Cybersecurity for Tokyo 2020

June 2017

Ko IKAI
Counsellor
National Center of Incident Readiness and Strategy for Cybersecurity
Cabinet Secretariat
Government of JAPAN


Copyright (c) 2017 National center of Incident readiness and Strategy for Cybersecurity (NISC). All Rights Reserved.

Upcoming Major Events

• Rugby World Cup 2019: September 20 to November 2, 2019
• Games of the XXXII Olympiad: July 24 to August 9, 2020
• XVI Paralympic Games: August 25 to September 5, 2020

Tokyo was selected as the host city of the XXXII Olympiad at the 125th IOC Session in Buenos Aires on September 7, 2013.


Rugby World Cup 2019

Figure (from Wikipedia): Location of the 12 stadia to host rugby matches at the 2019


Tokyo 2020 Olympic/Paralympic Games

Figure (from Olympic Committee)


Overview of Tokyo 2020 and its circumstances

Diagram labels:

The Olympic/Paralympic Games
Services / Supplies / Venues
Infrastructure / Public services
Society

• TOCOG / IOC
• Partners
• Suppliers
• Contractors
• (Local/National) government
• Critical Infrastructure Operators
• (Local/National) government
• People (including audience and foreign tourists)

Asset owners (≈ prime responsibility holders)
Mission owners (≈ prime responsible coordinator)
National government
TOCOG


Essential Services vs. Critical Infrastructures

About 100 service providers (private companies, public companies, local governments, nat’l government)

Critical Infrastructures (identified in 3rd Basic Policy for CIIP) | Essential Services (for operation of Olympic/Paralympic Games)
Information & Communication | Telecommunication
 | Broadcasting
Financial | Financial
Aviation | Aviation
Railroad | Railway
Electric power supply | Electric power
Gas supply | Gas
Gov’t & Admin services (incl. municipal gov’ts) | Local Government
Medical |
Water | Water System
Logistics | Logistics
Chemical Industries |
Credit Card | Credit Card
Petroleum industries |
 | Sewerage
 | Airport
 | Traffic Control (Air, Vessel, Road)
 | Emergency Call (Police, Ambulance, Fire defense)
 | Weather forecast
 | CIQ
 | Expressway (esp. Shuto expwy)
 | Heat supply


Cybersecurity Measures for Tokyo 2020 Olympic/Paralympic Games

The Government of Japan promotes cybersecurity measures of essential service providers for the Games based on risk assessment, and is discussing the establishment of a Governmental Olympic/Paralympic CSIRT as a core organization for information sharing among stakeholders.

A Cybersecurity Working Team, with NISC as its secretariat, has been set up under the Security Executive Board of the Tokyo Olympic and Paralympic Games Promotion Headquarters. It has met seven times so far and has been vigorously examining concrete measures that contribute to ensuring the cybersecurity of the 2020 Tokyo Olympic and Paralympic Games (hereinafter "the Tokyo Games").

Summary of measures

Promotion of cybersecurity measures based on risk assessment (RA) (for appropriate preparation)

○ Establishment of guidance for self-RA to secure safe and continuous provision of services.
○ Listing-up of essential service providers (ESPs) that can affect Games operation.
○ Request for ESPs to conduct self-RA to promote their cybersecurity measures.
○ ESPs conducted their self-RA during Oct.-Dec. 2016. About 70 ESPs reported their result.
○ NISC will request the 2nd self-RA during Aug-Oct 2017.

Establishment of incident response (IR) structure (for quick and precise responses against incidents)

○ The Discussion Group for Cybersecurity Structure of Tokyo 2020 discussed details of information sharing and agreed on the fundamental policy.
○ Sent liaisons to the G7 Ise-Shima Summit and the Rio2016 Olympic/Paralympic Games as large-scale test events and conducted trial operation of the information sharing structure.
○ Continuous discussion of building IT systems for more streamlined information sharing among stakeholders.

[Timeline chart, FY2015 to FY2020, with a "today" marker. Events: G7 Summit, Rio2016, Pyeongchang2018, Rugby World Cup in Japan, Tokyo2020. Rows: "Cybersecurity measures based on RA" and "Establishment of IR structure". Activities shown: Listing-up of essential services; Drafting of RA procedure (preliminary exercises); Risk assessment by chosen service providers; Cybersecurity measure based on RA (repeated assessment until Tokyo 2020); Discussion of cybersecurity structure; Discussion of info-sharing; Discussion of IR supports; Coordination among stakeholders; Trial operation of info-sharing structure; Establishment of Olympic/Paralympic CSIRT; Trial operation; Exercises and trainings; Operation in the Games time; Continuous revision (both rows).]


Cybersecurity Situations in Rio2016 Olympic/Paralympic Games

In spite of a lot of cyber-attacks against related sites, there were NO incidents affecting Games operation.

NISC’s activities during Games time

NISC sent two liaisons to the Technical Operation Center (TOC) at the HQ of the Rio 2016 Organizing Committee of Olympic/Paralympic Games (ROCOG). They observed the actual situation by shadowing the TOC’s information security managers, and provided threat intelligence found by NISC and the cybersecurity community of Japan.

[Diagram: info-sharing among NISC (intelligence integration), the cybersecurity community in Japan, and the NISC liaison at Rio2016]

[Photo: TOC, Rio2016 HQ]

Situations in Rio2016

✓ A lot of cyber attacks, such as DDoS and web scans, against official and related websites were identified. Information of some websites was breached.
• In the official website/mobile app, 40 million cyber threats were identified, 23 million threats were blocked and 223 major DDoS attacks were mitigated during the Olympic Games.
• Targets moved from Games-related websites to surrounding websites such as federal/local government ones.
• Most of the identified attacks were noticed and announced in SNS and other media.
• Just after the opening ceremony, the peak of attacks came, but it didn’t affect operations because of good preparation.

Transition of targets during Games time

Organizations related to the Games
✓ Rio2016 official websites
✓ BOC/BPC websites

Federal/Local government
✓ Rio2016 portal website of Federal Government
✓ The website of Federal Ministry of Sports
✓ Websites of Rio State/City government

Private companies that worked for the Games
✓ Websites of constructor of Games’ venue

Lessons learned from Rio2016 and the Brazilian government will be reflected in the cybersecurity preparations of Tokyo2020.


Risk assessment for Tokyo 2020 Olympic/Paralympic Games

• Based on London2012’s practices, NISC promotes risk assessment for safe and continuous provision of essential services for Tokyo 2020.
• NISC requested service providers that can affect the Games’ operation to perform their self-assessment.

Abstract

○ NISC provided the guideline to identify, analyze and assess security risks to promote risk management.
○ Based on regulators’ cooperation, NISC identified essential service providers (ESPs) that can affect Games operation, and requested them to perform the assessment.
○ Several assessments are planned until 2020.
・ Expansion of service providers
・ Brushing-up of the procedure and risk scenarios

[Chart: Schedule of Risk Assessment #1, FY2016 1Q to 4Q. Contents: Drafting of risk assessment procedure (NISC); Selection of service providers (NISC, regulating authorities); Meetings; Risk assessment (service providers); Risk handlings (service providers); Result report and preparation of #2 (NISC).]

Current state

<Risk Assessment #1>
○ ESPs in Tokyo 23 wards performed RA #1.
• Reports from about 70 ESPs. Many ESPs conducted the self-RA in a cross-sectional manner under their management.
• Meetings for explanation and experience sharing
• Support from the expert of London2012

[Photos: Meetings with ESPs (general explanation meeting, sector-based meeting)]

<Future plan>
○ Preparation and improvement for RA #2
• Revision of the guideline
• Expansion of ESPs
➢ Geographical and sectorial
• Clarifying the required service level for the Games by close cooperation with TOCOG
• Continuous discussion with ESPs
• Cooperation with measures for physical security

Risk assessment schedule for Tokyo2020

• FY2016 3Q: Tokyo 23 wards
• FY2017 2Q: Tokyo capital area
• FY2018 1Q: Tokyo and local cities
• FY2018 Q4: Tokyo and local cities

[Chart: FY2016 to FY2020, ending at Tokyo2020. Labels: #1 #2 #3 #4~; #1 #2 #3 #4 #5 #6; Measures #1; Measures #2.]


Cybersecurity Stakeholders of Tokyo 2020 Games (TBR)

Diagram labels:

• Private Organizations
• Critical Infrastructure Entities (CIE)
• Tokyo Metropolitan Government
• Cybersecurity Community
• Governmental Olympic/Paralympic CSIRT
• NISC
• Security Intelligence Center
• CSIRT
• CIE Regulators
• Tokyo Organizing Committee for Olympic/Paralympic Games
• CIRT2020
• Law Enforcement Agencies
• Intelligence Agencies
• Partners
• Suppliers

Legend: TOCOG; National government; Local government; To be established; Private entities


Challenges

Collaboration with physical security measures/organizations
• Combined discussion bodies

Facilitating streamlined information sharing among domestic/foreign stakeholders
• Modernized info-sharing systems
• Establishment of face-to-face trusted relationships

Securing appropriate human resources for preparation and incident response during the Games time
• Trainings and exercises


Thank you for your patience

Ko IKAI