This was the 7th year that JPCERT put on an ICS Security Conference in Tokyo. The conference hall had a capacity of 300 people, and it was sold out weeks before the event. Of course the price was very appealing — free. Great to see the increased interest having participated in some of the earlier versions with about 50 attendees.
Miyaji-san of JPCERT had a very frank opening session on the state of ICS security. For example, “some Japanese ICS experts said that ICS protocols are implemented robustly but this is only a dream”. He gave a fast paced overview of the vulns (highlighting the DNP3 vulns), JPCERT/IPA efforts, standards, certifications and other items that had occurred over the last 12 months.
There was an interesting tidbit … an anti-virus vendor claimed that 30% of the ICS in Japan had a malware incident at some time. There was no study or detail provided. I don’t doubt the number, as much as I do 30% of the asset owners admitting that to an entity.
Kobayashi-san, formerly of IPA and now with CSSC, was the next speaker. It’s noteworthy that the first two speakers were two of the ICS security pioneers in Japan, having focused on it for 5+ years.
I need to add a couple of days to a Japan trip to go out to Tagajo and see the CSSC lab. The pictures are amazing and probably make INL jealous.
A major thrust of CSSC is developing an ISASecure certification capability in Japan. The agreements are in place with ISCI, so now the effort is to gear up for the testing. Kobayashi-san said “CSSC will have to incorporate Japanese proprietary protocols in the Communication Robustness Testing”. This would exceed the current CRT for ISASecure certification that does not address the ICS protocols.
Loyal readers know I have mixed feelings on ISASecure. The organization and approach is sound, but the bar is so low in the functional security and increasingly in the communications robustness testing areas. I still wonder how a PLC can have an ISASecure sticker on it, in English or Japanese, and still be insecure by design. CSSC is also likely to certify to the System Security Assessment (SSA) standard as soon as ISCI finalizes this effort.
The morning had two more Japanese speakers, and I should note JPCERT kindly provides simultaneous translation English – Japanese and Japanese – English as applicable.
Mu-Chun Chang of Taiwan Power Company went into some detail about their control systems, OPSEC alert. This session was probably quite useful for IT Security types that didn’t understand the components, topology and redundancy in a large SCADA system.
Ralph Langner expanded on his RIPE approach. It is a completely different talk than you typically hear at these events. Even knowing Ralph well and studied the RIPE paper I pulled a few nuggets out.
- My favorite was the house of cards analogy. You have build an impressive house of cards, but a gust of wind, a dog bumping into it or a number of other things could cause it to tumble. We could spend time identifying the threats to the house of cards and deal with them. Seal windows, put a leash on the dog, … Or we could focus on dealing with the fragility and add robustness and resiliency to the structure.
- “As an attacker, I’m not interested in attacking your ICS”; the attacker is interested in attacking the process, eg explosion, chem spill
- The translation of a Taguchi on Quality quote to Langner on ICS Security – “ICS Security is evaluated by loss of predictability defined as the amount of functional variation of process control plus all possible negative effects, such as environmental damages and operational costs”
Simeon Simes of AusCERT discussed there procedures for sharing ICS vulnerability information as well as other information sharing. Likely an appropriate session given it was a JPCERT event. Interesting note that Queensland University and Edith Cowan University provide control system security courses.
The last session focused on a JPCERT survey of 300 ICS owner/operators. This kind of data is helpful and very rare. The survey was not anonymous, which could affect the answers, but only cumulative results were provided. It would be interesting to see it further broken down by sector. 7% of the respondents admitted to having a malware incident in the last year on their ICS. 80% said they never had a cyber security incident on the ICS and believe they will never have an incident. Great end of event session.
Nice job by JPCERT on the event. Well run and appreciate being allowed to attend.