an approach to closing the gaps between physical, process control, and cybersecurity for the energy...


Upload: energysec

Post on 20-Aug-2015



1

Bill Lawrence, Ph.D. Commercial Cyber Security Services, Lockheed Martin

© Lockheed Martin Corporation 2014. All Rights Reserved. This document [or software] shall not be reproduced, modified, distributed or displayed without the prior written consent of the Lockheed Martin Corporation.

Closing the Gap between Physical, Process Control, and Cybersecurity for the Energy and Utilities Industry

2

Intelligence-driven Defense

The Electric Power System

DOE’s Electric Subsector Cybersecurity Capabilities Maturity Model V1.1

3

The Threat Surface Continues to Expand

256 incidents were reported either directly from asset owners or through other trusted partners.

[Chart: 2013 ICS-CERT Incidents (source: ICS-CERT Response Monitor). Incident reports: 198 in 2012, 256 in 2013; the 2013 reports are split between Energy (51%) and Other.]

51% of the 2013 ICS/PCN reported incidents were in Energy

* The majority of these were in the energy sector; however, critical manufacturing and several other sectors were also targeted.

• A rise in advanced adversaries: in 2013, 40 critical infrastructure organizations targeted

• ICS/PCN can be both the target and a pathway of attack

• Target breach came through HVAC supplier

• Potential for attacker to take advantage of a physically/geographically dispersed architecture to gain access to the business network

4

Security Domain Commonality

Utility Enterprise

5

Tools of Integration: Putting it all Together to Stop the Adversary

6

Intelligence Driven Defense®

7

A Total Security Approach

Utility Enterprise

8

A Total Security Integrated Lifecycle

Utility Enterprise

9

The Cyber Kill ChainTM - Where “All-Source Information” Really Pays Off

[Figure: the Cyber Kill Chain stages in order: Recon, Weaponize, Delivery, Exploit, Install, C2, Act on Objectives, grouped into pre-compromise stages and post-compromise stages.]

• Reconnaissance – Looking for targets, social relationships, conference information, information on specific technologies, etc.

• Weaponization – Creating deliverable payload

• Delivery – Delivering weaponized bundle

• Exploitation – Exploiting a vulnerability

• Installation – Installing some mechanism that allows adversary to maintain persistence inside the environment

• Command & Control – Channel for remote manipulation of the “weapon” or victim

• Actions on Objectives – Intruders accomplish their original goal

10

The Cyber Kill ChainTM - Where “All-Source Information” Really Pays Off

[Figure: two kill chains (Recon, Weaponize, Delivery, Exploit, Install, C2, Act on Objectives), grouped into pre-compromise and post-compromise stages and annotated Detect / Analyze / Synthesize. Mitigated intrusion: Analysis and synthesis. Full intrusion: Analysis to recreate the defense lifecycle. Gather intel regardless of attack success.]
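As an added example (not from the deck), the "gather intel regardless of attack success" step as a small Python routine: constructed intrusion records, each tagged with the kill chain phase where defenders caught it, are merged so that indicators recurring across attempts show which earlier phase a detection could be moved to. All intrusion ids, indicators and phase assignments are made up.

```python
from collections import defaultdict

# Kill chain phases in order, as on the slide.
PHASES = ["Recon", "Weaponize", "Delivery", "Exploit", "Install", "C2", "Act on Objectives"]

# Constructed sample: three attempts by one campaign (all values made up).
# "phases" maps each observed phase to the indicators seen there;
# "detected_at" is where defenders caught it (None = full intrusion).
INTRUSIONS = [
    {"id": "A1", "detected_at": "Install",
     "phases": {"Delivery": {"sender:hr-bulletin@example.test"},
                "Exploit": {"doc-hash:HASH-1"},
                "Install": {"path:%APPDATA%\\svc\\upd.exe"},
                "C2": {"dns:upd.example.test"}}},
    {"id": "A2", "detected_at": "Delivery",
     "phases": {"Delivery": {"sender:hr-bulletin@example.test"},
                "Exploit": {"doc-hash:HASH-2"}}},
    {"id": "A3", "detected_at": None,
     "phases": {"Recon": {"useragent:UA-scanner-9"},
                "Delivery": {"sender:it-notice@example.test"},
                "Exploit": {"doc-hash:HASH-3"},
                "Install": {"path:%APPDATA%\\svc\\upd.exe"},
                "C2": {"dns:upd.example.test"},
                "Act on Objectives": {"share:\\\\hist\\pi-archive"}}},
]


def synthesize(intrusions):
    """Merge indicators from every intrusion, mitigated or not ("gather intel
    regardless of attack success"). Returns {indicator: (phase, n_intrusions)}."""
    seen, phase_of = defaultdict(set), {}
    for intr in intrusions:
        for phase, indicators in intr["phases"].items():
            for ind in indicators:
                seen[ind].add(intr["id"])
                phase_of[ind] = phase
    return {ind: (phase_of[ind], len(ids)) for ind, ids in seen.items()}


def earlier_detection(intrusion, intel):
    """Indicators of this intrusion that also occur in another intrusion and sit
    at a phase earlier than the one where it was actually detected: each is a
    candidate for moving detection left in the chain."""
    cutoff = len(PHASES) if intrusion["detected_at"] is None else PHASES.index(intrusion["detected_at"])
    hits = [(phase, ind)
            for phase, indicators in intrusion["phases"].items()
            if PHASES.index(phase) < cutoff
            for ind in indicators if intel.get(ind, ("", 0))[1] > 1]
    return sorted(hits, key=lambda h: PHASES.index(h[0]))
```

Run over the sample, A1 (caught at Install) shares its Delivery sender with A2, and the full intrusion A3 reuses A1's Install path and C2 domain, so the merged intel points to detections two and more phases earlier than where each was actually stopped.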

11

Timely, Comprehensive Threat and Vulnerability Information is Key to a Successful Defense

12

Moving from Today to Tomorrow Towards a Fully Integrated Total Security Architecture

A Total Security Architecture of the future, such as I-IDD, would tightly integrate all the Security processes and information

• Requires systems architecture evolution for full multi-layer interoperability across all the Physical, Process, and Cyber-Security processes and information

– Timely Threat and Vulnerability Data Source Integration and Analysis

– Event Detection Filtering and Analysis

– Advanced Threat Detection

– Cross Domain Correlation

– Guided Forensics

– Workflow Enhancement

• Many pieces exist today in the different security functional areas

• But the full vision is a daunting task for today’s legacy systems

13

A Total Security solution is possible now in a stepwise, manageable manner

• Use a top-down system-of-systems integration and design approach

• Review all security processes in light of an Integrated Total Security approach

• Prioritize integrated functions against threat impact severity and probability

• Concentrate on the most critical functions that need to be integrated first.

– Situation Awareness: PSIMs, SIEMs, Process Monitoring Systems

– Threat and Vulnerability Collection and Analysis

– Consolidate into centralized Total Security Operations Centers

• Then begin the migration to more automated security information correlation tools for your Total Security professionals
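The cross-domain correlation the slides call for, as an added illustration that is not part of the deck: constructed PSIM badge-reader, SIEM VPN-login and process-control audit events are parsed into one timeline and checked against two rules that only work once the physical, cyber and process domains are joined. The event format, user names, tags and addresses are all made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events from three domains (all values made up):
# PSIM = physical badge reader, SIEM = cyber (VPN login), PCN = process
# control audit trail (setpoint/breaker writes from an HMI or historian).
LOG = """\
2014-06-02T06:55:10 PSIM badge_in user=jdoe door=plant2-control-room
2014-06-02T07:02:41 SIEM vpn_login user=jdoe src=203.0.113.9
2014-06-02T07:05:03 PCN setpoint_write user=jdoe tag=FEEDER_7.BREAKER
2014-06-02T13:20:19 SIEM vpn_login user=asmith src=198.51.100.4
2014-06-02T13:22:50 PCN setpoint_write user=asmith tag=FEEDER_3.BREAKER
"""

EVENT_RE = re.compile(r"(\S+) (PSIM|SIEM|PCN) (\w+) (.*)")


def parse(log):
    """Turn the constructed 'timestamp domain kind key=value ...' lines into dicts."""
    events = []
    for line in log.splitlines():
        ts, domain, kind, rest = EVENT_RE.match(line).groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "domain": domain, "kind": kind, **fields})
    return events


def correlate(events, badge_window=timedelta(hours=12)):
    """Cross-domain rules over one timeline. Returns (rule, user, timestamp) findings."""
    badged = [e for e in events if e["domain"] == "PSIM" and e["kind"] == "badge_in"]

    def on_site(user, ts):
        # Badged in at the plant within badge_window before the event.
        return any(b["user"] == user and ts - badge_window <= b["ts"] <= ts for b in badged)

    findings = []
    for e in events:
        # Rule 1: a control-system write by an account with no physical presence at the plant.
        if e["domain"] == "PCN" and e["kind"] == "setpoint_write" and not on_site(e["user"], e["ts"]):
            findings.append(("pcn_write_without_badge", e["user"], e["ts"]))
        # Rule 2: a remote login for a credential whose holder is badged in on site.
        if e["domain"] == "SIEM" and e["kind"] == "vpn_login" and on_site(e["user"], e["ts"]):
            findings.append(("vpn_while_on_site", e["user"], e["ts"]))
    return findings
```

Neither rule fires on a single domain's data: the SIEM alone sees two ordinary VPN logins and the process audit trail alone sees two authorised operator writes.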