In recent years, global tensions have been rising due to factors such as the Russian invasion of Ukraine and the situation in the Middle East. Cyber-attacks related to these conflicts have also extended their targeting scope to not only the parties directly involved in conflicts but also ally nations and supporters. Cyber-attacks directed at government agencies, medical institutions, financial institutions, and manufacturing supply chains can shut down social infrastructure and cause product shortages. These can have tremendous impacts on people’s lives and develop into major societal problems. These serious impacts make cyber-security an urgent business challenge for companies. In this running feature on control system security, we will learn about control system security trends and Toshiba’s initiatives to improve the cyber-resilience of social infrastructure and plant control systems.

In parts one to three of this running feature, we explained the approach Toshiba is taking to security technologies and its risk assessment methodology ideals. We also explained the attack and defense verification testing that Toshiba performs using emulation environments developed in-house. In this, the fourth and final part of the running feature, we will discuss the key points of security operations, which monitor and analyze security for control systems.


Why are security operations necessary for industrial control systems?


As explained in the previous articles, advances in the use of the IoT and digital transformation (DX) in industrial control systems (ICSs) have resulted in the manufacturing industry and social infrastructure being targeted by cyber-attacks. So how can we protect ICSs from these increasingly common cyber-attacks? Many companies are already dealing with this threat by deploying security products. Once deployed, the next vital element is operation. Even if security products are installed in a system, if they are not operated correctly, the threats they detect could be overlooked, and the systems they are supposed to protect could be damaged. It is important that when security products detect threats and issue alerts, staff can quickly become aware of these alerts, make appropriate decisions, and deal with the issues. In other words, security operations are critical.


The features of security operations in ICSs and how they differ from those in information systems


First, let us note the features of ICSs which are critical to their security operations. If the ICSs responsible for plant production lines or social infrastructure are stopped, this can have a major impact on business or on society itself. Because of that, even when threats are detected, systems often need to be kept in operation. One of the notable features of ICSs is the emphasis placed on availability. For information systems, on the other hand, emphasis is placed on confidentiality. When a threat is detected, systems and functions are often shut down to prevent information from being leaked.

Due to the high prioritization of availability—that is, due to the fact that shutting down systems is not a feasible approach—it can be difficult to apply patches and update operating systems. This is another distinctive feature of ICSs. Even if a system can be shut down, the changes made to the system could affect future system operation, so often changes are kept to a minimum. As a result, it is not uncommon for systems to be kept in operation without applying patches to protect against vulnerabilities and while using old OS versions (Fig. 1).

Because of these characteristics, it is important that security measures for ICSs preserve system availability while protecting the systems from threats. In other words, ICS security operations must focus on keeping the systems available in the face of threats.


Key points regarding security operations for ICSs


So how can system owners implement availability-focused security operations?

As mentioned earlier, simply deploying security products in ICSs is not enough. Responding to cyber-attacks, which could happen at any time, requires security operations that include becoming aware of the cyber-attacks through alert emails for threats that have been detected by security products and through system log monitoring. These security operations also include triage (prioritization) and analysis in order to make appropriate decisions regarding the threats and how to best deal with them. Let’s look at the five key elements of the security operations of triage and analysis.

Element 1: Alert overviews

An alert overview states what latent threat a security product has detected and recommends that the threat be dealt with. The alert classification information defined by the security products deployed in the ICS is checked, and the threat type and severity are evaluated from it.

Element 2: Number of alerts

This information indicates how often threats are detected. The number of alerts is compared against the number of alerts that are issued during normal operation, when there are no cyber-attacks, to analyze whether large volumes of alerts are being received in short periods of time or if there is a high number of alerts that are of a different type than the alerts that are normally received.

Element 3: Alert dates/times

This information indicates when the threat alerts were issued. It is used to analyze if the alerts are being issued on different days or at different times than normal, if the alerts are being received outside of business hours, if the alerts are being issued in regular intervals, or the like.

Element 4: Senders/recipients

This information indicates where communications identified as threats are coming from (senders) and what might be affected by them (recipients). The devices that detect the threats and the targets of the threats are identified, and asset information is used to determine if those devices are managed devices.

Element 5: Ports

This information indicates what ports are being used by the threats. The ports being used in communications are identified and asset information is used to determine what applications use those ports and whether or not those applications are permitted for use in business operations.
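The five elements above can be applied mechanically as a first-pass triage before an analyst looks at the console. The following script is an added example, not code from the article or from Toshiba IT-Services: it parses a handful of constructed alert lines, and for each alert checks the count against a per-type daily baseline (element 2), the time of day and whether alerts from the same source repeat at a regular interval (element 3), whether sender and recipient appear in the asset inventory (element 4), and whether the port is one permitted for operations (element 5), then combines those findings with the product's own severity (element 1) into a priority. The log format, asset list, baseline figures, business hours and permitted-port table are all assumptions chosen for the example.

```python
"""First-pass ICS alert triage applying the five elements: alert overview
(type/severity), alert count vs. baseline, alert timing, sender/recipient
vs. asset inventory, and ports vs. permitted applications."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# --- Constructed sample data (hypothetical addresses and counts) ---------
ALERT_LOG = """\
2024-10-01T02:15:00 type=scan severity=medium src=10.0.9.77 dst=10.0.1.10 port=502
2024-10-01T02:20:00 type=scan severity=medium src=10.0.9.77 dst=10.0.1.11 port=502
2024-10-01T02:25:00 type=scan severity=medium src=10.0.9.77 dst=10.0.1.12 port=502
2024-10-01T10:05:00 type=policy severity=low src=10.0.1.20 dst=10.0.1.10 port=502
2024-10-01T11:40:00 type=malware severity=high src=10.0.1.20 dst=10.0.1.30 port=445
"""

# Asset inventory: address -> managed device name (element 4)
ASSETS = {
    "10.0.1.10": "PLC-01", "10.0.1.11": "PLC-02", "10.0.1.12": "PLC-03",
    "10.0.1.20": "HMI-01", "10.0.1.30": "EWS-01",
}
# Ports whose applications are permitted in operations (element 5)
PERMITTED_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 80: "HTTP (HMI web UI)"}
# Typical alerts per day during normal operation, per alert type (element 2)
BASELINE_PER_DAY = {"scan": 1, "policy": 3, "malware": 0}
BUSINESS_HOURS = (time(8, 0), time(18, 0))          # element 3
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}  # element 1


def parse_alert(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    alert = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        alert[key] = int(value) if key == "port" else value
    return alert


def is_regular_interval(timestamps, tolerance=timedelta(seconds=5)):
    """True when three or more alerts are spaced at (nearly) equal intervals,
    which usually indicates automated rather than human activity."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    return all(abs(d - deltas[0]) <= tolerance for d in deltas)


def triage(lines):
    """Return one finding per alert with the reasons it stands out and a priority."""
    alerts = [parse_alert(l) for l in lines if l.strip()]
    per_type = defaultdict(list)            # element 2: volume per alert type
    per_source = defaultdict(list)          # element 3: timing per (type, sender)
    for a in alerts:
        per_type[a["type"]].append(a)
        per_source[(a["type"], a["src"])].append(a["ts"])

    findings = []
    for a in alerts:
        reasons = []
        # Element 2: compare today's count with the normal-operation baseline
        count = len(per_type[a["type"]])
        baseline = BASELINE_PER_DAY.get(a["type"], 0)
        if count > 2 * baseline:
            reasons.append(f"{count} '{a['type']}' alerts vs. baseline {baseline}/day")
        # Element 3: outside business hours, or repeating at fixed intervals
        start, end = BUSINESS_HOURS
        if not (start <= a["ts"].time() < end):
            reasons.append("outside business hours")
        if is_regular_interval(per_source[(a["type"], a["src"])]):
            reasons.append("repeats at a regular interval (automated activity)")
        # Element 4: are sender and recipient managed assets?
        for role in ("src", "dst"):
            if a[role] not in ASSETS:
                reasons.append(f"unmanaged {role} {a[role]}")
        # Element 5: is the port used by an application permitted in operations?
        if a["port"] not in PERMITTED_PORTS:
            reasons.append(f"port {a['port']} not permitted for operations")
        # Element 1: product severity plus one point per anomaly -> priority
        score = SEVERITY_SCORE.get(a["severity"], 0) + len(reasons)
        priority = "P1" if score >= 5 else "P2" if score >= 3 else "P3"
        findings.append({
            "ts": a["ts"].isoformat(), "type": a["type"],
            "src": ASSETS.get(a["src"], f"unknown({a['src']})"),
            "dst": ASSETS.get(a["dst"], f"unknown({a['dst']})"),
            "score": score, "priority": priority, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(ALERT_LOG.splitlines()):
        print(f"{f['priority']} {f['ts']} {f['type']:8} {f['src']} -> {f['dst']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed data the three night-time scans from an unmanaged address come out as P1 because four of the five checks trigger at once, the daytime policy alert between two managed devices stays P3, and the single malware alert is P1 on severity plus an unexpected type and an unpermitted port. The thresholds are deliberately simple; the point is that each element contributes a separately explainable reason an analyst can confirm against the product console and asset records before anything is escalated to the FSIRT.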


The need for coordination between ICS-SOCs and FSIRTs to ensure ICS availability


These five elements are simply some of the key elements of triage and analysis for security threats. It is also important to note that individual sites will have their own security policies, so the way they handle matters will differ. Furthermore, the information received from alert emails and system logs is sometimes not sufficient on its own for threat analysis. In cases such as these, system administrators must use security product consoles (control panels) to check detailed information, they must capture and analyze network communication packets to aid in further investigation, and they must identify the nature of threats.

These security-related monitoring and analysis operations are sometimes performed by information systems departments. However, due to the growing prevalence of cyber-attacks and the need to protect systems from them, in recent years a rising number of companies have been creating security operation centers (SOCs) as internal organizations specializing in security operations. In SOCs, dedicated expert staff monitor systems and networks and gather related threat information. In addition, they perform triage for detected threats and carry out detailed, security-oriented analyses that encompass the types and natures of threats, the scale and frequency of attacks, incident timelines, and gaps between this information and asset information.

SOCs for control systems are called Industrial Control System SOCs, or ICS-SOCs. Based on analysis results, ICS-SOCs report security threats to Factory Security Incident Response Teams (FSIRTs). FSIRTs are specialized organizations in each factory that respond to security threats. They are responsible for implementing security measures in factories to maintain their productivity and safety. They are also responsible for minimizing the damage caused by incidents such as cyber-attacks. ICS-SOCs and FSIRTs work together to deal with security threats and ensure system availability (Fig. 2).


Security operation services for ICSs


Toshiba IT-Services offers security operations services for control systems that perform security monitoring and analysis and provide three types of support for dealing with security risks* (Fig. 3). They reduce the security risks posed to customers’ system environments and help raise their security levels.

* The security operations services for ICSs are jointly operated by Toshiba IT-Services Corporation and Toshiba Digital Solutions Corporation.

Support 1: Asset identification and visualization

ICS networks often include assets such as servers, network devices, and client devices that go for long periods of time without use. When these assets are recognized as threats, in the form of newly connected, unknown devices, a response is required. Our services analyze communications conditions and captured packet data to evaluate and report on these assets which have been detected as threats. This assists with asset identification and visualization by identifying assets to be protected.

Support 2: Network visualization

When implementing security measures, it is important to understand the assets on the network and the security risks that apply to each of these assets, and to decide on how to prioritize measures. However, in system environments which have many different types of assets and thus are not thoroughly managed, this can be a difficult process. Our services utilize analyses of communications conditions and captured packet data to clarify the relationships between assets and applications. Based on this, they evaluate and report on the importance of individual assets, given their security risks. This assists with implementing security measures by prioritizing them correctly.

Support 3: Review and revision of response policies

ICS-SOCs and FSIRTs coordinate with each other to deal with threats detected by security products. In doing so, the ICS-SOC takes into consideration the scope of the threat’s impact (the assets involved), the scale of the security risk, operation prioritization, and the like, and it provides proposals on changes to monitoring alert response approaches. Reviewing and revising response policies improves the efficiency of ICS-SOC response processes and enables faster and more accurate response while also helping increase the operational efficiency of the FSIRTs.

Personnel with advanced expertise are essential when setting up an ICS-SOC. It is also important to maintain the operation structure. This places both operational and financial burdens on system owners. This is why we offer security operations services for control systems that leverage the Toshiba Group’s extensive experience from its domestic and overseas sites, its experience with setting up and operating 24/365 operation systems for government agencies and manufacturing companies, and its track record of dealing with the latest forms of cyber-attacks in various sites (Fig. 4).

Customers have wide-ranging control system security needs. We offer detailed security operations tailored to customer needs, including security response in closed networks which are only accessible to limited pools of users, such as within a company or organization, and full-time on-site response in customer factories and business sites nationwide. Please consult with Toshiba IT-Services regarding your ICS-SOC needs.


Reference material

* Fig. 1 Information-technology Promotion Agency (IPA) "Security risk assessment guide for industrial control systems, 2nd edition" (Japanese version) (March 2023)
https://www.ipa.go.jp/security/controlsystem/ssf7ph00000098vy-att/000109380.pdf (PDF)(6.98MB)

SAITO Wataru

Specialist
Security and Network Service Promotion Division 
Toshiba IT-Services Corporation

CEH (Certified Ethical Hacker)
CHFI (Computer Hacking Forensic Investigator)


After joining Toshiba IT-Services Corporation, SAITO Wataru was involved in technical support and maintenance operations for customer server and network devices. He is currently applying this experience to the ICS security field.

ABE Kazuma

Security and Network Service Promotion Division
Toshiba IT-Services Corporation

Registered Information Security Specialist (Registration No. 023700)
CEH (Certified Ethical Hacker)


After joining Toshiba IT-Services Corporation, ABE Kazuma was involved in network operations and security operations related to customer systems. He is currently applying this operational experience to the ICS security field.

  • The corporate names, organization names, job titles and other names and titles appearing in this article are those as of October 2024.
  • All other company names or product names mentioned in this article may be trademarks or registered trademarks of their respective companies.
