Control System Security Conference 2015

JPCERT/CC has successfully hosted the seventh Control System Security Conference on February 12, 2015 at Kokuyo Hall in Tokyo. The event brought together more than 250 attendees, including a cross-section of engineers/managers of ICS vendors and asset owners. The conference has been held annually since 2009 in order to raise awareness on ICS security issues and share the insights and ideas on ICS security. The program for this year has been designed to have the Japanese ICS vendors and asset owners grasp the latest threat landscape and learn about the countermeasures, both existing and developing.

Photo 1: Taken at the Conference Hall – filled with attendees

The conference had a full day program, where morning sessions focused on hot issues in ICS security, and afternoon sessions focused on countermeasures or its hints to deal with such issues. In this blog post, I would like to summarize each presentation from the conference briefly.

Morning Session (Hot Issues in ICS Security)

After the opening remarks by Mr. Hideyuki Ohashi, Deputy Director-General for IT Strategy, Commerce and Information Policy Bureau, Ministry of Economy, Trade and Industry (METI), I had the opportunity to deliver a keynote speech about the following topics on ICS security:

  • Malware and major cyberattack targeting ICS just before the fifth anniversary of the Stuxnet report,
  • Trends and issues on ICS product vulnerabilities and the advancement of the handling framework in Japan,
  • Trends and issues on certification scheme for ICS security in Japan and related international standardization,
  • Major ICS security researcher activities and related news topics, and
  • Big news topics possibly affecting ICS security, including discontinuation of Windows XP support and legislation of the Japanese Cybersecurity Basic Act.
Photo 2: Me delivering the keynote speech

The next speaker, Mr. Masato Matsuoka with Kaspersky Labs Japan talked about the “Crouching Yeti” or the Havex malware. He pointed out that the group of attackers seemed to be based in somewhere in Europe instead of Russia (that’s why Kaspersky call them a yeti instead of a bear) and that Japan had the third most machines infected by Havex, following the U.S. and Spain according to Kaspersky’s research. He mentioned that the attackers are believed to be collecting ICS data for preparing their next movement from various asset owners through the Havex campaign instead of focusing on any specific industries.

Afternoon Session (Countermeasures/Hints to Deal with ICS Security Issues)

Mr. Takeshi Inoue with Yokogawa Electric Corp., who is responsible for Yokogawa’s PSIRT operations, shared their experiences of handling vulnerabilities of their products, including their first security advisory release in March 2014. Yokogawa has developed a policy, rules and procedures to define how they enhance their products and services to protect their customers against cyber threats. This also covers how they handle vulnerabilities in their products.

Mr. Kenji Toda with Advanced Industrial Science and Technology or AIST talked about the “security barrier device” or SBD developed at AIST in cooperation with Control System Security Center or CSSC. The SBD can detect and prevent abnormal memory access and input/output operations at the system layer or at the motherboards. Mr. Toda hopes the SBD could protect ICS from cyber attacks, especially since security patches are extremely difficult to apply in most ICS.

From an asset owner and operator viewpoint, Mr. Masatoshi Takano with Toyota Motor Corp. presented an approach for ICS cyber security incident response by extending troubleshooting procedures. When you revise troubleshooting manuals, it is important to introduce consideration on possibility of cyber security incidents into the procedures in a manner not to disturb handling physical troubles, which are expected to occur far more often than cyber security incidents. In other words, you should replace the part identified as problematic based on physical troubleshooting process and then inspect the possibility of cyber incident instead of tackling unfamiliar cyber incident handling first off to lose time, for example He also recommended “more with less” approach to enhance the security level of ICS. This approach includes locking down, which reduces the number of enabled functions in ICS and its components to only what is necessary, and defense in depth instead of introducing unfamiliar security mechanisms.

Ms. Tomomi Aoyama with Nagoya Institute of Technology discussed what can be learned from security exercises and drills by comparing various security exercises. This was explained in terms of the four basic skills for improving resilience, that is, how to detect an anomaly, how to respond to an anomaly, how to anticipate consequences and future anomalies and how to learn from the experiences. Exercises studied in this research include the so-called red team and blue team exercises conducted by U.S. ICS-CERT, the European Network for Cyber Security or ENCS, and Queensland University of Technology in Australia respectively, cyber security exercise for town gas providers conducted by CSSC, cross-industry cyber security exercise for national critical infrastructure providers conducted by Japanese National center of Incident readiness and Strategy for Cybersecurity or NISC. She concludes her talk by providing some hints for trainees to learn more from those exercises and for trainers to make the exercises more effective.

In the last session, Mr. Daisuke Inoue with National Institute of Information and Communication technology or NICT briefly explained various network monitoring tools developed by NICT and then showed how their network visual analyzer “Nirvana” could be used to detect cyber attacks against ICS. The research of the Nirvana application to detect anomalies in ICS started in 2007 with cooperation from Yokogawa Electric and they have also successfully finished demonstrative trial on production ICS systems. He pointed out the network traffic nature in ICS is repeated monotonically and also highly predictable, was the reason for their success.

Our full day conference ended with a closing note by Mr. Koichi Arimura, Managing Director of JPCERT/CC, responsible for ICS security.

Some of the presentation slides (in Japanese) are available here.

Please contact icsr[at] for any inquiries.

Thank you very much for reading.

- Toshio Miyachi