What is the Cyber Kill Chain?
The Cyber Kill Chain is a model that describes the phases of a targeted cyber attack — from preparation through to actual impact. It was developed by Lockheed Martin and helps organisations understand, detect and disrupt attacks.
In an OT context, the Kill Chain gives a structured way to analyse and interrupt attacks on production environments, such as those carried out by APT groups.
🔁 The 7 phases of the Cyber Kill Chain

| # | Phase | Description in OT context |
|---|---|---|
| 1 | Reconnaissance | Gathering information about PLCs, SCADA, suppliers, network layout |
| 2 | Weaponization | Building a payload (e.g. modified firmware, backdoor for an HMI) |
| 3 | Delivery | Distribution via phishing, USB, vulnerable remote access or supply chain |
| 4 | Exploitation | Executing the exploit (e.g. abuse of unprotected engineering software) |
| 5 | Installation | Installing malware, RAT or rogue tools on an HMI or engineering station |
| 6 | Command & Control | Setting up a communication channel to the attacker (e.g. via a Historian bridge) |
| 7 | Actions on Objective | Data breach, PLC sabotage, manipulation of sensor values, etc. |
🧠 Kill Chain & OT-specific examples

| Phase | Example |
|---|---|
| Reconnaissance | The attacker scans the network and discovers an open TCP/102 (S7 Comm) to a PLC |
| Weaponization | The attacker builds custom Ladder Logic for sabotage |
| Delivery | A trojan is delivered via a vendor’s update package (see supply chain risk) |
| Exploitation | The PLC accepts unsigned code because it enforces no code signing |
| Installation | Backdoor on the Engineering Station or SCADA web server |
| Command & Control | Outbound connection via Historian to the attacker’s server |
| Actions on Objective | Temperature sensor manipulated, safety function disabled |
🔐 Breaking the Kill Chain

| Phase | Defensive measure |
|---|---|
| Reconnaissance | Network segmentation, firewalls, SIEM logging |
| Weaponization | Threat intelligence and IOC detection |
| Delivery | Email filtering, USB control, software whitelisting |
| Exploitation | Patch management, access control, vulnerability scanning |
| Installation | EDR, application control, least privilege |
| Command & Control | Proxy, DNS monitoring, anomaly detection |
| Actions on Objective | Zero Trust architecture, incident response plan |
The earlier you intervene in the chain, the greater the chance of stopping the attack without damage.
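To make the "detect early" point concrete, here is an added example (not code from the original article) that maps OT network flow records to Kill Chain phases using the defensive measures from the table above: SIEM logging of S7comm (TCP/102) sessions for the Reconnaissance phase, and monitoring of outbound connections from the Historian for the Command & Control phase. The asset inventory (PLC, engineering station and Historian addresses, the 10.10.0.0/16 plant range) and the flow-log lines are constructed for illustration; the log format `<src> <dst> <dport> <proto>` is an assumption, not a real product's format.

```python
"""
Added example: rule-based mapping of OT flow records to Cyber Kill Chain
phases. All addresses, hosts and flow lines below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory (assumption: the plant uses 10.10.0.0/16).
PLANT_NETWORKS = [ip_network("10.10.0.0/16")]
PLCS = {"10.10.1.10", "10.10.1.11"}
ENGINEERING_STATIONS = {"10.10.2.5"}   # the only hosts allowed to talk S7comm
HISTORIAN = "10.10.3.20"
S7COMM_PORT = 102


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow-log line of the form '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def is_internal(addr: str) -> bool:
    """True if the address belongs to one of the plant networks."""
    ip = ip_address(addr)
    return any(ip in net for net in PLANT_NETWORKS)


def classify(flow: Flow) -> list[str]:
    """Return the Kill Chain phases a single flow is evidence of (empty if benign)."""
    findings = []
    # Reconnaissance: S7comm to a PLC from a host that is not an engineering station.
    if (flow.proto == "tcp" and flow.dport == S7COMM_PORT
            and flow.dst in PLCS and flow.src not in ENGINEERING_STATIONS):
        findings.append("Reconnaissance")
    # Command & Control: the Historian opening a connection to a non-plant address.
    if flow.src == HISTORIAN and not is_internal(flow.dst):
        findings.append("Command & Control")
    return findings


def s7_sweep_sources(lines, min_plcs: int = 2) -> set[str]:
    """Stateful check: unauthorised sources that touched at least `min_plcs`
    distinct PLCs on TCP/102, i.e. a sweep rather than a single misconfigured client."""
    touched: dict[str, set[str]] = {}
    for line in lines:
        f = parse_flow(line)
        if f.proto == "tcp" and f.dport == S7COMM_PORT and f.dst in PLCS \
                and f.src not in ENGINEERING_STATIONS:
            touched.setdefault(f.src, set()).add(f.dst)
    return {src for src, plcs in touched.items() if len(plcs) >= min_plcs}


def analyse(lines):
    """Run the per-flow rules and return (line, phases) for the flows that hit."""
    hits = []
    for line in lines:
        phases = classify(parse_flow(line))
        if phases:
            hits.append((line, phases))
    return hits


# Constructed sample flow log.
SAMPLE_FLOWS = [
    "10.10.2.5 10.10.1.10 102 tcp",     # engineering station -> PLC: expected
    "10.10.7.44 10.10.1.10 102 tcp",    # unknown host -> PLC over S7comm
    "10.10.7.44 10.10.1.11 102 tcp",    # same host, second PLC: a sweep
    "10.10.3.20 10.10.2.5 443 tcp",     # Historian -> internal host: fine
    "10.10.3.20 203.0.113.9 443 tcp",   # Historian -> external address: C2 indicator
]

if __name__ == "__main__":
    for line, phases in analyse(SAMPLE_FLOWS):
        print(f"{line:34} -> {', '.join(phases)}")
    print("S7comm sweep sources:", s7_sweep_sources(SAMPLE_FLOWS))
```

The per-flow rules fire on a single record, which is what a SIEM correlation rule at phase 1 or 6 looks like; the sweep check shows why the Reconnaissance rule should be stateful, since one unexpected S7comm session may be a misconfigured client while the same source touching several PLCs is far more likely a scan. In a real deployment the allow-lists would come from the asset inventory rather than constants.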
✅ Why is this model valuable in OT?
- It structures thinking about cyber attacks in an industrial context
- You can map measures per phase to existing systems and processes
- It supports training of operators, engineers and security teams
- It integrates with MITRE ATT&CK for ICS for additional depth
📌 In summary
The Cyber Kill Chain shows how cyber attacks unfold and where it is best to detect and interrupt them. In OT environments, early detection in phases 1–3 is essential to avoid physical impact in phase 7.
