In recent years, the number of ransomware attacks targeting societal infrastructure, factories, and plants has been on the rise. The most common type of attack has been to encrypt information and then demand a ransom to decrypt it, but recently these attacks have become even more vicious, with attackers threatening to leak stolen data if the ransom is not paid, or repeatedly extorting the same victims. When a single manufacturing site is attacked, the damage can be massive, because the effects spread to other companies and clients in the same supply chain. How can these situations be prevented? In this issue, we will look at Toshiba Digital Solutions’ control system security, which provides integrated support for everything from customer situation analysis to monitoring and operation in order to protect customers from various cyber-attacks, and Claroty, which plays an important role in this control system security.
The reasons for the sudden rise in cyber-attacks targeting factories and plants
According to 10 Major Information Security Threats 2024*1, for four consecutive years the number one threat for organizations has been damage due to ransomware, and for two consecutive years the number two threat has been attacks targeting weak points in supply chains. In 2022, the number of ransomware attacks targeting industrial organizations rose 87% compared to the previous year. It was reported that 72% of all such ransomware attacks targeted the manufacturing industry, and that 83% of the industrial control devices in plants have some form of vulnerability*2. Ransomware attacks are becoming more sophisticated and harmful. In the past, attacks consisted of encrypting data and then demanding a ransom to decrypt it, but there has been a rise in multi-extortion attacks, which not only demand a ransom for decryption but also threaten to leak the stolen data on the dark web.
*1: Published by the Information-technology Promotion Agency, Japan (IPA)
*2: Source: 2022 ICS/OT Cybersecurity Year In Review Executive Summary
Why are a growing number of cyber-attacks targeting the manufacturing industry? This is the result of the application of the IoT to Operational Technology (OT) and the promotion of digital transformation (DX). OT, which was previously isolated within plants, is now connected to Information Technology (IT) and to external parties such as cloud services. This is done to visualize and optimize operations, raise productivity, and make maintenance more efficient through remote connections. At the same time, the number of potential intrusion points has risen and those intrusion points have grown more complex, raising security risk and making the manufacturing industry a more attractive target. There are also the dangers of systems being infected by malware introduced by connecting unauthorized PCs or USB flash drives, and of undocumented paths to the outside world, such as vendor maintenance lines or rogue wireless LAN access points. As in information systems, general-purpose operating systems and protocols have started to be used in control systems, which is another factor that has made these systems more susceptible to cyber-attacks.
Due to factors such as these, we are now in an age where we must assume that factory OT devices and OT networks will be attacked, and security measures must be put in place accordingly.
The difficulties involved in assessing the current status of manufacturing site equipment and networks
While security measures are becoming more important for OT, actually implementing them is no easy matter. Doing so requires that the current status of the entire system be accurately understood, but determining current conditions in manufacturing sites is known to be a difficult process.
In general, OT tends to have longer service lives than information systems. It is not unusual for devices to be used for 10 years, 20 years, or even longer. Security measures are sometimes left at the same level as they were when the devices were first installed. Personnel change, and assets are not always managed with sufficient rigor, so it is often unclear what devices and equipment there are in sites or what kinds of communications they engage in. The first step is thus to visualize what devices are present and their current status, thereby performing an accurate assessment of the current situation.
Along with visualizing devices, companies must also determine the security risks faced by individual devices. You can only begin preparing to protect devices from cyber-attacks once you have identified the versions of operating systems and firmware used on devices, confirmed what patches have been applied, etc., and accurately managed risk.
The next question is how to deal with attacks. Lateral movement is an attack technique in which attackers who have gained an initial foothold on one device move on to other devices in the network, often after lying quiet for some time, expanding the range of systems under their control. Dealing with this kind of attack requires a system that can detect dangerous activity directed at critical devices once a network has been compromised.
Of course, when organizations suffer cyber-attacks, they need to respond immediately. They have to be able to detect abnormalities before there are any incidents, such as the theft of important design or manufacturing data, the encryption of data, or the shutting down of systems by overloading control system networks. To prevent incidents such as these, it is important to accurately identify signs of attacks and implement response measures.
To meet these requirements for visualizing devices, identifying security risks, detecting attacks, and assessing attacks, Toshiba Digital Solutions provides Claroty. Claroty is a cyber-security solution for the Extended Internet of Things (XIoT), Claroty’s term for the combined estate of OT, IoT, and IT devices, and it is used as part of control system security.
This solution from U.S.-based Claroty Ltd. is already being used by over 10,000 companies worldwide. We decided on Claroty after comparing and verifying numerous security solutions. The deciding factor was the number of protocols it supports. For OT security, the level of protocol support is critical, because OT often uses proprietary protocols that are unique to each manufacturer; a monitoring tool that cannot parse a protocol cannot tell a normal read from an abnormal write on it. As of 2024, Claroty supports roughly 400 protocols, using its own protocol analysis to detect abnormalities. In addition to common fieldbus and industrial Ethernet protocols, it also supports proprietary manufacturer protocols. Beyond its protocol coverage, it is also a good fit for our measures to improve the resilience of the manufacturing industry as a whole, thanks to its potential to evolve and its ability to integrate with our own systems.
We provide a wide range of solutions and services that enable the implementation of OT security measures across the entire lifetimes of our customers’ system environments. Claroty is one of these solutions, and we use it to assist with the entire lifecycle from field assessment to deployment, operation, and maintenance.
A versatile OT intrusion detection system (IDS) that manages assets and detects vulnerabilities and threats without disrupting the network
Claroty provides functions that meet the four aforementioned requirements of “identifying and visualizing assets,” “automatically evaluating vulnerabilities and risks,” “performing monitoring and issuing alerts using virtual zoning,” and “detecting security threats and equipment abnormalities” (Fig. 1).
When deploying OT security, one key point is to do so without stopping the manufacturing equipment already in use at the site. Claroty collects communication data simply by being connected to the mirror port of a network switch within the OT network, so it can be deployed without stopping site operation. Because it only listens to a copy of the traffic, it never injects packets into the control network, which is what makes it safe for live plants; the trade-off is that it sees only the traffic that passes through the mirrored switch, so collector placement determines coverage. It collects communications data, analyzes it, visualizes existing assets and network conditions in an easy-to-understand way, and detects latent threats and abnormalities, all without affecting the plant environment (Fig. 2).
For asset identification and visualization, it analyzes the communications traffic it acquires, automatically detects the devices on the network, and lists them as assets on its dashboard. It contributes to a more accurate understanding of the status of networked devices by displaying details such as device operating systems, manufacturers, model names, and versions.
It also automatically evaluates the vulnerabilities of the assets it visualizes. Specifically, based on the vulnerability, threat, importance, ease of access, and spillover impact, it automatically calculates an estimated risk score. For example, it matches the identified model and firmware or OS version of each device against public vulnerability records such as Common Vulnerabilities and Exposures (CVE) entries, the globally used vulnerability identifier scheme, to determine whether devices on the network have known vulnerabilities. The quality of this matching depends on the accuracy of the device fingerprint, so an asset whose version could not be determined from traffic should be checked manually rather than assumed clean. This makes it possible to prioritize among the high number of devices on OT networks and implement security measures where they matter most.
Many vulnerabilities are reported to security organizations every day. Searching through each and every one of these published items would present a tremendous challenge to field personnel, and understanding this security information also requires a great deal of skill. Automated matching of assets against CVE records significantly reduces the workload placed on site personnel.
Now, let’s discuss “performing monitoring and issuing alerts using virtual zoning” and “detecting security threats and device abnormalities.” Claroty automatically divides control system networks into virtual zones and generates communication rules for each zone from the traffic it has observed. Since these rules are a learned baseline, the learning period should cover normal operation and be reviewed before it is trusted; anything that was already happening during that period, including an attacker already present, would otherwise be treated as normal. If it detects behavior that violates the communication rules, it rapidly issues an abnormal-communications alert and displays a chronology of the issue. For example, if an indiscriminate port scan were occurring, it would detect this as anomalous behavior and a sign of a potential attack. It would alert the user, urge a rapid response, and display a timeline showing which devices connected to which devices and what activity had taken place, assisting the user in determining the cause.
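The four functions described in this section (asset identification from traffic, vulnerability matching and risk scoring, a learned zone baseline, and alerts on rule violations and port scans) can be sketched as a single passive pipeline. The block below is an added illustration written for this article, not Claroty’s code, and it generalizes the text slightly by showing all four steps over one set of flow records. The flows, zone map, device fingerprints, importance weights, and the vulnerability table with its CVE-style identifiers are all constructed sample data; the identifiers are placeholders, not real CVE entries, and the risk formula is a toy that only mirrors the factors the article lists.

```python
"""Passive OT monitoring sketch: inventory, zone baseline, vulnerability
matching, risk score and anomaly alerts.  Added example for this article,
not Claroty's code.  All flows, zones, fingerprints, importance weights and
CVE-style IDs below are constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    t: int      # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str  # protocol label as a traffic analyzer would assign it


# Constructed zone map standing in for automatically inferred virtual zones.
ZONES = {ip_network("10.1.0.0/24"): "PLC-line-1",
         ip_network("10.2.0.0/24"): "HMI-engineering",
         ip_network("192.168.50.0/24"): "IT-DMZ"}

# Constructed device fingerprints (what traffic analysis would yield) and a
# constructed vulnerability table keyed by (model, version); placeholder IDs.
FINGERPRINTS = {"10.1.0.10": ("ExamplePLC", "fw 2.1"),
                "10.1.0.11": ("ExamplePLC", "fw 3.0"),
                "10.2.0.5": ("EngWorkstation", "os 10")}
VULN_DB = {("ExamplePLC", "fw 2.1"): ["CVE-0000-0001", "CVE-0000-0002"]}
IMPORTANCE = {"10.1.0.10": 5, "10.1.0.11": 5, "10.2.0.5": 2}  # 1 (low) .. 5 (critical)


def zone_of(ip):
    addr = ip_address(ip)
    return next((name for net, name in ZONES.items() if addr in net), "unknown")


def rule_key(f):
    return (zone_of(f.src), zone_of(f.dst), f.proto, f.dport)


def learn_baseline(flows):
    """Allowed (src_zone, dst_zone, proto, dport) tuples seen in a clean learning window."""
    return {rule_key(f) for f in flows}


def inventory(flows):
    """IP -> zone, fingerprint, matched CVEs, peers and listening ports, from traffic alone."""
    inv = defaultdict(lambda: {"peers": set(), "ports": set()})
    for f in flows:
        inv[f.src]["peers"].add(f.dst)
        inv[f.dst]["peers"].add(f.src)
        inv[f.dst]["ports"].add(f.dport)
    for ip, a in inv.items():
        a["zone"] = zone_of(ip)
        a["fingerprint"] = FINGERPRINTS.get(ip)          # None if not fingerprinted
        a["cves"] = VULN_DB.get(a["fingerprint"], [])    # unknown version => no match, not "clean"
    return dict(inv)


def risk_score(ip, inv):
    """Toy score: vulnerabilities x importance, doubled when reachable from another
    zone (ease of access), plus number of peers (spillover impact)."""
    a = inv[ip]
    cross_zone = any(zone_of(p) != a["zone"] for p in a["peers"])
    base = len(a["cves"]) * IMPORTANCE.get(ip, 1)
    return base * (2 if cross_zone else 1) + len(a["peers"])


def detect(flows, baseline, scan_ports=8, window=5):
    """Alerts: every flow outside the zone baseline, plus one port-scan alert per
    source that touches >= scan_ports distinct (dst, port) pairs within `window` seconds."""
    alerts, recent = [], defaultdict(deque)
    for f in sorted(flows, key=lambda x: x.t):
        if rule_key(f) not in baseline:
            alerts.append(("zone-rule-violation", f.t, f.src, f.dst, f.proto, f.dport))
        q = recent[f.src]
        q.append((f.t, f.dst, f.dport))
        while q and q[0][0] < f.t - window:
            q.popleft()
        if len({(d, p) for _, d, p in q}) >= scan_ports and \
                not any(a[0] == "port-scan" and a[2] == f.src for a in alerts):
            alerts.append(("port-scan", f.t, f.src, None, None, None))
    return alerts


# Constructed learning window: an HMI polls two PLCs over Modbus, plus one HTTPS session.
LEARN = [Flow(t, "10.2.0.5", "10.1.0.10", 502, "modbus") for t in range(0, 60, 2)] + \
        [Flow(t, "10.2.0.5", "10.1.0.11", 502, "modbus") for t in range(1, 60, 2)] + \
        [Flow(30, "10.2.0.5", "192.168.50.20", 443, "https")]

# Constructed monitoring window: normal polling, then an IT-DMZ host probing a PLC.
MONITOR = [Flow(t, "10.2.0.5", "10.1.0.10", 502, "modbus") for t in range(100, 110, 2)] + \
          [Flow(105, "192.168.50.20", "10.1.0.10", p, "tcp")
           for p in (21, 22, 23, 80, 102, 443, 502, 8080, 44818)]

if __name__ == "__main__":
    base = learn_baseline(LEARN)
    inv = inventory(LEARN)
    for ip in sorted(inv):
        print(ip, inv[ip]["zone"], inv[ip]["cves"], "risk =", risk_score(ip, inv))
    for alert in detect(MONITOR, base):
        print(alert)
```

Run as a script, it lists the four assets with their zone, matched identifiers and score, then prints nine zone-rule violations (the DMZ host has no allowed rule towards the PLC zone) followed by a single port-scan alert once the eighth distinct port is touched within the window. The PLC with the vulnerable firmware scores highest because it is both vulnerable and reachable from another zone, which is the prioritization the article describes.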
In this way, deploying Claroty makes it possible to visualize the current state of devices and networks in manufacturing sites, identify risks, and detect attacks and abnormalities.
The essence of OT security, achieved thanks to Toshiba’s deep manufacturing site expertise
We have set up many diverse systems and networks, both internally and for outside customers, and built up a wealth of expertise. We use this expertise to provide customers with a full range of services from security consulting to the design and construction of countermeasure solutions, as well as monitoring and operation services, using an integrated approach. Instead of offering solutions and services such as Claroty as isolated products, we are confident that our integrated approach brings out the true potential and value of these solutions and services, enhancing the resilience of customer environments.
In our consulting, we conduct interviews to gain an accurate understanding of customer situations, and security experts perform assessments that analyze the gaps between applicable standards and actual conditions. We have been offering consulting services on international security standards (ISO/IEC) on a continuous basis since the early 2000s. We have also taken part in the drafting of security guidelines by national governments and industry organizations. For example, we took part in the formulation of the Ministry of Economy, Trade and Industry’s Cyber/Physical Security Guidelines for Factory Systems and the Japan Electric Association’s Guidelines for Power Control System Security.
After assessing the situation through consulting, we consider appropriate measures and how to prioritize them, designing and building concrete countermeasure solutions using security products with proven global track records. Following deployment, we offer a security monitoring and operation service (our OT Security Operation Center (OT-SOC)) and an incident response service (our Security Incident Response Team (SIRT)). These integrated services protect customers from cyber-attacks.
Our lives and our societal infrastructure are becoming increasingly connected to networks. While this enables us to enjoy the benefits of digital technology, it also presents society as a whole with greater security threats. We aim to improve the resilience of critical infrastructure and the manufacturing industry. We will accomplish this by contributing as a hub that connects critical infrastructure providers, manufacturers, and their entire supply chains, including affiliates, with security vendors, IT system integration partners, and OT system integration partners (Fig. 3).
Security is not a competitive field; it is a cooperative one. It is vital to protect each and every company within a supply chain. Start with our assessment to protect your company, and society as a whole, from cyber-attacks.
- The corporate names, organization names, job titles and other names and titles appearing in this article are those as of March 2024.
- All other company names or product names mentioned in this article may be trademarks or registered trademarks of their respective companies.