ICS Security Conference 2026

JPCERT/CC held the ICS Security Conference 2026 on February 10, 2026. This conference aims to share the current threat landscape surrounding Industrial Control Systems (ICS) in Japan and abroad, as well as initiatives undertaken by stakeholders in ICS security. It also seeks to help participants strengthen their security measures and establish best practices. Since its launch in 2009, the conference has been held annually, and this year marked the 18th conference.

This year’s conference was held as an in-person only event, with 137 attendees participating out of 216 registrants. In this article on JPCERT/CC Eyes, we introduce the opening and closing remarks along with six presentations delivered at the conference. Presentation videos, except for the panel session, are available on YouTube, and links are provided in this article.

Opening remarks

Speaker: Katsukuni Hashimoto, Director, Cybersecurity Division, Ministry of Economy, Trade and Industry (METI)
<Slides (Japanese)>
<YouTube (Japanese)>

The conference opened with remarks from Mr. Hashimoto of METI’s Cybersecurity Division, Commerce and Information Policy Bureau.

Referring to the IPA’s Top 10 Information Security Threats 2026 and related developments, Mr. Hashimoto noted that ransomware remains a major threat and that its impact continues to expand, particularly in the manufacturing sector.

He also introduced recent policy developments in Japan, including the establishment of the SCS scheme to raise the baseline of security measures across the supply chain; the formulation of OT security guidelines for semiconductor device factories; the launch of JC-STAR (labeling scheme based on Japan Cyber-Security Technical Assessment Requirements) and moves to incorporate it into government procurement requirements; and Japan’s endorsement of international joint guidance on SBOM.

In closing, he emphasized that, in light of the enactment of legislation to strengthen cyber response capabilities, it is essential to advance the development of an active cyber defense framework through public-private cooperation in order to protect the industrial base and people’s daily lives. He concluded by stressing the importance of steadily advancing effective initiatives across society as a whole.

ICS Security Today and Tomorrow - A Review of the Past Year

Speaker: Toshio Miyachi, Expert Adviser, JPCERT/CC
<Slides (Japanese)>
<YouTube (Japanese)>

Mr. Miyachi reviewed the state of ICS security in 2025 and explained major trends and changes over the past year. At the outset, he noted that 2025 marked 15 years since the discovery of Stuxnet and 10 years since the Ukraine power outage incidents. Against this backdrop, he provided a broad overview of how growing geopolitical tensions are increasingly affecting cyber space as integration between ICS and IT continues to deepen.

Looking at incidents over the past year, ransomware remained a persistent threat, with especially serious impacts in manufacturing, including production shutdowns and shipment delays. Using cases involving a UK automotive manufacturer and major Japanese companies, he highlighted the structural risk whereby compromises in IT environments can ultimately have major consequences for OT and production activities. He also discussed attacks by state-sponsored actors and hacktivists targeting critical infrastructure, as well as incidents involving renewable energy facilities, dams, and hydroelectric power plants, showing that cyber attacks with physical consequences are becoming increasingly realistic.

Regarding vulnerability trends, he pointed to the growing number of ICS-related advisories published by CISA and reports indicating an increase in Internet-exposed ICS/OT devices. He also touched on confusion surrounding the operation of the CVE Program and emerging efforts in Europe to establish a new vulnerability database, noting that global vulnerability information management is entering a period of transition.

He further reviewed developments in regulations and standards, including the EU’s NIS2 Directive, revisions to the IEC 62443 series, and progress related to CIRCIA in the United States. At the same time, he noted that policy developments in various countries and organizational instability affecting CISA in the United States are having an impact on ICS security. He also addressed challenges posed by rapidly advancing technologies such as AI and migration to post-quantum cryptography, underscoring the importance of preparing long-lived ICS environments for these changes.

Overall, while 2025 did not appear to be a year marked by frequent large-scale destructive attacks, he concluded that significant changes are steadily unfolding, suggesting the arrival of a new era: the broader spread of ransomware, the security implications of escalating interstate tensions, the reorganization of standards and institutional frameworks, and the need to respond to emerging technologies.

Learning Incident Response for ICS from the “Preparedness” Factories Have Practiced for Decades

Speaker: Shunsuke Kato, Senior Solution Engineer, Claroty Ltd. APJ Sales.
<Slides (Japanese)>
<YouTube (Japanese)>

Mr. Kato looked back on recent OT security incidents and explained how the concept of “preparedness,” long cultivated in factories, can be applied to cyber incident response.

He explained that roughly 80% of incidents are IT-originated “indirect OT outages”: even when control itself is not destroyed, operations can still be halted by disruptions to dependent IT systems.

He then explained that concepts long applied in factories at the design, implementation, and operations stages, such as inherently safe design, redundancy, and fail-safe mechanisms, can also function effectively against cyber attacks. He illustrated this point using examples such as the TRITON incident. He further shared concrete examples, including the Fukushima Daiichi nuclear power plant accident and cases from overseas manufacturers, illustrating how businesses were able to continue operations even when digital capabilities were lost by relying on non-digital means such as paper records, human senses, and manual operations.

Using the cases of Colonial Pipeline and Maersk, he showed that business operations can come to a standstill when IT functions such as billing and logistics fail, even if the ICS itself remains intact. This highlights the importance of designing operations with degraded functionality in mind. He also referred to recovery efforts enabled through mutual assistance and public support beyond the boundaries of individual companies, suggesting that collaboration beyond competition becomes critical in times of crisis.

Finally, he presented a framework for restart decisions from three perspectives: MVA (Minimum Viable Architecture), MVP (Minimum Viable Process), and MVC (Minimum Viable Control). He stressed the importance of organizing response options in advance, including analog continuity, backup digital recovery, and external support. He concluded that a deep understanding of OT ultimately strengthens effective incident response capabilities for ICS.

Security Challenges and Defense Methods for Digital Twins in the Automotive Industry

Speaker: Chizuru Toyama, Threat Research / Senior Threat Researcher, TXOne Networks Inc.
<Slides (Japanese)>
<YouTube (Japanese)>

Ms. Toyama provided a systematic overview of the security challenges associated with the growing use of digital twins in the automotive industry, as well as practical defense methods.

She began by organizing definitions and standards related to digital twins, confirming that they are a concept for reproducing real-world products, facilities, and processes in virtual space for use in simulation, monitoring, and optimization. Against the backdrop of the automotive industry undergoing what is often described as a once-in-a-century transformation driven by CASE (Connected, Autonomous, Shared, and Electric), she showed that digital twins are playing an increasingly important role as a foundational technology supporting more advanced development, production, and operations.

Specific examples introduced included Toyota’s optimization of factory sensors, Honda’s energy management initiatives in anticipation of V2G/V1G strategies, and Hyundai’s smart factories. These examples illustrated benefits such as improved quality, lower costs, and more flexible production systems. At the same time, she pointed out that bidirectional connections between the physical and virtual worlds expand the attack surface. She outlined possible attack scenarios such as network reconnaissance, data injection, delay attacks, and model tampering, and showed how these could cascade into high-risk outcomes including incorrect control, production shutdowns, and intellectual property theft.

She also emphasized the importance of role-specific defensive measures and their limitations, the development of incident response playbooks, and security design throughout the entire lifecycle from development to operations. She emphasized that rigorous Secure-by-Design practices, continuous monitoring, and multilayered defense including coordination with the SOC are key to achieving sustainable safety and security in the automotive industry in the era of digital twins.

Promoting Integrated Safety and Security Design for Cyber Attack Response

Speaker: Taito Sasaki, Representative Member, Forehacks LLC / Visiting Researcher, Institute for Manufacturing and Innovation DX Laboratory, Nagoya Institute of Technology
<Slides (Japanese)>
<YouTube (Japanese)>

Mr. Sasaki proposed an approach that integrates safety and security in ICS across the entire lifecycle. This approach responds to increasingly sophisticated cyber attacks and stronger regulatory requirements.

He pointed out that, as the number of vulnerabilities continues to rise and organizations respond to frameworks such as the EU Cyber Resilience Act (CRA), consistent management is required from development through operations and maintenance. Under these conditions, conventional siloed organizational structures and fragmented document management approaches are reaching their limits.

As a solution, he introduced a framework in which the Data Flow Diagram (DFD) serves as a common structural model, allowing safety requirements, security requirements, and SBOMs to be managed together in a single repository. By converting the DFD into JSON and using node_id and dataflow_id as indexes, design intent, analysis results, test requirements, decision histories, and SBOM information can all be linked together to realize a Single Source of Truth (SSOT). He also introduced a mechanism for ensuring traceability through the use of MANIFEST files to manage the overall state and history of the project.

Using the development of an autonomous wheelchair as a case study, he showed how safety analysis (HARA) and security analysis (TARA) can be conducted on the same model to design countermeasures for sensor failures and spoofing attacks in a consistent manner. He also presented an audit process in which generative AI detects “ghost flows” not present in the original design during implementation and prompts corrective action by evaluating differences from the design JSON. In the operational phase, he emphasized the importance of linking SBOM and CVE information to enable tracing vulnerability impacts by ID and recording the rationale for risk acceptance and response decisions.
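
The following Python example is added here for illustration and is not from the presentation or its tooling. It shows ghost-flow detection as a plain set difference against the design JSON (a deterministic stand-in for the generative-AI audit described in the talk) and a CVE trace through SBOM entries keyed by node_id; apart from node_id and dataflow_id, all field names, sample data and the CVE placeholder are assumptions.

```python
import json

# Constructed sample: design DFD as JSON. Only node_id and dataflow_id are named
# in the talk summary; every other field name here is an assumption.
DESIGN_JSON = """
{
  "nodes": [
    {"node_id": "N1", "name": "lidar_sensor"},
    {"node_id": "N2", "name": "motion_controller"},
    {"node_id": "N3", "name": "motor_driver"}
  ],
  "dataflows": [
    {"dataflow_id": "DF1", "src": "N1", "dst": "N2"},
    {"dataflow_id": "DF2", "src": "N2", "dst": "N3"}
  ]
}
"""
# Constructed: flows extracted from the implementation, as (src, dst) node_id pairs.
OBSERVED_FLOWS = [("N1", "N2"), ("N2", "N3"), ("N1", "N3")]
# Constructed SBOM and advisory records; the CVE ID is a placeholder, not a real one.
SBOM = [
    {"node_id": "N2", "component": "examplertos", "version": "1.4.2"},
    {"node_id": "N3", "component": "examplecan", "version": "0.9.0"},
]
ADVISORIES = [{"cve": "CVE-0000-00000", "component": "examplertos", "version": "1.4.2"}]


def ghost_flows(design, observed):
    """Return observed (src, dst) pairs with no matching dataflow in the design."""
    designed = {(f["src"], f["dst"]) for f in design["dataflows"]}
    return sorted(set(observed) - designed)


def trace_cve(design, sbom, advisories, cve):
    """Map a CVE to affected node_ids and the dataflow_ids touching those nodes."""
    hit = {(a["component"], a["version"]) for a in advisories if a["cve"] == cve}
    nodes = sorted({s["node_id"] for s in sbom if (s["component"], s["version"]) in hit})
    flows = sorted(f["dataflow_id"] for f in design["dataflows"]
                   if f["src"] in nodes or f["dst"] in nodes)
    return {"cve": cve, "node_ids": nodes, "dataflow_ids": flows}


if __name__ == "__main__":
    design = json.loads(DESIGN_JSON)
    print("ghost flows:", ghost_flows(design, OBSERVED_FLOWS))
    print(json.dumps(trace_cve(design, SBOM, ADVISORIES, "CVE-0000-00000")))
```

Here the undeclared sensor-to-motor path N1 to N3 is reported as a ghost flow, and the placeholder CVE resolves to node N2 and both dataflows that touch it, which is the ID-based impact trace the operational phase relies on.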

Throughout the presentation, he emphasized that ensuring safety and security in future ICS requires organizing system structures around the DFD and incorporating generative AI as an intelligence layer in an integrated design platform. This enables people to make decisions based on clear evidence.

International Trends in Vulnerability Information and CVD-Related Activities Amid Growing Interest Driven by European Regulations and Other Legal Requirements

Speaker: Tomotaka Ito, Global CVD Project Lead, Global Coordination Division, JPCERT/CC
<Slides (Japanese)>
<YouTube (Japanese)>

Mr. Ito organized international trends, issues, and expected stakeholder responses related to vulnerability handling, an area of growing interest in light of evolving European regulations. The discussion focused on Coordinated Vulnerability Disclosure (CVD), CVE, and SBOM.

He explained that vulnerability information must be properly managed not only in terms of technical accuracy, but also in operational aspects such as receiving, coordinating, and disclosing vulnerability information. Otherwise, new risks can emerge, including zero-day exploitation and response delays. For this reason, he emphasized the importance of CVD, in which reporters, vendors, users, coordinators, and others work together.

Regarding the CVE Program, he shared recent developments such as the growth in the number of CVE Numbering Authorities (CNA) and Roots and confusion surrounding the National Vulnerability Database (NVD), pointing out the need for data quality, enrichment, and proper handling. He also noted that JPCERT/CC supports organizations in Japan as both a CNA and a Root. On SBOM, he explained that it is a means of improving transparency and serves as a foundation for vulnerability management by identifying components and matching them against CVEs. He also noted that international discussions are underway on issues such as identifier harmonization, coverage, and differences among tools.

He further explained that the EU Cyber Resilience Act (CRA) and the NIS2 Directive require measures such as the establishment of vulnerability disclosure policies, reporting of exploited vulnerabilities within 24 hours, and preparation of SBOMs, suggesting that these requirements could also affect companies outside the EU. In light of these developments, he called on vendors to establish vulnerability handling processes and disclosure policies, improve supply chain visibility, and consider CVE assignment. He also encouraged users to improve asset visibility, make use of SBOMs, and adopt prioritization methods such as SSVC and EPSS. He concluded by stressing the importance of building a balanced ecosystem in which vulnerability information can be shared and used effectively across countries and stakeholder groups.

Closing remarks

Speaker: Takayoshi Shiigi, Board Member, JPCERT/CC

The closing remarks were delivered by Mr. Shiigi, a board member of JPCERT/CC.

He noted that this conference marked the 18th event since the inaugural conference in 2009. He also reported that this year’s conference was held as an in-person event with archived distribution of selected presentations, and that much of the event’s operation was handled by JPCERT/CC.

He also noted that, as the term “cyber security” has become more widely used, its scope has expanded beyond IT and networks to include “the business itself,” including the ICS at the core of business operations.

He concluded by encouraging practitioners facing challenges in a changing environment to make use of this conference and JPCERT/CC’s activities as a forum for experimentation. He also expressed his gratitude to the speakers and all participants.

In Closing

At this year’s ICS Security Conference, speakers from a variety of sectors, including ICS vendors, visiting researchers at university-affiliated institutes, and user companies, shared their perspectives on the evolving landscape surrounding ICS security. We hope that this conference will serve as a useful reference for all attendees involved in ICS in their future work. We will continue working to improve the conference while sharing information and knowledge that contribute to the advancement of ICS security in Japan.

Thank you for reading this event report on the ICS Security Conference 2026. We look forward to seeing you at the next conference.

Yumi Orito
(This article was machine-translated and manually reviewed.)
