the advancing spread and revolution of iot security to ... · automotive & transportation...

Post on 23-Jan-2020

The advancing spread and revolution of IoT Security to support a safe and secure digital age

Industry Eco-System

With the full-blown arrival of the age of IoT (Internet of Things), the use of Internet connecting devices is rapidly expanding in factories, supply chains, automobiles, medical facilities, and even homes. IoT is expected to be active in improving labor shortages and productivity, increasing mobility, and resolving a variety of other social issues. However, connecting fields that had previously had no connection to the Internet also brings about concerns over new security risks and the expanding influence of said risks. Since the diversity of cyberattacks targeting IoT devices continues to increase rapidly, government and business organizations around the world are working on establishing security guidelines that consider the characteristics of IoT, and initiatives in each industry are becoming more active. In addition to corporations developing more IoT products, creating IoT security measures is also a pressing issue for corporate groups aiming to further digitalize their supply chains and manufacturing sites, and NEC places importance on approaching diversifying risks on an organizational scale rather than at the on-site level. This report introduces recent trends and issues, NEC's solutions intended to resolve them, and our thoughts and initiatives for contributing to the realization of a secure and safe IoT society.

Social Value Creation Report


Figure: The number of IoT devices and projected growth rates by field and industry (27 billion connected IoT devices in 2017)

• Medical: 337 million devices, 20.8% CAGR (2013-30)
• Commercial & industrial electronics: 4.3 billion devices, 24.3% CAGR (2013-30)
• Automotive & Transportation: 789 million devices, 21.4% CAGR (2013-30)
• Consumer: 5.2 billion devices, 13.8% CAGR (2013-30)
• Communications: 14.6 billion devices, 7.8% CAGR (2013-30)
• Computer: 1.7 billion devices, -2% CAGR (2013-30)

A social, industrial, and lifestyle revolution driven by IoT

Accelerating initiatives for the industrial revolution and the expansion of IoT devices

In recent years, the spread of IoT devices throughout the world has been advancing rapidly. For example, marketing research firm IHS Markit estimates that the number of connected IoT devices worldwide will jump from nearly 27 billion in 2017 to 125 billion in 2030. Furthermore, they have also estimated the growth rate in each field and industry (see the figure below). From these figures, we find that the smartphone and communications market, which includes over half of all IoT devices as of 2017, has already somewhat matured. And the projected growth rates from 2013 to 2030 show high growth rates in the following fields: commercial & industrial electronics, the field developing smart factories and smart cities (the highest growth rate at 24.3%); the automotive & transportation industry, where the spread of connected cars containing ICT device functionality is expected; and the medical field, with its expanding digital health care market. Advanced smart factories that utilize IoT to collect manufacturing floor data, analyze and visualize said data, and achieve automatic control, optimization, autonomy, and other capabilities are expected to be the main focus of the next generation of the manufacturing industry. The continued construction of ecosystems centered around smart factories will lead to the realization of mass customization (manufacturing made-to-order products), reform of existing value chains, and the creation of new business models. Various countries are also more actively working toward digitalizing their manufacturing industries.

The website explaining the German government's official Industry 4.0 strategy features more than 180 activities occurring in Germany alone (as of September 2018). Additionally, the international IoT promotion organization IIC*1, which mostly works to accelerate the adoption of the Industrial Internet, has a membership of around 260 companies and government agencies, including some Japanese corporations.

Expansion of IoT devices supporting consumer lifestyles also accelerating

In the field of mobility, initiatives for utilizing IoT to develop connected cars and autonomous vehicles are moving forward. Meanwhile in the field of smart homes, in addition to detailed energy management via HEMS, AI speakers with voice assistant functionality are rapidly gaining in popularity due to the variety of services they provide, including controlling IoT home appliances and searching for information online. And in the healthcare field, there are initiatives aiming to allow doctors to monitor their patients' healthcare data in real time by connecting medical devices with healthcare systems and enable adequate remote diagnosis. In these and other ways, IoT is expected to be useful in resolving a multitude of issues, such as by solving labor shortage troubles and increasing productivity in manufacturing, logistics, and retail, or improving mobility and reducing medical costs. However, as IoT permeates throughout society and linkage continues, we must pay close attention to the associated security risks and their range of influence.

*1 IIC: The Industrial Internet Consortium

Source: The Internet of Things: a movement, not a market, IHS Markit
* Information is not an endorsement of NEC. Any reliance on these results is at the third party's own risk. Visit technology.ihs.com for more details.


IoT security incidents in recent years

Month/Year | Incident | Case
Aug. 2016 | Mirai, a malware targeting IoT devices, first detected | Used as a Bot that performed DDoS attacks on numerous websites. Released as open-source software, subsequently resulting in the creation of multiple variants.
Dec. 2016 | Industroyer, a malware targeting circuit breakers at power plants, detected | Caused a wide-scale power outage in Ukraine.
May 2017 | Ransomware WannaCry wreaks worldwide havoc | Significantly affected the IoT (OT) environment, with many infections in the manufacturing industry being reported. Infections to security cameras also noted in Australia.
Sep. 2017 | BlueBorne, a type of vulnerability enabling the remote operation of Bluetooth devices, detected | Could affect as many as 5.3 billion Bluetooth devices, including IoT devices.
Nov. 2017 | Reaper, a malware targeting IoT devices, infects several million network devices | Unlike Mirai, which targets initial passwords, this malware uses a variety of vulnerabilities to make IoT devices into Bots.
May 2018 | Infection of VPNFilter, a malware targeting IoT devices, spreads | Over 500,000 infections reported in 54 countries worldwide.

Expanding cyberattacks: IoT systems become a new target

*2 NICTER (Network Incident analysis Center for Tactical Emergency Response): an NICT incident analysis center that performs observation, analysis, and countermeasures of cyberattacks

New methods of attack for the continuously increasing IoT devices

The year 2016 prompted a rethink of security measures for IoT systems. In the past, DDoS attacks used PCs to send packet data to a target all at once and force a server shutdown, but the entry points used for cyberattacks have expanded to include household routers, network cameras, and other IoT devices. Large-scale DDoS attacks using the malware Mirai harnessed IoT devices to knock out the services of American corporations that manage the addresses required for connecting to the Internet, making a variety of Internet services unusable one after another. Mirai made the world aware that the increase of IoT devices will be accompanied by the expansion of DDoS attacks, and a large number of variants have since been developed, with infections spreading in multiple countries. Cyberattacks targeting IoT devices show a tendency to increase alongside the increase in IoT devices themselves. According to NICTER*2 Analysis Report 2017, a surveillance record of large-scale cyberattack observation networks, published by NICT (National Institute of Information and Communications Technology), attacks on IoT devices comprised more than half of all cyberattacks in 2017, and methods of attack are becoming more sophisticated.

All IoT devices become the target of cyberattacks

In 2017, the ransomware (a type of malware that demands a ransom payment) WannaCry wreaked widespread havoc, greatly affecting even the manufacturing industry. The WannaCry attack was not aimed specifically at the manufacturing industry, but old PCs that ran unsupported OSes and were used to control production lines, along with on-site devices that received no security maintenance, were infected with the ransomware, forcing many factories to shut down. In addition, WannaCry infected digital signage at train stations, ATMs, electronic devices at retail stores, and many other IoT devices, making it clear that any IoT device could be a target of a cyberattack. Even in the promising field of connected cars, demonstrations by American researchers in 2015 showed that the brakes and other parts of automobiles could be hacked into and remotely operated, greatly shocking the automobile industry. The automobile manufacturers that were the subjects of this demonstration had to recall 1.4 million vehicles as a result. Furthermore, numerous threats to IoT devices are becoming apparent, including BlueBorne, a term for vulnerabilities affecting the Bluetooth functions used in many household IoT devices. When fields that previously had no connection to the Internet start becoming connected, completely new threats are generated. In addition to improving legislation and creating various guidelines for IoT device security, working on IoT security measures from the view of manufacturing and supply chains as a whole has become a pressing necessity for corporations.


Figure: Government and affiliate organization IoT security guidelines (regions shown: Japan, United States, Europe)

• IPA "IoT Safety/Security Development Guidelines"
• CCDS "Consumer device security guideline for each field"
• MIC/METI "IoT Security Guidelines"
• European Union Agency for Network and Information Security (ENISA) "Baseline Security Recommendations for IoT"
• Department of Homeland Security "Strategic Principles for Securing the Internet of Things"
• IIC "Industry Internet Security Framework"
• OWASP "IoT Security Guidance"

Required security measures that consider the characteristic of IoT systems

*3 IPA: Information-technology Promotion Agency, Japan
*4 JAMA: Japan Automobile Manufacturers Association, Inc.
*5 JSAE: Society of Automotive Engineers of Japan, Inc.
*6 JASPAR: Japan Automotive Software Platform and Architecture
*7 CCDS: Connected Consumer Device Security Council
*8 ISO/IEC JTC 1: International Organization for Standards / International Electrotechnical Commission Joint Technical Committee 1

Hastening security measures for IoT systems

An increase in security risks has accompanied the rapid spread of IoT devices, which connect things that were previously not connected. IoT security measures must consider the particular characteristics of IoT, requiring wholly new approaches. Furthermore, the effects of IoT vulnerabilities pose a significant danger of becoming widespread, increasing the importance of security measures not only during development, but also following release. In Japan, IPA*3 published the IoT Safety/Security Development Guidelines as a common guide for IoT security in March 2016. Based on this guide, the IoT Security Guidelines were formulated in July 2016 by the IoT Acceleration Consortium, organized as an industry-academia-government collaboration by the Ministry of Economy, Trade and Industry (METI) and the Ministry of Internal Affairs and Communications (MIC). These guidelines indicate several risks particular to IoT, including the facts that thorough monitoring of IoT devices is difficult to achieve, that equipping devices with sufficient security functionality is complicated by the limited functions and performance of IoT devices, and that connections not considered by the developers may occur. The formation of guidelines that consider the particular characteristics of IoT is underway at a variety of organizations in Japan in an effort to combat the rapid increase in cyberattacks that target IoT devices.

Additionally, in an effort to accelerate IoT security strategies, METI has established the IoT Tax System (Connected Industries Tax System), tax measures meant to support the introduction of the systems and sensors required for initiatives that improve productivity via data linkage and utilization and that adopt fixed cyber security measures.

Industries also becoming more active in IoT security initiatives

Initiatives are underway in each industry with the aim of ensuring IoT security. For example, in an attempt to improve on-board security in the automobile industry, JAMA*4, JSAE*5, and JASPAR*6 are creating policies, criteria, and standards, as well as working to formulate standardized technologies and evaluation methods. CCDS*7 is formulating guidelines in the following four fields: on-board technologies, IoT gateways, financial terminals (ATMs) and settlement terminals (POS). Efforts toward international standardization are also becoming more active, with ISO/IEC JTC 1*8/SC 27/WG 4 working toward standardization based on the IoT Security Guidelines proposed by Japan. To ensure IoT security, IoT product developers, service developers, and service providers must work together, becoming aware of supply chain vulnerabilities and creating security measures and systems, and it is important for them as well as for users to fulfill their necessary roles.


Figure: IoT/OT cyber security support services

Subject: IoT/OT devices; IoT/OT system & services
Phase: Plan/Requirement definitions; Designs; Implementations; Tests; Management/Operation
Organizations/People

Items shown in the figure:
• Cyber security consulting services
• Consulting services (Formulation of secure development/operation policies and system construction (including PSIRT))
• Employee training
• Development kit products (Lightweight cryptography, etc.)
• Consulting services (threat analysis and risk assessment) (Support for cyber security management guidelines/IoT security guidelines)
• Information provision services (IoT vulnerability information management services, etc.)
• IoT device management products
• OT network countermeasure products (Invasion prevention systems for SDN and OT)
• Consulting services (IoT design support services)
• IoT diagnosis services (source code diagnosis/vulnerability diagnosis)
• Test services (test support services, etc.)
• OT diagnosis tools (Technology for automatically identifying the risk of cyberattacks)

Total support of IoT security measures at corporations

Providing IoT/OT cyber security support services based in practice

In order for corporations to properly respond to the diversification of risks that accompany IoT, it is important that all parts of their organizations work together on security measures. However, many corporations in the manufacturing industry and others are currently just performing initiatives at the on-site level, having yet to establish companywide security systems and structures. NEC has made efforts toward Secure Development and Operations for the products, systems, and services we offer our customers, as well as constructing organizational systems of promotion for them. Accordingly, we have also responded to the increasing diversity of IoT security risks, analyzing threats to security brought on by IoT device vulnerabilities and considering measures to combat them. While understanding the situations of use, people in charge of IoT/OT*9 device design and products also established methods of identifying threats that consider both functions and operations. We are also standardizing risk assessment methods for IoT systems and specific measures required for each model case, as well as creating and utilizing checklists for confirming execution of security tasks. In addition to the requirements of international security standards and guidelines formulated by government agencies and industrial groups, these checklists reflect security measures to counter new threats in a timely manner. Through these practices, we cultivated the know-how required to provide our IoT/OT cyber security support services. These services help customers organize their security issues and support the measures to address them. In accordance with IoT security guidelines, we provide upstream security consulting to support rule creation and system building, as well as a variety of security services that support development and operation (IoT design support, vulnerability diagnosis, IoT vulnerability information management, etc.). This enables total support for constructing companywide IoT security measures, including risk assessment, operation policy formation, development, and production.

Security measures based on IoT system characteristics gain importance

When creating IoT security systems and structures for corporations, measures that consider the characteristics of IoT systems are required. In IoT systems, including industrial control systems, that are built from distributed devices with hardware resource restrictions and devices that use network connection methods other than IP communication, it is important to strengthen security measures that take the whole system into account. NEC provides products for IoT device management and OT network measures that respond to these issues, contributing to the realization of secure IoT systems on the customer's site.

*9 OT: Operational Technology


Figure: Providing security measures for devices and the edge layer with insufficient security

Area of focus:
• (1) Remote management and automation of device security settings
• (2) Access control for a variety of device connection methods
• (3) Real-time detection and handling of malfunctioning devices

Products offered:
• Device ID/key management software
• Lightweight certification encrypting product "Lightweight Cryptography Development Kit"
• Whitelist style access control/malfunction detection product IoT Device Security Manager

NEC strengths/technologies:
• Large scale ID/key/vulnerability management products and operation know-how
• Communication technology, SDN control technology
• AI technology, SDN control technology, NW quarantine/isolation technique

Other labels in the figure:
• Managed distributed devices; sites with the software installed have no ICT personnel
• Various device network connection methods; connection methods that have no security functions
• Unauthorized device connection and misoperation; device intrusion effects/range expansion
• Secure remote management; security skills not required
• Handling methods of connecting various devices to each other; high-speed processing/low loads with low resource HW
• Accuracy of malfunction evaluation and effect localization; high-speed processing/low loads with low resource HW
• Remote management; labor-saving/automation; management agent; on-site operation by untrained personnel
• Common control for a variety of connection methods by means of virtual access control
• Real-time malfunction detection/handling; detection/handling agent
• ID; Vulnerability; Policy; Key

NEC products and technologies that support IoT system security

Securely manage a variety of IoT devices and prevent unauthorized connections

NEC also develops and provides solutions for IoT security-related issues suffered by corporate groups promoting digitalization of supply chains and manufacturing sites, in addition to products to help corporations incorporate their products in IoT. Particular focus is placed on the areas of remote management and automation of device security settings, access control for a variety of device connection methods, and the real-time detection and handling of malfunctioning devices, with the aim of strengthening products and services. The device ID/key management software offered by NEC eliminates previously complicated management and setting workloads, while at the same time enabling secure management that does not require professional skill, meaning that an expert does not need to be stationed on-site. It realizes remote/automated management and configuration of the IoT device cryptography keys and digital certificates that are required for mutual authentication and encryption. These are intended to prevent unauthorized connections to IoT devices and to the IoT systems that control them, which are constructed from gateways and edges that perform distributed processing. Additionally, the Lightweight Cryptography Development Kit is provided for sensors and other devices with hardware resource restrictions, enabling encryption and tamper detection and realizing security measures over a wide range of devices, which was previously difficult to achieve.

Blocking unauthorized access to a variety of IoT devices

NEC provides IoT Device Security Manager, which can visualize and block unauthorized connections and communications to the various devices that make up an IoT system. A strong point of this software is that in addition to IP communications, it also targets connection methods that are not covered by conventional ICT system security measures (USB, Bluetooth Low Energy, etc.), visualizing the connection and communication statuses of devices and enabling access control. It is also possible to set up an "inbound" measure using a whitelist that registers the devices permitted to connect. In addition to the automatic list creation function, focused remote monitoring of the connection and communication statuses of the various distributed devices makes IoT system security management and operation easier, reducing the amount of required labor. Additionally, by incorporating this product into their IoT device systems, manufacturers can also strengthen the security of their products.


Figure: Overview of technology for automatically identifying the risk of cyberattacks

Labels in the figure: control system; virtual model construction; security manager; vulnerability information; analysis knowledge (attack implementation conditions, attack patterns, effects of successes); analysis engine; derived attack paths; attack risk analysis results; analysis using preferred conditions possible at any time.

For security to support a society that fuses the cyber world and the real world

*10 Programmable logic controller

Initiatives toward security that supports the future IoT era

NEC will provide a secure and safe environment based on our long-established "Security by Design" concept whereby we introduce security measures from the design phase. We think that NEC is capable of reducing security risks because we have the know-how from developing many different hardware and software products, and because we understand the business configurations of our customers, for whom we have constructed ICT environments for many years. Cyber security measures are not completed just by installing software or introducing systems. In order for increasingly complex IoT systems which connect more and more things to counter cyberattacks as they become more sophisticated and elaborate in response, it is important for security measures to continue strengthening systematically and dynamically.

NEC is also working on new initiatives for the IoT era. One of these is the development of a technology for automatically identifying the risk of cyberattacks, which uses simulations to create a comprehensive evaluation of cyberattack risks faced by control systems for important infrastructure, such as electricity, gas, water, and transport facilities, as well as for factories in the manufacturing industry. A virtual model is created by automatically collecting detailed system information necessary for risk analysis from actual systems, such as IT device structures and software versions/specifications, the hardware information of components peculiar to control systems (PLC*10, etc.), communication settings such as packets and protocols, and methods used for data flow and data transfer even when isolated from the network. This makes it possible to visualize the entire configuration of complicated systems and data flow, which has conventionally been difficult for even the most skilled specialists to understand. As a result, accurate and rapid comprehension of vulnerabilities for risk analysis can be realized. With this technology, attack images can be understood visually and automatically. Further, because the effectiveness of security when measures are taken can be repeatedly confirmed, potential security risks can also be detected.

NEC has been connecting people with people, people with things, and things with things, contributing to the development of a safe and prosperous society for many years. The current environment both on- and off-line is exposed to serious risks and threats. NEC will continue to utilize a comprehensive approach involving information, technology, and personnel to create a secure real world and cyber space, support industry and daily life, and lead to a better future. NEC hopes to design new social value that leverages ICT together with customers and to work toward a "Brighter World," while placing importance on the pursuit of intrinsic value for society and for customers. We welcome your comments and questions concerning the content of this report and initiatives by NEC.


Please direct any inquiries to the following contact or an NEC marketing representative.

NEC Marketing Strategy [email protected]: +81 (0)3 3454-1111 (main) http://www.nec.com/en/global/about/vision/index.html

©NEC Corporation 2019 Catalog No.19030106E

NEC Group is focusing its efforts on providing “Solutions for Society” by upgrading the social infrastructure with ICT. NEC defined six megatrends based on a structural observation of the global economy and social trends. Based on the six megatrends, NEC formulated seven themes for social value creation as its mission.

This Social Value Creation Report is issued for each of the seven themes listed above and summarizes NEC's concepts, efforts, and proposals, in addition to social issues and global trends. NEC hopes that this report can be the first step in establishing cooperative creative partnerships with customers.

Sustainable Earth

Establish a sustainable lifestyle base by utilizing limited resources effectively and taking measures to prevent damage to the global environment in order to live in harmony with the Earth.

Safer Cities & Public Services

Help emerging countries build safe and secure cities, and help developed countries mature their societies. Establish a "global" administrative service platform through joint initiatives between the public and private sectors.

Lifeline Infrastructure

Establish ICT systems that resolve disparities of area and delivery time, and build safe and efficient lines for travel, utilities, etc. that can support around-the-clock activities in society.

Communication

Build a platform for information and communications to support the distribution of information and knowledge, which becomes more important as society advances.

Industry Eco-System

Innovate a new industrial ecosystem including connection of industrial machinery with the Internet, 3D printers, crowdsourcing and reverse innovation.

Work Style

Create new work style and relationship with society in which people work together with communities and robots regardless of gender and generation.

Quality of Life

Build a diversified and equal society to support people's enriched and active lives through contributions to education, healthcare and medicine.

The names of products and companies appearing in this document are the trademarks or registered trademarks of their respective companies.