A Status of Control System Security in Japan

Control System Security Center

A STATUS OF CONTROL SYSTEM SECURITY IN JAPAN

Dr. Seiichi SHIN Professor University of Electro-Communications President Control System Security Center

1 Control System Security Center Activities on Control System Security in Japan 2010 2011 2012 2013 2014-

STUXNET APT to Japan Shamoon (MHI,・・Government）

Cyber Security and Economy

METI by the Study Group （Dec 2010～Aug 2011） Cyber security exercise Task force to study the in area of Cyber security exercise security of control systems electronics, gas, building in area of electronics, （Oct 2011～Apr 2012） gas, building, chemical will be continued in CSS-Base6 est. 28 May, Tohoku Tagajo Headquarter Control System 2013 Testbed（CSS-Base6) Security Center R&D, testing, Awareness・・ (CSSC) Tokyo Research Center （est. March ・EDSA certification ・EDSA ertification 2012） pilot project empirical service

◇To ensure ICS security of Japanese critical infrastructure ◇Evaluation and certification for ICS product exporters in Japan

2 Control System Security Center Industrial Control System Network

Internet Maintenance／services, related factories, sales

Office network Firewall

Infrastructure Industrial Control System network (factories, building, filter plant, sewage plant, disaster control center) DCS PLC opening/closing valve Monitoring room(SCADA) controlling temperature, pressure Engineering PC and robot Parameter configuration Evaluation

DCS: Distributed Control System PLC: Programmable Logic Controller SCADA: Supervisory Control And Data Acquisition

3 Control System Security Center

Threat against Industrial Control System (ICS)

 Cyber attack targeted ICS which surveils and controls power stations and plan operation •Oversea case that plant shutdown for a week overseas •Japanese cases that infected 100 PCs of plant facility or shutdown of automation factory systems Big earthquake in 2011 Occurred Events

・System halt

・Non-producible products

・Defective products Stuxnet in 2010 ・Disappearance of products design/manufacturing information

Occurrences are same

4 Control System Security Center Control System Security Center (CSSC)

■Organizational overview

Control System Security Center Total 26 corporations (As of Sep, 2014) *8 starting member corporations (Abbreviation) CSSC • Advanced Institute of Science and Technology* • ALAXALA Networks Corporation Name • Azbil Corporation * ※A corporation authorized by the • Fuji Electric Co., Ltd. Minister of Economics, Trade and • FUJITSU LIMITED • Hitachi, Ltd.* Industry • Information Technology Promotion Agency • Japan Audit and Certification Organization for Establis Environment and Quality March 6, 2012 (The registration date) Association • Japan Quality Assurance Organization hed • LAC Co., Ltd., members • McAfee Co.,Ltd. • Mitsubishi Electric Corporation (In • Mitsubishi Heavy Industries Ltd.* alphabetical • Mitsubishi Research Institute Inc.* [Tohoku Tagajo Headquarters • Meidensha Corporation (TTHQ)] order) • Mori Building Co., Ltd.* F21-6F 4-1 sakuragi 3-chome • NEC Corporation • NRI Secure Technologies Ltd. Tagajo city, Miyagi 985-0842 JAPAN • NTT Corporation Location • OMRON Corporation • The University of Electro-Communications, [Tokyo Research Center (TRC)] • Tohoku Information Systems Company, Atago Green Hills MORI tower 21F, 5-1, Incorporated Atago 2-chome, Minato-ku, Tokyo 105-6221, • Toshiba Corporation* Japan • Toyota InfoTechnology Center Co., Ltd. • Trend Micro Incorporated • Yokogawa Electric Corporation* http://www.css-center.or.jp/en/aboutus/index.html

5 Control System Security Center International Collaboration

Test Bed and Training

Education and Training

6 Control System Security Center

OVERVIEWS OF CONTROL SYSTEM SECURITY CENTER（CSSC）

Tohoku Tagajo Headquarters (TTHQ)

Tagajyo

Tokyo

Tokyo Research Center (TRC) Established in March 2013

http://www.css-center.or.jp/en/index.html 7 Control System Security Center Seven Test beds in CSS-base 6

Gas Plant Sewage Plant

 Research, Development, Promotion, Training, Exercise, etc.

Assemble Plant Chemical Plant

Building Plant

Smart City） Electric Power Plant 8 Control System Security Center

More Two Test Beds

Assemble Plant II Building Plant II

9 Control System Security Center Defense in Depth

Anti Virus Software Firewall Intrusion Detection  White List Logging System and Analysis Zoning Network Monitoring Model Based detection Authentication More

10 Control System Security Center Cyber Security Exercise for Gas, Electric Power, Building, and Chemical Industries. Gas Plant

Control Panel

Engineering Station

Tank and Valve

11 Control System Security Center Training  FY2013-- – Developing Red/Blue training materials – 3 days training for people interested in “functional safety” & control system security (Nov. 20-22) The training is funded by a government agency The training material is based on IEC 62443 and using CSS-Base6 to experience cyber threats and their mitigations. The material will be reused to promote EDSA in Japan – Training program on enhancing Information security for ASEAN (Jan. 20-29, 2014） Focusing on ISMS and ICS Security Managers in electric power system plans Heads of ASEAN Power Utilities/ Authorities (HAPUA)

12 Control System Security Center Testing & Certification(Cont’d) ISA/IEC62443 and ISA/ISCI ISASecure

Target of general-purpose Certification assures Defense in Depth on Security Standardization control system Petroleum/and Supply on World Wide SCM. Chemical plant

IEC62443 -2-1 By JIPDEC, Organization CSMS C Mitsubishi Chemical Engineering Yokogawa Solution Service Corporation ISCI IEC SSA System 62443 C Start of Pilot Project in 2015

component ISCI ＥＤＳＡ By CSSC from July 2014 C Yokogawa, Hitachi, Azbil

13 Control System Security Center Testing & Certification(Cont’d)

Certification Services Start of applying ISCI certification -CSSC established Chartered Laboratory last August -Apply to Japan Accreditation Board (JAB) -ISCI associate member for ISASecure certification -Pilot projects of EDSA certification -JAB’ reviews for an appropriate certification body. 2014.4-

＜Domestic Evaluation and Certification Trial＞＜International Recognition Scheme＞＜Utilization of Research Output＞

Trial operation of a domestic Establishment of an international Utilization of evaluation and certification scheme recognition scheme for an the output of ISCI/ISASecure-based certification CSSC research

ISCI：ISA Secure Compliance Institute 14 Control System Security Center Testing & Certification(Cont’d)

ISASecure® Scheme owner：ISCI Started from 2014.4.1 USA International ANSI/ACLASS Mutual Japan Accreditation Recognition Board

Accreditation Accreditation USA CSSC exida Certification Laboratory

CENTUM VP of Yokogawa Certification in Japan Vendors in Japan by Japanese

Harmonas by Azbil HISEC 04/R900E by Hitachi

15 Control System Security Center Conclusion

•CSSC will work for cyber security of critical infrastructure. •CSSC will continue global collaboration.