JAMA/JAPIA Cybersecurity Guidelines
—Further Development of Cybersecurity Measures in the Automobile Industry—
Ver. 1.0
December 1, 2020
Japan Automobile Manufacturers Association Japan Auto Parts Industries Association General Policy Committee IT Committee ICT Subcommittee Cyber Security Subcommittee Cyber Security Expert Group
Revision History
Version Date Issued Revision Details Ver. 0.9 March 31, 2020 First version
Ver. 1 December 1, 2020 Issued as Ver. 1 based on the trial version Ver. 0.9
1
Table of Contents 1. Background and Purpose ...... 3 2. Intended Audience for These Guidelines ...... 4 3. Structure of These Guidelines ...... 5 4. How to Utilize These Guidelines ...... 6 5. Requirements and Conditions for Achievement ...... 7 6. Glossary ...... 35 Afterword ...... 38
2
1. Background and Purpose
The automobile industry is currently entering a once-in-a-century period of technological change—as represented by the acronym CASE (Connected, Autonomous, Shared & Services, Electric)—during which the entire industry is promoting the utilization of information technology to realize a mobile society. However, as more information systems managed by companies, such as IT infrastructure environments and factory control systems, are connected to the Internet, the threat of internet-based cyberattacks to in-house IT environments is increasing and concerns in recent years regarding cyberattacks on supply chains—including unauthorized access by attackers to the networks of affiliated companies and business partners in the process of reinforcing security measures, attacks via B2B networks, or unauthorized embedding of programs into software or products used by target companies—have shown that the cybersecurity risks faced by the automobile industry are growing more serious in nature. In order for the automobile industry to realize a mobile society that is safe, secure, and prosperous while achieving sustainable development in an environment where cybersecurity risks are increasing, it is essential for the entire industry to gain an accurate understanding of the cybersecurity risks it faces and take appropriate measures against those risks. Furthermore, in response to these evolving cybersecurity risks, Japan’s Ministry of Land, Infrastructure, Transport and Tourism (MLIT) has required that the industry harmonize its cybersecurity measures using a cybersecurity certification system (UN WP29, CS/SU certification). Likewise, in order to improve supply chain security levels, Japan’s Ministry of Economy, Trade and Industry (METI) has introduced its "Cyber/Physical Security Framework (CPSF)" which requires the creation of standard industry guidelines for the information systems field. These guidelines—which are based on the background described above and take the unique cybersecurity risks faced by automobile manufacturers and companies that make up supply chains in the automobile industry into consideration—seek to clarify a three-year framework for cybersecurity measures and industry-wide self-assessment criteria aimed at enhancing cybersecurity measures throughout the entire automobile industry while promoting efficient inspections of cybersecurity levels.
3
2. Intended Audience for These Guidelines
These guidelines are intended for all companies related to the automobile industry, with the assumed readers being officers and employees of the following departments involved in security operations at each company. ・ CISOs (Chief Information Security Officers) ・ Risk Management Departments ・ Audit Departments ・ Security Support Departments ・ Information System Development/Operation Departments ・ Data Management Departments ・ Purchasing/Procurement Departments responsible for supply chain management
The scope of the first version of these guidelines is enterprise domains common to all operations (office automation environments that serve as a base for business operations), regardless of specific operations domain.
Companies related to the automobile industry
Factory Sales Connected Target scope of domains domains domains future versions
Enterprise domains Target scope of (office automation environments that serve as a the first version base of the entire company)
4
3. Structure of These Guidelines
Because improving the security of the entire automotive industry supply chain is considered a priority, these guidelines were structured by narrowing down important items that should be prioritized across the entire automobile industry—regardless of company size—to enable their use by all companies, including small and medium-sized enterprises. Furthermore, a checklist is attached as an appendix to be used for confirming achievement status.
• Guidelines (this document) This document clarifies the background and purpose of these guidelines and includes descriptions on the scope of these guidelines, their structure, how they are to be utilized, requirements/conditions for achievement, as well as a glossary.
• Appendix: Checklist A checklist to be used for confirming requirements and conditions for achievement
These guidelines are centered on the “Cyber/Physical Security Framework (CPSF)” from Japan’s Ministry of Economy, Trade and Industry (METI) and were created by benchmarking “NIST Cybersecurity Framework v1.1”, “ISO 27001”, “AIAG Cyber Security 3rd Party Information Security 1st Edition” and “IPA Guidelines for IT Security Measures for Small and Medium Sized Businesses”.
5
4. How to Utilize These Guidelines
We propose that these guidelines be used by all companies that support the automobile industry supply chain to improve security within their own organizations. This can be done by using them on a regular (once or more per year recommended) or as-needed basis to check for gaps in basic security measures. Furthermore, the implementation of security measures based on common guidelines coupled with the subsequent assessment of those measures is expected to simplify and enhance the effectiveness of assessment processes aimed at constructing a chain of security and trust between companies and their business partners.
(1) Establishment of security policies at companies and implementation of security measures The requirements and achievement criteria shown in the attached checklist can be referenced by companies in their efforts to establish security policies and implement security measures.
(2) Utilization of guidelines to construct a chain of trust in the automobile industry By using a common security checklist to confirm the implementation status of security measures, these guidelines can be used to construct a chain of security and trust for B2B transactions in the complex automobile industry.
(3) Utilization of guidelines by companies for security education/training activities These guidelines can be used by companies to assess the state of their in-house security, as well as for security education and training activities.
6
5. Requirements and Conditions for Achievement
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.)
[Examples of items contained in an information security policy] Management responsibility: Activities to ensure, maintain, and continually improve information security are promoted under the An in-house leadership of management. An in-house information security information Compliance with laws: Laws regarding information security are 1 policy shall be established and security policy complied with. documented is established [Example of officers responsible for establishment and documentation] As a company, Management demonstrate An in-house Board of Directors basic concepts information and policies security policy regarding shall be [Rule(s)] Policies security and established The in-house information [Examples of easily accessible formats] enhance and security policy shall be in a Posted on wall posters, etc. awareness of communicated format that is easily accessible Posted on the company intranet information within the
security within organization [Applies to] The information [Examples of communication within the organization] the organization Executives, employees, outside security policy Company-wide emails employees (including temporary 2 is communicated Announcements at morning meetings employees, etc.) within the When new executives or employees join the company
organization [Frequency] [Examples of officers responsible for communication within the The in-house information organization] security policy shall be Management communicated within the Board of Directors organization regularly and whenever revised
7
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.) [Examples of non-disclosure rules] Employees will not share company information with other parties, except when necessary for business operations [Rule(s)] When outsourcing operations related to the handling of confidential Non-disclosure rules shall be information, a non-disclosure agreement must be entered established and documented When an employee resigns or their contract date expires, they will Prevent the Explanations regarding non- return all company computers and documents leakage of disclosure rules are provided confidential when new employees (including [Examples of explaining confidentiality and monitoring its In-house rules information by Non-disclosure outside employees) join the observance] to ensure Rules for defining rules rules are company Confidential information is collected when an employee resigns or security for handling for handling explained to Confidential information shall their contract date expires, and their post-resignation obligations are confidential 3 confidential confidential employees and not be carried outside the provided to them in written or spoken form information information information and their observance company when an employee A template non-disclosure agreement is created and signed by shall be communicating monitored resigns or their contract date employees when joining the company defined those rules expires Rules regarding non-disclosure of confidential information are within the clarified in company regulations organization [Applies to] Penalties for violations of non-disclosure rules are included in Executives, employees, outside company regulations employees (including temporary A procedure for confirming items not to be disclosed is included in employees, etc.) employee exit manuals A “confidentiality management month” is set up, during which voluntary workplace inspections are conducted to confirm non- disclosure
8
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.) [Rule(s)] Rules for the usage of IT equipment/devices (computers, [Examples of items included in rules for the usage of IT servers, communications equipment/devices] equipment, storage media, smart Rules for the Rules permitting or prohibiting the use of personal devices (BYOD) devices, etc.) shall be established usage of IT Rules prohibiting the use of apps from sources such as the Apple that include procedures for equipment/ Store, or only allowing the use of work-related apps on company- starting/ending usage, items to devices provided smart devices be observed/prohibited during employed for usage, and procedures for when business [Examples of communication within the organization] such equipment/devices are lost operations are Explanations to users when the use of IT equipment/devices is started Rules for the usage of IT 4 defined and When new executives, employees, or temporary employees join the equipment/devices shall be in a communicated company format that is easily accessible within the Employees are to undergo e-Learning courses on usage rules for IT
organization equipment/devices once per year [Applies to] (including rules Rules for using IT equipment/devices are clarified in company Executives, employees, outside for personal regulations and are posted on the company intranet in a format where employees (including temporary devices they can be viewed whenever necessary employees, etc.) [BYOD]) Applications for usage of IT equipment/devices can be submitted via
a company-wide electronic application system [Frequency] Application documents are posted on the company portal site Rules shall be communicated within the organization regularly and whenever revised
9
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.) [Rule(s)] In-house rules shall be established to ensure compliance with laws regarding information security Established in-house rules shall be communicated within the To ensure organization and education In-house rules compliance with provided on those rules shall be laws regarding Information is collected regarding information security laws and established to information [Applies to] regulations such as the Act on the Protection of Personal Information, ensure security, rules Executives, employees, outside GDPR, and Unfair Competition Prevention Act compliance 5 are established employees (including temporary Established rules incorporate stipulations regarding the frequency of with laws and education/ regarding employees, etc.) education and communication performed within the organization As a company, communication information Education is implemented via e-Learning (once per year) comply with are provided security [Frequency] Compliance laws regarding within the (Examples of (Education) information organization laws: Act on Whenever a new employee joins security the Protection the company and once per year of Personal (Communication within the Information, organization) Unfair Rules shall be communicated Competition within the organization regularly Prevention and whenever revised Act) Rules are [Frequency] Relevant departments confirm that rules comply with any changes reviewed as Once per year, or whenever made to laws (once per year) 6 necessary in revisions to laws are Established rules incorporate stipulations regarding rule review accordance with announced/enforced frequencies changes to laws
10
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.)
The system, [Rule(s)] roles and The roles and responsibilities of the responsibilities A “management system” for information security measure executive that presides over information (incl. criteria is established security (CISO, etc.) and those of the 7 information A “Confidentiality Committee” is established and operating department in charge of information security officers) System diagrams and lists of required contact persons clearly security shall be clarified during normal documented A list of contact persons shall be situations are established clarified
Clarify An systems and [Frequency] information roles for Once per year, or when a serious security The system for information information security incident/accident system for use normal security and occurs in normal situations is The system during normal situations is reviewed in line with thoroughly 8 Or, when changes are made to the situations shall reviewed company reorganization System enact and department or officer responsible for be constructed regularly or as (Normal) reinforce protecting/managing various information, to enable the necessary measures for including customer information, due to collection and cybersecurity company reorganization, etc. sharing of and information protecting [Rule(s)] without against data In accordance with the system for normal incident leakage New methods of situation, examples of information security cyberattacks or incidents/accidents and corresponding leaking security measures shall be shared with Information sources such as those below are used to alert the information are departments in the company company before long holidays detected and 9 corresponding [Applies to]
11
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.)
A system for [Rule(s)] [Examples of response systems] responding to The roles and responsibilities of the A “Confidentiality Committee” is established information executive that presides over information A system for responding to information security security security (CISO, etc.) and those of the incidents/accidents is established in the form of a Computer incidents/ department in charge of information 10 Security Incident Response Team (CSIRT) accidents and its security shall be clarified
corresponding Criteria for information security [Examples of officers] roles and incidents/accidents shall be clarified, as CEO responsibilities shall contact persons inside/outside the CISO is clarified company and contact routes thereof Clarify systems and roles for information [Examples of information contained in initial response flows] A system for security and Information See the examples shown in No. 13 to No. 16 responding to minimize security information damage in incidents/ [Examples of reporting flows when an incident/accident occurs] System security the event of accidents that [Rule(s)] See the examples shown in No. 13 to No. 16 (adverse incidents/accid an incident/ occur are An initial response flow for information situations) ents and its accident to responded to security incidents/accidents shall be [Examples of items in reporting formats] corresponding 11 enable and an overview established Date and time occurred officers shall recovery to of the accident A reporting format for information security Problem be clarified normal and its incidents/accidents shall be established Operations impacted operations as impact/response Causes quickly as measures are Provisional response (control measures and recovery) possible recorded Permanent measures (recurrence prevention) Date and time (of completion of permanent measures)
The system for [Examples of review] adverse [Frequency] Reviews performed when starting projects, when making situations is Once per year, or when a serious personnel changes, or during company reorganizations 12 reviewed information security incident/accident performed at the beginning of the fiscal year regularly or as occurs, etc. Reviews performed when an information security necessary incident/accident occurs]
12
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.)
[Examples of items to be included in response procedures] Detailed description of measures to be taken Ex.: Networks are to be immediately segregated following detection of a suspected virus infection or unauthorized access [Rule(s)] Response system, contact persons Procedures If necessary, the organization shall include Methods of investigating the status of information security (initial the following procedures in response incidents/accidents (target logs, operating procedures) procedures, procedures Work flows for studying methods of implementing technical system recovery (1) Procedures for reporting discovery of measures (primary isolation of causes) procedures, etc.) incidents/accidents, (2) Initial procedures, In-house reporting procedures (forms, work flows) 13 for responding (3) Investigation/response procedures, (4) Examples of items to be reported: Date and time discovered, to information Recovery procedures, (5) Final reporting scope of impact, details, causes Procedures for security procedures Methods of announcing to customers via the Public Relations addressing incidents/ Department information accidents are [Applies to] Procedures security (forms, work flows) Same as defined Cyberattacks and leaks of internal in adverse incidents/ above information situations accidents at an [Examples of response procedure handing methods] early stage Response procedures are posted using electronic media in a shall be format where they can be viewed whenever necessary, as well as clarified stored on paper format
[Rule(s)] If necessary, the organization shall include [Examples of response procedures] the following procedures or responding to Procedures for Procedures are defined in which networks are immediately virus infections in response procedures responding to segregated following detection of a suspected virus infection or 14 (1) Procedures for reporting discovery of virus infections unauthorized access on a client computer, after which persons incidents/accidents, (2) Initial procedures, are defined responsible for the reporting of information security (3) Investigation/response procedures, (4) incidents/accidents are contacted Recovery procedures, (5) Final reporting procedures
13
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.)
[Examples of education] Group education when new employees, mid-career hires, outside employees join the company, etc. [Rule(s)] Education via e-Learning Education on preventing computer viruses Viewing of training videos provided by IPA, security vendors, or via email shall be provided by made in-house, etc. distributing/posting educational materials, Distribution or posting of educational materials provided by IPA, In-house e-Learning, or group education, etc. security vendors, or made in-house, etc. education is Explanations regarding risks when using email and Have provided [Applies to] 15 corresponding measures via user manuals, etc. employees regarding virus Executives, employees, outside employees Training on targeted emails and explanations thereof understand infections via (including temporary employees, etc.) who
the risks email use email [Examples of education frequencies] surrounding When new employees, mid-career hires, outside employees join computer [Frequency] the company viruses and Whenever a new employee joins the Education via e-Learning once per year confidential company and once or more per year Notifications requesting employees to review any updates to information, Employees educational materials/manuals, etc., are sent once per year Daily as well as the shall be Targeted email training once per year education correct educated to be handling aware of risks [Examples of education] methods [Rule(s)] Education when new employees, mid-career hires, outside thereof, in Education on preventing computer viruses employees join the company, etc. order to during online browsing shall be provided Education via e-Learning prevent by distributing/posting educational Viewing of training videos provided by IPA, security vendors, or information materials, e-Learning, or group education, made in-house, etc. In-house security etc. Distribution or posting of education materials provided by IPA, education is incidents/ security vendors, or made in-house, etc. provided accidents 16 [Applies to] Explanations regarding risks when connecting to the internet and regarding Executives, employees, outside employees corresponding measures via user manuals, etc. internet (including temporary employees, etc.) who connections use the internet [Examples of education frequencies] When new employees, mid-career hires, outside employees join [Frequency] the company Whenever a new employee joins the Education via e-Learning once per year company and once or more per year Notifications requesting employees to review any updates to educational materials/manuals, etc., are sent once per year
14
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.)
[Examples of education] [Rule(s)] Education when new employees, mid-career hires, outside Education on confidentiality classifications employees join the company, etc. and the handling thereof shall be provided Education via e-Learning Education is by distributing/posting educational Viewing of training videos provided materials, e-Learning, or group education, Distribution or posting of education materials regarding the etc. Explanations regarding definitions of confidentiality handling of 17 classifications and the handling thereof via manuals, etc. information [Applies to]
based on Executives, employees, outside employees [Examples of education frequencies] confidentiality (including temporary employees, etc.) When new employees, mid-career hires, outside employees join classification the company [Frequency] Education via e-Learning once per year Whenever a new employee joins the Notifications requesting employees to review any updates to company and once or more per year educational materials/manuals, etc., are sent once per year
15
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is not a Achievement requirement.)
[Examples of education/training] Education when new employees, mid-career hires, outside [Rule(s)] employees join the company, etc. Education and training on responding to Education via e-Learning information security incidents/accidents Viewing of training videos shall be provided by Distribution or posting of education materials distributing/posting educational Make Explanations regarding definitions of confidentiality materials, e-Learning, or group advanced Education/training classifications and the handling thereof via manuals, etc. preparations education, etc. Education/ for responding to Tabletop exercises are implemented for conceivable accident for prompt and training on 18 information security scenarios appropriate [Applies to] Education/ information incidents/accidents responses Executives, employees, outside training for security is provided [Examples of frequencies] aimed at employees (including temporary responding incidents/ When new employees, mid-career hires, outside employees preventing employees, etc.) to accidents join the company further damage information and methods Education via e-Learning once per year to enable [Frequency] security of Notifications requesting employees to review any updates to prompt Whenever a new employee joins the incidents/ minimizing educational materials/manuals, etc., are sent once per year recovery when company and once or more per year accidents their impact Training for accident responses via an emergency framework an information of shall be (CSIRT) is provided once per year security provided incident/ accident occurs [Examples of frequencies] Education/training [Frequency] Reviews of company regulations and information security 19 content is reviewed Before/after education and training, guidelines are conducted once per year, with reviews of as necessary or once or more per year education/training content being performed as necessary Content is reviewed annually before and after education
16
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is Achievement not a requirement.)
[Rule(s)] [Examples of exchanges] Methods of Methods of handling confidential A non-disclosure agreement is entered if confidential handling information shall be exchanged before information is to be handled confidential starting business Exchanges made include the clarification of officers, 20 information personnel management (non-disclosure rules), physical Prevent the between [Applies to] control measures, technical measures, handling of leakage of Information companies are Information Companies that share confidential subcontracting, and methods of handling confidential confidential security clarified security information information upon completion of business information in requirements requirements the supply chain for the supply between and enable chain shall be companies prompt response clarified Roles and [Examples of roles and responsibilities in each to accidents responsibilities [Rule(s)] company] when an When sharing confidential information, the Business contracts contain details regarding reporting to information roles and responsibilities of each company outsourcers in the event of an accident and 21 security incident/ when an information security responsibility for cooperation in responding to accident occurs incident/accident occurs shall be accidents, etc. are clarified with documented Information on contact persons in the event of an other companies accident are exchanged
17
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is Achievement not a requirement.)
[Rule(s)] Management rules shall be defined to include the following: An application/approval system shall be used for issuing, changing, and revoking access rights [Examples of management rules] Rules for Granted room entry permissions and access Procedures for granting, changing and revoking access managing access rights shall be limited to the scope rights are described in administrative procedures for rights (room and necessary personnel changes system access Methods of taking inventory for room entry 22 Locations where confidential documents in print form rights) in the rights and access rights shall be defined are stored and rules regarding their locking are defined event of personnel Applications and ledgers for granted room in management rules transfers are entry permissions and access rights shall be Inventory is taken once per year and the procedures defined managed thereof are defined Prevent unauthorized [Applies to] Access rights access to Systems used for business operations and (room and confidential user IDs for logging onto computers system access Access rights areas or systems Locations or rooms in which considerations rights) shall be due to for confidentiality are required managed inadequacies in appropriately [Examples of inspections] access right A checklist for confirming the compliance status of settings management rules is created, inspections are performed Access rights are once per year using that checklist, and corrective issued, changed, [Rule(s)] actions are taken in the event irregularities or violations disabled, or Inspections of the compliance status of the 23 are found revoked in management rules defined in No. 22 shall Records of applications, approvals and settings are accordance with be performed checked to inspect whether management rules are being management rules followed Access rights settings are checked and modified when periodic personnel changes occur
An inventory of [Rule(s)] [Taking inventory] access rights is In accordance with the rules defined in No. Room entry rights and system access rights shall be 24 taken regularly or 22, an inventory of access rights shall be inspected once per year and modifications made if as necessary taken regularly or as necessary access right setting irregularities are found
18
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is Achievement not a requirement.) [Examples of management rules] Both electronic and paper-based media are subject to management [Rule(s)] A stamp is applied clearly indicating that confidential Management rules shall be defined to documents are confidential include the following: Implementation of document risk assessments Identification of confidentiality Management rules A document ledger is established Determinations of labels for confidentiality are defined for Regulations clearly state the following: classifications and their application 25 information based Confidential information to be managed, confidential Classification-based handling methods on confidentiality information, information classification, type of Handling area classifications and classification confidential information, handling of confidential restrictions information, management responsibilities of
departments that handle confidential information [Applies to] Confidentiality Confidential management classifications are defined Information assets (information) classifications and rules are defined in list format for Management rules are clearly specified in regulations information Appropriately for information based on confidentiality classification assets shall be manage [Rule(s)] Management set and information This list shall include the target of information understood, information, administrator name, assets to prevent [Examples of list creation] assets and A list is created of department name, storage location, storage the leakage of Lists of information assets with high confidentiality (information) information information assets period, persons disclosed to, contact confidential classifications are created by each department that managed in (information) with persons, etc. information 26 manages information accordance high Each department created a list of information assets and with those confidentiality [Target information] reviews it once per year confidentiality classifications Information assets applicable to a high Lists are created using a dedicated format classifications level of confidentiality among the confidentiality classifications defined in No. 25 Management of [Rule(s)] information assets Inspections of the compliance status of the (information) is management rules defined in No. 25 shall performed in be performed and corrective actions taken [Examples of inspections] 27 accordance with in the event irregularities or violations are A checklist for confirming the compliance status of management rules found management rules is created based on confidentiality [Frequency] classification Once or more per year
19
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is Achievement not a requirement.)
Management rules [Rule(s)] [Examples of security patch application rules] for IT equipment/ Management rules shall be defined that Vulnerability patches are automatically applied using devices, OS, and 28 include equipment/device adoption, terminal management tools software are installation, network connections, Vulnerable IT equipment/devices are regularly defined based on application of security patches, etc. identified using an asset management system IT equipment/ importance devices owned by the Appropriately company and A list is created of manage IT information IT equipment/ assets to reduce (version devices and the risks information, information [Rule(s)] associated with Management administrator, (version A list of information for IT [Examples of management items] information of information administrating information, equipment/devices, OS and software shall Equipment/device management number, security 29 assets department, administrator, be created that includes version equipment/device name, IP address, location installed, incidents/ (equipment/ location administrating information, administrators, administrating user name, contact person, software version information accidents and devices) installed, etc.) department, departments, locations installed, etc. shorten response on the OS and location installed, times when an software used etc.) on OS and information by the software security accident equipment/ occurs device shall be Management of [Rule(s)] managed information assets Management shall be performed in appropriately (equipment/ accordance with management rules defined [Examples of management] devices) is in No. 28 Corrective actions shall be taken Checks to confirm that management is being performed 30 performed in in the event irregularities or violations are in accordance with management rules is performed accordance with found once per year and corrective actions taken for any management rules irregularities that are discovered based on [Frequency] importance Once or more per year
20
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is Achievement not a requirement.) [Rule(s)] The impact on operations when an information security incident/accident Risks are occurs to the target information asset shall [Examples of methods for understanding impact on identified when be understood in terms of scope of impact operations] the three elements and frequency of occurrence Performing risk assessments of information
31 assets— [Applies to] [Examples of frequencies] confidentiality, Information assets identified in No. 26 When systems are updated integrity, and When business processes are changed Measures for availability— Identify [Frequency] When systems are changed information cannot be ensured information When reviewing important information security risks asset security assets shall be taken risks and take or once or more per year within the organizational [Rule(s)] Risk response organization measures as a Methods of measures for the impact on (organizational company to Impacts on operations understood in No. 31 and plans operations also minimize operations and thereof shall be formulated and include impacts to their measures are reported/shared outsourced operations reported to Any instructions received from executives [Example of measure methods] operations) management as when reporting shall be shared with If personal information is leaked, management and necessary and relevant departments employees/departments that handle personal 32 shared with information will be notified regarding the necessity to internal [Applies to] notify authorities (Personal Information Protection departments Relevant departments, executives (if Commission) involved in necessary) security operations [Frequency] When instructed by executives or as necessary
21
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these is Achievement not a requirement.) [Rule(s)] In addition to appropriately implementing the measures and plans created in No. 32, it Management of shall be confirmed that any impact to [Examples of confirmation] measures for operations was reduced, and corrective Records of responses for leakages of personal impacts on actions taken for any irregularities that are information examined to verify whether notifications to 33 operations are discovered authorities and reporting to relevant executives were performed in performed in accordance with previously established accordance with [Applies to] measure methods formulated plans Impact to information asset operations
[Frequency] Once or more per year [Rule(s)] Prevent Information This list shall include information assets information assets exchanged/used during transactions, as well leakages, etc., exchanged A list is created [Examples of list creation] as how they are handled, and mutually during the over the for the The information exchanged with each business partner understood by the business partner course of course of information and the methods used are included
Understanding business business exchanged with [Applies to] details of transactions by transactions each company and [Examples of handing methods] Business partners with which important business clarifying what with each 34 the methods used Rules for handing confidential information are defined information assets (such as the highly transactions methods are business (methods of in contracts signed with business partners with which confidential information assets defined in and methods used to partner, as well exchanging important information is exchanged No. 25) are shared exchange as the methods information, such When providing confidential information to business
information used for such as for receiving/ partners, a password is applied to any PowerPoint or [Frequency] assets and with transactions, sending orders) Excel files, etc., used for that purpose When starting business transactions or what business shall be when changes are made to information partners understood exchanged and methods used
22
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.) [Examples of usage rules] [Rule(s)] If using external services that handle confidential Usage rules shall be defined to company information, such as accounting include the following: information, the information security specifications of Non-disclosure agreements are that service are confirmed before usage entered into with entities that In-house rules stipulate that business partners must External connect with external enter into a basic business contract that includes Rules for using information information systems provisions related to non-disclosure before business external information systems (such as Security requirements for using transactions are started 35 systems connected those of external information systems are The selection and contracting of contractors is to organizational customers, defined managed based on company-wide standards in the assets are defined Ensure safety and trust subsidiaries, Service details are checked to form of “Information System Management when using external affiliated Understanding conform that security Regulations” (Items included in regulations: Non- information systems, companies, the statuses of requirements for using external disclosure agreement, information security while enabling prompt contractors, external information systems are met and requirements, SLA, BCP support) response to information cloud services, connections evidence of the approval thereof In-house rules regarding the use of cloud services security incidents/ external is saved clearly state restrictions and a series of procedures up accidents information to the start of use services) shall [Examples of listed items] be clarified and Contract signatures, contractors, contract date, their usage contract end date and managing department are listed status managed A list of external as management items appropriately [Rule(s)] information systems 36 A list of external information that are used is [Example of creation methods] systems shall be created created Creating a ledger on a spreadsheet and storing it as data Storing a list of systems used on a usage application system for external systems
23
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.) [Rule(s)] In addition to regularly taking [Examples of methods of taking inventory] inventory, new external In-house rules require reporting whenever usage is information systems shall be started The list of external added to the list and those for The usage statuses of external systems included in the information systems which usage has stopped list are confirmed by the administrator once per year 37 is reviewed removed from the list Internet communication logs are checked to confirm regularly or as whether external information systems for which necessary [Frequency] applications were not submitted are being used Once or more per year and Taking of inventory based on information registered whenever use of new system to the usage application system for external systems starts or use of a system stops
24
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.) [Examples of connection rules for equipment/devices such as computers and servers] An application/approval system shall be used for connections to internal networks Connection rules for Measures to prevent virus infections shall be equipment/devices such as implemented on computers and servers that connect to computers and servers: internal networks
Approval shall be obtained when any changes are [Rule(s)] made to the contents of the application Rules regarding connections to Only company IT equipment/devices or IT internal networks shall be equipment/devices to which the specified security defined measures have been applied can connect to internal
networks [Applies to] When Connection by private devices is not permitted All equipment/devices that connecting to Connected equipment is managed using a ledger connect directly to in-house internal Only company-provided communication methods are networks Minimize damage, such networks, used (personal Wi-Fi routers or tethering not Rules for Including standard company as that caused by measures shall permitted) connecting IT equipment/devices and In-house information leakage and be implemented Although, in principle, visitors will not be able to equipment/devices equipment/devices brought in connection virus infections, by to minimize 38 connect to internal networks using their devices, when used for business to from the outside rules appropriately managing unauthorized it is necessary for them to connect to internal internal networks the usage of internal usage of networks for the purpose of performance maintenance are defined networks information operations, etc., they will be allowed to do so Additional rules for connecting systems and IT providing all security requirements are implemented from external to internal equipment/ networks: devices [Example of rule for using wireless LAN]
User authenticated (WPA-Enterprise) usage of [Rule(s)] wireless LAN is possible, but use with a passcode Rules for using remote access (WPA-Personal) is prohibited shall be defined
[Examples of additional rules for connecting from [Applies to] external to internal networks] All equipment/devices that Remote access mechanisms and users are managed connect to internal networks An application system is used for remote connections from outside the company via from outside the company and is only possible used public internet or leased lines permitted IDs Personal devices cannot be used to access internal networks from outside the company Remote access is possible only by using a VPN 25
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.)
[Examples of persons with access] Employees who have received approval from the administrator in advance Persons with access [Rule(s)] Officers and employees responsible for in-house to areas where Persons with access to areas system operation/maintenance, maintenance vendors 39 equipment such as where equipment such as servers In such cases, a ledger must be used to record servers are installed are installed shall be defined entry/exit times of persons who enter such areas, are defined approval is be obtained from company officers on each such occasion, and a company employee with Prevent information Physical security access must be present leakage, unauthorized measures shall modifications, and be implemented Physical system stoppages due to for areas where security [Rule(s)] unauthorized operation of equipment such Areas where equipment such as [Examples of locking] critical equipment such as servers are servers are installed shall be Locks or other A physical lock is used for locking that must be as servers installed locked devices are used to opened by the administrator each time access is If servers are installed in an area restrict access to necessary 40 where locking is not possible, areas where Security cards are used for locking, with the servers shall instead be installed equipment such as management of rights performed by the administrator on a dedicated rack that is then servers are installed A passcode is used for locking that must be entered by locked the administrator each time access is necessary An administrator responsible for locking shall be designated
26
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.)
[Examples of rules to prevent the sharing of user IDs] [Rule(s)] In principle, the sharing of user IDs is prohibited. If User IDs shall not be shared the sharing of IDs is unavoidable, usage records are to If the sharing of user IDs is be kept. unavoidable, it shall be possible
Unique user IDs are to identify the user of the shared ・ Prevent information [Examples of rules for the sharing of IDs] 41 assigned to each ID leakage/unauthorized If the sharing of IDs is unavoidable, users are to be person modification and managed and clarified using a ledger [Applies to] ensure stable A monitoring camera is to be installed to enable users User IDs for logging onto information system of shared IDs to be identified systems and computers used for operation by Authentication Simultaneous usage of IDs is prohibited to enable business operations preventing and approval users of shared IDs to be identified unauthorized usage or measures shall Authentication unauthorized be used for /Approval operation/modification information of information systems systems and IT equipment/ [Practical examples] ・ Enable the causes of devices IDs with system administrative rights are only used information leakage, for administrative purposes and are issued separately unauthorized from individual user IDs modification, or [Rule(s)] OS administrators and database administrators are system stoppages to be System managers and officers only granted the rights necessary investigated Different rights are shall be defined An application/permission system is used for the use granted to user IDs Employees with administrative of IDs with system administrative rights, the usage of 42 and system rights shall be limited which is normally locked administrator IDs The minimal rights necessary for Server administrators and officers are defined and a roles to be performed shall be work flow application process is used in which server granted administration work is performed by first obtaining approval from an officer Administrative rights are only granted to a limited number of employees using the work flow application process
27
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.) [Examples of password setting rules] Passwords contain 6- to 8-digits and combine three or [Rule(s)] more types of uppercase/lowercase letters and Password rules shall define numbers number of digits, letter Passwords contain 8 or more digits and combine two combinations, and expiration or more types of uppercase/lowercase letters, symbols dates and numbers Rules for the setting Easily guessed passwords, such Passwords contain 10 or more digits and the use of 43 of passwords are as repeated numbers or letters, complex character strings is required defined shall be avoided
[Examples of settings for password expiration dates] [Applies to] Settings require users to change passwords every 90 Passwords for logging onto days, with the user IDs of users who fail to change systems and computers used for their password for 90 or more days being locked or business operations their logging on being prevented until a change is made [Practical examples of taking inventory] [Rule(s)] An inventory of IDs for each system is taken once or Rules for implementing more per year, with unnecessary IDs being deleted inventory taking that clearly A company-wide taking of inventory is performed An inventory of specify when such inventory regularly once per year, with unnecessary IDs being user IDs and system taking is to take place shall be deleted IDs is taken defined and unnecessary IDs An application/approval system is used for ID 44 regularly or as deleted issuance, changes and deletion, with an inventory necessary, during being taken once every 6 months which unnecessary [Applies to] Officers take inventory of outsourced operations once IDs are deleted User IDs and system every 3 months administrator IDs for logging When accounts become unnecessary, applications to onto systems and computers delete main accounts are drafted and processed used for business operations IDs are deleted the day following an employee’s resignation or expiration of their contract date
28
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.) [Examples of application standards] Emergency security patches and updates from Microsoft are applied Windows Updates are applied every month [Rule(s)] Emergency or critical security patches and updates The application of security Security patches from IPA and the JPCERT Coordination Center are patches and updates shall be and updates are applied Measures shall implemented using established Applying Reduce the risk of properly applied for be taken for standards and deadlines patches and unauthorized access and 45 information [Examples of application deadlines] published updates virus infection systems, IT Security patches and updates are applied within one vulnerabilities [Applies to] equipment/devices, month of being published Computers, smartphones, tablets, and software Emergency security patches and updates are applied servers, network equipment, within two weeks and critical security patches and software, etc. updates are applied within one month Security patches that could not be applied by the deadline are recorded using an application management table [Practical examples] Anti-virus software must be installed on computers and servers connected to networks [Rule(s)] Anti-virus software shall be used [Practical examples of scanning] on each computer and server Regular scans are scheduled once per week for Anti-virus Software (anti-virus Prevent information Scans shall be performed by computers and once per month for servers measures shall software) is used on leakage, unauthorized specifying scan scops and Real-time scanning is enabled Anti-virus be implemented computers and modifications, and 46 frequencies appropriate for the Scan scope is limited to folders identified as having a software to quickly detect servers to detect system stoppages due to equipment/device high risk of infection security viruses and provide virus infections abnormalities notifications [Applies to] [Examples of actions to be taken if the use of anti- All computers and servers virus software is not possible] connected to networks A USB virus scan tool is used to perform scans once per week Communications with computers and servers are limited using a firewall
29
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.)
[Practical examples] Anti-virus software pattern files are updated once or more per day Users are taught to update pattern files when [Applies to] restarting work after long holidays Same as No. 46
Anti-virus software [Examples of actions to be taken if pattern files 47 pattern files are [Pattern file update frequency] cannot be updated] updated regularly Once or more on days Network connections are established once per week computers/servers are booted for the purpose of updating pattern files and used A USB virus scan tool is used to perform scans once per week Communications with computers and servers is protected using a firewall
[Examples of data, etc., subject to backup] Measures shall Documents saved on file servers and settings be taken to Mail on mail servers and settings Minimize the impact of minimize the system stoppages and damage to [Rule(s)] [Examples of backup frequencies] Backups are Backup/ data loss on business important Data, etc., subject to back up and Data backup is performed daily, and settings (system 48 performed at Restore operations, and enable information and backup frequencies shall be image backup) are backed up when configurations are appropriate times operations to resume impact to system defined changed quickly operations Data on servers and server settings are subject to caused by backup at a frequency of once per day and retained for cyberattacks three or more generations or for a period as stipulated by law
30
Examples at Other Companies Condition(s) for Label Purpose Requirement No. Achievement Criteria (Listed below are reference cases. Full compliance with these Achievement is not a requirement.) [Examples information contained in restore procedure manuals] Definitions of target systems of high importance Target recovery times [Rule(s)] Restore procedures to achieve target recovery times Restore procedure manuals shall Restore tests are regularly performed based on restore Restore procedures 49 be established for each type of procedures are established data, etc., subject to backup as defined in No. 48 [Examples of methods used to store restore procedure manuals] Restore procedure manuals are stored in print form in a location where they can be quickly accessed in the event of failure [Examples of alternative means] Emergency telephone contacts are established for use if communication means such as e-mail are Alternative means interrupted that can be used to Procedures to share information with our business [Rule(s)] perform business partners by e-mail, fax, etc., and continue supply are Viable alternative means shall be 50 operations in the established for use if production arrangement system established for use in the event event of a system stoppages occur systems are down stoppage are Procedures and systems for performing manual prepared production are established for factories in which safety stock cannot be used to sufficiently supplement deliveries in the event of manufacturing instruction/execution system stoppages
31
6. Glossary
No. Term Description 1 BYOD Refers to employees using personal portable devices to perform work. (BYOD: Bring Your Own Device)
2 CASE An acronym that expresses trends in the automobile industry. Connected: Connecting cars and data to analyze information and provide services Autonomous: Automation that automatically gets drivers and vehicles to their destinations Shared: As in “Ride-sharing” Electric: Electrification aimed at popularizing electric vehicles that are 100% powered by electricity
3 CS/SU regulations Regulations regarding Cybersecurity (CS) and Software Updates (SU) being considered for adoption in UN WP29. A revised proposal was released in September 2019 and work is underway for its adoption. 4 IPA IPA (Information-technology Promotion Agency) is an independent administrative agency in Japan promotes that conducts research/provides information on computer viruses and security.
5 JVN An organization that provides information and measures for vulnerabilities found in software, etc., used in Japan. Acronym for “Japan Vulnerability Notes”
6 MAC address A unique identifier for the network adapters of network equipment, computers, and servers applied at the manufacturing stage.
7 OEM Automobile manufacturers Acronym for “Original Equipment Manufacturer”
8 OS Acronym for “Operating System”. Refers to the basic software on which computers run. Examples include Microsoft Windows, Apple macOS, and Linux. 9 UN WP29 The 29th working party of the World Forum for Harmonization of Vehicle Regulations. As the world’s only organization dedicated to the harmonization of vehicle regulations, it conducts activities such as the study of regulation proposals. 10 Windows Update A function that delivers programs to repair Windows vulnerabilities. 11 Access rights System usage authority settings for system users and user groups. Access rights are used to control access and allow or deny usage based on settings.
35
No. Term Description 12 Encryption scheme Encryption is a method of converting information into a form that cannot be understood by third parties. Various encryption schemes for performing such encryption exist, such as WPA, WPA2, and WPA3 in the case of wireless LAN, and encryption schemes that are secure must be selected. 13 Virus A generic name used for malicious programs designed to harm security. In addition to viruses, spyware and bots also exist.
14 External information An information service that does not own information equipment service within the organization. Such services may be provided online or via other related organizations. 15 Availability Property of information being accessible to required users when necessary. 16 Integrity Property of information being complete and accurate. 17 Confidentiality Classifications of confidentiality. Examples include “Top secret” and classification “Company secret”. 18 Confidential Information owned by a company that is not scheduled for external information disclosure. Disclosure of such information could result in a loss to the company. 19 Confidentiality Refers to information that is not to be used or disclosed without permission.
20 Cloud service An information service that does not own information equipment within the organization. Services are mainly provided online. (includes some external information services) 21 Cyber/Physical A framework established by Japan’s Ministry of Economy, Trade and Security Framework Industry (METI) in April 2019 that summarizes the overall picture of security measures required for industry.
22 Cybersecurity risk The risk of cyberattacks causing problems such as leakage or unauthorized modification of electronic data or the risk of IT systems and control systems not fulfilling their intended functions, etc. 23 Supply chain In general, a series of processes starting with the procurement of raw materials /parts for products and including manufacturing, inventory control, delivery, sales, and consumption.
24 IT equipment/device Equipment and devices used for processing and transmitting information. Includes computers, servers, smartphones and their peripheral devices.
36
No. Term Description 25 Information asset Important information owned by a company that is to be protected and the equipment/devices used to handle such important information. Examples: Information assets (information): Confidential information, personal information, etc. Information assets (equipment/devices): Servers, computers, network equipment, OS, software, etc. 26 Information security Refers to when vulnerabilities inherent in information assets have incident/accident been exploited and manifested by various threats facing information assets.
27 Initial response The first actions or operations performed when an information security incident/accident occurs.
28 Control system An information system used for controlling industrial processes such as manufacturing, product sales, production and sales. Control systems include supervisory control and data acquisition systems (SCADA) used to manage geographically dispersed assets, distributed control systems (DCS), and systems that perform control using local programmable logic controllers (PLC) that are smaller in scale that both SCADA and DCS systems.
29 Vulnerability Information security flaws that occur due to program defects or design errors.
30 Security patch Programs that resolve defects caused by problems and vulnerabilities found in software.
31 Security policy The intention and orient for organizational security as officially expressed by top management and the regulations established by the organization for implementing security measures based on that intention and orient. 32 Software Programs used to operate information systems. These often refer to applications used for performing certain tasks.
33 Authentication The use of methods to ensure that the identity of an entity is as claimed. 34 Wireless LAN Networks established using wireless technology instead of physical cables. Also referred to as “Wi-Fi”.
35 Restore The act of returning data to its normal operating state using backup data when a failure occurs.
37
Afterword
In recent years, the number of cyberattacks targeting not only corporate IT environments but also supply chains is increasing, and the cybersecurity risks facing the automobile industry are becoming more serious. In order for the automobile industry to realize a mobile society that is safe, secure, and prosperous while achieving sustainable development in such an environment, it is essential for the entire industry to gain an accurate understanding of the cybersecurity risks it faces and take appropriate and continuous measures against those ever-increasing risks. For this reason, the Japan Automobile Manufacturers Association (JAMA) and Japan Auto Parts Industries Association (JAPIA) have jointly formulated these security guidelines—which take the unique cybersecurity risks faced by automobile manufacturers and companies that make up supply chains in the automobile industry into consideration—to clarify a framework for cybersecurity measures and industry-wide self-assessment criteria aimed at enhancing cybersecurity measures throughout the entire automobile industry while promoting efficient inspections of cybersecurity levels.
These guidelines are expected to assist in enhancing cybersecurity measures throughout the entire automobile industry.
38
Contributing Committee Members (shown in alphabetical order of company name)
Japan Automobile Manufacturers Association General Policy Committee / ICT Subcommittee / Cyber Security Subcommittee / CS Guidelines Study Taskforce Role Company name Name Leader Toyota Motor Corporation Toshiya Ban Sub-Leader Honda Motor Co., Ltd. Atsushi Kubo Committee Member Daihatsu Motor Co., Ltd. Nobuyuki Sakata Committee Member Honda Motor Co., Ltd. Akitoshi Honda Committee Member Mazda Motor Corporation Kazuhiro Kikuchi Committee Member Mitsubishi Motors Corporation Kenji Taki Committee Member Nissan Motor Co., Ltd. Shuntaro Torii Committee Member Subaru Corporation Hidemasa Ito Committee Member Suzuki Motor Corporation Hideaki Suzuki Committee Member Toyota Systems Corporation Mitsuru Yoshiike Committee Member Toyota Systems Corporation Noboru Taniguchi
Japan Auto Parts Industries Association IT Committee / Cyber Security Subcommittee Role Company name Name Subcommittee Chair DENSO Corporation Shunjiro Goto Deputy Subcommittee Chair Hitachi Automotive Systems, Ltd. Takayuki Nakao Deputy Subcommittee Chair Marelli Corporation Kenichi Suzuki Committee Member Aisan Industry Co., Ltd. Kenji Niina Committee Member Aisin Seiki Co., Ltd. Hiroyuki Onishi Committee Member ALPS ALPINE Co., Ltd. Hiroyuki Ando Committee Member DENSO Corporation Koji Hara Committee Member JTEKT Corporation Takashi Hikosaka Committee Member Koito Manufacturing Co., Ltd. Yasushi Noyori Committee Member KYB Corporation Hidetomo Sugo Committee Member Mitsuba Corporation Yusuke Irie Committee Member NGK Spark Plug Co.,Ltd. Hiroaki Kato Committee Member NHK Spring Co.,Ltd. Koji Suzuki Committee Member NOK Corporation Tsubasa Motozawa Committee Member NOK Corporation Toshiyuki Nagasawa Committee Member Showa Corporation Seiki Toshima
39
Role Company name Name Committee Member Stanley Electric Co., Ltd. Tomoaki Tanaka Committee Member Tokairika Co., Ltd. Naoki Masuda Committee Member Toyoda Gosei Co., Ltd. Yukiyoshi Matsui Committee Member Toyota Boshoku Corporation Mitsuhiro Osako Committee Member Transtron Inc. Yuji Sho Committee Member Yazaki Corporation Katsunori Uematsu
Contact address: Technology Management Department, Japan Automobile Manufacturers Association, Inc. (JAMA)
Jidosha Kaikan, 1-30, Shiba Daimon 1-chome, Minato-ku, Tokyo 105-0012 Japan TEL:03-5405-6125 FAX:03-5405-6136
Copyright: Japan Automobile Manufacturers Association, Inc.
40