1) The document discusses research challenges and advancements towards protecting critical cyber assets and infrastructure. It identifies threat actors and their increasing sophistication as well as common targets. 2) Oak Ridge National Laboratory is working on techniques like predictive awareness, operating through outages/attacks, and security in the cloud to address grand challenges. Their research strengths include computational cybersecurity, quantum simulation, and control systems security. 3) Technologies discussed include Hyperion Protocol for validating software functionality, Oak Ridge Cyber Analytics for detecting zero-day attacks using machine learning, and VERDE for power grid situational awareness.

2. Research Advancements Towards
Protecting Critical Assets
Dr. Richard “Rick” Raines
Cyber Portfolio Manager
Oak Ridge National Laboratory
15 July 2013

3. The Cyber Defense?
The Economist May 9, 2009

4. The Threat Landscape
• National intellectual property is being stolen at alarming
rates
• National assets are vulnerable to attack and exploitation
• Personal Identifiable Information at risk
• Competing and difficult national priorities for resources
Electric Power
Oil & Gas
Water
Emergency
Transportation
Communications
Financial
The Landscape is continually changing

5. Understanding the Challenges
• Dynamic environment with a constant churn
– A domain of operations—”within” and “through”
– Anytime, anywhere access to data and information
– Policy and Statutory lanes emerging
• Agile adversaries
– Cyber and Cyber Physical
– Overt and covert attacks/exploits
• Data continues to grow
– Sensor feeds yield terabytes of raw data
– Analyst burdens continue to grow
We Continue to Play Catch Up

6. Who Are the Threat Actors ?
• Unintended threat actors -- Can be just about anyone??
– Target rich environment—people, processes, machines
• Personal gain threat actors -- individual and organized crime
– Insiders?
• Ideological threat actors
– Hacktivists, extremists and terrorists
#OpUSA (7 May 13)
#OpNorthKorea (25 Jun 13)
• Nation-state threat actors
– Intelligence gathering, military actions
The Sophistication of the Actors Continue to Increase

7. Who “Really” Are the Threat
Actors?
• Over 90% of threat actors are external to an organization
• 55% of the actors associated with organized crime
– Predominantly in U.S. and Eastern Europe
• ~20% of actors associated with nation-state operations
– Over 90% attributable to China
• Internal actors: large percentage of events tied to
unintentional misconfigurations
Source: www.verizonenterprise.com/DBIR/2013
But, sophistication not always needed….

8. The Targets
• 37% of incidents affected financial organizations
– Organized crime—virtual and physical methods
– Since 9/2012, 46 U.S. institutions in over 200 separate intrusions
(FBI)
• 24% targeted individuals in retail environments
– 40% of data thefts attributed to employees in the direct
payment chain
• Waiters, cashiers, bank tellers—”skimmers” and like-devices
• Organizations will always be targets for who
they are and what they do
Source: www.verizonenterprise.com/DBIR/2013
Actors will continue to look for the “low hanging fruit”

9. Understanding Your Mission
• What does cyber Situational Awareness really mean?
– User-defined
– Real-time awareness of mission health
– Highly relevant information to the decision-maker
• What are the “crown jewels” in your mission space?
– The critical components that you can’t operate without
– Understanding the interdependencies
• What are the capabilities needed for success?
– Revolutionary advances rather than evolutionary
progress
– The right talent and enough to ensure success
– Partnerships are critical
Mission Assurance = Operational Success

10. Long Term Grand Challenges

11. Cyber R&D Challenges
Operate Through An Outage/Attack
Identify
missioncritical
capabilities
Assess
complex
attack
planning
problem
Design
defense
in depth
Detect/
block
attacks
Discover/
mitigate
attacks
Enable
graceful
degradation
of resilient
(self-healing)
systems
System of systems approach to ensure continuity of operations (COOP)

12. Cyber R&D Challenges
Predictive Awareness
Near-real-time
situational
awareness
of the
battlespace
Automated/
user-defined
view
Network
mapping
Predictive/
self-healing
systems
Anticipate
failure
or attack
and react
automatically
Mission-critical systems available and functional to operate through

13. Cyber R&D Challenges
Security in the Cloud
Approach:
Wholly owned/
cloud service/
public internet
Complex
attack
planning
problem
Variety
of security
structures
Masking
deception
Continuous
maneuver
Graceful
degradation
of resilient
(self-healing)
systems
Visibility of data and computations without access to specific problem

14. Cyber R&D Challenges
Self-Protective Data/Software
Resilient
data
(at rest and
in motion)
Protocols:
Secure,
resilient,
active
Trustworthy
computing
High-userconfidence
check sum
Hardwarebacked
trust
High user confidence in data and software
Graceful
degradation
of missioncritical data to
“last known
good”

15. Cyber R&D Challenges
Security of Mobile Devices
Classified/
UNCLAS
encryption
Power and
performance
issues
addressed
Hardware
root of
trust
Self
healing
Data
Validated
Leakage/
Transfer
contained
Biometric
security
features
Bring your own device (disaster?)

16. ORNL Cyber Research Strengths
• Observation-based
generative models
• Control of false
positives/negatives
• Modeling
of adversaries
• Photon pair and
continuous variable
entanglement
• Comprehensive
source design
and simulation
• High-performance
computing resources
• Putting quantum and
computing together
• Mathematical rigor
• Computationally
intensive methods
• At scale, near real time
Computational
cyber
Evidencesecurity
based action
Nonclassical
light sources
• Statistics vs metrics
• Repeatability
and reproducibility
• Trend observation
and identification
Sciencebased
security
Protection and
control
Quantum
simulation
Data
management
Information
visualization
Applicationoriented
research
• From first principles
to real solutions
• Quantum for computing,
communication,
sensing, and security
Analytics
•
•
•
•
Probabilistic modeling
Social network analysis
Relational learning
Heterogeneous data analysis
• Online, near-real-time
methods
• Graph modeling/retrieval
• Distributed storage
and analysis methods
• Geospatial and temporal
display methods
• Multiple, coordinated
visualizations
• User-centered design
and user testing

17. ORNL Control Systems Security
Research Strengths
• Observation-based
generative models
• Control of false
positives/negatives
• Modeling
of adversaries
• Vulnerability assessments
• Mathematical rigor
• Computationally
intensive methods
• At scale, near real time
• Time synchronized data
• Fault disturbances
recorders, PMUs
• Voltage, frequency,
phase 3, current
Computational
cyber
Real-time
Evidencesecurity
Monitoring
based action
• Industry guidelines
• Interoperability
• Physics based
protection schemes
• Cyber physical
interface
Standards
development
Resilient
control
systems
Detection, control
and wide-area
visualization
Data
management
Information
visualization
Advanced
components
• Fault current limiters
• Saturable reactors
• Power electronics
Analytics
•
•
•
•
Probabilistic modeling
Social network analysis
Relational learning
Heterogeneous data analysis
• Online, near-real-time
methods
• Graph modeling/retrieval
• Distributed storage
and analysis methods
• Geospatial and temporal
display methods
• Multiple, coordinated
visualizations
• User-centered design
and user testing

18. VERDE: Visualizing Energy Resources
Dynamically on Earth
• Monitoring Capability
– Situational awareness of subset of
transmission lines (above 65 KV)
– Situational awareness of distribution
outages (status of approximately 100
Million power customers)
– Social-media feeds ingest
Wide-Area Power Grid Situational Awareness
– Real-time weather overlays
• Modeling and Analysis
– Predictive and post-event impact
modeling and contingency simulation
– Automatic forecasts of power recovery
– Energy interdependency modeling
– Mobile application
– Cyber dependency
Impact Models and Data Analysis
Distribution Outages Analysis

19. Current technology
provides no practical
means to validate the full
behavior of software.
Program instructions
implement functional
semantics that can be
precisely defined.
Instruction semantics
can be mathematically
combined to compute
the functional effect of
programs.
HOW IT WORKS:
• Hyperion Protocol technology computes the
behavior of compiled binaries.
• Structure theorem shows how to transform
code into standard control structures with no
arbitrary branching.
• Correctness theorem shows how to express
behavior of control structures as nonprocedural specifications.
QUANTITATIVE IMPACT
Software may contain
unknown vulnerabilities
and sleeper code that
compromise operations.
Mathematical Foundations developed at IBM
SEI/CMU developed Function Extraction (FX)
ORNL developing 2nd Gen FX on HPC
• Computed behavior can be compared to
semantic signatures of vulnerabilities and
malicious operations.
GOAL
NEW INSIGHTS
STATUS QUO
Hyperion Protocol
Determination of
vulnerabilities and
malicious content
can be carried out at
machine speeds.
Validation. Software
can be analyzed for
intended functionality.
Readiness. Software
can be analyzed for
malicious content.
System for computing
behavior of binaries to
identify vulnerabilities
sleeper codes and
malware.
Function and security analysis of compiled binaries through behavior computation

20. Oak Ridge Cyber Analytics: Detecting
Zero Day Attacks
DoD Warfighter Challenge evaluation of ORNL’s ORCA:
•
•
•
Supervised Learner (Tweaked AdaBoost):
• Detected 94% of attacks using machine learning methods
• False positive rate is only 1.8%
Semi-supervised Learner (Linear Laplacian RLS):
• Detected 60% of attacks using machine learning methods
• No false positives
Detecting both previously seen and never before seen attacks.
Approach:
• Generalize computer communication behaviors
using machine learning models.
• Classify incoming network data in real-time.
• Complement signature-based sensor arrays to
focus on attack variants.
Advantages:
• No signatures – trains on examples of attacks
• Detects attacks missed by the most advanced
OTS intrusion detectors.
• Detect zero day attacks that are variants of
existing attack vectors.

21. Moving Ahead
•
•
•
•
•
•
•
Increased national focus on cyber security
Cyber law enforcement capabilities growing – “who”
Digital forensics are improving -- “how”
Information Sharing and Analysis Centers (ISACs) – “what”
Maturing education and training for the professionals
Better education for “the masses”
Rapidly evolving R&D breakthroughs
The Human is still the weakest element in the cyber domain

22. Questions?
rainesra@ornl.gov