an approach to closing the gaps between physical, process control, and cybersecurity for the energy...
Post on 20-Aug-2015
Bill Lawrence, Ph.D. Commercial Cyber Security Services, Lockheed Martin
© Lockheed Martin Corporation 2014. All Rights Reserved. This document [or software] shall not be reproduced, modified, distributed or displayed without the prior written consent of the Lockheed Martin Corporation.
Closing the Gap between Physical, Process Control, and Cybersecurity for the Energy and Utilities Industry
[Slide figures: Intelligence-driven Defense; The Electric Power System; DOE’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) V1.1]
The Threat Surface Continues to Expand
[Chart: ICS-CERT Response Monitor, incident reports by year: 198 in 2012, 256 in 2013. 2013 split: Energy 51%, the remainder Other.]
256 incidents were reported either directly from asset owners or through other trusted partners.
51% of the 2013 ICS/PCN reported incidents were in Energy.*
* The majority of these were in the energy sector; however, critical manufacturing and several other sectors were also targeted.
• A rise in advanced adversaries: in 2013, 40 critical infrastructure organizations were targeted
• ICS/PCN can be both the target and a pathway of attack
• The Target (retailer) breach came through an HVAC supplier
• Potential for an attacker to take advantage of a physically/geographically dispersed architecture to gain access to the business network
Tools of Integration: Putting it all Together to Stop the Adversary
The Cyber Kill Chain™ - Where “All-Source Information” Really Pays Off
[Diagram: Recon → Weaponize → Delivery → Exploit → Install → C2 → Act on Objectives. Pre-compromise stages through Delivery; post-compromise stages from Exploit onward.]
• Reconnaissance – Looking for targets, social relationships, conference information, information on specific technologies, etc.
• Weaponization – Creating the deliverable payload
• Delivery – Delivering the weaponized bundle
• Exploitation – Exploiting a vulnerability
• Installation – Installing some mechanism that allows the adversary to maintain persistence inside the environment
• Command & Control – Channel for remote manipulation of the “weapon” or victim
• Actions on Objectives – Intruders accomplish their original goal
The Cyber Kill Chain™ - Where “All-Source Information” Really Pays Off
[Diagram: two copies of the chain Recon → Weaponize → Delivery → Exploit → Install → C2 → Act on Objectives.
Mitigated intrusion: Analysis and synthesis. Detect at the stage where the attempt was stopped, Analyze the stages leading up to it, Synthesize indicators from them.
Full intrusion: Analysis to recreate the defense lifecycle. Detect at a later stage, then Analyze back across all pre-compromise and post-compromise stages.]
Gather intel regardless of attack success
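As an added illustration (not code from the slides or from Lockheed Martin), the Python below models the analysis and synthesis steps on the two chains above. Each intrusion attempt is a set of events tagged with a kill chain phase and an atomic indicator. The mitigated attempt is stopped at Delivery and still yields pre-compromise indicators; the full intrusion is detected at C2 and analyzed back across every phase; the indicator set synthesized from both lets a third attempt be matched at Weaponization rather than waiting for C2. The intrusion labels, indicator strings and hash-like values are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Kill chain phases in order, as listed on the slide.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}


@dataclass(frozen=True)
class Event:
    intrusion: str          # label tying events to one intrusion attempt
    phase: str              # one of PHASES
    indicator: str          # atomic indicator observed at that phase
    detected: bool = False  # True where a defender's sensor fired


def analyze(events):
    """Per intrusion: order events along the chain, find the detection phase,
    decide whether the intrusion was mitigated, and collect every indicator."""
    by_name = defaultdict(list)
    for e in events:
        if e.phase not in PHASE_INDEX:
            raise ValueError(f"unknown kill chain phase: {e.phase!r}")
        by_name[e.intrusion].append(e)
    results = {}
    for name, evs in by_name.items():
        evs.sort(key=lambda e: PHASE_INDEX[e.phase])
        detected = [e.phase for e in evs if e.detected]
        results[name] = {
            "detected_at": min(detected, key=PHASE_INDEX.get) if detected else None,
            "last_phase": evs[-1].phase,
            # Mitigated: the adversary never reached Actions on Objectives.
            "mitigated": evs[-1].phase != PHASES[-1],
            "indicators": {(e.phase, e.indicator) for e in evs},
        }
    return results


def synthesize(results):
    """Merge indicators from all intrusions, successful or not, keyed by phase."""
    known = defaultdict(set)
    for r in results.values():
        for phase, ind in r["indicators"]:
            known[phase].add(ind)
    return dict(known)


def campaign_links(results):
    """Indicators seen in two or more intrusions tie them to one campaign."""
    owners = defaultdict(set)
    for name, r in results.items():
        for key in r["indicators"]:
            owners[key].add(name)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}


def earliest_match(events, known):
    """Earliest phase at which a new attempt hits a synthesized indicator."""
    hits = [e.phase for e in events if e.indicator in known.get(e.phase, ())]
    return min(hits, key=PHASE_INDEX.get) if hits else None


# Constructed sample data (not from the slides): two past attempts and a new one.
HISTORY = [
    # Attempt A: blocked at the mail gateway, so only pre-compromise indicators exist.
    Event("A", "Reconnaissance", "profile-scrape:plant-engineers"),
    Event("A", "Weaponization", "doc-hash:deadbeef01"),
    Event("A", "Delivery", "sender:hr-updates@example-utility.net", detected=True),
    # Attempt B: succeeded; detected at C2, then analyzed back along the chain.
    Event("B", "Weaponization", "doc-hash:deadbeef01"),
    Event("B", "Delivery", "sender:payroll@example-utility.net"),
    Event("B", "Exploitation", "macro:AutoOpen"),
    Event("B", "Installation", "path:%APPDATA%\\svchost32.exe"),
    Event("B", "Command & Control", "domain:update.example-cdn.net", detected=True),
    Event("B", "Actions on Objectives", "share:\\\\historian\\exports"),
]
# Attempt C: a fresh phishing wave reusing the weaponizer seen in A and B.
NEW_ATTEMPT = [
    Event("C", "Reconnaissance", "profile-scrape:ops-staff"),
    Event("C", "Weaponization", "doc-hash:deadbeef01"),
    Event("C", "Delivery", "sender:benefits@example-utility.net"),
]


def demo():
    results = analyze(HISTORY)
    known = synthesize(results)
    return results, known, campaign_links(results), earliest_match(NEW_ATTEMPT, known)


if __name__ == "__main__":
    results, known, links, hit = demo()
    for name, r in results.items():
        print(name, "mitigated" if r["mitigated"] else "full", "detected at", r["detected_at"])
    print("campaign links:", links)
    print("new attempt matched at:", hit)
```

The point of the example is the last call: attempt A never got past Delivery, yet its weaponization indicator is what links it to B and lets C be recognized before any payload runs.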
Timely, Comprehensive Threat and Vulnerability Information is Key to a Successful Defense
Moving from Today to Tomorrow: Towards a Fully Integrated Total Security Architecture
A Total Security Architecture of the future, such as I-IDD, would tightly integrate all the Security processes and information
• Requires systems architecture evolution for full multi-layer interoperability across all the Physical, Process, and Cyber-Security processes and information
– Timely Threat and Vulnerability Data Source Integration and Analysis
– Event Detection Filtering and Analysis
– Advanced Threat Detection
– Cross Domain Correlation
– Guided Forensics
– Workflow Enhancement
• Many pieces exist today in the different security functional areas
• But the full vision is a daunting task for today’s legacy systems
A Total Security solution is possible now in a stepwise, manageable manner
• Use a top-down system-of-systems integration and design approach
• Review all security processes in light of an Integrated Total Security approach
• Prioritize integrated functions against threat impact severity and probability
• Concentrate on the most critical functions that need to be integrated first.
– Situation Awareness: PSIMs, SIEMs, Process Monitoring Systems
– Threat and Vulnerability Collection and Analysis
– Consolidate into centralized Total Security Operations Centers
• Then begin the migration to more automated security information correlation tools for your Total Security professionals
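One concrete piece of the Cross Domain Correlation and Situation Awareness items above, written as an added example (not code from the slides or from any Lockheed Martin product): a small correlator over a merged, normalized feed of PSIM badge events, process monitoring setpoint changes and SIEM VPN logins. The pipe-delimited line layout, the presence and session windows, the actor naming and the sample events are all assumptions made for the example. It applies two rules: a setpoint change by someone who is neither badged into that site nor holding a recent remote session, and a remote login by someone currently badged in on site.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    domain: str   # "physical" (PSIM), "process" (process monitoring), "cyber" (SIEM)
    kind: str     # badge_in, badge_out, vpn_login, setpoint_change, ...
    actor: str    # engineer or account id, assumed already normalized across feeds
    site: str     # plant/substation for physical and process events; "corp" for IT
    detail: str = ""


def parse(line):
    """Parse one normalized feed line. The 'ts|domain|kind|actor|site|detail'
    layout is an assumption of this example, not any real product's format."""
    ts, domain, kind, actor, site, detail = line.split("|", 5)
    return Event(datetime.fromisoformat(ts), domain, kind, actor, site, detail)


# Assumed policy windows: how long a badge-in counts as presence without a
# badge-out, and how long a VPN login counts as an active remote session.
PRESENCE_WINDOW = timedelta(hours=8)
SESSION_WINDOW = timedelta(hours=4)


def correlate(events):
    """Walk the merged feed in time order, tracking physical presence and
    remote sessions per actor, and emit alerts where the domains disagree."""
    present = {}   # (actor, site) -> badge_in time
    sessions = {}  # actor -> last vpn_login time
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.domain == "physical" and e.kind == "badge_in":
            present[(e.actor, e.site)] = e.ts
        elif e.domain == "physical" and e.kind == "badge_out":
            present.pop((e.actor, e.site), None)
        elif e.domain == "cyber" and e.kind == "vpn_login":
            sessions[e.actor] = e.ts
            # Rule 2: a remote login while the same person is badged in on a
            # site points at stolen credentials or a shared account.
            for (actor, site), t in present.items():
                if actor == e.actor and e.ts - t <= PRESENCE_WINDOW:
                    alerts.append((e.ts, "remote login while badged in", e.actor, site))
        elif e.domain == "process" and e.kind == "setpoint_change":
            t_in = present.get((e.actor, e.site))
            on_site = t_in is not None and e.ts - t_in <= PRESENCE_WINDOW
            t_vpn = sessions.get(e.actor)
            remote = t_vpn is not None and e.ts - t_vpn <= SESSION_WINDOW
            # Rule 1: a control change with neither physical presence nor a
            # remote session behind it has no legitimate path to the controller.
            if not (on_site or remote):
                alerts.append((e.ts, "setpoint change without presence or session", e.actor, e.site))
    return alerts


# Constructed sample feed (not real data): one day at a dispersed site.
SAMPLE_FEED = """\
2014-03-03T06:55:00|physical|badge_in|eng.alice|substation-12|gate A
2014-03-03T07:10:00|process|setpoint_change|eng.alice|substation-12|PLC-3 tap position 5 to 6
2014-03-03T07:40:00|physical|badge_out|eng.alice|substation-12|gate A
2014-03-03T09:00:00|cyber|vpn_login|eng.bob|corp|src 203.0.113.7
2014-03-03T09:20:00|process|setpoint_change|eng.bob|substation-12|PLC-3 tap position 6 to 7
2014-03-03T14:05:00|physical|badge_in|eng.carol|substation-12|gate B
2014-03-03T14:30:00|cyber|vpn_login|eng.carol|corp|src 198.51.100.9
2014-03-03T22:15:00|process|setpoint_change|eng.alice|substation-12|PLC-3 tap position 7 to 9
"""


def run_sample():
    return correlate(parse(l) for l in SAMPLE_FEED.splitlines() if l)


if __name__ == "__main__":
    for ts, rule, actor, site in run_sample():
        print(ts.isoformat(), rule, actor, site)
```

Neither rule fires on the first five events: Alice's change happens while she is badged in, Bob's happens inside a fresh remote session. Carol's VPN login while on site and the late-evening change under Alice's account with no presence and no session are the two alerts, and neither would be visible to a PSIM, a historian or a SIEM on its own.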