Control System Security Center
A STATUS OF CONTROL SYSTEM SECURITY IN JAPAN
Dr. Seiichi SHIN, Professor, University of Electro-Communications; President, Control System Security Center
Activities on Control System Security in Japan
[Timeline, 2010 to 2014-: STUXNET; APT to Japan (MHI,・・Government); Shamoon]
Cyber Security and Economy
・METI: Study Group (Dec 2010~Aug 2011)
・Task force to study the security of control systems (Oct 2011~Apr 2012)
・Cyber security exercise in area of electronics, gas, building
・Cyber security exercise in area of electronics, gas, building, chemical; will be continued in CSS-Base6
・Control System Security Center (CSSC) (est. March 2012)
・R&D, testing, Awareness・・
・Tohoku Tagajo Headquarter Testbed (CSS-Base6), est. 28 May, 2013
・Tokyo Research Center
・EDSA certification pilot project
・EDSA certification empirical service
◇To ensure ICS security of Japanese critical infrastructure
◇Evaluation and certification for ICS product exporters in Japan
Industrial Control System Network
[Network diagram labels:]
Internet: maintenance/services, related factories, sales
Office network
Firewall
Infrastructure / Industrial Control System network (factories, building, filter plant, sewage plant, disaster control center)
DCS, PLC: opening/closing valve; controlling temperature, pressure and robot
Monitoring room (SCADA)
Engineering PC: parameter configuration, evaluation
DCS: Distributed Control System
PLC: Programmable Logic Controller
SCADA: Supervisory Control And Data Acquisition
Threat against Industrial Control System (ICS)
Cyber attacks target ICS, which monitor and control power stations and plant operation
•Overseas case: a plant was shut down for a week
•Japanese cases: 100 PCs of a plant facility were infected, or automation factory systems were shut down
Big earthquake in 2011 / Stuxnet in 2010: Occurred Events
・System halt
・Non-producible products
・Defective products
・Disappearance of product design/manufacturing information
The occurrences are the same
Control System Security Center (CSSC)
■Organizational overview
Name: Control System Security Center (Abbreviation) CSSC
※A corporation authorized by the Minister of Economics, Trade and Industry
Established: March 6, 2012 (The registration date)
Location:
[Tohoku Tagajo Headquarters (TTHQ)] F21-6F 4-1 sakuragi 3-chome Tagajo city, Miyagi 985-0842 JAPAN
[Tokyo Research Center (TRC)] Atago Green Hills MORI tower 21F, 5-1, Atago 2-chome, Minato-ku, Tokyo 105-6221, Japan
Association members (in alphabetical order): Total 26 corporations (As of Sep, 2014) *8 starting member corporations
• Advanced Institute of Science and Technology*
• ALAXALA Networks Corporation
• Azbil Corporation*
• Fuji Electric Co., Ltd.
• FUJITSU LIMITED
• Hitachi, Ltd.*
• Information Technology Promotion Agency
• Japan Audit and Certification Organization for Environment and Quality
• Japan Quality Assurance Organization
• LAC Co., Ltd.
• McAfee Co.,Ltd.
• Mitsubishi Electric Corporation
• Mitsubishi Heavy Industries Ltd.*
• Mitsubishi Research Institute Inc.*
• Meidensha Corporation
• Mori Building Co., Ltd.*
• NEC Corporation
• NRI Secure Technologies Ltd.
• NTT Corporation
• OMRON Corporation
• The University of Electro-Communications
• Tohoku Information Systems Company, Incorporated
• Toshiba Corporation*
• Toyota InfoTechnology Center Co., Ltd.
• Trend Micro Incorporated
• Yokogawa Electric Corporation*
http://www.css-center.or.jp/en/aboutus/index.html
International Collaboration
Test Bed and Training
Education and Training
OVERVIEWS OF CONTROL SYSTEM SECURITY CENTER(CSSC)
Tohoku Tagajo Headquarters (TTHQ)
Tagajyo
Tokyo
Tokyo Research Center (TRC) Established in March 2013
http://www.css-center.or.jp/en/index.html
Seven Test Beds in CSS-Base6
• Gas Plant
• Sewage Plant
• Assemble Plant
• Chemical Plant
• Building Plant
• Smart City
• Electric Power Plant
Research, Development, Promotion, Training, Exercise, etc.
Two More Test Beds
• Assemble Plant II
• Building Plant II
Defense in Depth
• Anti Virus Software
• Firewall
• Intrusion Detection
• White List
• Logging System and Analysis
• Zoning
• Network Monitoring
• Model Based detection
• Authentication
• More
Cyber Security Exercise for Gas, Electric Power, Building, and Chemical Industries.
Gas Plant
Control Panel
Engineering Station
Tank and Valve
Training
FY2013-
– Developing Red/Blue training materials
– 3-day training for people interested in “functional safety” & control system security (Nov. 20-22)
  The training is funded by a government agency
  The training material is based on IEC 62443 and uses CSS-Base6 to let trainees experience cyber threats and their mitigations.
  The material will be reused to promote EDSA in Japan
– Training program on enhancing Information security for ASEAN (Jan. 20-29, 2014)
  Focusing on ISMS and ICS
  Security Managers in electric power system plans
  Heads of ASEAN Power Utilities/ Authorities (HAPUA)
Testing & Certification (Cont’d)
ISA/IEC62443 and ISA/ISCI ISASecure
[Diagram labels: Target of general-purpose control system; Petroleum/Chemical plant; Security Standardization; Certification assures Defense in Depth and Supply on World Wide SCM.]
Organization: IEC62443-2-1, CSMS. By JIPDEC: Mitsubishi Chemical Engineering, Yokogawa Solution Service Corporation
System: IEC 62443, ISCI SSA. Start of Pilot Project in 2015
Component: ISCI EDSA. By CSSC from July 2014: Yokogawa, Hitachi, Azbil
Testing & Certification (Cont’d)
Certification Services
Start of applying ISCI certification (2014.4-)
- CSSC established Chartered Laboratory last August
- Apply to Japan Accreditation Board (JAB)
- ISCI associate member for ISASecure certification
- Pilot projects of EDSA certification
- JAB’s reviews for an appropriate certification body.
<Domestic Evaluation and Certification Trial> Trial operation of a domestic evaluation and certification scheme
<International Recognition Scheme> Establishment of an international recognition scheme for an ISCI/ISASecure-based certification
<Utilization of Research Output> Utilization of the output of CSSC research
ISCI: ISA Secure Compliance Institute
Testing & Certification (Cont’d)
[Diagram: ISASecure® scheme. Scheme owner: ISCI. Started from 2014.4.1]
USA: ANSI/ACLASS; Japan: Japan Accreditation Board; International Mutual Recognition
Accreditation: exida (USA); CSSC Certification Laboratory (Japan)
Certification in Japan by Japanese
Vendors in Japan: CENTUM VP of Yokogawa, Harmonas by Azbil, HISEC 04/R900E by Hitachi
Conclusion
•CSSC will work for cyber security of critical infrastructure.
•CSSC will continue global collaboration.