Safety and security in corporate activities is a theme both old and new. For companies, security & resilience is at the top of the agenda. Cyberattacks have become more sophisticated and intricate, making perfect security impossible. Companies must therefore become resilient, which means they need strategies to detect attacks quickly, keep damage localized, and restore operations safely. Under the theme of security resilience, we interviewed a representative from Tohoku Electric Power and four consultants from Fujitsu Research Institute (FRI). (Date of interview: February 14, 2018)
*This article was published in Chisounomori 2018, vol. 3 (May 25, 2018 edition). Chisounomori is an information magazine published by Fujitsu Research Institute (FRI).
Speakers (from the left). *Affiliations and titles are as of the interview date.
Ryosuke Miura: Chief Senior Consultant, Business Resilience Group, Fujitsu Research Institute
Shinichiro Yamashita: Manager, Cyber Security Business Strategy Unit, Fujitsu Limited
Yoichi Otomo: Manager in charge of Information Security, Information Systems and Communications Department, Internal Services Division, Tohoku Electric Power Co., Inc.
Takeru Fujimoto: Principal Consultant, Business Resilience Group, Fujitsu Research Institute
Kazuhiro Hosoi: Executive Consultant, Fujitsu Research Institute (moderator)
Meeting Halfway, IT Systems and OT Systems Protect Business Together
― Business operations and IT Systems are more tightly integrated than ever before. We use the term "security & resilience" to refer to cybersecurity to support business continuity. From the point of view of cyber strategy, do you think that information departments are now assigned a wider range of missions?
Otomo: My current missions include security policy and plan development, security education and awareness-raising activities, inspections and monitoring, and maintaining the security of the power control system. The power control system's security is ensured only if the IT and OT (Operational Technology) systems work together. Thus, our IT department approached the OT department and increased the volume of information we share with each other. More monitoring resulted in more frequent detection of security incidents, and we needed to simultaneously handle incidents and strengthen monitoring. This led us to launch the Security Incident Response Team (SIRT)* and the Security Operation Center (SOC)**. Since we need management to understand the effectiveness of security measures and risk management, we promote our activities through “the Information Communication Strategy Committee”.
Figure 1: Strengthening capabilities to handle security incidents at Tohoku Electric Power
― What made you think security needed attention?
Otomo: The main missions of the security team had been to protect personal information and to implement the security PDCA cycle. When I took over responsibility for security, however, there had not been sufficient consideration of security measures, counter-cyberattack preparation, or real-time management methods for the OT system. The role of the security team covers not only recognizing the necessity of these strategies but also explaining to management, during the planning stage, how many employees will work on each task and what kind of effects can be expected. Thinking that strengthening the security structure would increase the IT department's value and contribution to management, I wanted more attention put on security and to lay the groundwork for continuously implementing the security strategy.
― Considering the scope of the information systems department, I would imagine it was difficult for you to get involved in control systems such as the OT system. How did you get involved?
Otomo: Although creation of security measures for the OT system required basic IT knowledge, IT personnel did not know how the OT system worked or how it was used to carry out business. If a line was drawn between the departments, there would be an area left untouched, which would grow into a major risk. Therefore, the IT department proactively approached the OT department and created a structure for collaboration. This gave our activities momentum.
Yamashita: Fujitsu launched the Fujitsu Cloud Computer Emergency Response Team (Fujitsu Cloud CERT) in 2010 to centrally manage the cloud services we offer our clients. Initially, the team provided (1) information security measures such as vulnerability diagnoses and monitoring, (2) emergency responses including analysis and incident handling, and (3) information security management. Now, as an emergency incident response team, Fujitsu Cloud CERT offers a full range of services and handles numerous events calmly and resolutely. Since the security monitoring service's global rollout, the team has begun offering digital forensics, malware analysis, and vulnerability diagnosis services. The vulnerability diagnosis service is named the Red Service and involves infiltrating client systems.
Furthermore, as an emergency security incident response team, the team globally offers Cyber Threat Intelligence (CTI), which encompasses a full range of services including collection and analysis of cyber threat information. The team's current challenge is human resource development. Meanwhile, in 2013, Fujitsu launched the Security Meister Certification Program. This program certifies engineers who have security skills. It is a modified version of the human resource development framework called the National Initiative for Cybersecurity Education (NICE) created by the National Institute of Information and Communications Technology (NICT). The program divides engineers into three levels—Field, Expert, and High Master—and defines different types of education and certification criteria per level. Within our corporate group, 10,000 engineers have undertaken the program (Figure 2).
Figure 2: Human resource types in the Security Meister Certification Program
Fujimoto: FRI has been working on business continuity by improving resilience, namely the ability to quickly restore business activities based on the assumption that risk events will occur. Against this backdrop, we have spent three years studying how to prepare for cyber risks given that risk events will occur. Defense against sophisticated cyberattacks is of course important, but our focus is security resilience, which means strengthening the capabilities of the SOC and CSIRT to detect and address cyberattacks assuming that they will occur. Recently, we put our efforts into risk assessment. Protection and preparation for emergencies are necessary, but for companies, doing so perfectly with limited resources is unrealistic. It is thus important to assess the risks first, to identify which cyber risks actually require prevention or preparation, and to assign priorities to them (Figure 3).
Figure 3: Security & resilience process
Miura: I would like to introduce two projects led by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC). One is the cross-sectoral exercises. Fujitsu has supported the organizer's office since 2015, and 2,600 individuals from critical infrastructures (13 sectors) took part in this cybersecurity exercise. The other is the Investigation and Examination of Creating the Cybersecurity Incident Response Coordination Center***. Both projects focus on information sharing. There is a limit to how well individual companies can respond to incidents. The issue here is how companies should share information with other companies and security organizations as well as how companies should handle incidents. Active sharing of information on damage situations and handling of vulnerabilities will raise the level of companies' security measures.
Issues in Sharing Cyber Information among Organizations: Actual Attacks, Human Error, and Vulnerability Information
― I understand that security issues must be addressed by the government, industry, and groups of companies because they are too much for individual companies to handle. What issues do our customers need to consider when launching their own SOC or CSIRT?
Shinichiro Yamashita: Service Delivery Department, GMSS Development Division, Cyber Security Business Strategy Unit, Fujitsu Limited
Yamashita: The key is to clearly identify which functions are needed and which core skills they should retain. Being unable to do this is often an issue. The point is to select and grow core skills while outsourcing others.
Fujimoto: It is unrealistic to outfit the CSIRT with a full range of functions from the beginning. The unit should start small. In the case of Tohoku Electric Power, the company will undergo dramatic changes before the company splits up in 2020. From a mid-term perspective, we discussed which type of operation capabilities should be given to the CSIRT, the timing for doing so, which functions should be outsourced, and which ones to retain.
Yamashita: In global business, decisions must be made such as "We will outsource these tasks but we will always take charge of risk control given the business impact" because in some cases, companies use a 'follow the sun' model in which they divide the world into three areas, passing monitoring tasks to the next area every eight hours in line with their business hours.
― We've talked about information sharing. There have been discussions about what kind of information is needed, when a natural disaster occurs, to provide the necessary resources to those in need in a timely manner without waiting for them to request them. These discussions have been held because it has been pointed out that the affected parties concentrate on helping themselves, cannot predict what they will need, and feel hesitant to ask for help. For this reason, in our drills, our customers experience a disaster and emergency site. Through this experience, we train their ability to imagine what kind of resources the affected parties will need.
Miura: The Cybersecurity Incident Response Coordination Center agrees that provision of information sharing tools alone does not lead to active information sharing. Incident information is confidential. Companies cannot casually announce the fact that they are under attack or their damage situations. For companies to share information with third parties, there must be a system in place to control the scope of disclosure. For example, companies may choose to disclose information only to selected relevant government agencies. The center also considers it important to prepare laws to promote information sharing.
Yamashita: Companies will stop using information sharing systems if such systems fail to collect valuable information. How to encourage companies to enter valuable information quickly is the key. Information from a week ago is of no use. For the system to work, users' motivation to input valuable information, confidentiality guarantees, and disclosure level settings that match the characteristics of each participating organization are likely necessary.
Security Design Must Provide for Daily Operation
― Recently, what issues have you noticed or themes are you focusing on?
Otomo: I occasionally come to learn that a system that a department or business unit introduced independently, rather than a system readily categorized as an IT system or an OT system, is in fact linked to another important system, making it highly valuable because it connects to major clients or controls. It is therefore necessary to implement rules on procedures, such as extracting data from a client's system and processing it for business purposes using a department-purchased PC. Data in our control system is protected by the Programmable Logic Controller (PLC) protocol, but there is also an efficiency improvement mechanism that converts data from the system for easy processing. Failure to manage such procedures raises risks because information on the previous administrator or issues in the previous generation will not be passed on to the next generation.
Fujimoto: Digitization of business and workstyle innovation should be promoted aggressively. However, at the same time it is important to understand the threat of cyberattacks. In areas that need higher security resilience, it must be improved alongside digitization of business and workstyle innovation. For customers of other key infrastructure providers as well, Fujitsu offers visualization and risk analysis services for company-wide management of control systems in addition to systems not recognized by the IT department.
Miura: Many IT departments manage the assets that they introduce but cannot manage all of the company's assets. Security is questionable if some of the assets introduced by a business department are not managed properly. Also, in traditional asset management, inventory is checked only once a year. This pace does not match the speed of business. The issue is how to maintain the same security level between regular assets and those used only for a short time.
Otomo: Recent cloud service proposals are often advertised as being "ready to use." This may sound like a good business promotion, but if such services continue to be used in regular business operations after the trial period, we must understand what kind of risks are involved, know the type of information handled, and decide who will manage it. This requires information sharing, and I think that is an important role of the IT department.
HR Training Must Focus on Producing Autonomous Employees
― Security will require constant efforts going forward as well. From your point of view, what aspects of security need to be strengthened?
Yamashita: As we approach 2020, security investment will increase. Attackers are motivated and have reasons for their actions, and attacker profiling is important. At Fujitsu, we have a research facility that specializes in cyber intelligence, the FUJITSU Advanced Artifact Analysis Laboratory. This laboratory collects information such as attack methods and campaign types while making efforts to raise employees' skills. It also runs the Security Meister program, under which ideal images of security engineers are prepared based on workplace needs, the target number of engineers to train for each field is set, and training is provided.
― For engineers to be able to think about actual implementation, besides skills they need the mindset that security issues are not a distant concern. We are attempting to raise awareness through drills.
Yamashita: Among the three levels, the Field level that engages with customers has the largest number of security engineers, such as SEs who develop systems and SEs who manage systems with customers. Through training, we are developing their incident handling abilities from the perspective of skills and mindset. Meanwhile, we are training them to notice problems because when they feel there is an abnormality that does not resemble a bug, it is important for them to quickly decide whether it is a cyberattack and promptly escalate the case.
Fujimoto: As a consultant, my activities have two themes. The first, as I mentioned at the start, is optimization of security resilience based on risk assessment. More specifically, this consists of business impact analysis and ICT infrastructure risk analysis (Figure 4). The second is strengthening incident handling abilities. How risk management structures, including but not limited to the CSIRT, SOC, or Cybersecurity Incident Response Coordination Center, work together is important. Therefore, I strive not only to strengthen the CSIRT but also to share roles with the Risk Management Unit, enhance collaboration flows, and implement collaboration drills.
Figure 4: Risk-based approaches to security resilience optimization
Otomo: The legally required split-up of electric power companies in 2020 will have a significant impact. When the company is divided, both the holding company and the transmission/distribution company must have IT and security capabilities. Since there will be no dramatic increase in the number of employees, tasks must be carried out by those already there now. We will use the network we have, and if the resources are insufficient, we will tap the skills of our partners and manufacturers. What we must focus on now is creating the basic framework such as the rules and structures as well as actively sharing information. I think our priority is to strike a good balance between autonomous activities and organic collaboration while making the most of technologies such as the IoT and AI.
[Moderator] Kazuhiro Hosoi: Corporate Vice President, Fujitsu Research Institute
― The key point is employees who act autonomously.
Otomo: The supervising division plans to educate and train human resources to act independently. The ICT department wants to develop human resources with the message that they must make a plan, adjust the plan, and finish implementing the plan. Our project's pace has increased since FRI joined because on our own we were unable to prepare new plans and had insufficient knowledge.
― Thank you for your time today.
*: Security Incident Response Team (SIRT): A generic term for a unit that monitors computers and networks to check for problems (primarily security problems) and, if a problem occurs, analyzes causes and investigates the scope of impact.
**: Security Operation Center (SOC): A role or specialized unit within an organization (e.g., a company) that monitors and analyzes threats to information systems.
***: Cybersecurity Incident Response Coordination Center: The core unit that collects and provides information on, and coordinates support to handle, cybersecurity threats and incidents targeting organizations (e.g., government agencies and important service providers). NISC is preparing such a center.