The energy and utilities industry needs to take extraordinary steps to protect its critical infrastructure. Gone are the days when treating physical security, process control security, and cybersecurity as separate functional areas could suffice. As the threats to our nation’s electric utility enterprises continue to rise, we must use all available information resources and security tools in highly integrated total security systems. As described in this presentation, recognizing and capitalizing upon the broad commonality of security domains across all three security functional areas can open many more possibilities to enhance an enterprise’s defenses. Based upon this unique systems concept, already proven effective for cybersecurity, a methodology for an integrated total security defense is described that begins with threat and vulnerability intelligence-driven security processes. By extending this methodology to all three security functional areas, organizations can better organize and utilize all their security resources and processes, including threat and vulnerability information, pre-emptive defense strategies, real-time and near-real-time situation awareness capabilities, and incident response/recovery actions, regardless of whether they are part of the physical, process control, or cybersecurity functional areas. In addition to methods and tools for highly efficient collection and analysis of “all source” threat and vulnerability information, systems approaches for fusing and correlating the high volume and wide variety of available security-relevant information are also described. These can assist security professionals to quickly analyze and initiate actions as needed across each of the physical, process control, and cybersecurity areas.
Slide 3: The Threat Surface Continues to Expand

[Chart: 2013 ICS-CERT incidents by sector, source ICS-CERT Response Monitor; Energy 51%, Other sectors the remainder]

256 incidents were reported either directly from asset owners or through other trusted partners.

51% of the 2013 ICS/PCN reported incidents were in Energy.*

* The majority of these were in the energy sector; however, critical manufacturing and several other sectors were also targeted.

A rise in advanced adversaries in 2013: 40 critical infrastructure organizations targeted.

ICS/PCN can be both the target and a pathway of attack:
• Target breach came through HVAC supplier
• Potential for attacker to take advantage of a physically/geographically dispersed architecture to gain access to the business network
Slide 9: The Cyber Kill Chain™ - Where “All-Source Information” Really Pays Off

[Diagram: the seven kill chain stages in order, Recon, Weaponize, Delivery, Exploit, Install, C2, Act on Objectives, divided into pre-compromise stages and post-compromise stages]
(C) Lockheed Martin Corporation 2014

• Reconnaissance – Looking for targets, social relationships, conference information, information on specific technologies, etc.
• Weaponization – Creating deliverable payload
• Delivery – Delivering weaponized bundle
• Exploitation – Exploiting a vulnerability
• Installation – Installing some mechanism that allows adversary to maintain persistence inside the environment
• Command & Control – Channel for remote manipulation of the “weapon” or victim
• Actions on Objectives – Intruders accomplish their original goal
Slide 10: The Cyber Kill Chain™ - Where “All-Source Information” Really Pays Off

[Diagram: two copies of the kill chain (Recon, Weaponize, Delivery, Exploit, Install, C2, Act on Objectives), each divided into pre-compromise and post-compromise stages, annotated with Detect, Analyze and Synthesize steps. Upper chain, “Mitigated intrusion: Analysis and synthesis”. Lower chain, “Full intrusion: Analysis to recreate the defense lifecycle”.]

Gather intel regardless of attack success
Slide 11: Timely, Comprehensive Threat and Vulnerability Information is Key to a Successful Defense
Slide 12: Moving from Today to Tomorrow Towards a Fully Integrated Total Security Architecture

A Total Security Architecture of the future, such as I-IDD, would tightly integrate all the Security processes and information
• Requires systems architecture evolution for full multi-layer interoperability across all the Physical, Process, and Cyber-Security processes and information
– Timely Threat and Vulnerability Data Source Integration and Analysis
– Event Detection Filtering and Analysis
– Advanced Threat Detection
– Cross Domain Correlation
– Guided Forensics
– Workflow Enhancement
• Many pieces exist today in the different security functional areas
• But the full vision is a daunting task for today’s legacy systems
Slide 13: A Total Security solution is possible now in a stepwise, manageable manner

• Use a top-down system-of-systems integration and design approach
• Review all security processes in light of an Integrated Total Security approach
• Prioritize integrated functions against threat impact severity and probability
• Concentrate on the most critical functions that need to be integrated first.
– Situation Awareness: PSIMs, SIEMs, Process Monitoring Systems
– Threat and Vulnerability Collection and Analysis
– Consolidate into centralized Total Security Operations Centers
• Then begin the migration to more automated security information correlation tools for your Total Security professionals
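The kill chain stages defined on slide 9, the "gather intel regardless of attack success" analysis on slide 10, and the cross-domain correlation called for on slides 12 and 13 can be illustrated together with a small correlator. The following is an added example written for this page, not code from the presentation or from Lockheed Martin: it ingests a constructed event feed from the physical (PSIM), process-control (process monitoring) and cyber (SIEM) domains, tags each event with a kill chain stage through a hypothetical mapping table, clusters events at the same site within a time window into incidents, and reports for each incident whether it was mitigated before any post-compromise stage and which pre-compromise stages had no detection at all. The feed format, the site names, the stage mapping and the assumption that the first four stages are the pre-compromise ones are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Kill chain stages in the order the slides give them. Assumption: the first
# four are the pre-compromise stages and the last three post-compromise.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
PRE_COMPROMISE = STAGES[:4]

# Hypothetical mapping from (security domain, event type) to a kill chain
# stage. A real deployment derives this from its own PSIM, SIEM and process
# monitoring alert catalogues; these pairs are constructed for the example.
STAGE_OF = {
    ("cyber", "port_scan"): "Reconnaissance",
    ("physical", "badge_denied"): "Reconnaissance",
    ("cyber", "phishing_email"): "Delivery",
    ("physical", "tailgate"): "Delivery",
    ("cyber", "exploit_alert"): "Exploitation",
    ("cyber", "new_service"): "Installation",
    ("cyber", "beacon"): "Command & Control",
    ("process", "setpoint_change"): "Actions on Objectives",
    ("process", "logic_change"): "Actions on Objectives",
}


@dataclass
class Event:
    ts: datetime
    domain: str   # "physical", "process" or "cyber"
    kind: str
    site: str
    detail: str

    @property
    def stage(self) -> str:
        return STAGE_OF.get((self.domain, self.kind), "Unmapped")


def parse_event(line: str) -> Event:
    """Parse one pipe-delimited feed line: ts|domain|kind|site|detail."""
    ts, domain, kind, site, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), domain, kind, site, detail)


@dataclass
class Incident:
    site: str
    events: list = field(default_factory=list)

    def domains(self) -> set:
        return {e.domain for e in self.events}

    def stages(self) -> list:
        """Observed kill chain stages, in chain order."""
        seen = {e.stage for e in self.events}
        return [s for s in STAGES if s in seen]

    def mitigated(self) -> bool:
        """True when nothing beyond the pre-compromise stages was observed."""
        return all(s in PRE_COMPROMISE for s in self.stages())

    def missing_pre_compromise(self) -> list:
        """Pre-compromise stages with no detection: where intel-driven
        defenses and additional sensors should be added first."""
        observed = self.stages()
        return [s for s in PRE_COMPROMISE if s not in observed]


def correlate(lines, window: timedelta = timedelta(hours=2)) -> list:
    """Group events by site into incidents; a gap longer than `window`
    between consecutive events at a site starts a new incident."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()),
                    key=lambda e: e.ts)
    incidents, open_by_site = [], {}
    for ev in events:
        cur = open_by_site.get(ev.site)
        if cur is None or ev.ts - cur.events[-1].ts > window:
            cur = Incident(ev.site)
            incidents.append(cur)
            open_by_site[ev.site] = cur
        cur.events.append(ev)
    return incidents


def report(inc: Incident) -> str:
    """Analyst-facing summary: outcome, observed stages and coverage gaps."""
    out = [f"{inc.site}: {len(inc.events)} events across {sorted(inc.domains())}",
           f"  stages observed: {inc.stages()}",
           f"  outcome: {'mitigated' if inc.mitigated() else 'FULL INTRUSION'}",
           f"  pre-compromise gaps: {inc.missing_pre_compromise()}"]
    for e in inc.events:
        out.append(f"    {e.ts.isoformat()} [{e.domain}/{e.stage}] {e.detail}")
    return "\n".join(out)


# Constructed sample feed (not real data): one physical/cyber/process chain
# at a substation that ran to completion, and one blocked phishing attempt.
SAMPLE_FEED = """\
2014-03-10T08:02:11|cyber|port_scan|substation-7|scan of HMI subnet from contractor VPN
2014-03-10T08:40:30|physical|badge_denied|substation-7|unknown badge at control-house door
2014-03-10T09:05:02|physical|tailgate|substation-7|door held open, one badge read, two entries on camera
2014-03-10T09:20:45|cyber|new_service|substation-7|unexpected service on engineering workstation
2014-03-10T09:31:10|process|setpoint_change|substation-7|protection relay setpoint changed outside maintenance window
2014-03-11T14:00:00|cyber|phishing_email|hq|malicious attachment quarantined by mail gateway
2014-03-11T14:03:00|cyber|exploit_alert|hq|exploit attempt blocked on user workstation
"""

if __name__ == "__main__":
    for inc in correlate(SAMPLE_FEED.splitlines()):
        print(report(inc))
```

Run stand-alone, the script prints two incidents: the substation chain spans all three domains and reaches Actions on Objectives with no detection at Weaponization or Exploitation, which is exactly the "full intrusion" analysis of slide 10 that tells the Total Security Operations Center where coverage is missing; the HQ phishing attempt stops at Exploitation and is reported as mitigated, but its detections are still kept as intelligence. The grouping key (site plus time window) is the simplest form of the cross-domain correlation on slide 12; a production correlator would also key on asset identifiers shared between the PSIM, SIEM and process historian.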