Published: Apr 9, 2012
In the wake of disclosure of several control system vulnerabilities, Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) has decided to issue a security alert to warn control system operators.
In the past, control systems were believed relatively safe because they were not connected to external networks. However, the use of general-purpose products and standard protocols and the networked environment have spread in control systems and vulnerabilities in control systems have also been pointed out, cyber-attacks against control systems are beginning to become a reality.
If an attacker exploits those vulnerabilities in attacks, there is a possibility that he or she could maliciously operate the control systems. Association with the disclosed exploit codes is unclear, but there were some reports about system failure or abnormal behavior in control systems with disclosed vulnerabilities in other countries.
To prevent attacks exploiting known vulnerabilities, businesses that use control systems should check out the following items and pay close attention to the security information released by the control system vendors, and consider and take appropriate measures.
According to the security alert from the U.S. ICS-CERT , exploit codes that could be used to attack six products of five Japanese, European or the U.S. vendors have been disclosed. See if you are in used of those products.
If it is difficult to apply security patch, check out the network environment to see if there is any attack route used to attack control systems from the outside.
If your business operation requires any situations listed in 2, consult with the vendor and take countermeasures like the following.
Since control systems can be connected to the outside world via a USB memory stick or networks, the necessity of considering the security measures that assume that the control systems may be attacked remotely is increasing.
Based on the understanding that the importance of vulnerability countermeasures and security measures for control systems and embedded systems is increasing, IPA has been working on research and development of guidelines since 2008. Under such circumstances, Stuxnet, a malware said to have found a way into an Iranian nuclear power plant and caused malfunction, was discovered in 2010, and threats to control systems became a reality, making response to the situation imperative. Below, IPA痴 effort toward control system security, documents and tools are introduced.
Based on today痴 circumstance where openness of control systems (the used of general-purpose protocols and standard protocols) has brought on cyber-attacks against control systems, IPA conducts yearly research and issues reports on the current situation of control system security. (References)
Report on Control System Information Security 2010
URL: http://www.ipa.go.jp/security/fy22/reports/ics_sec/index.html (Japanese)
Report on Promotion Measures for Control System Security
URL: http://www.ipa.go.jp/security/fy21/reports/ics_sec/index.html (Japanese)
To promote enhancement of SCADA security in the drinking water sector, IPA translated a research report developed by the government of Netherlands and TNO Defense, Security and Safety. The report includes a checklist of thirty-nine measures (good practices) that could measure the current status of your organization痴 security level. The checklist has been developed based on the successful security measures taken in the drinking water sector, but is applicable for other critical infrastructures, such as gas and electric industry.
Report on Promotion Measures for Control System Security
URL: URL: http://www.ipa.go.jp/security/fy22/reports/ics_sec/index.html (Japanese)
URL: http://www.tno.nl/downloads/TNO-DV%202008%20C096_web.pdf (English)
JVN iPedia, a vulnerability countermeasure information database, was launched on April 25, 2007, to enable IT users to easily obtain vulnerability-related information by collecting vulnerability countermeasure information on software and products used in Japan. It also covers the vulnerability information about control systems released on NVD . You can obtain the information by typing 的CSA� and such as a search keyword in JVN iPedia.
Countermeasure information is collected from the following sources and translated as needed.
As a response to the intermediate report from the Study Group for Cybersecurity and Economics , Ministry of Economy, Trade and Industry established the Task Force for Control System Security on October 28, 2011 . Under the task force, the Steering Committee, Standardization WG, Evaluation and Accreditation WG, Incident Handling WG, Testbed WG, Human Resource Development WG, and Dissemination and Awareness Raising WG are at work. IPA supervises the Standardization WG and Evaluation and Accreditation WG. With the Standardization WG, IPA promotes research and utilization of international and industry standards and makes recommendation. With the Evaluation and Accreditation WG, IPA promotes adoption of the evaluation and accreditation schemes preceded in Europe and the U.S. to Japanese industries, and establishment of a scheme for international recognition.
JPCERT/CC (JPCERT Coordination Center) has been providing a security self-assessment tool for those involved with control systems since February 2011. It allows picking up security issues concerning development and operation of a control system and supports to consider security measures against those issues. The tool is under rework to be updated to the next version. Other works involve in sharing the information collected by JPCERT/CC through a community for those involved with control systems or promoting control system security.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)