SYSTEMS SECURITY ENGINEERING
Mission Statement Integrating Security into Every Solution We Deliver Reducing Risk and Providing Fully Reliable and Trusted Solutions Utilizing Best Practices and Rigorous Processes LM Employs a System Security Engineering Process that employs, Cyber security/ia, Anti-Tamper and Secure Supply Chain Integrated. Proactive. Resilient. 2014 Lockheed Martin Corporation 2
Why SSE? Our customers demand secure solutions Our main areas of focus are in defense, space, intelligence, homeland security, and information technology, including cyber security Aeronautics Information Systems & Global Solutions Missiles & Fire Control Mission Systems & Training Space Systems We Never Forgot Who We Are Working For And Neither Do Our Adversaries 2014 Lockheed Martin Corporation 3
Anti-Tamper (Hardware Security) Cyber Security/Information Assurance Secure Supply Chain Secure Processing Privacy Advanced Research Security is an Enterprise-Wide Concern Lockheed Martin System Security Engineering Systems security engineering is comprised of the following sub disciplines: Operations Security Information Security Network Security Physical Security Personnel Security Administrative Security Communications Security Emanation Security Computer Security ISO/IEC 21827 LM has developed a strong, multi-disciplinary approach 2014 Lockheed Martin Corporation 4
Lockheed Martin Strategy System Security Engineering Anti-Tamper (Hardware Security) Information Assurance / Cyber Security Secure Supply Chain Secure Processing Privacy Advanced Research LM Strategy Next Gen Product Base DoD Funding (CRAD / Program) LM Investment (IRAD/ Other Funding) 2014 Lockheed Martin Corporation 5
LM SSE Timeline 2011 Establish SSE IPT for collaboration 2013 Identify technology that needs to be developed 2013 Implement SSE process across programs & captures 2014 Invest in developing the key technology and leverage into DoD Lab CRAD wins 2010 Reduce stove-pipe approach to solving System Security 2012 Create Process that can be used across the corporation 2014+ Leverage CRAD wins into LM s Product Base Enterprise-Wide 2014 Lockheed Martin Corporation 6
Security Development Challenges Understaffed Unclear whose job security is Lack of domain expertise Lack of training & outdated training Heavyweight development approaches Buried in regulations & process compliance Outdated security practices Complexity of large system designs Lack of information sharing No situational awareness Lack of internal & external collaboration No lessons learned Challenge keeping up with new & changing technology Stove piped solutions Time to market 2014 Lockheed Martin Corporation 7 Lockheed Martin Corporation 2012
Security Engineering Procedure LM has implemented a Security Engineering Procedure for use across all lines of business Identifies the security engineering activities, milestones, and work products performed and created throughout the engineering lifecycle from concept to retirement Illustrates how security engineering work products integrate into systems engineering deliverables throughout the engineering lifecycle 2014 Lockheed Martin Corporation 8
Security Engineering Activities & Products throughout the Life Cycle Security Needs Assessment Security Cost Estimates Security RFI Security Technical Solution Security & Privacy Risk Analysis Proposal Security & Privacy Requirements System Security Policy Security Test Cases Security RTVM Requirements Secure Builds & Configuration Static Analysis Security Test Planning Development Approved Security Baseline Sustainment Incident Response Plan Deployment Security Retirement and Transition Plan Safeguard of System Data Retirement Planning Security Operational Concept Security Plan Secure Coding Standards Threat & Vulnerability Analysis C&A Planning POA&M Contingency and DR Planning Design Secure Component Design Secure System Design Attack Surface Analysis/Reduction Test Functional System Security Testing Dynamic Analysis Specialty Security Testing Attack Surface Review Security Test Results & Discrepancy Mitigation SRA Report C&A Package O&M Control Monitoring Secure Upgrades Security Metrics & Reporting Security Reviews, Testing & Scans Contingency & DR Incident Response Security Policy & Plan C&A SATE 2014 Lockheed Martin Corporation 9
Integration of SSE process into other domain s processes for success Business Development /Capture Process RS-BDEV-0009 Program Management Process PM-001-1 SSE Process S-ENGP-0668 Proposal/Program Review Process (PPRP) representatives Risk Review Board 2014 Lockheed Martin Corporation 10
A model created to SEAM together people, process and tools across a system life cycle/organization to reduce cyber security risk to system/program Security Engineering best practices, processes, standards, and checklists/tools Integrates security throughout a systems life cycle Develops a culture of security responsibility within all program and engineering disciplines Rooted in community- and corporaterecognized standards and industry best practices Agile and constantly evolving process to respond to dynamic cyber-threat environment Constant feedback loop where operations provides information back into development as new threats are identified Policy RS-ENGP-0044, System Security Procedure SAT for PPRs & Tech Reviews S-ENGP-0668, Security Engineering Standards Secure Application Development Security Risk Assessment Threat Modeling Security Testing Checklists Checklist Checklist Checklist Checklist SEAM breaks down the Security Engineering policy & procedure into standards and checklists applicable to all program staff (eg. Business development, Program managers, Capture managers, software developers, system engineers) 2014 Lockheed Martin Corporation 11
Security Engineering Domain Advocates CIS SPACE AERO SECURITY ENGINEERING IPT ATL MST IS&GS MFC Security Engineering IPT in place to foster communication & collaboration across all business areas security focused SMEs IPT used to develop, review and communicate system security engineering efforts (eg. Security procedure, standards, SEAM tools) Various eforums, portals and groups for outreach LM Security Engineering Community of Practice Info-Assurance eforum Cyber Fellows Action Team(FACT) eforum AT COE Secure SW Engineering eforum Info System Security WG 2014 Lockheed Martin Corporation 12
What Can NDIA Do? Help Develop Risked-Based Candidate Measures Include leading indicators to help proactive insight Can be tailored for each program (case-by-case) Focus on specific program vulnerabilities Span the types of issues Build on previous measurement efforts (NIST, PSM, INCOSE, NDIA) Work with other industry associations (e.g., INCOSE) to integrate SSE into SE guidance and standards Work with SERC and others on research and pilots, providing industry insight and experience Work with DoD to help with Intelligence awareness of emerging threats Continue to reduce compartmentalization across activities, when appropriate 2014 Lockheed Martin Corporation
Describe what you think SSE needs to be in 5 years It needs to be a more Proactive organization with more agility. Recognized rigorous scientific discipline and supported as such Standard set of base requirements with advanced features implemented/tailorable on a program by program basis. Security Measurement framework developed to inform security engineering and risk management processes Actionable Threat model for risk management & sec engr Must be able to communicate, translate and integrate security engineering to non-technical workforce as well program managers, business development, etc. Foster a security mindset across all disciplines 2014 Lockheed Martin Corporation
Lockheed Martin is Proactive and Mission-Focused with Security Engineering LOCKHEED MARTIN and the STAR DESIGN are either registered marks in the U.S. Patent and Trademark Office and/or other countries throughout the world, or are trademarks and service marks of Lockheed Martin Corporation in the U.S. and/or other countries. All rights reserved. 2014 Lockheed Martin Corporation VF01493_05-07-2014
Definitions Systems Security Engineering Systems Security Engineering is a specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and cybersecurity/information assurance principles to deliver trustworthy security solutions that satisfy stakeholder requirements. Anti-Tamper Systems Engineering Activity intended to impede countermeasure development, unintended technology transfer, or alteration of a system Information Assurance / Cyber Security The measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Supply Chain Risk Management The implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity Secure Processing Design of components that grant a secure environment for processing of information Privacy Appropriate management (data protection) & use of personal information under the circumstances Advanced Research Development of Next Generation Solutions 2014 Lockheed Martin Corporation 16
Security Engineering CoP Portal 2014 Lockheed Martin Corporation 17