Recently, there has been growing interest in leveraging the untapped industrial data buried in industry infrastructures as management resources. Industrial infrastructure is being linked to cyber-physical systems (CPS), and control systems are becoming increasingly open. This is producing a dramatic increase in the amount of data being generated. At the same time, the open control systems are increasing cyber-security risks to industry infrastructure. Dealing with these risks has become an urgent priority. However, the security measures used for information systems cannot be applied to control systems. Measures with the potential to impede continuous system operation cannot be used. Engineers often lack detailed knowledge of control system security technologies. It is unclear how much should be spent on control system security measures. The number of difficulties and issues involved is tremendous. In this article, we introduce Toshiba’s Security Operation Monitoring Service for Control Systems, which was created to solve the problems faced by control system security measures.
The evolution of control systems and security regulations
The further advancement of society will require the fusion of technologies from the real (physical) and virtual (cyber) worlds, together with the unfettered distribution of data, the use of open industry infrastructure, and globalization. Until now, industrial infrastructure control systems (OT), such as those in social infrastructure and factories, have used closed networks, proprietary protocols, and proprietary platforms. In recent years, though, this closed world has been changing. Control systems are becoming more open: they adopt common technologies such as general-purpose operating systems and protocols to reduce costs, and they make the enormous amount of data in industrial infrastructure usable as an effective management resource, improving productivity and other metrics. While this use of open control systems has many potential benefits, it is also resulting in a steadily growing number of cyber-attacks on industrial infrastructure where control systems and information systems (IT) are connected to the internet.
Some of these cyber-attacks shut down important industrial infrastructure, and the number of these incidents, which have a major impact on our lives, is on the rise. However, security measures for these systems are still under development. There are several reasons for this.
First, many of these systems present technical challenges. For example, although the use of general-purpose operating systems and protocols is on the rise, many systems still use proprietary technologies that must be accommodated on an individual basis. Also, for systems which cannot be stopped, maintenance must be performed while the systems are still running. There are also operational difficulties. In some operation structures, engineers cannot be assigned for both control systems and security, so if a system abnormality occurs, it is not possible to make immediate decisions regarding how to respond. Also, control system lifecycles tend to be long, making it difficult to rapidly respond to evolving attacks.
Around the world, security regulations are being strengthened to counter the threats posed by cyber-attacks. In Japan, as well, related ministries, coordinated by the National center of Incident readiness and Strategy for Cybersecurity (NISC), are making progress with the development of cyber-security regulations in individual industrial fields. These regulations require secure operation throughout system lifecycles.
To meet these regulatory requirements and keep pace with global trends, the Toshiba Group is strengthening its security approaches and product security. It is leveraging its years of security experience and expertise to enhance security services for the control systems used in industrial infrastructure. We have recently fielded a growing number of consultation requests from customers concerning system operation and monitoring, so we have developed support systems and services that meet these needs (Fig. 1).
Toshiba’s ICS-SOC services mutually collaborate with product divisions
Among its security services for industrial infrastructure control systems, Toshiba is dedicating special efforts to its Industrial Control System - Security Operation Center, or ICS-SOC, service. With this service, the Toshiba SOC remotely monitors the information systems and control systems used in customer industrial infrastructure, such as factories and plants, and predicts and detects abnormalities. If an abnormality is detected, the Security Information and Event Management (SIEM) is used to efficiently analyze it and assist with speedy decision-making. The service also uses our worksite system and device expertise to provide customers with response and recovery approach proposals.
To provide ICS-SOC services, it is first necessary to define normal operating conditions. Defining normal operating conditions makes it possible to distinguish them from abnormal conditions. Furthermore, when an abnormality is detected, it is vital to determine whether it is the result of a cyber-attack or a device failure, and whether it should be addressed by shutting down the control system, which should be kept running without interruption, or if it can be handled without stopping the system. This decision-making must be performed rapidly.
Toshiba’s ICS-SOC service achieves this by using an implementation structure in which the SOC coordinates with a Security Incident Response Team (SIRT). The service draws on the expertise of the product departments responsible for the SIRTs to design optimized problem isolation rules for monitoring alerts. Standards are created that enable the SOC to determine whether or not systems are operating correctly. When an abnormality does occur, the SIRT takes the impact on the system into consideration and provides the SOC with proposals for responding to the situation appropriately, based on actual conditions (Fig. 2).
When the SOC receives notice of an abnormality, security operation and monitoring staff use the monitoring alert isolation rules to determine whether the cause is an equipment failure or a security incident. In the event of a serious security incident, the SIRT decides on a response policy, and that policy is used to provide instructions to the maintenance staff of the product system, so that they can carry out correct and precise incident handling.
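The isolation step described above, shown as an added example that is not Toshiba's code: a constructed baseline of normal operating conditions (allowed writer hosts, allowed protocol, plausible sensor band) and a rule set that sorts one alert into equipment failure, security incident, or normal, and flags when the SIRT must decide on a controlled stop. All hosts, values and rules are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed baseline of normal operating conditions for one plant segment.
# These values are assumptions for this example, not a real customer configuration.
BASELINE = {
    "allowed_writers": {"10.0.1.10"},   # only the engineering workstation writes setpoints
    "allowed_protocols": {"modbus"},
    "setpoint_range": (40.0, 80.0),     # plausible band for the monitored sensor
}

@dataclass
class Alert:
    src_ip: str
    protocol: str
    operation: str          # "read" or "write"
    sensor_value: float
    heartbeat_ok: bool      # device still answers its health poll

@dataclass
class Verdict:
    category: str           # "normal", "needs_review", "equipment_failure", "security_incident"
    stop_process: bool      # whether the SIRT must decide on a controlled stop
    reasons: list = field(default_factory=list)

def isolate(alert: Alert, baseline: dict = BASELINE) -> Verdict:
    """Apply the isolation rules to one SIEM alert and return a verdict."""
    reasons = []
    if alert.protocol not in baseline["allowed_protocols"]:
        reasons.append(f"unexpected protocol {alert.protocol}")
    if alert.operation == "write" and alert.src_ip not in baseline["allowed_writers"]:
        reasons.append(f"write from unauthorised host {alert.src_ip}")
    lo, hi = baseline["setpoint_range"]
    out_of_range = not lo <= alert.sensor_value <= hi

    if reasons:
        # Network behaviour deviates from the baseline: treat it as a security
        # incident. Escalate to a stop decision only if the process value is
        # also outside its safe band; otherwise containment can proceed live.
        if out_of_range:
            reasons.append("process value outside safe band")
        return Verdict("security_incident", out_of_range, reasons)
    if out_of_range and not alert.heartbeat_ok:
        # Bad reading from a device that stopped answering, with no network
        # anomaly: consistent with a failed sensor or controller.
        return Verdict("equipment_failure", False, ["device unresponsive, value out of band"])
    if out_of_range:
        return Verdict("needs_review", False, ["value out of band, device healthy"])
    return Verdict("normal", False)
```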
The greatest strength of our service is the way that specialists in both the SOC and the SIRTs coordinate with each other to handle issues.
The ICS-SOC service is already in use by customers in the energy industry. Monitoring alert isolation rules are currently designed by personnel, but in the future, everything from rule design to incident response will be performed automatically using Security Orchestration, Automation and Response (SOAR) technology. SOAR technology, which has drawn growing interest recently, automates security operation and improves efficiency. Furthermore, by continuing to accrue expertise regarding control security incident response, we plan to develop this service into an even more advanced and refined one.
While this service was first rolled out to customers in the energy industry, we plan to gradually extend it to other industries as well, such as the petrochemical, sewerage and water, and transportation industries. Overseas, especially in ASEAN markets, security regulations for critical infrastructure are very strict. Operation must be performed at a very high level, and many customers are reaching the limits of what they can handle in-house. This is driving the gradual expansion of use of external security operation and monitoring services. There are signs of growing demand worldwide, so Toshiba plans to further expand its deployment track record and enhance the reputation of the ICS-SOC service.
Protecting systems from cyber-attacks through a comprehensive approach combining both cyber and physical aspects
Overseas, security services for industrial infrastructure control systems are a new type of service that is starting to see greater adoption at long last. In Japan, the Toshiba Group has taken a pioneering role in providing these services.
In the future, we plan to turn these security services for industrial infrastructure into common security services that span the entire Toshiba Group. They will become one of the strengths of our infrastructure services, providing added value. To achieve this, the Toshiba Cyber-security Technology Center will continue to develop security technologies and solutions and enhance its structure.
Toshiba has many years of experience supplying systems and devices to customers with critical infrastructure. We have extensive knowledge of control systems. Furthermore, we can provide customers our track record of experience as an infrastructure service company. We consider it our mission to use these three strengths to protect systems from cyber-attacks through a comprehensive approach that combines both cyber and physical aspects.
Modern society is changing at a dizzying speed. Let us work together to take on the threats of today and the future so that your business can continue to flourish and we can create a richer society.
- The corporate names, organization names, job titles and other names and titles appearing in this article are those as of March 2021.