Under the Cabinet Office's leadership, Japan's national project, the “Strategic Innovation Promotion Program (SIP),” is underway through co-creation among industry, academia, and government to achieve important science and technology innovations that are essential to strengthening Japan's economic and industrial competitiveness. One important project theme is information security. The threat of cyber attacks on critical infrastructure, particularly electric power equipment and communication equipment, is increasing. During the conference, Fujitsu showcased the outcomes of the R&D activities that industry, academia, and government are carrying out under SIP's theme of ensuring cyber security for critical infrastructure, and introduced its own role in the program.
[Fujitsu Forum 2017 Conference Report]
Outcomes of Research on “Ensuring Cyber Security for Critical Infrastructure” by the Cabinet Office's SIP
To start the conference, Fujitsu's Taishu Ohta noted the significant expansion in the scope that security must now cover. He then raised the question: “How should field operations and IoT, as well as office IT systems in general, be protected in the future?”
With respect to the Strategic Innovation Promotion Program (SIP), which is being carried out under the Cabinet Office's leadership, Ohta explained the conference's purpose: “The Cabinet Office, NTT, and Fujitsu have carried out activities for this program over the past year, and we will report the outcomes.”
Making Domestic Infrastructure Resilient to Enhance Japan's Reputation
The Council for Science, Technology, and Innovation (CSTI) is chaired by Japanese Prime Minister Shinzo Abe. It formulates plans and serves as the general coordinator for Japan's overall science, technology, and innovation policies. Making full use of this 'control tower' function, CSTI runs SIP and ImPACT (the Impulsing PAradigm Change through disruptive Technologies program).
The mission of SIP is not merely to conduct basic research, but to serve people by applying the resulting technology to society. One of the eleven ongoing programs is 'Ensuring Cyber Security for Critical Infrastructure,' for which I act as program director. By joining the forces of industry, academia, and government, in other words the power of Japan, we will strive to develop technologies that help ensure the security of critical infrastructure in the future.
Today's cyber attacks also target critical infrastructure; examples include the cyber attacks on Iranian nuclear facilities in 2010 and the recent large-scale blackout in Ukraine.
Now is the time for infrastructure operators to ask themselves once again, 'Are we secure?' If we assume that things are OK without being aware of security loopholes, we will fall into pitfalls. Cyber-security measures for critical infrastructure must cover every aspect: the control networks of the infrastructure, the office automation environments that manage those networks, the terminal systems used for maintenance and management, the supply chains that deliver equipment, and so on.
Also, how the 2020 Tokyo Olympic and Paralympic Games turn out will significantly affect Japan's reputation. Japan must be able to provide its own security technology for critical infrastructure, and its own operation of that technology, in order to strengthen global collaboration as well. This is what SIP is aiming at this time.
To apply the developed technologies to society, SIP evaluates and verifies their suitability while sharing information and developing human resources. SIP has developed these technologies in collaboration with critical infrastructure operators and other organizations right from the start. SIP has been developing an initial version of the technology to make the Tokyo 2020 Olympic Games even more secure. At the same time, it is developing enhanced versions of this technology to expand the market for the critical infrastructure, IT, and security industries as a whole after the Games.
I also think there are two key points in ensuring cyber security for critical infrastructure. One is the 'self-support for technology and its operation' that I mentioned earlier. This is important in terms of ensuring the independence of security. At the same time, it is also important to establish a platform that can receive best practices and facilitate the integration of excellent security technologies and know-how developed through global collaboration.
The second point is the issue of 'cyber trash' and the boiling frog in the age of IoT. IoT devices tend to create a risky situation when they have no administrators. We have seen a case in which poorly managed IoT devices were hacked and misused for attacks. This means that in the age of IoT, the large number of vulnerable IoT devices may cause an environmental problem in cyberspace in the form of 'cyber trash.'
'Frog boiling attack' is a keyword in the security industry. 'Boiling frog' refers to the state in which a frog is boiled gradually in a pot without perceiving the rising temperature. In other words, people are unlikely to notice the increase in the number of vulnerable IoT devices, or 'cyber trash.' After the undesirable facts have come to light, it may be too costly to respond to malicious attacks against the ever-growing number of vulnerable devices. In the age of IoT, in which various IoT devices are incorporated into critical infrastructure, I believe it is important to ensure security at the design stage. I also think it is necessary to have a proper supply chain mechanism that prevents such devices from becoming cyber trash when they have no administrators.
To take further cyber-security measures for critical infrastructure, I think it is essential that industry, academia, and the government continue to make united efforts with the Cabinet Office's SIP.
Preventing Attacks and Intrusions by Behavior Monitoring/Analysis and Authenticity Determination
In the large-scale DDoS attacks* launched by the Mirai IoT botnet, and in the attack that exploited vulnerabilities in Deutsche Telekom customer routers, many IoT devices were used to carry out attacks. In light of these cases, proactive measures must be taken in the future by analyzing the characteristics of IoT malware attacks and understanding the big picture. To this end, darknet traffic, honeypots, flow information, and IDS** logs should be monitored in order to organize the information needed for taking measures.
In the meantime, critical infrastructure shutdowns caused by malware have already become an actual security issue in other countries. In addition, as equipment virtualization progresses, support with conventional technology and operations becomes more difficult. Also, there are many cases in which insufficient thought has been given to implementing security functionality into infrastructure due to the lack of a perspective on 'Security by Design.' When taking into account the current situation in which attacks are becoming increasingly sophisticated, I believe it is impossible to completely prevent all attacks.
Moreover, since more and more components of critical infrastructure are general-purpose or open source, attackers can now obtain the vulnerability information they need more easily. As the scale of infrastructure increases and more complex interlocking systems are used, even a single successful attack in one location carries an increased risk of affecting a large area.
Faced with these challenges, we developed behavior monitoring and analysis technology and conducted research on 'Detection & Response' that assumes a cyber attack has succeeded. We also conducted research on authenticity determination technology to prevent abnormal operation by continuously monitoring for unauthorized additions to device functions and unauthorized modifications.
As part of the cyber security research conducted by SIP, where Mr. Goto serves as program director, NTT has been developing technologies in two directions, namely the 'development of behavior monitoring/analysis technology' and the 'development of authenticity determination technology.'
As part of our IoT behavior monitoring and analysis technology, we have been developing two technologies: 'IoT-GW implementation technology' for automatically detecting IoT devices and efficiently monitoring massive numbers of them, and 'IoT anomaly detection technology' that uses AI to respond automatically to the diversification of IoT devices. The former achieves high performance in signal monitoring and transfer processing by linking software processing with a packet transfer engine, in a compact size and at low cost. The latter enables us to respond to previously unknown attacks by adopting unsupervised learning, which does not require prior learning of abnormalities.
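The key idea behind the anomaly detection described above is that the learning phase needs no examples of attacks: the system learns what each device normally does and flags departures from that. The following is an added illustration written for this report, not NTT's technology: a simple per-device statistical baseline over unlabeled flow records. Every flow record in it (a camera named camera-01 streaming RTSP to a recorder at 10.0.0.5) is constructed, and the thresholds are assumptions chosen for the example.

```python
"""Unsupervised per-device baseline for IoT flow records (added example).

A simple statistical baseline written for this report, not NTT's anomaly
detection technology. It learns what each device normally does from
unlabeled flow records (no prior examples of attacks) and flags flows that
leave that envelope. All flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import statistics


@dataclass(frozen=True)
class Flow:
    device: str
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass
class DeviceProfile:
    peers: set = field(default_factory=set)    # (dst_ip, dst_port) pairs seen while learning
    sizes: list = field(default_factory=list)  # bytes_out of every learning flow

    def volume_threshold(self) -> float:
        """mean + 3 sigma, with a floor so a perfectly flat baseline is not hypersensitive."""
        mean = statistics.fmean(self.sizes)
        std = statistics.pstdev(self.sizes) if len(self.sizes) > 1 else 0.0
        return mean + 3 * max(std, 0.05 * mean)


def learn_profiles(flows):
    """Learning phase: no labels, just accumulate what each device was seen doing."""
    profiles = defaultdict(DeviceProfile)
    for f in flows:
        p = profiles[f.device]
        p.peers.add((f.dst_ip, f.dst_port))
        p.sizes.append(f.bytes_out)
    return dict(profiles)


def score_flow(profile, flow, min_samples=10):
    """Detection phase: return the reasons a flow is anomalous ([] means normal)."""
    if profile is None or len(profile.sizes) < min_samples:
        return ["no-baseline"]          # a never-seen device cannot be judged yet
    reasons = []
    if (flow.dst_ip, flow.dst_port) not in profile.peers:
        reasons.append("unknown-peer")  # e.g. a camera suddenly talking telnet to the internet
    if flow.bytes_out > profile.volume_threshold():
        reasons.append("volume")        # e.g. DDoS-scale output on an otherwise normal channel
    return reasons


def detect(profiles, flows):
    """Score a batch of flows against the learned profiles."""
    return [(f, score_flow(profiles.get(f.device), f)) for f in flows]


# Constructed learning window: an IP camera streaming RTSP to one recorder.
BASELINE_FLOWS = [Flow("camera-01", "10.0.0.5", 554, 48_000 + 500 * i) for i in range(20)]


if __name__ == "__main__":
    profiles = learn_profiles(BASELINE_FLOWS)
    for flow, reasons in detect(profiles, [
        Flow("camera-01", "10.0.0.5", 554, 50_500),       # normal
        Flow("camera-01", "203.0.113.9", 23, 120),        # telnet to an unknown host
        Flow("camera-01", "10.0.0.5", 554, 5_000_000),    # normal peer, abnormal volume
    ]):
        print(flow, "->", reasons or "normal")
```

The "no-baseline" outcome is the practical caveat: a device with too few learning samples cannot be judged, and in a real gateway that case should be reported rather than silently treated as normal.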
As for the authenticity determination technology, we have been developing a 'root of trust' implementation technology and a 'chain of trust' construction technology. The former strongly protects the reference data used for authenticity determination by making maximal use of the latest security chip, TPM 2.0, and encryption technology. The latter supports server devices that manage several thousand terminals, enabling authenticity determination across an entire facility.
The secure boot function starts the hardware, OS, and authenticity determination software only after their integrity has been verified through the root of trust. The authenticity determination software then periodically verifies the integrity of general software applications. In addition, the chain of trust, in a hierarchical architecture, allows lower-level devices to securely and automatically obtain the verification information registered with higher-level devices and use it for authenticity determination.
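To make the sequence just described concrete (measured boot through a root of trust, periodic verification of applications, and reference values obtained from a higher-level device), here is an added simulation written for this report. It is not NTT's implementation: the boot components, application images, and the manifest key are constructed stand-ins, the single PCR-style register and HMAC-authenticated manifest are assumptions made so the example runs with only the Python standard library, and a real deployment would anchor the register in a TPM 2.0 and sign the manifest from the higher-level device.

```python
"""Simulated root of trust / chain of trust (added example).

Uses only the Python standard library. Device images, application binaries
and the manifest key are constructed stand-ins; a real deployment would anchor
the reference values in a TPM 2.0 and sign the manifest on the higher-level
device instead of using a shared HMAC key.
"""
import hashlib
import hmac
import json

# Constructed boot chain: each component is measured before it is allowed to run.
BOOT_COMPONENTS = [
    ("bootloader", b"bootloader v1.2 image (constructed)"),
    ("kernel", b"kernel 4.9 image (constructed)"),
    ("integrity-agent", b"authenticity determination agent v0.9 (constructed)"),
]

# Constructed application images that the agent re-checks periodically after boot.
APPLICATIONS = {
    "plc-control": b"plc control application v3 (constructed)",
    "telemetry": b"telemetry exporter v1 (constructed)",
}

# Assumed key shared by the higher-level device and its terminals
# (stand-in for the signing key a real chain of trust would use).
MANIFEST_KEY = b"constructed-example-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Hash every boot component in order and fold the hashes into one PCR.
    Returns the final PCR value and the event log that explains it."""
    pcr = bytes(32)
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def build_manifest(components, apps, key: bytes) -> dict:
    """Higher-level device: publish authenticated reference values for its terminals."""
    expected_pcr, _ = measure_boot(components)
    body = {
        "expected_pcr": expected_pcr.hex(),
        "apps": {name: sha256_hex(image) for name, image in apps.items()},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_device(components, apps, manifest, key) -> dict:
    """Lower-level device: check the manifest, then the boot chain, then the apps.
    An unauthentic manifest means nothing can be trusted, so every check fails."""
    if not manifest_is_authentic(manifest, key):
        return {"manifest_ok": False, "boot_ok": False, "bad_apps": sorted(apps)}
    pcr, _ = measure_boot(components)
    boot_ok = hmac.compare_digest(pcr.hex(), manifest["body"]["expected_pcr"])
    ref = manifest["body"]["apps"]
    bad_apps = sorted(
        name for name, image in apps.items()
        if name not in ref or not hmac.compare_digest(sha256_hex(image), ref[name])
    )
    return {"manifest_ok": True, "boot_ok": boot_ok, "bad_apps": bad_apps}


if __name__ == "__main__":
    manifest = build_manifest(BOOT_COMPONENTS, APPLICATIONS, MANIFEST_KEY)
    print("pristine:", verify_device(BOOT_COMPONENTS, APPLICATIONS, manifest, MANIFEST_KEY))
    tampered = dict(APPLICATIONS, **{"plc-control": b"backdoored plc application"})
    print("tampered app:", verify_device(BOOT_COMPONENTS, tampered, manifest, MANIFEST_KEY))
```

Two properties of the simulation carry over to the real design: the PCR value depends on the order as well as the content of every boot component, so replacing the kernel changes the final value even though the later components are untouched, and a forged manifest is rejected before any reference value in it is consulted, which is what makes the higher-level device's registration the anchor of the hierarchy.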
These development initiatives are underway based on a five-year plan. The initial version for the Tokyo 2020 Olympics will first provide a system that includes operational functions. Thereafter, we will continue to work on an enhanced version aimed at achieving commercial quality and raising that quality further.
*: DDoS attack: Distributed Denial of Service attack
**: IDS: Intrusion Detection System
Supporting Service Continuity for Critical Infrastructure with Four Technologies
It is of increasing importance to protect the information communication platforms that support critical infrastructure while simultaneously constructing an environment in which the latest ICT can be used securely and safely. Points to take into account include the use of general-purpose technologies such as commodity devices and cloud computing; the fact that the facilities and internal design of critical infrastructure cannot be changed easily; and the fact that new and old devices will be mixed together because of long service lives.
Given the recent evolutions in attacks, it is important to assume the presence of internal threats. Thus, measures for internal threats that are strongly dependent on internal critical infrastructure design should be developed as a made-in-Japan technology. This will also become a source of export competitiveness for Japanese infrastructure.
In terms of security threats, the issues include longer dormant phases and the spread of threats. Even if an intrusion is found, the malware may self-destruct simply upon being isolated from the network, so its overall behavior must be observed before deciding to terminate it. For information communication platforms, support for NFV (Network Functions Virtualization) is necessary to ensure that communication data can be obtained even in cloud environments. Moreover, high-speed communication, as represented by 5G technology, and larger capacities are also required.
Besides this, to ensure service continuity, which is the top priority for critical infrastructure, appropriate measures and escalation according to threat level are necessary. This technology development will assist SOC/CSIRT security experts and enhance the entire system's resilience.
Fujitsu conducts R&D on “Health Check Technology Based on Traffic Analysis of Information and Control Network Component Devices” as part of SIP's “Ensuring Cyber Security for Critical Infrastructure.”
The collection, storage, analysis, and control recommendation functions of the functional cycle for internal threat measures assist users in taking measures. The collection function features a high-speed virtual TAP and high-speed capture. The virtual TAP is ten times faster than the previous version, at 10 Gbps. High-speed capture now enables up to 100 Gbps of data to be obtained from both new and old environments. The storage function achieves performance in excess of 100 Gbps with a less expensive configuration in which general-purpose servers are arranged in parallel. By performing collective behavior model analysis, system-wide communication is analyzed comprehensively. The control recommendation function reduces the burden on SOC/CSIRT experts by suggesting the degree of urgency based on the degree of impact, as well as the appropriate investigations and measures to carry out.
Linking these technologies with NTT's authenticity determination technology, and extending authenticity determination to the communication applications running on virtual communication devices, will ensure both flexibility and security for such devices. This flexibility and security, integrated into virtual communication devices, will become a standard in the age of the cloud.
The Need for “Japanese Rules” on Cyber Security
At the end of the conference, Fujitsu's Ohta returned to the podium with these words: “Fujitsu will work with the other parties to create security technologies using our own power and then ensure that the technologies make good business sense. I believe this will lead to their use in Society 5.0 and other innovations which will be tackled by the entire country as safe, secure services. We will strive to engage in such co-creation activities.”
Ohta then indicated the direction that Fujitsu will take in the future: “Fujitsu needs engineers who can provide customers with IoT, AI, cloud, and other services that ensure 'Security by Design.' For this reason, we develop human resources based on the 'Security Master Certification System,' and we have already certified 1,931 engineers. We will further increase the number of certified engineers to 10,000 to ensure trouble-free security design and operation of customers' systems. Meanwhile, we will optimize the operation of newly created systems using our new technologies.”
Ohta also identified the lack of “rules” in Japan: “In the United States, they are now creating international rules that require countries to provide a certain level of cyber security. In Europe, they are working to adopt these rules. Given the circumstances in which rules applicable to all of global society are being formed, Japan has yet to create any rules to follow. While developing technologies and human resources under SIP, Fujitsu will also commit to undertaking such efforts at any cost.” He then concluded the conference with this statement: “We will work together with you to apply technologies made in Japan to society and to engage in preparing new rules to allow such technologies to support Japan's ICT industry.”
Speakers
Atsuhiro Goto, Program Director for SIP, Cabinet Office, Government of Japan; President and Professor, Institute of Information Security
Kazuhiko Okubo, Vice President, Head of NTT Secure Platform Laboratories
Masaaki Kato, Senior Director, Network Solutions Business Unit
Taishu Ohta, Evangelist, Cyber Security Business Strategy Unit