IoT Security Measures - ETSI

IoT Security Measures, October 25th, 2019, Office of the Director-General for Cybersecurity, Ministry of Internal Affairs and Communications (MIC), JAPAN


IoT Security Measures

October 25th, 2019

Office of the Director-General for Cybersecurity, Ministry of Internal Affairs and Communications (MIC)

JAPAN

Cybersecurity Structure of Japanese Government

Cabinet: Prime Minister

Cybersecurity Strategic Headquarters
• Chief Cabinet Secretary (Chief)
• Relevant Ministers
• Experts

(Secretariat) National Center of Incident Readiness and Strategy for Cybersecurity (NISC)

Cooperation (diagram labels): IT Strategic Headquarters, National Security Council (NSC)

Panels, committees and teams
- Critical Infrastructure Expert Panel
- Technological Strategy Expert Panel
- Human Resources Expert Panel for Dissemination and Enlightenment
- Cybersecurity Measures Promotion Committee
- Government Security Operation Coordination Team (GSOC)
- Cyber Incident Mobile Assistant Team (CYMAT)

Ministries under HQ Members
- METI (Information Policy)
- MIC (Telecommunications and Network Policy)
- MOD (National defense)
- NPA (Cybercrimes and attacks)
- MOFA (Diplomacy and security)

Ministries responsible for critical infrastructures
- FSA (financial organizations)
- MIC (local governments, information and communication)
- MHLW (medical services, water supply)
- METI (electricity, gas, chemistry, credit, petroleum)
- MLIT (railway, aviation, logistics, airport)

Other related ministries
- MEXT (security education), etc.

Government organizations
Critical infrastructure businesses, etc.
Companies
Individuals

Cyberattacks Observed by NICTER

The National Institute of Information and Communications Technology (NICT) is observing cyber attacks globally by monitoring 300,000+ unused IP addresses (NICTER).

[Figure legend: TCP SYN, TCP SYN/ACK, TCP ACK, TCP FIN, TCP RESET, TCP PUSH, TCP Other, UDP, ICMP]

Attacks on IoT Devices (Observed by NICTER)

Number of cyberattacks observed by NICTER in one year (unit: 100 million packets)
- 2013: 128.8
- 2014: 256.6
- 2015: 545.1
- 2016: 1,281
- 2017: 1,504
- 2018: 2,121

3.9 times increase

About half of attacks targeted at IoT devices!

Targets of cyber attacks observed by NICTER
- IoT devices: 48%
- Others: 41%

IoT Devices: Router, Web Camera, Sensor, etc.

File Sharing, Databases, etc.

Large-scale DDoS Attacks due to IoT devices

- On October 21, 2016, Dyn’s DNS server in the United States experienced two large-scale DDoS attacks.
- A number of companies that use Dyn’s DNS service were also affected due to communications failure.
- The attacks originated on a large number of IoT devices infected with malware called “Mirai”.

A large volume of communication targeting Dyn’s system was generated from over 100,000 IoT devices infected with malware. It reportedly reached 1.2 Tbps. Many leading Internet services and news sites using Dyn’s DNS service were affected.

Many infected devices had simple and weak IDs and passwords:

ID: root password: 1234

Status of System Failure
- Dyn
- Airbnb
- NETFLIX
- Amazon
- The Wall Street Journal
- The New York Times
- Twitter

Reasons why IoT Devices are Targeted by Cyberattacks

(1) The extent and degree of impact by attacks is severe.

(2) The life cycle of IoT devices is long-term.

(3) IoT devices are not well-monitored.

(4) Interoperability of IoT devices and network is not sufficient.

(5) Functions and performance of IoT devices are limited.

(6) IoT devices can be connected in a way that the developers have never expected.

Comprehensive Package of IoT/5G Security Measures

MIC published the “comprehensive package of IoT/5G security measures” in August 2019. It is the revised version of the “comprehensive package of IoT security measures” released in October 2017, on the basis of the situational changes in cyberspace, such as the launch of 5G services, increasing importance for data flow and management, and increasing necessity for supply chain risk management.

Items to be considered

1. New risks associated with the launch of 5G services
- Virtualization, software, and mobile edge computing
- Operation of IoT devices for industrial use

2. Supply chain risk management
- Risks in the whole supply chain process of ICT products and services
- Cases of attacks where contractors are used as stepping stones

3. Data flow and management for the realization of Society 5.0
- Security for cloud services and smart cities
- Trust services

4. AI utilization in cybersecurity
- Importance of promoting cybersecurity measures utilizing AI

5. Possibility of practical use of large-scale quantum computers
- Necessity of studying new recommended cryptography with consideration of the large-scale quantum computers in the future

6. Large-scale international events
- Measures for the Rugby World Cup, the 2020 Tokyo Olympic and Paralympic Games, and significant events afterward

Framework of Comprehensive Package

Key measures to each important field of ICT services and networks
- IoT, 5G, cloud services, and smart city security, etc.
- Studies on ideal method for trust services, etc.

R&D
- Hardware vulnerability
- AI
- Cryptography
- etc.

Human Resource Development
- Human resource development for Tokyo 2020 Games
- Regional human resource development
- etc.

Awareness Raising

International Cooperation
- Collaboration with ASEAN member states
- International standardization
- etc.

Information Sharing / Information Disclosure
- Information sharing platform
- Promotion of information disclosure
- etc.

IoT Security Measure by Government

Effective Measure

Identify vulnerable IoT devices, such as ones with default ID/password setting, and alert the users of these devices to change the setting.

Challenge

It is prohibited to access IoT devices on the Internet without permission of users.

Government Action

Amended the law in May 2018 to implement the measure without violating the law, and started the measure, “NOTICE” project, in February 2019.

Outline of the “NOTICE” Project

Starting on February 20, 2019, the Ministry of Internal Affairs and Communications (MIC) and NICT, in cooperation with Internet Service Providers (ISPs), conduct the “NOTICE”* project to survey vulnerable IoT devices and to alert users to the problem. This project is implemented in compliance with the amendment of the NICT Act.

*National Operation Towards IoT Clean Environment

<Overview of the “NOTICE” Project>

(1) NICT surveys IoT devices on the Internet and identifies vulnerable devices, which are those with weak ID/password settings.

(2) NICT provides the information of the identified vulnerable devices to ISPs.

(3) The ISPs identify the users of the devices and alert users.

Diagram labels:
- NICT: 1) Try to log in to IoT devices in Japan
- ID/password examples: used for cyberattacks in the past; e.g., the same alphanumeric characters used
- 2) Providing information: Telecommunications carriers (ISPs)
- 3) Alerting users: Device users
- Support Center: “NOTICE” support center helps users to address the vulnerabilities.

Project to Alert Users of IoT Devices Infected with Malware

<Overview of the project>

(1) NICT identifies the devices generating the malware-infected traffic by using NICTER system.

(2) NICT provides the information of the malware infected devices to ISPs.

(3) The ISPs identify the users of the devices and alert users.

Diagram labels:
- NICT: 1) Observing malware-infected traffic
- 2) Providing information: Telecommunications carriers (ISPs)
- 3) Alerting users: Device users
- Support Center: User Support

Along with NOTICE, MIC and NICT, in cooperation with ISPs, have conducted a project since mid-June 2019 to identify devices infected with malware by using the NICTER system and to notify the ISPs so that they can alert users of the infected devices.

Progress on the Projects

Among 200 million IP addresses in Japan, approximately 90 million IP addresses managed by 33 ISPs that are participating in the projects have been investigated.

(1) Results of NOTICE
- Number of IP addresses in which ID and password could be entered: Approx. 31,000-42,000
- Of the above, the number of those which were successfully logged in to with weak password settings and were subject to user alert: Total 147

(2) Results of the project to alert users of malware-infected IoT devices
- Number of IP addresses which seem to be infected with malware and were subject to user alert: 112-155 per day

The number of Internet Service Providers participating in the project is 33. In addition to these measures, a proactive measure is required.

(⇒next page)

Proactive measure for IoT security

Amendment of the Technical Condition of Terminal Equipment for IoT Security

Terminal equipment that is directly connected to a telecommunication network through Internet Protocol is required to have:
1) access control on the remote control function,
2) a feature to encourage its user to change the default IDs/passwords,
3) a firmware update feature for future security fixes,
or security measures equivalent to or better than the above.

The requirement does not apply to personal computers or smartphones that are generally protected by other security measures such as anti-virus software.

Schedule

The amended Technical Condition will be enforced on April 1, 2020. After this, type approval will be given only to terminal equipment that conforms to the Technical Condition.

MIC published the guideline for the security requirements of the Technical Condition, which describes the scope of device types, details of the requirements, etc.

International Cooperation is Required

Since botnets are formed globally and cyber attacks are conducted across borders, security measures should be taken in all countries.

To realize a safe and secure cyberspace, it is important that many countries share best practices with each other and implement IoT security measures.

In Japan, we are implementing three security measures for IoT devices (1), (2) and (3).

[Proposal]

We would be happy to cooperate with each other, such as by sharing Japanese IoT security measures and providing relevant information on malware-infected devices observed by our system (NICTER).

We would also appreciate it if you could share information on the IoT security measures conducted in your country.

Cybersecurity Human Resource Development (National Cyber Training Center)

MIC and NICT* have been conducting cybersecurity exercises at the National Cyber Training Center to develop cybersecurity human resources with practical capabilities to deal with increasingly complicated and sophisticated cyberattacks.

*National Institute of Information and Communications Technology

Practical cyber exercises for cybersecurity staff involved in the Tokyo 2020 Olympic and Paralympic Games
* A total of 74 people in FY2017 and 137 people in FY2018 attended. In FY2019, a maximum of 400 people will participate in the exercises. (to be held until the Tokyo 2020 Games)

Practical cyber defense exercises for administrative organizations and critical infrastructure providers
* Total of 3,000 attendees with 100 sessions held annually
* Held across Japan (not only the Tokyo metropolitan area)
* Planning to establish new semi-advanced courses for offense and defense, and to introduce online courses in FY2020

One-year high-level cybersecurity training program to develop young innovators under 25 years old
* 39 trainees in FY2017 and 46 trainees in FY2018 completed the one-year course. 46 trainees have been selected for the FY2019 program.

[Figure: Numbers of CYDER participants. Bar values in order: 292, 215, 208, 1,539, 3,009, 2,666, 3,000 (estimated)]