ICS Security Conference 2021
JPCERT/CC held the ICS Security Conference on 12 February (Japanese website). This annual conference started in 2009 in the hope of developing security measures and the best practices for ICS. Since then, the conference has been facilitating the exchange of up-to-date knowledge on both domestic and worldwide threats against ICS and the latest security practices in the related industries. In its 12 years of history, this year was the first time to hold the event online, and 427 people throughout Japan participated. 6 presentations were given, among which two were selected from the CFP process. This article presents the brief summary of each presentation.
In the Opening Remarks, Junichi Eguchi, the Deputy Director-General for Cybersecurity and Information Technology Management at the Ministry of Economy, Trade and Industry (METI), mentioned that the work style of a large population changed in the current pandemic and pointed out that the impact can be seen in the increase in cyber attacks which take advantage of the confusion. He emphasized the need for security measures that cover supply chain with a strong leadership of managers. He also introduced the training program for core human resources which IPA Industrial Cyber Security Center of Excellence (ICSCoE) offers.
Review of the Current ICS Security and Looking Forward
Speaker: Toshio Miyachi, Expert Advisor, JPCERT/CC
Toshio presented on trends in ICS security and cyber security overall, reviewing some events in 2020.
At first, he argued that cyber security measures are not keeping up with the actual business, whose style changed rapidly in the current pandemic, and technological progress of ICS.
He described some major cyber security incidents in 2020 such as the attack on a water supply facility in Israel and that on Iran’s port facility, while noting that there was no incident that is considered as a new type of attack. He said that ransomware attacks that target manufacturing industry and government agencies are increasing, and he expects that ransomware will be further developed.
As for ICS vulnerability trends, he explained the idea of “N-day vulnerability.” It refers to the vulnerabilities in ICS or IIoT products left unpatched even after they are disclosed, and such case happens to some embedded devices and systems.
Finally, he discussed the risk that supply chain has, describing the attack against SolarWinds Inc. last year. In this case, users of Orion servers suffered from malware infection.
Safety and Security Issues in Remote-controlled Smart Home Appliances and Change toward Safe Product Design
Speaker: Takenori Mikasa, Executive Specialist, NTT Data Institute of Management Consulting, Inc.
Takenori presented the current issues and on-going discussions on safety and security of smart home appliances.
The more smart home appliances are used in the society, the more important it is to consider the risks of cyber attacks when designing the products. Remote-controllable smart home appliances can harm the users, and thus he emphasized the importance of products’ integrity, authenticity, and safety features. He pointed out that the current regulations and standards such as Electrical Appliances and Materials Safety Act and IEC60335-1 do neither cover the cases in which the users are harmed indirectly through remote-controlled environment nor when the harms are caused due to the users’ overestimation of the remote-controllable products. Moreover, harms caused by cyber attacks are also out of the scope of those regulations. .
He said the discussion on preventing indirect harms, which refer to harms against the people around remote-controlled products, and keeping the safety of products throughout their lifecycle by software updates are active in Japan. He mentioned that some conventional safety features, such as a display or alarm to notify that the product is remote-controlled, are considered applicable to smart home appliances.
Common Flaws in ICS Security – Insights from Penetration Tester’s Perspective
Speaker: Koji Yasui, Offencive Security Group, Cyber Defense Institute, Inc.
Koji shared his knowledge, such as common security flaws and cost-effective security measures, gained from his experience as a penetration tester.
First, he addressed a loophole that people often miss when placing intrusion prevention from USB ports. He demonstrated that a USB cable can still be used to intrude the target system even when its USB ports reject USB flash memory. He explained the points to note when putting such security measures and the importance of saving backups and testing backup restoration.
Next, he discussed the importance of using encryption of communication channels and separating the network into segments. He demonstrated that ICS network can be intruded even when the devices are protected in a restricted area as long as there is a LAN cable exposed outside the area. He also showed that attackers can intercept the communication and manipulate the ICS after the intrusion.
Overlooked Security Risks in Smart Factories – 3 Intrusion Routes and Attack Scenarios
Speaker: Yohei Ishihara, Security Evangelist, Trend Micro Inc.
Yohei presented on possible scenarios of cyber attacks targeting smart factories and necessary security measures. These findings were obtained through the joint research of Trend Micro and Polytechnic University of Milan on smart factory security. They developed a testing environment similar to the actual manufacturing environment and conducted penetration tests there.
They found new intrusion routes to smart factories, among which three were described as the most crucial: intrusion to EWS through Manufacturer’s application store, intrusion to MES system through ERP system, and intrusion to EWS through a malicious open source library. Based on these findings, Yohei described possible attack scenarios, partially demonstrating the intrusion routes. He considers that the security of MES and EWS is particularly important because they are essential for smart factories and can cause serious damage once attacked.
Finally, he argued that smart factories would require a security strategy in which the whole supply chain is involved, not only the companies that own smart factories. He said this is because many people are involved in the security of smart factories, and it is expected that software supply chain will become more complicated. For this reason, he also puts an importance on the idea of security by design and zero-trust.
Cyber security of Vessels in Shipping Industry
Speaker: Jungo Shibata, Manager of Marine IoT Team, Maritime & Logistics Technology Group, MTI Co., Ltd.
Jungo presented on the current cyber security efforts and situation in shipping industry, particularly showing the result of their penetration test to vessels last year, in which multiple shipping companies were involved.
First, he discussed the increasing risks of cyber attacks and the needs for security and safety measures in shipping industry. Nowadays, many vessels are always connected to the internet, and the amount of data exchanged through this land‐ship communication is increasing. At the same time, he said, the more computers are used in the equipment, the higher risks of cyber attacks such as malware infection and unauthorized access they have. Therefore, the industry needs to protect their OT devices from attackers who attempt to hijack vessels or stop the operations. He also summarized the current situation and discussions in shipping industry regarding cyber security, such as the roles of various businesses, safety guidelines for vessels, and the trend of certifications.
Next, he showed the result of the said penetration test to vessels. The test consists of 3 attack scenarios and was conducted to two types of OT network. One of them is connected to the equipment related to vessels’ location information. The other is connected to the equipment related to vessels’ power and energy system. He said that the penetration test was very useful and effective because they gained insights in their coordination system and procedure, not only identifying the flaws and rooms for improvement in their cyber security measures.
Challenges in Introducing an ICS Security Policy and Some Helpful Tips
Speaker: Fumito Masaki, Global Information Security & Governance Group, Information Systems Division, Santen Pharmaceutical Co., Ltd.
Fumito shared his experience in introducing an ICS security policy to Santen Pharmaceutical’s factories and discussed some challenges and points to note in different phases of such project, such as creating a policy, introducing it to factories, and adjusting the policy to the actual operation.
First, Fumito discussed some points to consider in the phase of creating a security policy in the context of ICS, where availability is particularly important. He discussed some actions to consider, such as conducting a risk assessment, consulting vendors, and/or making the policy conform to the existing guidelines.
In the phase of introducing the guideline, he emphasized the importance of close communications between the factory operators and the staffs in charge of ICS security. In doing so, they can exchange honest opinions and questions. Next, he mentioned that, in the phase of ensuring that the policy actually works, there might be some rules that cannot be followed in the context of ICS, where availability is prioritized. Therefore, he argued that the 4 actions, changing the process, making exceptions, conducting an alternative plan, and waiting until further actions can be made, are important to give flexibility.
In addition to the said points, he said companies can consider conducting security assessment to third parties such as important suppliers, verification and comparison of ICS security products, and ICS security education.
In the Closing Remarks, Koichi Arimura, the Managing Director of JPCERT/CC, expressed his gratitude to all the speakers and other participants of the conference. He said he presented JPCERT/CC’s challenge coin to the speakers.
He said this year’s conference, being held online for the first time, provided a great opportunity for the participants throughout Japan to learn the latest findings on ICS security, while asking the participants for feedbacks for further improvements.
This year’s ICS Security Conference was successfully held online, having more participants than before. JPCERT/CC will continue to improve the contents and presentation style to include more people in the related industry throughout Japan and provide them with opportunities to share insights in ICS security.
Thank you for reading.
(Translated by Takumi Nakano)