ICS Security Conference 2023

JPCERT/CC held ICS Security Conference 2023 on February 9, 2023. The purpose of the conference is to share the current status of threats in ICS both in Japan and abroad as well as efforts by ICS security stakeholders. It also aims to help participants improve their ICS security measures and establish best practices. The conference has been held annually since 2009, and this year’s was the 15th conference.

This is the 3rd time that the conference was held online, and there were 436 participants from all over Japan. This JPCERT/CC Eyes blog post reports on the conference, including opening and closing remarks and the seven presentations.

Opening Remarks

Masahiro Uemura, Deputy Director-General for Cyber Security and Information Technology, Ministry of Economy, Trade and Industry (METI)

Masahiro Uemura, Deputy Director-General for Cyber Security and Information Technology, Ministry of Economy, Trade and Industry (METI), gave opening remarks. 

He first pointed out that ICS security is becoming increasingly important and that in addition to the traditional CIA (Confidentiality, Integrity, and Availability), the scope of security targets whose risk should be managed from the perspective of BC (Business Continuity), SQDC (Security, Quality, Delivery, and Cost), and management is expanding. Furthermore, given that ICS is an important component of Society 5.0, which is a data-driven economy and society that creates new value one after another, he said it is extremely important to accurately identify risks, assess threats, and improve security measures.

He then introduced 5 METI initiatives: revision of “Cyber Security Management Guidelines,” development of “Guidelines for Cyber Physical Security Measures for Factory Systems,” study for the spread of SBOM, study for the development of security conformity assessment system for IoT products, and capacity building for ICS.

He also said that collaborating with various professional organizations and promoting information sharing through community activities are important and beneficial to ICS security measures.

ICS Security Today and Tomorrow - A Review of the Past Year

Speaker: Toshio Miyachi, Expert Adviser, JPCERT/CC

<Slides (Japanese)>

Toshio reviewed overall trends in ICS security in 2022 and addressed the major changes surrounding ICS security.

The COVID-19 pandemic forced new modes of operation and caused economic disruption. On the other hand, it accelerated the digital revolution and the changes in system structure that accompanied them. The ICS network architecture changed as IIoT and cloud computing became more widely used, and as a result, the hierarchical Purdue University model is becoming obsolete. In addition, Russia’s invasion of Ukraine has led to cyber attacks that accompany military actions, breaking the norms of cyberspace, and consequently, countries started to believe that cyberspace is also a battlefield.

In terms of incident trends, two new types of malware targeting ICS were reported in April, and ransomware threats to critical infrastructure continued. Although ransomware does not specifically target ICS, it is the most likely and most damaging cyber threat to ICS today, and attackers may perceive the manufacturing industry as a target from which they can demand high ransoms.

Regarding the trend of vulnerabilities in ICS-related products, more vulnerabilities were reported than ever before. Vulnerabilities inherited through the software supply chain are accumulating, which is now a security risk in using IIoT devices. For this reason, there is a growing demand for SBOMs (Software Bill of Materials) to help product users know the inheritance of vulnerabilities, and the May 2021 U.S. Presidential Executive Order requires federal agencies to include SBOMs as a requirement during procurement.

Finally, he presented trends in standardization, certification, regulations, and official guidance. The EU adopted the NIS2 Directive to strengthen security measures for critical infrastructure, and it came into force in January 2023. All the member states are required to have corresponding national legislation in place by October 17, 2024. This regulation applies uniformly to all critical service providers over a certain size that offer services in Europe, regardless of where they are based.

IEC 62443 ICS Security Standard: Introducing Overview and Latest Status

Speaker: Hiroshi Hoshino, IEC/TC65/WG10 International Expert, Cyber Security Management Department, Lifecycle Services Division, Digital Solutions Headquarters, Yokogawa Electric Corporation

<Slides (Japanese)>

Hiroshi presented an overview and the latest status of IEC 62443, the international standard for ICS security.

He cited the “Action Plan for Cyber Security related to Critical Infrastructure” by National center of Incident readiness and Strategy for Cybersecurity (NISC), noting that cyber security of critical infrastructure providers is a business risk-related issue that needs to be incorporated into the organizational governance. He said cyber security requires addressing security risks throughout the supply chain and that the international standard IEC 62443, which is related to the entire supply chain of ICS, is becoming increasingly important.

He then provided an overview of IEC 62443 and the status of publication and revision of documents. IEC 62443 is an international standard developed by ISA (International Society of Automatic Control) and IEC (International Electrotechnical Commission) to ensure the security of industrial automation and control systems (IACS). The standardization process began in 2002 with ISA, followed by a cyber attack on ICS by Stuxnet in 2011, and then in 2013, ISA and IEC began joint development of the standard. It is mainly used in the chemical, oil, gas, pipeline, equipment manufacturing, electric power, railroad, building automation, and medical equipment sectors. He said, at this point in time, the main standards documents have been published, and there are documents for which revision work to the next edition is planned and underway. He also mentioned that a third-party evaluation and certification system based on the standard documents is being promoted and that activities for JIS standardization have been initiated in Japan.

He further explained the situation surrounding IEC 62443 and the latest status of the standardization. The overall concept model of IEC 62443 is being discussed in response to market trends such as the progress of digital transformation, the expansion of cloud services, and the development of IT/OT inter-organizational collaboration. The next edition (2.0) of IEC 62443-1-1 will consolidate the previous concept models. In addition, the use and reference of IEC 62443 may expand, as exemplified by its use in third-party evaluations and certifications in various countries, such as ISASecure and IECEE’s 62443-related certifications, as well as the trends in laws and regulations, such as the NIS2 Directive in Europe and cyber security laws. Furthermore, in terms of the use of IEC 62443 for OT devices other than industrial automation, discussions are underway on the horizontal standardization of OT security, the roadmap for IEC 62443 as a whole, and the organization and review of requirement items.

Difficulties in Detection and Response in an ICS Environment and Examples of Solutions

Speaker: Takahiro Shigeyama, Technology & Digital Consulting Digital Trust Senior Manager, PwC Consulting, LLC

<Slides (Japanese)>

Takahiro explained the difficulties of detecting and responding to incidents in an ICS environment and gave examples of how to detect and respond to them.

While the importance of enhancing the security of ICS environments is increasing, there are various challenges when implementing technical proactive security measures. This is related to the fact that production shutdowns cannot be easily accepted, and some measures cannot be easily implemented due to their impact on regulations that are critical to business operations. Therefore, he introduced a strategy that focuses on incident detection and response for effective ICS security measures.

He raised some challenges when focusing on detection and response: lack of manpower and expertise, difficulty in internal and external stakeholder coordination, and lack of measures that can send alerts because no defensive measures are in place. He suggested that countermeasures should be focused on systems that are easily targeted by attackers and used frequently. He also said that functions such as logs that come standard with the system should be used to the maximum extent possible. Based on these directions, he suggested that a possible method is to focus on Windows and develop a system for incident detection and response targeting the OS because it can be the initial point of penetration and has a large number of installations across factories and laboratories.

He presented an example of implementing an incident detection mechanism, using the standard Windows remote administration API to monitor event logs and performance. Some factories and laboratories have an established routine process. Therefore, deviations such as using accounts and starting services that are not used for business purposes or spikes in CPU or memory use can be considered possible incidents. He also shared an example of how IT, ICS, headquarters, and factories/laboratories worked together to promote the implementation of incident detection and response procedures and training. First, response procedures and training for investigation, containment, and coordination were developed by the promotion team. After that, trials were conducted, and finally the procedures and training were implemented at specific factories and laboratories.
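The baseline-deviation idea described above (unexpected accounts, unexpected services, CPU or memory spikes), written out as an added example that is not code from the presentation. It runs the detection logic over constructed event records; the baseline, field names, thresholds and sample events are assumptions, and in practice the records would be pulled from the Windows event log and performance counters over WinRM/WMI.

```python
"""Detect deviations from a factory PC's routine in Windows event records.

Added example (not from the talk). Records are constructed here in the shape
(host, source, event_id, data); field names and thresholds are assumptions.
"""

# Routine baseline for one line-side PC (constructed for this example).
BASELINE = {
    "accounts": {"hmi_operator", "line1_svc"},      # accounts used for production
    "logon_types": {2},                               # 2 = interactive console logon
    "services": {"HMIRuntime", "Spooler", "WinRM"},   # services expected to run
    "cpu_pct_max": 80.0,
    "mem_pct_max": 85.0,
}

# Constructed sample records. Event IDs follow Windows conventions:
# 4624 successful logon, 7036 service state change, 7045 new service installed.
EVENTS = [
    ("LINE1-HMI", "Security", 4624, {"account": "hmi_operator", "logon_type": 2}),
    ("LINE1-HMI", "Security", 4624, {"account": "backup_admin", "logon_type": 10}),
    ("LINE1-HMI", "System", 7036, {"service": "HMIRuntime", "state": "running"}),
    ("LINE1-HMI", "System", 7045, {"service": "PSEXESVC", "state": "installed"}),
    ("LINE1-HMI", "Perf", 0, {"cpu_pct": 23.0, "mem_pct": 61.0}),
    ("LINE1-HMI", "Perf", 0, {"cpu_pct": 97.5, "mem_pct": 62.0}),
]


def detect(events, baseline=BASELINE):
    """Return a list of (host, reason, detail) alerts for records that leave the baseline."""
    alerts = []
    for host, source, event_id, data in events:
        if event_id == 4624:
            acct = data["account"]
            if acct not in baseline["accounts"]:
                alerts.append((host, "unexpected_account", acct))
            elif data["logon_type"] not in baseline["logon_types"]:
                # known account, but e.g. RDP (type 10) where only console use is routine
                alerts.append((host, "unexpected_logon_type", f"{acct}:{data['logon_type']}"))
        elif event_id == 7045:
            # a newly installed service is never part of a fixed production routine
            alerts.append((host, "unexpected_service", data["service"]))
        elif event_id == 7036:
            svc, state = data["service"], data["state"]
            if svc not in baseline["services"] and state == "running":
                alerts.append((host, "unexpected_service", svc))
            elif svc in baseline["services"] and state == "stopped":
                alerts.append((host, "baseline_service_stopped", svc))
        elif source == "Perf":
            if data["cpu_pct"] > baseline["cpu_pct_max"]:
                alerts.append((host, "cpu_spike", f"{data['cpu_pct']:.1f}%"))
            if data["mem_pct"] > baseline["mem_pct_max"]:
                alerts.append((host, "mem_spike", f"{data['mem_pct']:.1f}%"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```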

Challenges and Functions Required for Remote Connection in ICS

Speaker: Shunsuke Kato, APJ Sales Solution Engineer, Claroty Ltd.

<Slides (Japanese)>

Shunsuke explained the challenges, required functions, and case studies of implementation in remote connection in ICS.

He first summarized the current status and benefits of remote connectivity. With remote connections, response can be started earlier after a failure has occurred. This is expected to save time and cost and resolve failures more quickly, and MTTR (mean time to repair) can also be reduced. In addition, since the frequency of inspections can be increased, failures can be prevented, which may lead to an improvement in MTBF (mean time between failures). According to the published survey report, the implementation rate of such remote maintenance is 69.7%, of which 31.0% is for critical systems. This indicates that remote connections are widely used.

Next, he introduced the threats surrounding remote connections. First, two incidents of unauthorized ICS operation via remote connections were introduced. He also pointed out that “penetration from remote access” is one of the 10 major security threats published by BSI (Federal Office for Information Security) of Germany. He also mentioned the increasing exposure of ICS to the Internet and stressed the need for security measures. He then introduced the requirements for remote connectivity described in the international standard IEC 62443 3-3, NIST’s SP800-82, NERC’s CIP, a North American regulation for electric utilities, and METI’s Guidelines for Cyber Physical Security Measures in Factory Systems. Based on these materials, he summarized the functions required for secure use of remote connections: access to intermediate systems via encrypted communications, use of multi-factor authentication, and ability to limit connection by groups, identify users, notify, monitor, and block connections when connecting to terminals. He presented an example of a configuration that includes the abovementioned functions, in which a base server (protocol GW) is installed in the ICS network in addition to the intermediate system to centralize the whole administration.

How Can We Continuously Improve the ICS While Maintaining its Availability?

Speaker: Takayuki Oishi, Application Design Department, ABB Bailey Japan

<Slides (Japanese)>

Takayuki explained the difficulties users face in implementing security measures for ICS while ensuring availability, and then he proposed a solution from the perspective of an ICS vendor.

He first discussed why continuous security maintenance can be challenging. For ICS users to perform such maintenance, best practices include efficient and strict application of security patches, proactive collection of information, and updating facilities when their support expires. In reality, however, these actions have not yet become widespread among users. He said this is because many users are concerned about the impact on availability.

At the same time, vendors do not have enough staff to handle all updates, and as a result, they have no choice but to leave the decision on whether to implement an update to each user. However, he pointed out that vendors have not been able to strongly recommend security updates to users because they cannot take responsibility for problems that may occur when users decide on their own to update their systems. As a result, with limited budget, time, and human resources, most users do not take measures unless the vendor strongly recommends them. ICS left without security measures for such reasons are vulnerable in many parts, and once penetrated, they can be exploited in ways that lead directly to damage. He noted that such incidents are likely to increase in the future.

Next, he discussed the practical improvements necessary for ICS users to implement updates with confidence. He said it is important to always apply updates that have been verified by the ICS vendor. He pointed out that providing secure updates to users who have concerns about availability is a prerequisite that vendors must guarantee. In addition, the vendor and user must collaborate on the timing of implementation. He proposed a collaborative approach between the ICS vendor and user, in which vendors are responsible for patch validation, risk assessment, procedures, and operational constraints while the users implement security updates as a part of routine maintenance based on information provided by the vendor.

To conduct the abovementioned measures, he said it is also important to review contractual agreements in some cases as well as vendor maintenance details if necessary. He said vendors and users are expected to cooperate with each other to maintain security, which is the first step toward continuous security measures while maintaining availability.

The Future of ICS Security – What Should We Do?

Speaker: Fumito Masaki, Global Cyber Security Manager, Digital & IT Division, Santen Pharmaceutical Co.

<Slides (Japanese)>

Fumito presented on Santen Pharmaceutical’s security measures for its ICS. He previously spoke at this conference about the company’s security policy development. This time, he presented the challenges in implementing the policy and the countermeasures, as well as the challenges to further security improvements.

He first introduced the ICS security measures that Santen is taking on a daily basis to implement the policy. He then listed eight areas that have been identified as challenges to address in implementing the policy: USB memory management, asset management, password configuration, remote connection, security training, human resources for security, vulnerability handling, and physical security. He described the actual measures taken to address these issues.

He then identified the following challenges to further advance ICS security measures:

  1. Organizational challenges: secure ICS security budgets and understand the causes of security issues
  2. Operational challenges: centralize IT and OT management and address difficulties in changing configurations
  3. Technical challenges: implement security alerts in the ICS, connect OT to the network for better protection and monitoring, and diversify the implementation patterns of services used in the ICS
  4. Challenges of the supply chain: use SOC services for ICS and manage security of contractors

He concluded by saying that 6S, which adds another S (Security) to the 5S (Sorting, Setting-in-Order, Shining, Standardizing, and Sustaining the discipline), needs to be well promoted so that ICS security awareness permeates the manufacturing site.

Issues identified through analysis of vulnerability information on ICS-related products

Speaker: Mitsutaka Hori, Industrial Control System Security Response (ICSR) Group, JPCERT Coordination Center

<Slides (Japanese)>

Mitsutaka presented a case study of analyzing vulnerability information on ICS-related products and introduced two vulnerability analysis methods obtained from an ICS user organization. These methods provide insights into the issues and points to be aware of when handling vulnerability information and are helpful in managing vulnerabilities.

He first provided a detailed explanation of the CODESYS vulnerability (CVE-2021-34593) discussed in the “ICS Vulnerability Analysis Report - First Half of FY2022” as an example of analyzing vulnerability information on ICS-related products. He discussed the expected impact of the vulnerability, the details of its CVSS v3 base metrics, and the availability of updates, and then shared the analysis results of the impact on the entire ICS based on the verification results.

He then reviewed the analysis results and organized the information which ICS users need when deciding whether or not to address each vulnerability. Two points are particularly difficult for users to determine: the likelihood that an attacker will exploit the vulnerability, and the impact on their organization if the vulnerability is actually exploited. For the former, he discussed a list of factors for estimating the likelihood of attack, introducing the security alerts released by JPCERT/CC as an example.

He introduced CISA SSVC and ICS-Patch as tools to help determine how critical these vulnerabilities are and when they should be addressed, considering the abovementioned circumstances surrounding vulnerabilities. CISA SSVC is a decision tree for vulnerability analysis customized for government agencies and critical infrastructure in the United States. The CISA SSVC Calculator, a tool available on the web, shows the decision based on the circumstances that the user selects for each factor. ICS-Patch is an SSVC-based decision tree that takes into account ICS-specific circumstances. It calculates decisions using factors based on ICS asset information and CVSS v3 scores.

Finally, he introduced “J-CLICS based on Attack tree analysis.” This is a self-assessment tool created by the SICE/JEITA/JEMIMA Security Research Joint WG and used in the next step from “J-CLICS STEP1/STEP2,” which JPCERT/CC published. The tool visualizes the implementation status of countermeasures from the attacker’s point of view, clarifies the effects of implementation and the priority of the countermeasures, and examines the countermeasures to be implemented in the future.

The tool was published on March 7, 2023, and it is available on the JPCERT/CC website. You can download it from here (Japanese only).

Closing Remarks

Koichi Arimura, Managing Director, JPCERT/CC

Koichi Arimura, Managing Director of JPCERT/CC, made the closing remarks.

He mentioned that various business risks have emerged, such as the prolonged impact of COVID-19 and that the use of remote access, including remote support, and the increased use of cloud environments are more prevalent at manufacturing sites than ever before. He pointed out that strengthening ICS security measures further is becoming increasingly important as such environmental change continues. He said the conference provided technical and management tips for these changes and concluded by thanking the speakers and all the participants.

In Closing

At this year’s ICS Security Conference, speakers from a variety of perspectives, including international standards, ICS vendors, security vendors, and user companies, discussed the situation surrounding ICS security. We hope that this conference will serve as a reference for future activities for all participants involved in ICS. We will continue to improve the conference and share information and knowledge for the improvement of ICS security.

Thank you for taking your time to read this report on the ICS Security Conference 2023.
Please look forward to the next event.

Mitsuru Ota
(Translated by Takumi Nakano)