NHK SCADA Security

Close Up Gendai is a long running, serious and popular program on Japanese national television station NHK. The audience tends to skew older, but everyone in Japan knows Close Up Gendai. So we were pleased to cooperate with the NHK crew when they wanted to do a story on ICS security, Project Basecamp and specifically the issues with the Koyo PLC.

The half hour episode aired last Thursday and an eight minute video excerpt is now available on line (in Japanese of course). Based on my limited Japanese and some friends telling me about the translation, it seems like Close Up Gendai did a great job of focusing on the problem of PLC security and need for a solution.

There have been two events that have jump started ICS security in Japan. The first was malware that infected Mitsubishi Heavy Industries. This lead METI to start a number of ICS security initiatives. The second was the Project Basecamp identifying vulnerabilities and releasing a Metasploit Module that demonstrates the Koyo brute force password recovery. This surprised us because Koyo is a small Japanese vendor with a small deployed base compared to GE, Schneider, and Rockwell Automation.

Unlike the Boreas/rogue firmware upload issue in 2009, Koyo took this exploit module very seriously. They didn’t try to duck the issue. They admitted the security deficiency, even sending Senior Executives to address the issue and the press, including on this Close Up Gendai program. More importantly they quickly released a fix to address the password problems and disabled the web server by default. Koyo still has some work to do, but it’s a good start.

What has been very refreshing is the Japanese attitude that these problems need to be fixed. The reaction is mixed on Project Basecamp, as it is in the rest of the world. The different reaction in this case was this needs to be fixed quickly and a bit of embarrassment that this vulnerability existed in the first place. Not that the goal of Project Basecamp is vendor embarrassment, but one would think this should be the natural reaction when a product you designed falls short in a serious way. It’s a pleasant surprise as opposed to a marketing response of proactive holistic security that does not admit or address security problems.

To temper this optimism, this was an easy case. It was a smallish vendor with a relatively simple fix. We will have to wait until later this year to see if the same reaction takes place with more difficult to fix vulnerabilities in products from large companies such as Hitachi, Toshiba or Mitsubishi crop up.