SYSTEMS SECURITY ENGINEERING Mission Statement • Integrating Security into Every Solution We Deliver – Reducing Risk and Providing Fully Reliable and Trusted Solutions • Utilizing Best Practices and Rigorous Processes – LM Employs a System Security Engineering Process that employs, Cyber security/IA, Anti-Tamper and Secure Supply Chain
Integrated. Proactive. Resilient.
© 2014 Lockheed Martin Corporation 2 Why SSE? Our customers demand secure solutions
Our main areas of focus are in defense, space, intelligence, homeland security, and information technology, including cyber security
Information Systems & Missiles & Mission Systems Aeronautics Space Systems Global Solutions Fire Control & Training
We Never Forgot Who We Are Working For… And Neither Do Our Adversaries
© 2014 Lockheed Martin Corporation 3 Security is an Enterprise-Wide Concern
Systems security engineering is comprised of the following Lockheed Martin sub disciplines: System Security Engineering • Operations Security
• Network Security
• Personnel Security
• Administrative Security
Tamper Tamper -
Cyber Cyber • Communications Security
Privacy Assurance
Anti • Emanation Security
Secure Processing Secure • Computer Security
Advanced Research Advanced
(Hardware Security) (Hardware Secure Supply Chain Supply Secure Security/Information Security/Information • ISO/IEC 21827
LM has developed a strong, multi-disciplinary approach
© 2014 Lockheed Martin Corporation 4 Lockheed Martin Strategy
LM Strategy System Security Engineering
Anti-Tamper (Hardware Security) Next Gen Information Assurance / Product Base Cyber Security Secure Supply Chain Secure Processing DoD Funding (CRAD / Privacy Program) Advanced Research
LM Investment (IRAD/ Other Funding)
© 2014 Lockheed Martin Corporation 5 LM SSE Timeline
2013 Identify technology that needs to be developed 2011 2013 Establish SSE Implement SSE process across programs & IPT for captures collaboration 2014 Invest in developing the key technology and leverage into DoD Lab CRAD wins
2010 2012 2014+ Reduce stove-pipe Leverage CRAD wins into Create Process that can be approach to solving LM’s Product Base used across the System Security Enterprise-Wide corporation
© 2014 Lockheed Martin Corporation 6 Security Development Challenges
• Understaffed • Heavyweight development • Unclear whose job security is approaches • Lack of domain expertise • Buried in regulations & process compliance • Lack of training & outdated training • Outdated security practices • Complexity of large system designs
• Lack of information sharing • Challenge keeping up with • No situational awareness new & changing technology • Lack of internal & external • Stove piped solutions collaboration • Time to market • No lessons learned
© 2014 Lockheed Martin Corporation 7 © Lockheed Martin Corporation 2012 Security Engineering Procedure
LM has implemented a Security Engineering Procedure for use across all lines of business
• Identifies the security engineering activities, milestones, and work products performed and created throughout the engineering lifecycle from concept to retirement • Illustrates how security engineering work products integrate into systems engineering deliverables throughout the engineering lifecycle © 2014 Lockheed Martin Corporation 8 Security Engineering Activities & Products throughout the Life Cycle
Security Needs Assessment Security Cost Security & Privacy Estimates Requirements Security RFI System Security Secure Builds & Security Retirement Policy Security Technical Configuration Approved Security and Transition Plan Solution Security Test Baseline Sustainment Safeguard of Static Analysis Incident Response Security & Privacy Cases System Data Plan Risk Analysis Security RTVM Security Test Planning Proposal Requirements Development Deployment Retirement
Planning Design Test O&M Security Operational Secure Functional System Security Control Monitoring Concept Component Design Testing Secure Upgrades Security Plan Secure System Design Dynamic Analysis Security Metrics & Specialty Security Testing Secure Coding Attack Surface Reporting Security Reviews, Standards Analysis/Reduction Attack Surface Review Testing & Scans Threat & Vulnerability Contingency & DR Analysis Security Test Results & Incident Response C&A Planning Discrepancy Mitigation Security Policy & Plan SRA Report POA&M C&A C&A Package SATE Contingency and DR Planning © 2014 Lockheed Martin Corporation 9 Integration of SSE process into other domain’s processes for success
Business Development /Capture Process RS-BDEV-0009
Program Management Process PM-001-1
SSE Process S-ENGP-0668 Proposal/Program Review Process (PPRP) representatives – Risk Review Board
© 2014 Lockheed Martin Corporation 10 A model created to “SEAM” together people, process and tools across a system life cycle/organization to reduce cyber security risk to system/program • Security Engineering best practices, Policy Procedure Standards Checklists processes, standards, and checklists/tools
Secure Application • Integrates security throughout a systems life Development Checklist SAT for PPRs & cycle Tech Reviews RS-ENGP-0044, Security Risk • Develops a culture of security responsibility System Security Assessment Checklist S-ENGP-0668, within all program and engineering Security Engineering disciplines Threat Modeling Checklist • Rooted in community- and corporate- recognized standards and industry best Security Testing Checklist practices • Agile and constantly evolving process to .SEAM breaks down the Security Engineering respond to dynamic cyber-threat policy & procedure into standards and checklists environment applicable to all program staff (eg. Business • Constant feedback loop where operations development, Program managers, Capture provides information back into development managers, software developers, system as new threats are identified engineers)
© 2014 Lockheed Martin Corporation 11 Security Engineering Domain Advocates • Security Engineering IPT in place to foster communication & collaboration across all business areas security AERO focused SMEs • IPT used to develop, review and CIS IS&GS communicate system security engineering efforts (eg. Security SECURITY procedure, standards, SEAM tools)
ENGINEERING
SPACE IPT MFC • Various eForums, portals and groups for outreach • LM Security Engineering Community of Practice ATL MST • Info-Assurance eForum • Cyber Fellows Action Team(FACT) eForum • AT COE • Secure SW Engineering eForum • Info System Security WG
© 2014 Lockheed Martin Corporation 12 What Can NDIA Do? • Help Develop Risked-Based Candidate Measures – Include leading indicators to help proactive insight – Can be tailored for each program (case-by-case) – Focus on specific program vulnerabilities – Span the types of issues – Build on previous measurement efforts (NIST, PSM, INCOSE, NDIA) • Work with other industry associations (e.g., INCOSE) to integrate SSE into SE guidance and standards • Work with SERC and others on research and pilots, providing industry insight and experience • Work with DoD to help with Intelligence awareness of emerging threats • Continue to reduce compartmentalization across activities, when appropriate
© 2014 Lockheed Martin Corporation Describe what you think SSE needs to be in 5 years • It needs to be a more Proactive organization with more agility. • Recognized rigorous scientific discipline and supported as such • Standard set of base requirements with advanced features implemented/tailorable on a program by program basis. • Security Measurement framework developed to inform security engineering and risk management processes • Actionable Threat model for risk management & sec engr • Must be able to communicate, translate and integrate security engineering to non-technical workforce as well – program managers, business development, etc. • Foster a security mindset across all disciplines
© 2014 Lockheed Martin Corporation . Lockheed Martin is Proactive and Mission-Focused with Security Engineering
LOCKHEED MARTIN and the STAR DESIGN are either registered marks in the U.S. Patent and Trademark Office and/or other countries throughout the world, or are trademarks and service marks of Lockheed Martin Corporation in the U.S. and/or other countries. All rights reserved.
© 2014 Lockheed Martin Corporation VF01493_05-07-2014 Definitions
• Systems Security Engineering – Systems Security Engineering is a specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and cybersecurity/information assurance principles to deliver trustworthy security solutions that satisfy stakeholder requirements. • Anti-Tamper – Systems Engineering Activity intended to impede countermeasure development, unintended technology transfer, or alteration of a system • Information Assurance / Cyber Security – The measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. • Supply Chain Risk Management – The implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity • Secure Processing – Design of components that grant a secure environment for processing of information • Privacy – Appropriate management (data protection) & use of personal information under the circumstances • Advanced Research • Development of Next Generation Solutions
© 2014 Lockheed Martin Corporation 16 Security Engineering CoP Portal
© 2014 Lockheed Martin Corporation 17