Control System Security Center

I had an opportunity to meet with much of the Japanese Control System Security Center (CSSC) team on Tuesday. They are impressively moving out fast on their efforts to build and educate the ICS security community in Japan.

The CSSC was established in March of 2012, and is emulating what they view as the successes in the US, UK and other countries. A large area in Tokyo’s Miyagi Recovery Park (a SONY factory was there prior to the earthquake) will house the ICS testbed. There are plans for eight simulated ICS including substation, power plant, factories, building automation and some sort of gas operations. The approach to build them is a bit different than the US tested. In Japan, vendors such as Hitachi, Mitsubishi, Toshiba and Yokogawa will be building the simulated systems with their solutions. I’m sure many readers would like to get some time in that lab, especially with the systems that are rarely seen outside of Japan.

I met six researchers who are already assigned full time to the lab, and more are scheduled to join. They come primarily from the ICS vendors who have seconded them to CSSC for a period of time. It is a great assignment. The only thing missing here were the owner/operators. It is very government and vendor driven, which is a problem that we see in the US and elsewhere as well.

The other big focus besides the testbed is the ICS security training. A number of the CSSC members have attended DHS training, and it sounds like eventually there will be introductory, intermediate and advanced red/blue type courses offered from the CSSC. The facilities and drawings look first rate. It’s clear that METI and participants are spending a good amount of money to jump start this effort.

There is talk of a product certification effort. IPA has partnered with ISASecure so this could be one hint of direction — and also a warning. An ISASecure certified embedded device (level 1 and 2) still is insecure by design with no source or content authentication required for the requests/commands that can cause serious damage. A government sponsored organization putting a certification sticker on a product that is lacking basic security would provide a false sense of security and eventually lead to something very embarrassing. It will bear watching how this effort turns out in Japan, but it is an objective.

In the short term I’m certain the CSSC will be a success. The testbed and training are low risk items that can be accomplished with effort, and it will make a difference. With 300 attendees at the IPA Forum and turning people away, there is some hunger to get smarter on this topic.

The hard part is the medium and long term. This is where the US DHS has really struggled. How does a government sponsored organization best  get vendors and owner/operators to feel the need to spend the time and money to improve ICS security? Here Japan and other governments would be best trying another path rather than the failed US DHS way.

Image by twofourseven