ICS Security Conference 2022

JPCERT/CC held ICS Security Conference 2022 on February 3, 2022. The purpose of the conference is to share the current status of threats in ICS both in Japan and abroad as well as efforts by ICS security stakeholders. It also aims to help participants improve their ICS security measures and establish best practices. The conference has been held annually since 2009, and this year’s was the 14th conference.

The event was held online for the first time last year, and there were participants from all over Japan, especially from the Tokyo metropolitan area. This JPCERT/CC Eyes blog post reports on the conference, including opening and closing remarks and the six presentations.

Opening Remarks

Junichi Eguchi, Deputy Director-General for Cybersecurity and Information Technology, Ministry of Economy, Trade and Industry

Mr. Eguchi, Deputy Director-General for Cybersecurity and Information Technology, Ministry of Economy, Trade and Industry, gave opening remarks. First, he introduced the fact that the operation of the Olympic and Paralympic Games was successfully conducted with risk analysis and preparation of response systems, appropriate information sharing among related parties, drills, and other preparations.

He also said that society is becoming increasingly dependent on the digital world, including changes in work styles through remote working and the growing use of external services such as cloud computing. He pointed out that multiple stakeholders are now involved in the development of software and services, and that it is increasingly important for each party to take responsibility according to their roles for responding to vulnerabilities promptly and building and operating reliable systems. He also mentioned that the government has started to establish guidelines for security measures in the factory sector and revised its cybersecurity strategy. He said that the cooperation of the government, JPCERT/CC and other related organizations, as well as conference participants, will become more important as the cyber security environment will become increasingly severe. 


ICS Security Today and Tomorrow - A Review of the Past Year

Speaker: Toshio Miyachi, Expert Adviser, JPCERT/CC

<Slides (Japanese)>

This presentation reviewed overall trends in ICS security in 2021 and also addressed the major changes surrounding ICS security.

Regarding trends in the industry, Mr. Miyachi pointed out that under the COVID-19 pandemic, there is a division between organizations that have skillfully survived by using DX and are further advancing it and those that have been slow to start and are stuck in a difficult situation with reduced capacity to invest in DX. He said that the use of open technologies, such as partial cloud computing in ICS environments, is becoming more common. He also noted that while cyber attackers are being cracked down on through international collaboration among law enforcement agencies, they are also organizing themselves into what can be called a criminal ecosystem.

Regarding incident trends, while there was no case of attack targeting ICS, he mentioned the case of Colonial Pipeline in the U.S., where the ICS was shut down due to ransomware infection of the IT system. It caused widespread petroleum fuel supply disruptions and a rush of buyers to gas stations, which led to social disruption and political problems. He also pointed out that attacker groups using ransomware are increasingly dividing their labor, and that in overseas, victim organizations tend to accept ransom payments relatively easily because they can compensate the ransom with insurance, which benefits the attackers. He also addressed several incidents at water and wastewater facilities in the U.S. and pointed out that not only in the U.S. but also in other countries, small and medium-sized water facilities have weak security measures, which can be compromised by rudimentary methods.

Regarding vulnerability trends, he pointed out that the number of ICS product vulnerability advisories published by CISA rose by 60% from the previous year to 370, and that a vendor reported finding more than 600 vulnerabilities in the first half of the year alone. He also noted that the number of ICS product vulnerabilities found each year has remained high. In addition, as seen in the log4j case study, the accumulation of inherited vulnerabilities in ICS is increasing, and he expressed his hope for the spread of SBOM (Software Bill of Materials) so that users can recognize whether they are using products affected by these vulnerabilities or not.

He also introduced the revision of international standards that have not been made public documents but are still underway behind the scenes, the movement of cyber security laws and regulations in the U.S., and security issues surrounding the supply chain. 


Research to Ensure Human Safety in Production Systems Using Information and Communication Technology

Speaker: Hiroo Kanamaru, Chief Engineer, System Technology Dept. Advanced Technology R&D Center Mitsubishi Electric Corp.

<Slides (Japanese)>

Mr. Kanamaru introduced his study on the development of a security risk assessment guide for remotely accessible production lines, which aims to ensure safety when introducing new technologies such as ICT into production systems.

With the expected further introduction of new technologies in production systems, security threats are expected to become the new hazard for safety of machinery. Production system designers will be required to analyze safety and security risks and consider risk mitigation measures. In order to avoid the possibility of both measures competing for system resources and reducing the effectiveness of them, he introduced the importance and efforts of clarifying measures that may have conflicting effects, and of integrating both measures to reduce risk.

Risk is determined by the magnitude and probability of damage, but IT security measures alone cannot control damage. By combining the three risk reduction measures (IT security measures, safety measures, and recovery measures), cost-effective security measures can be taken. To confirm the effectiveness of the measures, it is necessary to conduct a risk assessment after the measures have been taken, and it is desirable to include such assessment when the system is handed over to the client. 


Practical ICS Recovery Plan by an ICS Engineer

Speaker: Takayuki Oishi, Digital Technology Section, Digital Technology Department, ABB Bailey Japan Ltd.

<Slides (Japanese)>

Mr. Oishi introduced points to note and preparations for recovery in the event of a cyber incident, based on his knowledge of facilities cultivated over many years as an ICS engineer.

He began by introducing the incident case of Colonial Pipeline in the U.S. and pointed out the issues involved. If preparations had been made well in advance, the control network could have been disconnected and operations could have continued. In addition, if the safety of backups had been ensured, the company might have been able to make a quick decision to restore operations without paying a ransom.

He said it is essential to be prepared to capture the unique characteristics of ICS. Based on the ISA99 control system model, he said it is essential to understand the risks associated with each of the HMI network, communication GW, and controller network characteristics. Assuming these risks, he explained the necessity and points to note for online and offline backup of equipment on the HMI network and the EWS maintenance tool in case the controller network is affected. He also introduced the importance of preparing for recovery using backups and data verification at the time of recovery, as well as points to note at normal times such as acquiring update histories. In addition, he emphasized that a cooperative system both inside and outside the company at normal times should be built to prepare for recovery. 


Cyber Security Risk Demonstration for Local 5G Deployment in the Manufacturing Industry -Intrusion routes and actual damage in an environment simulating a steelworks

Speaker: Yohei Ishihara, Security Evangelist, Global IoT Marketing Office, Trend Micro Inc.

<Slides (Japanese)>

Mr. Ishihara presented a demonstration of an attack in which Trend Micro prepared an environment that simulated a steelworks and leveraged the environment's core network as a steppingstone for the attack. He shared the found modus operandi to destruct manufactured goods and disrupt manufacturing and introduced the security measures against them.

Regarding the configuration of the demonstration environment, he said that PLCs on field networks and HMIs on control networks are connected via two 5G network elements: the "wireless access network" and the "core network". In particular, he mentioned that the core network is an important point responsible for user registration and data processing for the manufacturing process.

The result showed that some attack methods using the core network as a steppingstone can destroy manufactured products or disrupt manufacturing process. He explained four possible intrusion routes into the core network and three interception points in the event of an intrusion into the core network.

He mentioned that the core network processes not only user data but also data related to manufacturing, and that once established, it is difficult to modify and is used for a long period of time. Therefore, he pointed out the importance of implementing security measures from the time of installation based on security by design. 


A Roadmap to Establish ICS Security Guidelines

Speaker: Hajime Sasaki, IT Department, KOBAYASHI Pharmaceutical Co., Ltd.

<Slides (Japanese)>

Mr. Sasaki shared his experience in creating internal guidelines for ICS security and the points to note when working on such process. Kobayashi Pharmaceutical is promoting DX and smart factory, and he received an increasing number of requests and inquiries about network connections of various devices to production facilities. As a part of the ICS security measures, the company took business-related regulations and other factors into consideration when creating the guideline.

The key points in drafting the proposal were: separating networks by purpose, separating devices managed by the business network from those managed by other networks, limiting interconnected communications between these networks, and monitoring communication logs of networks other than the business network. He said that the draft planning was conducted in a cross-sectional manner, having various internal parties involved such as those responsible for the production management systems, CSIRT, networks, and IoT.

There were four phases before the guideline was created and informed throughout the company. The "Analyze Current Status" phase included a close examination of network-connected devices. It was followed by "Interview Other Companies" phase to determine the direction the company should aim for. In the "Create the Guideline" phase, he examined and created the concept, structure, etc. of the guideline, which emphasizes availability unlike information security. Finally, in the "Inform about Guideline" phase, he ensured to make the guideline known in the company. He also shared the difficulties he faced in each phase and then presented his efforts for implementation in the company, which included network isolation at a pilot factory based on the guideline. 


Collection and analysis of vulnerability information on ICS products at JPCERT/CC

Speaker: Mitsutaka Hori, ICS Security Response Group, JPCERT/CC

<Slides (Japanese)>

Mr. Hori presented on the focus points of his work and the vulnerability information that caught his attention. His daily work involves collecting, analyzing, and sharing vulnerability information on ICS products, and the presentation was especially dedicated for security professionals in ICS ​user organizations.

He began by introducing key points of focus in his daily work. First, he actively collects a wide range of public information. He makes efforts to quickly identify vulnerability information on ICS products that have not been publicly disclosed to Japanese users and inform them. He then analyzes from a technical perspective the domestic impact of the vulnerability information he has collected, whether it can be easily diverted into an attack, and the possible consequences if an attack were to be conducted. In addition, he issues security alerts when information that is likely to be used in an attack is released. He also makes sure to annex workarounds and other measures so that ICS user organizations can respond to such cases.

He said that in the first half of FY2021, a lot of vulnerability information released before any countermeasure was ready was related to engineering software. For this reason, using the example of engineering software vulnerability information published on JVN, he explained for ICS user organizations about the vulnerabilities, how to interpret the format of the released vulnerability information, and possible attack scenarios.

When responding to vulnerabilities, all parties involved with the product, including product development vendors and product users, should work together to effectively reduce ICS security risks. His presentation was designed for response at product user organization, but for future improvements, he also asked the audience to share their information gaps, challenges in managements, and incident experiences which ICS user organizations need when responding to vulnerabilities. 


Closing Remarks

Koichi Arimura, Managing Director, JPCERT/CC


Mr. Arimura, the Managing Director of JPCERT/CC, made closing remarks, and he noted that holding the conference in an online mode, which started last year, has taken root in just two years.

He noted that there are signs of more stylistic and environmental changes in manufacturing, such as IoT, DX, and the spread of remote working, and that he is seeing new keywords such as Japanese version of economic security, carbon neutrality, and SDGs more often. He pointed out that taking advantage of these social trends may lead to “increased opportunities to deploy new and diverse ICS” and that the presentation on considerations in local 5G deployment deserved attention.

In addition, mentioning the presentations on creation of ICS security guidelines by the company, tips for practical recovery planning, and considerations of harmonizing safety and security for ICT-based production systems, he said that all of them stimulated the audience's interest and are helpful in dealing with various issues, such as dealing with incidents and accidents.

He also noted that JPCERT/CC provided information on the current status and outlook for ICS security based on their analysis over the past year, as well as on the collection and analysis of vulnerability information on ICS products that they are closely monitoring for trends.

Finally, he concluded by thanking all the external speakers for their cooperation in the activities of JPCERT/CC, mentioning that they would receive JPCERT/CC challenge coin as a token of appreciation. He also thanked all the audience for their enthusiastic viewing until the end of the conference.


In Closing,

Since the conference was held online like last year's, people throughout Japan participated in the event, and also the number of participants exceeded that of the previous year. We believe this proves that interest in ICS security has been continuously high and that the online mode enables many people involved in ICS to participate in the conference. We will continue to improve the content of the conference and dedicate ourselves to widely spread information and share knowledge that will contribute to the improvement of ICS security in Japan.

Thank you for taking your time to read this report on the ICS Security Conference 2022.

Please look forward to the next event.

Kazuyuki Kohno

(Translated by Takumi Nakano)