The Cyber/Physical Security Framework (Draft) Cyber Security Division Commerce and Information Policy Bureau Ministry of Economy, Trade and Industry


Table of contents

Preface - Settling on the Cyber/Physical Security Framework
1. Introduction - Changes of Scenery over Cyber Security
  Society realized by Society5.0 and Connected Industries
  Increase of threats from cyber attacks
Concept of the Cyber/Physical Security Framework
  Purpose of developing the framework
  Concept of the framework structure
  Structure of the framework
The Cyber/Physical Security Measures
  [The First Layer] Security measures for connections between companies (conventional supply chains)
  [The Second Layer] Security measures for connections between physical and cyber spaces
  [The Third Layer] Security measures for connections in cyber space
Toward Establishing Trust
  Concepts of securing the trust in framework
Appendix A: Reference Document List
Appendix B: Comparison with Major International Standards
Appendix C: Glossary

Preface
Settling on the Cyber/Physical Security Framework

The Government of Japan proposes the realization of a super smart society named "Society5.0", which provides products and services that closely meet various needs and delivers both economic development and solutions for social challenges by highly fusing cyber space and physical space. Furthermore, we, the Ministry of Economy, Trade and Industry (METI), propose a concept named "Connected Industries", which creates new added value toward "Society5.0" based on "connections" between various data, and we are now promoting various actions to realize this concept.

In "Society5.0", cyber attacks will have more impact on physical space than before because cyber space is more closely involved with physical space. The progress of networking such as "Connected Industries" will increase the opportunity to create new added value by enabling a more flexible and dynamic supply chain configuration different from the conventional one. However, from the perspective of cyber security, it widens the scope of protection for the defending side while increasing the points of attack available to attackers. Because a cyber attacker can intrude into a network by finding just one point of weak security, network intrusion is becoming easier than before. In these circumstances, the effectiveness of security measures taken by only one company is limited.

Therefore, in addition to considering cyber security measures from the planning/designing phase of each product and service based on security by design, each company needs to tackle cyber security measures across the whole supply chain, including affiliates and business partners, taking into consideration the resilience of business activities and the security of data circulation, which are difficult for individual entities to strictly control.

In this framework we organize common security measures for all industries in "Society5.0" by classifying them into three categories: "connections between companies (conventional supply chain)", "connections between physical space and cyber space", and "connections in the cyber space". For each category we describe what should be protected, what the security risks are, and what the specific measures for them are.

The framework shows common security measures for all industries in Society5.0, but the important assets, human resources and financial resources to be protected, and the allowable risk level, differ between industries and/or companies. Therefore, please make good use of the framework to estimate the threats and risk scenarios, conduct risk assessment, and implement the specific measures according to each actual situation.

1. Introduction - Changes of Scenery over Cyber Security

1.1. Society realized by Society5.0 and Connected Industries

While practical uses of networking and IoT (Internet of Things) are advancing around the world, the public and private sectors are beginning cooperative actions to make advanced use of IT in the field of manufacturing in order to lead the revolutionary change of "The Fourth Industrial Revolution", such as "Industry 4.0" in Germany. Also in Japan, in "The 5th Science and Technology Basic Plan" approved in a Cabinet meeting on January 22, 2016, the Government of Japan (GOJ) proposes the realization of a super smart society named "Society5.0", which provides products and services that closely meet various needs and delivers both economic development and solutions for social challenges by highly fusing cyber space and physical space. Furthermore, we, the Ministry of Economy, Trade and Industry (METI), need to develop a new industrial structure to realize "Connected Industries", which creates new added value toward "Society5.0" based on various connections.

Figure 1 - Illustration of the cyber space and the physical space (footnote 1)

Footnote 1: This illustration was made based on the report by the Ministry of Economy, Trade and Industry named "The 2015 infrastructure for computerization and a shift towards the service industry of the economic society in Japan (the research for implementation of CPS (cyber physical system) in the water utilities)".

Society5.0 is a new society which follows the hunting society (Society1.0), agricultural society (Society 2.0), industrial society (Society 3.0), and information society (Society 4.0). In the information society (Society 4.0), the sharing of necessary knowledge and information was insufficient and it was difficult to create new value; it was also difficult and burdensome to find necessary information in the huge volume of data and analyze it. In the society realized in Society5.0, all people and things are connected by IoT, various knowledge and information are shared, and new value is born through analysis of those data. Moreover, through Artificial Intelligence (AI), Society5.0 releases humans from burdensome work such as analyzing huge amounts of information. Society 5.0 is not a society where economic and organizational systems are prioritized, but a human-centered society in which AI, robots, etc. support work that humans have done so far and provide necessary items and services to the people who need them, when necessary, as much as necessary.

Figure 2 - Illustration of the society realized in Society5.0 (footnote 2)

Footnote 2: The illustration is quoted from the introduction of Society5.0 by the Cabinet Office.

In Society5.0, the supply chain, which is a series of activities to create added value, mainly for companies, will also change its form. The existing supply chain was a stereotyped, linear structure in which a series of activities (strict planning and design, procurement of the necessary parts and services based on that, assembly and processing, and provision of final products and services) was deployed in a fixed and stable manner. However, in Society5.0, necessary items and services are provided to the people who need them when necessary, and the starting point of a series of activities to create added value is not fixed as planned and designed by suppliers, as it was before. Cases in which consumers become the starting point of added value creation activities are also increasing. The existing activities will change into added value creation activities in which the content of the activity is changed midway in response to changes in the needs set at the start of the series of activities, or in which new activities are incorporated when more effective information is obtained. In contrast to the conventional stereotyped and linear supply chain, these changed supply chains need to be understood as the Society5.0 type supply chain.

1.2. Increase of threats from cyber attacks

In Society5.0 (a human-centered society) realized by IoT, AI and so on, the starting points for cyber attacks increase and the range of cyber risk expands because supply chains are connected in complicated ways. Furthermore, the risk of cyber attacks reaching physical space increases dramatically because cyber space and physical space are highly fused. As the process of converting information obtained from IoT into digital form and the delivery of massively created data are emerging as new attack points in cyber space, security measures to support the accuracy, circulation, and cooperation of large quantities of data are also an important issue.

Figure 3 - Illustration of connections between components and data and others in Society5.0
Labels in the figure:
- A large quantity of data circulation: importance of data management increases
- Fusion of physical and cyber: cyber attacks reach physical space; assume attacks on cyber space invading from physical space; intervention in information conversion between physical and cyber
- Supply chains connected complicatedly: attacking points expand

In fact, a case has been reported in which data of a European company was infected with ransomware, which infiltrated a domestic company in Japan via the supply chain and spread the infection, and some operations stopped as a result. Furthermore, in other countries, the necessity to protect IoT and ICSs (Industrial Control Systems) by supply chain management is becoming widely recognized. In the United States, revised draft versions of the framework (NIST Cybersecurity Framework; footnote 3) were published in January 2017 and December 2017, which provided the perspective of cyber security measures especially for the critical infrastructure developed by NIST in February, In these documents, a description of supply chain risk management was added as a specific precaution, requiring preventive measures to be implemented across the whole supply chain and audits to be conducted as needed.

Footnote 3: National Institute of Standards and Technology

2. Concept of the Cyber/Physical Security Framework

2.1. Purpose of developing the framework

Toward the realization of Society5.0 and Connected Industries, it is necessary to cope with the increase in threats of cyber attacks that follows the changes in industrial structure and society, and to start preparing for that right now. Therefore, we organized all security measures needed in industry, and we decided to develop "The Cyber/Physical Security Framework" for use by industries. The expected effects and features of utilizing this framework are as follows.

1. Expected effects in each company utilizing this framework
- Ensuring the security needed for realizing Society5.0 and Connected Industries
- Strengthening competitiveness by enhancing the security quality of products and services as differentiation factors (value)

2. Features of this framework

[1] It can be utilized at the operation level of security measures implemented in each company
- It should include not only the concepts our society should aim for, but also content that can be utilized when each company implements security measures.

[2] It makes the relation between the necessity of security measures and their costs understandable
- It should include content that ensures that the companies forming the whole supply chain, including small and medium-sized enterprises, can picture the balance between the expected risks and the costs of the necessary measures and can actually take measures.
- It should contribute to cost reduction without lowering the security level.
- It should also include consideration of the risk-scenario-based concept.

[3] It realizes international harmonization
- It should incorporate the trends of foreign nations, include content that ensures consistency with major certification systems in the U.S. and Europe, including ISMS and the NIST Cybersecurity Framework, and promote mutual recognition, in order to ensure that the security measures in Japan for products and services are accepted by other countries in the global supply chains.

2.2. Concept of the framework structure - for adaptation to the "Value Creation Process" of Society5.0 type supply chain

In Society5.0 (a human-centered society) and Connected Industries, realized by IoT with everything connected and by AI with data creating intelligence, the processes for producing products and services (supply chains) will take an atypical form due to various connections, which is different from the conventional stereotyped and linear one. In this framework we define the Society5.0 type supply chain as the Value Creation Process, to distinguish it from the conventional supply chain, and show the security guidance required for the supply chain concept extended by Society5.0 and Connected Industries. The framework can be used as a guide to view the industrial society in which people act for value creation as consisting of three layers and six elements, as follows, and to comprehensively sort out the key security points and cope with them.

Three layers

In the value creation process, IoT digitalizes information in the physical space and takes it into the cyber space, beyond the area where added value is created by reliable inter-company connections in the conventional supply chain. Such data circulates freely in cyber space so that various data can generate new data and create new added value. Newly created data also creates physical products and services in physical space through IoT. Therefore, in the value creation process, it is necessary to consider such a series of activities for new added value. In order to accurately identify the security risks of the added-value-creating activities that arise from the extension of the activity scope of the conventional supply chain, and to show the policy for managing them, the area where the value creation process occurs is organized into a three-layer structure as follows.

First layer - Connections between companies (conventional supply chains)
Second layer - Connections between physical space and cyber space
Third layer - Connections in cyber space

Six elements

For the framework to be utilized at the operation level, it is necessary to clarify the elements involved in the value creation process and to show guidelines on what kind of security measures should be taken for each element. In the value creation process, the following elements are involved in the creation of added value.
- Organization, people, component, data, procedure, system

Figure 4 - Three layers of the industrial society where value creation processes unwind

Significance of the three-layers-approach

Each layer has its own function and role that must be secured in the value creation process. For example, the value creation process will not be effective unless the following things are secured in each layer.
- Produced products, etc. in the first layer: Whether a trustworthy company supplies the specified products and services through trustworthy production activities.
- Data obtained by sensors, etc. in the second layer: Whether IoT devices such as sensors correctly digitize information in physical space and correctly transcribe it to cyber space.
- Data provided by data analysis, etc. in the third layer: Whether it is possible to utilize trustworthy data that has not been falsified in the collecting process and has been edited in an appropriate manner.

In the framework, we show the policies for coping with issues in consideration of the features of the values created in each layer.

Figure 5 - Significance of the three layers approach

Table 1: Six elements involved in value creation process

Element - Definition
Organizations - Companies and organizations that compose value creation processes (especially the generally imagined supply chain)
People - People belonging to an organization; people directly participating in the value creation process
Components - Hardware, software and their parts
Data - Information collected in physical space; information edited through sharing, analyzing and simulating the above information
Procedures - A series of activities to achieve a defined purpose
Systems - Mechanisms or infrastructures configured with components for services

Figure 6 - Relationship among six elements

2.3. Structure of the framework

Based on the organization in the previous section, we organize the cyber/physical security measures in each layer of the three-layer structure as shown in the figure below.

Figure 7 - Overview of the measures in each layer

The framework shows common security measures for all industries in "Society5.0", but the important assets, human resources and financial resources to be protected, and the allowable risk level, differ between industries and/or companies. Therefore, each industry and each company should make good use of the framework to create profiles listing their security measures based on facts, with reference to the contents described in it. Moreover, please make good use of the framework to clarify the gap between the current profile and the target profile by comparing them, and to reduce the security risks.

3. The Cyber/Physical Security Measures

3.1. [The First Layer] Security measures for connections between companies (conventional supply chains)

L1.001 Development of security policies and preparation of the structures

If the security measures are not consistent throughout an organization, these measures cannot be effective. If people don't understand the measures and their priorities to be applied when a security incident occurs, the start of countermeasures will be delayed.

Risk impact
A delay in countermeasures against security incidents causes security damage to spread.

- Develop and operate a security policy
- Appoint a chief security officer and establish a security management team

Key aspects of the measure
After the priorities of organizational missions, objectives, and activities have been established and communicated, a security policy should be developed that clarifies roles and responsibilities, the information sharing methods, and others. Also, a chief security officer should be appointed, a security management team established, and a system prepared to determine appropriate actions (priorities, scope, etc.) against security incidents. In this way, the organization can prevent security damage from expanding due to a delay of countermeasures against security incidents.

Here is the summary:
- Develop a security policy, clarifying roles and responsibilities for security and the information sharing method in an organization.
- Appoint a chief security officer, establish a security management team, and prepare a system to conduct security measures in an organization.
- The security management team should establish a process to collect vulnerability information from internal and external information sources (through internal tests, security information, and security researchers, etc.), analyze the information, and conduct countermeasures.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organizations
Communicate the information on prioritized organizational missions, objectives, and activities to the relevant stakeholders (suppliers, third-party providers, etc.).
Develop a security policy, and clarify roles and responsibilities for security and the information sharing method in an organization.
- Designate the roles and responsibilities of the relevant persons, the information sharing methods and compliance matters.
- Identify the roles of your own organization for the relevant persons and share the information.
- Provide information about the operating condition of your own organization to the relevant persons, depending on the functions your organization provides.
- Ensure that the persons in charge, particularly the privileged users, correctly understand their roles and responsibilities for security.
Appoint a chief security officer, establish a security management team, and prepare a system to conduct security measures in an organization.
- The security management team should continuously collect vulnerability information from internal and external information sources, analyze the information, and determine appropriate actions (priorities, scope, etc.) against the targeted security incidents being monitored.
- Establish a process to collect vulnerability information from internal and external information sources (through internal tests, security information, and security researchers, etc.), analyze the information, and conduct countermeasures.
- Coordinate the roles and responsibilities for security with the relevant persons in advance and prepare a mechanism for coordination.
- Ensure that the persons in charge, particularly the privileged users, can correctly understand their roles and responsibilities for security.
- Assign a person in charge of public relations who understands the technical requirements when disclosing information about security incidents.

People
Persons in charge should sufficiently understand their roles and responsibilities.
- Privileged persons in charge especially should correctly understand their roles and responsibilities for security.
The security management team should utilize security alerts and advisories to monitor security incidents.

Components

Data

Procedures
Publish only the confirmed facts when disclosing information about security incidents.

Systems

L1.002 Security risk management

People do not understand details, priorities, and scope of security measures.

Risk impact
A delay in countermeasures against security incidents causes security damage to spread.

- Conduct risk assessment (identification, analysis, evaluation of possible security risks)
- Develop security rules (including the rules on information disclosure)

Key aspects of the measure
Prevent critical security incidents and the expansion of security damage by identifying, analyzing, and evaluating existing security risks in an organization, and then defining the details, priorities, and scope of security measures, including security by design, in advance. In addition, develop security rules to promote security measures.
- Conduct risk assessment (identification, analysis, evaluation of security risks).
- Based on the result of the risk assessment, clearly define the details of security measures, sort out the scope and priorities, and develop security rules.
- An organization should decide the priorities of the security rules and the chief security officer should approve them.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organizations
Conduct risk assessment (identification, analysis, evaluation of possible security risks).
- Conduct and document the risk assessments considering risk threats, vulnerability, possibility, and impacts.
- Maintain the structure for self-assessment and prepare third-party assessments as needed.
- Identify security risks considering threats from internal/external attacks and natural disasters.
- Make sure to cover all aspects of the security risks by using a variety of risk-scenario-based methods.
- Include the issues of supply chains when analyzing security risks.
- Analyze and evaluate security risks according to the security risk tolerance determined by the roles of the relevant parties.
- Determine your own organizational risk tolerance considering the relevant supply chain and sector-specific risk analysis.
- Share the information on the organizational security risks with the relevant persons.
- Conduct risk assessment considering actual business operations.
Based on the result of the risk assessment, sort out the details of countermeasures against security risks, their scope and priorities, and develop security rules.
- Define data classification and the criteria for how to handle the information (data).
- Document and use the rules for handling privacy information in accordance with the international principles on personal information protection and the privacy protection rule, the "OECD's eight core principles".
- Set security rules with an understanding of the applicable laws, notifications, and industry standards for each region.
- Restrict physical access to the elements to privileged users only.
- Keep records of physical access to the elements.
- Define the audit logs acquired from the elements.
- When outsiders enter critical facilities, a responsible person should accompany them and watch their behavior.
- Define restoration methods for each function, estimating the details of the damage if a disaster were to occur in the operational environment.
- Set restrictions on access from alternative working sites (e.g. telework sites).
- Document the information about the border of the system, its operating environment, the methods for implementing security requirements, and the methods of connecting to other systems.
- Separate the development and testing environment(s) from the production environment.
- Document operating procedures such as machine operations and make them available to all users.
- Define a default setting procedure for devices (password, etc.), and a method to update the settings.
- Define disposal procedures for devices.
- Adopt a policy, and security measures supporting it, to manage the risks of using mobile devices.
- Define constraints and environment settings for wireless connections.
- Set and carry out a policy on the use and management of cryptography to protect information.
- Ensure that no nonpublic information is included when disclosing security incident information.
- Utilize cyber insurance according to the security risks as a form of risk transfer.
Relevant persons should develop, control, and agree on security rules for supply chains after clarifying their scope of responsibilities.
An organization should decide the priorities of the security rules and the chief security officer should approve them.

People
Include human-resources-related practices such as changes of role and responsibility due to personnel transfer (e.g., deactivating access authorization, personnel screening, etc.).
Prepare official disciplinary procedures, and publicize the actions to be taken, for employees who commit an information security violation.

Components
Introduce a system development life cycle, considering security by design for designing, developing, implementing, and modifying the functions of elements.

Data

Procedures
Document operating procedures such as machine operations and make them available to all users.

Systems
Introduce a system development life cycle, considering security by design for designing, developing, implementing, and modifying the functions of elements.
Separate the development and testing environment(s) from the production environment.

L1.003 Clarification on security incident response

People do not understand the details, priorities, and scope of security measures when an incident occurs. The actions involved in the security incident response, their priorities, and their extent are not clear.

Risk impact
A delay in countermeasures against security incidents causes security damage to spread.

- Create a security operation manual.

Key aspects of the measure
The aim is to prevent further security-related damage by creating a security operation manual that expedites security incident responses and sets out their priorities.
- Clearly document the response procedure in the security operation manual and use it to respond immediately to security incidents whenever they are detected.
- Select the relevant persons who use the organization's security operation manual.
- The chief security officer shares information on security incidents with the relevant persons to get a better understanding of security-related situations.
- Execute the measure on the security incident response, understanding its purposes, incident alert criteria, recovery priorities, procedure, and responsibilities.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organization
Clearly document the response procedure beforehand in the security operation manual and enforce its use so that users will be able to respond immediately to security incidents whenever they are detected.
- Execute the measure on the security incident response, understanding its purposes, incident alert criteria, recovery priorities, procedure, and responsibilities.
- Describe the procedures for reporting to and sharing information with the relevant persons in the organization, executive officers, senior management, and senior executives, whenever necessary.
- Describe the procedure for reporting, for example, detected security incidents to certain relevant parties with an appropriate amount of information.
- Describe a procedure for coordinating with other relevant persons when responding to security incidents.
Select the relevant persons who use the organization's security operation manual.
The chief security officer shares information related to security incidents with the relevant persons to get a better understanding of security-related situations.

People
Regarding the security incident response, its purposes, incident alert criteria, recovery priorities, procedure, and responsibilities should be understood before acting on the procedure.

Component

Data

Procedure
Determine incident alert criteria.

System

L1.004 Maintenance contracts with suppliers

People do not understand details, priorities, and scope of security measures.

Risk impact
A delay in countermeasures against security incidents causes security damage to spread.

- Procedure for finalizing maintenance contracts with suppliers for services, systems, and devices.

Key aspects of the measure
A supplier of services, systems, or devices with well-established inquiry and support services is selected. Also, deterioration of security levels and of business and operation efficiency can be prevented by obtaining bug fix programs regularly from the suppliers and replacing parts quickly when a failure occurs.
- The relevant persons formulate, manage, and agree upon the security rules related to supply chains after clarifying the scope of responsibilities.
- Select the suppliers who are in line with the purposes of the security operation manual.
- Make sure the privileged users correctly understand their security-related roles and responsibilities.
- When using a system provided by an outside organization, sign a service agreement with this organization and limit the scope of use.
- Make a list of external information systems.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organization
The relevant persons formulate, manage, and agree upon the security rules related to supply chains after clarifying the scope of responsibilities.
- Identify and share the information about the role that your organization plays in the supply chain.
- Make sure the relevant persons (the privileged users in particular) correctly understand their security-related roles and responsibilities.
- Share information related to security risks residing within the organization with the relevant persons and coordinate with them when there is a security incident.
Select the suppliers who are in line with the purposes of the security operation manual.
- Evaluate the suppliers regularly on whether they have fulfilled their contractual obligations.
- Monitor the actions of suppliers to detect potential security incidents.
- The organization confirms and approves the supplier's maintenance tools.
- Make a list of external information systems.
Categorize the information on detected security incidents by the size of the security-related impact, penetration vector, and other factors, and store it.

People
Make sure the privileged users correctly understand their security-related roles and responsibilities.
Restrict access for users who are permitted to connect to external systems.

Component

Data

Procedure
When using a system provided by an outside organization, sign a service agreement with this organization and limit the scope of use.
The service contract covers information transfers between the organization and external personnel, maintaining the security duties.

System
Introduce the security by design concept into the system development life cycle, considering the design, development, implementation, and modification of functions related to the elements.
Document the system boundaries, operation environment, method of implementing the security requirements, and method of connecting to other systems.
Make a list of external information systems.

L1.005 Implement PDCA cycle for security measures

Incapable of responding to new security incidents.

Risk impact
The delay in countermeasures against security incidents causes spread of security damages.
Cause similar security incidents due to inadequate allocation of staff for security measure implementation, lack of staff expertise, and insufficient preparation for recurrence prevention.

Implement PDCA cycle on security risks.
Continuously gather the latest vulnerability information on components, systems, and other elements.

Key aspects of the measure
Implementation of PDCA cycle on security risks and continuous improvement of the security management system allows you to respond quickly to future security incidents.

Prepare the structure that continuously improves the process of protecting the elements by assessing the lessons learned from the security incident responses and the results of monitoring, measuring, and evaluating the internal and external attacks.
Establish, manage, and agree upon the risk management processes by the organization and the stakeholders.
Obtain the latest vulnerability information and incorporate it into the security rules and security operation manual.
Conduct risk assessments regularly to check if the security rules for managing the elements are effective and applicable to the components for implementation.
Continuously improve the process of detecting security incidents.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organization
Establish, manage, and agree upon the risk management processes by the organization and the stakeholders.
Review the security policy as necessary.
Assess the lessons learned from the security incident response and the results of monitoring, measuring, and evaluating the internal and external attacks, and then establish a system to continuously improve the processes of protecting the elements.
Conduct a risk assessment on a regular basis to check if the security rules for managing the elements are effective, including how the components are implemented.
- Prepare the structure for appropriate self-assessment and the third-party assessment as needed.
- Develop a vulnerability management plan and modify the plan according to the plan.
- Document newly identified vulnerabilities if the risk is tolerable or mitigate the risk for the particular measure.
- Compile procedures on incorporating, for example, how to fix identified problems and how to reduce vulnerabilities, into the security operation manual.
- Based on the lessons learned from the recovery procedure, conduct training and tests on the recovery procedure and update the security operation manual.
Continuously improve the process of detecting security incidents.
- Always check and collect publicly available information regarding the elements' latest vulnerabilities and establish the structure handling related issues.
- As part of the monitoring process, test regularly if the functions for detecting security incidents work as intended and verify the validity of these functions.
- Detect security incidents in the monitoring process, in compliance with the applicable local regulations, directives, industry standards, and other rules.
- Monitor the actions of suppliers to detect potential security incidents.
Continuously conduct security incident response training for all staff members in the organization and the stakeholders, and regularly test their response capabilities.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.

People

Component

Data

Procedure

System

L1.006 Regular training and education

The security measures implemented within the organization are not consistent.

Risk impact
The delay in countermeasures against security incidents causes spread of security damages.

Education on security measures on a regular basis.
Security incident response training on a regular basis.

Key aspects of the measure
The training ensures all staff members in the organization understand the operations that take security measures into consideration and the security incident response. The operations and responses are reviewed periodically. This can prevent delay in security incident response and exacerbation of security-related damages.

Conduct appropriate training and security education necessary to fulfill their assigned roles and responsibilities for all staff members in the organization, and notify them of the existence of the security policy, security rules, and security response manuals.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organization
Appropriate training and security education necessary to fulfill their assigned roles and responsibilities are conducted for all staff members in the organization (system owner, systems administrator, users, etc.), and they are notified of the security policy, security rules, and security response manuals.
- Establish the capabilities to respond to security incidents, including appropriate preparation, detection, analysis, suppression (containment), recovery, and dealing with clients.
- Prepare the reporting structure for internal fraud, and conduct awareness training for staff members in the organization. (Examples of internal fraud: Accessing information unrelated to his/her work due to dissatisfaction with the excessive workload, violating the organizational operation rules, etc.)
- Test the organization's response capabilities with suppliers and third-party providers for security incident responses.
- Provide security awareness training on recognizing and reporting potential indicators of insider threats.

People
All staff members in the organization receive appropriate training and security education necessary to fulfill their assigned roles and responsibilities, to comprehend the security policy, security rules, and security response manuals.
- Test the response capabilities regularly for the security incident response.

Component

Data

Procedure

System

L1.007 Management of components, systems, and other assets

Incapable of asset management of devices and others that connect to the cyber space.

Risk impact
Devices and others that were overlooked when security measures were introduced cause security risks, allowing unauthorized access from the outside or becoming the source of malware infection.

Inventory-taking and asset management of devices and others.
Appropriate asset operations with devices and others.

Key aspects of the measure
By making sure the configuration management and change management are conducted for devices, you can control the security incidents that exploit unmanaged devices, including the devices used in workplaces without authorization, which may attack other devices.

Conduct configuration management and change management of devices and others.
Manage the configuration of the devices and others and their setting information continuously, and document and save the hardware and software information in the relevant systems.
Manage important information such as the IDs (identifiers), private keys and digital certificates after clarifying the management method.
Prioritize the hardware and software resource allocation based on type, importance, and business value.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organization
A rule specifying the acceptable use of the information and the assets related to the data processing facilities and documents should be clarified.
Configuration management and change management of assets (devices and others) are conducted.
- Document the procedure on removal, transfer, and disposal of all elements that enter and exit the facilities.
- Create and save the network configuration diagram and data flows of the organization.
- Create, update, and save any changes in an asset (disposal, addition, replacement, etc.) in the configuration management information documents. The retention period of this record is determined based on its application.
- Carry out the approval process considering the past changes, audit on the change, review process, and security-related impacts.

People
Authorize the users according to the personal transaction risks (security-related risks for the user, privacy risks, and other organizational risks).

Component
Regarding the configuration management of the devices and others, the setting information is continuously managed, and management information on hardware and software in the systems is documented and saved.
(Hardware management information: Hardware configuration information, name of hardware, serial number, owner, installed location, etc.)
(Software management information: Licensing information, version, OS, etc.)
- Attach handling warning labels and distribution restriction labels on external media, if important information is stored in the media and a distribution deadline is set.
- Use of a portable storage device is prohibited if the owner cannot be identified.
Each of the devices and others is authenticated according to the risks of each transaction (security-related risks for the user, privacy risks, and other organizational risks).

Data
Manage the user and device IDs (identifiers) and important information (private keys, digital certificates, etc.), after clarifying the management method (the use, the protection of the critical information and valid duration) in the whole life cycle.

Procedure

System
Prioritize the hardware and software resource allocation based on type, importance, and business value.
Assign IDs (identifiers) that can uniquely identify the devices and users.
Create and save network configuration diagram and data flows in the organization.

L1.008 Implementation of functions and procedures for appropriate detection and analysis of security incidents

Incapable of correctly identifying security incidents.

Risk impact
A delay in discovering a security incident causes the expansion of the security-related damages.

Establish a structure for detecting security incidents such as unauthorized access.
Perform a correlation analysis when there is an alert notification.
Perform a comparison analysis on the detected security incident with the threat information obtained from outside the organization.

Key aspects of the measure
A security incident can be identified correctly by correlating it with other security incidents and comparing it with the threat information obtained from outside the organization. The security incident information should be collected from multiple devices connected in the cyber space. For better accuracy, a holistic approach is used to pick out the information. The information obtained from inside and outside the organization is used for quick discovery of vulnerabilities and threats to consider appropriate countermeasures.

Report the security incident to the chief security officer and other relevant persons.
Determine the impact on the whole organization based on the full account of the security incident and the probable intent of the attacker.
Execute the recovery plan based on the configuration information before the security incident occurred.
Make an effort toward recovery, including the organization's reputation, after exposing the security incident.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organization
Report the security incident to the chief security officer and other relevant persons.
Obtain the analysis of the security incident from inside and outside the organization, and identify the target and determine the method of the attack.
Determine the impact on the whole organization based on the full account of the security incident and the probable intent of the attacker.
Execute the recovery plan based on the configuration information before the security incident occurred.
Further minimize security-related damages, and mitigate the impacts.
Make an effort toward recovery for the organization's reputation after exposing a security incident.

People
Report the security incident to the security administrator and other relevant persons.

Component

Data

Procedure

System
Use a monitoring function to collect data from each element and packets captured from the network. This information is integrated, and a holistic approach is used for better accuracy in the analysis of the detected security incident.

L1.009 Inclusion in the business continuity plan and contingency plan

Cannot make proper business continuity decisions when a security incident occurs.

Risk impact
Lose the organization's social functions and reputation because the organization cannot determine the impacts of the security incident and make a proper decision on whether the business operation should be continued or not.

Position the security incident response actions in the business continuity plan and contingency plan.

Key aspects of the measure
Security incidents should be included in the business continuity plan and contingency plan that define the response actions against a natural disaster, and the cyber resilience plan should also be enhanced beforehand so that a security incident is dealt with as one of the disasters and its impacts are minimized.

Define the business continuity plan and contingency plan based on the configuration information before the security incident occurs.
Minimize security-related damages and mitigate the impacts.
Utilize the lessons learned from the past security incident responses and continuously update the recovery plan.

Organization
Define the business continuity plan and contingency plan based on the configuration information before the security incident occurs.
Execute the recovery plan based on the configuration information before the security incident occurred.
Minimize security-related damages and mitigate the impacts.
Make an effort to recover the organization's social functions and reputation after a security incident.

People

Component

Data

Procedure
Utilize the lessons learned from the past security incident response and continuously update the recovery plan.

System

L1.010 Compliance with laws and regulations

Violate laws and regulations in the organization.

Risk impact
Violate the compliance in the organization.

Draft the security measures with the laws, regulations and industry guidelines taken into consideration.

Key aspects of the measure
Formulate the internal rules considering the domestic and foreign laws, including Act on the Protection of Personal Information and Unfair Competition Prevention Act, and industry guidelines, and continuously review and revise these laws, regulations, and industry guidelines. This process allows you to maintain fair business competition even when you share data with other business organizations.

Document and manage the security rules, understanding security-related regulations and requirements, including privacy and human rights obligations.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organization
Document and manage the security-related regulations and requirements, understanding privacy and human rights obligations.
- Update the security rules immediately after a change is made in the local laws, ordinances, directives, industry standards, and other rules.
- Detect security incidents in the monitoring process, complying with the applicable local laws, ordinances, directives, industry standards, and other rules.
- Execute an appropriate procedure to ensure that the requirements in laws, ordinances, and regulations regarding the use of software products, intellectual property rights, and contracts of ownership are met.
- Use the encryption function following associated agreements, laws, ordinances and regulations.

People

Component

Data

Procedure

System

L1.011 Management of records on produced components

Cannot identify the real issues that occurred related to the supply chain.

Risk impact
Prolong the operational optimization for production in a supply chain due to the lack of problem identification and solutions for the entire supply chain process to generate your values (components).

Define the method to identify the produced components, create the production records, and keep them for a certain period of time, so that the information on produced components can be audited later.

Key aspects of the measure
Define the method of identifying the produced components by assigning numbers based on the importance of the produced component in the supply chain, create the records of production date/time and the component's condition based on these importance levels, and establish internal controls related to production to keep these records for a certain period of time.
Share the understanding of the importance level of records on produced components with the partners and maintain an appropriate level of records management along with the internal controls about production based on the importance levels, because there may be an auditing process later.

Organization
Establish internal control rules for production records.

People

Component
Create and keep the production records based on the internal control rules.

Data

Procedure

System

L1.012 Protection of privacy

Privacy information (data) may be used, collected through the devices in the workplace or through cyber space without the user's consent.

Risk impact
Cause privacy issues by collecting privacy information (data) into a system without the user's consent.

Formulate the rules on how to handle privacy information in compliance with the privacy laws.
Confirm the location of the privacy information periodically.

Key aspects of the measure
Document and use the rules on how privacy information should be handled in accordance with the OECD's eight core principles on protection of personal information and privacy. This prevents violation of privacy in the business operation.

Clarify the rules on how privacy information should be handled and restrict access to privacy information, with regard to the elements (people, component, procedure, and system).

Organization
Document and use the rules on how privacy information should be handled in accordance with the OECD's eight core principles to protect personal information and privacy.
Clarify the rules on how privacy information should be handled and restrict access to privacy information with regard to the elements (people, component, procedure, and system).

People
Restrict access to privacy information.

Component
Restrict access to privacy information.

Data

Procedure
Restrict access to privacy information.

System
Restrict access to privacy information.

L1.013 Appropriate information sharing of the security incident

Unclear security measure contents, priorities, and scope.

Risk impact
The delay in countermeasures against security incidents causes spread of security damages.

Share appropriate information of the security incidents.

Key aspects of the measure
Create a security operation manual and share appropriate information with JPCERT/CC at the time of a security incident outbreak. In addition, always obtain the latest security incident information from JPCERT/CC and utilize the information for security measures.

Clearly document an information sharing procedure in the security operation manual of the organization and use it.
Obtain the latest security incident information and utilize it for security measures.

Developing and implementing a security management system should be effective when introducing this measure.
- Information Security Management System (ISMS)
- Cyber Security Management System (CSMS)

Organization
Clearly document an information sharing procedure in the security operation manual of the organization and use it.
- Show a procedure to report detected security incidents to the appropriate person in charge with an appropriate amount of information. Show a procedure to coordinate with the persons in charge.
Obtain the latest security incident information and utilize it for security measures.

People
Understand the importance of appropriate information sharing of the security incidents and execute the measures clearly.

Component

Data

Procedure

System

3.2. [The Second Layer] Security measures for connections between physical and cyber spaces

L2.001 Introduction of secure IoT devices

Unauthorized access to IoT devices due to inadequate security measures such as weak access control.

Risk impact
Cause malfunction due to unauthorized operation of an IoT device.

Select IoT devices certified by a third party (e.g., EDSA certification (IEC )) or IoT devices confirmed by self-attestation for safe and secure use.

Key aspects of the measure
Use of IoT devices certified by a third party can prevent malfunction of the IoT devices caused by unauthorized access from an external organization.

Check known and unacceptable security risks at the planning and designing stages.
Execute the measures against known and unacceptable security risks at the planning and designing stage.
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

Organization
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.
- Establish a standard to accept the IoT devices and a testing process for new information systems and revised or updated systems.
- Select, protect, and manage the testing data carefully.

People
Check known and unacceptable security risks at the planning and designing stages.

Component
Check known and unacceptable security risks at the planning and designing stages.
Select IoT devices certified by a third party (e.g., EDSA certification (IEC )) or IoT devices confirmed by self-attestation for safe and secure use.
- Have a third party evaluate the requirement definitions and design specifications from the security perspective at the planning and design stages.

Data

Procedure

System
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

L2.002 Implementation of security by design into IoT devices

Use of IoT devices which are not going through security considerations.

Risk impact
Increase the costs and take longer time to deal with the vulnerabilities on the IoT devices.

Select IoT devices implemented considering security risks at the planning and designing stages.

Key aspects of the measure
Prevent cost increase in implementing security measures for IoT devices in the operation phase and reworking procedure at the time of the development, by introducing IoT devices considering security risks at the planning and designing stages.

Check known and unacceptable security risks at the planning and designing stages.
Execute the measures against known and unacceptable security risks at the planning and designing stage.
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

Organization
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

People
Check known and unacceptable security risks at the planning and designing stages.

Component
Measures on existing unacceptable security risks are taken from the planning and design phases.

Data

Procedure

System
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

L2.003 Introduction of IoT devices considering functional safety

Use of IoT devices without considering functional safety.

Risk impact
Harm the workers by the operations using the IoT devices or damage the devices.

Introduce the IoT devices considering functional safety.

Key aspects of the measure
Use of the IoT devices considering functional safety can prevent the IoT device's operations from harming the workers or damaging the devices, regardless of normal or abnormal operations.

Check known and unacceptable security risks at the planning and designing stages.
Execute the measures against known and unacceptable security risks at the planning and designing stage.
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.
Introduce the IoT devices considering functional safety assuming that these devices are connected to the network.

Organization
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

People
Check known and unacceptable security risks at the planning and designing stages.

Component
Check known and unacceptable security risks at the planning and designing stages.
Introduce the IoT devices considering functional safety assuming that these devices are connected to the network.

Data

Procedure

System
Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

L2.004 Introducing genuine products into IoT devices

Contaminated with fraudulent IoT devices and software.

Risk impact
Cause contamination with falsified information (data) and frequent machine failures due to low-quality and unreliable imitation or counterfeit products (including software used for IoT devices).

Introduce the genuine IoT devices that are approved by the device supplier.
Introduce the genuine software that is approved by the software supplier.

Key aspects of this measure
Use the genuine IoT devices that can be verified as official IoT devices to prevent contamination with fraudulent information (data), frequent machine failure and malfunction, and deterioration of operational efficiencies, caused by using fraudulent IoT devices of low quality with low reliability such as counterfeit products. Also, use the software approved as genuine software to prevent deterioration of operational efficiency associated with the infection of malware and the mixture of incorrect information (data) caused by the use of software of low quality with low reliability such as counterfeit products.

For each of the IoT devices and software, check the IDs (identifiers) indicating its uniqueness and the important information (private key, digital certificate).
Identify and verify the suppliers of each IoT device and software (verification of integrity) in order to confirm the product authenticity.
Confirm on a regular basis that IoT devices and software are genuine products (during booting up process).

Organization
Introduce the concept of system development life cycle with security taken into consideration for the design, development.
Introduce genuine products from the approved suppliers while identifying the supplier of each IoT device and software.
Identify and verify the suppliers of each IoT device and software (verification of integrity) in order to confirm the product authenticity.

People

Component
For each of the IoT devices and software, check the IDs (identifiers) indicating its uniqueness and the important information (private key, digital certificate etc.).
Define the valid date and year (expiry date) for each digital certificate.
Supply the IoT devices and software in a way that detects (or prevents) falsification/leakage during shipments.
- For hardware shipments, security courier, protection seal, etc.
- For digital transfer, encryption, hash of the entire transmitted data, etc.

Data

Procedure
Identify and approve the suppliers of each IoT device and software in order to confirm the authenticity of each product.
Confirm on a regular basis that IoT devices and software are genuine products (during booting up process).

System
Introduce a system development life cycle considering security risks in designing, developing, implementing and repairing the functions of IoT devices.
Identify the supplier of each IoT device and software, and introduce genuine products from the suppliers.
Assign IDs (identifiers) that uniquely identify the IoT device and software.

L2.005 Adequate security settings for IoT devices

False operations of the IoT devices.

Risk impact
Cause malfunction by unauthorized access to IoT devices.

Define the initial setting procedure (password etc.) for the IoT devices.
Apply setting values appropriate for the environment where the IoT devices are used, including the suspension of unneeded services.

Key aspects of the measure
Prevent the change in settings and malfunction of IoT devices by unauthorized access to IoT devices through the strong password setting and password-sharing among service person and devices, regular changes in passwords, and the use of setting values suitable for the environment.

Define the updating methods from the initial setting (password etc.) and the setting values of the IoT devices.
Check the initial default setting values before installing the IoT devices.

Organization
Define the updating method from the initial setting (password etc.) and the setting values of the IoT devices, and add them to the security rules.
- Enforce a minimum password complexity and change of characters when new passwords are created.
- Prohibit password reuse for a specified number of generations.
- Allow temporary password use for system logons with an immediate change to a permanent password.

People
Make settings for IoT devices according to the security rules.

Component
Adopt the principle of least functionality to set up IoT devices providing only essential capabilities.

Data

Procedure
Confirm the initial default setting values before installing IoT devices.

System
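The three password rules listed under Organization in L2.005 can be enforced together at the point where a device credential is changed. The following Python sketch is an added example, not part of the framework; the thresholds, the `DeviceAccount` class and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed policy values; the framework leaves the numbers to the organization.
MIN_LENGTH = 12            # minimum password length
MIN_CLASSES = 3            # lower / upper / digit / symbol classes required
MIN_CHANGED_CHARS = 4      # "change of characters" relative to the old password
HISTORY_GENERATIONS = 3    # generations (including the current one) that may not be reused
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored history does not reveal old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to measure how many characters really changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def complexity_violations(password: str) -> list:
    """Rule 1a: minimum complexity."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


@dataclass
class DeviceAccount:
    name: str
    history: list = field(default_factory=list)  # [(salt, digest)], newest last
    temporary: bool = False                      # True while a temporary password is set

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt), digest)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        del self.history[:-HISTORY_GENERATIONS]  # keep only the last N generations

    def issue_temporary(self, password: str) -> None:
        """Rule 3: an administrator sets a temporary password for first logon."""
        self._store(password)
        self.temporary = True

    def logon(self, password: str) -> str:
        if not self.history or not self._matches(password, self.history[-1]):
            return "DENIED"
        # A temporary password only lets the user proceed to the change step.
        return "CHANGE_REQUIRED" if self.temporary else "OK"

    def change_password(self, current: str, new: str) -> list:
        """Return a list of violations; an empty list means the change was applied."""
        if self.logon(current) == "DENIED":
            return ["current password incorrect"]
        problems = complexity_violations(new)
        if edit_distance(current, new) < MIN_CHANGED_CHARS:   # rule 1b
            problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
        if any(self._matches(new, e) for e in self.history):  # rule 2
            problems.append("reuses a password from a recent generation")
        if not problems:
            self._store(new)
            self.temporary = False
        return problems
```

The history holds only salted digests, so the reuse check works without keeping old passwords in readable form.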

L2.006 Restricted access to IoT devices

False operations of IoT devices.

Risk impact
Cause malfunction by unauthorized access to IoT devices.

Identify, authenticate and authorize the accessing source.
Clarify conditions of starting and ending a session in communication.

Key aspects of the measure
Prevent unauthorized log-in to IoT devices through appropriate access control by identifying/authenticating the access source to the IoT devices. Moreover, prevent the unintended change in settings and malfunction of IoT devices by clarifying the confirmation items before starting a session of communication and the conditions for terminating (interrupting) the session.

Define the conditions for starting and ending a session in communication in advance.
Authorize IoT devices and users according to the transaction risks (personal security, privacy risk, and other organizational risks).

Organization
Define the conditions for starting and ending a session in communication in advance.
Authorize IoT devices and users according to the transaction risks (personal security, privacy risk, and other organizational risks).

People
Authorize users as needed.

Component
Authorize IoT devices as needed.
Identify the access sources (user, cyber space, IoT devices) before authorizing access to the system resources and services. Deny access by unauthorized access sources.

Data

Procedure
Identify the access sources before authorizing access to the system resources and services.
Define the responses (suspension, alarm etc.) for the cases of failed authorization and authentication of the access source in advance.
- Suspend/continue operation of devices.
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.
Authorize IoT devices and users according to the transaction risks (personal security, privacy risk, and other organizational risks).

System
Start and end a session in communication according to the conditions defined in advance.
- End a session in communication when the conditions defined in advance cannot be satisfied, such as when no data is transmitted or received within a specified time.
- Isolate the session-related information by locking the control screen shown immediately before terminating the session or other methods.
Prohibit remote activation of collaborative computing devices (e.g. networked white boards, cameras, and microphones) and provide indication of devices in use to the users at the device. (Note 4)

Note 4: Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.

L2.007 Countermeasures against unauthorized log-in to IoT devices

False operations of IoT devices.

Risk impact: Cause malfunction by unauthorized access to IoT devices changing the IoT device setting or extracting and analyzing information (data) in IoT devices.

Respond to failures in log-in authentication.

Key aspects of the measure: Prevent unauthorized log-in, unintended change in settings, and malfunction of IoT devices by implementing functions for lockout in the case of a specified number of failed log-in authentications, providing a time interval until the safety is ensured.

Define the responses for the case of a specified number of failed log-in authorizations and authentications in advance.

Organization: Define the responses (suspension, alarm etc.) for the case of failed authentication of the access source in advance.
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.
Define the responses (suspension, alarm etc.) for the case of successively failed log-in authentications in advance.
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

People: Grant the user authority required to control the system.
- Record the management work carried out by the user in a document.
- Define the responses when a user who does not have access authorization needs to engage in management work. (Example: The management administrator accompanies and monitors the user's operations.)

Component: Define the responses (suspension, alarm etc.) for the case of successively failed log-in authentications in advance.
- Suspend/continue operation of devices etc.
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

Data:

Procedure: Define the responses (suspension, alarm etc.) for the case of failed authentication of the access source in advance.
- Suspend/continue operation of devices.
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

System:
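The lockout behaviour that L2.007 asks for, as an added example that is not part of the framework text. The threshold, the lockout interval, the class names and the alert format are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def make_record(secret: str) -> tuple:
    """Store a salted PBKDF2 hash instead of the log-in secret itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def check_secret(record: tuple, secret: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


@dataclass
class LockoutPolicy:
    max_failures: int = 3       # the "specified number" of failures (assumed value)
    lockout_seconds: int = 300  # time interval before log-in is allowed again (assumed)


@dataclass
class LoginGuard:
    policy: LockoutPolicy
    accounts: dict                                   # account name -> make_record() output
    failures: dict = field(default_factory=dict)     # successive failures per account
    locked_until: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)       # stands in for the report to administrators
    dummy: tuple = field(default_factory=lambda: make_record("unused"))

    def attempt(self, account: str, secret: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'; `now` is passed in so the logic is testable."""
        if now < self.locked_until.get(account, 0):
            # Even a correct secret is refused until the interval has passed.
            self.alerts.append((now, account, "attempt-during-lockout"))
            return "locked"
        known = account in self.accounts
        # Hash against a dummy record for unknown names so timing does not reveal them.
        matches = check_secret(self.accounts.get(account, self.dummy), secret)
        if known and matches:
            self.failures.pop(account, None)  # only successive failures count
            return "ok"
        if not known:
            self.alerts.append((now, account, "unknown-account"))
            return "denied"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.policy.max_failures:
            self.locked_until[account] = now + self.policy.lockout_seconds
            self.failures[account] = 0
            self.alerts.append((now, account, "locked-out"))
            return "locked"
        return "denied"
```
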

L2.008 Physical security measures for IoT devices

False operations of IoT devices.

Risk impact: Cause malfunction due to malware infection by unauthorized physical access to IoT devices.

Record and monitor physical access by means of surveillance cameras. Restrict physical access by means of locks and entrance/exit controls.

Key aspects of the measure: Provide physical security measures for IoT devices and the areas where the devices are installed. By means of the above, prevent unauthorized access to IoT devices and malware infection.

Implement measures such as locking the areas where IoT devices are installed, introducing entrance/exit control, biometric authentication, surveillance cameras, and inspection on belongings and body weight, etc. Physically block unnecessary network ports, USBs, and serial ports accessing directly to the main bodies of IoT devices.

Organization: Clarify the facilities the staff in charge can enter and exit depending on the role. Provide anti-theft measures (Ex: lock) for important IoT devices.

People: Restrict the places the staff in charge can enter and exit depending on the role.

Component: Adopt the principle of the minimum functions by setting IoT devices to provide only basic features.

Data:

Procedure: Record and monitor physical access by installing surveillance cameras and obligate the person in charge to accompany outsiders when they enter and exit rooms according to the security operation manual. Design and apply the procedure about the work area to keep security.

System: Implement measures such as locking the areas where IoT devices are installed, introducing entrance/exit control, biometric authentication, surveillance cameras, and inspection on belongings and body weight etc. Provide anti-theft measures (Ex: lock) for important IoT devices.

L2.009 Maintaining the availability of IoT devices

Faults and failures of IoT devices.

Risk impact: Cause negative impacts to operations due to the failures of functions of IoT devices, communication devices, and the circuit.

Secure sufficient systems resources (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack. Ensure periodical backup, quality management, redundancy, and reserve resources.

Key aspects of the measure: Secure sufficient systems resources (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack. Moreover, maintain availability by ensuring periodical backup, quality management, redundancy, and reserve resources. By means of the above, security damage can be prevented from spreading through immediate identification of the cause and restoration of services even in the case when a failure occurs in the IoT device, communication device or the circuit at the site.

Select the supplier of the IoT devices and the services with an established support structure and help desk. Carry out periodical systems backup and quality management, prepare standby devices and uninterruptible power supply as well as redundancy and detection of failure, and conduct replacement work, and software updates for the components (IoT devices, communication devices, and circuits, etc.). Secure sufficient resources for the system (processing capability, communication bandwidths, storage capacity) and realize availability so that no service activities will be suspended even in the case of cyber attack such as denial of service attack.

Organization: Select the supplier for IoT devices and services with an established support structure and help desk. Introduce a system development life cycle considering security in designing, developing, implementing and repairing the systems functions.

People:

Component:

Data:

Procedure:

System: Introduce a system development life cycle considering security in designing, developing, implementing and repairing the systems functions. Carry out periodical system backup and quality management, prepare standby devices and uninterruptible power supply as well as redundancy and detection of failure, and conduct replacement work, and software updates for the components (IoT devices, communication devices, and circuits, etc.). Secure sufficient resources for the system (processing capability, communication bandwidths, storage capacity) and realize availability so that no service activities will be suspended even in the case of cyber attack such as denial of service attack. Under cyber attack such as denial of service attack, continue actions in the predefined state. (Ex: Normal operation, abnormal operation, or restoration work)

L2.010 Appropriate disposal of IoT devices

Dispose IoT devices in an inappropriate procedure.

Risk impact: Misuse disposed IoT devices and manufacture fraudulent IoT devices.

Dispose IoT devices in an appropriate procedure.

Key aspects of the measure: When disposing of an IoT device, delete (or make unreadable) the information (data) stored in the device and the ID (identifier) uniquely identifying the genuine IoT device as well as important information (private key, digital certificate etc.). By means of the above, prevent the creation of fraudulent or counterfeit IoT devices.

When disposing IoT devices, specify the procedure of deleting information (data) (or for making it unreadable), and define it in the security rules. Make the data unreadable by irreproducible means not only for displays identifiable through sense of sight and touch but also for storage areas and anti-tampering devices. Establish a management procedure including a disposal procedure with disposal means specified by the manufacturer.

Organization: When disposing of IoT devices, specify the procedure for deleting information (or data) (or for making it unreadable), and define it in the security rule.
- The above-mentioned provision shall be applied to information (data) stored inside and the IDs (identifiers) uniquely identifying the official IoT devices, as well as important information (private key, digital certificate).
- Make the data unreadable by irreproducible means not only for displays identifiable through sense of sight and touch but also for storage areas and anti-tampering devices.
Establish a management procedure including a disposal procedure with disposal means specified by the manufacturer.

People: Comply with the disposal procedure based on the security rules. Delete important information in IoT devices before starting maintenance work. Delete backup data whose retention period has expired. Delete the work history related to the management and disposal of IoT devices.

Component:

Data:

Procedure: Confirm the work history related to the management and disposal of IoT devices. Delete important information in IoT devices before starting maintenance work. Specify the retention period of backup data and the treatment of the data after the expiry of the retention period (deletion etc.).

System:

L2.011 Countermeasures against counterfeit software of IoT devices

False operations of IoT devices.

Risk impact: Cause malfunction by malware activated during start up process of the IoT devices.

Introduce IoT devices equipped with a function for confirming an appropriate software start up process. Introduce IoT devices equipped with a function to prevent counterfeit software start up process.

Key aspects of the measure: Prevent damage to IoT devices including malfunction caused by the infection of malware by checking the integrity of activated software and preventing the activation of counterfeit software at the start-up of each IoT device. Meanwhile, it is required to confirm the record of the software start-up process also from remote places.

Record the verification results of software integrity. Verify the results of software integrity from the remote places.

Organization: Introduce the genuine products from the supplier after identifying the appropriate supplier of each software. Identify and authorize the supplier to confirm the authenticity of the genuine software. Introduce a system development life cycle considering security risks in designing, developing, implementing and repairing the software functions.

People: (None)

Component: Activate only the software with verified integrity. Record the verification results of software integrity. Provide a checksum to verify the results of software integrity. Make it possible to verify the result of software integrity from remote places.

Data: Provide a checksum to verify the integrity of software and setup data.

Procedure: (None)

System: Introduce a system development life cycle considering security risks in designing, developing, implementing and repairing the functions of software.
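One way to implement the start-up check in L2.011, as an added example that is not part of the framework text. The function names, the JSON record layout and the use of a boot identifier are assumptions; the record is protected with a keyed HMAC rather than a plain checksum so that the remote side can detect an altered record.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(genuine_images: dict) -> dict:
    """Checksums of the genuine software, produced by the supplier (name -> SHA-256)."""
    return {name: sha256_hex(blob) for name, blob in genuine_images.items()}


def _tag(record: dict, device_key: bytes) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_key, body, hashlib.sha256).hexdigest()


def verify_at_startup(images: dict, manifest: dict, device_key: bytes, boot_id: int):
    """Check every image before activation and return (activated names, report).

    The manifest is assumed to sit in storage the software under test cannot write.
    """
    results = {}
    for name in sorted(manifest):
        blob = images.get(name)
        if blob is None:
            results[name] = "missing"
        elif hmac.compare_digest(sha256_hex(blob), manifest[name]):
            results[name] = "verified"
        else:
            results[name] = "mismatch"
    for name in sorted(set(images) - set(manifest)):
        results[name] = "unlisted"  # software the manifest does not know is never started
    activated = [name for name, outcome in results.items() if outcome == "verified"]
    record = {"boot_id": boot_id, "results": results}
    return activated, {"record": record, "tag": _tag(record, device_key)}


def remote_check(report: dict, device_key: bytes, expected_boot_id: int) -> str:
    """Run by the remote management side on the report a device sends after start-up."""
    if not hmac.compare_digest(_tag(report["record"], device_key), report["tag"]):
        return "record-tampered"
    if report["record"]["boot_id"] != expected_boot_id:
        return "stale-record"  # an old, genuine report replayed for a later start-up
    bad = sorted(n for n, r in report["record"]["results"].items() if r != "verified")
    return "clean" if not bad else "failed:" + ",".join(bad)
```
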

L2.012 Prevention of IoT devices from being infected with malware

False operations of IoT devices.

Risk impact: Cause malfunction due to malware infection by unauthorized access to IoT devices.

Conduct virus check on IoT devices.

Key aspects of the measure: Prevent the IoT devices at the site from being infected with malware by conducting virus check on a regular basis (at the time of start-up process).

Check the existence of any virus infection at the time of update for applying security patch or adding software. Check the existence of any virus infection on a regular basis (at the time of start-up process). Control communications between IoT devices, such as blocking communications except for whitelisted ones.

Organization: Check the existence of any virus infection at the time of update for applying security patch or adding software. Check the existence of any virus infection on a regular basis (at the time of start-up process). Control communications between IoT devices, such as blocking communications except for whitelisted ones.

People:

Component: Control communications between IoT devices, such as blocking communications except for whitelisted ones.

Data:

Procedure: Check the existence of any virus infection at the time of update for applying security patch or adding software. Check the existence of any virus infection on a regular basis (at the time of start-up). Check the results if any virus infection exists.

System: Introduce antivirus software.

L2.013 Continuous vulnerability countermeasures for IoT devices

False operations of IoT devices.

Risk impact: Cause malfunction due to malware infection exploiting the vulnerabilities in the IoT devices.

Update the security patch for IoT devices periodically.

Key aspects of the measure: If IoT devices that have vulnerabilities continue operating, unauthorized log-in and operations by outsiders are likely. Prevent security incidents and the spread of security damage by taking periodical vulnerability countermeasures for IoT devices.

Periodically acquire security patches and apply them to IoT devices as needed. Check the update history of the security patches for IoT devices.

Organization: Establish a structure to periodically check and collect public information on the vulnerabilities of components as needed.

People:

Component: Introduce IoT devices that allow applying security patches, software updates, and setting changes.

Data:

Procedure: Periodically acquire security patches and apply them to IoT devices as needed. Check the update history of the security patches for IoT devices.

System:

L2.014 Remote update of IoT devices

Taking a long time to address the cases after finding vulnerabilities in IoT devices (applying security patches).

Risk impact: The delay in countermeasures against security incidents causes spread of security damages.

Take immediate vulnerability countermeasures for IoT devices.

Key aspects of the measure: Implement a mechanism for remote updates at once (operating system, driver, application) through remote operations for the IoT devices. By means of the above, vulnerability countermeasures are taken quickly for the IoT devices, avoiding vulnerable operation.

Start remote updates once mutual authentication is complete with the remote place. Carefully handle software updates against wiretapping and tampering.

Organization: Establish a structure to periodically check and collect public information on the vulnerabilities of components as needed.

People:

Component: Implement a mechanism for remote updates at once (operating system, driver, application) through remote operations for the IoT devices.
- Ensure the update can resume or restart even if the software update operation is suspended in the middle.

Data: Guard against wiretapping and tampering during software update operations using appropriate encryption and Message Authentication Code (MAC).

Procedure: Start remote updates once mutual authentication is complete with the remote place.

System: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate the connections once nonlocal maintenance is complete.
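The MAC-protected, resumable transfer that L2.014 describes, sketched as an added example that is not part of the framework text. The chunk format, the function names and the shared key are assumptions: the key is taken to come from the mutual authentication step, and encryption of the channel is left to the transport.

```python
import hashlib
import hmac
import struct


def mac(key: bytes, label: bytes, update_id: int, index: int, total: int, payload: bytes) -> bytes:
    """HMAC over a label plus (update id, chunk index, chunk count) and the payload."""
    header = label + struct.pack(">QII", update_id, index, total)
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def package(key: bytes, update_id: int, image: bytes, chunk_size: int):
    """Update-server side: split the image and tag the manifest and every chunk."""
    parts = [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]
    total = len(parts)
    digest = hashlib.sha256(image).digest()
    manifest = (update_id, total, digest, mac(key, b"M", update_id, 0, total, digest))
    chunks = [(i, p, mac(key, b"C", update_id, i, total, p)) for i, p in enumerate(parts)]
    return manifest, chunks


class UpdateReceiver:
    """Device side. `staged` stands in for flash that survives an interrupted transfer."""

    def __init__(self, key: bytes):
        self.key = key
        self.update_id = None
        self.total = 0
        self.digest = b""
        self.staged = []
        self.installed = None

    def begin(self, update_id, total, digest, tag) -> int:
        """Check the manifest; return the chunk index to resume from, or -1 if rejected."""
        try:
            expected = mac(self.key, b"M", update_id, 0, total, digest)
        except (struct.error, TypeError):
            return -1
        if total < 1 or not hmac.compare_digest(expected, tag):
            return -1
        if update_id != self.update_id or digest != self.digest:
            # A different update: discard anything staged for the previous one.
            self.update_id, self.total, self.digest, self.staged = update_id, total, digest, []
        return len(self.staged)

    def accept(self, index: int, data: bytes, tag: bytes) -> str:
        if self.update_id is None:
            return "no-session"
        if not isinstance(index, int) or not 0 <= index < self.total:
            return "out-of-order"
        # The tag covers the index, so a genuine chunk cannot be moved to another position.
        if not hmac.compare_digest(mac(self.key, b"C", self.update_id, index, self.total, data), tag):
            return "bad-tag"
        if index != len(self.staged):
            return "out-of-order"
        self.staged.append(data)
        if len(self.staged) < self.total:
            return "ok"
        image = b"".join(self.staged)
        self.update_id, self.staged = None, []
        if not hmac.compare_digest(hashlib.sha256(image).digest(), self.digest):
            return "digest-mismatch"
        self.installed = image  # only a complete, verified image is ever installed
        return "complete"
```
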

L2.015 Management of software introduced for IoT devices

Install counterfeit software in the IoT devices.

Risk impact: Cause malfunction due to malware infection by counterfeit software installed in the IoT devices.

Check installed software before introducing an IoT device. Restrict adding software to an IoT device.

Key aspects of the measure: Prevent malfunction caused by unintended operations of software and creation of false information (data) by IoT devices infected by malware, by introducing the IoT devices equipped with a function to restrict the installation of software requiring a special authority.

Restrict the software by using the lists allowing add/delete/update actions in IoT devices (white list) and prohibiting these functions (black list). Restrict the software use and add/delete/update functions by the role of the user. Monitor the addition/deletion/updating actions of software, keep records of the operation history and audit logs according to the security rules, and review regularly.

Organization: Specify the software to be used for each IoT device.

People: Restrict the software use and add/delete/update functions by the role of the user.

Component: Introduce IoT devices that allow applying software update and change in settings.

Data:

Procedure: Monitor the addition/deletion/updating actions of software, keep records of the operation history and audit logs according to the security rules, and review regularly.

System: Restrict the software by using the lists allowing add/delete/update actions in IoT devices (white list) and prohibiting these functions (black list).

L2.016 Isolation of the functions of IoT devices

False operations of the system control functions to manage IoT devices.

Risk impact: Cause malfunction due to changes in settings and malware infection by unauthorized access to the systems control functions.

Isolate the user functions from the system administrator functions.

Key aspects of the measure: Isolate the user functions from the system administrator functions. By means of the above, prevent unauthorized access to the controlling function of the system and malware infection associated with changes in settings.

Isolate the user functions from the system administrator functions.

Organization: Isolate the user functions from the system administrator functions.

People: Isolate the user functions from the system administrator functions.

Component: Isolate the user functions from the system administrator functions.

Data:

Procedure: Isolate the user functions from the system administrator functions.

System:

L2.017 Isolation of IoT devices in the network

False operations of the system control functions to manage IoT devices.

Risk impact: Cause malfunction due to changes in settings and malware infection by unauthorized access to the systems control functions.

Isolate the networks physically or logically.

Key aspects of the measure: Isolate the networks in the organization physically or logically. In addition, use dedicated channel for the data showing the security status (encrypted or unencrypted, security measure status of IoT devices). By means of the above, block the IoT devices having a problem by the incident, and prevent large impact to the entire network in the organization by unauthorized access and network overload.

Organization: Isolate the networks physically or logically. Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status, IoT device configuration information).

People:

Component:

Data:

Procedure:

System: The system should be connected only with a specified network (communications partner). Separate the network in an organization from the other networks by a physical or logical method. Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status, IoT device configuration information).

L2.018 Countermeasures against unauthorized access through a wide-area network to IoT devices

False operations of the IoT devices.

Risk impact: Cause malfunction due to malware infection by unauthorized access to IoT devices.

Detect cyber attacks by network monitoring. Introduce firewalls, IDS (intrusion detection system), and IPS (intrusion prevention system). Check the existence of any unauthorized connection determined based on the MAC address of the connection source, installation site of the IoT devices, and access time/frequency.

Key aspects of the measure: Install firewalls, IDSs and IPSs and monitor the status at the connection points between the networks in the organization controlling IoT devices and wide-area networks. By means of the above, prevent unauthorized access from wide-area networks and malware infection/cyber attacks.

Define the events and conditions for monitoring according to the specifications of the system (protocol, connection destination). Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status and IoT device configuration information). Deny the communication using IoT devices as the default setting except for using an authorized protocol.

Organization: Isolate the networks in the organization physically or logically. Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status, IoT device configuration information).

People:

Component:

Data:

Procedure: Define the responses for a case of abnormal communication found in advance.
- Suspension/continuation of operation of devices etc., nullification/retransmission of data.
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.
Separate the network controlling IoT devices in an organization from wide-area networks.

System: Separate the network controlling IoT devices in an organization from wide-area networks. Monitor communication at the connection points between the network controlling IoT devices in an organization and wide-area networks. Deny the communication using IoT devices as the default setting except for using an authorized protocol. Define the events and conditions for monitoring according to the specifications of the system (protocol, connection destination). Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status, IoT device configuration information).

L2.019 Response to unauthorized wireless connections to IoT devices

False operations of the IoT devices.

Risk impact: Cause malfunction due to malware infection by unauthorized access to IoT devices.

Restrict wireless connection through Bluetooth. Enhance authentication of wireless LAN access points.

Key aspects of the measure: Nullify unneeded wireless connection functions (Bluetooth and wireless LAN, etc.), and restrict unidentified wireless connections to IoT devices. In addition, set appropriate settings for the authorized connection destinations and data encryptions. By means of the above, prevent unauthorized access to IoT devices and malware infection as well as malfunctions.

When wireless LAN is used, set up the appropriate environment configuration (ESSID, MAC address filtering, enhanced encryption (WPA2, etc.)). Correctly authorize wireless connection destinations (users and IoT devices).

Organization: Define the security rules in the conditions to limit wireless connections and environment configurations in advance.

People: Use wireless communication according to the security rules.

Component: Nullify unneeded wireless connection functions (Bluetooth and wireless LAN). Restrict unidentified wireless connection destinations (Bluetooth and wireless LAN). Encrypt wireless communication routes and transmitted data itself. Correctly authorize wireless connection destinations (users and IoT devices).

Data:

Procedure: Start communication after authenticating each wireless connection destination (user and IoT devices).

System: Use the authentication functions with the wireless communication partner at the access points.

L2.020 Centralized management for IoT devices

Prolong finding the operation status of the IoT devices and detecting the security incidents.

Risk impact: The delay in countermeasures against security incidents causes spread of security damages.

Introduce a centralized mechanism to manage the status information for IoT devices.

Key aspects of the measure: Conduct centralized information management for operating status of IoT devices, audit log, device settings, and software configuration from a remote location. By means of the above, understand the operating status and detect security incidents promptly.

Define the responses to the cases in advance, when detecting abnormal behavior from remote location. Start centralized management from a remote location once mutual authentication is complete.

Organization: Conduct centralized information management for operating status of IoT devices, audit log, device settings, and software configuration from a remote location. Define the responses to the cases in advance, when detecting abnormal behavior from remote location.
- Suspension/continuation of operation of devices etc., nullification/retransmission of data.
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.
Isolate the network controlling IoT devices in the organization from wide-area networks.

People:

Component: Introduce a centralized mechanism to manage the status information for IoT devices, audit log, device settings and software configuration from a remote place.

Data: Handle the information (data) on IoT devices according to the security rules.
- Deliver and store important information such as key information used for the user and IoT devices authentication after encryption.
- Provide a checksum to verify the integrity of records including audit log.

Procedure: Start centralized management from a remote location once mutual authentication is complete.

System: Assign an ID (identifier) that can uniquely identify each user. Assign an ID (identifier) that can uniquely identify each IoT device.

L2.021 Detection of abnormal behavior of IoT devices

False operations of the IoT devices.

Risk impact: Harm the workers by the operations using the IoT devices or damage the devices.

Suspend the operation detecting abnormal behavior by comparing the instructed behavior of the IoT device with the actual behavior.

Key aspects of the measure: Prevent the injuries of the workers on site and minimize the IoT machine failures caused by the malfunction of an IoT device, comparing the instructed behavior of the IoT device with its actual behavior, by implementing a mechanism for safety function to detect abnormal behavior that can be determined as unauthorized IoT devices.

Validate whether the information (data) provided from the cyber space is within the permissible range before operations. Define in advance the responses (suspension, alarm etc.) when determined as out of tolerance range or abnormal.

Organization: Transmit and receive information (data) according to the standard defined in the security rules. Define in advance the responses when determined as out of tolerance range or abnormal (outside the permissible range, not matching expected values).
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

People:

Component: Validate whether the information (data) provided from the cyber space is within the permissible range before operations. Conduct a comparison verifying the instructed behavior of the IoT devices with its actual behavior.

Data:

Procedure: Define in advance the responses when determined as out of tolerance range or abnormal (outside the permissible range, not matching expected values).
- Suspend/continue operation of device and nullify/retransmit the data.
- Give alert/report to the system administrators or the security administrators within the scope of system impacts.
Continue the actions of IoT devices statuses defined in advance.
- Ex: Normal operation, abnormal operation, or restoration work.

System:
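The range validation and instructed-versus-actual comparison in L2.021, as an added example that is not part of the framework text. The limits, the count of consecutive deviations and the state names are assumptions; readings are taken to be steady-state samples, so no settling time after a new command is modelled.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Limits:
    low: float             # permissible range for commands arriving from cyber space
    high: float
    tolerance: float       # allowed |instructed - actual|
    max_consecutive: int   # successive deviations tolerated before suspension


@dataclass
class SafetyMonitor:
    limits: Limits
    state: str = "normal"  # "normal" or "suspended" (responses defined in advance)
    setpoint: Optional[float] = None
    deviations: int = 0
    alerts: list = field(default_factory=list)  # stands in for the report to administrators

    def command(self, value: float) -> str:
        """Validate an instruction before it is allowed to drive the device."""
        if self.state == "suspended":
            return "rejected-suspended"
        # Written so that NaN, which fails every comparison, is rejected as well.
        if not (self.limits.low <= value <= self.limits.high):
            self.alerts.append(("out-of-range", value))
            return "rejected-out-of-range"
        self.setpoint = value
        self.deviations = 0
        return "accepted"

    def observe(self, actual: float) -> str:
        """Compare a sensor reading with the instructed value; return the resulting state."""
        if self.state == "suspended" or self.setpoint is None:
            return self.state
        within = abs(actual - self.setpoint) <= self.limits.tolerance  # False for NaN
        self.deviations = 0 if within else self.deviations + 1
        if self.deviations >= self.limits.max_consecutive:
            self.state = "suspended"
            self.alerts.append(("behavior-mismatch", self.setpoint, actual))
        return self.state

    def restore(self, authorized: bool) -> str:
        """Leave the suspended state only on an authorized restoration action."""
        if authorized and self.state == "suspended":
            self.state, self.setpoint, self.deviations = "normal", None, 0
        return self.state
```
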

3.3. [The Third Layer] Security measures for connections in cyber space

L3.001 Selection of reliable service suppliers

Frequent system shutdowns occur or recovery time is prolonged.

Risk impact: Cause adverse business operations due to the lack of information (data) collection and analysis, and feedback on IoT devices and the servers.

Select the service suppliers that have obtained the certification (ITSMS Certification etc.) by a third-party certification organization.

Key aspects of the measure: Select service suppliers that efficiently and effectively operate and manage services and systems operations. By means of the above, prevent decline in business operation efficiency caused by prolonged service suspension period and recurrence of service suspension.

Select the suppliers that provide safety products and services confirmed through security assessments by a third-party organization. Let the third-party organization assess the requirement definitions and design results obtained during the planning/designing stage from the security viewpoint. Clarify the role and responsibility of the suppliers in detecting security incidents to explain the accountabilities.

Organization: Select the suppliers that provide safety products and services confirmed through security assessments by a third-party organization. (Ex: ITSMS Certification (ISO/IEC 20000)) Let the third-party organization assess the requirement definitions and design results obtained during the planning/designing stage from the security viewpoint. Clarify the role and responsibility of the suppliers in detecting security incidents to explain the accountabilities.

People:

Component:

Data:

Procedure:

System:

L3.002 Introduction of IoT devices and servers etc. using anti-tampering devices

Browse the information (data) without authorization through the IoT devices and servers.

Risk impact: Leak information (data) after the IoT devices and servers, etc. were stolen, analyzing the residual information (data).

Select the IoT devices and servers etc. equipped with anti-tampering devices.

Key aspects of the measure: Prevent information (data) leak through the stolen server/IoT devices or unauthorized browsing of the devices, by using IoT devices and servers etc. equipped with anti-tampering devices.

Organization: Define security rules specifying the information (data) classification and handling standards.

People:

Component: Use the IoT devices and servers etc. equipped with anti-tampering devices for storing important information (private key, digital certificate, etc.).

Data: Encrypt the data stored in the IoT devices and servers equipped with anti-tampering devices.

Procedure:

System:

L3.003 Countermeasures against illegal log-in to the cyber space

Access information (data) in the cyber space without authorization.

Risk impact: Leak information (data) by extraction and analysis of the information (data) accessing to the system by an unauthorized user.

Implement the two-factor authentication function combining two factors of password, biometric authentication, digital certificate, etc.

Key aspects of the measure: Adopt the two-factor authentication method combining two factors for logging in to the system for the privileged user. By means of the above, prevent system information (data) leak accessing to the system by an unauthorized user.

Adopt the two-factor authentication method for the privileged user authentication. Adopt an authentication method of checking the existence of the user as one factor of the two for the method. Adopt an authentication method with anti-tampering devices as the other factor of the two for the method.

Organization: Grant the user authorization required to control the system. Make the roles and responsibilities of the security understood correctly for relevant persons, especially for the privileged users. Define the security rules in the initial setting procedure (passwords, etc.) for authentication and updating the settings.
- Require a minimum password complexity (character types, number of letters) and change of characters when new passwords are created.
- Prohibit password reuse for a specified number of generations.
- Allow temporary password use for system logons with an immediate change to a permanent password.

People: Grant the user authorization required to control the system.
- Record the management work performed by the privileged user in a document.
- Define the responses to the case when an unauthorized user is engaged in management work. (Ex: The management administrator should accompany the user and monitor the operations.)
Adopt authentication mechanisms with adequate strength for privileged users.
- Adopt two-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- Adopt replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Component:

Data:

Procedure:

System: Adopt an authentication method of checking the existence of the user as one factor of the two for the method. (Ex: Password matching, biometric identification (by fingerprints), etc.) Adopt an authentication method with anti-tampering devices as the other factor of the two for the method. (Ex: Contactless card, etc.) Require multifactor authentication to establish nonlocal maintenance sessions via external network connections, and terminate the connections when nonlocal maintenance is complete. Manage access rights separated between privileged user accounts and normal user accounts.

68 L3.004 Identification of the connection destination in the cyber space Receive communication data from a false connection destination during the transmission of the processed results with the IoT devices and servers in the cyber space as the result. Risk impact Affect business operations adversely by receiving information (data) from the cyber space different from the originally intended sources. Leak information (data) by incorrect setting of IoT devices and servers transmitting the collected data to the cyber space different from the originally intended recipients. Identify the unique connection destination. Key aspects of the measure Identify the connection destinations using the ID (identifier) of the connection destinations mutually when IoT devices and servers receive analyzed results obtained in the cyber space, or when IoT devices and servers transmit the information (data) to the cyber space. By means of the above, prevent connections with false destinations and deterioration of business operation efficiency, and leak of information (data) associated with the mixture with incorrect information (data). Have own unique IDs (identifiers) for the user, IoT devices, and servers, etc. Have IDs (identifiers) from appropriate communication partners. Before sending data, identify the communication partner (user, IoT devices and servers, etc.). Define the responses (suspension, alarm) in advance in the case of finding the communication partner to be inappropriate. Organization Define the responses (suspension, alarm etc.) in advance in the case of finding the communication partner to be inappropriate. - Give alert/report to the system administrators or the security administrators with the scope of system impacts. Isolate the network control IoT devices and servers in the organization from wide-area networks. People Have own user IDs (identifiers). Component Have own IDs (identifiers) for the IoT devices and servers. 
Have IDs (identifiers) of appropriate communication partners for the IoT devices and servers. Data Procedure Before sending data, identify the communication partner (user, IoT devices and servers). Define the responses (suspension, alarm etc.) in advance in the case of successively failed log-in authentications. - Suspend/continue operations of devices, nullify/retransmit the data. 65

69 - Give alert/report to the system administrators or the security administrators with the scope of system impacts. Isolate the network controlling IoT devices and servers in the organization from wide-area networks. System Assign an ID (identifier) that can be uniquely identified for each user. Assign an ID (identifier) that can be uniquely identified for each IoT devices and servers. 66

70 L3.005 Authentication of the connection destination in the cyber space Receive communication data by the IoT devices and servers from a false connection destination in the cyber space during the transmission of the processing result of the IoT devices and servers. Risk impact Affect business operations adversely by receiving information (data) from the cyber space different from the originally intended sources. Leak information (data) by incorrect setting of IoT devices and servers transmitting the collected data to the cyber space different from the originally intended recipients. Authenticate the connection destination by means of mutual authentications. Key aspects of the measure Authenticate the connection destination by mutual authentication in both directions, using for example digital certificates, when IoT devices and servers receive analyzed results obtained in the cyber space, or when IoT devices and servers transmit the information (data) to the cyber space. By means of the above, prevent unauthorized access caused by spoofing, deterioration of business operation efficiency due to mixture with incorrect information (data), and leak of information (data). Conduct mutual authentication before sending data. Define the responses in advance in the case of failed authentications. Organization Define the responses in advance in the case of failed authentications. - Give alert/report to the system administrators or the security administrators with the scope of system impacts. People Correspond to user authentication as needed. Component Conduct mutual authentications before sending data. Data Procedure Authorize the user authentication as needed. Conduct mutual authentication before sending data. - Conduct mutual authentication after successfully identifying the communication destinations. - Define the responses in advance in the case of failed authentications.
- Suspend/continue operation of devices as necessary - Give alert/report to the system administrators or the security administrators with the scope of system impacts. System Correspond to user authentication as needed. Conduct mutual authentications before sending data. 67

71 L3.006 Physical security measures against unauthorized accesses to IoT devices and servers etc. Falsely operate the IoT devices and the servers. Risk impact Leak information (data) through unauthorized physical access to IoT devices and servers. Record and monitor physical access by surveillance cameras, etc. Restrict physical access by locks and entrance and exit controls, etc. Key aspects of the measure Provide physical security measures for IoT devices and servers as well as the areas where the devices are installed. By means of the above, prevent leak of information (data) by preventing unauthorized access to IoT devices and servers. Implement measures such as locking the areas where IoT devices and servers etc. are installed, introducing entrance and exit control, biometric authentication, surveillance cameras, and inspection on belongings and body weight. Physically block unnecessary network ports, USBs, and serial ports for the main bodies of IoT devices and servers. Organization Clarify the facilities the staff in charge can enter and exit depending on the role. Provide anti-theft measures (Ex: lock) for important IoT devices and servers. People Restrict the places the staff in charge can enter and exit depending on the role. Component Data Procedure Record and monitor physical access by surveillance cameras, and obligate the person in charge to accompany outsiders when they enter and exit rooms according to the security operation manual. Design and apply the procedure for work areas that need to keep proper security. System Implement measures such as locking the areas where IoT devices and servers etc. are installed, introducing entrance and exit control, biometric authentication, surveillance cameras, and inspection on belongings and body weight. Provide anti-theft measures (Ex: lock) for important IoT devices and servers. 68

72 L3.007 Detection of transmitted and received false information (data) in the cyber space Transmit and receive false information (data). Risk impact Transmit and receive information (data) without authorization due to malware infection and cyber attack. Affect business operations adversely by receiving information (data) from the cyber space different from the originally intended sources. Verify beforehand that the behavior of transmitted and received information (data) is within the permissible range. Key aspects of the measure Verify beforehand that the behavior of information (data) transmitted and received among systems and IoT devices and servers in the cyber space is within the permissible range, and prevent adverse business operations. Detect whether the behavior of transmitted and received information (data) is within the permissible range. Define the responses (suspension, alarm, etc.) in advance in the case of failed log-in authentications. Organization Transmit and receive information (data) according to the handling standard defined in the security rules. Define the responses in advance in the case of determined abnormality (outside the permissible range, unmatched expected values, etc.). - Give alert/report to the system administrators or the security administrators with the scope of system impacts. People Monitor the behavior of IoT devices and servers, and work according to the security rules and security response manual when an abnormality was observed. - Control and monitor the use of mobile code, detecting malicious mobile code. Component Verify beforehand that the behavior of information (data) provided from the cyber space is within the permissible range (determined by the result of analysis on the past data). Use IoT devices and servers equipped with function safety. Data Procedure Define the responses in advance in the case of determined abnormality (outside the permissible range, unmatched expected values). 
- Suspend/continue operations of devices etc., nullify/retransmit data. - Give alert/report to the system administrators or the security administrators with the scope of system 69

73 impacts. - Separate the network control IoT devices and servers in the organization from wide-area networks. Continue operating IoT devices and servers etc. at the state defined in advance. - Ex: Normal operation, abnormal operation, or restoration. System Monitor the behavior of IoT devices and servers. - Control and monitor the use of mobile code, detecting malicious mobile code. - Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. 70

74 L3.008 Maintaining the availability of the cyber space Occur malfunctions and failures in servers, communication devices, and circuits in the cyber space. Risk impact Affect business operations adversely by suspended functions of servers, communication devices and circuits in the cyber space. Secure sufficient resources for the systems (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack. Ensure periodical backups, quality management, redundancy, and spare resources. Key aspects of the measure Secure sufficient resources for the systems (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack. Moreover, maintain availabilities by securing periodical backups, quality management, redundancy, and spare resources. By means of the above, prevent spreading security damages through immediately identifying the causes and restoring the services even in the case of failures in the servers, communication devices and circuits in the cyber space. Select the supplier for the cyber space, the IoT devices and the services with an established support structure and help desk. Carry out periodical systems backup and quality management, prepare standby devices and uninterruptible power supply as well as redundancy and detection of failure, and conduct replacement work, and software updates for the components (servers, communication devices, and circuits). Secure sufficient resources for the systems (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack. Organization Select the supplier for the cyber space, the IoT devices and the services with an established support structure and help desk. 
Introduce a system development life cycle considering security in designing, developing, implementing and repairing the systems functions. People Component Data Procedure 71

75 System Introduce a system development life cycle considering security in designing, developing, implementing and repairing the systems functions. Carry out periodical systems backup and quality management, prepare standby devices and uninterruptible power supply as well as redundancy and detection of failure, and conduct replacement work, and software updates for the components (servers, communication devices, and circuits). Secure sufficient resources for the systems (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack. Continue operating IoT devices and servers etc. at the state defined in advance. (Ex: Normal operation, abnormal operation, or restoration work) 72

76 L3.009 Appropriate disposal of IoT devices and servers etc. Dispose of IoT devices and servers etc. in an inappropriate procedure. Risk impact Leak residual information (data) inside the IoT devices and servers through misuse of disposed devices. Dispose of IoT devices and servers etc. in an appropriate procedure. Key aspects of the measure When disposing of an IoT device and a server, delete (or make unreadable) the information (data) stored and the data ID (identifier) uniquely identifying the genuine IoT devices and servers as well as important information (private key, digital certificate, etc.). By means of the above, prevent leaking residual information (data) in the IoT device and servers. Make the data unreadable by non-reproducible means not only through the sense of visual and touch but also through anti-tampering devices for storage areas. Establish a management procedure including a disposal procedure adopting the methods specified by the manufacturer. Organization Specify the procedure and define the security rules of deleting information (data) (or making the data unreadable) when disposing of IoT devices and servers. - Apply the rules to information (data) stored inside, the IDs (identifiers) uniquely identifying genuine IoT devices and servers, and important information (private key, digital certificate). - Make the data unreadable by non-reproducible means not only through the sense of visual and touch but also through anti-tampering devices for storage areas. Establish a management procedure including a disposal procedure adopting the methods specified by the manufacturer. People Comply with the disposal procedure based on the security rules. Delete important information in IoT devices and servers before starting maintenance work. Delete backup data after the retention date has expired. Retain the work history related to the management and disposal of the IoT devices and servers.
Component Data Procedure Confirm the work history related to the management and disposal of IoT devices and servers. Delete important information in IoT devices and servers before starting maintenance work. Specify the retention period of backup data and the data treatment after the expiry of the retention period (delete, etc.). 73

77 System 74

78 L3.010 Continuous vulnerability countermeasures for IoT devices and servers etc. False operations of the IoT devices and the servers. Risk impact Leak information (data) by misusing the vulnerabilities in IoT devices and servers. Update security patches periodically for IoT devices and servers. Key aspects of the measure Continued use of IoT devices and servers with residual vulnerabilities is likely to lead to unauthorized log-in and operation by outsiders. Prevent security incidents and spreading security damages by taking periodical vulnerability countermeasures for IoT devices and servers. Acquire security patches periodically and apply them to IoT devices and servers as needed. Check the update history of the security patches for IoT devices and servers. Organization Establish a structure to deal with the related issues checking and collecting public information on the vulnerabilities regularly. People Component Introduce IoT devices and servers allowing for software updates and changes in settings even after applying security patches. Data Procedure Acquire security patches periodically and apply them to IoT devices and servers as needed. Check the update history of the security patches for IoT devices and servers. System 75

79 L3.011 Encryption of stored data in the cyber space Unauthorized access to the information (data) in the cyber space. Risk impact Leak the stored information (data) by extraction and analysis of the information (data). Ensure the confidentiality of stored data. Key aspects of the measure Store information (data) encrypted. By means of the above, prevent leaking information (data) through unauthorized access. Define the security rules specifying the standards of data classification and handling. Encrypt portable storage device or an external medium with a different security key from saving data, when the data or backup data (including checksum) is transferred. Organization Define the security rules specifying the standards of data classification and handling. - Stipulate the rules on data saving (backup) and taking out (use of portable storage devices and external media). Handle the information (data) according to the security rules. Share effectiveness of data protection technologies with appropriate parties. People Component Data Handle the information (data) according to the security rules. - Exchange and store important information such as the key information used for user authentication and IoT devices and servers after encryption. - Provide a checksum to verify the integrity of records including audit log. - Encrypt each of the original data and the backup data when taking backup data. Procedure Encrypt portable storage device or an external medium with a different security key from saving data, when the data or backup data (including checksum) is transferred. System 76

80 L3.012 Management of software installation in IoT devices and servers etc. Install unauthorized software in IoT devices and servers. Risk impact Cause the leak of information (data) by unauthorized software installed in IoT devices and servers. Check the software before installing it in the IoT devices and the servers. Restrict the software to be added after installation in the IoT devices and the servers. Key aspects of the measure Prevent the unintended operations by the software, information (data) leak by malware infection, and generations of false information (data) by IoT devices or servers through malfunction, by introducing IoT devices and servers equipped with a function that restricts software installation by requiring special authorization. Restrict the software according to the lists of permitted software for add/delete/update in IoT devices and servers (white list), and the list of prohibited software (black list). Restrict the use or add/delete/update of software depending on the role of each user. Monitor the addition/deletion/updating functions of software, keep records of the operation history and audit logs according to the security rules, and review regularly. Organization Specify the software to be used for each IoT device and server. People Restrict the use or add/delete/update of software depending on the role of each user. Component Introduce IoT devices and servers allowing software updates and changes in settings. Data Procedure Monitor the addition/deletion/updating functions of software, keep records of the operation history and audit logs according to the security rules, and review regularly. System Restrict the software according to the lists of permitted software for add/delete/update in IoT devices and servers (white list), and the list of prohibited software (black list). 77

81 L3.013 Separate functions in the cyber space False operations of the system functions managing IoT devices. Risk impact Leak information (data) through unauthorized access to management functions of the system. Separate functions that are used by users and used by systems administrators. Key aspects of the measure Separate functions that are used by users and used by systems administrators. This can prevent unauthorized access to management functions of the system, leading to the prevention of information (data) leakage and malware infection associated with changes in settings. Define different accessible functions depending on the user's roles. Organization Separate functions that are used by users and used by systems administrators. Define different accessible functions depending on the user's roles. People Separate functions that are used by users and used by systems administrators from each other. Component Separate functions that are used by users and used by systems administrators. Data Procedure Define different accessible functions depending on the user's role. System 78

82 L3.014 Separation of networks False operations of the systems functions managing IoT devices. Risk impact Leak information (data) through unauthorized access to the system. Separate networks physically or logically. Key aspects of the measure Separate networks physically or logically. In addition, handle data showing the security status (e.g. encrypted/unencrypted and security measures on IoT devices and servers) on a dedicated channel. This can prevent unauthorized access, and network load from affecting the entire network, and block the IoT devices having a problem in a case of incident. Separate networks in the organization consisting of IoT devices and servers from the other networks physically or logically. Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers). Organization Separate networks in the organization consisting of IoT devices and servers from the other networks physically or logically. Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers). People Component Data Procedure System Connect the system only to specified networks (communication destinations). Separate networks in the organization consisting of IoT devices and servers from the other networks physically or logically. Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers). 79

83 L3.015 Detection of unauthorized access in the cyber space Unauthorized browsing of the information (data) in the cyber space. Risk impact Cause leak of the stored information (data) through unauthorized access to the system or IoT devices and servers, stealing and analyzing information (data) in elements. Implement audit log for access to the system or IoT devices and servers. Key aspects of the measure Record audit logs for access to the system or IoT devices and servers, and review regularly. This can prevent unauthorized browsing and leak of information (data), detecting any abnormality checking the operating status. Include audit log information about access for management, start/stop events and failed identification or authorization. Predefine possible actions to be taken if an abnormality is detected when the operating status is checked by using audit log. Organization Record audit logs for access to the system or IoT devices and servers, and review regularly. People Component Data Keep audit log information, including: a. Access for management b. Start/stop events c. Failed identification or authorization d. Failed integrity verification on secure communication paths e. Software updates f. Diagnosis results (including anti-virus diagnosis and network diagnosis) Procedure Predefine possible actions to be taken if an abnormality is detected when the operating status is checked by using audit log. - Shut down/continue to operate devices; disable/resend data. - Give an alert/make a report to potentially affected systems administrator or security administrator. - Separate networks in the organization that manage IoT devices and servers and wide area networks. [Viewpoint of operation check] a. Existence of unexpected records in the audit log b. Trend of observed data (Existence of abnormal values) c. Validity of the correlation between operating instructions and observed data d. Validity of the software component version e.
Validity of the operating systems and application configuration files (Existence of falsification) f. Normal operation of the software (No unauthorized software) g. No fraud in audit log at the time of start 80

84 System Monitor the network to detect security incidents. Encrypt and store audit log. Add a checksum to audit log to verify the integrity. Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps about all associated internal and other security information systems including auditing. Provide audit record centralization and report generation functions to support on-demand analysis and reporting. 81
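An added example (not part of the framework text) of the L3.015 items "Add a checksum to audit log to verify the integrity" and the operation-check viewpoints "Existence of unexpected records in the audit log" and "No fraud in audit log". It goes beyond a plain checksum by chaining a keyed HMAC from record to record, which is a design choice of this example; the field names, event labels, the `trusted_head` parameter and the sample records are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Event labels (assumed names) for audit-log items a-f listed under L3.015.
EVENT_TYPES = {
    "management_access", "start_stop", "failed_auth",
    "failed_integrity", "software_update", "diagnosis",
}
GENESIS = "0" * 64  # chain anchor used as the "previous checksum" of record 0


def _checksum(key: bytes, prev: str, body: dict) -> str:
    # Keyed checksum over the previous checksum plus this record's fields.
    data = prev.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, ts: str, device: str, event: str, detail: str) -> None:
    """Append one record whose checksum also covers the previous record's checksum."""
    if event not in EVENT_TYPES:
        raise ValueError("unknown event type: " + event)
    body = {"seq": len(log), "ts": ts, "device": device,
            "event": event, "detail": detail}
    prev = log[-1]["checksum"] if log else GENESIS
    log.append({**body, "checksum": _checksum(key, prev, body)})


def verify_log(log: list, key: bytes, trusted_head: str = None) -> list:
    """Return (index, problem) findings; an empty list means the chain is intact.

    trusted_head is the checksum of the newest record as held somewhere the
    device cannot rewrite (for instance the central log collector). Without it,
    removal of the newest records cannot be detected from the log alone.
    """
    findings = []
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "checksum"}
        stored = str(rec.get("checksum", ""))
        if body.get("seq") != i:
            findings.append((i, "sequence gap or reordering"))
        if body.get("event") not in EVENT_TYPES:
            findings.append((i, "unexpected record type"))
        expected = _checksum(key, prev, body)
        if not hmac.compare_digest(expected.encode(), stored.encode()):
            findings.append((i, "checksum mismatch"))
        prev = stored  # continue from the stored value so one edit is localized
    if trusted_head is not None and prev != trusted_head:
        findings.append((len(log), "tail truncated or replaced"))
    return findings


def build_sample_log(key: bytes) -> list:
    """Constructed sample records, not taken from any real system."""
    log = []
    append(log, key, "2018-04-01T09:00:00Z", "gw-01", "start_stop", "boot")
    append(log, key, "2018-04-01T09:05:12Z", "gw-01", "management_access", "admin login")
    append(log, key, "2018-04-01T09:06:40Z", "gw-01", "failed_auth", "user=op3")
    append(log, key, "2018-04-01T09:30:00Z", "gw-01", "software_update", "fw 1.2 -> 1.3")
    return log


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-use"
    records = build_sample_log(demo_key)
    print("intact:", verify_log(records, demo_key))
    records[2]["detail"] = "user=op1"  # simulate an edited record
    print("edited:", verify_log(records, demo_key))
```

The checksum key has to be kept away from the account that can write the log (for example inside the anti-tampering device of L3.002); otherwise whoever alters a record can recompute the chain.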

85 L3.016 Countermeasures against unauthorized access through wide area networks to IoT devices and servers False operations of the IoT devices and servers. Risk impact Leak information (data) through unauthorized access to IoT devices and servers. Cause information (data) leak by malware infection or cyber attacks. Detect cyber attacks through network monitoring. Introduce firewall, IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). Check unauthorized connection based on information about the source MAC address, location of IoT devices and servers, and access time/frequency. Key aspects of the measure Install firewall, IDS and IPS to perform the network/access monitoring at the contact point between a network in the organization that manages IoT devices and servers, and the wide area network. This can prevent malware infection or cyber attacks, detecting unauthorized access through the wide area network. Separate networks in the organization that manage IoT devices and servers and wide area networks. Monitor communications at the contact point between the network in the organization that manages IoT devices and servers, and the wide area network. Deny communications by default between IoT devices and servers, and allow the specific protocol to be used as the exception. Organization Separate networks in the organization consisting of IoT devices and servers and the other networks physically and logically. Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers). People Component Data Procedure Predefine possible actions to be taken if an abnormal communication is detected. - Shut down/continue to operate devices: disable/send data. - Give an alert/make a report to potentially affected systems administrator or security administrator. Separate networks in the organization that manage IoT devices and servers from the wide area networks. 
82

86 System Connect the system only to specified networks (communication destinations). Separate networks in the organization that manage IoT devices and servers from the wide area networks. Monitor communications at the contact point between a network in organization that manages IoT devices and servers, and a wide area network. Deny communications by default between IoT devices and servers, and allow the specific protocol to be used as the exception. Define monitored events and monitoring conditions according to the system specifications (including protocols and connection destinations). Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers). 83

87 L3.017 Protection of communications among IoT devices and servers Intercepted information (data) sent/received among IoT devices and servers. Risk impact Leak information (data) on a communication path among IoT devices and servers. Send information (data) using an encrypted communication path. Key aspects of the measure Encrypt information (data) on a communication path using encrypted communication functions (including TLS, DTLS, and IPsec etc.) among IoT devices and servers. In addition, prevent falsification by adding a digital signature, Message Authentication Code (MAC), checksum or timestamp. Assign an ID (identifier) to information (data) to be sent. Assign a Message Authentication Code (MAC) to information (data) and ID (identifier) to be sent. Organization Send/receive information (data) according to the handling standards defined by security rules. Predefine possible actions to be taken if an abnormality is detected. - Give an alert/make a report to potentially affected systems administrator or security administrator. People Component Use communication devices that support encrypted communication (including TLS, DTLS and IPsec etc.). Use IoT devices and servers that encrypt information (data) itself. Use IoT devices and servers that support adding a digital signature, Message Authentication Code (MAC), checksum, or timestamp. Data Encrypt information (data) itself. Assign an ID (identifier) to information (data) to be sent. Procedure Predefine possible actions to be taken if authentication fails or an error is detected in ID (identifier). - Shut down/continue to operate devices; disable/resend data. - Give an alert/make a report to potentially affected systems administrator or security administrator. - Separate networks in the organization that manage IoT devices and servers and the wide area networks. System Use encrypted communication. Encrypt information (data) itself.
Use a Message Authentication Code (MAC) that has a uniquely-identifiable identifier in session. 84

88 L3.018 Encrypted communication in the cyber space Intercepted information (data) sent/received in the cyber space. Risk impact Leak information (data) on a communication path. Encrypt sent/received information (data) using an encrypted communication path. Key aspects of the measure Prevent information (data) leak from interception, by encrypting a communication path using encrypted communication for sending/receiving information (data). Use communication devices that support encrypted communication (including TLS, DTLS and IPsec). Encrypt a communication path after completing the authentication process with the communication destination. Organization Send/receive information (data) according to the handling standards defined by security rules. Predefine possible actions to be taken if an abnormality is detected. - Give an alert/make a report to potentially affected systems administrator or security administrator. Share effective protection technologies with appropriate parties. People Component Use communication devices that support encrypted communication (including TLS, DTLS and IPsec). Data Procedure Encrypt a communication path after completing the authentication process with the communication destination. Use a Message Authentication Code (MAC) that has a uniquely-identifiable identifier in a session. Delete the session key used for encrypted communication if the integrity verification of received data fails. System Use encrypted communication. 85

89 L3.019 Encryption of sent/received information (data) in the cyber space Intercepted information (data) sent/received in the cyber space. Risk impact Leak information (data) on a communication path. Send and receive information (data) with the information (data) itself encrypted. Key aspects of the measure Prevent information (data) leak from interception, by encrypting information (data) itself for sending/receiving. Send/receive information (data) according to the handling standards defined by security rules. Use IoT devices and servers that encrypt information (data) itself. Predefine possible actions to be taken if an encryption/decryption error occurs. Organization Send/receive information (data) according to the handling standards defined by security rules. Predefine possible actions to be taken if an abnormality is detected. - Give an alert/make a report to potentially affected systems administrator or security administrator. Share effective protection technologies with appropriate parties. People Component Use IoT devices and servers that encrypt information (data) itself. Data Encrypt information (data) itself. Procedure Predefine possible actions to be taken if an encryption/decryption error occurs. - Shut down/continue to operate devices: disable/resend data. - Give an alert/make a report to potentially affected systems administrator or security administrator. Separate networks in the organization that manage IoT devices and servers and the wide area networks. System Encrypt information (data) itself. 86

90 L3.020 Countermeasures against falsification of sent/received information (data) and the traceability in the cyber space

Falsified information (data) on a communication path.

Risk impact: Falsified information (data) to be sent/received.

Add a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) to be sent/received to detect falsification.

Key aspects of the measure:
Protect against falsification and secure the traceability of data by adding a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) upon sending and receiving.
Send/receive information (data) according to the handling standards defined by security rules.
Add a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) to be sent/received.
Predefine possible actions to be taken if an encryption/decryption error occurs.

Organization:
Send/receive information (data) according to the handling standards defined by security rules.
- Predefine possible actions to be taken if an abnormality is detected.
- Give an alert/make a report to the potentially affected systems administrator or security administrator.
Share effective protection technologies with appropriate parties.

People:

Component:
Use IoT devices and servers that support adding a digital signature, Message Authentication Code (MAC), checksum or timestamp.

Data:
Add a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) to be sent/received.

Procedure:
Predefine possible actions to be taken if an encryption/decryption error occurs.
Shut down/continue to operate devices: disable/resend data.
- Give an alert/make a report to the potentially affected systems administrator or security administrator.
Separate the networks in the organization that manage IoT devices and servers etc. from wide area networks.

System:
Add a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) to be sent/received.
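The procedure items of L3.018 (a MAC tied to a session identifier, deleting the session key when integrity verification fails) and the measure of L3.020 (a MAC and timestamp to detect falsification, with a predefined reaction) can be combined as in the following added example, which is not part of the framework. The message field names, the 30-second freshness window, the sequence counter and the in-memory alert list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 30  # assumed freshness window; the framework gives no value


class Session:
    """State one endpoint keeps for a single communication session."""

    def __init__(self, session_id: str, key: bytes):
        self.session_id = session_id
        self.key = key          # shared MAC key; None once the session is closed
        self.next_seq = 0       # sender side: next sequence number to use
        self.highest_seen = -1  # receiver side: highest sequence number accepted
        self.alerts = []        # stand-in for the report to the administrator


def new_session_pair():
    """Constructed sample: both endpoints of one session sharing a random key."""
    sid, key = secrets.token_hex(8), secrets.token_bytes(32)
    return Session(sid, key), Session(sid, key)


def _mac(key: bytes, session_id: str, seq: int, ts: int, payload: bytes) -> str:
    # Length-prefix every field so that field boundaries cannot be shifted.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in (session_id.encode(), str(seq).encode(),
                  str(ts).encode(), payload):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()


def protect(session: Session, payload: bytes, now=None) -> dict:
    """Sender: attach session id, sequence number, timestamp and HMAC-SHA256."""
    if session.key is None:
        raise RuntimeError("session closed")
    ts = int(time.time() if now is None else now)
    seq = session.next_seq
    session.next_seq += 1
    return {"sid": session.session_id, "seq": seq, "ts": ts,
            "data": payload.hex(),
            "mac": _mac(session.key, session.session_id, seq, ts, payload)}


def _reject(session: Session, reason: str, msg: dict):
    # Predefined action: discard the data and record an alert.
    session.alerts.append((reason, msg.get("sid"), msg.get("seq")))
    return None, reason


def verify(session: Session, msg: dict, now=None):
    """Receiver: return (payload, "ok") or (None, reason)."""
    if session.key is None:
        return _reject(session, "session_closed", msg)
    try:
        payload = bytes.fromhex(msg["data"])
        seq, ts = int(msg["seq"]), int(msg["ts"])
        # The MAC is recomputed over the receiver's own session id, so a
        # message produced for another session cannot verify here.
        expected = _mac(session.key, session.session_id, seq, ts, payload)
        mac_ok = hmac.compare_digest(expected, str(msg["mac"]))
    except (KeyError, TypeError, ValueError):
        mac_ok = False
    if not mac_ok:
        # Integrity verification failed: drop the session key so that nothing
        # further is accepted on this session. (Python cannot guarantee the
        # bytes are wiped from memory; this only removes the reference.)
        session.key = None
        return _reject(session, "mac_mismatch", msg)
    current = int(time.time() if now is None else now)
    if abs(current - ts) > MAX_AGE_SECONDS:
        return _reject(session, "stale", msg)
    if seq <= session.highest_seen:
        return _reject(session, "replay", msg)
    session.highest_seen = seq
    return payload, "ok"
```

Only a MAC failure closes the session here; stale or replayed messages are discarded and reported while the key is kept, which is a design choice of this example rather than a requirement stated in the framework.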

91 L3.021 Response to unauthorized wireless connection

False operations of IoT devices and servers.

Risk impact: Leak of information (data) through unauthorized access to IoT devices and servers.

Restrict wireless connection via Bluetooth.
Improve the authentication procedure at wireless LAN access points.

Key aspects of the measure:
Disable unnecessary wireless connection functions (including Bluetooth and wireless LAN) and restrict unspecified connections on IoT devices and servers, etc. In addition, perform appropriate settings including authentication of connection destinations and encryption of data. These can prevent unauthorized access to IoT devices and servers, information (data) leakage, and malware infection.
Make environmental settings (e.g. ESSID, MAC address filtering and solid encryption scheme (including WPA2)) for wireless LAN.
Properly authorize wireless connection destinations (including users and IoT devices and servers).

Organization:
Predefine constraint conditions and environmental settings for wireless connection in the security rules.

People:
Use wireless communications according to the security rules.

Component:
Disable unnecessary wireless connection functions (including Bluetooth and wireless LAN).
Restrict unspecified connection destinations (including Bluetooth and wireless LAN).
Encrypt a wireless communication path and encrypt communication data itself.
Properly authenticate wireless connection destinations (including users and IoT devices and servers).

Data:

Procedure:
Start communications upon completion of the authentication of wireless connection destinations (including users and IoT devices and servers).

System:
Use the authentication function of a wireless communication destination at the access point.

92 L3.022 Data management based on appropriate classification

Unable to secure the data (e.g. personal information, trade secrets, CUI [5]) at the appropriately required protection levels depending on the laws, regulations, and agreements.

Risk impact: Increase in liability for data leaks due to insufficient and inadequate protection and unmanaged data classification, or increase in management cost by excessive data protection due to not meeting required data protection levels depending on the different laws, regulations and agreements.

Sort out the data classification methods for meeting each requirement and properly protect data on a classification basis, understanding the required data protection levels accurately depending on laws, regulations and agreements.

Key aspects of the measure:
Required data protection levels vary depending on laws, regulations and agreements, based on the reasons for requiring data protection. Organizations or people who hold data must accurately understand the background of enacted laws and regulations, and the reasons for agreements among relevant parties, and manage the data so as to meet the required protection level.

Organization:
Establish rules for data classification and a method to manage classified data.
- Restrict access to information on system media which needs to have its confidentiality protected by laws and agreements to authorized users only.
- Examine individuals prior to authorizing access to organizational systems containing information which needs to have its confidentiality protected by laws and agreements.
- Provide privacy and security notices consistent with applicable laws and agreements.
- Adopt cryptography with adequate strength to protect the confidentiality of information which needs to be protected by laws and agreements.
- Ensure that organizational systems containing information which needs to have its confidentiality protected by laws and agreements are protected during and after personnel actions such as terminations and transfers.
- Ensure that any information which needs to have its confidentiality protected by laws and agreements is deleted from the IoT devices and servers before starting maintenance jobs.
- Establish a procedure to sanitize or destroy (render unreadable) system media containing information which needs to have its confidentiality protected by laws and agreements before disposal or release for reuse, and define it in the security rules.
- Mark a warning on, or attach a distribution restriction label to, media that contains information which needs to have its confidentiality protected by laws and agreements.
- Prohibit the use of portable storage devices without an identifiable owner.
Determine priorities of resource allocation for equipment (hardware and software) in the asset management of configuration items, based on asset type, importance, and business value.

People:
Manage data at an appropriate level of protection required for each classification, understanding the necessity of data classification.
Ensure that any information which needs to have its confidentiality protected by laws and agreements is deleted from the IoT devices and servers before starting maintenance jobs.

Component:

Data:
Encrypt information which needs to have its confidentiality protected by laws and agreements on mobile devices and mobile computing platforms, then exchange and save the information.

Procedure:

System:
Adopt cryptography with adequate strength to protect the confidentiality of information which needs to be protected by laws and agreements.
Control information which needs to have its confidentiality protected by laws and agreements that is to be posted or processed on publicly accessible systems.

[5] Controlled Unclassified Information. It refers to critical information which is not defined by US Federal law under the classified categories of Top Secret, Secret, and Confidential.

94 L3.023 Management of authorization on appropriate classification

Unauthorized access to the information (data) in the cyber space.

Risk impact: Leak of information (data) through extraction and analysis of the information (data) by an unauthorized user accessing the system.

Restrict not only access to the data by authorized users and users acting on behalf of authorized users, but also the types of transactions and functions that authorized users are permitted to execute.
Restrict not only access to the data by authorized IoT devices and servers and devices acting on behalf of authorized devices, but also the types of transactions and functions that authorized devices are permitted to execute.

Key aspects of the measure:
It is necessary not only to authenticate users and IoT devices and servers with adequate strength, but also to give the minimum authorization for data access (including adding/deleting/updating) to the assets in the cyber space, depending on the role of the user and/or the IoT devices and servers.
Manage access authorization by adopting the principle of least privilege and segregation of duties.

Organization:
Clarify, document, and execute the rules on the specified tolerance level of the information use and of the asset use for the information and the facilities.
Restrict the use and adding/deleting/updating of software and data depending on the role of the user and/or IoT devices and servers, and review assigned authorization regularly.
- Restrict audit management functions to a subset of privileged users.
- Authorize remote execution for privileged commands and remote access to security related information.
Adopt the principle of least privilege for specific security functions and privileged accounts.

People:
Segregate the duties of individuals to reduce the risk of malicious activities.
Use non-privileged accounts or roles when accessing non-security functions.

Component:

Data:

Procedure:

System:
Restrict the use and adding/deleting/updating of software and data depending on the role of the user and/or IoT devices and servers.

95 4. Toward Establishing Trust

4.1. Concept of securing the trust in framework

In order to ensure the security of the Cyber/Physical System, security is achieved across the whole value creation process by structuring and maintaining a Trustworthy Chain through repeatedly securing security (creation of trustworthiness) and confirming it (confirmation of trustworthiness) for each element.

1. Creation of Trustworthiness
Creation of components/data that satisfy the security requirements
Verification that the target components/data are created with the requirements satisfied

2. Confirmation of Trustworthiness
Creation and management of a list (trust list) to certify that target components/data are properly created
Verification of the trustworthiness of target components/data by referring to the trust list

3. Structuring and Maintaining of trustworthy chain
Structuring of trustworthy chain through repeated creation and certification of trust (secured traceability)
Detection of/protection against external attacks to trustworthy chain
Improvement of resilience against attacks

Fig. 8 - Illustration of the relationship among Creation of Trustworthiness, Confirmation of Trustworthiness and Structuring and Maintaining of Trustworthy Chain


_isms_27001_fnd_en_sample_set01_v2, Group A

_isms_27001_fnd_en_sample_set01_v2, Group A 1) What is correct with respect to the PDCA cycle? a) PDCA describes the characteristics of information to be maintained in the context of information security. (0%) b) The structure of the ISO/IEC 27001

More information

WELCOME ISO/IEC 27001:2017 Information Briefing

WELCOME ISO/IEC 27001:2017 Information Briefing WELCOME ISO/IEC 27001:2017 Information Briefing Denis Ryan C.I.S.S.P NSAI Lead Auditor Running Order 1. Market survey 2. Why ISO 27001 3. Requirements of ISO 27001 4. Annex A 5. Registration process 6.

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore

More information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110 Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

DHS Cybersecurity: Services for State and Local Officials. February 2017

DHS Cybersecurity: Services for State and Local Officials. February 2017 DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated

More information

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes: Page 1 of 6 I. Common Principles and Approaches to Privacy A. A Modern History of Privacy a. Descriptions, definitions and classes b. Historical and social origins B. Types of Information a. Personal information

More information

the SWIFT Customer Security

the SWIFT Customer Security TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This

More information

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding

More information

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY OVERVIEW On February 2013, President Barack Obama issued an Executive Order

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce

More information

Information Technology Branch Organization of Cyber Security Technical Standard

Information Technology Branch Organization of Cyber Security Technical Standard Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:

More information

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Seven Requirements for Successfully Implementing Information Security Policies and Standards Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information

More information

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1 Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com

More information

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services NYS DFS Cybersecurity Requirements Stephen Head Senior Manager Risk Advisory Services December 5, 2017 About Me Stephen W. Head Mr. Head is a Senior Manager with Experis Finance, and has over thirty-five

More information

How AlienVault ICS SIEM Supports Compliance with CFATS

How AlienVault ICS SIEM Supports Compliance with CFATS How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements

More information

Cyber Security Incident Report

Cyber Security Incident Report Cyber Security Incident Report Technical Rationale and Justification for Reliability Standard CIP-008-6 January 2019 NERC Report Title Report Date I Table of Contents Preface... iii Introduction... 1 New

More information

Data Processing Agreement

Data Processing Agreement In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal

More information

Position Description IT Auditor

Position Description IT Auditor Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership

More information

Resolution: Advancing the National Preparedness for Cyber Security

Resolution: Advancing the National Preparedness for Cyber Security Government Resolution No. 2444 of February 15, 2015 33 rd Government of Israel Benjamin Netanyahu Resolution: Advancing the National Preparedness for Cyber Security It is hereby resolved: Further to Government

More information

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report ii Nationwide Cyber Security Review: Summary Report Acknowledgments The Multi-State Information Sharing

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified Data Protection Officer The objective of the PECB Certified Data Protection Officer examination is to ensure that the candidate has acquired the knowledge and skills

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

Cybersecurity & Privacy Enhancements

Cybersecurity & Privacy Enhancements Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information