
Research Advancements Towards Protecting Critical Assets


Presentation Transcript


  1. Research Advancements Towards Protecting Critical Assets
  Dr. Richard “Rick” Raines, Cyber Portfolio Manager, Oak Ridge National Laboratory, 15 July 2013

  2. The Cyber Defense? (The Economist, May 9, 2009)

  3. The Threat Landscape
  Sectors shown: Financial, Electric Power, Emergency, Transportation, Oil & Gas, Water, Communications
  • National intellectual property is being stolen at alarming rates
  • National assets are vulnerable to attack and exploitation
  • Personally Identifiable Information at risk
  • Competing and difficult national priorities for resources
  The landscape is continually changing

  4. Understanding the Challenges
  • Dynamic environment with a constant churn
  • A domain of operations: “within” and “through”
  • Anytime, anywhere access to data and information
  • Policy and statutory lanes emerging
  • Agile adversaries
    • Cyber and cyber-physical
    • Overt and covert attacks/exploits
  • Data continues to grow
    • Sensor feeds yield terabytes of raw data
    • Analyst burdens continue to grow
  We continue to play catch up

  5. Who Are the Threat Actors?
  • Unintended threat actors: can be just about anyone
    • Target-rich environment: people, processes, machines
  • Personal-gain threat actors: individual and organized crime
    • Insiders?
  • Ideological threat actors
    • Hacktivists, extremists and terrorists
  • Nation-state threat actors
    • Intelligence gathering, military actions
  Examples: #OpUSA (7 May 13), #OpNorthKorea (25 Jun 13)
  The sophistication of the actors continues to increase

  6. Who “Really” Are the Threat Actors?
  • Over 90% of threat actors are external to an organization
  • 55% of the actors associated with organized crime
    • Predominantly in U.S. and Eastern Europe
  • ~20% of actors associated with nation-state operations
    • Over 90% attributable to China
  • Internal actors: large percentage of events tied to unintentional misconfigurations
  Source: www.verizonenterprise.com/DBIR/2013
  But, sophistication not always needed...

  7. The Targets
  • 37% of incidents affected financial organizations
    • Organized crime: virtual and physical methods
    • Since 9/2012, 46 U.S. institutions in over 200 separate intrusions (FBI)
  • 24% targeted individuals in retail environments
    • 40% of data thefts attributed to employees in the direct payment chain
    • Waiters, cashiers, bank tellers: “skimmers” and like devices
  • Organizations will always be targets for who they are and what they do
  Source: www.verizonenterprise.com/DBIR/2013
  Actors will continue to look for the “low hanging fruit”

  8. Understanding Your Mission
  • What does cyber situational awareness really mean?
    • User-defined
    • Real-time awareness of mission health
    • Highly relevant information to the decision-maker
  • What are the “crown jewels” in your mission space?
    • The critical components that you can’t operate without
    • Understanding the interdependencies
  • What are the capabilities needed for success?
    • Revolutionary advances rather than evolutionary progress
    • The right talent, and enough of it, to ensure success
    • Partnerships are critical
  Mission Assurance = Operational Success

  9. Long Term Grand Challenges

  10. Cyber R&D Challenges: Operate Through an Outage/Attack
  • Identify mission-critical capabilities
  • Assess complex attack planning problem
  • Design defense in depth
  • Detect/block attacks
  • Discover/mitigate attacks
  • Enable graceful degradation of resilient (self-healing) systems
  System-of-systems approach to ensure continuity of operations (COOP)

  11. Cyber R&D Challenges: Predictive Awareness
  • Near-real-time situational awareness of the battlespace
  • Automated/user-defined view
  • Network mapping
  • Predictive/self-healing systems
  • Anticipate failure or attack and react automatically
  Mission-critical systems available and functional to operate through

  12. Cyber R&D Challenges: Security in the Cloud
  • Approach: wholly owned / cloud service / public internet
  • Variety of security structures
  • Masking deception
  • Continuous maneuver
  • Graceful degradation of resilient (self-healing) systems
  • Complex attack planning problem
  Visibility of data and computations without access to specific problem

  13. Cyber R&D Challenges: Self-Protective Data/Software
  • Resilient data (at rest and in motion)
  • Protocols: secure, resilient, active
  • Trustworthy computing
  • High-user-confidence checksum
  • Hardware-backed trust
  • Graceful degradation of mission-critical data to “last known good”
  High user confidence in data and software

  14. Cyber R&D Challenges: Security of Mobile Devices
  • Power and performance issues addressed
  • Classified/UNCLAS encryption
  • Self-healing
  • Data validated
  • Leakage/transfer contained
  • Biometric security features
  • Hardware root of trust
  Bring your own device (disaster?)

  15. ORNL Cyber Research Strengths
  Computational cybersecurity
  • Mathematical rigor
  • Computationally intensive methods
  • At scale, near real time
  • Observation-based generative models
  • Control of false positives/negatives
  • Modeling of adversaries
  Science-based security
  • Statistics vs metrics
  • Repeatability and reproducibility
  • Trend observation and identification
  Nonclassical light sources
  • Photon pair and continuous variable entanglement
  • Comprehensive source design and simulation
  Data management
  • Online, near-real-time methods
  • Graph modeling/retrieval
  • Distributed storage and analysis methods
  Quantum simulation
  • High-performance computing resources
  • Putting quantum and computing together
  Information visualization
  • Geospatial and temporal display methods
  • Multiple, coordinated visualizations
  • User-centered design and user testing
  Application-oriented research
  • From first principles to real solutions
  • Quantum for computing, communication, sensing, and security
  Analytics
  • Probabilistic modeling
  • Social network analysis
  • Relational learning
  • Heterogeneous data analysis
  Other themes on the slide: Evidence-based action; Protection and control

  16. ORNL Control Systems Security Research Strengths
  Computational cybersecurity
  • Vulnerability assessments
  • Mathematical rigor
  • Computationally intensive methods
  • At scale, near real time
  • Observation-based generative models
  • Control of false positives/negatives
  • Modeling of adversaries
  Real-time monitoring
  • Time-synchronized data
  • Fault disturbance recorders, PMUs
  • Voltage, frequency, phase 3, current
  Standards development
  • Industry guidelines
  • Interoperability
  Data management
  • Online, near-real-time methods
  • Graph modeling/retrieval
  • Distributed storage and analysis methods
  Resilient control systems
  • Physics-based protection schemes
  • Cyber-physical interface
  Information visualization
  • Geospatial and temporal display methods
  • Multiple, coordinated visualizations
  • User-centered design and user testing
  Advanced components
  • Fault current limiters
  • Saturable reactors
  • Power electronics
  Analytics
  • Probabilistic modeling
  • Social network analysis
  • Relational learning
  • Heterogeneous data analysis
  Other themes on the slide: Evidence-based action; Detection, control and wide-area visualization

  17. VERDE: Visualizing Energy Resources Dynamically on Earth
  • Monitoring capability
    • Situational awareness of subset of transmission lines (above 65 kV)
    • Situational awareness of distribution outages (status of approximately 100 million power customers)
    • Social-media feeds ingest
    • Real-time weather overlays
  • Modeling and analysis
    • Predictive and post-event impact modeling and contingency simulation
    • Automatic forecasts of power recovery
    • Energy interdependency modeling
    • Mobile application
    • Cyber dependency
  Panels shown: Wide-Area Power Grid Situational Awareness; Impact Models and Data Analysis; Distribution Outages Analysis

  18. Hyperion Protocol
  Lineage: mathematical foundations developed at IBM; SEI/CMU developed Function Extraction (FX); ORNL developing 2nd-generation FX on HPC
  Software may contain unknown vulnerabilities and sleeper code that compromise operations.
  • Validation: software can be analyzed for intended functionality.
  • Readiness: software can be analyzed for malicious content.
  • Determination of vulnerabilities and malicious content can be carried out at machine speeds.
  HOW IT WORKS:
  • Hyperion Protocol technology computes the behavior of compiled binaries.
  • Structure theorem shows how to transform code into standard control structures with no arbitrary branching.
  • Correctness theorem shows how to express behavior of control structures as non-procedural specifications.
  • Computed behavior can be compared to semantic signatures of vulnerabilities and malicious operations.
  STATUS QUO: Current technology provides no practical means to validate the full behavior of software.
  QUANTITATIVE IMPACT: Instruction semantics can be mathematically combined to compute the functional effect of programs. Program instructions implement functional semantics that can be precisely defined.
  NEW INSIGHTS: System for computing behavior of binaries to identify vulnerabilities, sleeper codes and malware.
  GOAL: Function and security analysis of compiled binaries through behavior computation
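The behavior-computation idea on this slide, shown with an added toy example that is not Hyperion, FX or ORNL code: the semantics of each instruction in a constructed three-register, 32-bit ISA are composed into one closed-form affine function of the initial state, and that function, rather than the instruction text, is compared against a semantic signature, so a rewritten sequence that computes the same effect still matches. The ISA subset, the programs and the signature are all assumptions made for this example.

```python
"""Toy behavior computation (constructed example): compose the semantics of each
instruction of a tiny 32-bit, three-register ISA into one closed-form affine
function of the initial state, then match it against a semantic signature."""
from collections import Counter
MASK = 0xFFFFFFFF                 # 32-bit machine words wrap modulo 2**32
REGS = ("eax", "ebx", "ecx")

def norm(form):
    """Canonical affine form {symbol: coef mod 2**32}; symbols are eax0/ebx0/ecx0 and '1'."""
    return Counter({k: c & MASK for k, c in form.items() if c & MASK})

def add_forms(a, b, sign=1):
    """Return a + sign*b as a normalised affine form."""
    out = Counter(a)
    for k, c in b.items():
        out[k] += sign * c
    return norm(out)

def compute_behavior(program):
    """Symbolically execute straight-line code (the loop-free case of behavior
    computation); return (final register forms, leftover stack depth)."""
    state = {r: Counter({r + "0": 1}) for r in REGS}
    stack = []
    def val(op):                  # operand: register name or immediate
        return state[op] if op in state else Counter({"1": int(op)})
    for mn, *ops in program:
        if mn == "mov":    state[ops[0]] = Counter(val(ops[1]))
        elif mn == "add":  state[ops[0]] = add_forms(state[ops[0]], val(ops[1]))
        elif mn == "sub":  state[ops[0]] = add_forms(state[ops[0]], val(ops[1]), -1)
        elif mn == "neg":  state[ops[0]] = add_forms(Counter(), state[ops[0]], -1)
        elif mn == "push": stack.append(Counter(val(ops[0])))
        elif mn == "pop":  state[ops[0]] = stack.pop()
        else: raise ValueError("unsupported instruction: " + mn)
    return {r: norm(v) for r, v in state.items()}, len(stack)

def semantic_match(program, signature):
    """Match on computed behavior: every constrained register equals the
    signature's affine form and the stack is left balanced."""
    behavior, depth = compute_behavior(program)
    return depth == 0 and all(behavior[r] == norm(f) for r, f in signature.items())

def mnemonic_match(program, pattern):
    """Syntactic signature, for contrast: the exact instruction appears in the listing."""
    return pattern in program
# Semantic signature: eax <- eax0 + ebx0 with ebx and ecx unchanged.
SIG_SUM = {"eax": {"eax0": 1, "ebx0": 1}, "ebx": {"ebx0": 1}, "ecx": {"ecx0": 1}}
DIRECT = [("add", "eax", "ebx")]
# Same function, written so that no single instruction reads 'add eax, ebx'.
OBFUSCATED = [("push", "ecx"), ("mov", "ecx", "ebx"), ("neg", "ecx"),
              ("sub", "eax", "ecx"), ("pop", "ecx")]
OFF_BY_ONE = [("add", "eax", "ebx"), ("add", "eax", "1")]   # computes eax0 + ebx0 + 1
```

Only DIRECT contains the literal instruction, but both DIRECT and OBFUSCATED match SIG_SUM semantically, while OFF_BY_ONE, which differs by a constant, does not.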

  19. Oak Ridge Cyber Analytics: Detecting Zero-Day Attacks
  • DoD Warfighter Challenge evaluation of ORNL’s ORCA:
    • Supervised learner (tweaked AdaBoost):
      • Detected 94% of attacks using machine learning methods
      • False positive rate is only 1.8%
    • Semi-supervised learner (Linear Laplacian RLS):
      • Detected 60% of attacks using machine learning methods
      • No false positives
    • Detecting both previously seen and never-before-seen attacks
  • Approach:
    • Generalize computer communication behaviors using machine learning models
    • Classify incoming network data in real time
    • Complement signature-based sensor arrays to focus on attack variants
  • Advantages:
    • No signatures: trains on examples of attacks
    • Detects attacks missed by the most advanced OTS intrusion detectors
    • Detects zero-day attacks that are variants of existing attack vectors

  20. Moving Ahead
  • Increased national focus on cyber security
  • Cyber law enforcement capabilities growing: “who”
  • Digital forensics are improving: “how”
  • Information Sharing and Analysis Centers (ISACs): “what”
  • Maturing education and training for the professionals
  • Better education for “the masses”
  • Rapidly evolving R&D breakthroughs
  The human is still the weakest element in the cyber domain

  21. Questions? rainesra@ornl.gov
