The threat of cyber-attacks extends not only to information systems but also to control systems and Internet of Things (IoT) systems, and the risk of physical damage to social infrastructure is growing. Amid concerns about possible cyber-attacks targeting the Olympic and Paralympic Games Tokyo 2020, companies need to create systems that enable them to carry out careful risk evaluations of the safety and security of their internal systems and their products, address various risks in advance, and respond rapidly in the event of incidents.
Toshiba's "Cyber-Security Center," established in October 2017 in response to this growing sense of economic and social danger, is a groundbreaking organization that goes beyond the conventional concepts of corporate security systems. Under the stalwart leadership of the Chief Information Security Officer (CISO), it implements effective measures that integrate information security and product security functions. Let's look at the Cyber-Security Center, which produces systems, technologies, and human resources for tackling the threat of cyber-attacks, and the status of the activities it is carrying out.
The limits of conventional corporate security systems
Backed by the rapid development of the IoT, information technology (IT) and operational technology (OT) are increasingly being fused in social infrastructure systems, and they are beginning to be targeted by cyber-attacks. The Olympic and Paralympic Games will be held in Tokyo in 2020. What measures should we take to address concerns of possible attacks seeking to damage Japan and sow confusion?
Many companies and organizations have created computer security incident response teams (CSIRTs) to respond to security incidents, but manufacturing companies such as Toshiba must also establish product security incident response teams (PSIRTs) to handle security incidents in the products they provide to their customers.
CSIRTs have become well-established parts of various companies and organizations. While their strict definitions vary by company and organization, they generally monitor systems and collect threat information related to cyber-attacks against their own information systems, networks, computers, servers, and other IT devices. They generally identify and evaluate risks and seek to rapidly respond to security incidents, minimizing the damage they cause.
PSIRTs, on the other hand, perform risk management throughout the product lifecycle, from the product development stage to service and disposal of the product, so that the products and systems they manufacture do not suffer security incidents while in use by customers. They also strive to ensure that damage is minimized in the event that a security incident does occur. PSIRTs are primarily being created by companies such as software manufacturers and device manufacturers that do business in the IoT market.
In many cases, the CSIRTs and PSIRTs established by companies and organizations are composed of members from other sections doing dual duties. These members normally spend their time on security incident prevention work, and are only assembled when an incident occurs, like a town fire brigade. One problem with this approach is that the coordination processes between members and the chain of command within these organizations fail to function sufficiently when incidents do occur, making it difficult to respond rapidly to security incidents. Even when both CSIRT and PSIRT organizations are created, they are often operated independently. While the scopes of these organizations differ, with CSIRTs focusing on internal information systems and PSIRTs on internally-developed products, there are many commonalities in their activities and the knowledge they require, so sharing technologies and personnel between them would make it easier to achieve a rapid first response when a security incident occurs and to handle incidents appropriately. It is extremely important to prevent the damage from a cyber-attack from growing because of delays in the initial response or in appropriate handling. Bringing together the human resources and functions that can achieve this objective is a key challenge.
Aggregating the functions of CSIRTs and PSIRTs under the direct control of the CISO
Toshiba's Cyber-Security Center, established in October 2017, was designed to solve the problems faced by CSIRTs and PSIRTs. It considers security measures and countermeasures to be critical management issues. Directed by powerful leadership, it appropriately manages the Toshiba Group's information security and product security, centrally responding to cyber-attacks (Fig. 1).
At Toshiba, a top-level executive (Corporate Senior Vice President) has been appointed as CISO. The CISO has the authority needed to conduct rapid, appropriate risk management related to cyber-attacks, such as making decisions regarding major security incidents and issuing instructions to split-off businesses. The Cyber-Security Center is an organization under the direct jurisdiction of the CISO. It brings together the functions for implementing strong security measures for information systems with those for implementing security measures for products and services. It has full-time staff with expertise in each area, so its members can work closely together under the leadership of the CISO to take unified action no matter the circumstances. It creates watertight defensive structures, responds rapidly to security incidents, and implements security measures based on vulnerability assessment and risk analysis.
It also serves as a contact point for security-related organizations, both in Japan and abroad, such as the Ministry of Economy, Trade and Industry or JPCERT/CC*, and a coordination contact point for the split-off businesses that serve as Toshiba's business implementing bodies. It centrally aggregates the latest industry information and information regarding cyber-attacks, enabling it to investigate all kinds of potential risks from a variety of angles, and to implement measures through a uniform risk determination policy that encompasses both information security and product security.
* JPCERT/CC: Japan Computer Emergency Response Team / Coordination Center
Rule formulation measures based on a common security platform and company-wide regulations
Cyber-attack risk management is one of the important duties that support company business foundations. Recognizing this, the Cyber-Security Center is actively implementing activities that maximize these functions based on the Center's "Toshiba Cyber Security Vision 2020." Two of the priority measures it is carrying out are the creation of a common security platform and the formulation of company-wide quality regulations through coordination between Toshiba's Corporate Research & Development Center, with its security experts, and Toshiba Digital Solutions Corporation.
The common security platform provides support for security operations such as defense, monitoring and detection, and response and recovery by split-off businesses, Toshiba's business implementing bodies. It is used for detailed and reliable management of the security risks faced by varied internal information systems and products. This is Toshiba's social responsibility and one of its principal missions. However, it is normally extremely difficult to visualize and manage, at the level of individual software packages and component parts, the products and vulnerabilities of internal information systems created by various vendors and manufacturers. The Center develops systems that match the accumulated composition information of internal information systems and individual products against software vulnerability information collected from around the world, in order to automatically determine the detailed security risks faced by individual products, prevent vulnerabilities from being built into products at the development stage, and respond to vulnerabilities in shipped products. Our goal is to put a common security risk management platform that encompasses both information and product security into practical use in fiscal year 2018.
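The matching step described above, as an added illustration that is not Toshiba's platform code: a constructed component inventory for two hypothetical products is matched against a constructed vulnerability feed with placeholder identifiers, using affected-version ranges to decide which findings apply to which product.

```python
"""Toy component-to-vulnerability matcher (added example; products, component
names and VULN-* identifiers are constructed placeholders, not real data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Vuln:
    vuln_id: str
    component: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet
    severity: str


# Constructed product composition information (the role an SBOM would play).
PRODUCTS: Dict[str, List[Tuple[str, str]]] = {
    "controller-A": [("libfoo", "1.2.3"), ("netlib", "2.0.0")],
    "gateway-B": [("libfoo", "1.4.0"), ("netlib", "2.5.1"), ("zlib-ish", "1.0.0")],
}

# Constructed vulnerability feed with placeholder identifiers.
VULNS: List[Vuln] = [
    Vuln("VULN-0001", "libfoo", "1.0.0", "1.3.0", "high"),
    Vuln("VULN-0002", "netlib", "2.0.0", None, "critical"),
    Vuln("VULN-0003", "netlib", "2.4.0", "2.5.0", "medium"),
]


def is_affected(version: str, vuln: Vuln) -> bool:
    """True when version lies in [introduced, fixed); an unfixed vuln has no upper bound."""
    v = parse_version(version)
    if v < parse_version(vuln.introduced):
        return False
    return vuln.fixed is None or v < parse_version(vuln.fixed)


def assess(products, vulns) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Per product, list (vuln_id, component, version, severity) for every match."""
    report = {}
    for product, components in products.items():
        report[product] = [
            (vuln.vuln_id, name, version, vuln.severity)
            for name, version in components
            for vuln in vulns
            if vuln.component == name and is_affected(version, vuln)
        ]
    return report
```

In the constructed data, controller-A is affected by VULN-0001 and the unfixed VULN-0002, while gateway-B has already moved past the fixed ranges and is affected only by VULN-0002.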
We consider the product security handled by the PSIRT to be part of our quality management system, and through Toshiba's group governance coordination, PSIRT-related items are listed in the company-wide quality regulations. Taking the idea that accidents "could happen" one step further, and assuming instead that accidents "will definitely happen," we have prepared risk response manuals that cover the dissemination of vulnerability information and the potential for severe impact. We clearly stipulate rules such as the methods and processes for responding to product and service vulnerabilities, from the development stage to after shipping, and work to extend them into the split-off businesses.
When creating uniform, strict security management implementation systems, one must take into consideration that people are responsible for security. No matter how advanced IT systems or how complete manuals may be, if the convenience of their users is not taken into consideration, they will not function to their full potential. The Cyber-Security Center strives to maximize usability as it implements the above activities. It is creating actual systems that are intuitive and easy for anyone to use, and that can be operated easily by all Toshiba employees (Fig. 2).
Developing advanced security personnel and heightening the mentality of all employees
One of the Cyber-Security Center's activities that it will focus on even more in the future is the development of security personnel. Strengthening Toshiba's security systems and leveraging their abilities to their fullest requires not only the development of specialized personnel with extensive information and product security knowledge, but also the heightening of the security mentality of executives, managers, and employees.
The Center is devoted to personnel development, establishing internal education systems and structures, as well as using the Core Human Resources Development Program offered by the Industrial Cyber Security Center of Excellence, part of the Information-technology Promotion Agency, Japan (IPA). To heighten security mentality, the Cyber-Security Center carries out e-Learning of content which includes specific key security enhancement and security response points tailored to the roles of individual learners, be they sales personnel, technical staff, development engineers, or quality management staff. Through this, the Center seeks to heighten security mentality throughout every part of the company.
It is also developing personnel within the Center with the leadership and management abilities to grasp and implement security measures as management challenges, based on their advanced knowledge and skills. Personnel exchanges and information sharing sessions are held regularly between Toshiba's Corporate Research & Development Center and Toshiba Digital Solutions' Industrial ICT Security Center in order to raise the levels of their respective members.
The Cyber-Security Center has an important mission as a company-wide organization, and expectations for it are rising, both inside and outside the company, as a site that supports the business activities and products of the entire Toshiba Group, and as a foundation for the cyber security measures that protect the safety and security of the customers and societies that use Toshiba products and services. Looking ahead to the rapidly expanding IoT age, we will further strengthen our proactive activities to respond to diverse security challenges.
* The corporate names, organization names, job titles and other names and titles appearing in this article are those as of April 2018.