PPP (Public-Private Partnership)-Based Cyber Resilience Enhancement Efforts for National Critical Infrastructures Protection in Japan

Abstract

Emerging vulnerability of the national critical infrastructures (CIs) against to the cyber risk including cyberattacks and unintentional large-scale information system or network failures have increased frequency and the scale of socioeconomic impacts to our society. As dependencies among critical infrastructures have increased rapidly, the impact of a single cyber incident at a certain critical infrastructure tends to spread very quickly and widely to external systems and networks in other critical infrastructures or areas through widely connected networks. Considering the situation, PPP (Public-Private Partnership) efforts between critical infrastructure service providers and responsible governmental agencies have become very important to protect critical infrastructures from cyber risks. Based on this recognition, PPP-based cybersecurity exercises for critical infrastructure protection (CIP) have been executed for the last decade in Japan. This paper summarizes the over 10 years joint efforts of the Japanese government and critical infrastructure service providers and discusses the lessons learned and challenges to be shared with other countries to collaborate in the cybersecurity field.

1 Background of the Critical Infrastructure Protection (CIP) in Japan

In the last few decades, remarkable developments in ICT (Information and Communication Technology) and OT (Operational Technology) have been promoted and a variety of hardware, software or networks have been implemented to the operations and controls of the national critical infrastructure (CI) services. In addition to this trend, many CI service providers have been aggressive in introducing outsourcing, multi-platform technologies, open-architecture design, cloud computing, big data analysis, or IoT (Internet of Things) to achieve more effective and flexible operations with less costs and more efficiency. As a result, our society is enjoying higher value-added and flexible CI services but at the same time, the dependency of CI operations and service delivery on ICT and OT have been increased dramatically. We have started to experience critical disruptions of CI services caused by ICT and/or OT failures and also by intentional cyberattacks.

Direct causes for the ICT and OT disruptions vary by case but root causes can be considered as increase of systems complexity, enlarged patchy systems, open or networked system architectures and interdependency among systems. With those concerns, the Japanese Government established the National Information Security Center (NISC) in 2005 and defined critical infrastructures to be protected. The original “NISC” turned into the National center of Incident readiness and Strategy for Cybersecurity (NISC) in 2015 along with the enforcement of the “Basic Act on Cybersecurity”. The NISC defined the current set of 13 CI sectors [1] (see Table 1).

Table 1.

Defined 13 critical infrastructure sectors and major systems (Cybersecurity Policy for Critical Infrastructure Protection, 2017)

../images/477940_1_En_13_Chapter/477940_1_En_13_Tab1_HTML.png

The 10 of the current set of 13 CI sectors were originally defined in 2005 as below;

(1)
Information and Communication Services
(2)
Financial Services (Banking/Insurance/Securities)
(3)
Aviation Services
(4)
Railway Services
(5)
Electric Power Supply Services
(6)
Gas Supply Services
(7)
Government and Administrative Services
(8)
Medical Services
(9)
Water Services
(10)
Logistics Services (Freight and Shipping)
In 2016, the following three CI sectors were added considering increasing socioeconomic impact of its disruptions;
(11)
Chemical Industries
(12)
Credit Card Services
(13)
Petroleum Industries

and Airport Services (including terminal operations, ground handling, and immigration/customs operations) will be added as the 14th CI in 2018 which are separated from the Aviation Services, the third defined CI.

2 Challenges of the PPP (Public-Private Partnership) and Intensive Efforts Through Annual Cross-Sector Cybersecurity Exercises

The NISC started arrangement of PPP-based cross-sector cybersecurity exercises. The first exercise was held in 2006. The objective of the first three exercises based on the National CI Information Security Measures Action Plan I (1st Edition) was establishment and feasibility building of the PPP structures in CIP (see Table 2).

Table 2.

Overview of the cross-sector cybersecurity exercises in 2006–2008 (based on published data from NISC)

../images/477940_1_En_13_Chapter/477940_1_En_13_Tab2_HTML.png

In the 2006 exercise, 90 people participated from the original ten CI sectors and their regulatory agencies. The motivation of the participating CI service providers was not so high because of the presence of their responsible regulatory agencies.

The next series of the cross-sector cybersecurity exercises were held between 2009 and 2013. Those exercises focused on interoperable capability among CIs within their framework of BCM (Business Continuity Management) [2] (see Table 3).

Table 3.

Overview of the cross-sector cybersecurity exercises in 2009–2013 (based on published data from NISC)

../images/477940_1_En_13_Chapter/477940_1_En_13_Tab3_HTML.png

The exercises which were held in this period also included cascading effects (dependencies) among the CIs and their widely distributed supply chains. Some of the exercise scenarios were based on the research done by NISC’s assigned Technical Committee for Interdependency Analysis in 2007 that reported increasing dependencies among CIs as were verified by several researches on the natural disaster such as 2007 Niigata Chuetsu-Oki Earthquake case study. (Aung and Watanabe 2009) [3] (see Fig. 1).

../images/477940_1_En_13_Chapter/477940_1_En_13_Fig1_HTML.png — Fig. 1.
Result of dependencies among CIs (NISC, 2007 translated by Z. Aung.)

The case study analyzed cascaded incidents among CIs after the earthquake hit and evaluated interdependency of each CI and dependencies among CIs. (The solid arrows indicate clearly recognized dependencies and the dotted arrows indicate partially recognized dependencies)

The committee’s analysis works examined and utilized the existing frameworks and methodologies including an analytical planning framework for hypothesizing, formulating, and mitigating vulnerability in CIs [4, 5].

The next period between 2014 and 2016 focused more on the capabilities and interoperability in incident responses among CIs and their regulatory agencies (see Table 4).

Table 4.

Overview of the cross-sector cybersecurity exercises in 2014–2016 (based on published data from NISC)

../images/477940_1_En_13_Chapter/477940_1_En_13_Tab4_HTML.png

Following to the three editions of national policy, the Japanese Government issued the Cybersecurity Policy for Critical Infrastructure Protection (4th Edition) in 2017 with the following objectives:

Maintenance and Promotion of the Safety Principles
Enhancement of Information Sharing System
Enhancement of Incident Response Capability
Implement Risk Management Framework and Preparation of Incident Readiness
Enhancement of the Basis for CIP

and The Cybersecurity Strategic Headquarters strongly recommended CI service providers to apply PDCA (Plan-Do-Check-Act) management cycle in their cybersecurity enhancement efforts with BCM (Business Continuity Management) framework and at the same time, the annual cross-sector cybersecurity exercises have been aggressively enriched in scenario and operations. The fundamental objectives of the exercises were almost same and included information sharing among stakeholders in the public and private sectors related to the CIs. The establishment of interoperability for the coordinated incident responses was promoted.

Each CI sector has their own information sharing structure called CEPTOR (Capability for Engineering of Protection, Technical Operation, Analysis and Response). Inbound/outbound information flows are integrated into NISC in the Cabinet Secretariat through responsible government agencies for each industry sector to share information during an incident [1] (see Fig. 2).

../images/477940_1_En_13_Chapter/477940_1_En_13_Fig2_HTML.png — Fig. 2.
“To Be” structure for Information Sharing and Shared Incident Response (Cybersecurity Policy for Critical Infra-structure Protection, 2017)

The cross-sector cybersecurity exercise 2017 was held on December 13th, 2017 with over 2,600 participants from the defined 13 CI sectors and their responsible governmental agencies on sites in Tokyo, Osaka, and Fukuoka and additionally, on private remote sites at each organization that shared the same scenario and timeline. The participants used the same synchronized set of scenarios such as DDoS (Denial of Service) attacks, Malware Infection at network devices, and Malware Infection at SCADA (Supervisory Control And Data Acquisition) systems. However, they could add any original scenario as extension based on their real situations and business environment. A “hot wash” session was held following to the exercise and their lessons learned were shared among participants such as:

Need to learn how to devise a wide range of response patterns based on limited information
Need to consider response with limited resources to attacks that occur late at night or in the weekend
Need to apply lessons identified in the exercises to improve CIP or CIIP (Critical Infrastructure Information Protection) at each CI service provider.

Those outcomes have been reflected on the Developing Guideline for Safety Standards at Critical Infrastructures to Assure Information Security [6].

3 Limitations of NISC’s Cross-Sector Cybersecurity Exercises and Alternative Approaches that Complement It

NISC’s over ten years’ arrangement for the cross-sector cybersecurity exercises have had limitations in designing advanced scenarios for experienced CI service providers and in dynamic on-site scenario arrangements along with each response of the exercise players. This is because the basic scenario of NISC’s exercise is to raise awareness on the necessity of building PPP-based interoperability in cyber incident responses with broadening the horizon of participants from CI service providers. As a result, the scenario which is used at the exercises has been pre-set and shared with all participants with a few options which will be provided by sub-controllers assigned for each CI sector.

On more thing is the lack of aspect of “region” because the basic structure of the exercise arrangements are made by industry in collaboration with their applicable responsible governmental agencies. This situation makes it difficult to assure interoperability across the CIs in responding to chained cyber incidents caused by dependencies among CIs in a specific region.

In order to compliment the limitations, CIs in Nagoya (4th largest city in Japan) district have started region-focused cross-sector cybersecurity exercises with dynamic dependent scenario while working with local police and municipal governments. The range of participants is wider than NISC’s definition and include major manufacturing industries (mainly automotive) which the area heavily depend on to keep up its economy and employment. Their first exercise was on the same date of the NISC’s exercise in 2017 and based on NISC’s scenario but many customized additional scenarios injected. One of the major injection forced one of the CIs to shut down their system proactively and required the CI to notify other CIs and also local governments to evacuate and shelter the citizens.

Basically the operations and systems for CIs have been designed and implemented with the requirements such as;

Stability: Stable services with expected quality and state
Robustness: Capable of performing without failure under a wide range of conditions
Availability: Assured quality or state of being available
Expandability: Capacity to increase the extent, number, volume, or scope
Safety: Condition of being safe from external intrusions and internal leakages
Flexibility: Ready capability to adapt to new, different, or changing requirements
Reliability: Quality or state of being reliable

to have resilience of its operations even in the severe incidents caused by natural disasters, system failure, human errors or cyberattacks (see Fig. 3).

../images/477940_1_En_13_Chapter/477940_1_En_13_Fig3_HTML.png — Fig. 3.
Functional requirements for CI operations and systems

In the natural disaster cases, CIs basically try to keep their systems using the aspects of robustness and availability with business continuity framework to recover CI services as soon as possible (Fig. 4). In the cyberattack cases especially in those targeting control systems (such as SCADA), however, CI operators sometimes have to make decisions to shut down their critical systems proactively to keep their social responsibility in stability, reliability, and safety (Fig. 5). The decision to stop CI services are sometime difficult for CI service providers because of its critical socioeconomic impact. However, they have to stop their services certainly before losing system control by cyberattacks.

../images/477940_1_En_13_Chapter/477940_1_En_13_Fig4_HTML.png — Fig. 4.
Functional requirements in the case of natural disasters

../images/477940_1_En_13_Chapter/477940_1_En_13_Fig5_HTML.png — Fig. 5.
Functional requirements in the case of cyberattacks targeting CI control systems

In the Nagoya’s exercise, planning members tried to put injections into the scenario to force the participants to escalate symptoms to higher management, to share with other local CIs and local police (cyber police division), and to take necessary immediate actions in risk communication to the public and local governments. Each decision required their processes of BIA (Business Impact Analysis) and SIA (Social Impact Analysis) to decide about the emergency level along with their pre-determined command and control structure [7] (see Fig. 6).

../images/477940_1_En_13_Chapter/477940_1_En_13_Fig6_HTML.png — Fig. 6.
Cyber incident response structure by pre-determined emergency level

Many Japanese CI service providers had experiences in emergency response to the severe situations caused by the large-scale natural disasters in the past such as earthquake, typhoon, or flood with the command and control structure headed by their CEO. However, in the exercise with a cyberattack scenario, several hesitations had been observed in escalation or reporting, and decision making for proactive shutdown of their control systems because of its impact to the socioeconomic activities and the citizen’s life.

4 Conclusions and the Next Steps and Challenges of CIP with PPP-Based Cyber Resilience Enhancement in Japan

With the intensive efforts in the CIP lead by the Japanese Government, readiness for cybersecurity incidents in CIs has been enhanced during the last over ten years. However, at the same time, CIs’ dependencies on ICT and OT have increased and cyberattack techniques have advanced. The Japanese PPP-based efforts for cybersecurity in CIs are facing the following challenges for which the CI service providers and government sectors have to work together more tightly to make next steps dynamically to enhance cyber resilience of our society:

(1) Dynamic and interoperable PPP-based operations

Need more organic and trust–based information sharing and coordinated incident responses among stakeholders in the CI service providers, responsible government agencies, and major CI users. Bilateral CI-CI exercises and region-focused exercises such as the Nagoya’s exercise addition to the centralized NISC’s exercises will be effective to make the PPP-based operations more dynamic and interoperable.

(2) Proactive incident response structure at CI service providers

Leverage existing CSIRTs (Computer Security Incident Response Teams) and SOCs (Security Operation Centers) in the process of BIA (Business Impact Analysis) and SIA (Social Impact Analysis) and make them as “interpreters” between cybersecurity operational level and enterprise management judgement level. Some of the CI service providers have already integrated their incident response operations for cybersecurity and for natural disasters.

(3) Professional development and networking

Develop professionals who understand cybersecurity, business administration, and emergency response in order to achieve (1) and (2). In 2017, the Japanese Government has launched an one year intensive professional development course that invited full-time participants from major CI service providers and the first 50 graduates are expected in June, 2018. Mid-long term career development strategy will be required and also a networking scheme among professionals in the stakeholder organizations of CI service providers and responsible governmental agencies is necessary.

(4) Local government involvement for regional cyber resilience enhancement

Considering the emerging possibility of cyberattacks targeting disruptions of CI services and social disorders in a specific city or in a specific event period, information sharing and shared incident response structure with interoperability among stakeholders in a specific city or area are necessary. In this structure, it is very important to involve local governments to protect safety and well-being of the people (residents, workers, and visitors) [8]. In 2018, local governments (prefectures and cities) and more local police departments are expected to join the Nagoya’s region-focused cross-sector exercise.

References

1.
Cybersecurity Strategic Headquarters (Government of Japan): The Cybersecurity Policy for Critical Infrastructure Protection (4th Edition, Tentative Translation), 18 April 2017. https://www.nisc.go.jp/eng/pdf/cs_policy_cip_eng_v4.pdf
2.
ISO 22301:2012 Societal security – Business continuity management systems—Requirements, International Organization for Standardization (2012)
3.
Aung, Z.Z., Watanabe, K.: A framework for modeling interdependencies in japan’s critical infrastructures. In: Palmer, C., Shenoi, S. (eds.) ICCIP 2009. IAICT, vol. 311, pp. 243–257. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04798-5_17
4.
Hellström, T.: Critical infrastructure and systemic vulnerability: towards a planning framework. Saf. Sci. 45, 415–430 (2007)
5.
Zimmerman, R.: Decision-making and the vulnerability of interdependent critical infrastructure, CREATEREPORT, Report#04-005 (2004)
6.
Cybersecurity Strategic Headquarters (Government of Japan): The Developing Guideline for Safety Standards at Critical Infrastructures to Assure Information Security, 5th edn. (2018). (in Japanese)
7.
ISO/TS 22317:2015 Societal Security – Business continuity management systems – Guidelines for business impact analysis (BIA)
8.
Watanabe, K., Hayashi, T.: PPP (Public-Private Partnership)-Based Business Continuity of Regional Banking Services for Communities in Wide-Area Disasters. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds.) CRITIS 2015. LNCS, vol. 9578, pp. 67–76. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-33331-1_6