• No results found

SYSTEMS SECURITY ENGINEERING

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "SYSTEMS SECURITY ENGINEERING"

Copied!
17
0
0

Loading.... (view fulltext now)

Download now ( 17 Page )

Full text

(1)
(2)

Mission Statement

Integrating Security into Every Solution We

Deliver

– Reducing Risk and Providing Fully Reliable and

Trusted Solutions

Utilizing Best Practices and Rigorous Processes

– LM Employs a System Security Engineering Process

that employs, Cyber security/IA, Anti-Tamper and

Secure Supply Chain

2

Integrated. Proactive. Resilient.

© 2014 Lockheed Martin Corporation

(3)

Space Systems Aeronautics Information Systems &

Global Solutions

Missiles & Fire Control

Mission Systems & Training

We Never Forgot Who We Are Working For… And Neither Do Our Adversaries

Our main areas of focus are in defense, space, intelligence, homeland

security, and information technology, including cyber security

3

Why SSE? Our customers demand secure solutions

(4)

Security is an Enterprise-Wide Concern

Systems security engineering

is comprised of the following

sub disciplines:

Operations Security

Information Security

Network Security

Physical Security

Personnel Security

Administrative Security

Communications Security

Emanation Security

Computer Security

ISO/IEC 21827

4

An

ti

-T

amper

(Har

dw

ar

e

Sec

uri

ty)

Se

cur

e

Pr

oc

es

sing

Ad

vanced

R

es

ea

rch

Lockheed Martin

System Security Engineering

Cyber

Se

curit

y/In

form

ati

on

Assur

ance

Se

cur

e

Supp

ly Chain

Priv

ac

y

LM has developed a strong, multi-disciplinary approach

(5)

Anti-Tamper (Hardware Security)

System Security Engineering

Secure Processing

Advanced Research

Information Assurance /

Cyber Security

LM Strategy

LM Investment (IRAD/ Other

Funding)

DoD Funding (CRAD /

Program)

Next Gen

Product Base

Secure Supply Chain

Privacy

Lockheed Martin Strategy

(6)

LM SSE Timeline

2014+

Leverage CRAD wins into

LM’s Product Base

Enterprise-Wide

2014

Invest in developing the key

technology and leverage into

DoD Lab CRAD wins

2013

Implement SSE process across programs &

captures

2013

Identify technology that needs to be

developed

2012

Create Process that can be

used across the

corporation

2011

Establish SSE

IPT for

collaboration

2010

Reduce stove-pipe

approach to solving

System Security

(7)

© Lockheed Martin Corporation 2012

Security Development Challenges

Understaffed

Unclear whose job security is

Lack of domain expertise

Lack of training & outdated

training

Heavyweight development

approaches

Buried in regulations & process

compliance

Outdated security practices

Complexity of large system

designs

Lack of information sharing

No situational awareness

Lack of internal & external

collaboration

No lessons learned

Challenge keeping up with

new & changing technology

Stove piped solutions

Time to market

(8)

Security Engineering Procedure

Identifies the security engineering activities, milestones, and work products

performed and created throughout the engineering lifecycle from concept

to retirement

Illustrates how security engineering work products integrate into systems

engineering deliverables throughout the engineering lifecycle

LM has implemented a Security Engineering Procedure for

use across all lines of business

(9)

Security Engineering Activities &

Products throughout the Life Cycle

Proposal Planning Requirements Design Development Test Deployment O&M Retirement

Secure Builds & Configuration Static Analysis Security Test Planning Security Operational Concept Security Plan

Threat & Vulnerability Analysis Secure Coding Standards C&A Planning POA&M Contingency and DR Planning

Functional System Security Testing

Dynamic Analysis Specialty Security Testing Attack Surface Review Security Test Results & Discrepancy Mitigation SRA Report

C&A Package

Control Monitoring Secure Upgrades Security Metrics & Reporting Secure

Component Design Secure System Design Attack Surface Analysis/Reduction

Security Retirement and Transition Plan Safeguard of System Data Approved Security Baseline Sustainment Incident Response Plan

Security & Privacy Requirements System Security Policy Security Test Cases Security RTVM Security Needs Assessment Security Cost Estimates Security RFI Security Technical Solution

Security & Privacy Risk Analysis

Security Reviews, Testing & Scans Contingency & DR

Incident Response Security Policy & Plan C&A

SATE

(10)

Integration of SSE process into other

domain’s processes for success

SSE Process

S-ENGP-0668

Business Development

/Capture Process

RS-BDEV-0009

Program

Management

Process

PM-001-1

Proposal/Program Review Process

(PPRP) representatives – Risk

Review Board

(11)

A model created to “SEAM” together people,

process and tools across a system life

cycle/organization to reduce cyber security

risk to system/program

Security Engineering best practices,

processes, standards, and checklists/tools

Integrates security throughout a systems life

cycle

Develops a culture of security responsibility

within all program and engineering

disciplines

Rooted in community- and

corporate-recognized standards and industry best

practices

Agile and constantly evolving process to

respond to dynamic cyber-threat

environment

Constant feedback loop where operations

provides information back into development

as new threats are identified

Checklists Standards Procedure Policy RS-ENGP-0044, System Security

SAT for PPRs & Tech Reviews S-ENGP-0668, Security Engineering Secure Application Development

Checklist

Security Risk Assessment

Checklist

Threat Modeling

Checklist

Security Testing

Checklist

SEAM breaks down the Security Engineering

policy & procedure into standards and checklists

applicable to all program staff (eg. Business

development, Program managers, Capture

managers, software developers, system

engineers)

(12)

Security Engineering Domain

Advocates

• Various eForums, portals and groups

for outreach

• LM Security Engineering

Community of Practice

• Info-Assurance eForum

• Cyber Fellows Action

Team(FACT) eForum

• AT COE

• Secure SW Engineering eForum

• Info System Security WG

• Security Engineering IPT in place to

foster communication & collaboration

across all business areas security

focused SMEs

• IPT used to develop, review and

communicate system security

engineering efforts (eg. Security

procedure, standards, SEAM tools)

© 2014 Lockheed Martin Corporation 12

AERO

ATL

MST

MFC

SPACE

CIS

IS&GS

SECURITY

ENGINEERING

IPT

(13)

What Can NDIA Do?

Help Develop Risked-Based Candidate Measures

– Include leading indicators to help proactive insight

– Can be tailored for each program (case-by-case)

– Focus on specific program vulnerabilities

– Span the types of issues

– Build on previous measurement efforts (NIST, PSM, INCOSE,

NDIA)

Work with other industry associations (e.g., INCOSE) to

integrate SSE into SE guidance and standards

Work with SERC and others on research and pilots, providing

industry insight and experience

Work with DoD to help with Intelligence awareness of

emerging threats

Continue to reduce compartmentalization across activities,

when appropriate

(14)

Describe what you think SSE

needs to be in 5 years

It needs to be a more Proactive organization with more agility.

Recognized rigorous scientific discipline and supported as such

Standard set of base requirements with advanced features

implemented/tailorable on a program by program basis.

Security Measurement framework developed to inform security

engineering and risk management processes

Actionable Threat model for risk management & sec engr

Must be able to communicate, translate and integrate security

engineering to non-technical workforce as well – program

managers, business development, etc.

Foster a security mindset across all disciplines

(15)

© 2014 Lockheed Martin Corporation VF01493_05-07-2014 LOCKHEED MARTIN and the STAR DESIGN are either registered

marks in the U.S. Patent and Trademark Office and/or other countries throughout the world, or are trademarks and service marks of Lockheed Martin Corporation in the U.S. and/or other countries. All rights reserved.

Lockheed Martin is Proactive and

(16)

Definitions

Systems Security Engineering

– Systems Security Engineering is a specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and cybersecurity/information assurance principles to deliver trustworthy security

solutions that satisfy stakeholder requirements.

Anti-Tamper

– Systems Engineering Activity intended to impede countermeasure development, unintended technology transfer, or alteration of a system

Information Assurance / Cyber Security

– The measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Supply Chain Risk Management

– The implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity

Secure Processing

– Design of components that grant a secure environment for processing of information

Privacy

– Appropriate management (data protection) & use of personal information under the circumstances

Advanced Research

• Development of Next Generation Solutions

(17)

Security Engineering CoP Portal

References

Download now ( PDF - 17 Page - 1.52 MB )

Related documents

People People: Social Capital and the Labor-Market Outcomes of Underrepresented Groups

We then explore several data sets from the United States, Britain, and Germany to understand the role of interpersonal interactions in explaining task assignment, wages and

Estimating the Impact of Monetary Policy Surprises on Fixed-Income Markets

Following Kohn and Sack (2003), we can interpret this lack of response in longer rates as a signal that market participants are reacting to policy-timing changes (i.e.,

Permeable Interlocking Concrete Pavements

9 Design Considerations for Pedestrians and Disabled Persons ...10 Infiltration Rates of Permeable Interlocking Concrete Pavement Systems ...10 Site Design Data ...11

Image fusion and reconstruction of compressed data: A joint approach

The contribution of this work is threefold: i) We present a model that jointly deals with the problem of reconstruction from compressed sources and image fusion; differently from

Media in the Workplace

employees do have professional contacts within their social net- work, before sharing a comment, post, picture, or video through any type of social media or

Interprofessional Education in the Context of Feeding and Swallowing

The interactive experience provided by this IPE event was an opportunity for students to practice professional collaboration around the topic of food intake, which is best

A new generation of early warning systems for coastal risk: the iCoast project

These maps provide a rough estimate of forecast scenarios along the Catalan coast from which the vulnerability and risk levels will be determined, suggesting also the areas that

Spatial Profit Differential of Yam Marketing in Gombe Metropolis, Gombe State, Nigeria.

In comparison of the four (4) selected markets in the study area, the result shows that the maximum average selling price and as well as the average profit were obtained in