Posted on 19-Oct-2014

Page 1: TakeDownCon Rocket City: Research Advancements Towards Protecting Critical Assets by Dr. Richard “Rick” Raines
Page 2:

Research Advancements Towards Protecting Critical Assets

Dr. Richard “Rick” Raines
Cyber Portfolio Manager

Oak Ridge National Laboratory

15 July 2013

Page 3:

The Cyber Defense?

The Economist, May 9, 2009

Page 4:

The Threat Landscape

• National intellectual property is being stolen at alarming rates
• National assets are vulnerable to attack and exploitation
• Personally Identifiable Information at risk
• Competing and difficult national priorities for resources

The Landscape is continually changing

[Figure: critical infrastructure sectors shown: Transportation, Water, Electric Power, Oil & Gas, Communications, Financial, Emergency]

Page 5:

Understanding the Challenges

• Dynamic environment with a constant churn
– A domain of operations, “within” and “through”
– Anytime, anywhere access to data and information
– Policy and statutory lanes emerging
• Agile adversaries
– Cyber and cyber-physical
– Overt and covert attacks/exploits
• Data continues to grow
– Sensor feeds yield terabytes of raw data
– Analyst burdens continue to grow

We Continue to Play Catch Up

Page 6:

Who Are the Threat Actors?

• Unintended threat actors: can be just about anyone
– Target-rich environment: people, processes, machines
• Personal-gain threat actors: individuals and organized crime
– Insiders?
• Ideological threat actors
– Hacktivists, extremists and terrorists
• Nation-state threat actors
– Intelligence gathering, military actions

The Sophistication of the Actors Continues to Increase

#OpUSA (7 May 13)
#OpNorthKorea (25 Jun 13)

Page 7:

Who “Really” Are the Threat Actors?

• Over 90% of threat actors are external to an organization
• 55% of the actors are associated with organized crime
– Predominantly in the U.S. and Eastern Europe
• ~20% of actors are associated with nation-state operations
– Over 90% attributable to China
• Internal actors: a large percentage of events tied to unintentional misconfigurations

But sophistication is not always needed…

Source: www.verizonenterprise.com/DBIR/2013

Page 8:

The Targets

• 37% of incidents affected financial organizations
– Organized crime, virtual and physical methods
– Since 9/2012, 46 U.S. institutions in over 200 separate intrusions (FBI)
• 24% targeted individuals in retail environments
– 40% of data thefts attributed to employees in the direct payment chain
  • Waiters, cashiers, bank tellers: “skimmers” and similar devices
• Organizations will always be targets for who they are and what they do

Actors will continue to look for the “low-hanging fruit”

Source: www.verizonenterprise.com/DBIR/2013

Page 9:

Understanding Your Mission

• What does cyber situational awareness really mean?
– User-defined
– Real-time awareness of mission health
– Highly relevant information to the decision-maker
• What are the “crown jewels” in your mission space?
– The critical components that you can’t operate without
– Understanding the interdependencies
• What are the capabilities needed for success?
– Revolutionary advances rather than evolutionary progress
– The right talent, and enough of it, to ensure success
– Partnerships are critical

Mission Assurance = Operational Success

Page 10:

Long Term Grand Challenges

Page 11:

Cyber R&D Challenges: Operate Through An Outage/Attack

System of systems approach to ensure continuity of operations (COOP):

• Identify mission-critical capabilities
• Assess the complex attack-planning problem
• Design defense in depth
• Detect/block attacks
• Discover/mitigate attacks
• Enable graceful degradation of resilient (self-healing) systems

Page 12:

Cyber R&D Challenges: Predictive Awareness

Mission-critical systems available and functional to operate through:

• Near-real-time situational awareness of the battlespace
• Automated/user-defined view
• Network mapping
• Predictive/self-healing systems
• Anticipate failure or attack and react automatically

Page 13:

Cyber R&D Challenges: Security in the Cloud

Visibility of data and computations without access to the specific problem

Approach: wholly owned / cloud service / public internet

• Complex attack-planning problem
• Variety of security structures
• Masking/deception
• Continuous maneuver
• Graceful degradation of resilient (self-healing) systems

Page 14:

Cyber R&D Challenges: Self-Protective Data/Software

High user confidence in data and software:

• Resilient data (at rest and in motion)
• Protocols: secure, resilient, active
• Trustworthy computing
• High-user-confidence checksum
• Hardware-backed trust
• Graceful degradation of mission-critical data to “last known good”

Page 15:

Cyber R&D Challenges: Security of Mobile Devices

Bring your own device (disaster?):

• Biometric security features
• Classified/UNCLAS encryption
• Power and performance issues addressed
• Hardware root of trust
• Self-healing
• Data validated; leakage/transfer contained

Page 16:

ORNL Cyber Research Strengths

Evidence-based action

Strength areas (from the slide graphic): Computational cyber security; Science-based security; Protection and control; Nonclassical light sources; Quantum simulation; Application-oriented research; Analytics; Information visualization; Data management

Focus topics, in the groups shown on the slide:

• Observation-based generative models
• Control of false positives/negatives
• Modeling of adversaries

• Mathematical rigor
• Computationally intensive methods
• At scale, near real time

• Statistics vs. metrics
• Repeatability and reproducibility
• Trend observation and identification

• Photon pair and continuous-variable entanglement
• Comprehensive source design and simulation

• High-performance computing resources
• Putting quantum and computing together

• From first principles to real solutions
• Quantum for computing, communication, sensing, and security

• Probabilistic modeling
• Social network analysis
• Relational learning
• Heterogeneous data analysis

• Geospatial and temporal display methods
• Multiple, coordinated visualizations
• User-centered design and user testing

• Online, near-real-time methods
• Graph modeling/retrieval
• Distributed storage and analysis methods

Page 17:

ORNL Control Systems Security Research Strengths

Evidence-based action

Strength areas (from the slide graphic): Computational cyber security; Real-time monitoring; Detection, control and wide-area visualization; Standards development; Resilient control systems; Advanced components; Analytics; Information visualization; Data management

Focus topics, in the groups shown on the slide:

• Observation-based generative models
• Control of false positives/negatives
• Modeling of adversaries

• Vulnerability assessments
• Mathematical rigor
• Computationally intensive methods
• At scale, near real time

• Time-synchronized data
• Fault disturbance recorders, PMUs
• Voltage, frequency, phase, current

• Industry guidelines
• Interoperability

• Physics-based protection schemes
• Cyber-physical interface

• Fault current limiters
• Saturable reactors
• Power electronics

• Probabilistic modeling
• Social network analysis
• Relational learning
• Heterogeneous data analysis

• Geospatial and temporal display methods
• Multiple, coordinated visualizations
• User-centered design and user testing

• Online, near-real-time methods
• Graph modeling/retrieval
• Distributed storage and analysis methods

Page 18:

Wide-Area Power Grid Situational Awareness

VERDE: Visualizing Energy Resources Dynamically on Earth

Impact Models and Data Analysis; Distribution Outages Analysis

• Monitoring capability
– Situational awareness of a subset of transmission lines (above 65 kV)
– Situational awareness of distribution outages (status of approximately 100 million power customers)
– Social-media feed ingest
– Real-time weather overlays
• Modeling and analysis
– Predictive and post-event impact modeling and contingency simulation
– Automatic forecasts of power recovery
– Energy interdependency modeling
– Mobile application
– Cyber dependency

Page 19:

Hyperion Protocol

Function and security analysis of compiled binaries through behavior computation

HOW IT WORKS:

• Hyperion Protocol technology computes the behavior of compiled binaries.
• The structure theorem shows how to transform code into standard control structures with no arbitrary branching.
• The correctness theorem shows how to express the behavior of control structures as non-procedural specifications.
• Computed behavior can be compared to semantic signatures of vulnerabilities and malicious operations.

Validation. Software can be analyzed for intended functionality.
Readiness. Software can be analyzed for malicious content.
Instruction semantics can be mathematically combined to compute the functional effect of programs.

Current technology provides no practical means to validate the full behavior of software.
Software may contain unknown vulnerabilities and sleeper code that compromise operations.
Program instructions implement functional semantics that can be precisely defined.
Determination of vulnerabilities and malicious content can be carried out at machine speeds.
System for computing behavior of binaries to identify vulnerabilities, sleeper code and malware.

(Quad-chart panels on the slide: Quantitative Impact, Goal, Status Quo, New Insights)

Mathematical foundations developed at IBM; SEI/CMU developed Function Extraction (FX); ORNL developing 2nd-generation FX on HPC
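As an added illustration of the "instruction semantics can be mathematically combined" idea (this is example code, not Hyperion, FX or any ORNL implementation): the toy below handles only straight-line code, the case that remains once the structure theorem has removed arbitrary branching, folds each instruction's semantics into a symbolic net effect on the registers, and compares that non-procedural summary against a constructed semantic signature. The opcodes, the sample block and the signature are all made up for this example.

```python
# Toy behavior computation for a straight-line block of an invented register machine.
# Added example, not Hyperion/FX code: each instruction's semantics is folded into one net
# state transformation, which is then matched against a constructed semantic signature.
from typing import Dict, List, Tuple

Expr = str                  # symbolic expression over the block's input register values
State = Dict[str, Expr]     # register name -> expression for its current value

def sym_add(a: Expr, b: Expr) -> Expr:
    """Semantics of add, with the identity 0 + x == x folded in."""
    return b if a == "0" else a if b == "0" else f"({a} + {b})"

def sym_xor(a: Expr, b: Expr) -> Expr:
    """Semantics of xor; x ^ x == 0 is folded so a register-clearing idiom becomes a constant."""
    return "0" if a == b else f"({a} ^ {b})"

def step(state: State, instr: Tuple[str, ...]) -> State:
    """Apply one instruction (opcode, dst, src...) to the symbolic state as a functional update."""
    op, *operands = instr
    val = lambda x: state.get(x, x)     # register -> its expression; immediates stay literal
    new = dict(state)
    if op == "nop":
        return new
    dst = operands[0]
    if op == "mov":
        new[dst] = val(operands[1])
    elif op == "add":
        new[dst] = sym_add(val(operands[1]), val(operands[2]))
    elif op == "xor":
        new[dst] = sym_xor(val(operands[1]), val(operands[2]))
    else:
        raise ValueError(f"unsupported opcode: {op}")
    return new

def compute_behavior(block: List[Tuple[str, ...]], regs=("r0", "r1", "r2")) -> State:
    """Compose instruction semantics left to right; report only registers whose value changed."""
    state: State = {r: r for r in regs}  # each register starts as its own input value
    for instr in block:
        state = step(state, instr)
    return {r: e for r, e in state.items() if e != r}

def matches_signature(behavior: State, signature: State) -> bool:
    """A signature matches when every register effect it names appears in the behavior."""
    return all(behavior.get(r) == e for r, e in signature.items())

# Constructed sample: a copy of r1 into r0 hidden behind a clear-and-add idiom and a nop.
BLOCK = [("xor", "r2", "r2", "r2"), ("nop",), ("add", "r2", "r2", "r1"),
         ("mov", "r0", "r2")]
SIGNATURE: State = {"r0": "r1"}   # constructed signature: "r0 ends up holding r1's input"
```

The net effect of BLOCK is {"r0": "r1", "r2": "r1"}, so the signature matches even though no single instruction moves r1 into r0; a block such as [("add", "r0", "r0", "4")] yields {"r0": "(r0 + 4)"} and does not match.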

Page 20:

Oak Ridge Cyber Analytics: Detecting Zero-Day Attacks

Approach:
• Generalize computer communication behaviors using machine learning models.
• Classify incoming network data in real time.
• Complement signature-based sensor arrays to focus on attack variants.

Advantages:
• No signatures: trains on examples of attacks
• Detects attacks missed by the most advanced OTS intrusion detectors
• Detects zero-day attacks that are variants of existing attack vectors

DoD Warfighter Challenge evaluation of ORNL’s ORCA:
• Supervised learner (tweaked AdaBoost):
– Detected 94% of attacks using machine learning methods
– False positive rate is only 1.8%
• Semi-supervised learner (Linear Laplacian RLS):
– Detected 60% of attacks using machine learning methods
– No false positives
• Detects both previously seen and never-before-seen attacks

Page 21:

Moving Ahead

• Increased national focus on cyber security
• Cyber law enforcement capabilities growing: “who”
• Digital forensics are improving: “how”
• Information Sharing and Analysis Centers (ISACs): “what”
• Maturing education and training for the professionals
• Better education for “the masses”
• Rapidly evolving R&D breakthroughs

The Human is still the weakest element in the cyber domain