
The Cyber/Physical Security

Framework (Draft)

Cyber Security Division

Commerce and Information Policy Bureau

Ministry of Economy, Trade and Industry


Table of contents

Preface – Settling on the Cyber/Physical Security Framework
1. Introduction - Changes of Scenery over Cyber Security ......... 1
1.1. Society realized by "Society5.0" and "Connected Industries" ......... 1
1.2. Increase of threats from cyber attacks ......... 4
2. Concept of the Cyber/Physical Security Framework ......... 6
2.1. Purpose of developing the framework ......... 6
2.2. Concept of the framework structure ......... 7
2.3. Structure of the framework ......... 11
3. The Cyber/Physical Security Measures ......... 12
3.1. [The First Layer] Security measures for connections between companies (conventional supply chains) ......... 12
3.2. [The Second Layer] Security measures for connections between physical and cyber spaces ......... 33
3.3. [The Third Layer] Security measures for connections in cyber space ......... 61
4. Toward Establishing Trust ......... 92
4.1. Concepts of securing the trust in framework ......... 92
Appendix A: Reference Document List ......... 93
Appendix B: Comparison with Major International Standards ......... 97
Appendix C: Glossary ......... 105


Preface – Settling on the Cyber/Physical Security Framework

The Government of Japan proposes the realization of a super smart society named "Society5.0", which provides products and services that closely meet various needs and which delivers both economic development and solutions to social challenges by highly fusing cyber space and physical space. Furthermore, we, the Ministry of Economy, Trade and Industry (METI), propose a concept named "Connected Industries", which creates new added value toward "Society5.0" based on "connections" between various data, and we are now promoting various actions to realize this concept.

In "Society5.0", cyber attacks will have more impact on physical space than before, because cyber space is more closely involved with physical space. The progress of networking such as "Connected Industries" will increase the opportunity to create new added value by enabling a more flexible and dynamic supply chain configuration than the conventional one. From the perspective of cyber security, however, it widens the scope that must be protected from the defender's point of view, while it increases the number of attack points from the attacker's point of view. Since an attacker can intrude into a network by finding only one point of weak security, network intrusion is becoming easier than before.

In these circumstances, the effectiveness of security measures taken by only one company is limited. Therefore, in addition to considering cyber security from the planning/design phase of each product and service (security by design), each company needs to tackle cyber security measures for the whole supply chain, including affiliates and business partners, taking into consideration the resilience of business activities and the security of data circulation, which are difficult for an individual entity to strictly control.

In this framework we organize common security measures for all industries in "Society5.0" by classifying them into three categories: "connections between companies (conventional supply chain)", "connections between physical space and cyber space", and "connections in cyber space". For each category we describe what should be protected, what the security risks are, and what the specific measures against them are.

The framework shows common security measures for all industries in "Society5.0", but the important assets to be protected, the human and financial resources available, and/or the allowable risk level differ between industries and/or companies. Therefore, please make good use of the framework to estimate threats and risk scenarios, conduct a risk assessment, and implement specific measures according to each actual situation.


1. Introduction - Changes of Scenery over Cyber Security

1.1. Society realized by “Society5.0” and “Connected Industries”

While practical use of networking and IoT (Internet of Things) is advancing around the world, public and private sectors are beginning to cooperate in making advanced use of IT in the field of manufacturing in order to lead the revolutionary change of "The Fourth Industrial Revolution", as with "Industry 4.0" in Germany. In Japan as well, in "The 5th Science and Technology Basic Plan" approved at a Cabinet meeting on January 22, 2016, the Government of Japan (GOJ) proposes the realization of a super smart society named "Society5.0", which provides products and services that closely meet various needs and which delivers both economic development and solutions to social challenges by highly fusing cyber space and physical space. Furthermore, we, the Ministry of Economy, Trade and Industry (METI), need to develop a new industrial structure to realize "Connected Industries", which creates new added value toward "Society5.0" based on various connections.

Figure 1 – Illustration of the cyber space and the physical space [1]

[1] This illustration was made based on the report by the Ministry of Economy, Trade and Industry named "The 2015 infrastructure for computerization and a shift towards the service industry of the economic society in Japan (the research for implementation of CPS (cyber physical system) in the water utilities)".


"Society5.0" is a new society which follows the hunting society (Society 1.0), the agricultural society (Society 2.0), the industrial society (Society 3.0), and the information society (Society 4.0).

In the information society (Society 4.0), the sharing of necessary knowledge and information was insufficient, so it was difficult to create new value, and it was also difficult and burdensome to find the necessary information in huge amounts of data and analyze it.

In the society realized by "Society5.0", all people and things are connected by IoT, various knowledge and information are shared, and new value is born through analysis of those data. Moreover, "Society5.0" frees humans from burdensome work such as analyzing huge amounts of information by means of Artificial Intelligence (AI). "Society5.0" is not a society where economic and organizational systems are prioritized, but a human-centered society in which AI, robots, etc. support the work that humans have done so far and provide the necessary items and services to the people who need them, when necessary and in the necessary amount.

Figure 2 - Illustration of the society realized in "Society5.0" [2]

In "Society5.0", the supply chain, which is a series of activities to create added value, mainly by companies, will also change its form. The existing supply chain was a stereotyped, linear structure in which a series of activities was strictly planned and designed, the necessary parts and services were procured on that basis, assembled and processed, and the final products and services were provided in a fixed and stable manner. In "Society5.0", however, the necessary items and services are provided to the people who need them when they are needed, and the starting point of the series of activities to create added value is no longer fixed as planned and designed by suppliers. Increasingly, consumers themselves become the starting point of added value creation activities. The existing activities will change into added value creation activities in which the contents of the activity are changed mid-way in response to changes in the "necessity" set at the start of the series, or in which new activity is incorporated when more effective information is obtained. In contrast to the conventional stereotyped and linear supply chain, these changed supply chains need to be understood as the "Society5.0" type supply chain.

[2] The illustration is quoted from the introduction of "Society5.0" by the Cabinet Office. http://www8.cao.go.jp/cstp/english/society5_0/index.html


1.2. Increase of threats from cyber attacks

In the "Society5.0" society (human-centered society) realized by IoT, AI and so on, the starting points for cyber attacks increase and the range of cyber risk expands because supply chains are connected in complex ways. Furthermore, the risk of cyber attacks reaching physical space increases dramatically because cyber space and physical space are highly fused. As the process of digitizing information obtained from IoT and the delivery of the massive amounts of data created are emerging as new attack points in cyber space, security measures that support the accuracy, circulation, and coordination of large quantities of data are also an important issue.

Figure 3 – Illustration of connections between components and data and others in Society5.0
(Labels in the figure: "A large quantity of data circulation: importance of data management increases"; "Fusion of physical and cyber: cyber attacks reach physical space; assume attacks on cyber space invading from physical space; intervention in information conversion between physical and cyber"; "Supply chains connected complicatedly: attack points expand")

In fact, a case has been reported in which data at a European company was infected with ransomware, the infection then infiltrated a domestic company in Japan via the supply chain and spread further, and some operations stopped as a result.

Furthermore, in other countries, the necessity of protecting IoT and ICSs (Industrial Control Systems) through supply chain management is becoming widely recognized. In the United States, revised draft versions of the NIST [3] Cybersecurity Framework, which NIST developed in February 2014 to provide a perspective on cyber security measures especially for critical infrastructure, were published in January 2017 and December 2017. In these documents, a description of supply chain risk management was added as a specific precaution, requiring preventive measures to be implemented across the whole supply chain and audits to be conducted as needed.

[3] National Institute of Standards and Technology


2. Concept of the Cyber/Physical Security Framework

2.1. Purpose of developing the framework

Toward the realization of "Society5.0" and "Connected Industries", it is necessary to cope with the increase in the threat of cyber attacks that follows the changes in industrial structure and society, and to start preparing for it right now. Therefore, we organized all the security measures needed in industry and decided to develop "The Cyber/Physical Security Framework" for use by industries.

The expected effects and features of utilizing this framework are as follows.

1. Expected effects in each company utilizing this framework

・ Ensuring the security needed for realizing "Society5.0" and "Connected Industries"

・ Strengthening competitiveness by turning the security quality of products and services into a differentiating factor (value)

2. Features of this framework

[1] It can be utilized at the operational level of the security measures implemented in each company
It should include not only the concepts our society should aim at, but also contents that each company can utilize when implementing security measures.

[2] It makes the relation between the necessity of security measures and their costs understandable
It should include contents that allow the companies forming the whole supply chain, including small and medium-sized enterprises, to picture the balance between the expected risks and the costs of the necessary measures and to actually take those measures. It should contribute to cost reduction without lowering the security level. It should also include consideration of the risk-scenario-based concept.

[3] It realizes international harmonization
It should incorporate trends in foreign nations and include contents that ensure consistency with major certification systems in the U.S. and Europe, including ISMS and the NIST Cybersecurity Framework, and promote mutual recognition, so that Japanese security measures for products and services are accepted by other countries in global supply chains.


2.2. Concept of the framework structure

- for adaptation to the "Value Creation Process" of “Society5.0” type supply chain

In "Society5.0" (human-centered society) and "Connected Industries", realized by IoT with everything connected and by AI creating intelligence from data, the processes for producing products and services (supply chains) will take an atypical form due to their various connections, different from the conventional stereotyped and linear one.

In this framework we define the "Society5.0" type supply chain as the "Value Creation Process" to distinguish it from the conventional supply chain, and show the security guidance required for the supply chain concept extended by "Society5.0" and "Connected Industries".

The framework can be used as a guide that views the industrial society in which people act for value creation as consisting of the three layers and six elements described below, comprehensively sorts out the key security points, and copes with them.

◆ Three layers

In the value creation process, IoT digitalizes information in physical space and takes it into cyber space, beyond the area where added value is created by reliable inter-company connections in the conventional supply chain. Such data circulates freely in cyber space, so that various data can generate new data and create new added value. Newly created data in turn produces physical products and services in physical space through IoT. Therefore, in the value creation process, this whole series of activities for new added value needs to be considered.

In order to accurately identify the security risks of the value-creating activities arising from the extension of the conventional supply chain's scope of activity, and to show the management policy, the area where the value creation process occurs is organized into a three-layer structure as follows.

First layer - Connections between companies (conventional supply chains)
Second layer - Connections between physical space and cyber space
Third layer - Connections in cyber space

◆ Six elements

In order for the framework to be utilized at the operational level, it is necessary to clarify the elements involved in the value creation process and to show guidelines on what kind of security measures should be taken for each element.

Therefore, the following elements involved in the creation of added value are defined for the value creation process:

- Organization, people, component, data, procedure, system


Figure 4 - Three layers of the industrial society where value creation processes unwind


Significance of the three-layer approach

Each layer has its own function and role that must be secured in the value creation process.

For example, the value creation process will not be effective unless the following are secured in each layer:

- Products, etc. produced in the first layer – whether a trustworthy company supplies the specified products and services through trustworthy production activities.

- Data obtained by sensors, etc. in the second layer – whether IoT devices such as sensors correctly digitize information in physical space and correctly "transcribe" it into cyber space.

- Data provided by data analysis, etc. in the third layer – whether trustworthy data, which has not been falsified in the collection process and has been edited in an appropriate manner, can be utilized.

In the framework, we show the policies for coping with issues in consideration of the features of the value created in each layer.

Figure 5 - Significance of the three layers approach


Table 1: Six elements involved in value creation process

Element: Definition

Organizations: Companies and organizations that compose value creation processes (especially the generally imagined "supply chain")

People: People belonging to an organization; people directly participating in the value creation process

Components: Hardware, software, and their parts

Data: Information collected in physical space; information edited through sharing, analyzing and simulating that collected information

Procedures: A series of activities to achieve a defined purpose

Systems: Mechanisms or infrastructures configured with components to provide services

Figure 6 - Relationship among six elements


2.3. Structure of the framework

Based on the organization of the previous section, we organize the cyber/physical security measures in each layer of the three-layer structure as shown in the figure below.

Figure 7 - Overview of the measures in each layer

The framework shows common security measures for all industries in "Society5.0", but the important assets to be protected, the human and financial resources available, and/or the allowable risk level differ between industries and/or companies.

Therefore, in each industry and company, please make good use of the framework to create a profile listing the security measures actually in place, with reference to the contents described in it.

Moreover, please make good use of the framework to clarify the gap between the current profile and the target profile by comparing them, and to reduce the security risks.


3. The Cyber/Physical Security Measures

3.1. [The First Layer] Security measures for connections between companies (conventional supply chains)

L1.001 Development of security policies and preparation of the structures

Risk factor

If security measures are not consistent throughout an organization, they cannot be effective. If people do not understand which measures to apply, and in what priority, when a security incident occurs, the start of countermeasures will be delayed.

Risk impact

・ The delay in countermeasures against security incidents causes spread of security damages.

Overview of the measure

・ Develop and operate a security policy

・ Appoint a chief security officer and establish a security management team

Key aspects of the measure

After the priorities of organizational missions, objectives, and activities have been established and communicated, a security policy should be developed that clarifies roles and responsibilities, information sharing methods, and other matters. Also, a chief security officer should be appointed, a security management team established, and a system prepared to determine appropriate actions (priorities, scope, etc.) against security incidents. In this way the organization can prevent security damage from spreading because countermeasures are delayed. In summary:

・ Develop a security policy, clarifying roles and responsibilities for security and the information sharing method in an organization.

・ Appoint a chief security officer, establish a security management team, and prepare a system to conduct security measures in an organization.

・ The security management team should establish a process to collect vulnerability information from internal and external information sources (through internal tests, security information, and security researchers, etc.), analyze the information, and conduct countermeasures.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

○ Organizations

・ Communicate the prioritized organizational missions, objectives, and activities to the relevant stakeholders (suppliers, third-party providers, etc.).

・ Develop a security policy that clarifies roles and responsibilities for security and the information sharing method in the organization.

- Designate the roles and responsibilities of the relevant persons, the information sharing methods, and compliance matters.

- Identify the roles of your own organization toward the relevant persons and share that information.


- Provide information about the operating condition of your own organization to the relevant persons, depending on the functions your organization provides.

- Ensure that the persons in charge, particularly privileged users, correctly understand their roles and responsibilities for security.

・ Appoint a chief security officer, establish a security management team, and prepare a system to conduct security measures in the organization.

- The security management team should continuously collect vulnerability information from internal and external sources, analyze it, and determine appropriate actions (priorities, scope, etc.) against the security incidents being monitored.

- Establish a process to collect vulnerability information from internal and external sources (internal tests, security information, security researchers, etc.), analyze the information, and carry out countermeasures.

- Coordinate the roles and responsibilities for security with the relevant persons in advance and prepare a mechanism for coordination.

- Ensure that the persons in charge, particularly privileged users, correctly understand their roles and responsibilities for security.

- Assign a person in charge of public relations who understands the technical requirements when disclosing information about security incidents.

○ People

・ Persons in charge should sufficiently understand their roles and responsibilities.

- Especially the privileged persons in charge should correctly understand their roles and responsibilities for security.

・ The security management team should utilize security alerts and advisories to monitor security incidents.

○ Components

(N/A)

○ Data

(N/A)

○ Procedures

・ Publish only the confirmed facts when disclosing the information about security incidents.

○ Systems

(N/A)


L1.002 Security risk management

Risk factor

People do not understand the details, priorities, and scope of security measures.

Risk impact

・ The delay in countermeasures against security incidents causes security damage to spread.

Overview of the measure

・ Conduct risk assessment (identification, analysis, and evaluation of possible security risks)

・ Develop security rules (including rules upon information disclosure)

Key aspects of the measure

Prevent critical security incidents and the spread of security damage by identifying, analyzing, and evaluating the security risks existing in the organization in advance, and then defining the details, priorities, and scope of security measures, including security by design. In addition, develop security rules to promote the security measures.

・ Conduct risk assessment (identification, analysis, evaluation of security risks)

・ Based on the result of the risk assessment, clearly define details of security measures, sort out the scope and priorities, and develop security rules.

・ An organization should decide the priorities of the security rules and the chief security officer should approve them.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

○ Organizations

・ Conduct risk assessment (identification, analysis, evaluation of possible security risks)

- Conduct and document risk assessments considering threats, vulnerabilities, likelihood, and impacts.

- Maintain a structure for self-assessment and arrange third-party assessments as needed.

- Identify security risks considering threats from internal/external attacks and natural disasters.

- Make sure to cover all aspects of the security risks by using a variety of risk-scenario-based methods.

- Include supply chain issues when analyzing security risks.

- Analyze and evaluate security risks according to the security risk tolerance associated with the roles of the relevant parties.

- Determine your own organizational risk tolerance considering the relevant supply chain and sector-specific risk analysis.

- Share information on the organization's security risks with the relevant persons.

- Conduct risk assessment considering actual business operations.

・ Based on the result of the risk assessment, sort out the details of countermeasures against security risks, their scope and priorities, and develop security rules.

- Define data classification and criteria for how to handle information (data).

- Document and use rules for handling privacy information in accordance with international principles on personal information and privacy protection, such as the OECD's eight core principles.


- Set security rules with an understanding of the applicable laws, notifications, and industry standards in each region.

- Restrict physical access to the elements to privileged users only.

- Keep records of physical access to the elements.

- Define the audit logs to be acquired from the elements.

- When outsiders enter critical facilities, a responsible person should accompany them and watch their behavior.

- Define restoration methods for each function, estimating the details of the damage that would occur if a disaster struck the operational environment.

- Set restrictions on access from alternative working sites (e.g. telework sites).

- Document the system boundary, its operating environment, the methods for implementing security requirements, and the methods of connecting to other systems.

- Separate the development and testing environment(s) from the production environment.

- Document operating procedures such as machine operations and make them available to all users.

- Define a procedure for the default settings of devices (passwords, etc.) and a method for updating the settings.

- Define disposal procedures for devices.

- Adopt security measures that support a policy for managing the risks of using mobile devices.

- Define constraints and environment settings for wireless connections.

- Set and carry out a policy on the use and management of cryptography to protect information.

- Ensure that no nonpublic information is included when disclosing security incident information.

- Utilize cyber insurance as a form of risk transfer according to the security risks.

・ The relevant persons should develop, control, and agree on security rules for supply chains after clarifying their respective scopes of responsibility.

・ The organization should decide the priorities of the security rules, and the chief security officer should approve them.

○ People

・ Include human-resources-related practices such as handling changes of roles and responsibilities on personnel transfer (e.g., deactivating access authorizations, personnel screening, etc.).

・ Prepare official disciplinary procedures and publicize the actions taken against employees who commit information security violations.

○ Components

・ Introduce a system development life cycle, considering security by design for designing, developing, implementing, and modifying the functions of elements.

○ Data

(N/A)

○ Procedures

・ Document the operating procedure such as machine operations and should be available for all users.

○ Systems

・ Introduce a system development life cycle that applies security by design to the design, development, implementation, and modification of the functions of elements.

・ Separate the development and testing environment(s) from the production environment.

L1.003 Clarification on security incident response

Risk factor

People do not understand the details, priorities, and scope of security measures when an incident occurs. The actions involved in security incident response, their priorities, and their extent are not clear.

Risk impact

・ The delay in countermeasures against security incidents causes spread of security damages.

Overview of the measure

・ Create a security operation manual.

Key aspects of the measure

Creating a security operation manual expedites security incident response and clarifies its priorities, which prevents further security-related damage.

・ Clearly document the response procedure in the security operation manual beforehand and use it immediately to respond to security incidents whenever they are detected.

・ Select the relevant persons who use the organization's security operation manual.

・ The chief security officer shares information on security incidents with the relevant persons to gain a better understanding of the security-related situation.

・ Execute the measures for security incident response with an understanding of their purposes, incident alert criteria, recovery priorities, procedures, and responsibilities.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

Organization

・ The response procedure is clearly documented beforehand in the security operation manual and its use is enforced, so that users are able to respond immediately to security incidents whenever they are detected.

- Execute the measures for security incident response with an understanding of their purposes, incident alert criteria, recovery priorities, procedures, and responsibilities.

- Describe the procedures for reporting to and sharing information with the relevant persons in the organization, executive officers, senior management, and senior executives whenever necessary. Describe the procedure for reporting, for example, detected security incidents to the relevant parties with an appropriate amount of information.

- Describe a procedure for coordinating with other relevant persons when responding to security incidents.

・ Select the relevant persons who use the organization's security operation manual.

・ The chief security officer shares information related to security incidents with the relevant persons to gain a better understanding of the security-related situation.

People

・ Regarding security incident response, the purposes, incident alert criteria, recovery priorities, procedures, and responsibilities should be understood before acting on the procedure.

Component

(N/A)

Data

(N/A)

Procedure

・ Determine incident alert criteria.

System

(N/A)

L1.004 Maintenance contracts with suppliers

Risk factor

People do not understand details, priorities, and scope of security measures.

Risk impact

・ The delay in countermeasures against security incidents causes spread of security damages.

Overview of the measure

・ Establish a procedure for finalizing maintenance contracts with suppliers of services, systems, and devices.

Key aspects of the measure

Select suppliers of services, systems, or devices that have well-established inquiry and support services. Deterioration of security levels and of business and operational efficiency can then be prevented by obtaining bug fix programs regularly from the suppliers and replacing parts quickly when a failure occurs.

・ The relevant persons formulate, manage, and agree upon the security rules related to supply chains after clarifying the scope of responsibilities.

・ Select the suppliers who are in line with the purposes of the security operation manual.

・ Make sure the privileged users correctly understand their security-related roles and responsibilities.

・ When using a system provided by an outside organization, sign a service agreement with that organization and limit the scope of use.

・ Make a list of external information systems.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

Organization

・ The relevant persons formulate, manage, and agree upon the security rules related to supply chains after clarifying the scope of responsibilities.

- Identify and share information about the role your organization plays in the supply chain.

- Make sure the relevant persons (the privileged users in particular) correctly understand their security-related roles and responsibilities.

- Share information on security risks residing within the organization with the relevant persons and coordinate with them when there is a security incident.

・ Select the suppliers who are in line with the purposes of the security operation manual.

- Evaluate the suppliers regularly on whether they have fulfilled their contractual obligations.

- Monitor the actions of suppliers to detect potential security incidents.

- The organization confirms and approves the supplier's maintenance tools.

- Make a list of external information systems.

・ Categorize the information on detected security incidents by the size of the security-related impact, penetration vector, and other factors, and store it.

People

・ Make sure the privileged users correctly understand their security-related roles and responsibilities.

・ Restrict access for users who are permitted to connect to external systems.

Component

(N/A)

Data

(N/A)

Procedure

・ When using a system provided by an outside organization, sign a service agreement with this organization and limit the scope of use.

The service contract covers the transfer of information between the organization and external personnel while maintaining the security obligations.

System

・ Introduce a system development life cycle based on the security-by-design concept, covering the design, development, implementation, and modification of functions related to the elements.

・ Document the system boundaries, operation environment, method of implementing the security requirements, and method of connecting to other systems.

・ Make a list of external information systems.

L1.005 Implement PDCA cycle for security measures

Risk factor

Incapable of responding to new security incidents.

Risk impact

・ The delay in countermeasures against security incidents causes spread of security damages.

・ Similar security incidents recur due to inadequate allocation of staff for implementing security measures, lack of staff expertise, and insufficient preparation for preventing recurrence.

Overview of the measure

・ Implement a PDCA cycle for security risks.

・ Continuously gather the latest vulnerability information on components, systems, and other elements.

Key aspects of the measure

Implementing a PDCA cycle for security risks and continuously improving the security management system allows you to respond quickly to future security incidents.

・ Prepare a structure that continuously improves the processes for protecting the elements by assessing the lessons learned from security incident responses and the results of monitoring, measuring, and evaluating internal and external attacks.

・ Establish, manage, and agree upon the risk management processes by the organization and the stakeholders.

・ Obtain the latest vulnerability information and incorporate it in the security rules and the security operation manual.

・ Conduct risk assessments regularly to check whether the security rules for managing the elements are effective and applicable to the components that implement them.

・ Continuously improve the process of detecting security incidents.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

Organization

・ Establish, manage, and agree upon the risk management processes by the organization and the stakeholders.

・ Review the security policy as necessary.

・ Assess the lessons learned from security incident responses and the results of monitoring, measuring, and evaluating internal and external attacks, and then establish a system to continuously improve the processes for protecting the elements.

・ Conduct a risk assessment on a regular basis to check whether the security rules for managing the elements are effective, including how the components are implemented.

- Prepare a structure for appropriate self-assessment and for third-party assessment as needed.

- Develop a vulnerability management plan and make modifications according to the plan.

- Document newly identified vulnerabilities if the risk is tolerable, or mitigate the risk for the particular measure.

- Compile into the security operation manual procedures on, for example, how to fix identified problems and how to reduce vulnerabilities.

- Based on the lessons learned from the recovery procedure, conduct training and tests on the recovery procedure and update the security operation manual.

・ Continuously improve the process of detecting security incidents.

- Always check and collect publicly available information on the latest vulnerabilities of the elements, and establish a structure for handling related issues.

- As part of the monitoring process, test regularly if the functions for detecting security incidents work as intended and verify the validity of these functions.

- Detect security incidents in the monitoring process, in compliance with the applicable local regulations, directives, industry standards, and other rules.

- Monitor the actions of suppliers to detect potential security incidents.

・ Continuously conduct security incident response training for all staff members in the organization and the stakeholders, and regularly test their response capabilities.

・ Provide security awareness training on recognizing and reporting potential indicators of insider threat.

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

(N/A)

L1.006 Regular training and education

Risk factor

The security measures implemented within the organization are not consistent.

Risk impact

・ The delay in countermeasures against security incidents causes spread of security damages.

Overview of the measure

・ Provide education on security measures on a regular basis.

・ Conduct security incident response training on a regular basis.

Key aspects of the measure

The training ensures that all staff members in the organization understand the operations that take security measures into consideration and the security incident response. The operations and responses are reviewed periodically. This prevents delays in security incident response and the exacerbation of security-related damage.

・ Conduct the appropriate training and security education necessary for all staff members in the organization to fulfill their assigned roles and responsibilities, and notify them of the existence of the security policy, security rules, and security response manuals.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

Organization

・ Appropriate training and security education necessary to fulfill their assigned roles and responsibilities are conducted for all staff members in the organization (system owners, system administrators, users, etc.), and they are notified of the security policy, security rules, and security response manuals.

- Establish the capabilities to respond to security incidents, including appropriate preparation, detection, analysis, suppression (containment), recovery, and dealing with clients.

- Prepare a reporting structure for internal fraud, and conduct awareness training for staff members in the organization. (Examples of internal fraud: accessing information unrelated to one's work due to dissatisfaction with an excessive workload, violating the organization's operational rules, etc.)

- Test the organization's response capabilities with suppliers and third-party providers for security incident responses.

- Provide security awareness training on recognizing and reporting potential indicators of insider threats.

People

・ All staff members in the organization receive appropriate training and security education necessary to fulfill their assigned roles and responsibilities, to comprehend the security policy, security rules, and security response manuals.

- Test the response capabilities regularly for the security incident response.

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

(N/A)

L1.007 Management of components, systems, and other assets

Risk factor

Incapable of managing the devices and other assets that connect to cyberspace.

Risk impact

・ Devices and other assets that were overlooked when security measures were introduced create security risks, allowing unauthorized access from the outside or becoming the source of malware infection.

Overview of the measure

・ Inventory-taking and asset management of devices and other assets.

・ Appropriate asset operations for devices and other assets.

Key aspects of the measure

By making sure that configuration management and change management are conducted for devices, you can control the security incidents that exploit unmanaged devices, including devices used in workplaces without authorization, which may be used to attack other devices.

・ Conduct configuration management and change management of devices and other assets.

・ Manage the configuration and settings of devices and other assets continuously, and document and save the hardware and software information in the relevant systems.

・ Manage important information such as IDs (identifiers), private keys, and digital certificates after clarifying the management method.

・ Prioritize the hardware and software resource allocation based on type, importance, and business value.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

Organization

・ Rules for the acceptable use of information and of the assets associated with data processing facilities should be clarified and documented.

・ Configuration management and change management of assets (devices and others) are conducted.

- Document the procedure on removal, transfer, and disposal of all elements that enter and exit the facilities.

- Create and save the network configuration diagram and data flows of the organization.

- Create, update, and save the records of any changes in an asset (disposal, addition, replacement, etc.) in the configuration management documents. The retention period of these records is determined based on their application.

- Establish an approval process that considers past changes, audits of the change, review processes, and security-related impacts.

People

・ Authorize users according to the risks of each transaction (security-related risks for the user, privacy risks, and other organizational risks).

Component

・ For the configuration management of devices and other assets, the setting information is continuously managed, and the management information on the hardware and software in the systems is documented and saved. (Hardware management information: hardware configuration information, name of hardware, serial number, owner, installed location, etc.) (Software management information: licensing information, version, OS, etc.)

- Attach handling warning labels and distribution restriction labels to external media if important information is stored on the media and a distribution deadline is set.

- Prohibit the use of portable storage devices whose owner cannot be identified.

・ Each device and other asset is authenticated according to the risks of each transaction (security-related risks for the user, privacy risks, and other organizational risks).

Data

・ Manage the user and device IDs (identifiers) and important information (private keys, digital certificates, etc.) over their whole life cycle, after clarifying the management method (their use, the protection of critical information, and their validity period).

Procedure

(N/A)

System

・ Prioritize the hardware and software resource allocation based on type, importance, and business value.

・ Assign IDs (identifiers) that uniquely identify devices and users.

・ Create and save network configuration diagram and data flows in the organization.
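The following Python sketch is an added example for the L1.007 measures above; it is not code from the framework or its authors. It keeps the hardware and software management information the measure lists under a unique asset ID, records each addition, replacement, and disposal as a change record, and reconciles a network neighbour-table dump against the inventory to surface unmanaged devices. The asset records, the neighbour-table lines, and the MAC/IP addresses (IANA and RFC 5737 documentation ranges) are all constructed sample data.

```python
"""Asset inventory with change records and unmanaged-device reconciliation.
Added example for the L1.007 measures; all records below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Asset:
    """Management information named in the measure (constructed field set)."""
    asset_id: str      # unique identifier assigned by the organization
    name: str
    serial: str
    owner: str
    location: str
    os_name: str
    os_version: str
    mac: str           # used here to match assets against network observations
    changes: list = field(default_factory=list)   # configuration change records


class Inventory:
    """Active assets, disposed assets, and a change record per asset."""

    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}
        self.disposed: dict[str, Asset] = {}

    def _record(self, asset: Asset, action: str, actor: str, when: datetime, **detail) -> None:
        asset.changes.append({"when": when.isoformat(), "actor": actor,
                              "action": action, **detail})

    def add(self, asset: Asset, actor: str, when: datetime) -> None:
        # IDs must stay unique even across disposed assets so records never collide.
        if asset.asset_id in self.assets or asset.asset_id in self.disposed:
            raise ValueError(f"asset id {asset.asset_id} is not unique")
        self.assets[asset.asset_id] = asset
        self._record(asset, "addition", actor, when)

    def replace_field(self, asset_id: str, field_name: str, new_value: str,
                      actor: str, when: datetime) -> None:
        asset = self.assets[asset_id]
        old = getattr(asset, field_name)
        setattr(asset, field_name, new_value)
        self._record(asset, "replacement", actor, when,
                     field=field_name, old=old, new=new_value)

    def dispose(self, asset_id: str, actor: str, when: datetime) -> None:
        # Disposal keeps the record; how long it is retained is a policy decision.
        asset = self.assets.pop(asset_id)
        self._record(asset, "disposal", actor, when)
        self.disposed[asset_id] = asset

    def unmanaged(self, observed: dict[str, str]) -> dict[str, str]:
        """Observed {mac: ip} entries with no matching active asset.
        MAC addresses can be spoofed, so a hit is a lead for inspection, not proof."""
        known = {a.mac.lower() for a in self.assets.values()}
        return {mac: ip for mac, ip in observed.items() if mac.lower() not in known}


def parse_neighbor_table(lines: list[str]) -> dict[str, str]:
    """Parse constructed 'ip mac' lines such as an ARP/neighbour table dump."""
    observed: dict[str, str] = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 2:
            observed[parts[1].lower()] = parts[0]
    return observed


# Constructed neighbour-table dump (RFC 5737 IPs, IANA documentation MACs).
SAMPLE_NEIGHBORS = [
    "192.0.2.10  00:00:5e:00:53:01",
    "192.0.2.11  00:00:5e:00:53:02",
    "192.0.2.57  00:00:5e:00:53:99",   # not in the inventory
]


def run_example() -> tuple[dict[str, str], list, list]:
    t0 = datetime(2019, 1, 1, tzinfo=timezone.utc)
    inv = Inventory()
    inv.add(Asset("A-0001", "plc-gateway-1", "SN-1001", "OT team", "Plant 1, cabinet 3",
                  "Linux", "4.19", "00:00:5e:00:53:01"), actor="admin", when=t0)
    inv.add(Asset("A-0002", "hmi-ws-2", "SN-1002", "OT team", "Plant 1, control room",
                  "Windows", "10", "00:00:5e:00:53:02"), actor="admin", when=t0)
    inv.add(Asset("A-0003", "old-sensor-hub", "SN-1003", "OT team", "Plant 1, line 2",
                  "Linux", "3.10", "00:00:5e:00:53:03"), actor="admin", when=t0)
    # A software update is recorded as a replacement of the version field.
    inv.replace_field("A-0001", "os_version", "4.19.1", actor="admin",
                      when=datetime(2019, 2, 1, tzinfo=timezone.utc))
    inv.dispose("A-0003", actor="admin", when=datetime(2019, 3, 1, tzinfo=timezone.utc))
    unmanaged = inv.unmanaged(parse_neighbor_table(SAMPLE_NEIGHBORS))
    return unmanaged, inv.assets["A-0001"].changes, inv.disposed["A-0003"].changes


if __name__ == "__main__":
    found, changes, disposed_changes = run_example()
    print("Unmanaged devices:", found)
    print("Change record for A-0001:", changes)
```

The reconciliation step is the part that addresses the risk impact stated for this measure: a device that appears on the network but not in the inventory is exactly the overlooked device the framework warns about, and the change records give the audit trail the Organization bullets ask for.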

L1.008 Implementation of functions and procedures for appropriate detection and analysis of security incidents

Risk factor

Incapable of correctly identifying security incidents.

Risk impact

・ A delay in discovering a security incident causes the expansion of the security-related damages.

Overview of the measure

・ Establish a structure for detecting security incidents such as unauthorized access.

・ Perform a correlation analysis when there is an alert notification.

・ Perform a comparison analysis of the detected security incident against the threat information obtained from outside the organization.

Key aspects of the measure

Security incidents can be identified correctly by correlating them with other security incidents and comparing them with the threat information obtained from outside the organization.

Security incident information should be collected from the multiple devices connected in cyberspace. For better accuracy, a holistic approach is used to pick out the relevant information. The information obtained from inside and outside the organization is used to discover vulnerabilities and threats quickly and to consider appropriate countermeasures.

・ Report the security incident to the chief security officer and other relevant persons.

・ Determine the impact on the whole organization based on the full account of the security incident and the probable intent of the attacker.

・ Execute the recovery plan based on the configuration information before the security incident occurred.

・ Make an effort to recover, including the organization's reputation, after the security incident is disclosed.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

Organization

・ Report the security incident to the chief security officer and other relevant persons.

・ Obtain analyses of the security incident from inside and outside the organization, and identify the target and the method of the attack.

・ Determine the impact on the whole organization based on the full account of the security incident and the probable intent of the attacker.

・ Execute the recovery plan based on the configuration information before the security incident occurred.

・ Further minimize security-related damages, and mitigate the impacts.

・ Make an effort to recover the organization's reputation after a security incident is disclosed.

People

・ Report the security incident to the security administrator and other relevant persons.

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

・ Use a monitoring function to collect data from each element and packets captured from the network. This information is integrated, and a holistic approach is used for better accuracy in the analysis of the detected security incident.
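As an added example for L1.008 (not the framework's own code), the Python below shows the two analyses named in the overview of the measure: correlating events from several monitoring sources (firewall, endpoint agent, authentication server) per host within a time window, and comparing the correlated events against threat information obtained from outside the organization. The log lines, the threat-information feed, the field names, and the time window are all constructed for this example; IP addresses are from RFC 5737 documentation ranges and the file hash is a labelled placeholder.

```python
"""Cross-source event correlation with external threat-information matching.
Added example for L1.008; every event and indicator below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines from three monitoring sources, in a made-up key=value format.
SAMPLE_EVENTS = [
    "2019-01-10T09:00:05Z fw   host=hmi-ws-2 src=203.0.113.45 action=allow port=445",
    "2019-01-10T09:00:40Z edr  host=hmi-ws-2 sha256=PLACEHOLDER_HASH_1 event=process_start",
    "2019-01-10T09:01:10Z auth host=hmi-ws-2 user=operator result=failure",
    "2019-01-10T09:01:12Z auth host=hmi-ws-2 user=operator result=failure",
    "2019-01-10T09:01:15Z auth host=hmi-ws-2 user=operator result=success",
    "2019-01-10T11:30:00Z fw   host=plc-gateway-1 src=198.51.100.7 action=allow port=502",
    "2019-01-10T15:00:00Z auth host=plc-gateway-1 user=maint result=failure",
]

# Constructed external threat information (the shape a CSIRT feed might provide).
THREAT_INFO = {
    "ip": {"203.0.113.45"},
    "sha256": {"PLACEHOLDER_HASH_1"},
}

WINDOW = timedelta(minutes=5)   # correlation window per host (constructed choice)


def parse_event(line: str) -> dict:
    """Split 'timestamp source k=v k=v ...' into a dict with a parsed datetime."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for item in pairs:
        key, _, value = item.partition("=")
        event[key] = value
    return event


def match_threat_info(event: dict) -> list[str]:
    """Compare the indicators carried by one event with the external feed."""
    hits = []
    if event.get("src") in THREAT_INFO["ip"]:
        hits.append(f"src ip {event['src']} in threat information")
    if event.get("sha256") in THREAT_INFO["sha256"]:
        hits.append(f"hash {event['sha256']} in threat information")
    return hits


def correlate(lines: list[str]) -> list[dict]:
    """Group events per host within WINDOW and report groups that either span
    more than one monitoring source or contain a threat-information match."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for event in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        by_host[event["host"]].append(event)

    findings = []
    for host, events in by_host.items():
        group: list[dict] = []
        for event in events + [None]:          # None closes the last group
            if event is not None and (not group or event["ts"] - group[0]["ts"] <= WINDOW):
                group.append(event)
                continue
            sources = {e["source"] for e in group}
            threat_hits = [h for e in group for h in match_threat_info(e)]
            if len(sources) > 1 or threat_hits:
                findings.append({
                    "host": host,
                    "start": group[0]["ts"].isoformat(),
                    "sources": sorted(sources),
                    "events": len(group),
                    "threat_matches": threat_hits,
                    # Constructed severity rule: external match plus multi-source activity.
                    "severity": "high" if threat_hits and len(sources) > 1 else "medium",
                })
            group = [event] if event is not None else []
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed lines, only the host where firewall, endpoint, and authentication events cluster within the window is reported; the isolated firewall and authentication events on the gateway hours apart are not. The design choice worth noting is that the threat-information comparison runs on the correlated group rather than on single events, which is what lets an external indicator raise the severity of otherwise routine local activity.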

L1.009 Inclusion in the business continuity plan and contingency plan

Risk factor

Cannot make proper business continuity decisions when a security incident occurs.

Risk impact

・ The organization loses its reputation for its social functions because it cannot determine the impacts of the security incident and make a proper decision on whether business operations should be continued.

Overview of the measure

・ Position the security incident response actions in the business continuity plan and contingency plan.

Key aspects of the measure

Security incidents should be included in the business continuity plan and contingency plan that define the response actions against natural disasters, and a cyber resilience plan should also be enhanced beforehand to deal with a security incident as one of the disasters, in order to minimize the impacts.

・ Define the business continuity plan and contingency plan based on the configuration information before the security incident occurs.

・ Minimize security-related damages and mitigate the impacts.

・ Utilize the lessons learned from past security incident responses and continuously update the recovery plan.

Examples of measures for each element

Organization

・ Define the business continuity plan and contingency plan based on the configuration information before the security incident occurs.

・ Execute the recovery plan based on the configuration information before the security incident occurred.

・ Minimize security-related damages and mitigate the impacts.

・ Make effort to recover the organization's social functions and reputation after a security incident.

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

・ Utilize the lessons learned from past security incident responses and continuously update the recovery plan.

System

(N/A)

L1.010 Compliance with laws and regulations

Risk factor

Violation of laws and regulations by the organization.

Risk impact

・ The organization violates compliance requirements.

Overview of the measure

・ Draft the security measures taking laws, regulations, and industry guidelines into consideration.

Key aspects of the measure

Formulate internal rules that take into consideration domestic and foreign laws, including the Act on the Protection of Personal Information and the Unfair Competition Prevention Act, and industry guidelines, and continuously review those laws, regulations, and industry guidelines and revise the rules accordingly. This process allows you to maintain fair business competition even when you share data with other business organizations.

・ Document and manage the security rules, understanding security-related regulations and requirements, including privacy and human rights obligations.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

Organization

・ Document and manage the security-related regulations and requirements, understanding privacy and human rights obligations.

- Update the security rules immediately after a change is made in the local laws, ordinances, directives, industry standards, and other rules.

- Detect security incidents in the monitoring process, complying with the applicable local laws, ordinances, directives, industry standards, and other rules.

- Execute appropriate procedures to ensure compliance with the requirements of laws, ordinances, and regulations on the use of software products, intellectual property rights, and ownership contracts.

- Use encryption functions in accordance with the associated agreements, laws, ordinances, and regulations.

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

(N/A)

L1.011 Management of records on produced components

Risk factor

Cannot identify the real issues that occurred in relation to the supply chain.

Risk impact

・ Operational optimization of production in the supply chain is prolonged due to the lack of problem identification and solutions across the entire supply chain process that generates your value (components).

Overview of the measure

・ Define the method to identify the produced components, create the production records, and keep them for a certain period of time, so that the information on produced components can be audited later.

Key aspects of the measure

Define a method for identifying produced components by assigning numbers based on the importance of the component in the supply chain, create records of the production date/time and the component's condition according to these importance levels, and establish internal controls related to production to keep these records for a certain period of time.

・ Share an understanding of the importance level of records on produced components with partners, and maintain an appropriate level of records management, along with internal controls on production, according to the importance levels, because there may be an auditing process later.

Examples of measures for each element

Organization

・ Establish internal control rules for production records.

People

(N/A)

Component

・ Create and keep production records based on the internal control rules.

Data

(N/A)

Procedure

(N/A)

System

(N/A)

L1.012 Protection of privacy

Risk factor

Privacy information (data) may be collected and used, through devices in the workplace or through cyberspace, without the user's consent.

Risk impact

・ Privacy issues arise from collecting privacy information (data) into a system without the user's consent.

Overview of the measure

・ Formulate the rules on how to handle privacy information in compliance with the privacy laws.

・ Confirm the location of the privacy information periodically.

Key aspects of the measure

Document and use the rules on how privacy information should be handled in accordance with the OECD's eight core principles on protection of personal information and privacy.

This prevents violation of privacy in the business operation.

・ Clarify the rules on how privacy information should be handled and restrict access to privacy information, with regards to the elements (people, component, procedure, and system).

Examples of measures for each element

Organization

・ Document and use the rules on how privacy information should be handled in accordance with the OECD's eight core principles to protect personal information and privacy.

・ Clarify the rules on how privacy information should be handled and restrict access to privacy information with regards to the elements (people, component, procedure, and system).

People

・ Restrict access to privacy information.

Component

・ Restrict access to privacy information.

Data

(N/A)

Procedure

・ Restrict access to privacy information.

System

・ Restrict access to privacy information.

L1.013 Appropriate information sharing of the security incident

Risk factor

Unclear security measure contents, priorities, and scope.

Risk impact

・ The delay in countermeasures against security incidents causes spread of security damages.

Overview of the measure

・ Share appropriate information on security incidents.

Key aspects of the measure

Create a security operation manual and share appropriate information with JPCERT/CC when a security incident occurs. In addition, always obtain the latest security incident information from JPCERT/CC and utilize it for security measures.

・ Clearly document an information sharing procedure in the organization's security operation manual and use it.

・ Obtain the latest security incident information and utilize it for security measures.

Developing and implementing a security management system should be effective when introducing this measure.

・ Information Security Management System (ISMS)

・ Cyber Security Management System (CSMS)

Examples of measures for each element

Organization

・ Clearly document an information sharing procedure in the organization's security operation manual and use it.

- Show a procedure for reporting detected security incidents to the appropriate person in charge with an appropriate amount of information. Show a procedure for coordinating with the persons in charge.

・ Obtain the latest security incident information and utilize it for security measures.

People

・ Understand the importance of appropriate information sharing on security incidents and execute the measures accordingly.

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

(N/A)



3.2. [The Second Layer] Security measures for connections between physical and cyber spaces

L2.001 Introduction of secure IoT devices

Risk factor

Unauthorized access to IoT devices due to inadequate security measures such as weak access control.

Risk impact

・ Cause malfunction due to unauthorized operation of an IoT device.

Overview of the measure

・ Select IoT devices certified by a third-party (e.g., EDSA certification (IEC 62443-4-2)) or IoT devices confirmed by self-attestation for safe and secure use.

Key aspects of the measure

Using IoT devices certified by a third party helps prevent malfunction of the devices caused by unauthorized access from outside the organization.

・ Check known and unacceptable security risks at the planning and designing stages.

・ Execute the measures against known and unacceptable security risks at the planning and designing stage.

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

Examples of measures for each element

Organization

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

- Establish acceptance criteria for IoT devices and a testing process for new information systems and for revised or updated systems.

- Select, protect, and manage the testing data carefully.

People

・ Check known and unacceptable security risks at the planning and designing stages.

Component

・ Check known and unacceptable security risks at the planning and designing stages.

・ Select IoT devices certified by a third-party (e.g., EDSA certification (IEC 62443-4-2)) or IoT devices confirmed by self-attestation for safe and secure use.

- Have a third party evaluate the requirement definitions and design specifications from a security perspective at the planning and design stages.

Data

(N/A)

Procedure

(N/A)

System

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.


L2.002 Implementation of security by design into IoT devices

Risk factor

Use of IoT devices that have not been designed with security in mind.

Risk impact

・ Dealing with vulnerabilities in the IoT devices costs more and takes longer.

Overview of the measure

・ Select IoT devices implemented considering security risks at the planning and designing stages.

Key aspects of the measure

By introducing IoT devices whose security risks were considered at the planning and designing stages, avoid the cost of adding security measures in the operation phase and the rework that would otherwise be needed during development.

・ Check known and unacceptable security risks at the planning and designing stages.

・ Execute the measures against known and unacceptable security risks at the planning and designing stage.

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

Examples of measures for each element

Organization

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

People

・ Check known and unacceptable security risks at the planning and designing stages.

Component

・ Take measures against known and unacceptable security risks from the planning and design stages onward.

Data

(N/A)

Procedure

(N/A)

System

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.


L2.003 Introduction of IoT devices considering functional safety

Risk factor

Use of IoT devices without considering functional safety.

Risk impact

・ Operation of the IoT devices harms workers or damages equipment.

Overview of the measure

・ Introduce IoT devices that take functional safety into consideration.

Key aspects of the measure

Using IoT devices that take functional safety into consideration prevents their operation from harming workers or damaging equipment, whether the devices are operating normally or abnormally.

・ Check known and unacceptable security risks at the planning and designing stages.

・ Execute the measures against known and unacceptable security risks at the planning and designing stage.

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

・ Introduce the IoT devices considering functional safety assuming that these devices are connected to the network.

Examples of measures for each element

Organization

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

People

・ Check known and unacceptable security risks at the planning and designing stages.

Component

・ Check known and unacceptable security risks at the planning and designing stages.

・ Introduce the IoT devices considering functional safety assuming that these devices are connected to the network.

Data

(N/A)

Procedure

(N/A)

System

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.


L2.004 Introducing genuine products into IoT devices

Risk factor

Introduction of counterfeit IoT devices and software.

Risk impact

・ Low-quality, unreliable imitation or counterfeit products (including software used for IoT devices) introduce falsified information (data) and cause frequent machine failures.

Overview of the measure

・ Introduce genuine IoT devices approved by the device supplier.

・ Introduce genuine software approved by the software supplier.

Key aspects of this measure

Use IoT devices that can be verified as genuine, to prevent the introduction of falsified information (data), frequent machine failures and malfunctions, and reduced operational efficiency caused by using low-quality, unreliable IoT devices such as counterfeit products. Likewise, use software verified as genuine, to prevent the malware infections and incorrect information (data) that low-quality, unreliable software such as counterfeit products can introduce, and the loss of operational efficiency that follows.

・ Check the IDs (identifiers) that uniquely identify each IoT device and piece of software, and the important information (private key, digital certificate) they hold.

・ Identify and verify the supplier of each IoT device and piece of software (verification of integrity) in order to confirm product authenticity.

・ Confirm on a regular basis (e.g., during the boot process) that IoT devices and software are genuine products.

Examples of measures for each element

Organization

・ Introduce the concept of system development life cycle with security taken into consideration for the design, development, implementation, and modification of functions related to IoT devices.

・ Identify the supplier of each IoT device and piece of software, and introduce genuine products from approved suppliers.

・ Identify and verify the suppliers of each IoT device and piece of software (verification of integrity) in order to confirm product authenticity.

People

(N/A)

Component

・ Check the IDs (identifiers) that uniquely identify each IoT device and piece of software, and the important information (private key, digital certificate, etc.) each one holds.

・ Define an expiry date for each digital certificate.

・ Supply IoT devices and software in a way that detects (or prevents) tampering and leakage during shipment.

- For hardware shipments: security courier, tamper-evident seals, etc.

- For digital transfer: encryption, a hash of the entire transmitted data, etc.

Data

(N/A)


Procedure

・ Identify and approve the suppliers of each IoT device and software in order to confirm the authenticity of each product.

・ Confirm on a regular basis (e.g., during the boot process) that IoT devices and software are genuine products.

System

・ Introduce a system development life cycle that considers security risks in designing, developing, implementing, and modifying the functions of IoT devices.

・ Identify the supplier of each IoT device and software, and introduce genuine products from the suppliers.

・ Assign IDs (identifiers) that uniquely identify the IoT device and software.


L2.005 Adequate security settings for IoT devices

Risk factor

Unauthorized operation of IoT devices.

Risk impact

・ Cause malfunction by unauthorized access to IoT devices.

Overview of the measure

・ Define the initial setting procedure (password etc.) for the IoT devices.

・ Apply setting values appropriate for the environment where the IoT devices are used, including the suspension of unneeded services.

Key aspects of the measure

Prevent setting changes and malfunction of IoT devices caused by unauthorized access through strong password settings, controlled handling of passwords shared between service personnel and devices, regular password changes, and setting values suited to the environment.

・ Define how the initial settings (passwords etc.) are to be changed and what setting values the IoT devices should use.

・ Check the initial default setting values before installing the IoT devices.

Examples of measures for each element

Organization

・ Define how the initial settings (passwords etc.) are to be changed and what setting values the IoT devices should use, and add these to the security rules.

- Enforce a minimum password complexity and a minimum number of changed characters when new passwords are created.

- Prohibit password reuse for a specified number of generations.

- Allow temporary password use for system logons with an immediate change to a permanent password.

People

・ Make settings for IoT devices according to the security rules.

Component

・ Adopt the principle of least functionality to set up IoT devices providing only essential capabilities.

Data

(N/A)

Procedure

・ Confirm the initial default setting values before installing IoT devices.

System

(N/A)
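The password rules above (minimum complexity, a minimum number of changed characters, no reuse for a set number of generations, and refusing to keep a factory default) as one worked example. This is added Python code, not part of the framework; the threshold values, PBKDF2-HMAC-SHA256 hashing and the list of vendor default credentials are assumptions and the default list is a constructed sample.

```python
"""Credential-policy checks for IoT device passwords (added example).

Not part of the framework text. Assumptions: PBKDF2-HMAC-SHA256 for password
hashing, illustrative threshold values, and a constructed list of vendor
default credentials that the operator has collected.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

MIN_LENGTH = 12          # minimum length (assumed policy value)
MIN_CHAR_CLASSES = 3     # of: lowercase, uppercase, digit, symbol
MIN_CHANGED_CHARS = 4    # positions that must differ from the previous password
REUSE_GENERATIONS = 5    # generations for which reuse is prohibited

# Constructed sample of factory defaults; a real deployment maintains its own list.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    return problems


def changed_chars(old: str, new: str) -> int:
    """Positions that differ between old and new, counting any length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


class DeviceCredential:
    """One account on a device: current password plus recent generations, salted and hashed."""

    def __init__(self, username: str):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []   # (salt, digest), newest first

    def verify(self, password: str) -> bool:
        if not self.history:
            return False
        salt, digest = self.history[0]
        return hmac.compare_digest(_hash(password, salt), digest)

    def is_reused(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history[:REUSE_GENERATIONS])

    def is_factory_default(self, password: str) -> bool:
        return (self.username, password) in KNOWN_DEFAULT_CREDENTIALS

    def set_password(self, new: str, old: str | None = None) -> list[str]:
        """Apply the policy and store the new password; returns the violations (empty on success)."""
        problems = complexity_problems(new)
        if self.is_factory_default(new):
            problems.append("matches a known vendor default credential")
        if self.is_reused(new):
            problems.append(f"reused within the last {REUSE_GENERATIONS} generations")
        if self.history:   # changing an existing password requires proving the old one
            if old is None or not self.verify(old):
                problems.append("current password not verified")
            elif changed_chars(old, new) < MIN_CHANGED_CHARS:
                problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.history.insert(0, (salt, _hash(new, salt)))
        del self.history[REUSE_GENERATIONS:]   # keep only the generations the policy covers
        return []
```

Only salted hashes of earlier generations are kept, so the reuse check never needs old plaintexts; the changed-character rule is enforced at change time, when the caller must present the current password anyway.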


L2.006 Restricted access to IoT devices

Risk factor

Unauthorized operation of IoT devices.

Risk impact

・ Cause malfunction by unauthorized access to IoT devices.

Overview of the measure

・ Identify, authenticate and authorize the accessing source.

・ Clarify conditions of starting and ending a session in communication.

Key aspects of the measure

Prevent unauthorized log-in to IoT devices through appropriate access control by identifying/authenticating the access source to the IoT devices. Moreover, prevent the unintended change in settings and malfunction of IoT devices by clarifying the confirmation items before starting a session of communication and the conditions for terminating (interrupting) the session.

・ Define the conditions for starting and ending a session in communication in advance.

・ Authorize IoT devices and users according to the transaction risks (personal security, privacy risk, and other organizational risks).

Examples of measures for each element

Organization

・ Define the conditions for starting and ending a session in communication in advance.

・ Authorize IoT devices and users according to the transaction risks (personal security, privacy risk, and other organizational risks).

People

・ Authorize users as needed.

Component

・ Authorize IoT devices as needed.

・ Identify the access source (user, cyber space, IoT device) before authorizing access to system resources and services.

・ Deny access by unauthorized access sources.

Data

(N/A)

Procedure

・ Identify the access source before authorizing access to system resources and services.

・ Define the responses (suspension, alarm etc.) for the cases of failed authorization and authentication of the access source in advance.

- Suspend/continue operation of devices.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

・ Authorize IoT devices and users according to the transaction risks (personal security, privacy risk, and other organizational risks).

System

・ Start and end a session in communication according to the conditions defined in advance.

- End a session when the conditions defined in advance are no longer satisfied, for example when no data has been sent or received within a specified time.

- Isolate session-related information, for example by locking the control screen that was displayed immediately before the session was terminated.

・ Prohibit remote activation of collaborative computing devices (e.g., networked whiteboards, cameras, and microphones) and indicate to users at the device when it is in use. [4]

[4] Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.


L2.007 Countermeasures against unauthorized log-in to IoT devices

Risk factor

Unauthorized operation of IoT devices.

Risk impact

・ Unauthorized access to IoT devices causes malfunction by changing device settings or by extracting and analyzing information (data) held in the devices.

Overview of the measure

・ Respond to failures in log-in authentication.

Key aspects of the measure

Prevent unauthorized log-in, unintended setting changes, and malfunction of IoT devices by implementing a lockout function that triggers after a specified number of failed log-in authentications and keeps the account locked for an interval until safety is ensured.

・ Define in advance the responses to a specified number of failed log-in authorizations and authentications.

Examples of measures for each element

Organization

・ Define the responses (suspension, alarm etc.) for the case of failed authentication of the access source in advance.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

・ Define the responses (suspension, alarm etc.) for the case of consecutive failed log-in authentications in advance.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

People

・ Grant users only the authority required to control the system.

- Record the management work carried out by each user in a document.

- Define the response when a user without access authorization needs to engage in management work. (Example: the administrator accompanies the user and monitors their operations.)

Component

・ Define the responses (suspension, alarm etc.) for the case of consecutive failed log-in authentications in advance.

- Suspend/continue operation of devices etc.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

Data

(N/A)

Procedure

・ Define the responses (suspension, alarm etc.) for the case of failed authentication of the access source in advance.

- Suspend/continue operation of devices.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.


System

(N/A)
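The access controls of L2.006 (identify and authenticate the source, start and end sessions on predefined conditions such as an idle timeout) and the lockout and alerting of L2.007 together, as one added Python example that is not part of the framework. The threshold values, the PBKDF2 hashing, the in-memory audit trail and the alert callback are assumptions chosen for illustration; a deployed device would persist the audit records and route the alert to its monitoring system.

```python
"""Login-failure lockout and session control for an IoT device management interface.

Added example, not from the framework text. Assumptions: lockout after a fixed
number of consecutive failures, a fixed idle timeout, PBKDF2-HMAC-SHA256 password
hashes, an in-memory audit list, and an administrator alert callback; the
threshold values are illustrative.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILURES = 5            # consecutive failures before lockout
LOCKOUT_SECONDS = 900       # time the account stays locked
IDLE_TIMEOUT_SECONDS = 300  # session ends if no traffic for this long


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0         # consecutive failed attempts
    locked_until: float = 0.0 # 0.0 means not locked


class AccessController:
    def __init__(self, alert):
        self.alert = alert                 # callable(message): report to administrators
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, dict] = {}
        self.audit: list[str] = []         # constructed in-memory audit trail

    def add_account(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, source: str, now: float) -> str | None:
        """Return a session token on success, None otherwise (no reason is leaked to the caller)."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\0" * 16)    # spend the same time as a real check
            self.audit.append(f"{now}: unknown user {user!r} from {source}")
            return None
        if acct.locked_until:
            if now < acct.locked_until:
                self.audit.append(f"{now}: attempt on locked account {user} from {source}")
                return None
            acct.locked_until, acct.failures = 0.0, 0   # lockout interval has elapsed
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures += 1
            self.audit.append(f"{now}: failed login {user} from {source} ({acct.failures})")
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                self.alert(f"lockout: {user} locked for {LOCKOUT_SECONDS}s after "
                           f"{acct.failures} failures from {source}")
            return None
        acct.failures = 0
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "source": source, "last": now}
        self.audit.append(f"{now}: session opened for {user} from {source}")
        return token

    def authorize(self, token: str, now: float) -> str | None:
        """Return the session's user if the session is live; end it if it has been idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last"] > IDLE_TIMEOUT_SECONDS:
            self.end_session(token, now, "idle timeout")
            return None
        sess["last"] = now
        return sess["user"]

    def end_session(self, token: str, now: float, reason: str) -> None:
        sess = self.sessions.pop(token, None)
        if sess:
            self.audit.append(f"{now}: session for {sess['user']} ended ({reason})")
```

The clock is passed in rather than read from the system so the lockout and idle-timeout behaviour can be exercised deterministically; every outcome, including attempts during a lockout, goes to the audit trail, while the alert callback fires only on the transition into lockout.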


L2.008 Physical security measures for IoT devices

Risk factor

Unauthorized operation of IoT devices.

Risk impact

・ Cause malfunction due to malware infection by unauthorized physical access to IoT devices.

Overview of the measure

・ Record and monitor physical access by means of surveillance cameras.

・ Restrict physical access by means of locks and entrance/exit controls.

Key aspects of the measure

Provide physical security measures for IoT devices and the areas where the devices are installed. By means of the above, prevent unauthorized access to IoT devices and malware infection.

・ Implement measures such as locking the areas where IoT devices are installed, entrance/exit control, biometric authentication, surveillance cameras, and inspection of belongings and persons.

・ Physically block unneeded network ports, USB ports, and serial ports that give direct access to the IoT device itself.

Examples of measures for each element

Organization

・ Clarify the facilities the staff in charge can enter and exit depending on the role.

・ Provide anti-theft measures (Ex: lock) for important IoT devices.

People

・ Restrict the places the staff in charge can enter and exit depending on the role.

Component

・ Adopt the principle of least functionality by configuring IoT devices to provide only essential capabilities.

Data

(N/A)

Procedure

・ Record and monitor physical access by installing surveillance cameras and obligate the person in charge to accompany outsiders when they enter and exit rooms according to the security operation manual.

・ Design and apply procedures for keeping the work area secure.

System

・ Implement measures such as locking the areas where IoT devices are installed, entrance/exit control, biometric authentication, surveillance cameras, and inspection of belongings and persons.

・ Provide anti-theft measures (Ex: lock) for important IoT devices.


L2.009 Maintaining the availability of IoT devices

Risk factor

Faults and failures of IoT devices.

Risk impact

・ Failures of the functions of IoT devices, communication devices, and communication lines negatively affect operations.

Overview of the measure

・ Secure sufficient systems resources (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack.

・ Ensure periodical backup, quality management, redundancy, and reserve resources.

Key aspects of the measure

Secure sufficient system resources (processing capability, communication bandwidth, storage capacity) so that no service activities are suspended even under a cyber attack such as a denial of service attack. Moreover, maintain availability by ensuring periodic backup, quality management, redundancy, and reserve resources. By these means, even when a failure occurs in an IoT device, communication device, or communication line at the site, the cause can be identified and services restored immediately, preventing security damage from spreading.

・ Select the supplier of the IoT devices and the services with an established support structure and help desk.

・ Carry out periodical systems backup and quality management, prepare standby devices and uninterruptible power supply as well as redundancy and detection of failure, and conduct replacement work, and software updates for the components (IoT devices, communication devices, and circuits, etc.).

・ Secure sufficient resources for the system (processing capability, communication bandwidths, storage capacity) and realize availability so that no service activities will be suspended even in the case of cyber attack such as denial of service attack.

Examples of measures for each element

Organization

・ Select the supplier for IoT devices and services with an established support structure and help desk.

・ Introduce a system development life cycle that considers security in designing, developing, implementing, and modifying the system's functions.

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

(N/A)


System

・ Introduce a system development life cycle that considers security in designing, developing, implementing, and modifying the system's functions.

・ Carry out periodical system backup and quality management, prepare standby devices and uninterruptible power supply as well as redundancy and detection of failure, and conduct replacement work, and software updates for the components (IoT devices, communication devices, and circuits, etc.).

・ Secure sufficient resources for the system (processing capability, communication bandwidths, storage capacity) and realize availability so that no service activities will be suspended even in the case of cyber attack such as denial of service attack.

・ Under cyber attack such as denial of service attack, continue actions in the predefined state. (Ex: Normal operation, abnormal operation, or restoration work)


L2.010 Appropriate disposal of IoT devices

Risk factor

Disposal of IoT devices by an inappropriate procedure.

Risk impact

・ Disposed IoT devices are misused, or used to manufacture counterfeit IoT devices.

Overview of the measure

・ Dispose of IoT devices by an appropriate procedure.

Key aspects of the measure

When disposing of an IoT device, delete (or make unreadable) the information (data) stored in the device and the ID (identifier) uniquely identifying the genuine IoT device as well as important information (private key, digital certificate etc.). By means of the above, prevent the creation of fraud or counterfeited IoT devices.

・ When disposing of IoT devices, specify the procedure for deleting information (data) (or for making it unreadable), and define it in the security rules.

・ Make the data unreadable by irreversible means, not only on displays that can be read by sight or touch but also in storage areas and tamper-resistant devices.

・ Establish a management procedure including a disposal procedure with disposal means specified by the manufacturer.

Examples of measures for each element

Organization

・ When disposing of IoT devices, specify the procedure for deleting information (data) (or for making it unreadable), and define it in the security rules.

- Apply this provision to the information (data) stored inside the device, to the IDs (identifiers) that uniquely identify genuine IoT devices, and to important information (private key, digital certificate).

- Make the data unreadable by irreversible means, not only on displays that can be read by sight or touch but also in storage areas and tamper-resistant devices.

・ Establish a management procedure including a disposal procedure with disposal means specified by the manufacturer.

People

・ Comply with the disposal procedure based on the security rules.

・ Delete important information in IoT devices before starting maintenance work.

・ Delete backup data whose retention period has expired.

・ Delete the work history related to the management and disposal of IoT devices.

Component

(N/A)

Data

(N/A)

Procedure

・ Confirm the work history related to the management and disposal of IoT devices.

・ Delete important information in IoT devices before starting maintenance work.


・ Specify the retention period of backup data and the treatment of the data after the expiry of the retention period (deletion etc.).

System

(N/A)


L2.011 Countermeasures against counterfeit software of IoT devices

Risk factor

Unauthorized operation of IoT devices.

Risk impact

・ Cause malfunction by malware activated during start up process of the IoT devices.

Overview of the measure

・ Introduce IoT devices equipped with a function that verifies the software start-up process is legitimate.

・ Introduce IoT devices equipped with a function that prevents counterfeit software from starting.

Key aspects of the measure

Prevent damage to IoT devices, including malfunction caused by malware infection, by checking the integrity of the software being started and blocking counterfeit software at the start-up of each IoT device.

In addition, the record of the software start-up verification must be checkable from remote locations.

・ Record the results of software integrity verification.

・ Make the results of software integrity verification checkable from remote locations.

Examples of measures for each element

Organization

・ Identify the appropriate supplier of each piece of software and introduce genuine products from that supplier.

・ Identify and approve the supplier in order to confirm the authenticity of the genuine software.

・ Introduce a system development life cycle that considers security risks in designing, developing, implementing, and modifying the software's functions.

People

(N/A)

Component

・ Start only software whose integrity has been verified.

・ Record the results of software integrity verification.

・ Provide a checksum (hash) for verifying software integrity.

・ Make the results of software integrity verification checkable from remote locations.

Data

・ Provide a checksum to verify the integrity of software and setup data.

Procedure

(N/A)

System

・ Introduce a system development life cycle that considers security risks in designing, developing, implementing, and modifying the functions of software.


L2.012 Prevention of IoT devices from being infected with malware

Risk factor

Unauthorized operation of IoT devices.

Risk impact

・ Cause malfunction due to malware infection by unauthorized access to IoT devices.

Overview of the measure

・ Conduct virus check on IoT devices.

Key aspects of the measure

Prevent the IoT devices at the site from being infected with malware by conducting virus check on a regular basis (at the time of start-up process).

・ Check the existence of any virus infection at the time of update for applying security patch or adding software.

・ Check the existence of any virus infection on a regular basis (at the time of start-up process).

・ Control communications between IoT devices, for example by blocking all communications except those on an allow list (whitelist).

Examples of measures for each element

Organization

・ Check the existence of any virus infection at the time of update for applying security patch or adding software.

・ Check the existence of any virus infection on a regular basis (at the time of start-up process).

・ Control communications between IoT devices, for example by blocking all communications except those on an allow list (whitelist).

People

(N/A)

Component

・ Control communications between IoT devices, for example by blocking all communications except those on an allow list (whitelist).

Data

(N/A)

Procedure

・ Check the existence of any virus infection at the time of update for applying security patch or adding software.

・ Check the existence of any virus infection on a regular basis (at the time of start-up).

・ Check the results of the virus check for any infection.

System

・ Introduce antivirus software.


L2.013 Continuous vulnerability countermeasures for IoT devices

Risk factor

Unauthorized operation of IoT devices.

Risk impact

・ Cause malfunction due to malware infection exploiting the vulnerabilities in the IoT devices.

Overview of the measure

・ Update the security patch for IoT devices periodically.

Key aspects of the measure

If IoT devices with known vulnerabilities continue operating, unauthorized log-in and operation by outsiders become likely.

Prevent security incidents and the spread of security damage by taking periodic vulnerability countermeasures for IoT devices.

・ Periodically acquire security patches and apply them to IoT devices as needed.

・ Check the update history of the security patches for IoT devices.

Examples of measures for each element

Organization

・ Establish a structure to periodically check and collect public information on the vulnerabilities of components as needed.

People

(N/A)

Component

・ Introduce IoT devices that allow applying security patches, software updates, and setting changes.

Data

(N/A)

Procedure

・ Periodically acquire security patches and apply them to IoT devices as needed.

・ Check the update history of the security patches for IoT devices.

System

(N/A)


L2.014 Remote update of IoT devices

Risk factor

It takes a long time to address vulnerabilities once they are found in IoT devices (applying security patches).

Risk impact

・ Delayed countermeasures against security incidents cause security damage to spread.

Overview of the measure

・ Take immediate vulnerability countermeasures for IoT devices.

Key aspects of the measure

Implement a mechanism that updates IoT devices (operating system, drivers, applications) all at once through remote operation. By means of the above, vulnerability countermeasures are applied to IoT devices immediately, without leaving them operating in a vulnerable state.

・ Start remote updates once mutual authentication is complete with the remote place.

・ Protect software updates against wiretapping and tampering.

Examples of measures for each element

Organization

・ Establish a structure to periodically check and collect public information on the vulnerabilities of components as needed.

People

(N/A)

Component

・ Implement a mechanism that updates IoT devices (operating system, drivers, applications) all at once through remote operation.

- Ensure the update can resume or restart even if the software update operation is interrupted midway.

Data

・ Protect software update operations against wiretapping and tampering using appropriate encryption and a Message Authentication Code (MAC).

Procedure

・ Start remote updates once mutual authentication is complete with the remote place.

System

・ Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate the connections once nonlocal maintenance is complete.
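The points listed under L2.014 (mutual authentication before the update starts, integrity protection of the update with a MAC, and resumption of an interrupted download) fit together into one update flow. The Python below is an added illustration written for this page, not code from the framework or from any vendor. It assumes a symmetric key shared between device and update server (a constructed value here), uses HMAC-SHA256 as the MAC, and simulates the download in small chunks so an interruption and resume can be seen on a short image; transport encryption is assumed to be provided by the channel and is not shown.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared key: assumed to have been provisioned to the device and the
# update server out of band. Not a value from the framework document.
SHARED_KEY = b"constructed-demo-key-do-not-deploy"
CHUNK_SIZE = 4  # deliberately tiny so the resume behaviour is visible


def _tag(label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a labelled concatenation of the parts."""
    return hmac.new(SHARED_KEY, label + b"|".join(parts), hashlib.sha256).digest()


def mutual_authenticate(device_nonce: bytes, server_nonce: bytes,
                        server_proof: bytes, device_proof: bytes) -> bool:
    """Both ends prove knowledge of SHARED_KEY over both nonces; the distinct
    labels stop one side's proof being replayed as the other side's."""
    ok_server = hmac.compare_digest(server_proof, _tag(b"server", server_nonce, device_nonce))
    ok_device = hmac.compare_digest(device_proof, _tag(b"device", device_nonce, server_nonce))
    return ok_server and ok_device


def build_update(firmware: bytes, version: str) -> dict:
    """Update server: image plus a manifest authenticated by a MAC. The manifest
    binds version, size and image hash; the MAC binds the manifest."""
    manifest = json.dumps({"version": version, "size": len(firmware),
                           "sha256": hashlib.sha256(firmware).hexdigest()},
                          sort_keys=True).encode()
    return {"manifest": manifest, "mac": _tag(b"manifest", manifest).hex(), "image": firmware}


class Device:
    def __init__(self) -> None:
        self.buffer = bytearray()   # partial download, kept across restarts
        self.installed = None

    def download(self, package: dict, stop_after_chunks=None) -> int:
        """Fetch the image in chunks, resuming from the bytes already held.
        Returns the number of bytes held afterwards."""
        size = json.loads(package["manifest"])["size"]
        fetched = 0
        while len(self.buffer) < size:
            if stop_after_chunks is not None and fetched == stop_after_chunks:
                break  # simulated interruption; progress is retained
            start = len(self.buffer)
            chunk = package["image"][start:start + CHUNK_SIZE]
            if not chunk:
                break  # server delivered less than the manifest promised
            self.buffer += chunk
            fetched += 1
        return len(self.buffer)

    def apply(self, package: dict) -> str:
        """Verify the MAC and the image hash before anything is installed."""
        if not hmac.compare_digest(bytes.fromhex(package["mac"]),
                                   _tag(b"manifest", package["manifest"])):
            return "rejected: manifest MAC mismatch"
        manifest = json.loads(package["manifest"])
        if len(self.buffer) != manifest["size"]:
            return "incomplete: resume download"
        if hashlib.sha256(bytes(self.buffer)).hexdigest() != manifest["sha256"]:
            self.buffer.clear()  # tampered or corrupted image: discard and refetch
            return "rejected: image hash mismatch"
        self.installed = manifest["version"]
        self.buffer.clear()
        return "installed " + manifest["version"]


def demo() -> list:
    """Authenticate, interrupt the download, resume, verify and install."""
    dn, sn = secrets.token_bytes(16), secrets.token_bytes(16)
    assert mutual_authenticate(dn, sn, _tag(b"server", sn, dn), _tag(b"device", dn, sn))
    pkg = build_update(b"firmware-v2-bytes", "2.0")  # constructed 17-byte image
    dev = Device()
    return [dev.download(pkg, stop_after_chunks=2), dev.apply(pkg),
            dev.download(pkg), dev.apply(pkg)]
```

The device keeps the partial image across the interruption and only verifies once the full size has arrived; a forged image fails the hash check and a modified manifest fails the MAC check before any byte is installed. A production design would use asymmetric signatures on the manifest so the device holds no secret that could sign updates, but the verification order (authenticate, then check integrity, then install) is the same.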


L2.015 Management of software introduced for IoT devices

Risk factor

Install counterfeit software in the IoT devices.

Risk impact

・ Cause malfunction due to malware infection by counterfeit software installed in the IoT devices.

Overview of the measure

・ Check installed software before introducing an IoT device.

・ Restrict adding software to an IoT device.

Key aspects of the measure

Prevent malfunctions caused by unintended software behavior and the creation of false information (data) by malware-infected IoT devices, by introducing IoT devices equipped with a function that restricts software installation to users holding a special authority.

・ Restrict software using lists of software permitted to be added/deleted/updated on IoT devices (white list) and lists of software for which these actions are prohibited (black list).

・ Restrict the software use and add/delete/update functions by the role of the user.

・ Monitor the addition/deletion/updating actions of software, keep records of the operation history and audit logs according to the security rules, and review regularly.

Examples of measures for each element

Organization

・ Specify the software to be used for each IoT device.

People

・ Restrict the software use and add/delete/update functions by the role of the user.

Component

・ Introduce IoT devices that allow applying software update and change in settings.

Data

(N/A)

Procedure

・ Monitor the addition/deletion/updating actions of software, keep records of the operation history and audit logs according to the security rules, and review regularly.

System

・ Restrict software using lists of software permitted to be added/deleted/updated on IoT devices (white list) and lists of software for which these actions are prohibited (black list).


L2.016 Isolation of the functions of IoT devices

Risk factor

False operations of the system control functions to manage IoT devices.

Risk impact

・ Cause malfunction due to changes in settings and malware infection by unauthorized access to the system control functions.

Overview of the measure

・ Isolate the user functions from the system administrator functions.

Key aspects of the measure

Isolate the user functions from the system administrator functions. By means of the above, prevent unauthorized access to the system control functions and the malware infection that accompanies changes in settings.

・ Isolate the user functions from the system administrator functions.

Examples of measures for each element

Organization

・ Isolate the user functions from the system administrator functions.

People

・ Isolate the user functions from the system administrator functions.

Component

・ Isolate the user functions from the system administrator functions.

Data

(N/A)

Procedure

・ Isolate the user functions from the system administrator functions.

System

(N/A)


L2.017 Isolation of IoT devices in the network

Risk factor

False operations of the system control functions to manage IoT devices.

Risk impact

・ Cause malfunction due to changes in settings and malware infection by unauthorized access to the system control functions.

Overview of the measure

・ Isolate the networks physically or logically.

Key aspects of the measure

Isolate the networks in the organization physically or logically. In addition, use a dedicated channel for data showing the security status (whether communication is encrypted, the status of security measures on IoT devices). By means of the above, IoT devices affected by an incident can be blocked, so that unauthorized access and network overload do not have a large impact on the organization's entire network.

Examples of measures for each element

Organization

・ Isolate the networks physically or logically.

・ Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status, IoT device configuration information).

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

・ The system should be connected only with a specified network (communications partner).

・ Separate the network in an organization from the other networks by a physical or logical method.

・ Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status, IoT device configuration information).


L2.018 Countermeasures against unauthorized access through a wide-area network to IoT devices

Risk factor

False operations of the IoT devices.

Risk impact

・ Cause malfunction due to malware infection by unauthorized access to IoT devices.

Overview of the measure

・ Detect cyber attacks by network monitoring.

・ Introduce firewalls, IDS (intrusion detection system), and IPS (intrusion prevention system).

・ Check for unauthorized connections, determined based on the MAC address of the connection source, the installation site of the IoT devices, and the access time/frequency.

Key aspects of the measure

Install firewalls, IDSs and IPSs and monitor the status at the connection points between the networks in the organization controlling IoT devices and wide-area networks. By means of the above, prevent unauthorized access from wide-area networks and malware infection/cyber attacks.

・ Define the events and conditions for monitoring according to the specifications of the system (protocol, connection destination).

・ Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status and IoT device configuration information).

・ Deny communication by IoT devices as the default setting, except for communication using an authorized protocol.

Examples of measures for each element

Organization

・ Isolate the networks in the organization physically or logically.

・ Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status, IoT device configuration information).

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

・ Define in advance the responses for cases where abnormal communication is found.

- Suspension/continuation of operation of devices etc., nullification/retransmission of data.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

・ Separate the network controlling IoT devices in an organization from wide-area networks.

System

・ Separate the network controlling IoT devices in an organization from wide-area networks.


・ Monitor communication at the connection points between the network controlling IoT devices in an organization and wide-area networks.

・ Deny communication by IoT devices as the default setting, except for communication using an authorized protocol.

・ Define the events and conditions for monitoring according to the specifications of the system (protocol, connection destination).

・ Prepare a channel dedicated to the transmission and reception of security-related information (audit log, operating status, IoT device configuration information).
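The monitoring conditions L2.018 asks for (default deny of unauthorized protocols, and checking connections against the source MAC address, the device's installation site and the access time/frequency) can be expressed as a small rule set run over boundary logs. The Python below is an added example for this page, not part of the framework; the device inventory, the operating hours, the rate limit and the log lines are all constructed, and the log format (timestamp, source MAC, observed site, protocol) is an assumption about what the boundary device exports.

```python
from collections import defaultdict
from datetime import datetime

# Constructed device inventory: source MAC -> registered site and the protocols
# it is authorized to use. Anything not listed is denied by default.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"site": "plant-A", "protocols": {"mqtt"}},
    "aa:bb:cc:00:00:02": {"site": "plant-B", "protocols": {"modbus"}},
}
ALLOWED_HOURS = range(6, 22)   # 06:00-21:59, the constructed operating window
RATE_LIMIT = 3                 # connections per source MAC per minute

# Constructed connection log from the boundary between the IoT network and the
# wide-area network: timestamp, source MAC, site where observed, protocol.
SAMPLE_LOG = """\
2024-01-10T08:00:01 aa:bb:cc:00:00:01 plant-A mqtt
2024-01-10T08:00:05 aa:bb:cc:00:00:01 plant-A telnet
2024-01-10T08:00:07 aa:bb:cc:00:00:09 plant-A mqtt
2024-01-10T08:00:09 aa:bb:cc:00:00:02 plant-A modbus
2024-01-10T03:15:00 aa:bb:cc:00:00:02 plant-B modbus
2024-01-10T08:01:00 aa:bb:cc:00:00:01 plant-A mqtt
2024-01-10T08:01:10 aa:bb:cc:00:00:01 plant-A mqtt
2024-01-10T08:01:20 aa:bb:cc:00:00:01 plant-A mqtt
2024-01-10T08:01:30 aa:bb:cc:00:00:01 plant-A mqtt
"""


def parse(line: str):
    ts, mac, site, proto = line.split()
    return datetime.fromisoformat(ts), mac, site, proto


def evaluate(log_text: str) -> list:
    """Return (timestamp, mac, finding) tuples for every rule violation."""
    findings = []
    per_minute = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mac, site, proto = parse(line)
        device = INVENTORY.get(mac)
        if device is None:
            findings.append((ts, mac, "unknown source MAC"))
            continue
        if proto not in device["protocols"]:
            findings.append((ts, mac, f"protocol {proto} not authorized (default deny)"))
        if site != device["site"]:
            findings.append((ts, mac, f"seen at {site}, registered at {device['site']}"))
        if ts.hour not in ALLOWED_HOURS:
            findings.append((ts, mac, "access outside permitted hours"))
        bucket = (mac, ts.strftime("%Y-%m-%dT%H:%M"))
        per_minute[bucket] += 1
        if per_minute[bucket] == RATE_LIMIT + 1:   # report once per minute bucket
            findings.append((ts, mac, "connection rate exceeds limit"))
    return findings


def findings_only(log_text: str) -> list:
    """Just the finding strings, in log order; handy for alerting pipelines."""
    return [f[2] for f in evaluate(log_text)]
```

Each finding maps onto one of the responses the framework asks to be defined in advance: an unknown MAC or an unauthorized protocol is a candidate for blocking at the boundary, while a site mismatch, off-hours access or a rate spike is reported to the system or security administrators for investigation. Since MAC addresses can be set by software, the inventory check is a detection aid, not an authentication mechanism.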


L2.019 Response to unauthorized wireless connections to IoT devices

Risk factor

False operations of the IoT devices.

Risk impact

・ Cause malfunction due to malware infection by unauthorized access to IoT devices.

Overview of the measure

・ Restrict wireless connection through Bluetooth.

・ Enhance authentication at wireless LAN access points.

Key aspects of the measure

Disable unneeded wireless connection functions (Bluetooth, wireless LAN, etc.), and restrict unidentified wireless connections to IoT devices. In addition, configure authorized connection destinations and data encryption appropriately. By means of the above, prevent unauthorized access to IoT devices, malware infection and malfunctions.

・ When wireless LAN is used, set up the appropriate environment configuration (ESSID, MAC address filtering, enhanced encryption (WPA2, etc.)).

・ Correctly authorize wireless connection destinations (users and IoT devices).

Examples of measures for each element

Organization

・ Define the security rules in the conditions to limit wireless connections and environment configurations in advance.

People

・ Use wireless communication according to the security rules.

Component

・ Disable unneeded wireless connection functions (Bluetooth and wireless LAN).

・ Restrict unidentified wireless connection destinations (Bluetooth and wireless LAN).

・ Encrypt wireless communication routes and transmitted data itself.

・ Correctly authorize wireless connection destinations (users and IoT devices).

Data

(N/A)

Procedure

・ Start communication after authenticating each wireless connection destination (user and IoT devices).

System

・ Use the authentication functions with the wireless communication partner at the access points.


L2.020 Centralized management for IoT devices

Risk factor

It takes a long time to find out the operating status of IoT devices and to detect security incidents.

Risk impact

・ Delayed countermeasures against security incidents cause security damage to spread.

Overview of the measure

・ Introduce a centralized mechanism to manage the status information for IoT devices.

Key aspects of the measure

Conduct centralized information management for operating status of IoT devices, audit log, device settings, and software configuration from a remote location. By means of the above, understand the operating status and detect security incidents promptly.

・ Define in advance the responses for cases where abnormal behavior is detected from a remote location.

・ Start centralized management from a remote location once mutual authentication is complete.

Examples of measures for each element

Organization

・ Conduct centralized information management for operating status of IoT devices, audit log, device settings, and software configuration from a remote location.

・ Define in advance the responses for cases where abnormal behavior is detected from a remote location.

- Suspension/continuation of operation of devices etc., nullification/retransmission of data.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

・ Isolate the network controlling IoT devices in the organization from wide-area networks.

People

(N/A)

Component

・ Introduce a centralized mechanism to manage the status information for IoT devices (audit log, device settings and software configuration) from a remote place.

Data

・ Handle the information (data) on IoT devices according to the security rules.

- Encrypt important information, such as key material used for user and IoT device authentication, before delivering and storing it.

- Provide a checksum to verify the integrity of records including audit log.

Procedure

・ Start centralized management from a remote location once mutual authentication is complete.

System

・ Assign an ID (identifier) that can uniquely identify each user.

・ Assign an ID (identifier) that can uniquely identify each IoT device.
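The Data and System items of L2.020 ask for a checksum that protects the integrity of centrally collected records, and for identifiers that uniquely name each reporting device. One way to meet both is a keyed hash chain: each record carries the device ID, and its checksum covers both the record and the previous checksum, so editing, reordering or deleting an earlier record is detectable. The Python below is an added example for this page, not code from the framework; the key, the device identifiers and the records are constructed.

```python
import hashlib
import hmac
import json

# Constructed key held by the central management server. In the framework's terms
# this is key information that must itself be delivered and stored encrypted.
LOG_KEY = b"constructed-audit-log-key"
GENESIS = "0" * 64   # "previous checksum" of the very first record


def _checksum(prev: str, record: dict) -> str:
    """Keyed checksum over the previous checksum and a canonical record encoding."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_record(chain: list, device_id: str, event: str, **fields) -> dict:
    """Append one status/audit record reported by a uniquely identified device."""
    prev = chain[-1]["checksum"] if chain else GENESIS
    record = {"seq": len(chain), "device_id": device_id, "event": event, **fields}
    entry = {"prev": prev, "record": record, "checksum": _checksum(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> int:
    """Return the index of the first entry that fails verification, or -1 when
    every record is intact, unmodified and in its original order."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["record"]["seq"] != i:
            return i   # link broken: a record was removed or reordered
        if not hmac.compare_digest(_checksum(prev, entry["record"]), entry["checksum"]):
            return i   # record contents changed after it was written
        prev = entry["checksum"]
    return -1


def build_sample_chain() -> list:
    """Constructed records from two devices, as the central manager would collect."""
    chain = []
    append_record(chain, "dev-0001", "heartbeat", fw="1.4.2", status="running")
    append_record(chain, "dev-0002", "config_change", key="poll_interval", value=30)
    append_record(chain, "dev-0001", "patch_applied", fw="1.4.3")
    return chain
```

The chain detects modification, deletion and reordering of anything but the tail; silently dropping the newest records is only caught if the latest checksum is also recorded somewhere the log writer cannot reach (a separate system, or periodically reported to the administrators). Because the checksum is keyed, a device or intruder that can write to the log store but does not hold LOG_KEY cannot forge a consistent replacement chain.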


L2.021 Detection of abnormal behavior of IoT devices

Risk factor

False operations of the IoT devices.

Risk impact

・ Workers are harmed by operations of the IoT devices, or the devices are damaged.

Overview of the measure

・ Detect abnormal behavior by comparing the instructed behavior of the IoT device with its actual behavior, and suspend operation when it is detected.

Key aspects of the measure

Prevent injuries to workers on site and minimize IoT machine failures caused by malfunctioning IoT devices, by implementing a safety-function mechanism that compares the instructed behavior of the IoT devices with their actual behavior and detects abnormal behavior indicating that an IoT device may be operating without authorization.

・ Validate whether the information (data) provided from the cyber space is within the permissible range before operations.

・ Define in advance the responses (suspension, alarm etc.) when determined as out of tolerance range or abnormal.

Examples of measures for each element

Organization

・ Transmit and receive information (data) according to the standard defined in the security rules.

・ Define in advance the responses when a result is determined to be out of the tolerance range or abnormal (outside the permissible range, unmatched expected values).

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

People

(N/A)

Component

・ Validate whether the information (data) provided from the cyber space is within the permissible range before operations.

・ Compare the instructed behavior of the IoT devices with their actual behavior.

Data

(N/A)

Procedure

・ Define in advance the responses when determined as out of tolerance range or abnormal (outside the permissible range, not unmatched expected values).

- Suspend/continue operation of device and nullify/retransmit the data.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

・ Keep IoT devices operating in one of the statuses defined in advance.

- Ex: Normal operation, abnormal operation, or restoration work.

System

(N/A)
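L2.021 describes three pieces that work together: validating that a command received from the cyber space is within the permissible range before acting on it, comparing the instructed behavior with the measured result, and applying predefined responses (continue, alert, suspend) with the device moving between the predefined statuses (normal operation, abnormal operation, restoration). The Python below is an added example for this page, not code from the framework; the actuator limits, the tolerance and the (instructed, actual) samples are constructed, and a real safety function would run on the device or a safety controller rather than in the application.

```python
from dataclasses import dataclass


@dataclass
class Limits:
    """Constructed limits for one actuator (e.g. valve position in percent)."""
    min_cmd: float        # permissible command range for data from the cyber space
    max_cmd: float
    tolerance: float      # largest |instructed - actual| still treated as normal
    max_strikes: int      # consecutive deviations before operation is suspended


class SafetyMonitor:
    """Compares each instruction with the measured result and applies the responses
    defined in advance. Status is one of: normal, abnormal, suspended, restoration."""

    def __init__(self, limits: Limits) -> None:
        self.limits = limits
        self.strikes = 0
        self.state = "normal"

    def command_in_range(self, instructed: float) -> bool:
        """Validate the command before it is acted on."""
        return self.limits.min_cmd <= instructed <= self.limits.max_cmd

    def check(self, instructed: float, actual: float) -> str:
        if self.state == "suspended":
            return "suspended: awaiting restoration"
        if not self.command_in_range(instructed):
            self.state = "abnormal"
            return "reject: command outside permissible range"
        if abs(instructed - actual) > self.limits.tolerance:
            self.strikes += 1
            if self.strikes >= self.limits.max_strikes:
                self.state = "suspended"
                return "suspend: persistent deviation from instruction"
            self.state = "abnormal"
            return "alert: deviation from instruction"
        self.strikes = 0
        self.state = "normal"
        return "continue"

    def restore(self) -> str:
        """Restoration work carried out by an operator once the cause is removed;
        the next in-tolerance check returns the device to normal operation."""
        self.strikes = 0
        self.state = "restoration"
        return self.state


def run_sequence(monitor: SafetyMonitor, samples) -> list:
    """samples: constructed (instructed, actual) pairs in the order they occurred."""
    return [monitor.check(instructed, actual) for instructed, actual in samples]
```

A single deviation raises an alert but lets operation continue, because sensor noise and transport delay produce occasional mismatches; only repeated deviation suspends the device, and leaving the suspended state requires an explicit restoration step rather than another command from the cyber space.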


3.3. [The Third Layer] Security measures for connections in cyber space

L3.001 Selection of reliable service suppliers

Risk factor

Frequent system shutdowns occur, or recovery takes a long time.

Risk impact

・ Business operations are adversely affected because information (data) from IoT devices and servers is not collected and analyzed, and no feedback is returned to them.

Overview of the measure

・ Select the service suppliers that have obtained the certification (ITSMS Certification etc.) by a third-party certification organization.

Key aspects of the measure

Select service suppliers that efficiently and effectively operate and manage services and systems operations. By means of the above, prevent decline in business operation efficiency caused by prolonged service suspension period and recurrence of service suspension.

・ Select suppliers that provide safe products and services whose security has been confirmed through assessments by a third-party organization.

・ Have a third-party organization assess, from a security viewpoint, the requirement definitions and design results produced during the planning/design stage.

・ Clarify the roles and responsibilities of the suppliers when security incidents are detected, so that accountability can be explained.

Examples of measures for each element

Organization

・ Select suppliers that provide safe products and services whose security has been confirmed through assessments by a third-party organization. (Ex: ITSMS Certification (ISO/IEC 20000))

・ Have a third-party organization assess, from a security viewpoint, the requirement definitions and design results produced during the planning/design stage.

・ Clarify the roles and responsibilities of the suppliers when security incidents are detected, so that accountability can be explained.

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

(N/A)


L3.002 Introduction of IoT devices and servers etc. using anti-tampering devices

Risk factor

Browse the information (data) without authorization through the IoT devices and servers.

Risk impact

・ Information (data) leaks when IoT devices and servers, etc. are stolen and their residual information (data) is analyzed.

Overview of the measure

・ Select the IoT devices and servers etc. equipped with anti-tampering devices.

Key aspects of the measure

Prevent leaks of information (data) from stolen servers/IoT devices or from unauthorized browsing of the devices, by using IoT devices and servers etc. equipped with anti-tampering devices.

Examples of measures for each element

Organization

・ Define security rules specifying the information (data) classification and handling standards.

People

(N/A)

Component

・ Use the IoT devices and servers etc. equipped with anti-tampering devices for storing important information (private key, digital certificate, etc.).

Data

・ Encrypt the data stored in the IoT devices and servers equipped with anti-tampering devices.

Procedure

(N/A)

System

(N/A)


L3.003 Countermeasures against illegal log-in to the cyber space

Risk factor

Access information (data) in the cyber space without authorization.

Risk impact

・ Information (data) leaks when an unauthorized user accesses the system and extracts and analyzes the information (data).

Overview of the measure

・ Implement the two-factor authentication function combining two factors of password, biometric authentication, digital certificate, etc.

Key aspects of the measure

Adopt two-factor authentication, combining two factors, for privileged users logging in to the system.

By means of the above, prevent leaks of system information (data) through access to the system by an unauthorized user.

・ Adopt the two-factor authentication method for privileged user authentication.

・ Adopt, as one of the two factors, an authentication method that confirms the identity of the user themselves.

・ Adopt, as the other factor, an authentication method based on an anti-tampering device.

Examples of measures for each element

Organization

・ Grant users the authorization required to control the system.

・ Ensure that relevant persons, especially privileged users, correctly understand their security roles and responsibilities.

・ Define security rules for the initial setting procedure for authentication (passwords, etc.) and for updating those settings.

- Require a minimum password complexity (character types, number of characters) and a minimum number of changed characters when new passwords are created.

- Prohibit password reuse for a specified number of generations.

- Allow temporary password use for system logons with an immediate change to a permanent password.

People

・ Grant users the authorization required to control the system.

- Record the management work performed by the privileged user in a document.

- Define the responses for the case where an unauthorized user is engaged in management work. (Ex: The management administrator should accompany the user and monitor the operations.)

・ Adopt authentication mechanisms with adequate strength for privileged users.

- Adopt two-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

- Adopt replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Component

(N/A)


Data

(N/A)

Procedure

(N/A)

System

・ Adopt, as one of the two factors, an authentication method that confirms the identity of the user themselves (Ex: password matching, biometric identification (by fingerprints), etc.).

・ Adopt, as the other factor, an authentication method based on an anti-tampering device (Ex: contactless card, etc.).

・ Require multifactor authentication to establish nonlocal maintenance sessions via external network connections, and terminate the connections when nonlocal maintenance is complete.

・ Manage access rights separately for privileged user accounts and normal user accounts.
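The password rules listed under Organization in L3.003 (minimum complexity, a minimum number of changed characters, no reuse for a number of generations, and temporary passwords that must be changed at first logon) govern the knowledge factor of the two-factor scheme. The Python below is an added example for this page, not code from the framework; the policy values are constructed, PBKDF2-HMAC-SHA256 is used so the history can be checked without storing plaintext, and the second factor (the anti-tampering device) is out of scope of this block.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Constructed parameters; the framework names the controls, not the values."""
    min_length: int = 12
    min_classes: int = 3       # of: lowercase, uppercase, digit, symbol
    min_changed: int = 4       # characters that must differ from the old password
    history_depth: int = 5     # generations (including current) that may not be reused
    iterations: int = 50_000   # PBKDF2 work factor


class PrivilegedAccount:
    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self.history = []         # (salt, digest) of current and past passwords, newest last
        self.must_change = False  # True while a temporary password is in effect

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.policy.iterations)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, self._hash(password, salt)))
        self.history = self.history[-self.policy.history_depth:]

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(self._hash(password, salt), digest)

    def complexity_ok(self, pw: str) -> bool:
        classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
        return len(pw) >= self.policy.min_length and sum(classes) >= self.policy.min_classes

    @staticmethod
    def changed_chars(old: str, new: str) -> int:
        """Positions that differ plus any length difference."""
        return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

    def issue_temporary(self, temp: str) -> None:
        """Administrator-issued temporary password; logon then forces a change."""
        self._store(temp)
        self.must_change = True

    def login(self, password: str) -> str:
        if not self.history or not self._matches(password, self.history[-1]):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> str:
        if not self.history or not self._matches(old, self.history[-1]):
            return "rejected: current password incorrect"
        if not self.complexity_ok(new):
            return "rejected: complexity"
        if self.changed_chars(old, new) < self.policy.min_changed:
            return "rejected: too few changed characters"
        if any(self._matches(new, entry) for entry in self.history):
            return "rejected: reused within history"
        self._store(new)
        self.must_change = False
        return "ok"
```

The changed-character rule can only be evaluated at change time, when the old password is presented in clear; the history rule works from salted hashes alone, which is why each stored generation keeps its own salt and the candidate is re-derived against every one of them.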


L3.004 Identification of the connection destination in the cyber space

Risk factor

IoT devices and servers receive communication data from a false connection destination while exchanging processed results with the cyber space.

Risk impact

・ Business operations are adversely affected by receiving information (data) from sources in the cyber space other than the originally intended ones.

・ Information (data) leaks when incorrectly configured IoT devices and servers transmit the collected data to recipients in the cyber space other than the originally intended ones.

Overview of the measure

・ Identify the unique connection destination.

Key aspects of the measure

Mutually identify the connection destinations using their IDs (identifiers) when IoT devices and servers receive analysis results from the cyber space, or when IoT devices and servers transmit information (data) to the cyber space. By means of the above, prevent connections with false destinations, the deterioration of business operation efficiency, and leaks of information (data) that result from mixing in incorrect information (data).

・ Give users, IoT devices, servers, etc. their own unique IDs (identifiers).

・ Hold the IDs (identifiers) of appropriate communication partners.

・ Before sending data, identify the communication partner (user, IoT devices and servers, etc.).

・ Define the responses (suspension, alarm) in advance in the case of finding the communication partner to be inappropriate.

Examples of measures for each element

Organization

・ Define the responses (suspension, alarm etc.) in advance in the case of finding the communication partner to be inappropriate.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

・ Isolate the network controlling IoT devices and servers in the organization from wide-area networks.

People

・ Users have their own user IDs (identifiers).

Component

・ IoT devices and servers have their own IDs (identifiers).

・ IoT devices and servers hold the IDs (identifiers) of appropriate communication partners.

Data

(N/A)

Procedure

・ Before sending data, identify the communication partner (user, IoT devices and servers).

・ Define the responses (suspension, alarm etc.) in advance for the case of successive failed log-in authentications.

- Suspend/continue operations of devices, nullify/retransmit the data.


- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

・ Isolate the network controlling IoT devices and servers in the organization from wide-area networks.

System

・ Assign an ID (identifier) that uniquely identifies each user.

・ Assign an ID (identifier) that uniquely identifies each IoT device and server.


L3.005 Authentication of the connection destination in the cyber space

Risk factor

IoT devices and servers receive communication data from a false connection destination in the cyber space while transmitting their processing results.

Risk impact

・ Business operations are adversely affected by receiving information (data) from sources in the cyber space other than the originally intended ones.

・ Information (data) leaks when incorrectly configured IoT devices and servers transmit the collected data to recipients in the cyber space other than the originally intended ones.

Overview of the measure

・ Authenticate the connection destination by means of mutual authentications.

Key aspects of the measure

Authenticate the connection destination by mutual authentication, using for example digital certificates in both directions, when IoT devices and servers receive analysis results from the cyber space, or when IoT devices and servers transmit information (data) to the cyber space. By means of the above, prevent unauthorized access caused by spoofing, deterioration of business operation efficiency due to mixing in incorrect information (data), and leaks of information (data).

・ Conduct mutual authentication before sending data.

・ Define the responses in advance in the case of failed authentications.

Examples of measures for each element

Organization

・ Define the responses in advance in the case of failed authentications.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

People

・ Support user authentication as needed.

Component

・ Conduct mutual authentications before sending data.

Data

(N/A)

Procedure

・ Perform user authentication as needed.

・ Conduct mutual authentication before sending data.

- Conduct mutual authentication after successfully identifying the communication destinations.

- Define the responses in advance in the case of failed authentications.

- Suspend/continue operation of devices as necessary.

- Give alert/report to the system administrators or the security administrators within the scope of system impacts.

System

・ Support user authentication as needed.

・ Conduct mutual authentications before sending data.


L3.006 Physical security measures against unauthorized accesses to IoT devices and servers etc.

Risk factor

Falsely operate the IoT devices and the servers.

Risk impact

・ Leak information (data) through unauthorized physical access to IoT devices and servers.

Overview of the measure

・ Record and monitor physical access by surveillance cameras, etc.

・ Restrict physical access by locks and entrance and exit controls, etc.

Key aspects of the measure

Provide physical security measures for IoT devices and servers as well as the device installed areas. By means of the above, prevent leak of information (data) by preventing unauthorized access to IoT devices and servers.

・ Implement measures such as locking the areas where IoT devices and servers etc. are installed, introducing entrance and exit control, biometric authentication, surveillance cameras, and inspection of belongings and body weight.

・ Physically block unnecessary network ports, USB ports, and serial ports on the IoT devices and servers themselves.

Examples of measures for each element

Organization

・ Clarify the facilities the staff in charge can enter and exit depending on the role.

・ Provide anti-theft measures (Ex: lock) for important IoT devices and servers.

People

・ Restrict the places the staff in charge can enter and exit depending on their role.

Component

(N/A)

Data

(N/A)

Procedure

・ Record and monitor physical access by surveillance cameras, and obligate the person in charge to accompany outsiders when they enter and exit rooms according to the security operation manual.

・ Design and apply procedures for work areas that must be kept properly secured.

System

・ Implement measures such as locking the areas where IoT devices and servers etc. are installed, introducing entrance and exit control, biometric authentication, surveillance cameras, and inspection on belongings and body weight.

・ Provide anti-theft measures (Ex: lock) for important IoT devices and servers.


L3.007 Detection of transmitted and received false information (data) in the cyber space

Risk factor

Transmit and receive false information (data).

Risk impact

・ Information (data) is transmitted and received without authorization due to malware infection or cyber attack.

・ Business operations are adversely affected by receiving information (data) from sources in the cyber space other than the originally intended ones.

Overview of the measure

・ Verify beforehand that the behavior of transmitted and received information (data) is within the permissible range.

Key aspects of the measure

Verify beforehand that the behavior of information (data) transmitted and received among systems, IoT devices and servers in the cyber space is within the permissible range, to prevent adverse effects on business operations.

・ Detect whether the behavior of transmitted and received information (data) is within the permissible range.

・ Define the responses (suspension, alarm, etc.) in advance in the case of failed log-in authentications.

Examples of measures for each element

Organization

・ Transmit and receive information (data) according to the handling standard defined in the security rules.

・ Define the responses in advance in the case of determined abnormality (outside the permissible range, unmatched expected values, etc.).

- Give alert/report to the system administrators or the security administrators with the scope of system impacts.

People

・ Monitor the behavior of IoT devices and servers, and work according to the security rules and security response manual when an abnormality is observed.

- Control and monitor the use of mobile code, detecting malicious mobile code.

Component

・ Verify beforehand that the behavior of information (data) provided from the cyber space is within the permissible range (determined by the result of analysis on the past data).

・ Use IoT devices and servers equipped with functional safety.

Data

(N/A)

Procedure

・ Define the responses in advance in the case of determined abnormality (outside the permissible range, unmatched expected values).

- Suspend/continue operations of devices etc., nullify/retransmit data.

- Give alert/report to the system administrators or the security administrators with the scope of system impacts.

- Separate the network control IoT devices and servers in the organization from wide-area networks.

・ Continue operating IoT devices and servers etc. at the state defined in advance.

- Ex: Normal operation, abnormal operation, or restoration.

System

・ Monitor the behavior of IoT devices and servers.

- Control and monitor the use of mobile code, detecting malicious mobile code.

- Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
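The L3.007 measure asks that the permissible range of received data be derived from analysis of past data, that each received message be checked against that range and against expected values, and that the response to each kind of abnormality be defined in advance. The following is an added illustration of that flow in Python; it is not part of the framework, and the sensor readings, the 3-sigma rule for deriving the range, and the response table are all constructed assumptions of the example.

```python
"""Permissible-range check for data received from the cyber space.

Added example, not part of the framework text. It derives the permissible
range of a sensor value from past data (the framework's "result of analysis
on the past data"), checks each received message against that range and
against the expected sequence value, and maps each verdict to a response
defined in advance (continue, suspend and alert, nullify and retransmit).
"""
import statistics
from typing import Dict, Iterable, List, Tuple

# Constructed historical readings of one temperature sensor (degrees C).
PAST_READINGS = [20.1, 20.4, 19.8, 20.0, 20.6, 20.2, 19.9, 20.3, 20.5, 20.0]

# Responses defined in advance for each verdict (constructed policy table).
RESPONSES = {
    "in_range": "continue",
    "out_of_range": "suspend_and_alert",
    "unexpected_value": "nullify_and_request_retransmit",
}


def derive_permissible_range(past: Iterable[float], k: float = 3.0) -> Tuple[float, float]:
    """Permissible range = mean +/- k population standard deviations of past data.

    The k-sigma rule is an assumption of this example; any method that turns
    analysed past data into a fixed range would serve the same purpose.
    """
    values = list(past)
    mu = statistics.mean(values)
    sigma = statistics.pstdev(values)
    return (mu - k * sigma, mu + k * sigma)


def check_message(msg: Dict, rng: Tuple[float, float], expected_seq: int) -> Tuple[str, str]:
    """Return (verdict, predefined response) for one received message.

    A wrong sequence number is an "unmatched expected value": the data is
    nullified and retransmission requested rather than acted upon.
    """
    if msg["seq"] != expected_seq:
        verdict = "unexpected_value"
    elif not (rng[0] <= msg["value"] <= rng[1]):
        verdict = "out_of_range"
    else:
        verdict = "in_range"
    return verdict, RESPONSES[verdict]


def process_stream(messages: List[Dict], rng: Tuple[float, float]) -> List[Tuple[int, str, str]]:
    """Check a sequence of messages; the expected sequence number advances only
    after a correctly sequenced message (in range or not) has been processed."""
    decisions = []
    expected = messages[0]["seq"] if messages else 0
    for msg in messages:
        verdict, response = check_message(msg, rng, expected)
        decisions.append((msg["seq"], verdict, response))
        if verdict != "unexpected_value":
            expected += 1
    return decisions


if __name__ == "__main__":
    rng = derive_permissible_range(PAST_READINGS)
    # Constructed stream: normal reading, out-of-range spike, then a message
    # whose sequence number does not match the expected value.
    stream = [
        {"seq": 1, "value": 20.3},
        {"seq": 2, "value": 35.0},
        {"seq": 7, "value": 20.0},
        {"seq": 3, "value": 19.9},
    ]
    for decision in process_stream(stream, rng):
        print(decision)
```

The ordering of the checks matters: a message with the wrong sequence number is rejected before its value is trusted, so an out-of-range value in a mis-sequenced message still results in a retransmit request rather than a suspension.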


L3.008 Maintaining the availability of the cyber space

Risk factor

Malfunctions and failures occur in servers, communication devices, and circuits in the cyber space.

Risk impact

・ Affect business operations adversely by suspended functions of servers, communication devices and circuits in the cyber space.

Overview of the measure

・ Secure sufficient resources for the systems (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack.

・ Ensure periodical backups, quality management, redundancy, and spare resources.

Key aspects of the measure

Secure sufficient resources for the systems (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of a cyber attack such as a denial of service attack. Moreover, maintain availability by securing periodical backups, quality management, redundancy, and spare resources. By means of the above, prevent the spread of security damage by immediately identifying the causes and restoring the services even in the case of failures in the servers, communication devices and circuits in the cyber space.

・ Select the supplier for the cyber space, the IoT devices and the services with an established support structure and help desk.

・ Carry out periodical systems backup and quality management, prepare standby devices and uninterruptible power supply as well as redundancy and detection of failure, and conduct replacement work and software updates for the components (servers, communication devices, and circuits).

・ Secure sufficient resources for the systems (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack.

Examples of measures for each element

Organization

・ Select the supplier for the cyber space, the IoT devices and the services with an established support structure and help desk.

・ Introduce a system development life cycle considering security in designing, developing, implementing and repairing the systems functions.

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

(N/A)


System

・ Introduce a system development life cycle considering security in designing, developing, implementing and repairing the systems functions.

・ Carry out periodical systems backup and quality management, prepare standby devices and uninterruptible power supply as well as redundancy and detection of failure, and conduct replacement work and software updates for the components (servers, communication devices, and circuits).

・ Secure sufficient resources for the systems (processing capability, communication bandwidths, storage capacity) so that no service activities will be suspended even in the case of cyber attack such as denial of service attack.

・ Continue operating IoT devices and servers etc. at the state defined in advance. (Ex: Normal operation, abnormal operation, or restoration work)


L3.009 Appropriate disposal of IoT devices and servers etc.

Risk factor

Dispose of IoT devices and servers etc. using an inappropriate procedure.

Risk impact

・ Leak residual information (data) inside the IoT devices and servers through misuse of disposed devices.

Overview of the measure

・ Dispose of IoT devices and servers etc. using an appropriate procedure.

Key aspects of the measure

When disposing of an IoT device or a server, delete (or make unreadable) the stored information (data), the ID (identifier) uniquely identifying the genuine IoT device or server, and important information (private key, digital certificate, etc.). By means of the above, prevent leaking residual information (data) in the IoT devices and servers.

・ Make the data unreadable by non-reproducible means, not only through visual and tactile inspection but also through anti-tampering devices for storage areas.

・ Establish a management procedure including a disposal procedure adopting the methods specified by the manufacturer.

Examples of measures for each element

Organization

・ Specify the procedure and define the security rules of deleting information (data) (or making the data unreadable) when disposing IoT devices and servers.

- Apply the rules to information (data) stored inside, the IDs (identifiers) uniquely identifying genuine IoT devices and servers, and important information (private key, digital certificate).

- Make the data unreadable by non-reproducible means, not only through visual and tactile inspection but also through anti-tampering devices for storage areas.

・ Establish a management procedure including a disposal procedure adopting the methods specified by the manufacturer.

People

・ Comply with the disposal procedure based on the security rules.

・ Delete important information in IoT devices and servers before starting maintenance work.

・ Delete backup data after the retention date has expired.

・ Retain the work history related to the management and disposal of the IoT devices and servers.

Component

(N/A)

Data

(N/A)

Procedure

・ Confirm the work history related to the management and disposal of IoT devices and servers.

・ Delete important information in IoT devices and servers before starting maintenance work.

・ Specify the retention period of backup data and the data treatment after the expiry of the retention period (delete, etc.).


System

(N/A)


L3.010 Continuous vulnerability countermeasures for IoT devices and servers etc.

Risk factor

False operations of the IoT devices and the servers.

Risk impact

・ Leak information (data) by misusing the vulnerabilities in IoT devices and servers.

Overview of the measure

・ Update security patches periodically for IoT devices and servers.

Key aspects of the measure

If IoT devices and servers continue to be used with residual vulnerabilities, they are likely to allow unauthorized log-ins and operations by outsiders.

Prevent security incidents and the spread of security damage by taking periodical vulnerability countermeasures for IoT devices and servers.

・ Acquire security patches periodically and apply them to IoT devices and servers as needed.

・ Check the update history of the security patches for IoT devices and servers.

Examples of measures for each element

Organization

・ Establish a structure that regularly checks and collects public information on vulnerabilities and deals with the related issues.

People

(N/A)

Component

・ Introduce IoT devices and servers allowing for software updates and changes in settings even after applying security patches.

Data

(N/A)

Procedure

・ Acquire security patches periodically and apply them to IoT devices and servers as needed.

・ Check the update history of the security patches for IoT devices and servers.

System

(N/A)


L3.011 Encryption of stored data in the cyber space

Risk factor

Unauthorized access to the information (data) in the cyber space.

Risk impact

・ Leak the stored information (data) by extraction and analysis of the information (data).

Overview of the measure

・ Ensure the confidentiality of stored data.

Key aspects of the measure

Store information (data) in encrypted form. By means of the above, prevent leaking information (data) through unauthorized access.

・ Define the security rules specifying the standards of data classification and handling.

・ When data or backup data (including its checksum) is transferred on a portable storage device or an external medium, encrypt the device or medium with a security key different from the one used for the stored data.

Examples of measures for each element

Organization

・ Define the security rules specifying the standards of data classification and handling.

- Stipulate the rules on data saving (backup) and taking out (use of portable storage devices and external media).

・ Handle the information (data) according to the security rules.

・ Share effectiveness of data protection technologies with appropriate parties.

People

(N/A)

Component

(N/A)

Data

・ Handle the information (data) according to the security rules.

- Encrypt important information, such as the key information used for authenticating users and IoT devices and servers, before exchanging or storing it.

- Provide a checksum to verify the integrity of records including audit log.

- When taking backups, encrypt both the original data and the backup data.

Procedure

・ When data or backup data (including its checksum) is transferred on a portable storage device or an external medium, encrypt the device or medium with a security key different from the one used for the stored data.

System

(N/A)


L3.012 Management of software installation in IoT devices and servers etc.

Risk factor

Install unauthorized software in IoT devices and servers.

Risk impact

・ Cause the leak of information (data) by unauthorized software installed in IoT devices and servers.

Overview of the measure

・ Check the software before installing in the IoT devices and the servers.

・ Restrict the software to be added after installing in the IoT devices and the servers.

Key aspects of the measure

Prevent unintended operations by software, information (data) leaks through malware infection, and the generation of false information (data) by malfunctioning IoT devices or servers, by introducing IoT devices and servers equipped with a function that restricts software installation to those holding a special authorization.

・ Restrict the software according to the lists of permitted software for add/delete/update in IoT devices and servers (white list), and the list of prohibited software (black list).

・ Restrict the use or add/delete/update of software depending on the role of each user.

・ Monitor the addition/deletion/updating functions of software, keep records of the operation history and audit logs according to the security rules, and review regularly.

Examples of measures for each element

Organization

・ Specify the software to be used on each IoT device and server.

People

・ Restrict the use or add/delete/update of software depending on the role of each user.

Component

・ Introduce IoT devices and servers allowing software updates and changes in settings.

Data

(N/A)

Procedure

・ Monitor the addition/deletion/updating functions of software, keep records of the operation history and audit logs according to the security rules, and review regularly.

System

・ Restrict the software according to the lists of permitted software for add/delete/update in IoT devices and servers (white list), and the list of prohibited software (black list).
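L3.012 combines three controls: a list of permitted software (white list) and of prohibited software (black list), a restriction of add/delete/update actions by user role, and an operation history that is reviewed regularly. The following Python gatekeeper is an added example of how those three checks fit together; it is not code from the framework, and the package names, digests, roles and users are constructed for the illustration. It pins each allow-listed package to the SHA-256 digest of its approved build, so a package with the right name but altered contents is still refused.

```python
"""Allow-list / deny-list control of software installation on IoT devices and servers.

Added example, not from the framework. It models the decision an
installation gatekeeper would take: the deny list is checked first, then
whether the user's role permits the action, then (for add/update) whether
the package is on the allow list and its SHA-256 digest matches the approved
build. Every decision is appended to an audit record for later review.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed approved packages; a real allow list would store the digests of
# vendor-released builds rather than the package bytes themselves.
_APPROVED_BUILDS: Dict[str, bytes] = {
    "sensor-agent-2.3": b"constructed sensor-agent 2.3 package bytes",
    "ntp-client-4.2": b"constructed ntp-client 4.2 package bytes",
}
ALLOW_LIST: Dict[str, str] = {name: sha256_hex(b) for name, b in _APPROVED_BUILDS.items()}

# Constructed deny list of software that must never be installed.
DENY_LIST: Set[str] = {"remote-shell-tool", "packet-sniffer"}

# Which install actions each role may perform (constructed role table).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "operator": set(),
    "maintainer": {"update"},
    "administrator": {"add", "delete", "update"},
}


def authorize_install(user: str, role: str, action: str, package: str,
                      package_bytes: Optional[bytes], audit: List[Dict]) -> Tuple[bool, str]:
    """Decide whether `user` may perform `action` on `package`; log the decision."""
    if package in DENY_LIST:
        allowed, reason = False, "package is on the deny list"
    elif action not in ROLE_PERMISSIONS.get(role, set()):
        allowed, reason = False, f"role '{role}' may not {action} software"
    elif action in ("add", "update"):
        approved = ALLOW_LIST.get(package)
        if approved is None:
            allowed, reason = False, "package is not on the allow list"
        elif package_bytes is None or sha256_hex(package_bytes) != approved:
            allowed, reason = False, "package digest does not match the approved build"
        else:
            allowed, reason = True, "allowed"
    else:  # delete: the role check above is sufficient
        allowed, reason = True, "allowed"
    audit.append({"user": user, "role": role, "action": action,
                  "package": package, "allowed": allowed, "reason": reason})
    return allowed, reason


def denied_attempts(audit: List[Dict]) -> Dict[str, int]:
    """Summarize denied requests per user for the regular review of the operation history."""
    counts: Dict[str, int] = {}
    for record in audit:
        if not record["allowed"]:
            counts[record["user"]] = counts.get(record["user"], 0) + 1
    return counts


if __name__ == "__main__":
    log: List[Dict] = []
    print(authorize_install("alice", "administrator", "add", "sensor-agent-2.3",
                            _APPROVED_BUILDS["sensor-agent-2.3"], log))
    print(authorize_install("bob", "operator", "update", "ntp-client-4.2",
                            _APPROVED_BUILDS["ntp-client-4.2"], log))
    print(authorize_install("alice", "administrator", "add", "remote-shell-tool", b"", log))
    print(denied_attempts(log))
```

The deny list is consulted before the role check so that even an administrator cannot install prohibited software, and the audit record captures denied attempts as well as successes, which is what the regular review in the Procedure element needs.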


L3.013 Separate functions in the cyber space

Risk factor

False operations of the system functions managing IoT devices.

Risk impact

・ Leak information (data) through unauthorized access to management functions of the system.

Overview of the measure

・ Separate the functions used by users from those used by system administrators.

Key aspects of the measure

Separate the functions used by users from those used by system administrators. This prevents unauthorized access to the management functions of the system, and thereby prevents information (data) leakage and malware infection associated with changes in settings.

・ Define different accessible functions depending on user’s roles.

Examples of measures for each element

Organization

・ Separate the functions used by users from those used by system administrators.

・ Define different accessible functions depending on user’s roles.

People

・ Separate the functions used by users from those used by system administrators.

Component

・ Separate the functions used by users from those used by system administrators.

Data

(N/A)

Procedure

・ Define different accessible functions depending on user’s role.

System

(N/A)


L3.014 Separation of networks

Risk factor

False operations of the systems functions managing IoT devices.

Risk impact

・ Leak information (data) through unauthorized access to the system.

Overview of the measure

・ Separate networks physically or logically.

Key aspects of the measure

Separate networks physically or logically. In addition, handle data showing the security status (e.g. encrypted/unencrypted and security measures on IoT devices and servers) on a dedicated channel. This prevents unauthorized access and network load from affecting the entire network, and allows IoT devices that have a problem to be blocked in the event of an incident.

・ Separate networks in the organization consisting of IoT devices and servers from the other networks physically or logically.

・ Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers).

Examples of measures for each element

Organization

・ Separate networks in the organization consisting of IoT devices and servers from the other networks physically or logically.

・ Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers).

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

・ Connect the system only to specified networks (communication destinations).

・ Separate networks in the organization consisting of IoT devices and servers from the other networks physically or logically.

・ Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers).


L3.015 Detection of unauthorized access in the cyber space

Risk factor

Unauthorized browsing of the information (data) in the cyber space.

Risk impact

・ Cause leakage of stored information (data) through unauthorized access to the system or IoT devices and servers, and theft and analysis of the information (data) held in those elements.

Overview of the measure

・ Implement audit log for access to the system or IoT devices and servers.

Key aspects of the measure

Record audit logs for access to the system, IoT devices and servers, and review them regularly. This detects abnormalities when the operating status is checked, and thereby prevents unauthorized browsing and leakage of information (data).

・ Include audit log information about access for management, start/stop events and failed identification or authorization.

・ Predefine possible actions to be taken if an abnormality is detected when the operating status is checked by using audit log.

Examples of measures for each element

Organization

・ Record audit logs for access to the system, IoT devices and servers, and review them regularly.

People

(N/A)

Component

(N/A)

Data

・ Keep audit log information, including:

a. Access for management

b. Start/stop events

c. Failed identification or authorization

d. Failed integrity verification on secure communication paths

e. Software updates

f. Diagnosis results (including anti-virus diagnosis and network diagnosis)

Procedure

・ Predefine possible actions to be taken if an abnormality is detected when the operating status is checked by using audit log.

- Shut down/continue to operate devices; disable/resend data.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

- Separate networks in the organization that manage IoT devices and servers from wide area networks.

[Viewpoint of operation check]

a. Existence of unexpected records in the audit log

b. Trend of observed data (existence of abnormal values)

c. Validity of the correlation between operating instructions and observed data

d. Validity of the software component version

e. Validity of the operating system and application configuration files (existence of falsification)

f. Normal operation of the software (no unauthorized software)

g. No fraud in the audit log at the time of start


System

・ Monitor the network to detect security incidents.

・ Encrypt and store audit log.

・ Add a checksum to audit log to verify the integrity.

・ Provide a system capability that compares and synchronizes internal system clocks with an authoritative time source, so that the time stamps generated by all associated internal and external security information systems, including auditing, are consistent.

・ Provide audit record centralization and report generation functions to support on-demand analysis and reporting.
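L3.015 asks for audit logs whose integrity is protected by a checksum and which are reviewed regularly from the listed viewpoints (unexpected records, failed identification or authorization, and so on). The following Python is an added example of both halves, not code from the framework: each record is chained to its predecessor by an HMAC-SHA256 checksum so that altering, removing or reordering a record breaks the chain, and a review pass applies two of the framework's viewpoints to constructed sample events. The event types, sources, key and the threshold of three failed authentications are assumptions of the example.

```python
"""Tamper-evident audit log with a periodic review, as an added example.

Each record carries an HMAC-SHA256 "checksum" over the record body and the
previous record's checksum, so a record cannot be altered, removed or
reordered without breaking the chain. The review step applies a few of the
framework's operation-check viewpoints (unexpected record types, repeated
failed authentication) to constructed sample events.
"""
import hashlib
import hmac
import json
from collections import Counter
from typing import Dict, List

# Record types the framework says an audit log should contain.
EXPECTED_TYPES = {"management_access", "start", "stop", "auth_failure",
                  "integrity_failure", "software_update", "diagnosis"}
FAILED_AUTH_THRESHOLD = 3  # constructed review threshold


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict] = []
        self._prev = "0" * 64  # chain anchor for the first record

    def _checksum(self, prev: str, event: Dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: Dict) -> Dict:
        record = {"event": event, "prev": self._prev,
                  "checksum": self._checksum(self._prev, event)}
        self.records.append(record)
        self._prev = record["checksum"]
        return record

    def verify(self) -> bool:
        """Recompute every checksum; False if any record was altered or the chain was broken."""
        prev = "0" * 64
        for record in self.records:
            if record["prev"] != prev:
                return False
            expected = self._checksum(prev, record["event"])
            if not hmac.compare_digest(expected, record["checksum"]):
                return False
            prev = record["checksum"]
        return True


def review(records: List[Dict]) -> List[str]:
    """Return findings from the audit-log viewpoints a regular review would apply."""
    findings = []
    failures: Counter = Counter()
    for record in records:
        event = record["event"]
        if event["type"] not in EXPECTED_TYPES:
            findings.append(f"unexpected record type '{event['type']}' from {event['source']}")
        if event["type"] == "auth_failure":
            failures[event["source"]] += 1
    for source, count in failures.items():
        if count >= FAILED_AUTH_THRESHOLD:
            findings.append(f"{count} failed authentications from {source}")
    return findings


def build_sample_log(key: bytes = b"constructed-audit-key") -> AuditLog:
    """Constructed sample events: normal operation plus two anomalies."""
    log = AuditLog(key)
    events = [
        {"t": 1, "type": "start", "source": "iot-gw-01"},
        {"t": 2, "type": "management_access", "source": "admin-ws"},
        {"t": 3, "type": "auth_failure", "source": "10.0.0.77"},
        {"t": 4, "type": "auth_failure", "source": "10.0.0.77"},
        {"t": 5, "type": "auth_failure", "source": "10.0.0.77"},
        {"t": 6, "type": "debug_dump", "source": "iot-gw-01"},
        {"t": 7, "type": "software_update", "source": "iot-gw-01"},
    ]
    for event in events:
        log.append(event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for finding in review(log.records):
        print("finding:", finding)
```

Keeping the HMAC key away from the systems that write the log (for example on the central log collector named in the System element) is what makes the checksum useful: a host that can rewrite its own records and recompute their checksums gains nothing from the chain.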


L3.016 Countermeasures against unauthorized access through wide area networks to IoT devices and servers

Risk factor

False operations of the IoT devices and servers.

Risk impact

・ Leak information (data) through unauthorized access to IoT devices and servers.

・ Cause information (data) leak by malware infection or cyber attacks.

Overview of the measure

・ Detect cyber attacks through network monitoring.

・ Introduce firewall, IDS (Intrusion Detection System) and IPS (Intrusion Prevention System).

・ Check for unauthorized connections based on the source MAC address, the location of IoT devices and servers, and the access time/frequency.

Key aspects of the measure

Install a firewall, IDS and IPS to perform network/access monitoring at the contact point between the network in the organization that manages IoT devices and servers and the wide area network. This detects unauthorized access through the wide area network and prevents malware infection or cyber attacks.

・ Separate networks in the organization that manage IoT devices and servers and wide area networks.

・ Monitor communications at the contact point between the network in the organization that manages IoT devices and servers, and the wide area network.

・ Deny communications by default between IoT devices and servers, and allow the specific protocol to be used as the exception.

Examples of measures for each element

Organization

・ Separate networks in the organization consisting of IoT devices and servers and the other networks physically and logically.

・ Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers).

People

(N/A)

Component

(N/A)

Data

(N/A)

Procedure

・ Predefine possible actions to be taken if an abnormal communication is detected.

- Shut down/continue to operate devices; disable/resend data.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

・ Separate networks in the organization that manage IoT devices and servers from the wide area networks.


System

・ Connect the system only to specified networks (communication destinations).

・ Separate networks in the organization that manage IoT devices and servers from the wide area networks.

・ Monitor communications at the contact point between a network in organization that manages IoT devices and servers, and a wide area network.

・ Deny communications by default between IoT devices and servers, and allow the specific protocol to be used as the exception.

・ Define monitored events and monitoring conditions according to the system specifications (including protocols and connection destinations).

・ Prepare a dedicated channel to send/receive security-related information (including audit log, operating status and configuration information of IoT devices and servers).
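L3.016 describes a boundary policy: deny communications by default and allow specific protocols as exceptions, monitor the contact point with the wide area network, and check connections against the source MAC address and the access time and frequency. The following Python policy evaluator is an added example of those rules applied to constructed connection records; it is not code from the framework, and the network ranges, device registry, exception rules, maintenance window and frequency limit are assumptions of the example. A real deployment would express the same policy in the firewall and IDS/IPS configuration rather than in application code, but the evaluation order is the same.

```python
"""Default-deny policy at the boundary between the IoT network and the wide
area network, as an added example (not from the framework). Flows are
allowed only when they match an explicit exception rule; a registered source
MAC address, the access time window of the rule and the access frequency are
checked as well, as the framework's measure suggests.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Flow:
    ts: int          # Unix time of the connection attempt
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Constructed network layout: IoT segment and the server segment it may reach.
IOT_NET = ipaddress.ip_network("10.10.0.0/24")
SERVER_NET = ipaddress.ip_network("10.20.0.0/24")

# Registered devices: source MAC -> IP address it is expected to use (constructed).
KNOWN_DEVICES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "10.10.0.11",
    "aa:bb:cc:00:00:02": "10.10.0.12",
}

# Explicit exceptions; anything not listed here is denied. `hours` restricts
# the rule to a UTC time window (constructed policy).
ALLOW_RULES: List[Dict] = [
    {"src": IOT_NET, "dst": "10.20.0.5", "proto": "tcp", "dport": 8883, "hours": None},      # MQTT over TLS
    {"src": IOT_NET, "dst": "10.20.0.9", "proto": "udp", "dport": 123, "hours": None},       # NTP
    {"src": SERVER_NET, "dst": "10.10.0.11", "proto": "tcp", "dport": 22, "hours": (8, 18)},  # maintenance SSH
]
MAX_CONNECTIONS_PER_MINUTE = 5


class BoundaryMonitor:
    def __init__(self) -> None:
        # Recent connection timestamps per source address, for the frequency check.
        self._recent: Dict[str, Deque[int]] = defaultdict(deque)

    def _matching_rule(self, flow: Flow) -> Optional[Dict]:
        src = ipaddress.ip_address(flow.src_ip)
        for rule in ALLOW_RULES:
            if (src in rule["src"] and flow.dst_ip == rule["dst"]
                    and flow.proto == rule["proto"] and flow.dport == rule["dport"]):
                return rule
        return None

    def _within_frequency(self, flow: Flow) -> bool:
        window = self._recent[flow.src_ip]
        window.append(flow.ts)
        while window and window[0] < flow.ts - 60:
            window.popleft()
        return len(window) <= MAX_CONNECTIONS_PER_MINUTE

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for one connection attempt."""
        src = ipaddress.ip_address(flow.src_ip)
        # Devices on the IoT segment must present a registered MAC/IP pairing.
        if src in IOT_NET and KNOWN_DEVICES.get(flow.src_mac) != flow.src_ip:
            return "deny", "source MAC not registered for this address"
        rule = self._matching_rule(flow)
        if rule is None:
            return "deny", "default deny: no matching exception"
        if rule["hours"] is not None:
            hour = datetime.fromtimestamp(flow.ts, tz=timezone.utc).hour
            if not rule["hours"][0] <= hour < rule["hours"][1]:
                return "deny", "outside permitted access hours"
        if not self._within_frequency(flow):
            return "deny", "connection frequency exceeds limit"
        return "allow", f"matched {flow.proto}/{flow.dport} to {flow.dst_ip}"


if __name__ == "__main__":
    monitor = BoundaryMonitor()
    t = 1_700_036_000  # constructed timestamp, 2023-11-15T08:13:20Z
    print(monitor.evaluate(Flow(t, "aa:bb:cc:00:00:01", "10.10.0.11", "10.20.0.5", "tcp", 8883)))
    print(monitor.evaluate(Flow(t, "aa:bb:cc:00:00:01", "10.10.0.11", "10.20.0.5", "tcp", 80)))
    print(monitor.evaluate(Flow(t, "de:ad:be:ef:00:00", "10.10.0.99", "10.20.0.5", "tcp", 8883)))
```

Every "deny" reason corresponds to one of the monitored events the System element asks to define in advance, so the same evaluator doubles as the source of the alert the Procedure element expects when abnormal communication is detected.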


L3.017 Protection of communications among IoT devices and servers

Risk factor

Intercepted information (data) sent/received among IoT devices and servers.

Risk impact

・ Leak information (data) on a communication path among IoT devices and servers.

Overview of the measure

・ Send information (data) using an encrypted communication path.

Key aspects of the measure

Encrypt information (data) on a communication path using encrypted communication functions (including TLS, DTLS and IPsec) among IoT devices and servers. In addition, prevent falsification by adding a digital signature, Message Authentication Code (MAC), checksum or timestamp.

・ Assign an ID (identifier) to information (data) to be sent.

・ Assign a Message Authentication Code (MAC) to the information (data) and ID (identifier) to be sent.

Examples of measures for each element

Organization

・ Send/receive information (data) according to the handling standards defined by security rules.

・ Predefine possible actions to be taken if an abnormality is detected.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

People

(N/A)

Component

・ Use communication devices that support encrypted communication (including TLS, DTLS and IPsec etc.).

・ Use IoT devices and servers that encrypt information (data) itself.

・ Use IoT devices and servers that support adding a digital signature, Message Authentication Code (MAC), checksum, or timestamp.

Data

・ Encrypt information (data) itself.

・ Assign an ID (identifier) to information (data) to be sent.

Procedure

・ Predefine possible actions to be taken if authentication fails or an error is detected in ID (identifier).

- Shut down/continue to operate devices; disable/resend data.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

- Separate networks in the organization that manage IoT devices and servers and the wide area networks.

System

・ Use encrypted communication.

・ Encrypt information (data) itself.

・ Use a Message Authentication Code (MAC) that has a uniquely-identifiable identifier in a session.


L3.018 Encrypted communication in the cyber space

Risk factor

Intercepted information (data) sent/received in the cyber space.

Risk impact

・ Leak information (data) on a communication path.

Overview of the measure

・ Send/receive information (data) over an encrypted communication path.

Key aspects of the measure

Prevent information (data) leak from interception, by encrypting a communication path using encrypted communication for sending/receiving information (data).

・ Use communication devices that support encrypted communication (including TLS, DTLS and IPsec).

・ Encrypt a communication path after completing the authentication process with the communication destination.

Examples of measures for each element

Organization

・ Send/receive information (data) according to the handling standards defined by security rules.

・ Predefine possible actions to be taken if an abnormality is detected.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

・ Share effective protection technologies with appropriate parties.

People

(N/A)

Component

・ Use communication devices that support encrypted communication (including TLS, DTLS and IPsec).

Data

(N/A)

Procedure

・ Encrypt a communication path after completing authentication of the communication destination.

・ Use a Message Authentication Code (MAC) that has a uniquely-identifiable identifier in a session.

・ Delete the session key used for encrypted communication if the integrity verification of received data fails.

System

・ Use encrypted communication.


L3.019 Encryption of sent/received information (data) in the cyber space

Risk factor

Intercepted information (data) sent/received in the cyber space.

Risk impact

・ Leak information (data) on a communication path.

Overview of the measure

・ Send and receive information (data) with the data itself encrypted.

Key aspects of the measure

Prevent information (data) leak from interception, by encrypting information (data) itself for sending/receiving.

・ Send/receive information (data) according to the handling standards defined by security rules.

・ Use IoT devices and servers that encrypt information (data) itself.

・ Predefine possible actions to be taken if an encryption/decryption error occurs.

Examples of measures for each element

Organization

・ Send/receive information (data) according to the handling standards defined by security rules.

・ Predefine possible actions to be taken if an abnormality is detected.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

・ Share effective protection technologies with appropriate parties.

People

(N/A)

Component

・ Use IoT devices and servers that encrypt information (data) itself.

Data

・ Encrypt information (data) itself.

Procedure

・ Predefine possible actions to be taken if an encryption/decryption error occurs.

- Shut down/continue to operate devices; disable/resend data.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

・ Separate networks in the organization that manage IoT devices and servers and the wide area networks.

System

・ Encrypt information (data) itself.


L3.020 Countermeasures against falsification of sent/received information (data) and the traceability in the cyber space

Risk factor

Falsified information (data) on a communication path.

Risk impact

・ Falsified information (data) to be sent/received.

Overview of the measure

・ Add a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) to be sent/received to detect falsification.

Key aspects of the measure

Protect against falsification and secure the traceability of data by adding a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) upon sending and receiving.

・ Send/receive information (data) according to the handling standards defined by security rules.

・ Add a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) to be sent/received.

・ Predefine possible actions to be taken if an encryption/decryption error occurs.

Examples of measures for each element

Organization

・ Send/receive information (data) according to the handling standards defined by security rules.

・ Predefine possible actions to be taken if an abnormality is detected.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

・ Share effective protection technologies with appropriate parties.

People

(N/A)

Component

・ Use IoT devices and servers that support adding a digital signature, Message Authentication Code (MAC), checksum or timestamp.

Data

・ Add a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) to be sent/received.

Procedure

・ Predefine possible actions to be taken if an encryption/decryption error occurs.

- Shut down/continue to operate devices; disable/resend data.

- Give an alert/make a report to potentially affected systems administrator or security administrator.

・ Separate networks in organization that manage IoT devices and servers etc. from wide area networks.

System

・ Add a digital signature, Message Authentication Code (MAC), checksum or timestamp to information (data) to be sent/received.
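As an added example that is not part of the framework text, the following Python code shows the sender/receiver exchange this measure describes: a sequence number, a timestamp and an HMAC-SHA256 tag are attached to each message, the receiver verifies them, and a falsified or stale message triggers the predefined actions (discard, request resend, alert the administrator). The shared key, the sensor payload and the 30-second freshness window are constructed assumptions; a keyed MAC is used rather than a plain checksum because a checksum can be recomputed by whoever alters the data on the path.

```python
import hashlib
import hmac
import json
import time

# Constructed sample key. In a deployment the key is provisioned per device
# over a secure channel and is never sent along with the data.
SHARED_KEY = b"constructed-sample-key-0123456789"
MAX_AGE_SECONDS = 30.0  # assumed freshness window for the timestamp check


def _canonical(payload, sent_at, seq):
    """Serialize exactly the same bytes on both sides so the MAC matches."""
    body = {"payload": payload, "sent_at": sent_at, "seq": seq}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def tag_message(payload, key, seq, sent_at=None):
    """Sender side: attach a sequence number, a timestamp and an HMAC-SHA256 tag.
    The sequence number and timestamp give traceability of each message."""
    sent_at = time.time() if sent_at is None else sent_at
    tag = hmac.new(key, _canonical(payload, sent_at, seq), hashlib.sha256).hexdigest()
    return {"payload": payload, "sent_at": sent_at, "seq": seq, "mac": tag}


def verify_message(message, key, now=None):
    """Receiver side: returns (ok, reason); reason is 'ok', 'bad_mac' or 'stale'."""
    now = time.time() if now is None else now
    expected = hmac.new(
        key,
        _canonical(message.get("payload"), message.get("sent_at"), message.get("seq")),
        hashlib.sha256,
    ).hexdigest()
    # Constant-time comparison so the tag check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, str(message.get("mac", ""))):
        return False, "bad_mac"
    # The timestamp is only trusted after the MAC over it has been verified.
    if abs(now - float(message["sent_at"])) > MAX_AGE_SECONDS:
        return False, "stale"
    return True, "ok"


def receive(message, key, now=None):
    """Apply the predefined actions of the measure: accept verified data,
    otherwise discard it, request a resend and alert the administrator."""
    ok, reason = verify_message(message, key, now)
    if ok:
        return {"action": "accept", "seq": message["seq"], "payload": message["payload"]}
    return {
        "action": "discard_and_request_resend",
        "seq": message.get("seq"),
        "alert": "integrity check failed (%s); notify security administrator" % reason,
    }


if __name__ == "__main__":
    # Constructed sample: a temperature reading, then the same reading altered on the path.
    msg = tag_message({"sensor": "temp-01", "value": 21.5}, SHARED_KEY, seq=1, sent_at=1000.0)
    print(receive(msg, SHARED_KEY, now=1005.0))
    tampered = dict(msg, payload={"sensor": "temp-01", "value": 99.0})
    print(receive(tampered, SHARED_KEY, now=1005.0))
```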


L3.021 Response to unauthorized wireless connection

Risk factor

Improper operation of IoT devices and servers.

Risk impact

・ Information (data) is leaked through unauthorized access to IoT devices and servers.

Overview of the measure

・ Restrict wireless connection via Bluetooth.

・ Improve authentication procedure at wireless LAN access point.

Key aspects of the measure

Disable unnecessary wireless connection functions (including Bluetooth and wireless LAN) and restrict connections from unspecified destinations on IoT devices, servers, etc. In addition, apply appropriate settings, including authentication of connection destinations and encryption of data. These measures can prevent unauthorized access to IoT devices and servers, information (data) leakage, and malware infection.

・ Configure the wireless LAN environment appropriately (e.g. ESSID, MAC address filtering and a strong encryption scheme such as WPA2).

・ Properly authorize wireless connection destinations (including users and IoT devices and servers).

Examples of measures for each element

Organization

・ Predefine constraint conditions and environmental settings for wireless connection in the security rules.

People

・ Use wireless communications according to the security rules.

Component

・ Disable unnecessary wireless connection functions (including Bluetooth and wireless LAN).

・ Restrict unspecified connection destinations (including Bluetooth and wireless LAN).

・ Encrypt a wireless communication path and encrypt communication data itself.

・ Properly authenticate wireless connection destinations (including users and IoT devices and servers).

Data

(N/A)

Procedure

・ Start communications upon completion of the authentication of wireless connection destinations (including users and IoT devices and servers).

System

・ Use the access point's function for authenticating wireless communication destinations.


L3.022 Data management based on appropriate classification

Risk factor

Data (e.g. personal information, trade secrets, CUI5) cannot be secured at the protection level required by the applicable laws, regulations and agreements.

Risk impact

・ Increased liability for data leaks due to insufficient or inadequate protection and unmanaged data classification, or increased management cost due to excessive data protection, in either case because the data protection levels required by the different laws, regulations and agreements are not correctly met.

Overview of the measure

・ Accurately understand the data protection levels required by laws, regulations and agreements, organize the data classification methods for meeting each requirement, and properly protect data on a classification basis.

Key aspects of the measure

Required data protection levels vary depending on laws, regulations and agreements based on reasons for requiring data protection. Organizations or people who hold data must accurately understand the background of enacted laws and regulations, and reasons for agreements among relevant parties, and manage the data so as to meet the required protection level.

Examples of measures for each element

Organization

・ Establish rules for data classification and method to manage classified data.

- Restrict access to information on system media whose confidentiality must be protected by laws and agreements to authorized users only.

- Screen individuals prior to authorizing access to organizational systems containing information whose confidentiality must be protected by laws and agreements.

- Provide privacy and security notices consistent with applicable laws and agreements.

- Adopt cryptography of adequate strength to protect the confidentiality of information that must be protected by laws and agreements.

- Ensure that organizational systems containing information whose confidentiality must be protected by laws and agreements remain protected during and after personnel actions such as terminations and transfers.

- Ensure that any information whose confidentiality must be protected by laws and agreements is deleted from IoT devices and servers before maintenance jobs start.

- Establish a procedure to sanitize or destroy (render unreadable) system media containing information whose confidentiality must be protected by laws and agreements before disposal or release for reuse, and define it in the security rules.

- Mark media containing information whose confidentiality must be protected by laws and agreements with a warning, or attach a distribution restriction label.

- Prohibit the use of portable storage devices without an identifiable owner.

・ Determine priorities for resource allocation to equipment (hardware and software) in the asset management of configuration items, based on asset type, importance and business value.

People

・ Manage data at the level of protection required for each classification, understanding the necessity of data classification.

5 Controlled Unclassified Information. This refers to critical information that is not classified under US federal law in the categories Top Secret, Secret or Confidential.

・ Ensure that any information whose confidentiality must be protected by laws and agreements is deleted from IoT devices and servers before maintenance jobs start.

Component

(N/A)

Data

・ Encrypt information whose confidentiality must be protected by laws and agreements on mobile devices and mobile computing platforms before exchanging or storing it.

Procedure

(N/A)

System

・ Adopt cryptography of adequate strength to protect the confidentiality of information that must be protected by laws and agreements.

・ Control the posting or processing of information whose confidentiality must be protected by laws and agreements on publicly accessible systems.


L3.023 Management of authorization on appropriate classification

Risk factor

Unauthorized access to the information (data) in the cyber space.

Risk impact

・ Information (data) is leaked when an unauthorized user accesses the system and extracts and analyzes the information (data).

Overview of the measure

・ Limit access to data to authorized users and to processes acting on behalf of authorized users, and also restrict the types of transactions and functions that authorized users are permitted to execute.

・ Limit access to data to authorized IoT devices and servers and to devices acting on behalf of authorized devices, and also restrict the types of transactions and functions that authorized devices are permitted to execute.

Key aspects of the measure

It is necessary not only to authenticate users, IoT devices and servers with adequate strength, but also to grant only the minimum authorization required for access to data (including adding/deleting/updating it) and to assets in cyber space, depending on the role of the user and/or the IoT device or server.

・ Manage access authorization by adopting the principle of least privilege and segregation of duties.

Examples of measures for each element

Organization

・ Clarify, document and enforce the rules on the acceptable use of information and of the assets associated with information and information processing facilities.

・ Restrict the use and addition/deletion/updating of software and data depending on the role of the user and/or IoT devices and servers, and review assigned authorizations regularly.

- Restrict audit management functions to a subset of privileged users.

- Authorize remote execution of privileged commands and remote access to security-related information.

・ Adopt the principle of least privilege for specific security functions and privileged accounts.

People

・ Segregate the duties of individuals to reduce the risk of malicious activities.

・ Use non-privileged accounts or roles when accessing non-security functions.

Component

(N/A)

Data

(N/A)

Procedure

(N/A)

System

・ Restrict the use and addition/deletion/updating of software and data depending on the role of the user and/or IoT devices and servers.
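As an added example that is not part of the framework, the following Python code shows an authorization check in the sense of this measure: each user or device role carries only the minimum permitted operations (including add/delete/update on data), privileged functions such as audit management are reserved for privileged user accounts and never granted to devices, conflicting role pairs enforce segregation of duties, and a review function lists assignments that break these rules. The role names, operations and conflict pairs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed role model: each role lists only the operations it needs.
# Operations are "<action>:<resource>"; actions include add/delete/update.
ROLE_PERMISSIONS = {
    "operator": {"read:telemetry", "update:setpoint"},
    "maintainer": {"read:telemetry", "update:firmware", "delete:telemetry"},
    "auditor": {"read:telemetry", "read:audit_log", "manage:audit"},
    "change_author": {"add:config_change"},
    "change_approver": {"update:config_change"},
    "sensor_device": {"add:telemetry"},  # device role: may add readings, never delete them
}

# Operations restricted to a subset of privileged users (never to devices).
PRIVILEGED_OPERATIONS = {"manage:audit", "update:firmware", "delete:telemetry"}

# Segregation of duties: no principal may hold both roles of a pair.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"change_author", "change_approver"}),
    frozenset({"maintainer", "auditor"}),
}


@dataclass
class Principal:
    name: str
    kind: str                         # "user" or "device"
    roles: set = field(default_factory=set)
    privileged_session: bool = False  # an elevated account/session is in use


def sod_violations(principal):
    """Return the conflicting role pairs this principal holds, if any."""
    held = set(principal.roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLE_PAIRS if pair <= held)


def permitted_operations(principal):
    """Union of the operations granted by the principal's roles (least privilege)."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal.roles))


def is_authorized(principal, operation):
    """Decide whether the principal may execute the operation."""
    if sod_violations(principal):
        return False  # refuse everything until the role assignment is corrected
    if operation not in permitted_operations(principal):
        return False
    if operation in PRIVILEGED_OPERATIONS:
        # Privileged functions need a privileged user account; devices never get them.
        return principal.kind == "user" and principal.privileged_session
    # Non-security functions are used from a non-privileged account/session.
    return not principal.privileged_session


def review_assignments(principals):
    """Regular review of assigned authorizations: list principals whose roles
    break segregation of duties, and devices granted a privileged operation."""
    findings = []
    for p in principals:
        for pair in sod_violations(p):
            findings.append((p.name, "segregation_of_duties", pair))
        if p.kind == "device" and permitted_operations(p) & PRIVILEGED_OPERATIONS:
            findings.append((p.name, "device_with_privileged_operation", None))
    return findings


if __name__ == "__main__":
    # Constructed principals: an operator, a device, and a user holding conflicting roles.
    people = [
        Principal("alice", "user", {"operator"}),
        Principal("temp-01", "device", {"sensor_device"}),
        Principal("bob", "user", {"change_author", "change_approver"}),
    ]
    for p in people:
        print(p.name, is_authorized(p, "update:setpoint"), is_authorized(p, "add:telemetry"))
    print(review_assignments(people))
```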


4. Toward Establishing Trust

4.1. Concept of securing the trust in framework

To ensure the security of a cyber/physical system, security is achieved across the whole value creation process by structuring and maintaining a trustworthy chain, in which security is repeatedly secured (creation of trustworthiness) and confirmed (confirmation of trustworthiness) for each element.

1. Creation of trustworthiness

・ Creation of components/data that satisfy the security requirements

・ Verification that the target components/data have been created with the requirements satisfied

2. Confirmation of trustworthiness

・ Creation and management of a list (trust list) certifying that the target components/data have been properly created

・ Verification of the trustworthiness of the target components/data by referring to the trust list

3. Structuring and maintaining a trustworthy chain

・ Structuring of a trustworthy chain through repeated creation and certification of trust (secured traceability)

・ Detection of/protection against external attacks on the trustworthy chain

・ Improvement of resilience against attacks

Fig. 8 - Illustration of the relationship among Creation of Trustworthiness, Confirmation of Trustworthiness and Structuring and Maintaining of Trustworthy Chain


Appendix A: Reference Document List

Framework for Cyber-Physical Systems [Release 1.0] (NIST Cyber Physical Systems Public Working Group) (A framework that makes comprehensive analysis of cyber-physical systems possible)

https://s3.amazonaws.com/nist-sgcps/cpspwg/files/pwgglobal/CPS_PWG_Framework_for_Cyber_Physical_Systems_Release_1_0Final.pdf

Framework for Improving Critical Infrastructure Cybersecurity [Version 1.1 Draft 2] (NIST) (The U.S. guidelines providing security measures to companies involved in critical infrastructure, divided into 5 Functions, “Identify”, “Protect”, “Detect”, “Respond” and “Recover”, which are further divided into 22 categories. They are also applicable to companies outside critical infrastructure.)

https://www.nist.gov/sites/default/files/documents/2017/12/05/draft-2_framework-v1-1_without-markup.pdf

The Industrial Internet of Things Volume G1: Reference Architecture [Version 1.8] (IIC) (A reference architecture that enables Industrial Internet of Things (IIoT) systems to be designed on the basis of a common framework and concepts.)

http://www.iiconsortium.org/IIC_PUB_G1_V1.80_2017-01-31.pdf

Industrial Internet of Things Volume G4: Security Framework (IIC) (An in-depth cross-industry-focused security framework comprising expert visions, experiences and security best practices.)

http://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

IEC 62443 (IEC) (International standards that define security requirements for general-purpose control systems, consisting of multiple standard groups, including security management standards for control systems, security standards that must be met by control systems, and security standards that must be met by the components composing control systems.)

ISO/IEC 27002:2013 (ISO/IEC) (An international standard that defines specifications for information security management systems, providing best practices for information security management.)

IoT Security Guidelines [ver 1.0] (METI/MIC) (Guidelines clearly specifying the basic security strategies for IoT devices, systems and services required from a security perspective, based on the “security by design” principle and taking IoT-specific characteristics and security measures into consideration.)

http://www.meti.go.jp/press/2016/07/20160705002/20160705002.html

ITSMS Conformity Assessment Scheme (JIPDEC) (A third-party conformity assessment scheme for IT service management, consistent with the international assessment scheme.)

https://isms.jp/isms.html

Draft NISTIR 8200 (NIST) (A report that builds upon “NISTIR 8074”, describes 11 cybersecurity core areas and provides examples of relevant standards as well as IoT cybersecurity objectives, risks and threats, analyzing IoT applications for each of the five IoT technology application areas.)

https://csrc.nist.gov/CSRC/media/Publications/nistir/8200/draft/documents/nistir8200-draft.pdf


NIST SP800-53 [Rev.4] (NIST) (The U.S. guidelines providing security measures to be taken by U.S. federal agencies. The guidelines may have to be applied when providing any cloud service to U.S. federal government agencies.)

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

NIST SP800-161 (NIST) (A publication providing guidance to federal agencies on identifying, assessing, selecting, and implementing risk management processes and mitigating controls throughout their organizations to help manage ICT supply chain risks.)

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf

NIST SP800-171 [Rev.1] (NIST) (The U.S. guidelines providing security measures to be taken to protect CUI6 on non-federal agencies and information systems. The guidelines may have to be applied when entering into U.S. federal government contracts.)

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

Secure cross-company communication (Plattform Industrie 4.0) (A publication that develops a common position on the basic requirements, security challenges and approaches for secure communications in Industrie 4.0 environments, specifically addressing the needs of cross-company value networks.)

https://www.plattform-i40.de/I40/Redaktion/EN/Downloads/Publikation/secure-cross-company-communication.html

Secure Identities (Plattform Industrie 4.0) (A paper providing an overview of security challenges, requirements and approaches for secure identities in Industrie 4.0 environments.)

https://www.plattform-i40.de/I40/Redaktion/EN/Downloads/Publikation/secure-identities.html

Security in RAMI4.0 (Plattform Industrie 4.0) (A publication providing a clear overview of the various security aspects of RAMI4.0 (Reference Architecture Model Industrie 4.0))

http://www.plattform-i40.de/I40/Redaktion/EN/Downloads/Publikation/security-rami40-en.pdf;jsessionid=FF86A6CB8A08538B1325F55506938D36?__blob=publicationFile&v=7

Structure of the Administration Shell (Plattform Industrie 4.0) (A report bundling the technical discussions of the SG “Models and Standards” of the ZVEI with respect to the structure of the “Administration Shell”.)

https://www.plattform-i40.de/I40/Redaktion/EN/Downloads/Publikation/structure-of-the-administration-shell.html

Umsetzungsstrategie Industrie 4.0 (Industry 4.0 Implementation Strategy) (Plattform Industrie 4.0) (A research report summarizing the roadmap and structure of components of Industry 4.0, and functional and safety requirements.)

https://www.jetro.go.jp/ext_images/_Reports/01/c982b4b54247ac1b/20150076.pdf

Cybersecurity Management Guidelines [Ver.2.0] (METI/IPA) (Approaches to specifically implementing the 3 Principles and 10 Important Items of the Cybersecurity Management Guidelines)

http://www.meti.go.jp/policy/netsecurity/mng_guide.html

6 Controlled Unclassified Information. CUI is information that is not classified as Secret, Top Secret or Confidential by the US federal government but nevertheless needs safeguarding.


Cybersecurity Strategy (NISC) (A strategy document to create/develop a “free, fair, and secure cyberspace” and subsequently contribute to “improving socio-economic vitality and sustainable development”, “building a society where people can live safe and secure lives”, and “ensuring peace and stability of the international community and national security”, pursuant to the Basic Act on Cybersecurity.)

http://www.nisc.go.jp/active/kihon/pdf/cs-senryaku.pdf

Cyber Security Management System (CSMS) Conformity Assessment Scheme (JIPDEC) (A third-party certification scheme for cyber security management systems for Industrial Automation and Control Systems (IACS), based on the IEC 62443-2 international standard.)

https://isms.jp/csms.html

Information Security Early Warning Partnership Guideline [2017] (IPA) (A guideline stating the actions recommended to relevant partners in order to reduce the damage caused by unauthorized computer access, computer viruses and so on, by achieving an appropriate flow of vulnerability-related information.)

https://www.ipa.go.jp/security/ciadr/partnership_guide.html

Information Security Management System (ISMS) Conformity Assessment Scheme (JIPDEC) (A third-party certification scheme for information security management systems based on the ISO/IEC 27001 international standard.)

https://isms.jp/isms.html

Common Criteria for Information Technology Security Evaluation [CC Version 3.1 Release 5] (IPA) (Criteria for evaluating whether IT-related products and systems are properly designed and whether the design is appropriately implemented, from the perspective of IT security.)

https://www.ipa.go.jp/security/jisec/cc/index.html

IoT Safety/Security Development Guidelines [Second Edition] (IPA) (Guidelines clearly specifying the possible risks and the measures that IoT product developers should consider in the development phase, assuming that IoT products connect to all sorts of things.)

https://www.ipa.go.jp/sec/reports/20160324.html

JVN (IPA, JPCERT/CC) (The Japan Vulnerability Notes (JVN) portal site, providing vulnerability information and solutions for software products used in Japan.)

https://jvn.jp/

CSIRT Materials (JPCERT/CC) (Guidelines describing the key points to be considered in the concept, establishment and operation phases when establishing a CSIRT to address incidents in an organized manner.)

https://www.jpcert.or.jp/csirt_material/

Business Continuity Guidelines [August 2013] (Cabinet Office, Government of Japan) (Guidelines showing the necessity of business continuity and describing what should be done to create and improve Business Continuity Plans.)

http://www.bousai.go.jp/kyoiku/kigyou/pdf/guideline03.pdf


SECURITY ACTION (IPA) (A scheme instituted by IPA that encourages small and medium-sized companies to declare their intention to work on security measures.)

https://www.ipa.go.jp/security/security-action/

Initiative for Cyber Security Information sharing Partnership of Japan (J-CSIP) (IPA) (Activities initiated for information sharing and fast response among the Critical Manufacturing, Electric Power, Gas, Chemical, Petroleum, Resource Development, Automobile and Credit industries)

https://www.ipa.go.jp/security/J-CSIP/

Related standards such as IEC 61508 were also referred to, although this list is not comprehensive.


Appendix B: Comparison with Major International Standards

Various existing standards and guidelines were referred to in developing this framework. The table below maps the security measures in the cyber/physical security framework to the security controls of the following documents:

・ ISO/IEC 27001:2013

・ NIST: “Framework for Improving Critical Infrastructure Cybersecurity Version 1.0” (CSF V1.0)

・ NIST: “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1” (CSF V1.1)

・ NIST: “Special Publication 800-171” (SP 800-171)

Table 2: Mapping between the cyber/physical security measures and the relevant security controls in international standards and guidelines

Security Measures ID | Documents | Subcategory ID
L1.001 | ISO/IEC 27001:2013 | A.5.1.1, A.7.2.2, A.15.1.3, A.15.2.1, A.15.2.2, A.12.6.1, A.18.2.3, A.16.1.3
L1.001 | CSF V1.0 | DE.CM-1, ID.AM-6, ID.BE-1, ID.BE-2, ID.BE-3, ID.GV-1, ID.GV-2, ID.RA-1, PR.AT-3, RC.CO-1
L1.001 | CSF V1.1 | ID.AM-6, ID.BE-2
L1.001 | SP800-171 | 3.11.2, 3.12.2, 3.14.3, 3.14.6
L1.002 | ISO/IEC 27001:2013 | A.6.1.5, A.6.2.1, A.6.2.2, A.7.1.1, A.7.2.3, A.7.3.1, A.8.1.4, A.8.2.1, A.9.2.6, A.10.1.1, A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.2, A.11.2.3, A.12.1.1, A.12.1.3, A.12.1.4, A.12.6.1, A.13.1.1, A.13.2.1, A.14.1.1, A.14.2.1, A.14.2.5, A.14.2.6, A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2, A.16.1.6, A.18.2.3
L1.002 | CSF V1.0 | DE.CM-3, DE.CM-7, ID.AM-5, ID.BE-4, ID.GV-4, ID.RA-1, ID.RA-3, ID.RA-4, ID.RA-5, ID.RA-6, ID.RM-2, ID.RM-3, PR.AC-2, PR.AC-3, PR.DS-7, PR.IP-2, PR.IP-11
L1.002 | CSF V1.1 | ID.GV-4, ID.RA-3, ID.RA-4, ID.RA-6, ID.RM-2, ID.RM-3, ID.SC-1
L1.002 | SP800-171 | 3.10.1, 3.10.4, 3.11.1, 3.12.4, 3.13.2, 3.13.7, 3.10.6
L1.003 | ISO/IEC 27001:2013 | A.6.1.1, A.6.1.3, A.16.1.1, A.16.1.2
L1.003 | CSF V1.0 | DE.AE-5, DE.DP-1, DE.DP-4, RC.CO-3, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.CO-5
L1.003 | SP800-171 | 3.6.1, 3.6.2
L1.004 | ISO/IEC 27001:2013 | A.6.1.5, A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.13.1.2, A.13.2.2, A.14.1.1, A.14.2.1, A.14.2.5, A.14.2.7, A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.7
L1.004 | CSF V1.0 | DE.CM-6, ID.AM-4, PR.IP-2, PR.MA-1, RS.AN-3, RS.AN-4
L1.004 | CSF V1.1 | ID.SC-1, ID.SC-3, ID.SC-4
L1.004 | SP800-171 | 3.1.20, 3.7.2, 3.13.2, 3.13.7
L1.005 | ISO/IEC 27001:2013 | A.5.1.2, A.6.1.4, A.7.2.2, A.12.6.1, A.14.2.7, A.14.2.8, A.15.2.1, A.16.1.1, A.16.1.3, A.16.1.4, A.16.1.6, A.17.1.3, A.18.1.4, A.18.2.2
L1.005 | CSF V1.0 | DE.AE-2, DE.CM-1, DE.CM-6, DE.CM-8, DE.DP-2, DE.DP-3, DE.DP-5, ID.GV-4, ID.RA-2, ID.RM-1, PR.IP-7, PR.IP-10, PR.IP-12, RC.IM-1, RC.IM-2, RS.IM-1, RS.IM-2, RS.MI-3
L1.005 | CSF V1.1 | ID.GV-4, ID.RA-2, ID.RM-1, ID.SC-5
L1.005 | SP800-171 | 3.2.3, 3.10.3, 3.11.1, 3.11.3, 3.12.1, 3.12.3, 3.14.3, 3.14.6
L1.006 | ISO/IEC 27001:2013 | A.6.1.1, A.7.2.2, A.16.1.5, A.17.1.3
L1.006 | CSF V1.0 | PR.AT-1, PR.AT-2, PR.AT-4, PR.AT-5, PR.IP-10, RS.MI-1
L1.006 | CSF V1.1 | ID.SC-5
L1.006 | SP800-171 | 3.2.1, 3.2.2, 3.6.1, 3.6.3
L1.007 | ISO/IEC 27001:2013 | A.8.1.1, A.8.1.2, A.8.1.3, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.10.1.2, A.11.2.7, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.1, A.12.6.2, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.18.2.3
L1.007 | CSF V1.0 | DE.AE-1, ID.AM-1, ID.AM-2, ID.AM-3, ID.AM-5, ID.RA-1, PR.AC-1, PR.DS-3, PR.IP-3, PR.PT-2
L1.007 | SP800-171 | 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.5.2, 3.8.1, 3.8.5, 3.8.7, 3.8.8
L1.008 | ISO/IEC 27001:2013 | A.12.2.1, A.12.4.1, A.12.4.3, A.16.1.5, A.16.1.6
L1.008 | CSF V1.0 | DE.AE-2, DE.AE-3, DE.AE-4, DE.CM-7, ID.RA-3, RS.AN-1, RS.AN-2, RS.CO-4, RS.MI-1, RS.MI-2, RS.RP-1
L1.008 | CSF V1.1 | ID.RA-3
L1.008 | SP800-171 | 3.3.5
L1.009 | ISO/IEC 27001:2013 | A.11.1.4, A.16.1.1, A.16.1.5, A.16.1.6, A.17.1.1, A.17.1.2, A.17.2.1
L1.009 | CSF V1.0 | ID.BE-5, ID.RA-4, PR.IP-9, RC.CO-2, RC.IM-1, RC.IM-2, RC.RP-1, RS.IM-1, RS.IM-2
L1.009 | CSF V1.1 | ID.BE-5, ID.RA-4
L1.010 | ISO/IEC 27001:2013 | A.18.1.1, A.18.1.2, A.18.1.5
L1.010 | CSF V1.0 | ID.GV-3
L1.011 | ISO/IEC 27001:2013 | A.18.1.3
L1.012 | ISO/IEC 27001:2013 | A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
L1.012 | CSF V1.0 | PR.DS-1, PR.DS-5
L1.013 | ISO/IEC 27001:2013 | A.6.1.4, A.16.1.2
L1.013 | CSF V1.0 | ID.RA-2, RS.CO-5
L2.001 | ISO/IEC 27001:2013 | A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5, A.14.2.6, A.14.2.9, A.14.3.1
L2.001 | CSF V1.0 | PR.IP-2
L2.001 | SP800-171 | 3.13.2
L2.002 | ISO/IEC 27001:2013 | A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5, A.14.2.6
L2.002 | CSF V1.0 | PR.IP-2
L2.002 | SP800-171 | 3.13.2
L2.003 | ISO/IEC 27001:2013 | A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5, A.14.2.6
L2.003 | CSF V1.0 | PR.IP-2
L2.003 | SP800-171 | 3.13.2
L2.004 | ISO/IEC 27001:2013 | A.6.1.5, A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.14.2.6
L2.004 | CSF V1.0 | PR.AC-1, PR.IP-2
L2.004 | SP800-171 | 3.5.1
L2.005 | ISO/IEC 27001:2013 | A.9.1.2, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
L2.005 | CSF V1.0 | PR.IP-1, PR.PT-3
L2.005 | SP800-171 | 3.4.6, 3.5.7, 3.5.8, 3.5.9
L2.006 | ISO/IEC 27001:2013 | A.9.2.2, A.11.2.8
L2.006 | SP800-171 | 3.1.1, 3.1.10, 3.1.11, 3.5.2, 3.13.9, 3.13.12, 3.14.1, 3.14.7
L2.007 | CSF V1.0 | DE.CM-3, DE.CM-7
L2.007 | SP800-171 | 3.1.8, 3.7.6
L2.008 | ISO/IEC 27001:2013 | A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.2, A.11.2.3, A.11.2.8
L2.008 | CSF V1.0 | DE.CM-2, DE.CM-3, PR.AC-2, PR.IP-5, PR.PT-3
L2.008 | SP800-171 | 3.10.2, 3.10.3, 3.10.5
L2.009 | ISO/IEC 27001:2013 | A.6.1.5, A.11.1.4, A.14.1.1, A.14.2.1, A.14.2.5, A.14.2.6, A.15.2.1, A.15.2.2, A.17.1.1, A.17.1.2, A.17.1.3, A.17.2.1, A.18.1.3
L2.009 | CSF V1.0 | PR.DS-4, PR.IP-2, PR.IP-4
L2.009 | CSF V1.1 | ID.BE-5, ID.SC-2
L2.010 | ISO/IEC 27001:2013 | A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
L2.010 | CSF V1.0 | PR.IP-6
L2.010 | SP800-171 | 3.7.3
L2.011 | ISO/IEC 27001:2013 | A.6.1.5, A.12.2.1, A.12.5.1, A.14.1.1, A.14.1.2, A.14.1.3, A.14.2.1, A.14.2.5, A.14.2.6
L2.011 | CSF V1.0 | PR.DS-6, PR.IP-2
L2.012 | ISO/IEC 27001:2013 | A.12.2.1
L2.012 | SP800-171 | 3.7.4, 3.14.5
L2.013 | ISO/IEC 27001:2013 | A.6.1.4
L2.013 | CSF V1.0 | ID.RA-2
L2.014 | ISO/IEC 27001:2013 | A.6.1.4, A.11.2.4, A.12.6.1, A.15.1.1, A.15.2.1, A.16.1.3
L2.014 | CSF V1.0 | DE.CM-8, ID.RA-2, PR.MA-2
L2.014 | CSF V1.1 | ID.RA-2
L2.014 | SP800-171 | 3.7.5, 3.13.15
L2.015 | CSF V1.0 | DE.CM-7, PR.PT-1
L2.015 | SP800-171 | 3.1.2, 3.3.1, 3.4.8, 3.4.9
L2.016 | SP800-171 | 3.13.3
L2.017 | ISO/IEC 27001:2013 | A.12.4.2, A.13.1.1, A.13.1.3, A.13.2.1
L2.017 | CSF V1.0 | PR.AC-5, PR.PT-4
L2.018 | ISO/IEC 27001:2013 | A.12.4.2, A.13.1.1, A.13.1.3, A.13.2.1
L2.018 | CSF V1.0 | DE.CM-1, DE.CM-7, PR.AC-5, PR.PT-4
L2.018 | SP800-171 | 3.1.12, 3.14.1, 3.14.2, 3.14.3, 3.14.6
L2.019 | ISO/IEC 27001:2013 | A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
L2.019 | CSF V1.0 | PR.DS-2
L2.019 | SP800-171 | 3.1.14, 3.1.16, 3.1.17, 3.1.18
L2.020 | ISO/IEC 27001:2013 | A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.12.1.2, A.12.2.1, A.12.4.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4
L2.020 | CSF V1.0 | PR.AC-1, PR.AC-5, PR.DS-6, PR.IP-1, PR.PT-4
L2.020 | SP800-171 | 3.1.12, 3.3.2, 3.3.8, 3.5.1, 3.5.10, 3.5.11, 3.5.5, 3.8.1, 3.8.6, 3.13.10, 3.13.8, 3.14.1
L2.021 | ISO/IEC 27001:2013 | A.16.1.2, A.16.1.5
L2.021 | SP800-171 | 3.10.6, 3.13.4, 3.14.1
L3.001 | ISO/IEC 27001:2013 | A.6.1.1, A.15.2.1, A.15.2.2
L3.001 | CSF V1.0 | DE.DP-1
L3.001 | CSF V1.1 | ID.SC-2
L3.002 | ISO/IEC 27001:2013 | A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
L3.002 | CSF V1.0 | PR.DS-1, PR.DS-5
L3.002 | SP800-171 | 3.8.1
L3.003 | ISO/IEC 27001:2013 | A.9.1.2, A.9.2.2
L3.003 | SP800-171 | 3.1.7, 3.5.3, 3.5.4, 3.7.6
L3.004 | ISO/IEC 27001:2013 | A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.13.1.1, A.13.1.3, A.13.2.1
L3.004 | CSF V1.0 | PR.AC-1, PR.AC-5, PR.PT-4
L3.004 | SP800-171 | 3.1.12, 3.3.2, 3.14.1
L3.005 | ISO/IEC 27001:2013 | A.9.1.2, A.9.2.2, A.16.1.2
L3.005 | SP800-171 | 3.13.15, 3.14.1
L3.006 | ISO/IEC 27001:2013 | A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.2, A.11.2.3
L3.006 | CSF V1.0 | DE.CM-2, DE.CM-3, PR.AC-2, PR.IP-5
L3.006 | SP800-171 | 3.4.7, 3.10.2, 3.10.3, 3.10.5
L3.007 | ISO/IEC 27001:2013 | A.12.2.1, A.12.5.1, A.13.1.1, A.13.1.3, A.13.2.1
L3.007 | CSF V1.0 | DE.CM-4, DE.CM-5, PR.AC-5, PR.PT-4
L3.007 | SP800-171 | 3.1.3, 3.5.6, 3.13.4, 3.13.13
L3.008 | ISO/IEC 27001:2013 | A.6.1.5, A.11.1.4, A.12.3.1, A.14.1.1, A.14.2.1, A.14.2.5, A.14.2.6, A.17.1.1, A.17.1.2, A.17.1.3, A.17.2.1, A.18.1.3
L3.008 | CSF V1.0 | PR.IP-2, PR.IP-4
L3.008 | CSF V1.1 | ID.BE-5
L3.008 | SP800-171 | 3.13.14
L3.009 | ISO/IEC 27001:2013 | A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
L3.009 | CSF V1.0 | PR.IP-6
L3.010 | ISO/IEC 27001:2013 | A.6.1.4, A.12.6.1, A.16.1.3
L3.010 | CSF V1.0 | DE.CM-8, ID.RA-2
L3.010 | CSF V1.1 | ID.RA-2
L3.010 | SP800-171 | 3.14.4
L3.011 | ISO/IEC 27001:2013 | A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.12.4.2, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.6
L3.011 | CSF V1.0 | PR.DS-1, PR.DS-5, PR.IP-8
L3.011 | SP800-171 | 3.1.21, 3.8.6, 3.8.9, 3.10.4, 3.13.8, 3.13.10, 3.13.16
L3.012 | CSF V1.0 | PR.PT-1
L3.012 | SP800-171 | 3.1.2, 3.3.1, 3.4.7, 3.4.8, 3.4.9
L3.014 | ISO/IEC 27001:2013 | A.13.1.1, A.13.1.3, A.13.2.1
L3.014 | CSF V1.0 | PR.AC-5, PR.PT-4
L3.014 | SP800-171 | 3.13.5
L3.015 | ISO/IEC 27001:2013 | A.11.1.2, A.11.2.4, A.11.2.5, A.12.4.4, A.13.1.1, A.13.1.3, A.13.2.1, A.15.1.1, A.15.2.1
L3.015 | CSF V1.0 | DE.CM-1, PR.AC-5, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-4
L3.015 | SP800-171 | 3.3.1, 3.3.3, 3.3.4, 3.3.6, 3.3.7
L3.016 | ISO/IEC 27001:2013 | A.13.1.1, A.13.1.3, A.13.2.1
L3.016 | CSF V1.0 | DE.CM-1, DE.CM-7, PR.AC-5, PR.PT-4
L3.016 | SP800-171 | 3.13.1, 3.13.6, 3.14.1, 3.14.2
L3.017 | ISO/IEC 27001:2013 | A.8.2.3, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
L3.017 | CSF V1.0 | PR.AC-5, PR.DS-2, PR.PT-4
L3.017 | SP800-171 | 3.1.3, 3.1.13, 3.5.1, 3.5.5, 3.13.4, 3.13.15
L3.018 | ISO/IEC 27001:2013 | A.16.1.6
L3.018 | CSF V1.0 | PR.IP-8
L3.018 | SP800-171 | 3.1.3, 3.1.13, 3.13.4
L3.019 | ISO/IEC 27001:2013 | A.13.1.1, A.13.1.3, A.13.2.1, A.16.1.6
L3.019 | CSF V1.0 | PR.AC-5, PR.PT-4
L3.019 | SP800-171 | 3.5.10, 3.5.11, 3.13.4, 3.14.1
L3.020 | ISO/IEC 27001:2013 | A.16.1.6
L3.020 | CSF V1.0 | PR.IP-8
L3.020 | SP800-171 | 3.13.15, 3.14.1, 3.13.4
L3.021 | SP800-171 | 3.5.10, 3.5.11
L3.022 | ISO/IEC 27001:2013 | A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
L3.022 | CSF V1.0 | ID.GV-3, PR.DS-1, PR.DS-5
L3.022 | SP800-171 | 3.1.9, 3.1.19, 3.1.22, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.1, 3.9.2, 3.13.11
L3.023 | ISO/IEC 27001:2013 | A.6.1.2, A.8.1.3, A.9.1.2, A.9.2.3, A.9.2.5, A.9.4.1, A.9.4.4
L3.023 | CSF V1.0 | PR.AC-4
L3.023 | SP800-171 | 3.1.4, 3.1.5, 3.1.6, 3.1.15, 3.3.9


Appendix C: Glossary

(1) Anti-tampering devices Devices whose internal structure and stored data are difficult to break into and analyze.

(2) Audit Systematic, independent and documented process of collecting and objectively evaluating evidence in order to determine whether the cyber security measures have been properly implemented in an organization. The method varies as follows: internal audit (by the first party), external audit (by a second or third party), or combined audit (in which more than one domain is audited in combination).

(3) Authentication Process of verifying validity.

(4) Availability One of the properties used to assess computer systems. It is the condition in which those who are authorized can access the information and related assets without interruption when needed.

(5) Biometric authentication Authentication method which identifies a person by physical characteristics such as fingerprint patterns, hand vein patterns, iris patterns or voiceprints.

(6) Checksum One of the error-detecting codes. The data string is treated as a sequence of integer values; these are summed and divided by a specified value, and the remainder is used as the check data.

(7) Chief Security Officer Person who holds the highest responsibility for the operation and control of the security management systems in an organization.

(8) Common Criteria Framework to evaluate whether products and systems related to information technology are appropriately designed and properly implemented in terms of security. These criteria are defined in the international standard ISO/IEC 15408.

(9) Confidentiality One of the properties used to assess computer systems. State in which only authorized users can access the systems, in order to prevent information leaks.

(10) CPS: Cyber-Physical System Data-sharing mechanism which creates value in physical society. By transcribing physical society into cyber space, anyone can gain new awareness and discoveries, utilizing modeled know-how, knowledge or experience while freely combining information (or data).


(11) CSMS (Cyber Security Management System) Cyber security management system designed for industrial automation and control systems. The requirements are defined in the international standard IEC 62443-2-1.

(12) Cyber attack Intrusion by a malicious attacker into a computer system or network with the intention of stealing or destroying its data or running a malicious program.

(13) Cyber security Preventing the leak or falsification of electronic data, and preventing IT or control systems from deviating from their expected behavior.

(14) Cyber space Virtual space existing in computer systems or networks. It can generate value by utilizing digitalized data.

(15) Digital certificate Data, issued by a certification authority (CA), which certifies that a public key used for verifying digital signatures is authentic.

(16) EDSA (Embedded Device Security Assurance) certification Certification scheme for the security assurance of control devices. The requirements are defined in the international standard IEC 62443-4-2.

(17) Firewall Software, devices or systems installed at the border between a certain computer/network and an external network, in order to protect the internal network from external attack by relaying and monitoring the internal/external communication.

(18) Function safety State in which risks are reduced and an acceptable security level is maintained through security functions and measures.

(19) Hash value Value of fixed length, without apparent regularity, calculated from the original data through specific steps.

(20) Identifier Name, symbol or number that specifies one object among a variety of objects.

(21) IDS (Intrusion Detection System) System which monitors the external communication conducted by a server or network and alerts its administrators via e-mail when it detects unauthorized access (such as an attack or intrusion attempt).

(22) Integrity One of the properties used to assess computer systems. It is the state in which the information is not destroyed, falsified or deleted.


(23) IoT devices Devices that operate while connected to the Internet. They link physical and cyber spaces.

(24) IPS (Intrusion Prevention System) System which monitors the external communication conducted by a server or network and prevents attacks by detecting unauthorized access (such as an attack or intrusion attempt).

(25) ISMS (Information Security Management System) Framework for operating a system by determining the required security level, establishing a plan and allocating resources based on the organization's own risk assessment, in order to manage the organization. The requirements are defined in the international standard ISO/IEC 27001.

(26) ITSMS (IT Service Management System) Framework designed for IT service providers to maintain or improve their service quality by managing their services based on the PDCA cycle. The requirements to fulfill are defined in the international standard ISO/IEC 20000.

(27) Malware Generic term for malicious programs such as viruses, spyware or bots which can cause security damage. These programs intrude into computers without the owner's knowledge (or against the intentions of users/administrators) in order to execute malicious code.

(28) Message authentication Verification method to make sure that data transmitted via a network has not been falsified. The short piece of data added to the transmitted data in order to authenticate the message is called a "Message Authentication Code (MAC)".
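As an added example (not part of the framework document) tying together glossary entries (6) Checksum, (19) Hash value and (28) Message authentication, the following Python compares what each check actually detects; the modulus, the shared key and the sample messages are constructed for the illustration.

```python
import hashlib
import hmac

# Added example, not from the framework document. It contrasts the mod-N
# checksum of glossary entry (6) with a hash value (19) and a MAC (28).
CHECKSUM_MODULUS = 256  # constructed choice for the "specified value"

def checksum(data: bytes, modulus: int = CHECKSUM_MODULUS) -> int:
    """Treat the data as integer byte values, sum them, keep the remainder."""
    return sum(data) % modulus

def hash_value(data: bytes) -> str:
    """Fixed-length value derived from the data; anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()

def hash_check(data: bytes, shipped_hash: str) -> bool:
    """The receiver's integrity check when only a hash travels with the data."""
    return hash_value(data) == shipped_hash

def mac(key: bytes, data: bytes) -> str:
    """Message Authentication Code (HMAC-SHA256); producing it needs the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def mac_verify(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(mac(key, data), tag)

def compare_integrity_checks(key: bytes) -> dict:
    """Which check notices each kind of change? Returns a name -> bool map."""
    original = b"valve=open;setpoint=120"   # constructed sample message
    truncated = b"valve=open;setpoint=12"   # accidental loss of a byte
    reordered = b"valve=open;setpoint=210"  # same bytes, different order
    tag = mac(key, original)
    return {
        # byte loss changes the byte sum, so the checksum catches it
        "checksum_catches_truncation": checksum(original) != checksum(truncated),
        # reordering keeps the sum, so the checksum accepts a changed message
        "checksum_catches_reorder": checksum(original) != checksum(reordered),
        # a hash reflects every byte, so reordering changes it
        "hash_catches_reorder": hash_value(original) != hash_value(reordered),
        # but a hash sent with the data can be recomputed for the changed data
        "refreshed_hash_accepted": hash_check(reordered, hash_value(reordered)),
        # the tag made for the original does not verify on the changed data
        "mac_rejects_reorder": not mac_verify(key, reordered, tag),
        # and a tag made without the right key does not verify either
        "mac_rejects_wrong_key_tag": not mac_verify(key, reordered, mac(b"", reordered)),
    }
```

The point for the framework's integrity measures: a checksum detects accidental corruption, a bare hash detects any change but can be refreshed by whoever changed the data, and only the keyed MAC ties the check to a party holding the key.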

(29) Mutual authentication One of the authentication methods, in which two parties authenticate each other.

(30) OECD's eight core principles Eight principles described in the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data", adopted by the OECD (Organisation for Economic Co-operation and Development) Council.

(31) PDCA Abbreviation of Plan-Do-Check-Act. One of the well-known methods for quality improvement and environmental management, which continually aims to improve business operations by repeating the following steps:
1. Plan: Sort out the problems, set a goal and make a plan to accomplish the goal.
2. Do: Perform the actual operations based on the goal and plan established in the previous step.
3. Check: Check and evaluate whether the operations have been performed in accordance with the plan while accomplishing the original goal.
4. Act: Improve the operations based on the evaluation results.

(32) Private key Secret key in the public-private key cryptosystem, in which a pair of different keys is used for encryption and decryption. The private key is the one not released to the public.


(33) Protocol Predetermined set of rules and steps that allow two or more parties to smoothly exchange signals, data and information with one another.

(34) Public key Key publicly released in the public-private key cryptosystem, in which a pair of different keys (public and private) is used for encryption and decryption.

(35) Redundancy Deploying spare devices in case of trouble such as failures or malfunctions of computers or systems.

(36) Risk Defined as the "effect of uncertainty on objectives" in the international standard ISO/IEC 27000.

(37) Security by design Introducing measures to ensure security at the planning and design stages of a device or system.

(38) Security incident Event in which a security risk is found or has actually materialized in the cyber security domain.

(39) Security measure organization Structure which continuously collects and analyzes vulnerability information from inside or outside an organization in order to determine the appropriate scope and priority of measures against the security incidents to be monitored.

(40) Security operation manual Document which specifies in advance the prompt preventive measures to be taken against security incidents that are detected.

(41) Security policy Rules that specify the roles, responsibilities and information-sharing methods among an organization and the relevant parties.

(42) Security risk Possibility of some effect on the management of the organization caused by security-related malfunctions.

(43) Security rule Document that defines the details of the measures against possible security risks, clarifying the scope and priority of each.

(44) Supplier Partner or party who provides the devices, materials, components, raw materials and services required for an organization's business.


(45) Time stamp Time information attached to electronic data as an attribute. It is used as a record of the date and time when the data was created, last updated or last accessed.

(46) Two-factor authentication Authentication method in which two different types of information are combined. Two of the following are combined: information known by the person, something owned by the person, or physical characteristics possessed by the person. It achieves a higher security level than authentication methods using a single factor.

(47) Vulnerability Weakness of systems or IoT devices which can turn into a security incident when abused by an attacker.