In recent years, global tensions have been rising due to factors such as the Russian invasion of Ukraine and the situation in the Middle East. Cyber-attacks related to these conflicts have also extended their targeting scope to not only the parties directly involved in conflicts but also allied nations and supporters. Cyber-attacks directed at government agencies, medical institutions, financial institutions, and manufacturing supply chains can shut down social infrastructure and cause product shortages. These can have tremendous impacts on people’s lives and develop into major social problems. These serious impacts make cyber-security an urgent business challenge for companies. In this running feature on control system security, we will learn about control system security trends and Toshiba’s initiatives to improve the cyber-resilience of social infrastructure and plant control systems.

In Part 1, we looked at the risks and regulatory trends surrounding security for control systems, along with the direction Toshiba is taking with its security technologies. In Part 2, we discussed the methods used to conduct risk assessment for social infrastructure and plant control systems. Here, in Part 3, we will explain the initiatives used to verify both the attack and defense sides of industrial control system security. This is made possible by the use of emulation environments that leverage the strengths of Toshiba as a developer and supplier of control systems.


The difficulties involved in evaluating the security of ICSs


As we explained in Part 1, Toshiba’s aim is to produce “cyber-resilience”—that is, preparing for incidents, minimizing their impact, rapidly recovering, and continuing business operations. In general, the risk of information leakage is treated as the greatest risk to information systems. On the other hand, the industrial control systems (ICSs) used in social infrastructure or plants need cyber-resilience that takes into consideration requirements of these systems that set them apart from information systems, such as the need to ensure safety and to prevent operations from being affected.

There have been cases of cyber-attacks on ICSs resulting in large-scale power outages, attempted contamination of the water supply, and shutdowns of production lines. These attacks have caused significant real-world damage, such as endangering the safety of people’s daily lives, costing companies tens of billions of yen, and harming companies’ business continuity[1]. Because of this, we are working to develop technologies for providing cyber-resilience that takes into consideration the requirements of ICSs. One of the major challenges in developing ICS security technologies is verifying their effectiveness. This is because actual systems in operation cannot be used to conduct technical evaluations. In evaluating security technologies developed for information systems, it is common to apply the technologies to portions of system environments that are in actual use, or to use test environments that are equivalent to the actual systems. However, with ICSs, it is vital to avoid the risk of impacting people’s lives or customer business—that is, actual operations. That makes it difficult to evaluate the effectiveness of developed technologies by emulating attacks on systems that are in operation.


Security verification using ICS testbeds


To solve the problems involved in verifying the effectiveness of these technologies, we build emulation environments that are equivalent to actual ICSs. We can do this thanks to the experience and expertise we have cultivated over the years by supplying the national government and corporations with a wide variety of ICSs, such as power plants and transformer substation systems. By using these emulation environments (ICS testbeds), we can verify products and services related to ICS security, research and develop new technologies, and train security personnel, all without affecting people’s lives or customer business.

ICS testbeds are being used in technical verification projects aimed at elevating the level of security monitoring services for ICSs[2]. We have created environments for four fields: substation systems, thermal power generation systems, virtual power plants (VPPs), and water and sewage systems (Fig. 1).

When verifying the effectiveness of technologies in emulation environments such as ICS testbeds, you want to ensure that the verification results do not differ significantly from the results that would be produced in real-world environments. In general, when conducting verification, simulators are better than theoretical calculations*1, emulators are better than simulators*2, and actual customer environments are better than emulators at producing verification results that are more accurate and closer to real-world results. Our ICS testbeds are emulators*3 that use software and hardware equivalent to those used in actual customer environments to better emulate those environments. Initiatives using environments that emulate these actual ICSs are being carried out by the Control System Security Center (CSSC) and the Industrial Cyber Security Center of Excellence (ICSCoE), part of the Information-technology Promotion Agency, Japan (IPA)[3][4]. We are collaborating in two of these initiatives to improve the security of social infrastructure as a whole.

*1: In this article, a “simulator” is defined as a system that only performs simulation on a virtual model and does not replicate actual attacks or communications.
*2: In this article, an “emulator” is defined as a system that physically emulates another system and replicates actual attacks and communications.
*3: When it is not possible to use actual equipment, such as a massive turbine, mock devices or simulators may sometimes be used in their place.

We split up our verification personnel into an attack team (red team) and a defense team (blue team) and verify the effectiveness of security-related technologies and measures using ICS testbeds. The red team deliberates and verifies attacks that achieve an attacker’s objective of causing damage to the target’s ICS. The team identifies each type of potential damage that could be caused and investigates the methods of attack that could cause that damage and the potential attack surface. The team also verifies whether those attacks would actually be feasible. The blue team, on the other hand, deliberates and verifies methods of defending ICSs from diverse attacks. In addition to cyber-attacks, it also investigates, from the perspective of an ICS developer or operator, whether or not various security measures and responses would affect ICS operation or safety (Fig. 2).


The activities of the red and blue teams, essential for verification


First, let’s look at what the red team does. Defending an ICS from an attacker requires knowledge of as many cyber-attack vectors as possible. This is because in recent years there has been a rise in the number of cases in which attackers perform a chain of multiple attacks, such as those in a cyber kill chain[5], to achieve their ultimate goal of stealing information or denying service. Red teams are needed to deliberate attack scenarios from the perspective of an attacker. An attack scenario refers to a series of attack methods and attack paths that lead from the entry point to the final damage. Additionally, red teams need the knowledge to deliberate attack methods and attack goals that take into account the specific characteristics of ICSs. To do so, it is vital that the red team is knowledgeable about the latest cyber-attack trends and has a high level of skill and know-how regarding ICS security. That is why our researchers and engineers—security experts who are well-versed in trends and technologies—are members of these red teams.

Red teams are using the knowledge they gain through these activities in a growing number of ICS development sites. The Toshiba Group develops a wide range of products and systems, supplying them to customers. Efficiently investigating potential attacks on all Toshiba products and systems is a vital task for ensuring their safety and security.

We are currently researching and developing methods for automated attack path planning and validation based on attackers’ perspectives and the characteristics of ICSs. This is being done by leveraging the expertise of red teams and detailing processes for investigating the ICS attack scenarios thought up by attackers. Specifically, we are automatically generating attack scenarios based on system configuration and vulnerability information and, when it is possible within these scenarios to use existing attack modules, performing these attacks automatically to investigate the strength of system security. We are researching and developing these technologies under the theme of “cyber-attack emulation technologies.”[6]

Engineers who develop products and systems can use ICS testbeds with these technologies to evaluate security measures from an attacker’s perspective. Furthermore, by building up hands-on experience with ICS security, we aim to develop an even higher level of ICS security experts.
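
The following sketch shows how attack scenarios can be generated from system configuration and vulnerability information, and how a defender can measure which single fix removes the most scenarios. It is an added example, not Toshiba's technology or code; the topology, host names and VULN-* identifiers are constructed placeholders.

```python
# Constructed testbed model (assumption): directed reachability between
# hosts, as it would be read from a system configuration.
REACHABLE = {
    "internet": ["office_pc"],
    "office_pc": ["historian", "eng_workstation"],
    "historian": ["hmi"],
    "eng_workstation": ["hmi", "plc"],
    "hmi": ["plc"],
    "plc": [],
}
# Constructed vulnerability information: host -> placeholder weakness IDs
# that would let an attacker gain a foothold on that host.
WEAKNESSES = {
    "office_pc": ["VULN-A"],
    "historian": ["VULN-B"],
    "eng_workstation": ["VULN-C"],
    "hmi": ["VULN-D"],
    "plc": ["VULN-E"],
}

def attack_scenarios(entry, target, fixed=frozenset()):
    """Enumerate loop-free paths from entry to target in which every hop
    lands on a host that still has at least one unfixed weakness."""
    scenarios = []

    def walk(node, path):
        if node == target:
            scenarios.append(path)
            return
        for nxt in REACHABLE.get(node, []):
            usable = [w for w in WEAKNESSES.get(nxt, []) if w not in fixed]
            visited = nxt == entry or any(h == nxt for h, _ in path)
            if visited or not usable:
                continue
            walk(nxt, path + [(nxt, usable[0])])

    walk(entry, [])
    return scenarios

def rank_fixes(entry, target):
    """For each weakness, count the scenarios left after fixing it alone."""
    ids = sorted({w for ws in WEAKNESSES.values() for w in ws})
    return {w: len(attack_scenarios(entry, target, frozenset([w]))) for w in ids}

if __name__ == "__main__":
    for s in attack_scenarios("internet", "plc"):
        print(" -> ".join(f"{h}[{w}]" for h, w in s))
    print(rank_fixes("internet", "plc"))
```

A fix that leaves zero scenarios is a choke point on every path; fixes that leave some scenarios show where a second layer of defense is still needed.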

Next, let’s look at what the blue team does. The blue team investigates and verifies measures for identifying and protecting against the attack surface of sequences of cyber-attacks thought up by the red team, for rapidly identifying and responding to attacks, for minimizing their impact, and for quickly recovering from them. Conducting verification for sequences of attacks is also important in verifying the effectiveness of defense in depth. In addition to this, the blue team is also responsible for verifying the impact on ICS operation and safety that results from implementing security measures for protecting ICSs and from responding to incidents by taking steps such as disconnecting networks.

Specifically, the blue team embeds Toshiba security solutions and the security solutions of startups with cutting-edge technologies in ICS testbeds and evaluates those solutions. For example, the blue team embeds an intrusion detection system for ICSs in the environment and investigates rules and configurations that would enable it to accurately detect cyber-attacks. By doing this, we are developing methods for determining, with a greater level of accuracy, whether ICS behavior that is out of the ordinary is non-problematic or is abnormal behavior caused by a cyber-attack. ICS testbeds are used to launch attacks on new security-related products and services with plans for future commercial release to verify that they provide the benefits expected of them.


Achieving cyber-resilience through hands-on evaluation and verification


In this way, we use our ICS knowledge to create ICS testbeds that make it easy to verify security-related solutions and technologies for ICSs whose real-world environments are not well-suited to verification. These environments, which have evolved as a result of our ongoing security initiatives, have become spaces where we can efficiently and effectively evaluate sequences of attacks from the perspectives of attackers, taking into consideration the characteristics of ICSs. In addition, building up a track record of these evaluation projects has also made them spaces for effectively nurturing security experts. They are also helping accelerate our technology development. Toshiba aims to establish cyber-resilience capable of dealing with any contingency by using these ICS testbeds to develop highly secure ICS solutions and services.

In this part, we discussed the difficulties presented by security measures for ICSs, along with security verification using ICS testbeds. In Part 4, the last part of this running feature, we will turn our eyes to the Industrial Control System - Security Operation Center (ICS-SOC), which provides remote cyber-attack monitoring.

 

Reference materials
[1] Supplementary Materials for Guide to Control System Security Risk Analysis: “Examples of Control System-related Cyber-incidents” Series | Information Security | Information-technology Promotion Agency (IPA)
[2] https://www.global.toshiba/content/dam/toshiba/jp/technology/corporate/review/2022/03/a04.pdf
[3] https://www.css-center.or.jp/en/index.html
[4] https://www.ipa.go.jp/icscoe/index.html
[5] https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
[6] https://www.toshiba-clip.com/en/detail/p=2688

OOYA Toshiharu

Specialist
Security Technology Dept., Cyber Security Technology Center, Toshiba Corporation

Specialist
Cyber Security Services Group 1, Cyber Security Business Promotion Dept., Digital Engineering Center, Toshiba Digital Solutions Corporation


As an expert on cyber-security technologies for control systems, OOYA Toshiharu is engaged in the development of security technologies in Toshiba and is responsible for product planning, design, and more, including issuing proposals to customers, at Toshiba Digital Solutions.

AOKI Satoshi

Specialist
Security Research Dept., Cyber Security Technology Center, Toshiba Corporation
Member of the Institute of Electronics, Information and Communication Engineers, Registered Information Security Specialist (Registration No. 010900), Certified Information Systems Security Professional (CISSP), Industrial Cyber Security Expert


Since joining Toshiba, AOKI Satoshi has been involved in the research and development of vulnerability detection technologies, cyber-attack technologies, and security evaluation platform technologies, with the aim of improving the security of control systems. He has completed the Core Human Resource Development Program offered by the Industrial Cyber Security Center of Excellence, part of the Information-technology Promotion Agency, Japan (IPA).

  • The corporate names, organization names, job titles and other names and titles appearing in this article are those as of August 2024.
  • All other company names, product names, and function names mentioned in this article may be trademarks or registered trademarks of their respective companies.
