The Industrial Control System Cyber Kill Chain

Policy Paper
Oct. 6, 2015

Cyber attacks on industrial control systems (ICS) differ in impact based on a number of factors, including the adversary’s intent, their sophistication and capabilities, and their familiarization with ICS and automated processes. Cyber attackers target systems not in single incidents and breaches but, instead, through a campaign of efforts that enables access and provides sufficient information to devise an effect. A campaign represents the entirety of the operation against the defender organization and its systems. Understanding where an adversary is in his or her campaign can enable defenders to make better-informed security and risk management decisions. Additionally, this knowledge of the adversary’s operations can help defenders appreciate the attacker’s possible intent, level of sophistication, capabilities and familiarization with the ICS, which together work to unveil the potential impact of the attack on an organization. The authors believe ICS networks are more defensible than enterprise information technology (IT) systems. By understanding the inherent advantages of well-architected ICS networks and by understanding adversary attack campaigns against ICS, security personnel can see how defense is doable. New America Cybersecurity Fellow Robert M. Lee and Michael J. Assante introduce the concept of the ICS Cyber Kill Chain to help defenders understand the adversary’s cyber attack campaign.

Read the full report at the SANS Institute.