NTT Advanced Technology Co., Ltd.
Launch of “OT Security Assessment Service” for the industrial sector ~A step towards continuing the safe operation of factories and buildings~ ……
NTT Advanced Technology Corporation (hereinafter referred to as NTT-AT, Head Office: Shinjuku-ku, Tokyo, President and Representative Director: Tadashi Ito) is applying the know-how such as security assessment and forensics that it has provided for IT to date, to improve the quality of factories and buildings. From December 13, 2023, we will provide the “OT*1 Security Assessment Service” (hereinafter referred to as the “Service”) for the industrial field, which makes it easier for individual customers to understand what kind of security measures are required according to their current situation. start.
This service allows you to understand the current state of security risks within factories and buildings, and take security measures accordingly. This service is suitable for customers who are concerned about security measures for small-scale factories and buildings, as it is possible to convert the know-how accumulated so far into a tool and provide it efficiently and at low cost.
1. Background of the launch In recent years, the environment surrounding business has changed significantly, and DX (digital transformation) is being actively promoted in the industrial field. As a result of this, the number of IT systems and connections with the Internet has increased, and as a result, not only IT equipment but also control equipment operating in factories and buildings are now considered dangerous as new targets for cyber attacks. In fact, there have been cases in which an automobile manufacturer’s supply chain factory was damaged by a cyber attack, resulting in the suspension of operations at all factories in Japan, and the industry as a whole is becoming increasingly wary of cyber security.
Under these circumstances, as part of the international
standardization movement, ISA (International Society of
Automation)/IEC (International Electrotechnical Commission) has established an international standard for security measures for industrial control systems. ISA/IEC62443 has been published, and in Japan, the Ministry of Economy, Trade and Industry’s Industrial Cyber Security Study Group Factory Sub-Working Group will publish the “Cyber-Physical Security Measures Guidelines for Factory Systems” in November 2022. The 2nd edition of Cyber Physical Security Measures Guidelines for Building Systems was announced in April 2023. In the future, companies in the manufacturing and building maintenance industries that use industrial control systems will need to take security measures in accordance with these guidelines. However, the extent to which security measures should be implemented according to the guidelines is up to the parties involved, and it is also necessary to understand security risks and consider effects and costs, so it is difficult to come up with security measures on your own. There is a problem. 2. About this service This service, which we have recently started offering, helps us understand the security risks of factories, buildings, etc. and supports the implementation of security measures in accordance with those risks. Before using this service, please conduct a simple web diagnosis (free of charge) *2 on the site provided by Fortinet Japan, NTT-AT’s OT security partner, to get an overview of your company’s security measures level. I’ll have it. By using this service based on the simple web diagnosis results, we will help you more effectively implement security measures tailored to the security risks of each factory or building. 3. About the service menu This service provides “OT Security Risk Assessment,” which conducts an assessment according to a checklist set by the Ministry of Economy, Trade and Industry guidelines, and “Real Environment Assessment,” which conducts an assessment based on communication logs flowing through the internal network of factories and buildings. . Each service menu can be provided individually or together. The outline of each service menu is as follows. (1) OT security risk assessment ■Service overview/features
In addition to simple web diagnosis, we use a hearing sheet that includes the requirements of IEC62443 to comprehensively and efficiently grasp the actual situation for each of the 32 checklist items in the Ministry of Economy, Trade and Industry guidelines. Consider current risks in four categories (organization, operation, technology, supply chain)
The series of processes is supervised by experts (CISSP, information security support specialist, IEC62443 related qualifications, etc.) and provides information for formulating specific security measures. ■Example of implementation flow
[Image 1
Implementation flow image
■Price: 1,980,000 yen (tax included) ~ (2) Actual environment assessment ■Service overview/features
Automatically list devices connected to the network using Internal Network Inspector (INI)*3
Compare the ledger with the results of the fact-finding survey and present the IP address and communication period of devices not listed in the ledger.
Identify and pick up devices that perform unnecessary or potentially abnormal communications or devices that have many external
connections.
Presenting security measures based on actual situation survey results *The above four items are limited to devices that communicated on the target network during the survey period.
■Example of installed equipment and installation environment [Image 2
Installation environment image
For visualization of industrial control networks, we use Fortinet’s network security appliance, FortiGate*4.
■Price: 1.48 million yen (tax included) ~ 4. Future plans While providing this service, NTT-AT plans to confirm the security requirements of customers and consider further expansion of its service lineup.
●Endorsement from Fortinet Japan LLC We would like to sincerely welcome NTT Advanced Technology’s “OT Security Assessment Service” for the industrial sector announced today. With the development of a connected society, the number of external connections in factories and building systems has increased, and with the introduction of IT, we have entered an era in which the safety and security of cyberspace is directly linked to business risks. A major feature of this assessment service is that it indicates the direction of security measures to comply with the guidelines by understanding not only technology but also the current situation of organizational structure and operations. In fact, we believe that the main reason for the lack of progress in security measures for factories and building systems is not only technology, but also organizational structure and operational issues. Fortinet Japan has started providing this service together with NTT Advanced Technologies in order to take a comprehensive approach to this issue. In the future, Fortinet Japan will continue to provide security solutions and assessment know-how in NTT Advanced
Technology’s “OT Security Assessment Service” for the industrial sector in the spirit of self-help, mutual help, and public assistance, and together with NTT Advanced Technology, We will support our customers in promoting secure DX.
Hiroshi Sasaki, General Manager of OT Business Development, Fortinet Japan LLC*1 OT: Abbreviation for Operational Technology. Systems such as industrial automation and control system components and their technologies*2 Simple web diagnosis: A check sheet consisting of approximately 30 items provided by Fortinet Japan LLC on the web, which allows you to easily assess the level of response to factory security measures.
https://www.fortinet.com/jp/promos/ot-security-assessment*3 Internal Network Inspector: Software developed by NTT-AT to detect unauthorized devices*4 FortiGate: Integrated threat management appliance developed by Fortinet in the United States
https://www.fortinet.com/jp/solutions/industries/manufacturing *Company and product names listed are trademarks or registered trademarks of each company. *The data listed is as of the date of publication. Please note that this information is subject to change without notice.
: