The Case for Built-In Cybersecurity

The concept of cyber resiliency can mean different things to different people. With so many interpretations in existence, Lockheed Martin established the following description by consolidating definitions from NIST, the Chairman of the Joint Chiefs of Staff, and the Air Force:

“Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to changing conditions to maintain the functions necessary for mission effective capability.”

Using the Cyber Resiliency Level® Framework

Lockheed Martin and the military have been working shoulder-to-shoulder since day one. The Cyber Resiliency Level® (CRL®) Framework helped a joint team identify a program’s “as-is” state, beginning with a Cyber Table Top (CTT) early in the requirements and architecture definition phase.

CTT is one of several assessment techniques that can be used to assess a system’s resiliency to different kinds of cyber-attacks. The process helps teams think like an adversary and examine all the ways an attacker might try to compromise the platform. Lockheed Martin’s cyber experts conducted CTTs and were able to use the CRL® Framework to drive changes in requirements to make the platform more cyber resilient.

After conducting the CTT exercises, the team used the data to help determine mitigation techniques.

Results

Based on the CTT findings, additional cyber requirements were generated, increasing the total number of cyber requirements by approximately 22%. The updated cyber requirements focused on driving the Cyber Resiliency Level® for each category to a program risk-appropriate level, yielding a platform architecture that can survive a cyber-attack.

"CRL® provided us with a repeatable process to continuously address and mitigate threats throughout the program's lifecycle," said a representative for the program. "We are now developing new capabilities specifically tailored to counter the threats that the platform faces. Our customer’s participation in the CTT was critical; it's become much easier to see any identified CRL® 2 risks and understand better how to get to CRL® 3, and even CRL® 4 – Adaptive, if technology is mature enough."