Systems Security Engineering

Home , Security engineering

SYSTEMS SECURITY ENGINEERING Mission Statement • Integrating Security into Every Solution We Deliver – Reducing Risk and Providing Fully Reliable and Trusted Solutions • Utilizing Best Practices and Rigorous Processes – LM Employs a System Security Engineering Process that employs, Cyber security/IA, Anti-Tamper and Secure Supply Chain

Integrated. Proactive. Resilient.

Our main areas of focus are in defense, space, intelligence, homeland security, and information technology, including cyber security

Information Systems & Missiles & Mission Systems Aeronautics Space Systems Global Solutions Fire Control & Training

We Never Forgot Who We Are Working For… And Neither Do Our Adversaries

Systems security engineering is comprised of the following Lockheed Martin sub disciplines: System Security Engineering • Operations Security

• Information Security

• Network Security

• Physical Security

• Personnel Security

• Administrative Security

Tamper Tamper -

Cyber Cyber • Communications Security

Privacy Assurance

Anti • Emanation Security

Secure Processing Secure • Computer Security

Advanced Research Advanced

(Hardware Security) (Hardware Secure Supply Chain Supply Secure Security/Information Security/Information • ISO/IEC 21827

LM has developed a strong, multi-disciplinary approach

LM Strategy System Security Engineering

Anti-Tamper (Hardware Security) Next Gen Information Assurance / Product Base Cyber Security Secure Supply Chain Secure Processing DoD Funding (CRAD / Privacy Program) Advanced Research

LM Investment (IRAD/ Other Funding)

2013 Identify technology that needs to be developed 2011 2013 Establish SSE Implement SSE process across programs & IPT for captures collaboration 2014 Invest in developing the key technology and leverage into DoD Lab CRAD wins

2010 2012 2014+ Reduce stove-pipe Leverage CRAD wins into Create Process that can be approach to solving LM’s Product Base used across the System Security Enterprise-Wide corporation

• Understaffed • Heavyweight development • Unclear whose job security is approaches • Lack of domain expertise • Buried in regulations & process compliance • Lack of training & outdated training • Outdated security practices • Complexity of large system designs

• Lack of information sharing • Challenge keeping up with • No situational awareness new & changing technology • Lack of internal & external • Stove piped solutions collaboration • Time to market • No lessons learned

LM has implemented a Security Engineering Procedure for use across all lines of business

• Identifies the security engineering activities, milestones, and work products performed and created throughout the engineering lifecycle from concept to retirement • Illustrates how security engineering work products integrate into systems engineering deliverables throughout the engineering lifecycle © 2014 Lockheed Martin Corporation 8 Security Engineering Activities & Products throughout the Life Cycle

Security Needs Assessment Security Cost Security & Privacy Estimates Requirements Security RFI System Security Secure Builds & Security Retirement Policy Security Technical Configuration Approved Security and Transition Plan Solution Security Test Baseline Sustainment Safeguard of Static Analysis Incident Response Security & Privacy Cases System Data Plan Risk Analysis Security RTVM Security Test Planning Proposal Requirements Development Deployment Retirement

Planning Design Test O&M Security Operational Secure Functional System Security Control Monitoring Concept Component Design Testing Secure Upgrades Security Plan Secure System Design Dynamic Analysis Security Metrics & Specialty Security Testing Secure Coding Attack Surface Reporting Security Reviews, Standards Analysis/Reduction Attack Surface Review Testing & Scans Threat & Vulnerability Contingency & DR Analysis Security Test Results & Incident Response C&A Planning Discrepancy Mitigation Security Policy & Plan SRA Report POA&M C&A C&A Package SATE Contingency and DR Planning © 2014 Lockheed Martin Corporation 9 Integration of SSE process into other domain’s processes for success

Business Development /Capture Process RS-BDEV-0009

Program Management Process PM-001-1

SSE Process S-ENGP-0668 Proposal/Program Review Process (PPRP) representatives – Risk Review Board

© 2014 Lockheed Martin Corporation 10 A model created to “SEAM” together people, process and tools across a system life cycle/organization to reduce cyber security risk to system/program • Security Engineering best practices, Policy Procedure Standards Checklists processes, standards, and checklists/tools

Secure Application • Integrates security throughout a systems life Development Checklist SAT for PPRs & cycle Tech Reviews RS-ENGP-0044, Security Risk • Develops a culture of security responsibility System Security Assessment Checklist S-ENGP-0668, within all program and engineering Security Engineering disciplines Threat Modeling Checklist • Rooted in community- and corporate- recognized standards and industry best Security Testing Checklist practices • Agile and constantly evolving process to .SEAM breaks down the Security Engineering respond to dynamic cyber-threat policy & procedure into standards and checklists environment applicable to all program staff (eg. Business • Constant feedback loop where operations development, Program managers, Capture provides information back into development managers, software developers, system as new threats are identified engineers)

© 2014 Lockheed Martin Corporation 11 Security Engineering Domain Advocates • Security Engineering IPT in place to foster communication & collaboration across all business areas security AERO focused SMEs • IPT used to develop, review and CIS IS&GS communicate system security engineering efforts (eg. Security SECURITY procedure, standards, SEAM tools)

ENGINEERING

SPACE IPT MFC • Various eForums, portals and groups for outreach • LM Security Engineering Community of Practice ATL MST • Info-Assurance eForum • Cyber Fellows Action Team(FACT) eForum • AT COE • Secure SW Engineering eForum • Info System Security WG

© 2014 Lockheed Martin Corporation 12 What Can NDIA Do? • Help Develop Risked-Based Candidate Measures – Include leading indicators to help proactive insight – Can be tailored for each program (case-by-case) – Focus on specific program vulnerabilities – Span the types of issues – Build on previous measurement efforts (NIST, PSM, INCOSE, NDIA) • Work with other industry associations (e.g., INCOSE) to integrate SSE into SE guidance and standards • Work with SERC and others on research and pilots, providing industry insight and experience • Work with DoD to help with Intelligence awareness of emerging threats • Continue to reduce compartmentalization across activities, when appropriate

© 2014 Lockheed Martin Corporation Describe what you think SSE needs to be in 5 years • It needs to be a more Proactive organization with more agility. • Recognized rigorous scientific discipline and supported as such • Standard set of base requirements with advanced features implemented/tailorable on a program by program basis. • Security Measurement framework developed to inform security engineering and risk management processes • Actionable Threat model for risk management & sec engr • Must be able to communicate, translate and integrate security engineering to non-technical workforce as well – program managers, business development, etc. • Foster a security mindset across all disciplines

LOCKHEED MARTIN and the STAR DESIGN are either registered marks in the U.S. Patent and Trademark Office and/or other countries throughout the world, or are trademarks and service marks of Lockheed Martin Corporation in the U.S. and/or other countries. All rights reserved.

• Systems Security Engineering – Systems Security Engineering is a specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and cybersecurity/information assurance principles to deliver trustworthy security solutions that satisfy stakeholder requirements. • Anti-Tamper – Systems Engineering Activity intended to impede countermeasure development, unintended technology transfer, or alteration of a system • Information Assurance / Cyber Security – The measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. • Supply Chain Risk Management – The implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity • Secure Processing – Design of components that grant a secure environment for processing of information • Privacy – Appropriate management (data protection) & use of personal information under the circumstances • Advanced Research • Development of Next Generation Solutions