Leidos Ramps Up Cyber-Physical Protection of Critical Infrastructure

Criminal groups and nation-states continue to launch successful attacks on critical infrastructure in energy, water, manufacturing and other sectors that provide the backbone for daily life. In hacking infrastructure sites and disrupting operations for ransom or to cause fear, they have used methods ranging from social engineering — tricking an enterprise help desk for network credentials in one high-profile case — to exploiting security flaws in machine controls on plant floors.

The attacks illustrate the skilled and multifaceted ways bad actors have learned to infiltrate infrastructure facilities and degrade physical processes. They also show why enterprises managing the facilities must protect not only business networks but also internet-connected industrial control systems and machinery, referred to as operational technology (OT).

“Many attacks have occurred through spear phishing or where the attackers broke in through an IP camera or the HVAC system,” notes Todd Jaspers, a research scientist in Leidos’ Cyber Accelerator leading the development of critical infrastructure protection solutions. “There are multiple areas of a facility that can be attacked.” 

In defending these important sites against rapidly evolving IT and OT attacks, Leidos sees a “beyond compliance” strategy becoming necessary. Even as critical infrastructure companies maintain their assets to regulatory standards, there still could be unknown gaps, blind spots and vulnerabilities through which sophisticated attackers can gain entry undetected. 

“These companies are in heavily regulated industries and do a great job following a defense-in-depth structure, with multiple levels of firewalls and security protocols,” says Justin Cox, a senior solutions architect in Leidos’ Commercial and International Sector. “As adversaries up their game, the security tools we’re developing are designed to augment protection and shine a light on those darker corners in critical infrastructure environments.”

Leidos understands that advanced persistent threats (APTs) exist for cyber-physical systems and critical infrastructure facilities must be able to withstand them and continue operating. It is developing a modular set of focused solutions to raise the resiliency of these facilities. The suite of tools is intended to be scalable and integrated for layered, defense-in-depth protection. 

Easing the cognitive burden on site operators who must analyze and protect not only large IT but also OT landscapes, the tools will be powered by AI to assist in finding and responding to threats faster. 

Improving the security and resilience of critical infrastructure facilities layer by layer 

Many facilities follow the Purdue Model for securing industrial control systems. Promoting defense-in-depth, it is a framework that segments the OT environment into a hierarchy and apart from business and corporate IT. This can help limit the exposure of attacks. 

“The Purdue Model lets you break down an industrial control system environment into multiple layers and then identify and plug the holes at each layer,” Jaspers says. “We want to protect the business environment at the top couple of layers and the operational environment – the physical plant devices – at every level.” 

Aligned to the Purdue Model, the range of tools handles specific defenses at each IT and OT layer, such as identifying malware, guarding against firewall intrusion attempts, and testing the firmware in hardware devices for bugs and security flaws.  

Many members of the solutions development team have backgrounds in national security and cyberspace operations. Leveraging their offensive cyber expertise to mirror attackers’ thinking and their cybersecurity know-how, they have spent the last several years developing novel defenses in addition to the malware, firewall and firmware tools. 

Leidos owns a pair of facilities for industrial control system technology R&D where the team can evaluate the solutions. One can digitally simulate incident response scenarios in large-scale or microgrid power distribution, while the other features industrial controller hardware and can replicate mechanical and electrical operations. 

Testing at these labs offers critical advantages. The company’s experts in cyber, AI, and network and security operations can convene with, for instance, power delivery designers and engineers to collaborate on built-in rather than bolted-on capabilities. They can bring in utility and manufacturing companies to see how the solutions perform under realistic operating conditions. 

“We have people who know how to design and build infrastructure, who know how attackers can infiltrate infrastructure, and who know how to defend against attacks,” Cox says. “We have people who run security and network operations centers and deal with vulnerabilities daily. All this is feeding into these labs with actual equipment and being put into practice.” 

Crafting new kinds of solutions to address advanced persistent threats

One of the solutions in development defends networks from advanced attacks that utilize exploit chaining. The tool identifies vulnerabilities across connected systems that attackers could link together to create network penetration routes over time. 

Another solution in development is designed to fabricate process control devices and network traffic to serve as stand-ins for their real counterparts and act as a tripwire.

Then there’s a monitoring tool for plant-floor devices that continuously measures temperature and vibration and detects subtle visual and audible changes. Physical monitoring aims to detect anomalies that could indicate sabotage attempts in situations where traditional monitoring cannot be relied on. 

“Attackers are using APTs to go after facilities, and if they spend enough resources and time, they can beat software,” says Nicholas Franklin, an OT cyber researcher in the Cyber Accelerator. “They can find ways to fool good security analysts. But they can’t beat physics.” 

Security tools and techniques get AI power

Deploying machine learning in the set of solutions can enable faster responses to threats. The tools are being built with classification models, which are trained on data associated with cyberattacks and look for telltale patterns and characteristics in operational data. 

AI assistance can free up human analysts’ capacity to focus on overall site situational awareness. Working at machine speeds, AI-powered tools also counteract the shortage of experienced analysts; according to a recent SANS Institute report, more than half of the OT security workforce possess five or fewer years of field experience. 

“Even if a site has the same number of analysts it had two or three years ago, there’s so much more data now to look at,” Cox says. “The number of attacks is going up. With the new capabilities, that same number of analysts can do more with their time.“

The Leidos team’s next steps will be identifying critical infrastructure sites for deployment and real-world validation of the tools. 

There is a sense of urgency, as the Dept. of Homeland Security has warned of credible threats to cause disruptive and destructive attacks on U.S. critical infrastructure. In its ”2025 Homeland Threat Assessment” report, DHS states that it expects adversarial actors will continue to seek access to or pre-position themselves on critical infrastructure networks in the event of a conflict with the U.S.  

“We know that bad actors are out there lying in wait. Some may already be inside,” Cox says. “Energy and water companies see what’s happening. They don’t want to be front-page news.”  

EXPLORE MORE CYBER CAPABILITIES