Cyber security threats to the rail industry grow as train fleets become more digital. Attackers cannot simply point off-the-shelf attacks at most rail systems, but the long service life of those systems and the scarcity of software updates mean that exploitable vulnerabilities are inevitable.
This inevitability makes it essential to understand how cyber security threats actually behave within rail: how an attacker executes a cyber-attack, what steps are involved, and what the consequences of the actions in each step are.
The ‘Cyber Kill Chain’ is one of the most widely used frameworks for understanding the sequence of a cyber-attack. Using it, we can break down the steps an attack requires in order to succeed and recognise where to apply security controls to protect, detect and respond to cyber-attacks before they affect rail operations.
It is important to recognise that a typical attacker takes weeks or months to progress through the entire kill chain, and that there are multiple opportunities to detect and stop the attack along the way. Early detection at any point in the kill chain therefore acts as a form of prevention for the later, more damaging stages.
What is the ‘Cyber Kill Chain’?
The term ‘Kill Chain’ originated in the US military, where it describes the steps an enemy must take in order to complete a successful attack, and the opportunities to “kill” the attack before it succeeds. Within cyber security, Lockheed Martin developed the Cyber Kill Chain by applying the same principle: the steps an attacker takes to breach a system and carry out an attack, and the opportunities to prevent, detect and respond to the attack before it is successful.
The Cyber Kill Chain is a sequence of stages that an attacker must follow to successfully breach a network or system and carry out malicious actions. Each stage is a step within the attack path that involves a specific goal.
With a growing range of attack vectors in rolling stock and rail infrastructure, it is imperative to think like the attacker and understand the opportunities to “kill” an attack before it succeeds. This can serve as the basis for a cyber security programme that defends against an attack at each of its stages. Following the Cyber Kill Chain model, stopping the attacker at any stage breaks the chain of attack.
Hackers must completely progress through all phases for an attack to be successful. We, the defenders, just need to block them at any stage to contain the attack before it causes real damage to operations.
Six stages of Cyber Kill Chain within rail
The Cyber Kill Chain model holds that to carry out a successful attack, an attacker must work through six basic intrusion steps before reaching the seventh and final stage, the actions on objectives:
1. Reconnaissance - Identifying the target
The first step in the Cyber Kill Chain is reconnaissance. During this phase, the would-be attacker is gathering as much information as they can about the target network and its systems, to discover weaknesses and potential points of entry before launching an attack.
Quite often, reconnaissance begins with readily available information about the operator, its suppliers and any internet-exposed services. Where the attacker can reach the network, they may then probe its architecture and layout using tools such as Nmap, port scanners and even vulnerability scanners, and try to identify the security systems in place, such as firewalls or intrusion prevention/detection systems.
Since these scans look for the same weaknesses an attacker would exploit, it is better that you find them first. The best defence at this stage is to be proactive: regular penetration tests and an inventory of your assets and of the information exposed about them, combined with detection of port and vulnerability scans, so that you can manage the risk associated with each asset. One caveat for operational networks: active scanning itself carries risk, because some legacy controllers do not tolerate unexpected probes, so test against representative equipment in a lab or during maintenance windows and prefer passive discovery on live trains.
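The scan detection mentioned above, as an added example that is not part of the original article or RazorSecure's product: a small Python detector that reads a constructed firewall/flow log and flags vertical scans (one source probing many ports on one host) and horizontal scans (one source probing one port across many hosts) within a sliding time window. The log format, the IP addresses and the thresholds are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall/flow log (not from any real rail network). Fields:
# timestamp  source-IP  destination-IP  destination-port  action
# 10.10.1.55 walks a dozen ports on one host, including common ICS/OT service ports,
# in six seconds; 10.10.1.77 tries Modbus/TCP (502) on eight hosts; 10.10.1.20 is a
# legitimate poller that only ever talks to two hosts on one port.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.10.1.55 10.10.2.10 22 DROP
2024-03-01T10:00:01 10.10.1.55 10.10.2.10 23 DROP
2024-03-01T10:00:01 10.10.1.55 10.10.2.10 80 ACCEPT
2024-03-01T10:00:02 10.10.1.55 10.10.2.10 102 DROP
2024-03-01T10:00:02 10.10.1.55 10.10.2.10 443 DROP
2024-03-01T10:00:03 10.10.1.55 10.10.2.10 502 ACCEPT
2024-03-01T10:00:03 10.10.1.55 10.10.2.10 2404 DROP
2024-03-01T10:00:04 10.10.1.55 10.10.2.10 4840 DROP
2024-03-01T10:00:04 10.10.1.55 10.10.2.10 8080 DROP
2024-03-01T10:00:05 10.10.1.55 10.10.2.10 20000 DROP
2024-03-01T10:00:05 10.10.1.55 10.10.2.10 44818 DROP
2024-03-01T10:00:06 10.10.1.55 10.10.2.10 47808 DROP
2024-03-01T10:01:00 10.10.1.20 10.10.2.10 502 ACCEPT
2024-03-01T10:01:30 10.10.1.20 10.10.2.11 502 ACCEPT
2024-03-01T10:02:00 10.10.1.20 10.10.2.10 502 ACCEPT
2024-03-01T10:05:00 10.10.1.77 10.10.2.10 502 ACCEPT
2024-03-01T10:05:01 10.10.1.77 10.10.2.11 502 ACCEPT
2024-03-01T10:05:02 10.10.1.77 10.10.2.12 502 DROP
2024-03-01T10:05:03 10.10.1.77 10.10.2.13 502 DROP
2024-03-01T10:05:04 10.10.1.77 10.10.2.14 502 DROP
2024-03-01T10:05:05 10.10.1.77 10.10.2.15 502 DROP
2024-03-01T10:05:06 10.10.1.77 10.10.2.16 502 DROP
2024-03-01T10:05:07 10.10.1.77 10.10.2.17 502 DROP
"""


def parse_log(text):
    """Parse the whitespace-separated format above into (timestamp, src, dst, port, action)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def max_distinct_in_window(items, window):
    """items: (timestamp, value) pairs. Largest number of distinct values seen in any
    sliding window of the given length (two-pointer sweep over the sorted events)."""
    items = sorted(items)
    counts = Counter()
    best = left = 0
    for ts, value in items:
        counts[value] += 1
        while items[left][0] < ts - window:  # drop events that fell out of the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(events, window=timedelta(seconds=60), port_threshold=10, host_threshold=8):
    """Flag vertical scans (many ports on one host) and horizontal scans (one port on many
    hosts). The thresholds are assumed values for illustration; tune them to real traffic."""
    by_pair = defaultdict(list)  # (src, dst)  -> [(ts, port)]
    by_port = defaultdict(list)  # (src, port) -> [(ts, dst)]
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))
        by_port[(src, port)].append((ts, dst))
    alerts = []
    for (src, dst), items in by_pair.items():
        n = max_distinct_in_window(items, window)
        if n >= port_threshold:
            alerts.append(("vertical_scan", src, dst, n))
    for (src, port), items in by_port.items():
        n = max_distinct_in_window(items, window)
        if n >= host_threshold:
            alerts.append(("horizontal_scan", src, port, n))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```

Counting distinct ports or hosts rather than raw packets is what separates a scanner from a chatty but legitimate poller such as 10.10.1.20; in a real deployment the DROP/ACCEPT column is a second signal worth weighting, since a single source accumulating drops across many ports is rarely benign.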
2. Weaponisation - Preparing for the attack
Having identified one or more possible means of attack, the next move is to build or select a ‘weapon’, typically an exploit paired with a payload, for the vulnerabilities found during reconnaissance. There is little an organisation can do to detect this stage directly, as it takes place entirely on the attacker’s side without touching the target system. What you can do is remove the targets, by patching or mitigating the vulnerabilities the attacker would weaponise, and keep up threat intelligence on the tooling known to be used against rail and industrial systems.
Less sophisticated attackers may make use of ready-made tools, but rail systems face a mix of determined attackers, from hacktivists to nation-state actors, so all methods, including fully customised attack tooling, should be considered. The reconnaissance and weaponisation phases can take anywhere from hours to months depending on the amount of customisation the attacker requires.
3. Delivery - Transmission of the attack
With the weapon prepared, the attack moves into the delivery phase, where the attacker attempts to get it onto your network and in front of the target systems. This is the first stage at which the attack actually touches your environment, and therefore the first at which you can observe it directly: the attacker has identified a vulnerable point of entry, has developed their “weapon”, and is ready to use it.
As the name suggests, this step is the transmission of the attack mechanism, such as malware, to the target, for example via a USB drive, a phishing email, an infected maintenance laptop or a remote maintenance connection.
4. Exploitation - Exploiting the weaknesses
The fourth stage of the cyber kill chain is where the weaknesses in your system are actually exploited. Once the weapon has been delivered, the attacker triggers the vulnerability, for example by getting a user to open the file or by sending the crafted input to an exposed service, so that their code runs on the target.
The system is now compromised. The attacker uses this initial access to establish a ‘foothold’ from which to escalate the attack, which often already involves an attempt to create a persistent ‘backdoor’; securing that persistence is the subject of the next stage.
With the right behaviour-based security tools monitoring activity within your environment, exploitation produces enough ‘abnormal’ log activity at this stage (unexpected processes, new network connections, failed authentications) to raise an alert on the suspicious action.
5. Installation - Spreading their grip on the network
At this stage, an attacker may have spread across various systems in the network while attempting to gain privileged access rights to further establish their position. The attacker wants to have a persistent presence on the network, and the ability to access the systems at will.
By this stage the attacker has already breached multiple cyber defences, crossed multiple network boundaries, accessed multiple systems, and presented multiple opportunities to detect and stop the attack. Building a layered approach to cyber defence around the kill chain should mean that attacks do not reach this stage undetected. If the worst does happen, installation causes a significant change in the behaviour of the affected system, which with the right systems in place leads to cyber security alerts.
It is vital at this stage to ensure monitoring in real time so that any threats identified are responded to promptly to limit the damage.
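The behaviour-based detection described for the exploitation stage above, and the change in behaviour that installation causes, as one added example in Python that is not part of the original article or RazorSecure's product. It learns a per-host baseline of processes, listening sockets and persistence entries from a known-good period, then reports anything outside that baseline in a later monitoring window and maps the mix of deviations on each host onto the kill-chain stage they suggest. The host names, paths, event kinds and the stage mapping are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed host telemetry for two onboard systems (not from any real train).
# Each record is (host, event kind, subject). Kinds used here:
#   "exec"     a process was started                subject = executable path
#   "listen"   a process opened a listening socket  subject = executable:port
#   "persist"  a service or cron entry was created  subject = mechanism:entry
LEARNING_PERIOD = [
    ("tcms-gw-01", "exec", "/usr/bin/tcms-bridge"),
    ("tcms-gw-01", "listen", "/usr/bin/tcms-bridge:502"),
    ("tcms-gw-01", "exec", "/usr/sbin/sshd"),
    ("tcms-gw-01", "listen", "/usr/sbin/sshd:22"),
    ("tcms-gw-01", "persist", "systemd:tcms-bridge.service"),
    ("cctv-rec-03", "exec", "/opt/nvr/recorder"),
    ("cctv-rec-03", "listen", "/opt/nvr/recorder:554"),
    ("cctv-rec-03", "persist", "systemd:nvr.service"),
]

# Telemetry from a later monitoring window: tcms-gw-01 now runs an unknown binary from
# /tmp that opens a new listening port and registers itself to survive a reboot, and a
# host that was never baselined at all shows up.
MONITORING_PERIOD = [
    ("tcms-gw-01", "exec", "/usr/bin/tcms-bridge"),
    ("tcms-gw-01", "exec", "/usr/sbin/sshd"),
    ("tcms-gw-01", "exec", "/tmp/.x/svc"),
    ("tcms-gw-01", "listen", "/tmp/.x/svc:4444"),
    ("tcms-gw-01", "listen", "/tmp/.x/svc:4444"),      # repeated event, reported once
    ("tcms-gw-01", "persist", "cron:@reboot /tmp/.x/svc"),
    ("cctv-rec-03", "exec", "/opt/nvr/recorder"),
    ("cctv-rec-03", "listen", "/opt/nvr/recorder:554"),
    ("unknown-9f", "exec", "/bin/sh"),
]

SEVERITY = {"exec": "medium", "listen": "high", "persist": "high"}


def build_baseline(records):
    """host -> kind -> set of subjects seen while the system was known-good."""
    baseline = defaultdict(lambda: defaultdict(set))
    for host, kind, subject in records:
        baseline[host][kind].add(subject)
    return baseline


def detect_deviations(baseline, observed):
    """One alert per (host, kind, subject) the baseline has never seen.
    A host absent from the baseline entirely is reported once as an unknown host."""
    alerts, reported = [], set()
    for host, kind, subject in observed:
        if host not in baseline:
            key = (host, "host", host)
            if key not in reported:
                reported.add(key)
                alerts.append({"host": host, "kind": "host", "subject": host, "severity": "high"})
            continue
        if subject in baseline[host][kind]:
            continue
        key = (host, kind, subject)
        if key in reported:
            continue
        reported.add(key)
        alerts.append({"host": host, "kind": kind, "subject": subject, "severity": SEVERITY[kind]})
    return alerts


def classify_hosts(alerts):
    """Assumed mapping of deviation mix to kill-chain stage: a new process alone looks
    like exploitation; a new listener or persistence entry is a foothold; both together
    is the installation stage described in the text."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a["host"]].add(a["kind"])
    verdicts = {}
    for host, ks in kinds.items():
        if "listen" in ks and "persist" in ks:
            verdicts[host] = "installation suspected"
        elif "listen" in ks or "persist" in ks:
            verdicts[host] = "foothold suspected"
        elif "host" in ks:
            verdicts[host] = "unknown host"
        else:
            verdicts[host] = "anomalous process"
    return verdicts


if __name__ == "__main__":
    found = detect_deviations(build_baseline(LEARNING_PERIOD), MONITORING_PERIOD)
    for a in found:
        print(a)
    print(classify_hosts(found))
```

The point of baselining is that a fixed-function system such as a train control gateway has a very small, stable set of legitimate behaviours, so anything new is worth a look; the price is that every legitimate software update changes the baseline, which is why the learning period has to be re-run after planned maintenance.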
6. Command and Control - Taking control of the system
The attacker now has persistent access to the system and establishes a channel back to infrastructure they control, through which they can issue commands and pull out data. The timing of the attack is now in their hands, and they may hold off until the moment of maximum impact before acting.
By this stage the attacker’s code is running inside your environment. From here they can move deeper into the network, exploit additional systems, capture network traffic, and reach systems that were considered “closed” during cyber risk analysis. Because the channel has to carry traffic out of the train or depot network, this is also the stage at which outbound connections that do not match a system’s normal profile can give the attacker away.
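The command-and-control channel described above is often the most detectable part of the attack, because implants typically call home on a schedule. The following is an added example in Python, not part of the original article or RazorSecure's product, that looks for that regularity: for every outbound flow it measures the gaps between connections and reports flows whose gaps have a low coefficient of variation, while recognising destinations that are known to be polled on a fixed schedule so that legitimate periodic traffic such as NTP is not mistaken for a beacon. The connection records, addresses and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed outbound-connection records (seconds since the start of the capture,
# source host, destination host, destination port). Not from any real network.
CONNECTIONS = [
    # implant on an onboard gateway calling home roughly every 5 minutes with a little jitter
    *[(t, "10.10.1.55", "203.0.113.9", 443) for t in (0, 300, 598, 903, 1202, 1505, 1805, 2102)],
    # legitimate NTP polling, also perfectly periodic
    *[(t, "10.10.1.20", "10.10.0.5", 123) for t in range(0, 64 * 8, 64)],
    # an operator's browsing session: bursty, no fixed period
    *[(t, "10.10.1.30", "10.10.0.8", 443) for t in (0, 5, 125, 128, 1028, 1068, 1083, 1085)],
]

# Destinations known to be polled on a schedule (assumed allowlist); reported, but not as beacons.
KNOWN_PERIODIC = {("10.10.0.5", 123)}


def beacon_score(timestamps):
    """Return (mean gap, coefficient of variation of the gaps) between successive connections.
    A CV near 0 means the connections are evenly spaced; human-driven traffic is bursty."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(connections, min_connections=8, max_cv=0.2, known_periodic=KNOWN_PERIODIC):
    """Group connections per (src, dst, port) flow and report the regular ones.
    min_connections and max_cv are assumed thresholds; too few samples makes the CV meaningless."""
    by_flow = defaultdict(list)
    for t, src, dst, port in connections:
        by_flow[(src, dst, port)].append(t)
    findings = []
    for (src, dst, port), ts in by_flow.items():
        if len(ts) < min_connections:
            continue
        mean, cv = beacon_score(ts)
        if cv > max_cv:
            continue
        verdict = "known periodic service" if (dst, port) in known_periodic else "beacon candidate"
        findings.append({
            "src": src, "dst": dst, "port": port,
            "period_s": round(mean), "cv": round(cv, 3), "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(CONNECTIONS):
        print(finding)
```

Jitter is the obvious evasion: an implant that randomises its interval widely pushes the CV above the threshold, so in practice this check is paired with others (destination reputation, consistent request sizes, connections outside the system’s normal hours) rather than used on its own.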
7. Actions on Objectives - Carrying out the attack
The attacker is now free to get on with the job they came to do. If the compromised system is not the final target, they may attempt to move laterally across your network by restarting an ‘internal cyber kill chain’ against other systems. Good network segmentation is a valuable tool for limiting the impact here: if a compromised system can only reach the few systems it legitimately needs to talk to, its compromise does not become a stepping stone to the rest of the network.
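The effect of segmentation on that ‘internal kill chain’ can be checked on paper before anything is deployed. Below is an added example in Python, not part of the original article or RazorSecure's product, that models a train network as zones joined by directed conduits (the direction in which a connection may be initiated) and computes how far an attacker who has compromised one zone can get. It contrasts a segmented policy with a flat one and shows how a single convenience conduit added later, here an assumed remote-diagnostics path into the train control zone, silently reopens the route. The zone names and conduits are a constructed illustration, not any real fleet's architecture.

```python
from collections import defaultdict, deque

# Constructed zone/conduit model (not any real fleet). Each conduit is
# (from_zone, to_zone, service): a connection may be initiated from -> to, never the reverse.
ZONES = ["passenger-wifi", "content-server", "train-gateway", "ground-ops",
         "tcms", "maintenance", "cctv"]

SEGMENTED = [
    ("passenger-wifi", "content-server", "https"),
    ("content-server", "train-gateway", "https"),
    ("train-gateway", "ground-ops", "https"),
    ("tcms", "train-gateway", "telemetry"),   # TCMS pushes data out; nothing may initiate inbound
    ("maintenance", "tcms", "ssh"),
    ("maintenance", "cctv", "rtsp"),
    ("cctv", "train-gateway", "https"),
]

# A flat network: every zone can initiate connections to every other zone.
FLAT = [(a, b, "any") for a in ZONES for b in ZONES if a != b]


def reachable(conduits, start):
    """Breadth-first search over the conduit graph: the set of zones an attacker who
    controls `start` can initiate connections into, directly or via hops."""
    graph = defaultdict(set)
    for src, dst, _service in conduits:
        graph[src].add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in graph[zone]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(conduits, start, zones=ZONES):
    """Reachable and unreachable zones from a compromised start zone, sorted for reporting."""
    r = reachable(conduits, start)
    return {"reachable": sorted(r), "unreachable": sorted(set(zones) - r)}


def exposes(conduits, extra_conduit, protected, start):
    """Would adding `extra_conduit` to the policy let `start` reach `protected`?"""
    before = protected in reachable(conduits, start)
    after = protected in reachable(conduits + [extra_conduit], start)
    return after and not before


if __name__ == "__main__":
    print("segmented:", blast_radius(SEGMENTED, "passenger-wifi"))
    print("flat:     ", blast_radius(FLAT, "passenger-wifi"))
    # An assumed later change: remote diagnostics from the gateway into the TCMS zone.
    diag = ("train-gateway", "tcms", "ssh")
    print("diagnostics conduit exposes TCMS to passenger wifi:",
          exposes(SEGMENTED, diag, "tcms", "passenger-wifi"))
```

The model deliberately ignores what traverses each conduit; it answers only the first question an incident responder asks, which is which zones a compromised system can even initiate a connection towards. Re-running it whenever a firewall rule or conduit is added is a cheap way to catch the one exception that undoes the segmentation.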
Once the attackers have made it through the first six steps of the Cyber Kill Chain and begun the actions needed to cause the harm they intend, is it too late to do anything? Even at this stage a solid cyber security programme can limit the damage and let you resolve the incident as swiftly as possible, by keeping false positives low so that the real threat actions stand out immediately. Many of the breaches reported in the media were not discovered until long after the attack took place. Within rail that is not an option: negative effects on operations must be averted immediately. With clear visibility of which assets are affected, a train operator can take precise action on only the affected areas rather than pausing all operations.
Building a cyber security strategy with defence in depth
Understanding the Cyber Kill Chain can help organisations to better anticipate and plan cyber security programmes that will combat threats to the system. The main objective of the defender is to break the chain of attack at any stage before reaching its ‘actions on objectives’.
Railway organisations need a more proactive defensive strategy, in line with the threat activity at each stage of the Cyber Kill Chain; the chain makes clear that relying only on ‘prevention’ technologies, which operate in its early stages, is unsustainable. Defence in depth is the approach of layering independent defensive mechanisms so that if one fails or is bypassed, another is already in place behind it. It does not guarantee that every attack is defeated; what it does guarantee is that an attacker has to defeat several independent controls, each of which is an opportunity to detect and stop them.
If you don’t already have a robust cyber security programme and visibility of your assets, this may seem like an impossible hill to climb.
It is necessary to have a solution in place at the various stages of the kill chain, including intrusion detection technologies, as required by rail cyber security regulations and standards such as the NIS Regulations, the NIST Cybersecurity Framework, CENELEC’s railway cyber security specification (TS 50701) and IEC 62443. RazorSecure’s behaviour-based monitoring and anomaly detection is designed to detect advanced attack techniques and tactics at every stage of the Cyber Kill Chain. We have worked with leading rail organisations to support a security strategy aligned to the extended Cyber Kill Chain, helping them protect against, detect and respond to cyber-attacks.