Over in Tokyo this week visiting customers and old friends, and it’s good to see the level of interest and concern in ICS security is growing. Like the US and rest of the world there still is a long way to go.
A high percentage of the Japanese critical infrastructure SCADA and DCS are made in Japan for Japan and not seen anywhere else in the world. This “our systems are different” has been used as a hyper security by obscurity excuse for most of the last ten years. It would take someone like Reid a bit longer to figure them out and break them, but the same attack principles apply.
Three positive signs:
- JPCERT puts on an annual ICS security conference. This year 250 people attended (a record) and 80% of them were engineers.
- The Japanese Government METI has an ICS Security Task Force with four different working groups: incident handling, standardization, training/people resources and enlightenment. JPCERT is leading incident handling and IPA is heading up standardization. I wish my Japanese was better so I could participate in enlightenment.
- 3 years ago their was zero interest or response from Koyo when we demonstrated uploading rogue firmware on their PLC (Boreas vuln). This year they have engaged with ICS-CERT and JPCERT to address the Project Basecamp issues.
I still have a few meetings with reporters and other groups this week, so stay tuned for more from Japan.