Protecting the entire supply chain from cyber attacks
January 30, 2019
Many players are involved in the manufacturing supply chain. The wider the scale of the supply chain, the greater the risk of cyber attacks. The development and production of defense equipment encompass a wide-scale supply chain connecting the private and public sector, wherein risks can be directly connected to national security. The C&C User Forum & iEXPO2018 Special Seminar entitled “Latest trends in cyber security and compliance with U.S. NIST security standards” tackled specific initiatives for avoiding those risks.
Strengthening the security of the defense industry
“The defense industry is built on a supply chain that includes many private companies. There is a need to strengthen cyber security of this supply chain.”
These were the opening words of Mr. Toshihiko Fujii, who gave the first lecture. Mr. Fujii is the Assistant Commissioner of the Acquisition, Technology and Logistics Agency, an extra-ministerial bureau of the Ministry of Defense in charge of the development and procurement of defense equipment.
“Japan, which is an ally of the United States, is working with the U.S. along many fronts in carrying out development, research, and manufacturing related to defense equipment. This means that information on defense equipment is shared not only between the Japanese and U.S. governments, but also among private companies in the two countries. There is therefore a need for the cyber security standards of the supply chains of the two countries to be at comparable levels.”
According to Mr. Fujii, the new procurement standards to be adopted by the Acquisition, Technology and Logistics Agency next fiscal year are equivalent to the “NIST SP800-171.” NIST stands for National Institute of Standards and Technology, which is known for devising the SP-800 series of standards related to information security.
“The U.S. applies the SP800-171 standards to cases where enterprises related to the federal government are handling CUI. The level of these security standards is higher than ISO/IEC 27001, which is the current international standard in information security management system authentication. A major feature of the SP800-171 is that it fully covers not only incident identification and defense, but also the detection, response, and recovery after incident occurrence.”
“CUI,” which stands for Controlled Unclassified Information, is the type of unclassified information protected by the standards, the leakage of which carries risks of causing national security problems.
These security initiatives being carried out by the national government in the defense industry are examples of security measures that can be implemented in private sector supply chains in various domains, according to Mr. Fujii.
Implementing cyber security for all government activities
The U.S. is now taking the lead in formulating international security standards for the cloud. These initiatives are premised on the use of the cloud as a standard policy for the U.S. government. FedRAMP, the U.S. government’s cloud procurement standard, is foreseen to become a global standard.
“When companies in contract with the government use external cloud services for storage, processing, and transmission of CUI, the cloud service providers are required to comply with the FedRAMP security levels.”
The Japanese government, which aims to implement “digital government” operations through digitalization and cloud migration, is expected to carry out the same measures as those implemented by the U.S. government, according to Mr. Fujii. In December last year, the Ministry of Economy, Trade and Industry, in collaboration with other related ministries, established the “Study Group for Industrial Cyber Security.” Likewise, the Acquisition, Technology and Logistics Agency has also established the “Public-Private Study Group on Enhancement of Information Security in Defense Procurement” in cooperation with 23 companies and 4 organizations in February last year. Going forward, the Japanese government plans to expand these cyber security measures across all government agencies.
“The current challenges are to implement cyber security measures at lower costs, to have Japanese cloud service providers comply with security standards that are at the same level as those of the U.S., and to properly address the needs of small and medium enterprises joining the supply chain. Our goal is to overcome these challenges and move forward with establishing Japan’s defense industry security.”
The keyword is “cyber resilience”
Next on stage was Ronald S. Ross, a Fellow of NIST, the institute also mentioned in Mr. Fujii’s lecture.
“We live in a generation where so many people are dependent on computers for everyday life. The world of computers is composed of a complex system interconnecting the OS, firmware, applications, etc. Terrorists, organized crime, and other people with malicious intent, or those who can be considered as our “enemies,” launch attacks against the weak points of this complex system. Our enemies steal information and send malicious code to computers to disrupt the system. We are constantly exposed to these dangers.”
These were the words of Ronald Ross. Cyber security measures are essential in avoiding these dangers. How should we implement cyber security measures? Ronald Ross explained that we need to implement “effective multidimensional strategies.” In other words, we need to establish countermeasures in three dimensions; namely, by “setting boundaries to protect targets,” “minimizing damage caused by attacks,” and “establishing resiliency from attacks.”
The keyword is “resilience.” Ronald Ross defined resilience as the “capacity to anticipate, withstand, recover, and adapt to cyber attacks.” Other than as “the capacity to recover,” resilience is variously translated in Japanese as “elasticity,” “flexibility,” “supple strength,” etc. It refers to the capacity to flexibly respond in case of infiltration by viruses, to keep the damage to the minimum, and to promptly recover from the damage. Ronald Ross explained that incorporating these mechanisms makes the system more robust.
The need for public-private partnerships
The above concepts are also reflected in the information security standards (SP800 series) created by NIST. The SP800-171 in particular, which Japan wants to use as its own security standard, is aimed at protecting CUI being handled by organizations outside the U.S. federal government, such as subcontractors, local government units, and academic and research institutions.
“The handling of CUI, which includes 82 different categories, by companies and organizations outside the federal government is protected by the SP800-171 security framework. We created rules for protecting CUI and submitted them to the federal government and its related organizations. Our rules have been adapted by the government after going through a long period of study. The federal government is currently in contract with more than 1 million external organizations, which all comply with the SP800-171 standards.”
Operators having transactions with the federal government are not required to protect all of their company’s systems in accordance with these standards. Compliance with the standards can be achieved at low cost by “isolating” all information falling under CUI in one domain.
According to Ronald Ross, the worst cyber attacks at present are advanced persistent threats (APT), which attack targets continually over an extended period. He emphasized that the entire supply chain must be protected from these kinds of attacks.
“A sophisticated national defense can be achieved by integrating public and private sector initiatives as a unified set of measures. A solid relationship of trust between the public and private sector is therefore critical. We believe that achieving transparency and traceability of information in both directions enables creating a partnership based on trust.”
Ronald Ross concluded his lecture with a reassuring message: “Please contact NIST anytime. Let’s work together to create a better society and a better future for both of our countries.”