Leidos Ramps Up Cyber-Physical Protection of Critical Infrastructure

Improving the security and resilience of critical infrastructure facilities layer by layer

Many facilities follow the Purdue Model for securing industrial control systems. Promoting defense-in-depth, it is a framework that segments the OT environment into a hierarchy and apart from business and corporate IT. This can help limit the exposure of attacks.

"The Purdue Model lets you break down an industrial control system environment into multiple layers and then identify and plug the holes at each layer," Jaspers says. "We want to protect the business environment at the top couple of layers and the operational environment - the physical plant devices - at every level."

Aligned to the Purdue Model, the range of tools handles specific defenses at each IT and OT layer, such as identifying malware, guarding against firewall intrusion attempts, and testing the firmware in hardware devices for bugs and security flaws.

Many members of the solutions development team have backgrounds in national security and cyberspace operations. Leveraging their offensive cyber expertise to mirror attackers' thinking and their cybersecurity know-how, they have spent the last several years developing novel defenses in addition to the malware, firewall and firmware tools.

Leidos owns a pair of facilities for industrial control system technology R&D where the team can evaluate the solutions. One can digitally simulate incident response scenarios in large-scale or microgrid power distribution, while the other features industrial controller hardware and can replicate mechanical and electrical operations.

Testing at these labs offers critical advantages. The company's experts in cyber, AI, and network and security operations can convene with, for instance, power delivery designers and engineers to collaborate on built-in rather than bolted-on capabilities. They can bring in utility and manufacturing companies to see how the solutions perform under realistic operating conditions.

"We have people who know how to design and build infrastructure, who know how attackers can infiltrate infrastructure, and who know how to defend against attacks," Cox says. "We have people who run security and network operations centers and deal with vulnerabilities daily. All this is feeding into these labs with actual equipment and being put into practice."

Crafting new kinds of solutions to address advanced persistent threats

One of the solutions in development defends networks from advanced attacks that utilize exploit chaining. The tool identifies vulnerabilities across connected systems that attackers could link together to create network penetration routes over time.

Another solution in development is designed to fabricate process control devices and network traffic to serve as stand-ins for their real counterparts and act as a tripwire.

Then there's a monitoring tool for plant-floor devices that continuously measures temperature and vibration and detects subtle visual and audible changes. Physical monitoring aims to detect anomalies that could indicate sabotage attempts in situations where traditional monitoring cannot be relied on.

"Attackers are using APTs to go after facilities, and if they spend enough resources and time, they can beat software," says Nicholas Franklin, an OT cyber researcher in the Cyber Accelerator. "They can find ways to fool good security analysts. But they can't beat physics."

Security tools and techniques get AI power

Deploying machine learning in the set of solutions can enable faster responses to threats. The tools are being built with classification models, which are trained on data associated with cyberattacks and look for telltale patterns and characteristics in operational data.

AI assistance can free up human analysts' capacity to focus on overall site situational awareness. Working at machine speeds, AI-powered tools also counteract the shortage of experienced analysts; according to a recent SANS Institute report, more than half of the OT security workforce possess five or fewer years of field experience.

"Even if a site has the same number of analysts it had two or three years ago, there's so much more data now to look at," Cox says. "The number of attacks is going up. With the new capabilities, that same number of analysts can do more with their time."

The Leidos team's next steps will be identifying critical infrastructure sites for deployment and real-world validation of the tools.

There is a sense of urgency, as the Dept. of Homeland Security has warned of credible threats to cause disruptive and destructive attacks on U.S. critical infrastructure. In its "2025 Homeland Threat Assessment" report, DHS states that it expects adversarial actors will continue to seek access to or pre-position themselves on critical infrastructure networks in the event of a conflict with the U.S.

"We know that bad actors are out there lying in wait. Some may already be inside," Cox says. "Energy and water companies see what's happening. They don't want to be front-page news."

EXPLORE MORE CYBER CAPABILITIES