Cybersecurity for Tokyo 2020
June 2017
Ko IKAI
Counsellor
National Center of Incident Readiness and Strategy for Cybersecurity
Cabinet Secretariat
Government of JAPAN
Copyright (c) 2017 National center of Incident readiness and Strategy for Cybersecurity (NISC). All Rights Reserved.
Upcoming Major Events
• Rugby World Cup 2019: September 20 to November 2, 2019
• Games of the XXXII Olympiad: July 24 to August 9, 2020
• XVI Paralympic Games: August 25 to September 5, 2020
Tokyo was selected as the host city of the XXXII Olympiad at the 125th IOC Session in Buenos Aires on September 7, 2013.
Rugby World Cup 2019
(Map from Wikipedia: location of the 12 stadia hosting rugby matches at the 2019 tournament)
Tokyo 2020 Olympic/Paralympic Games
(Image from the Olympic Committee)
Overview of Tokyo 2020 and its circumstances
(Diagram of layers, from the outside in: Society; Infrastructure / Public services; Services / Supplies / Venues; The Olympic/Paralympic Games)
Asset owners (≈ prime responsibility holders), in the order shown on the diagram:
• TOCOG / IOC
• Partners
• Suppliers
• Contractors
• (Local/National) government
• Critical Infrastructure Operators
• (Local/National) government
• People (including audience and foreign tourists)
Mission owners (≈ prime responsible coordinator): National government, TOCOG
About 100 service providers (private companies, public companies, local governments, nat'l government)
Essential Services vs. Critical Infrastructures
Critical Infrastructures (identified in the 3rd Basic Policy for CIIP) | Essential Services (for operation of the Olympic/Paralympic Games)
Information & Communication | Telecommunication; Broadcasting
Financial | Financial
Aviation | Aviation
Railroad | Railway
Electric power supply | Electric power
Gas supply | Gas
Gov't & Admin services (incl. municipal gov'ts) | Local Government
Medical | (none listed)
Water | Water System
Logistics | Logistics
Chemical Industries | (none listed)
Credit Card | Credit Card
Petroleum industries | (none listed)
(none listed) | Sewerage
(none listed) | Airport
(none listed) | Traffic Control (Air, Vessel, Road)
(none listed) | Emergency Call (Police, Ambulance, Fire defense)
(none listed) | Weather forecast
(none listed) | CIQ
(none listed) | Expressway (esp. Shuto expwy)
(none listed) | Heat supply
Cybersecurity Measures for Tokyo 2020 Olympic/Paralympic Games
Summary of measures
○ Establishment of guidance for self-RA (self risk assessment) to secure safe and continuous provision of services.
○ Listing-up of essential service providers (ESPs) that can affect Games operation.
○ Request for ESPs to conduct self-RA to promote their cybersecurity measures.
○ ESPs conducted their self-RA during Oct.-Dec. 2016. About 70 ESPs reported their result.
○ NISC will request the 2nd self-RA during Aug-Oct 2017.
○ The Discussion Group for Cybersecurity Structure of Tokyo 2020 discussed details of information sharing and agreed the fundamental policy.
○ Sent liaisons to the G7 Ise-Shima Summit and the Rio2016 Olympic/Paralympic Games as large-scale test events and conducted trial operation of the information sharing structure.
○ Continuous discussion of building IT systems for more streamlined information sharing among stakeholders.
Under the Security Steering Committee of the Tokyo Olympic/Paralympic Games Promotion Headquarters (東京都オリンピック・パラリンピック競技大会推進本部セキュリティ幹事会), a Cybersecurity Working Team was set up with NISC as its secretariat. Seven meetings have been held to date, and concrete measures that contribute to securing cybersecurity for the 2020 Tokyo Olympic/Paralympic Games (hereinafter "the Tokyo Games") are being examined intensively.
The Government of Japan promotes cybersecurity measures of essential service providers for the Games based on risk assessment, and is discussing the establishment of a Governmental Olympic/Paralympic CSIRT as the core organization for information sharing among stakeholders.
Two pillars:
• Promotion of cybersecurity measures based on risk assessment (RA) (for appropriate preparation)
• Establishment of an incident response (IR) structure (for quick and precise responses against incidents)
Roadmap, FY2015 to FY2020 (chart; "today" marks June 2017)
Milestones in chart order: G7 Summit, Rio2016, Pyeongchang 2018, Rugby World Cup in Japan, Tokyo2020
Track 1: Cybersecurity measures based on RA
• Listing-up of essential services
• Drafting of RA procedure (preliminary exercises)
• Risk assessment by chosen service providers
• Cybersecurity measures based on RA (repeated assessment until Tokyo 2020)
• Continuous revision
Track 2: Establishment of IR structure
• Discussion of cybersecurity structure
• Discussion of info-sharing
• Discussion of IR supports
• Coordination among stakeholders
• Trial operation of info-sharing structure (G7 Summit, Rio2016)
• Establishment of Olympic/Paralympic CSIRT
• Exercises and trainings
• Trial operation
• Operation in the Games time
• Continuous revision
Cybersecurity Situations in Rio2016 Olympic/Paralympic Games
In spite of a lot of cyber-attacks against related sites, there were NO incidents affecting Games operation.
NISC's activities during Games time
NISC sent two liaisons to the Technical Operation Center (TOC) at the Rio 2016 Organizing Committee of Olympic/Paralympic Games (ROCOG) HQ. They watched the actual situation by shadowing TOC's information security managers, and provided threat intelligence found by NISC and the cybersecurity community of Japan.
(Diagram: the cybersecurity community in Japan and NISC (intelligence integration) share information with the NISC liaison at Rio2016.)
Situations in Rio2016
<Transition of targets during Games time>
Organizations related to the Games; Federal/Local government; Private companies that worked for the Games:
✓ Rio2016 official websites
✓ BOC/BPC websites
✓ Rio2016 portal website of the Federal Government
✓ The website of the Federal Ministry of Sports
✓ Websites of Rio State/City government
✓ Websites of the constructor of the Games' venues
✓ A lot of cyber attacks, such as DDoS and web scans, against official and related websites were identified. Information on some websites was breached.
• On the official website/mobile app, 40 million cyber threats were identified, 23 million threats were blocked and 223 major DDoS attacks were mitigated during the Olympic Games.
• Targets moved from Games-related websites to surrounding websites such as those of federal/local governments.
• Most of the identified attacks were noticed and announced on SNS and other media.
• Just after the opening ceremony, the peak of attacks came, but it didn't affect operations because of good preparation.
<TOC, Rio2016 HQ> (photo)
Lessons learned from Rio2016 and Brazilian government will be reflected in the cybersecurity preparations of Tokyo2020
Risk assessment for Tokyo 2020 Olympic/Paralympic Games
<Risk Assessment #1>
○ ESPs in Tokyo's 23 wards performed RA #1.
• Reports from about 70 ESPs. Many ESPs conducted the self-RA in a cross-sectional manner under their management.
• Meetings for explanation and experience sharing
• Support from an expert of London2012
<Future plan>
○ Preparation and improvement for RA #2
• Revision of the guideline
• Expansion of ESPs
➢ Geographical and sectorial
• Clarifying the required service level for the Games by close cooperation with TOCOG
• Continuous discussion with ESPs
• Cooperation with measures for physical security
Meetings with ESPs: general explanation meeting, sector-based meeting
Risk assessment schedule for Tokyo2020 (chart, FY2016 to FY2020)
• #1: FY2016 3Q, Tokyo 23 wards (current state)
• #2: FY2017 2Q, Tokyo capital area
• #3: FY2018 1Q, Tokyo and local cities
• #4~: FY2018 4Q, Tokyo and local cities
The chart shows assessment rounds #1 to #6 continuing across FY2016 to FY2020 up to Tokyo2020, with the bars Measures #1 and Measures #2 following the assessments.
• Based on London2012's practices, NISC promotes risk assessment for safe and continuous provision of essential services for Tokyo 2020.
• NISC requested service providers that can affect the Games' operation to perform their self-assessment.
○ NISC provided the guideline to identify, analyze and assess security risks to promote risk management.
○ Based on regulators' cooperation, NISC identified essential service providers (ESPs) that can affect Games operation, and requested them to perform the assessment.
○ Several assessments are planned until 2020.
・ Expansion of service providers
・ Brushing-up of the procedure and risk scenarios
Schedule of Risk Assessment #1 (chart, FY2016 1Q to 4Q)
Contents:
• Drafting of risk assessment procedure (NISC)
• Selection of service providers (NISC, regulating authorities)
• Meetings
• Risk Assessment (service providers)
• Risk handlings (service providers)
• Result report and preparation of #2 (NISC)
Cybersecurity Stakeholders of Tokyo 2020 Games (TBR)
(Diagram; legend: TOCOG, National government, Local government, To be established, Private entities)
• Governmental Olympic/Paralympic CSIRT (to be established)
• NISC
• Security Intelligence Center
• CSIRT
• CIE Regulators
• Tokyo Organizing Committee for Olympic/Paralympic Games (TOCOG): CIRT2020
• Tokyo Metropolitan Government
• Critical Infrastructure Entities (CIE)
• Private Organizations
• Cybersecurity Community
• Law Enforcement Agencies
• Intelligence Agencies
• Partners
• Suppliers
Challenges
○ Collaboration with physical security measures/organizations
• Combined discussion bodies
○ Facilitating streamlined information sharing among domestic/foreign stakeholders
• Modernized info-sharing systems
• Establishment of face-to-face trust relationships
○ Securing appropriate human resources for preparation and incident response during the Games time
• Trainings and exercises