Published: Apr 9, 2012
>> JAPANESE

Overview

In the past, control systems were believed relatively safe because they were not connected to external networks. However, the use of general-purpose products and standard protocols and the networked environment have spread in control systems and vulnerabilities in control systems have also been pointed out, cyber-attacks against control systems are beginning to become a reality.

URL:http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-01.pdf

If an attacker exploits those vulnerabilities in attacks, there is a possibility that he or she could maliciously operate the control systems. Association with the disclosed exploit codes is unclear, but there were some reports about system failure or abnormal behavior in control systems with disclosed vulnerabilities in other countries.

To prevent attacks exploiting known vulnerabilities, businesses that use control systems should check out the following items and pay close attention to the security information released by the control system vendors, and consider and take appropriate measures.

Security Measures for Control Systems

1. See if you use the control system products with the disclosed vulnerabilities that could be exploited by the exploit codes

2. Analyzed the access routes from external networks (Especially if you do use the control system products checked out in 1)

3. Consider and take countermeasures (In case any items in 2 apply)

System Architecture of Control System and Possibility of Connection to External Networks

Since control systems can be connected to the outside world via a USB memory stick or networks, the necessity of considering the security measures that assume that the control systems may be attacked remotely is increasing.

(Appendix)
Effort on Control System Security, Documents and Tools

Based on the understanding that the importance of vulnerability countermeasures and security measures for control systems and embedded systems is increasing, IPA has been working on research and development of guidelines since 2008. Under such circumstances, Stuxnet, a malware said to have found a way into an Iranian nuclear power plant and caused malfunction, was discovered in 2010, and threats to control systems became a reality, making response to the situation imperative. Below, IPA’s effort toward control system security, documents and tools are introduced.

(1)Reports on Trend in Control System Information Security

Based on today’s circumstance where openness of control systems (the used of general-purpose protocols and standard protocols) has brought on cyber-attacks against control systems, IPA conducts yearly research and issues reports on the current situation of control system security. (References)

(2) SCADA Security Good Practices for the Drinking Water Sector

To promote enhancement of SCADA security in the drinking water sector, IPA translated a research report developed by the government of Netherlands and TNO Defense, Security and Safety. The report includes a checklist of thirty-nine measures (good practices) that could measure the current status of your organization’s security level. The checklist has been developed based on the successful security measures taken in the drinking water sector, but is applicable for other critical infrastructures, such as gas and electric industry.

Report on Promotion Measures for Control System Security
URL: URL: http://www.ipa.go.jp/security/fy22/reports/ics_sec/index.html (Japanese)
URL: http://www.tno.nl/downloads/TNO-DV%202008%20C096_web.pdf (English)

(3) JVN iPedia - Vulnerability Countermeasure Information Database

JVN iPedia, a vulnerability countermeasure information database, was launched on April 25, 2007, to enable IT users to easily obtain vulnerability-related information by collecting vulnerability countermeasure information on software and products used in Japan. It also covers the vulnerability information about control systems released on NVD . You can obtain the information by typing “ICSA” and such as a search keyword in JVN iPedia.

Countermeasure information is collected from the following sources and translated as needed.

(4) Task Force for Control System Security

As a response to the intermediate report from the Study Group for Cybersecurity and Economics , Ministry of Economy, Trade and Industry established the Task Force for Control System Security on October 28, 2011 . Under the task force, the Steering Committee, Standardization WG, Evaluation and Accreditation WG, Incident Handling WG, Testbed WG, Human Resource Development WG, and Dissemination and Awareness Raising WG are at work. IPA supervises the Standardization WG and Evaluation and Accreditation WG. With the Standardization WG, IPA promotes research and utilization of international and industry standards and makes recommendation. With the Evaluation and Accreditation WG, IPA promotes adoption of the evaluation and accreditation schemes preceded in Europe and the U.S. to Japanese industries, and establishment of a scheme for international recognition.

(5) Provision of Information and Security Self-Assessment Tool to Those involved with Control Systems

JPCERT/CC (JPCERT Coordination Center) has been providing a security self-assessment tool for those involved with control systems since February 2011. It allows picking up security issues concerning development and operation of a control system and supports to consider security measures against those issues. The tool is under rework to be updated to the next version. Other works involve in sharing the information collected by JPCERT/CC through a community for those involved with control systems or promoting control system security.

Contact