ICS Security Conference 2025
JPCERT/CC organised the ICS Security Conference on 5 February 2025. The event aims to share current threats to ICS both in Japan and overseas and the efforts of stakeholders in the field, and to help participants improve their ICS security measures and establish best practices. The conference started in 2009 and now marks its 17th year.
50 participants attended onsite and 511 joined through live streaming. This article summarises the event, which comprised 7 presentations along with remarks.
Opening remarks
Nobutaka Takeo, Director, Cybersecurity Division, Ministry of Economy, Trade and Industry (METI)
<Slides (Japanese)>
Mr. Takeo from METI gave the opening remarks with an overview of the cyber security threats to Japanese businesses.
He identified ransomware and supply chain attacks as the most impactful cyber threats, especially for SMEs in Japan. He also expressed his concern that cyber attack techniques are likely to become more sophisticated due to AI technology and geopolitical risks.
In the global context, the concept of “Secure by Design” is becoming more widely accepted, urging companies to assume responsibility for security measures in their products. Governments are imposing even stricter security requirements, especially for IoT devices.
Considering this situation, METI aims to strengthen cyber security measures across industries, and Mr. Takeo introduced some of these initiatives. They include publishing guidelines on various security measures, offering services to support SMEs, visualizing security measures for supply chain companies, developing IoT device security certification and promoting the use of SBOM.
The speaker also highlighted the human resource development program for cyber security, which targets personnel dispatched from companies in industry to enhance their technical capabilities and human network.
Given the increasing danger of cyber attacks, particularly against SMEs, Mr. Takeo concluded his remarks by emphasizing the importance of the country as a whole taking cyber security measures through public and private cooperation to build a safer society.
ICS Security Today and Tomorrow - A Review of the Past Year
Speaker: Toshio Miyachi, Expert Adviser, JPCERT/CC
<Slides (Japanese)>
Mr. Miyachi reviewed the situation surrounding ICS security as of 2025 and explained its trends and changes.
On the overall cyber security situation, he first pointed out that cyber crime is becoming more sophisticated as geopolitical tension heightens. In particular, the war in Ukraine and the US-China trade war have a significant impact on the supply chain, resulting in a rising number of supply chain cyber attacks. There is an increasing demand for companies to take measures against these risks.
In terms of ICS security, he claimed that ransomware has been the most intimidating threat, noting that two-thirds of victims are manufacturing industry companies and that half of them experienced some impact on their operation and/or production. While the overall number of ransomware cases is on the rise, the majority of the reports come from the US and Europe. He noted that many of the recent media reports on ICS incidents lack technical details as they are based on reports submitted to the US Securities and Exchange Commission. With the new Cyber Incident Reporting for Critical Infrastructure Act, which mandates incident reporting to CISA, he expects the situation to improve in two years.
Ransomware is of course not a threat specific to ICS, but there have been a certain number of cases affecting ICS in the manufacturing industry. Despite several successful joint international operations against some actors, new adversaries continue to emerge, which keeps the intensity of attack activities high as a whole.
The speaker also described two types of malware targeting ICS: FrostyGoop (identified by Dragos) and IOcontrol (identified by Claroty). In another case, malware which infected an ICS engineering environment was found to have some ICS-specific functions, although the developer and its purposes remain unknown. Moving forward, he expects analysis of these kinds of malware to advance.
In terms of vulnerabilities in ICS components and IoT devices, the number of CISA advisories increased by 10% in 2024, compared to the past 3 years. Some vendors have been trying to eliminate vulnerabilities from their products. However, due to vulnerabilities inherited from common libraries, the number of newly discovered vulnerabilities is likely to remain at a high level.
In Europe, many countries are behind the deadline for the adoption of the NIS-2 directive. While the EU Cyber Resilience Act has been enacted, he suggested following the latest movement in the respective governments until the detailed regulations are finalised. With regard to international standardisation, he explained that the editing process for the IEC 62443 series is moving to a new phase with upcoming revision drafts for some chapters.
In the last part of his presentation, Mr. Miyachi described emerging challenges in ICS security associated with new technologies. AI technologies, especially generative AI, have been changing rapidly and are attracting interest for their potential use in ICS. From the cyber security perspective, he warned that this may potentially pose vulnerability risks in ICS. In addition, while quantum computing is expected to be ready for practical use around 2035, some cipher algorithms are likely to be at risk of being compromised. Considering the lifespan of ICS products, he highlighted the importance of a strategic transition to new algorithms in the era of quantum computing.
In conclusion, despite the quiet situation in ICS security in 2024, he estimated that the potential security risks arising both from geopolitical tensions and emerging technologies remain high.
Current State of IEC 62443 ICS Security Standards
Speaker: Yukihiro Ichikawa, Cyber Advisory/Specialist Master, Deloitte Tohmatsu Cyber LLC
<Slides (Japanese)>
Mr. Ichikawa introduced various activities in developing regulations and international standardisation to combat cyber attacks targeting ICS, especially ransomware attacks against the manufacturing industry. In particular, he focused on the details of IEC 62443 and its new edition, as well as his observations on future development.
According to ENISA, the number of cyber security incidents that occurred during 2023 and 2024 was 11,079, and ransomware is attracting particular attention. About 17% of the victims are in the manufacturing industry, and Lockbit ransomware was the most common cause of attack, accounting for more than 40% of the damages. In order to deal with the increasing threats, international standards including IEC 62443 have been established, which provide frameworks for cyber security measures and guidelines for effective security management.
IEC 62443 is a set of international cyber security standards for Industrial Automation and Control Systems (IACS), consisting of 4 parts. The first part provides the definitions for the entire set of documents, and the second part is intended for ICS owners (those who maintain factories and plants). Both Part 2 and Part 3 are relevant to system integrators (owner and system developers), and Part 4 refers to the roles of product suppliers. Recently, the standards have been expanded to 6 parts, including Part 5 on measures outside of ICS and Part 6 on conformity assessment including third-party certification.
IEC 62443-2-1 Edition 2.0 is a revision created 14 years after the first edition, focusing on consistency with other major standards such as ISO/IEC 27000. This version specifically lists process requirements for asset owners, based on 8 components and 16 subcategories of security measures. Furthermore, it applies a process maturity model (level 1-4) throughout the entire series, which sets out guidance for asset owners on assessing the maturity level of their security measures.
Moving forward, the IEC 62443 editors are discussing potentially adding conformity assessment for IoT and authentication to the document. The speaker expects that this potential update will allow companies to apply even more effective cyber security measures. He also anticipates that various industries would be able to structure their security measures in a consistent manner if the standards better clarify their correlation with other international standards and regulations.
To conclude, he underscored the importance of international standards, especially the new guidelines in IEC 62443-2-1 Edition 2.0, which help asset owners better understand the status of cyber security in the entire organisation. He is hopeful that such standards will continue to develop and urge the industry to take enhanced measures against threats. He emphasised that cyber security is a common challenge for every company and suggested that all stakeholders deepen their understanding of ICS security to create a safer future.
Process Safety Management Framework Considering Cyber Security
Speaker: Masayuki Tanabe, Representative Director, Strategic PSM Initiative Group Co, Ltd./Yokohama National University IMS Visiting Professor
<Slides (Japanese)>
Mr. Tanabe presented the results of their research on risk-based Process Safety Management (PSM) system and cyber security risk assessment.
He first introduced the background of his research group. It started as a part of the Institute of Advanced Sciences in Yokohama National University in 2020 to work on the effective introduction of PSM, and it was legally registered in 2023. The group discussed the integration of cyber security and PSM in 2024, which was the main topic of this presentation.
The group conducts PSM using risk-based approaches, taking into account lifecycle management in IEC 61508/61511 and the 20 element models defined by CCPS.
The speaker noted that these components were also considered in applying PSM to cyber security. The group approached the integration by first understanding cyber security risk profiling, and he presented the outcomes of the integration.
He described the cyber security risk assessment process as follows: 1) Select the target and collect basic information, 2) Conduct CS-PHA, 3) Conduct CS-HAZOP, 4) Conduct CS-LOPA, 5) Determine Security Level (SL) and system requirements and 6) Determine network structure assessment and measures. He also touched on the detailed method for each phase and assessment results for a sample system.
Finally, he discussed how an organisation should manage the risk assessment results. He recommended that companies create a cyber security-focused PSM team including experts in Process Safety (PS), Occupational Health and Safety (OHS), Environmental Safety (ENV) and Cyber Security (CS), and develop human resources that can understand both IT and OT so that the team can work effectively.
ICS Risk Mitigation Based on CTEM
Speaker: Shunsuke Kato, Solution Engineer, Claroty Ltd. APJ Sales
<Slides (Japanese)>
Mr. Kato spoke about Continuous Threat Exposure Management (CTEM) and case studies of its application to ICS.
First, he shared the general challenges in cyber security measures by pointing out the potential impacts of ICS-targeted attacks and the necessity for multi-layer approaches to deal with such impacts. He then explained the details of CTEM, a concept proposed by Gartner that consists of repeated processes to improve cyber security. It offers continuous and dynamic operations for organisations to manage various risks based on business impact assessment.
The speaker continued to explain the application of CTEM to ICS along with some recommendations in each phase based on the distinctive nature of ICS.
In Phase 1 (Scoping), he shared some examples of setup for defining the business assets that may be impacted. Phase 2 (Discovery) requires collecting information for the assets defined in Phase 1 from various aspects including the asset profile, connectivity and operation, etc. He explained the status-based approach for Phase 3 (Prioritization), considering the device type, published vulnerabilities and data flow (connectivity) and risk-based prioritisation. For Phase 4 (Validation), users are supposed to evaluate if the attack is actually possible, but he suggested that validation based on evidence (network packets, configuration files etc.) is more realistic considering the impact to the availability of ICS. He also showed some samples of technical measures for Phase 5 (Mobilization) in the endpoint, network base and PLC coding, and recommended that the users engage with stakeholders from the business impact point of view for reporting and implementing measures.
In conclusion, he indicated that CTEM’s consistency, integrity and rationality are its advantages in continuous improvement of ICS security.
Talk session: Lessons Learned from “Incident Response Exercise Scenario for Factories” – Practical Exercises for ICS SIRT personnel –
Speaker: Kazumasa Araki, Senior Staff, Plant Control Technology Sec., (Kurashiki) Plant Control Dept., Cyber Security Management Dept., JFE Steel Corporation
<Slides (Japanese)>
Kazuyuki Kohno, Senior Analyst, ICS Security, Domestic Coordination Group, JPCERT/CC
<Slides (Japanese)>
This session was conducted in the form of an interactive talk session.
First, Mr. Araki from JFE Steel Corporation gave an introduction to their ICS security activities, from establishing their team and creating an OT security incident handling manual to implementing security measures. His team continues awareness raising activities for its OT security incident handling manual through exercises within the company. Along with 7 other organisations, they participated in the incident handling exercise scenarios under development in the ICS security community (led by JPCERT/CC) and shared their experience in the exercises. His company carried out incident handling exercises at all of its sites in this financial year, with more than 800 employees participating, including their ICS SIRT (FSIRT) and related personnel.
JPCERT/CC reviewed and evaluated the results of the exercises held at all 8 organisations and shared feedback on their strengths and challenges. There were some positive findings; the exercise identified that the participants continue to develop their contact lists for security incidents and incident response manuals as well as their structure for information collection. On the other hand, they also faced some challenges, such as reports lacking actionable details and insufficient resources to handle evidence preservation and business continuity at the same time. In case of production stoppage, participants also struggled with uncertainty about when and how to decide to resume operation.
The presentation was followed by an interactive session, and Mr. Araki answered some questions from the facilitator as follows:
● What was your impression of the 3 components in the exercise, “meaning of the exercise”, “regular implementation” and “external collaboration”?
- He set this exercise as an opportunity for participants to practice their communication and initial response as outlined in their procedures to minimise the damage.
- Just like disaster prevention exercises, he believes it is important to run the exercise regularly and make it part of their daily operations so that participants can take action without confusion in case of an incident. Joining the exercise scenario and the aforementioned ICS security community actually lowered his team’s burden for exercise planning and its regular implementation.
- Most of the exercises used to be limited to testing internal coordination. By joining the ICS security community, he recognised the importance of the external component in the exercise, including reporting to JPCERT/CC.
● What is the significance of inviting participants from ICS SIRT and other related personnel in the organisation to the exercise?
- ICS SIRT personnel are responsible for ICS incident response and security in general, and the ICS owner division looks after a wide range of facilities and processes. He suggests that, through this exercise, players in these divisions should understand the risks and consider what is necessary in case of emergency.
● Did you find any difference between IT and OT environments during the preparation and actual implementation of the exercise?
- From his experience in the OT area, he identified various differences. Especially during an emergency, the OT environment tends to require a longer time for forensics and recovery, compared to IT systems. He recommends that participants prepare while considering potential impact to safety and the environment.
This discussion drew a lot of attention in terms of participation, roles and lessons learned by ICS SIRT and other related teams, which resulted in many questions raised from the audience.
Be prepared for SBOM! Challenges We Faced as a Core Infrastructure Operator
Speaker: Takuya Nishino, Technology Division, Innovation Center, NTT Communications
<Slides (Japanese)>
Mr. Nishino presented the concept, purpose, operation and measures for SBOM. Citing the cyber attack that leveraged the update of SolarWinds products, he explained that SBOM is increasingly required to visualise the components included in software products, just like food ingredient labelling. He added that SBOM has also been applied to licence management, vulnerability management and policy/compliance management as well as supply chain security. Some regulations, such as the Pharmaceutical and Medical Device Act in Japan and the US Presidential Order, mandate developers to provide SBOM, and the EU Cyber Resilience Act may also require SBOM for conformity assessment purposes.
Although SBOM is increasingly demanded from many aspects, the speaker mentioned that it is still inadequately implemented among companies. He also pointed out some challenges in implementing SBOM, which are 1) formats, 2) tools, 3) consistency, 4) generation method, 5) security response and 6) security management. In order to generate SBOM appropriately, he emphasised that software developers, in consensus with their stakeholders, should develop their products in a way that SBOM can be generated according to the purpose of the software.
While suggesting that appropriately generated SBOM enables users to visualise vulnerabilities in OSS applied across the whole organisation, he pointed out that users should also note in which conditions SBOM information was generated. As a use case of vulnerability management, he shared an example where his company applied SBOM and SSVC in manufacturing industries for appliance management, suggesting that SBOM facilitates vulnerability detection and prioritisation in a systematic and realistic manner.
Panel session: Challenges to appropriate asset management for vulnerability response
Presentation & Panel: Naoki Ochi, Supervisor, R&D Division, Platform Development Center, Security Development Dept., Panasonic Automotive Systems Co., Ltd.; Tetsuya Tanaka, Specialist, IT Governance Department, Digital Transformation Division Headquarters, NSK Ltd.
Facilitator: Kazuyuki Kohno, Senior Analyst, ICS Security, Domestic Coordination Group, JPCERT/CC
<Slides (Japanese)>
One of the challenges in responding to vulnerabilities is asset management from the security point of view. In this session, the two presenters talked about their experience in asset management and its future challenges, followed by a panel discussion.
First, Mr. Kohno from JPCERT/CC presented on current challenges in vulnerability response. Many companies have recognised the importance of security in ICS, including collection of vulnerability information. Nevertheless, he is concerned that some companies may not be able to fully utilise the information collected.
Mr. Ochi indicated that some manufacturing companies that attempted to match ICS vulnerabilities with their own assets are facing the challenge of inadequate asset management. Although many guidelines define asset management as one of the necessary actions, detailed approaches and measures from the security perspective depend on each entity, and ICS SIRT personnel and practitioners in the field are dealing with the issue on the ground. He shared some outcomes of the discussions around the approaches to asset management in which he took part within the ICS security community. In particular, he suggested that reducing the risk to business impact is the ultimate goal of vulnerability response, and his group discussed some detailed procedures based on this idea. The proposed methods offer a realistic approach by limiting the workload of information gathering and focusing specifically on critical assets that may worsen business impact.
Mr. Tanaka introduced 4 processes of asset management methods proposed by the group, which are: Process I (Judge the priority of business and operation), Process II (Judge the priority of assets), Process III (Provide security requirements) and Process IV (Match vulnerability information). He also described detailed procedures for Process I and II, which they developed during this financial year, by showing the format of asset lists. Process I determines priority of each business and operation based on risks, but the weighting of business impact is different for each company. His group discussed this by comparing with potential risks in other industries. For Process II, he described their approach to prioritise assets (as identified in Process I) based on potential impact in case of anomaly. He also shared some recommendations on how to motivate the frontline personnel to report asset information appropriately.
Based on the presentations above, Mr. Ochi and Mr. Tanaka answered some questions from the facilitator:
● What are your lessons learned from the proposed asset management methods?
- It was their first attempt to collect asset profiles using a tool. It was interesting to learn how ICS assets are connected to the physical space, assuming the potential business risks.
- The company has worked on asset management previously, but it was not from the business risk point of view. They are eager to integrate the proposed processes into their asset management cycle.
● Do you think the asset information collected is useful for vulnerability matching?
- The team was not sure if they could match the data appropriately, but actually it worked out quite well. There were some inconsistencies in the name of some assets, which delayed the process.
- The team was concerned about the volume of asset information. The suggested approach focuses on critical assets only, which made the process easier.
● Do you think the suggested approach will facilitate the vulnerability response?
- Yes, it will help the process. By repeating the process and practicing, users will also gain knowledge.
- This can be one of the effective approaches. This method requires cooperation of the frontline personnel, and ideally their workload should be kept to a minimum. Since the business impact is the main focus in this approach, it was also easy for the higher management level to understand the background of the decision making.
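The following sketch is an added illustration of how Processes I, II and IV described above can fit together in code, including the asset-name inconsistency mentioned in the panel answers. It is not the group's format or tooling: the priority scales, the scoring (business priority multiplied by anomaly impact), the threshold and all asset and advisory records are assumptions constructed for the example, and Process III (security requirements) is not modelled.

```python
import re
from dataclasses import dataclass

# Everything below is constructed for illustration (hypothetical names and scales).
COMPANY_SUFFIXES = {"co", "ltd", "inc", "corp", "corporation"}
# Process I: priority of each business/operation, 1 (low) to 3 (high).
# The weighting differs per company; these values are assumptions.
BUSINESS_PRIORITY = {"casting line": 3, "packaging": 1}

@dataclass
class Asset:
    name: str
    vendor: str
    model: str
    version: str
    operation: str       # business/operation the asset supports
    anomaly_impact: int  # Process II input: impact if the asset misbehaves, 1 to 3

@dataclass
class Advisory:
    advisory_id: str
    vendor: str
    model: str
    fixed_in: str        # versions below this one are affected

def normalise(text):
    """Fold case, punctuation and company suffixes so name variants compare equal."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return "".join(t for t in tokens if t not in COMPANY_SUFFIXES)

def version_tuple(version):
    return tuple(int(n) for n in re.findall(r"\d+", version))

def asset_priority(asset):
    """Process II: combine the business priority with the asset's anomaly impact."""
    return BUSINESS_PRIORITY[asset.operation] * asset.anomaly_impact

def match_advisories(assets, advisories, threshold=6, normalised=True):
    """Process IV: match advisories against critical assets only, highest priority first."""
    key = normalise if normalised else (lambda s: s)
    hits = []
    for asset in assets:
        priority = asset_priority(asset)
        if priority < threshold:  # non-critical assets are left out to limit workload
            continue
        for adv in advisories:
            same_product = (key(asset.vendor) == key(adv.vendor)
                            and key(asset.model) == key(adv.model))
            if same_product and version_tuple(asset.version) < version_tuple(adv.fixed_in):
                hits.append((priority, asset.name, adv.advisory_id))
    return sorted(hits, reverse=True)

ASSETS = [
    Asset("Furnace PLC #1", "ExampleCorp Co., Ltd.", "PLC-100", "2.3.1", "casting line", 3),
    Asset("Furnace HMI", "ExampleCorp", "HMI 7", "5.0", "casting line", 2),
    Asset("Label printer controller", "examplecorp ltd", "PLC100", "1.0", "packaging", 1),
]
ADVISORIES = [
    Advisory("ADV-0001", "EXAMPLECORP", "plc 100", "2.4.0"),
    Advisory("ADV-0002", "EXAMPLECORP", "HMI-7", "4.2"),
]

if __name__ == "__main__":
    for hit in match_advisories(ASSETS, ADVISORIES):
        print(hit)
    # Exact string comparison misses the same finding because the names differ.
    print(match_advisories(ASSETS, ADVISORIES, normalised=False))
```
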
Closing remarks
Takayoshi Shiigi, Board Member, JPCERT/CC
In the closing remarks, Mr. Shiigi mentioned that this was the first hybrid conference, with an onsite venue for the first time in 5 years, and asked participants for feedback about the format of the event. Since JPCERT/CC first started this conference back in 2009, the industry’s interest in ICS security has shifted, and now more people are involved in this area. He emphasised the importance of mutual collaboration among multiple stakeholders, including JPCERT/CC.
He also noted that JPCERT/CC has organised the conference hoping that it would be a first step for collaboration among frontline personnel in tackling the challenges in ICS security. He concluded his remarks by thanking the speakers and participants.
In Closing
This year’s ICS Security Conference featured presentations on the situation surrounding ICS security from a variety of perspectives, including international standards, ICS vendors, security vendors, and user companies. We hope that this conference will serve as a reference for future activities for all attendees involved in this field. We will continue to improve the content of the conference and will strive to disseminate information and share knowledge that contributes to the improvement of ICS security in Japan.
Yumi Orito
(Translated by Yukako Uchida)