In recent years, global tensions have been rising due to factors such as the Russian invasion of Ukraine and the situation in the Middle East. Cyber-attacks related to these conflicts have also extended their targeting scope to not only the parties directly involved in conflicts but also ally nations and supporters. Cyber-attacks directed at government agencies, medical institutions, financial institutions, and manufacturing supply chains can shut down social infrastructure and cause product shortages. These can have tremendous impacts on people’s lives and develop into major societal problems. These serious impacts make cyber-security an urgent business challenge for companies. In this running feature on control system security, we will learn about control system security trends and Toshiba’s initiatives to improve the cyber-resilience of social infrastructure and plant control systems.

Part 1 will focus on the risks and regulatory trends surrounding security for control systems, and the direction of security technologies that Toshiba aims for.

Over the past few years, the number of ransomware attacks targeting the manufacturing industry and social infrastructure has climbed rapidly. Just imagine it—one evening, you’re in your plant, working on a computer, when suddenly the screen goes black, and you can’t control the computer at all. This computer is responsible for controlling every piece of machinery in the plant. All of the data on it has been encrypted, and you have no way to decrypt it. And it’s not just this one computer—many of the computers in your company have also been infected with this virus, and their data has also been encrypted. You have no choice but to shut down the plant. The damage is immeasurably enormous. In today’s times, this isn’t just something that happens to other companies. It could happen to yours, too.

In the past, attacks on control systems were often politically motivated. However, from the late 2010s onward, there has been a rapid rise in the number of financially motivated ransomware attacks. It is now reported that many of these attacks are targeting manufacturing and infrastructure enterprises. The rise in the number of ransomware attacks on the manufacturing sector has been particularly prominent in recent years. According to a recently published report, 70% of ransomware attacks are now targeting the manufacturing sector (Fig. 1).

What are the causes of this situation? One factor is that cyber-attacks have both tremendous financial and societal impacts. In the manufacturing industry, attacking a single company affects all of the other companies in its supply chain, so it carries the risk of major financial damage. In addition, attacks on social infrastructure such as rail or energy infrastructure can cause disruptions and damage to business activities and people’s live by shutting down transportation, power supply and other functions. Therefore, attacks targeting companies can  have a large and wide-ranging impact. This is believed to be one reason that manufacturers and social infrastructure companies are increasingly likely to be targeted.

For example, in 2018, Taiwan Semiconductor Manufacturing Company Limited (TSMC), a Taiwanese semiconductor manufacturer, was attacked by the WannaCry ransomware. The attack affected many of the company’s computers and manufacturing devices, and it forced the company to shut down production for three days. TSMC is said to have suffered up to 19 billion yen in lost operating profit as a result^[1].

In May 2021, Colonial Pipeline, one of the U.S.’s largest fuel pipeline companies, suffered its own ransomware cyber-attack. The pipeline was shut down for six consecutive days and roughly 81% of the gas stations in Washington, D.C., ran out of gasoline. The attack had a major impact on people’s lives^[2].

Under these circumstances, various security regulations are being introduced for factory systems and manufacturing equipment in the manufacturing sector, which includes the automotive and semiconductor. The automotive industry has begun enhancing security by having automobile suppliers acquire certification from the German Association of the Automotive Industry, using this as an industry-wide certification. In the semiconductor industry, major manufacturers have taken the lead in standardizing cyber-security countermeasures for the manufacturing equipment used in plants. These measures are starting to be included as requirements when procuring new devices. Advances are also being made in national regulations in Japan. The Japanese Ministry of Economy, Trade and Industry has issued Cyber/Physical Security Guidelines for Factory Systems^[3] that outline approaches and methods for security measures essential for promoting the digital transformation (DX) of factory systems. We were involved in the creation of these guidelines.

The manufacturing industry is not the only one in which regulations are being introduced and guidelines are being created. The Economic Security Promotion Act mandates the application and appropriate operation of security measures in specific critical equipment used by essential infrastructure businesses in 14 fields, including power, water, and rail. The Act’s security risk measures for supply chains do not just apply to core infrastructure operators, but also to manufacturers that create control systems and other equipment that are designated as specific critical equipment. The Act requires these manufacturers to implement security measures for equipment involved in the monitoring of power supply and demand equipment, the monitoring of water purification equipment, and train operation management. It also requires the implementation of security measures in the manufacturing environments of subcontractors, such as the companies that manufacture the parts used in this equipment. These requirements will go into effect in May 2024*.

* Information as of April 2024, when the Japanese version of this article was issued.

The reason that manufacturing companies and social infrastructure are increasingly being targeted is the growing use of the IoT and DX in control systems. In the past, these control systems (operational technology, or OT) consisted of closed network environments, isolated from the internet, and used propriety operating systems and protocols. However, as these systems evolved, it became more common for them to use the general-purpose operating systems (such as Windows or Linux) also used by information systems (information technology, or IT). The use of general-purpose protocols meant that these systems could be damaged by the same kinds of attacks as those performed on information systems. In addition, the use of IT in control systems led to greater interconnectedness between control systems and operation systems, which increased the number of potential intrusion points. The greater the number of external connections, such as cloud connections for leveraging data, remote connections for operation and maintenance, or connections used in system integration across supply chains, the greater the number of potential intrusion points and the greater the security risk (Fig. 2).

To deal with these threats, enterprises and operators can separate their operational networks and control networks, and they can strengthen the borders between IT and OT. Before doing that, however, they must implement measures to prevent hidden bypass connections in plants via wireless LANs (Local Area Networks) or mobile routers, together with measures to prevent the connection of unauthorized computers or USB drives by production line operators and maintenance personnel. Furthermore, as remote manufacturing equipment operation and maintenance has become more widespread in recent years, it has also become essential to implement measures to protect against attacks targeting vulnerabilities in manufacturing equipment and in the VPN (Virtual Private Network) devices that are used for remote connectivity.

In light of this situation, the two key concepts of Toshiba’s control system security are “cyber-resilience” and “zero trust.”

We use the cyber-resilience concept to provide total security, including information, product, control, and data security for entire supply chains. This concept can also be applied to factories and plants. We define cyber-resilience as “the ability to prepare for incidents, minimize their impact, rapidly recover, and continue business operations” (Fig. 3).

The first step in building cyber-resilience is to prepare for the possibility of cyber-attacks. An effective means of dealing with all kinds of latent attacks is to perform comprehensive risk assessments, in which risks are assessed and risk levels are evaluated. This is also true for plants with numerous control systems. Evaluating and visualizing risks makes it possible to formulate countermeasures.

The next key concept in improving cyber-resilience is “zero trust.” Traditionally, the protection of internal assets was focused on security measures based on perimeter defense—preventing external parties from gaining access to company systems or plants. However, the rise in the use of remote connections for operation and maintenance, along with greater use of cloud connectivity, has increased the number of potential intrusion points. Once inside an environment, attackers would have free access to the assets within the environment, and it would be impossible to prevent further damage. The limits of perimeter defense measures became apparent.

This is why the “zero trust” model was adopted. The zero trust model requires that all access be initially distrusted, and authentication and authorization be performed at all times. Only authorized parties are allowed to establish connections, and these connections are constantly monitored. If there is any suspicious behavior, prompt action is taken, such as issuing warnings or severing connections, to minimize any damage. We are employing this zero trust model in factories and plants, as well. Let’s look at the “OT zero trust” used in factories and plants (Fig. 4).

First, any party that attempts to connect to a plant network is investigated and tested. None are trusted by default. For example, if a piece of manufacturing equipment is installed or a device is brought into a worksite, it is always inspected and tested for vulnerabilities. Malicious equipment and devices are prevented from being connected to the plant network. Any equipment or device connected to the plant network is then constantly visualized and monitored, making it possible to rapidly detect any abnormalities in plant assets or networks. When an abnormality is detected, it is responded to quickly to restore service and minimize impact. This rapid response to abnormalities is made possible by taking steps in advance such as using zoning or defense in depth to limit potential impacts, setting up an incident response structure, and conducting training. We use approaches such as these to apply the zero trust model to OT.

The introduction of OT zero trust reduces the occurrence of incidents in plants and mitigates the impact of any incidents that may occur by addressing them rapidly. This minimizes control system downtime and improves system performance continuity, so it helps enhance the cyber-resilience of systems.

In Part 1 of this running feature, we focused on recent trends surrounding control system security, along with the direction Toshiba is taking with its control system security technologies. In Part 2, we will look at risk assessment technologies that improve cyber-resilience. Don’t miss it.

Up next: (Part 2) Risk assessment methods for control systems

Reference materials
[1] https://www.ipa.go.jp/security/controlsystem/ug65p900000197wa-att/000085317.pdf (PDF)(979KB)
[2] https://www.ipa.go.jp/security/controlsystem/ug65p900000197wa-att/000093825.pdf (PDF)(937KB)
[3] https://www.meti.go.jp/policy/netsecurity/wg1/factorysystems_guideline.html

• Toshiba’s Cyber Security