In recent years, the number of cyberattacks targeting control systems in industries such as energy has been growing worldwide. Unlike attacks on information systems, which primarily result in the leakage of corporate and private information, cyberattacks on control systems can lead to accidents that threaten a company's business continuity, such as equipment failure, power outages, and plant shutdowns. Many companies are now striving to create Cyber-Physical Systems (CPS), which use the virtual world (cyber) to analyze data obtained from the real world (physical) and turn it into knowledge that can help solve social problems. To do this, the closed control system networks of sites such as factories and plants must be connected to the outside world, including information networks and the internet. However, any connection to an external network exposes the control system to a constant risk of cyberattack. In this article, we introduce a solution for detecting and analyzing the threat of cyberattacks on existing control systems.
The number of cyber threats to control systems is rising every year
Every year, cyberattacks pose an even greater threat to control systems. Over the past 10 years, there have been numerous reports of malware and other attacks targeting critical industrial infrastructure such as power companies, nuclear power facilities, and production plants.
Security measures which in the past were focused primarily on information systems will become increasingly necessary for a wide range of fields, such as manufacturing and production infrastructure, products, systems, solutions, and services. Based on the perspective of “cyber resilience” -- the systems and capabilities used to minimize the impact cyberattacks have on systems and to rapidly restore those systems to their initial state -- the Toshiba Group has developed and provides various security solutions for protecting critical industrial infrastructure.
* The importance of cyber resilience and examples of solutions for achieving it are introduced in detail in the first article of this series.
Here we introduce the CyberX Platform, or "CyberX," a cyber-security platform for control systems that visualizes control system assets and vulnerabilities and detects threats in real time.
CyberX has already been deployed at over 3,000 sites around the world and is in use on control system front lines. It follows the adaptive security architecture advocated by the research and advisory firm Gartner, in which security incidents are handled through the four continuous processes of "predict," "prevent," "detect," and "respond." It also covers the five core functions (Identify, Protect, Detect, Respond, and Recover) of the Cybersecurity Framework issued by the U.S. National Institute of Standards and Technology (NIST).
Why CyberX is chosen
Let us look at the functions CyberX offers. CyberX provides four functions that support every stage of security operations: asset identification and visualization, automatic vulnerability report generation, attack route prediction and countermeasure support, and equipment threat and abnormality detection.
In security operations, you can't protect what you don't know about, so visualizing assets (devices) is essential to protecting them. The first function, asset identification and visualization, makes this simple. Connected to the mirror (SPAN) port of a network switch, CyberX automatically detects every device that communicates across the monitored switch and shows which devices are talking to which, in real time, on a network configuration diagram (Fig. 1).
Because this is done through passive network analysis (the sensor only listens to mirrored traffic and never injects packets), it places no load on the network or on the devices, which matters for legacy controllers that active scanning can disrupt. This visualization function makes it easy to determine the current state of control systems that have been expanded over the years with the addition of various devices. After deployment, CyberX assesses network conditions on an ongoing basis, which not only lets it immediately detect the connection of unauthorized devices, but also supports smooth operation when the current system is changed and when responding to and recovering from incidents.
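The passive discovery and baselining described above, as an added illustration that is not CyberX code: the flow records are constructed to stand in for what a sensor on a mirror port would summarise from copied packets, and the MAC addresses, IPs and protocol names are assumptions made for the example. The inventory is built without sending a single packet onto the control network; a later capture is then compared against it to flag both never-seen devices and new conversations between already-known devices.

```python
"""Passive asset discovery from a switch mirror (SPAN) port.

Added illustration, not CyberX code. The flow records below are constructed
to stand in for what a sensor attached to a mirror port would summarise from
the copied traffic; nothing here transmits on the control network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed conversation, as a sensor would summarise it from captured packets."""
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str
    proto: str      # application protocol identified by the sensor, e.g. "modbus", "s7comm"
    dst_port: int


# Assumed device identities for the example.
HMI, ENG_WS, PLC_A, PLC_B = ("00:11:22:00:00:01", "00:11:22:00:00:02",
                             "00:11:22:00:00:20", "00:11:22:00:00:21")
ROGUE = "aa:bb:cc:dd:ee:ff"   # a device that was never part of the baseline

# Constructed baseline: an HMI polls two PLCs over Modbus/TCP and an
# engineering workstation talks S7comm to one of them.
BASELINE_FLOWS = [
    Flow(HMI, "10.0.1.10", PLC_A, "10.0.1.20", "modbus", 502),
    Flow(HMI, "10.0.1.10", PLC_B, "10.0.1.21", "modbus", 502),
    Flow(ENG_WS, "10.0.1.11", PLC_A, "10.0.1.20", "s7comm", 102),
]

# Constructed later capture: the known conversations continue, the engineering
# workstation starts talking to a PLC it never touched before, and an
# unknown laptop begins issuing Modbus requests to PLC_A.
LATER_FLOWS = BASELINE_FLOWS + [
    Flow(ENG_WS, "10.0.1.11", PLC_B, "10.0.1.21", "s7comm", 102),
    Flow(ROGUE, "10.0.1.99", PLC_A, "10.0.1.20", "modbus", 502),
]


def build_inventory(flows):
    """Map each MAC to the IPs it used and the (peer MAC, proto, port) conversations it initiated."""
    inv = defaultdict(lambda: {"ips": set(), "talks_to": set()})
    for f in flows:
        inv[f.src_mac]["ips"].add(f.src_ip)
        inv[f.dst_mac]["ips"].add(f.dst_ip)
        inv[f.src_mac]["talks_to"].add((f.dst_mac, f.proto, f.dst_port))
    return dict(inv)


def detect_changes(baseline, flows):
    """Compare a later capture against the baseline inventory.

    Returns (new_devices, new_conversations): MACs never seen while baselining,
    and (src, dst, proto, port) conversations absent from the baseline, including
    ones between two already-known devices.
    """
    new_devices, new_convs = set(), set()
    for f in flows:
        new_devices.update(m for m in (f.src_mac, f.dst_mac) if m not in baseline)
        known = baseline.get(f.src_mac, {}).get("talks_to", set())
        if (f.dst_mac, f.proto, f.dst_port) not in known:
            new_convs.add((f.src_mac, f.dst_mac, f.proto, f.dst_port))
    return sorted(new_devices), sorted(new_convs)


def to_dot(inventory):
    """Render the communication map as Graphviz DOT, one edge per observed conversation."""
    lines = ["digraph control_network {"]
    for mac, info in sorted(inventory.items()):
        ips = ",".join(sorted(info["ips"]))
        lines.append(f'  "{mac}" [label="{mac}\\n{ips}"];')
    for mac, info in sorted(inventory.items()):
        for peer, proto, port in sorted(info["talks_to"]):
            lines.append(f'  "{mac}" -> "{peer}" [label="{proto}/{port}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    baseline = build_inventory(BASELINE_FLOWS)
    print(to_dot(baseline))
    devices, convs = detect_changes(baseline, LATER_FLOWS)
    print("new devices:", devices)
    print("new conversations:", convs)
```

Two caveats a practitioner should keep in mind with any passive sensor: it only sees traffic that crosses the mirrored switch (devices on an unmonitored segment, or ones that stay silent, never appear), and a MAC address is an identity hint rather than proof, so an alert on a new device should be confirmed against the asset register and the physical port it appeared on.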
The second function is automatic vulnerability report generation. CyberX diagnoses the control system against control-system-specific threat information identified by CyberX's dedicated threat research and analysis team, and automatically generates reports of the overall system's vulnerabilities together with individual response measures. Diagnosis results are reported as quantitative scores, enabling users to make objective decisions.
The third function is attack route prediction and countermeasure support. Attackers sometimes enter control systems by chaining multiple vulnerabilities, each of which is low-risk on its own. Identifying individual vulnerabilities alone is therefore not sufficient for choosing appropriate countermeasures. CyberX uses its own threat modeling technology to predict the attack routes most likely to be used in targeted ICS (Industrial Control Systems) attacks. It also indicates the attack routes and devices for which countermeasures should be prioritized, taking into account each device's level of security risk, such as how important it is to the control system and how severely an attack on it would affect the process (Fig. 2).
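The reasoning behind attack route prediction, as an added example that is not CyberX's threat-modelling engine: every asset, criticality, weakness and likelihood below is a constructed assumption for the illustration. The graph encodes "an attacker who holds device A can reach device B through weakness W with estimated likelihood p"; paths are scored by multiplying the likelihoods along the chain and weighting by the criticality of the device finally reached, so a chain of individually unremarkable steps that ends at a safety-critical PLC outranks a single easy step to an unimportant host. A second function sums the risk of every path crossing each edge, which is one way to decide which weakness to close first.

```python
"""Attack-path ranking over a small asset graph.

Added illustration of chained low-severity weaknesses reaching a critical
device, not CyberX's threat-modelling engine. Every node, edge, likelihood and
criticality below is constructed for the example.
"""

# Constructed assets: name -> criticality to the process (0 none .. 5 safety-critical).
ASSETS = {
    "internet": 0,
    "dmz-historian": 1,
    "eng-ws": 2,
    "hmi": 2,
    "plc-lights": 1,
    "plc-boiler": 5,
}

# Constructed edges: (from, to, weakness, estimated likelihood in 0..1 that an
# attacker holding `from` reaches `to` through that weakness).
EDGES = [
    ("internet", "dmz-historian", "internet-reachable web UI with default credentials", 0.5),
    ("dmz-historian", "eng-ws", "shared local admin password", 0.4),
    ("eng-ws", "plc-boiler", "engineering protocol accepts program download from any host", 0.6),
    ("dmz-historian", "plc-lights", "unauthenticated Modbus writes permitted", 0.9),
    ("dmz-historian", "hmi", "unpatched file-sharing service", 0.3),
    ("hmi", "plc-boiler", "unauthenticated Modbus writes permitted", 0.6),
]


def simple_paths(edges, start):
    """Yield every loop-free path (as a list of edges) that begins at `start`."""
    by_src = {}
    for e in edges:
        by_src.setdefault(e[0], []).append(e)

    def walk(node, visited, path):
        for e in by_src.get(node, []):
            if e[1] in visited:
                continue
            new_path = path + [e]
            yield new_path
            yield from walk(e[1], visited | {e[1]}, new_path)

    yield from walk(start, {start}, [])


def rank_paths(edges, assets, start):
    """Score each path as (product of step likelihoods) x (criticality of the device reached).

    Returns [(risk, [node, ...], [weakness, ...])] sorted highest risk first.
    """
    ranked = []
    for path in simple_paths(edges, start):
        likelihood = 1.0
        for _, _, _, p in path:
            likelihood *= p
        target = path[-1][1]
        risk = round(likelihood * assets[target], 6)
        ranked.append((risk, [start] + [e[1] for e in path], [e[2] for e in path]))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


def edge_priority(edges, assets, start):
    """Sum the risk of every path crossing each edge; the edge with the largest
    total removes the most risk when its weakness is fixed."""
    totals = {(e[0], e[1]): 0.0 for e in edges}
    for risk, nodes, _ in rank_paths(edges, assets, start):
        for hop in zip(nodes, nodes[1:]):
            totals[hop] += risk
    return sorted(((round(t, 6), hop) for hop, t in totals.items()), reverse=True)


if __name__ == "__main__":
    for risk, nodes, weaknesses in rank_paths(EDGES, ASSETS, "internet"):
        print(f"{risk:.2f}  {' -> '.join(nodes)}")
    print("fix first:", edge_priority(EDGES, ASSETS, "internet")[:2])
```

In this constructed graph the top-ranked route (internet to historian to engineering workstation to boiler PLC) is built from steps rated 0.5, 0.4 and 0.6, none of which is the single most likely step in the graph (the 0.9 Modbus write to the lighting PLC), which is exactly the case the text warns about. The likelihood numbers are judgement calls; the value of the exercise is the ordering they produce and the edges it points at, not the decimals.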
The last is equipment threat and abnormality detection. Many control systems use proprietary communication protocols developed by control device manufacturers, which normally makes it difficult to identify threats from the communications themselves. CyberX offers HORIZON, a framework for supporting these proprietary protocols through plug-ins, so the solution can be used regardless of the control device manufacturer. CyberX also uses five analysis engines to detect abnormalities, leveraging the world's foremost knowledge of cyberattacks on ICS, which enables it to handle both known and unknown threats. It detects abnormal ICS behavior and unauthorized activity in real time and shows how to respond to it.
Why Toshiba offers CyberX
The advantage of deploying CyberX is that, through these four functions, it becomes possible to assess the current state of control system networks, monitor for unauthorized connections, detect abnormal communications, and analyze their causes, all in real time. This helps reduce the cost of managing control system assets and minimize downtime. To realize these advantages fully, it is essential to have a Security Operations Center (SOC) to monitor security threats and a Security Incident Response Team (SIRT) to deal with them.
To support companies wishing to establish an SOC and a SIRT, we offer consulting to assist with their creation and services that support their operation. The Toshiba Group also provides ICS-SOC services that monitor mission-critical infrastructure on behalf of enterprises, 24 hours a day, 365 days a year.
* ICS-SOC services are introduced in detail in the third article of this series.
Toshiba's strengths lie in its experience as a control device manufacturer in building control systems and the knowledge accrued through that experience; in its knowledge of diverse security solutions, developed through close alliances with CyberX and other leading overseas solution developers; and in its ability to combine security solutions optimized for each customer with its in-house infrastructure services.
The first step in security measures for control systems is identifying where threats lie. Introducing CyberX is an effective way of visualizing system assets and detecting threats in real time. Drawing on our experience in providing customers with a wide range of security solutions, we analyze current conditions against control system security standards, propose optimized improvement measures, and offer security assessment services. Please feel free to contact us if you are considering security measures.
- The corporate names, organization names, job titles and other names and titles appearing in this article are those as of February 2021.
>> Related information
Vol.36 Toshiba's Cyber-Security, Supporting Infrastructure Services