METI

Realizing a World-Class “Highly Reliable Society”

November 25, 2004

Yutaka Hayami, Director, Office of IT Security Policy

Ministry of Economy, Trade and Industry (METI), JAPAN

Contents

Background
Comprehensive Strategy on Information Security
METI Cyber-Security Policy
  – Improving Security Technology
  – Improving Security Management
  – Information Security Early Warning Partnership
  – Critical Infrastructure Protection
Closing

Background

Background: role of information systems and direction of IT security, 1950 to 2000 (timeline figure)

Users: government → banking, transportation, energy sectors → large enterprises → small/medium enterprises → personal use

Systems: exclusive systems → big, host types → C/S types → PC, Internet → broadband

Role of information systems: national security, calculation use → reliability of systems → efficient work style, competitiveness → e-commerce, economic infrastructure → lifelines for society, economy, and daily life

Direction of IT security: protection of military data → availability for critical infrastructure → availability for IT systems in corporations → network security for e-commerce → security for e-government → safe/reliable society

Background: from vulnerability disclosure to attack

Vulnerability   Release of vulnerability     Appearance of exploit code   Attack day of virus, etc.
                information and remedy
MS02-039        2002/7/29                    2 months   2002/9/25         4 months   2003/1/25   SQL Slammer
MS03-026        2003/7/17                    10 days    2003/7/27         16 days    2003/8/12   Blaster
MS03-039        2003/9/11                    4 days     2003/9/15         5 months   2004/2/11   Welchia.B
MS03-043        2003/10/16                   3 days     2003/10/19        ?          ?
MS03-049        2003/11/12                   1 day      2003/11/13        2 months   2004/2/11   Welchia.B
MS04-007        2004/2/11                    3 days     2004/2/14         ?          ?
MS04-011        2004/4/14                    11 days    2004/4/25         6 days     2004/5/1    Sasser

Attacks targeting vulnerabilities happen more and more rapidly.
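As an added example (not part of the METI presentation), the following Python takes the rows of the table above, computes the release-to-exploit and release-to-attack windows in days, and asks what patching deadline would have preceded public exploit code in each case. The dates are those on the slide; the function names and the SLA check are my own.

```python
"""Patch windows from the advisory table above (added example; the dates are
those on the METI slide, the code and function names are not from the deck)."""
from datetime import date

# Rows transcribed from the slide table: (advisory, remedy released,
# exploit code appeared, attack/worm seen, worm name). None marks the
# '?' cells the slide left blank.
ADVISORIES = [
    ("MS02-039", date(2002, 7, 29),  date(2002, 9, 25),  date(2003, 1, 25), "SQL Slammer"),
    ("MS03-026", date(2003, 7, 17),  date(2003, 7, 27),  date(2003, 8, 12), "Blaster"),
    ("MS03-039", date(2003, 9, 11),  date(2003, 9, 15),  date(2004, 2, 11), "Welchia.B"),
    ("MS03-043", date(2003, 10, 16), date(2003, 10, 19), None,              None),
    ("MS03-049", date(2003, 11, 12), date(2003, 11, 13), date(2004, 2, 11), "Welchia.B"),
    ("MS04-007", date(2004, 2, 11),  date(2004, 2, 14),  None,              None),
    ("MS04-011", date(2004, 4, 14),  date(2004, 4, 25),  date(2004, 5, 1),  "Sasser"),
]


def days_between(start, end):
    """Calendar days from start to end, or None when the end date is unknown."""
    return None if end is None else (end - start).days


def windows(rows=ADVISORIES):
    """Map advisory -> (release->exploit, exploit->attack, release->attack) in days.

    The middle and last values are None where the slide shows '?'."""
    result = {}
    for advisory, released, exploit, attack, _worm in rows:
        result[advisory] = (
            days_between(released, exploit),
            days_between(exploit, attack),
            days_between(released, attack),
        )
    return result


def exploit_window_trend(rows=ADVISORIES):
    """(advisory, release->exploit days) in release order: the shrinking window."""
    ordered = sorted(rows, key=lambda r: r[1])
    return [(adv, (exploit - released).days) for adv, released, exploit, _, _ in ordered]


def share_beaten_by_sla(sla_days, rows=ADVISORIES):
    """Fraction of advisories for which applying the remedy within sla_days of
    release would have preceded public exploit code.

    Patching on day sla_days beats the exploit only if it appeared later."""
    beaten = sum(1 for _, released, exploit, _, _ in rows
                 if (exploit - released).days > sla_days)
    return beaten / len(rows)


def shortest_window(rows=ADVISORIES):
    """The advisory with the fewest days between remedy and exploit code."""
    return min(exploit_window_trend(rows), key=lambda item: item[1])


if __name__ == "__main__":
    for adv, (to_exploit, to_attack, total) in windows().items():
        print(f"{adv}: exploit after {to_exploit} days, attack after {total} days")
    for sla in (0, 3, 7, 30):
        print(f"patch within {sla:2d} days beats exploit code in "
              f"{share_beaten_by_sla(sla):.0%} of cases")
```

Run stand-alone it prints the windows and the share of cases a fixed patching SLA would have covered; the point the slide makes in prose is visible in the numbers, since even a one-week deadline precedes exploit code in fewer than half of these rows, which is why the deck argues for proactive measures rather than a fixed remediation deadline alone.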

Background: Number of Virus Reports by year, 1998 to 2004 (through August); bar chart, scale 0 to 30,000. Annotations: Blaster, etc. (2003); Sasser, Netsky, etc. (2004).

【 Source: Information-Technology Promotion Agency, Japan (IPA) 】

Background: Number of Unauthorized Access Reports by year, 1998 to 2004 (through September); bar chart, scale 0 to 4,000.

【 Source: Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) 】

Background

In recent years, IT has developed rapidly and diffused widely. The economy and society are highly dependent on IT systems, which are becoming increasingly complex, global, and interdependent.

IT has already become the “nervous system” of the economy and society.

We need to make extensive efforts: (1) to prevent IT incidents, (2) to keep damage to a minimum, and (3) to implement immediate recovery measures.

“IT incidents will inevitably occur”

Comprehensive Strategy on Information Security

Where does it come from?

【 June 2003 】 “Information Security Committee” established under the Industrial Structure Council (METI’s Advisory Council), and began discussions on realizing a “Highly Reliable Society.”

【 October 2003 】 Information Security Committee concluded its “Comprehensive Strategy on Information Security.”

Foundations of the “Highly Reliable Society” (diagram):
  – Outstanding security
  – Commitment to manufacturing and quality; industrial infrastructure with device technologies
  – Society founded on outstanding ethics and uniform and smooth communication
  → Highly reliable IT infrastructure & IT use
  → Reinforcement of economic competitiveness; improvement in general security of Japan as economic and cultural power

“Comprehensive Strategy on Information Security”

Basic Goal: Development of world-class “Highly Reliable Society”

Strategy 1: Development of self-recoverable “social system prepared for accident/incident occurrences” (assurance of outstanding recoverability and localization of damage)
  – Reinforcement of preventive measures
  – Exhaustive reinforcement of measures to address accidents/incidents

Strategy 2: Public-sector action aimed at taking advantage of “High Reliability” as strength

Strategy 3: Coordinated action to empower the Cabinet Office

Relationship between Past and Future Measures

Segments: national/local governments; critical infrastructure; businesses and private individuals.

Preventive measures [Strategy 1(1)]
  – Existing preventive measures for national/local governments and key infrastructures: enrichment and reinforcement
  – New preventive measures for businesses and private individuals

Measures to address accidents/incidents [Strategy 1(2)]
  – Exhaustive reinforcement of measures to prevent “impending accidents” in national/local govts. and key infrastructures
  – Exhaustive reinforcement of measures to prevent “impending accidents” for businesses and private individuals

Foundation for general support [Strategy 2]
  – Reinforcement of foundation supporting entire nation from the national-interest perspective

METI Cyber-Security Policy: Overview

METI Cyber-Security Policy

Goal: development of a world-class “highly reliable society”: (1) prevent IT incidents, (2) keep damage to a minimum, and (3) implement immediate recovery measures.

Covers both normal status and emergency status (computer viruses, unauthorized access, DoS attacks, etc.).

1. Improving Security Technology: ISO/IEC 15408 (IT Security Evaluation); Cryptography Evaluation & PKI; R&D
2. Improving Security Management: Conformity Assessment Scheme for Information Security Management System (ISMS); Information Security Audit; Promotion of IT Security Governance within companies
3. Information Security Early Warning Partnership: (1) Incident Response, (2) Traffic Monitoring, and (3) Vulnerability Handling
4. Critical Infrastructure Protection: Information Security Measures in the Electricity Sector; plan to execute a cyber-exercise to prevent cyber-terrorism in the electricity sector.

Improving Security Technology

Security Technology

ISO/IEC 15408 IT Security Evaluation/Certification scheme
  – Member of CCRA since October 2003
  – Recommendation of evaluated/certified products for gov’t procurement

Cryptography Research and Evaluation Committees (CRYPTREC)
  – Maintain a list of recommended cryptographic algorithms for gov’t procurement.
  – Discuss CMVP scheme (Cryptographic Module Validation Program)

PKI (Public Key Infrastructure), etc.
  – Verification experiments on actual services
  – Study of authentication gateway

R&D
  – Next-generation technology (forecasting incidents, new access control methods, etc.)

Improving Security Management

ISMS Conformity Assessment Scheme

ISMS: Information Security Management System
JIPDEC: Japan Information Processing Development Corporation

Promotes continuous improvement to information security management of organizations

Based on ISO/IEC 17799:2000 and BS 7799-2

JIPDEC began Conformity Assessment Scheme in April 2002

Certified organizations: 522 (as of 5 October 2004)

IT Security Audits

Independent auditors audit IT security measures in a company. Standards are prescribed objectively. IT security audits have two types of evaluation: assurance and suggestion. Started in April 2003. JASA (Japan Association of Security Audits) will provide qualified auditors to maintain high quality of audits.

Diagram: Standards (Info Security Mgmt. Std., Info Security Audit Std.) → Auditor → Audit report. Assurance → clients, customers, general public (trust). Suggestion → auditees (natl. govt., local govt., companies) → improvements → improved IT security measures.

IT security standards (METI’s notice)

Information Security Management Standards: standards which include management items and details on the improvement process when auditors perform audits.

Information Security Audit Standards: standards which prescribe rules for auditors such as independence, evaluation of audit trails, and so on.

•Although they are not legal rules like audits for financial accounting, METI provides “standards,” which help promote the reliability of audit results.

•These standards facilitate accumulation of IT security audit practices, and help clarify legal responsibilities.

Information Security Governance

Information Security Governance: “To develop and promote a coherent governance framework to drive implementation of effective information security programs” (Corporate Governance Task Force Report, April 2004)

The Committee of Information Security Governance at METI (established September 2004)
  – Goal: To promote information security governance within corporate management
  – Measures (under discussion):
    • IT security benchmarks for effective security investment by CIOs/CEOs
    • A guideline for Business Continuity Plan to prevent security incidents/unauthorized access
    • An appropriate format for Information Security Report to stakeholders
    etc.

Information Security Early Warning Partnership

Information Security Early Warning Partnership

METI has responded to security breaches in cooperation with IPA & JPCERT/CC since 1990.

(1) Incident Response: computer virus and unauthorized access reports (begun in 1990s)
  – Gather information about damage caused by computer viruses, and announce it to the public right after the incident
  → Keep damage to a minimum

However, exploit code now comes out in a shorter time after disclosure of vulnerability information than before. Therefore, just keeping the damage to a minimum is not enough: there is a need to prevent damage proactively.

(2) Traffic Monitoring (begun in 2003)
  – Grasp the current situation by observing traffic on the Internet, and detect trouble on a network at the same time

(3) Vulnerability Handling Framework (begun in July 2004)

Outline of the Partnership (diagram)

[Software Products]
  Discoverer → reporting → Receiving Organization (IPA) → notification → Coordinating Organization (JPCERT/CC) → coordination → Vendors; JPCERT/CC also coordinates with foreign CERTs.
  Vendors → Portal Site (JVN: JP Vendor Status Notes) → publicity → Users (governments, companies, individuals). System integrators and SPREAD are coordinated with to reach users.

[Web Applications]
  Discoverer → reporting → Receiving Organization (IPA) → notification → Website Operation Manager. Analyzing Organization (IPA) performs analysis; publicity* by IPA.

*: When personal data has leaked.

Critical Infrastructure Protection

Information Security Measures in Electricity Sector

The Federation of Electric Power Companies (FEPC) and the Central Research Institute of the Electric Power Industry (CRIEPI) will conduct simulated cyber-attacks on the information systems of electric companies starting in November 2004.

  – Construct a model office network system including interfaces with control systems for electric power plants.
  – Create scenarios of attacks on the model system.
  – Try to access the model system to see whether the interface with the control systems can be reached, according to the scenarios.
  – Accumulate expertise to protect electric power infrastructure systems.