Many companies are now striving to create Cyber-Physical Systems (CPS) that use the virtual world (cyber) to analyze data obtained from the real world (physical) and create knowledge from it, so that this knowledge can be used to help solve social problems. Cyber resilience -- minimizing the impact of cyberattacks and rapidly restoring systems -- is vital when creating CPS. The Toshiba Group aims to be one of the world’s leading CPS technology companies. It has been a pioneer in the development of cyber resilience, providing solutions for comprehensive and seamless management and operation of information security, control system security, product security, and data security. In this article, we look at what makes cyber resilience so important and how Toshiba’s solutions achieve it.

In recent years, Night Dragon cyberattacks aimed at the world’s energy industry and the DUQU malware, which targets industrial control systems, have made waves in Europe, the Middle East, and Asia. There have also been ongoing cyberattacks aimed at vital industrial infrastructure such as nuclear power plants, power companies, water treatment facilities, steelworks, and manufacturing plants. In Japan, as well, the news of a ransomware attack on an automotive manufacturer is still fresh in peoples’ memory.

Much of the industrial infrastructure that is essential to peoples’ lives consists of two types of systems: information systems (IT) and control systems (OT). The networks connecting them are composed of three layers: an information system network, a control information system network, and a control network (Fig. 1).

What concrete measures are necessary for achieving cyber resilience?

We have defined three parameters for minimizing the impact of incidents on systems. These parameters are system uptime "Prepare (P)", incident loss "Mitigate (M)", and response / recovery time "Response & Recovery (R)". P must be extended, M decreased, and R made shorter (Fig. 2).

We introduce at three measures for extending P. The first is maintaining the health of systems. To IT, regular updates and timely patching are applied OS and software. To OT, periodic maintenance is performed, furthermore, the health of systems is kept by visualizing a risk and continuous monitoring. The second is reinforcing preventive capabilities and defensive measures. This includes using defense in depth at the border between IT and OT, introducing systems for protecting OT legacy devices, and providing systems with redundancy. The third is using threat intelligence to predict risk. Detecting discussions and actions by attackers and implementing countermeasures before being attacked are important elements of proactive response.

There are two main means of decreasing M. The first is real-time incident detection. It is important to detect irregularities and to analyze the correlation between initial attacks and the continuous attacks that often follow them. This can be effectively achieved by deploying Intrusion Detection Systems (IDS), establishing Security Operation Centers (SOCs) that continuously monitor IT and OT, using Security Information and Event Management tools to analyze correlations between incidents and event log contents, and implementing Security Orchestration, Automation and Response (SOAR) solutions for visualizing incidents and automating response. Impact is localized and minimized through zoning -- systems are segmented, or zoned, in units of networks and functions, and monitoring is performed of the states within zones and connection points, or conduits, between zones to detect any abnormalities.

* Zoning is introduced in detail in the fourth article of Vol. 25.

Lastly, to shorten R, it is important to make incident response more efficient by using a playbook approach and automation. It is also important that using logs and preparing the forensic team. The knowledge and experience of individuals are codified (turned into playbooks) and used in SOAR to respond to incidents. Some parts of this response are automated, improving overall incident handling efficiency. For attacks similar to past logs, correlation analysis between response logs and incidents is useful for an immediate response. On the other hand, for novel attacks, it is essential to prepare the system that can make detail (forensic) investigations in order to restore systems rapidly. Of course, to achieve this, it is vital that incident response knowledge be continuously accrued.

At Toshiba, SOC, CSIRT(Computer Security Incident Response Team), and PSIRT(Product Security Incident Response Team) work together to operate the life cycle management of responding Prepare, Mitigate, Response & Recovery on an ongoing basis. Through this, we are increasing the maturity of our cyber resilience. To automate and improve the efficiency of this lifecycle, we collect threat intelligence and asset logs in SOAR, and we have used them to create a cyber resilience operation platform.

We introduce at some of the solutions the Toshiba Group offers to enable customers to achieve cyber resilience.

One of the effective solutions for extending P is the Waterfall One-way Security Gateway (hereafter, “Waterfall”). Waterfall is used for one-way communications by physically blocking transmissions in the opposite direction. It supports various applications and protocols, such as industrial applications and standard file systems. Because of this, it can be deployed without requiring almost any changes to existing application systems. The need for one-way communication like this stems from a problem with firewalls. Even if a firewall only allows outward-facing traffic, it also generates reverse-facing transmission data such as acknowledgements (Acks). This response can be leveraged by attackers to infect systems with malware. Furthermore, if there are any vulnerabilities or configuration errors in the firewall itself, they can also be used to provide attackers with access into systems.

Another effective tool for extending P is CYTHEMIS. CYTHEMIS is an IoT security solution that makes it easy to communicate securely, as if over a dedicated line compact device and management system that externally connects to devices you wish to communicate with. It is compact device and management system that externally connects to devices you wish to communicate with. For example, CYTHEMIS can be used with devices that cannot be connected to networks for safety reasons, such as legacy devices that are hard to replace and upgrade, or to devices which would present risks if connected to networks. It enables these devices to connect and communicate securely.  This is done using CYTHEMIS’s mutual authentication and whitelist functions. Data senders, data receivers, and communication methods are defined in advance, and all communications that are not specified in the permitted communications list are blocked. This solution applying the security technologies Toshiba has developed through its IC card business.

The last solution we’d like to introduce for extending P is the “CyberX Platform (CyberX),” a cyber security platform for control systems.

It is one of the Intrusion Detection System for OT (OT-IDS). CyberX automatically detects devices connected to control information networks and control networks, and visualizes network connections in real time. One of its notable features is that it has no impact on worksite control system operation. In the energy industry, the introduction of CyberX has made it possible to identify and visualize assets.

* CyberX is introduced in detail in the second article of this article.

Deploying OT-IDS is effective in reducing M and shortening R. For example, in one case in which OT-IDS was deployed in a transformer substation, both unknown and known threats were analyzed using control system behavior, and control protocol-specific abnormality detection and countermeasure proposals were issued.

SOAR is also effective for reducing M and shortening R. One manufacturing industry customer uses SOAR in their PSIRT. This has improved the efficiency of its response and made it possible to visualize the status of incidents and responses related to the company.

We also operate an ICS-SOCs (SOCs for industrial control systems) as part of our efforts to reduce M and shorter R. The ICS-SOCs uses Toshiba Group’s expertise and operation knowledge regarding systems and devices, developed through its history in the manufacturing industry, together with threat intelligence based in part on threat information from sources outside the company, to perform more advanced, faster, and more accurate analysis and abnormality detection.

* The ICS-SOCs is introduced in detail in the third article of this article.

In the data security field, we are carrying out R&D on secure data processing technologies for safely distributing industrial data. Needless to say, we are also improving our product security. For example, for all Toshiba Group products, we have created security checklists, corresponding quality assurance guidelines, and evaluation and verification platforms that cover the entire product lifecycle, from initial inquiry to requirement definitions, development and design, manufacturing and testing, installation and inspection, operation, and disposal.

* Our secure data processing technologies are introduced in detail in the fourth article of Vol. 34.

In this way, Toshiba Group supplies a variety of cyber security solutions. One of the strengths of Toshiba Group is that, as a member of the manufacturing industry itself, it posses OT and products and has accrued and integrated knowledge and experience regarding information security, control sytem security, product security, and data security. Now, we are working on a new initiative for building and implementing zero trust networks, in which access control and monitoring are performed for all devices. Protecting the present while continually working towards the future. This is a vital part of cyber security, and cyber security is an important element in Toshiba Group’s growth as an infrastructure service company.

* Toshiba’s zero trust network initiatives are introduced in detail in the fourth article of this article.

There are still few companies that can develop and implement seamless, total security measures like our cyber resilience measures. Cyber resilience for industrial infrastructure is an area in which we can leverage the strengths of the Toshiba Group, polished through our CPS technology experience.

Investing where necessary, when necessary, is also an important aspect of security measures, so we wish to help prevent customers from excessive investment by deploying security solutions with overlapping functions. That’s why we perform assessments before deploying solutions. These assessments enable us to propose optimized solutions.

Please contact us if you are considering implementing cyber resilience in your industrial infrastructure. We will provide solutions that offer seamless, total management and operation of security optimized for your company.

• Our vision of “Making society better with Digital Solutions”