKC by using defensive controls called the Railway Defender Kill Chain (RDKC). The contributions of the research are as follows. First, it adapts and modifies the railway cybersecurity OSA-CBM architecture for railways. Second, it adapts the cyber kill chain model for the railway. Third, it introduces the Railway Defender Kill Chain. Fourth, it presents examples of cyber-attack scenarios in the railway system.

show abstract

Kill Chain for Industrial Control System

Cited by 14 publications

References 2 publications

Last Line of Defense: Reliability Through Inducing Cyber Threat Hunting With Deception in SCADA Networks

Last Line of Defense: Reliability Through Inducing Cyber Threat Hunting With Deception in SCADA Networks

Cybersecurity Certification Recommendations for Interconnected Grid Edge Devices and Inverter Based Resources

Railway Defender Kill Chain to Predict and Detect Cyber-Attacks

Contact Info

Product

Resources

About