Information Security Report 2018 - Hitachi

Information Security Report 2018, Hitachi Group

Greetings

The Hitachi Group is engaged in the social innovation business, where we use digital technologies to create new value through collaborative creation with our customers and partners. The foundation of the social innovation business is the IoT platform Lumada, which facilitates the use of artificial intelligence and big data analysis techniques. The Hitachi Group is expanding its social innovation business, with Lumada at its core, to contribute to the achievement of the goals of Society 5.0, a project being implemented by the Japanese government for the purpose of creating a safe, secure, comfortable, and sustainable next-generation digital society.

It is widely recognized that the biggest challenge related to Society 5.0 is information security. As the advancement of digital technologies accelerates day by day, the severity of threats to information security increases at a similarly accelerated pace. Sophisticated and diversified cyberattacks and security threats, such as information exploitation, targeted emails, fake news, manipulation of Internet opinions, and damage to critical infrastructure facilities, pose a grave threat that fundamentally undermines our trust in a digital society.

In May 2017, the Hitachi Group suffered a cyberattack involving a worm-type ransomware program, and some of our internal systems, including the email system, were damaged. Based on this experience, we further enhanced our information security framework. We created the position of CISO (Chief Information Security Officer), and an organizational system for global information-security governance, led by the CISO, began operation in October 2017.

In March 2018, the Japanese Business Federation published its “Declaration of Cyber Security Management”. This declaration states that efforts related to cybersecurity measures are an important management issue, both from the perspective of value creation and from the perspective of risk management. The Hitachi Group shares this vision, and is engaged in efforts to improve information security. Based on our “Information Security Policy”, which was created from a management perspective, we globally apply an information-security PDCA cycle by improving our rules and organizational systems, educating general employees and security experts, monitoring security through audits, and implementing security measures by using IT technologies.

Collaboration among industrial, academic, and government sectors is essential to information security. The Hitachi Group has made efforts to provide the details of the ransomware incident that occurred in May 2017, as well as the lessons we learned from that incident, to external parties. As the Hitachi Incident Response Team continues to lead our efforts to accumulate case studies of countermeasures taken within the Hitachi Group, we will also continue to share our expertise through various collaborative efforts between the private sector and the government. The spirit of collaborative innovation is the core of our social innovation business, and by displaying this spirit in our information security efforts, as well, we can contribute to ensuring trust in Society 5.0.

I would be delighted if this report could help with the understanding of our information security activities and be of use to society.

Keiji Kojima
Executive Vice President and Executive Officer, CISO, Hitachi, Ltd.

Information Security Report INDEX

Lessons learned from the cyberattack incident and our efforts to improve the robustness of our internal systems ... 3

Hitachi Group information security initiatives
Basic approach to information security governance ... 7
Information Security Management System ... 8
Cyber security vulnerability handling and incident response initiatives ... 14
Information security technical initiatives ... 16
Cloud computing security initiatives ... 20
Physical security initiatives ... 21
Initiatives in cooperation with procurement partners ... 22
Global information security initiatives ... 23
Information security human resources development initiatives ... 24
Personal information protection initiatives ... 26

Initiatives to ensure information security for our clients
Initiatives to provide information security to our clients ... 30
Information security products and services initiatives ... 34
Initiatives to provide information security for IT-related products and services ... 34
Initiatives to provide information security for software products ... 36
Information security initiatives in cloud computing ... 38
Efforts to protect privacy when using personal data ... 40
Physical security products and services initiatives ... 42
Control products and systems initiatives ... 44
Initiatives to enhance organizations ... 46

Research and development ... 48
Company-external information security related activities ... 52
Third party assessment and certification ... 54
Hitachi Group Overview ... 56

〈Overview of this report〉
Scope of this report: This report covers information security initiatives taken by the Hitachi Group in FY 2017 and earlier.
Publication of this report: This report was published in September 2018.

Lessons learned from the cyberattack incident and our efforts to improve the robustness of our internal systems

In May 2017, the Hitachi Group suffered a cyberattack involving a worm-type ransomware program called WannaCry. This attack resulted in the stoppage of our internal systems, and had an impact both on the Hitachi Group and on external parties. The advent of the IoT era is upon us, and in order to deal with the increasing threats to cybersecurity, we have decided to handle information security governance as the most important issue facing our business. In October 2017, we established a special organization for security control. This organization is led by the CISO, and is intended to improve the robustness of our systems in terms of management and technology.

1. Introduction

The Hitachi Group considers information security measures against new threats such as rapid cyberattacks to be one of our most important business issues. As such, we are promoting both governance-related and technological efforts to improve the robustness of our systems against cyberattacks.

2. Looking back on the cyberattack incident

2.1 Overview of the cyberattack

On May 12, 2017, a worm-type ransomware program called WannaCry spread from Europe to infect systems all over the world. This virus exploits a vulnerability in Windows to spread to other vulnerable Windows systems via a network. In an infected system, files are encrypted and a threatening message appears saying that money must be paid in exchange for the decryption key. Within the Hitachi Group, the virus spread from a test device at a subsidiary in Europe to other devices, including servers for the internal network. The virus caused damage on a global scale.

2.2 Scope of impact

This incident impacted various devices that were connected to the internal network. Affected devices included everything from business system servers and PCs for office use that were managed by the information systems division, to systems such as manufacturing and production systems for factories, control devices and warehouse systems, and access control systems for facilities. Figure 1 shows the number of packets intended to spread WannaCry to other devices that were discarded by our outgoing firewall during the period beginning on May 12.

[Figure 1. Infection speed of WannaCry. Timeline annotations: 20:00, infection spread rapidly in a short time; 23:00, all vulnerable devices in the network were infected; we started implementing countermeasures; the number of infected devices decreased.]

The infection started at about 8:00 p.m., and two hours later, at 11:00 p.m., it reached its saturation point, spreading to all devices for which vulnerability countermeasures were not in place. After that, the number of infected devices and the number of packets decreased, as a result of using antivirus software to quarantine infected devices, and of applying patches.

3. Lessons learned from the cyberattack incident

We learned four lessons from the cyberattack incident.

The first lesson relates to the structure of the network. To eliminate segmentation, we had adopted wide-area Ethernet for our internal network, with the assumption that antivirus measures would be implemented at endpoints. As a result, the worm-type virus was able to spread quickly once an endpoint had been infected. Another cause of the infection was the fact that the endpoint in question was connected to the network while its security status was unknown. To improve upon these issues, it is important for our network to have monitoring functions that include security and recovery as prerequisites.

The second lesson we learned is that security measures were insufficient for server systems that operate 24 hours a day as a result of globalization. Because some important servers could not be stopped, patches could not be applied quickly to those systems, even if vulnerabilities were present. These servers were particularly susceptible to damage. It is important to change our awareness from a baseless mindset where we feel that patches do not need to be applied, to a mindset that considers patch application to be essential, and to promote the application of patches as part of our company-wide system operations.

The third lesson we learned involves the difficulty of implementing security measures for IoT devices. Like the test device that was the source of the ransomware infection, there are many devices for which patch application is not considered a requirement, although they use Windows, and many devices for which user companies do not think that system updates are necessary. This lesson made us realize how difficult it will be to take measures for these devices in the future. Unlike ordinary devices for office use, different countermeasures such as network-based countermeasures must be taken, under the assumption that these devices might be infected with a virus because they have no antivirus software and patch application might not be possible.

The fourth lesson that we learned is that the business continuity plan for IT (the IT-BCP) that we use for natural disasters is totally different from the IT-BCP that is needed for a cyberattack. In case of a natural disaster, such as an earthquake, we store data in a remote location and always synchronize it with the primary data as a backup for resuming business operations quickly. In the case of the ransomware infection, however, the files that were encrypted by the ransomware were also synchronized and backup data was destroyed. As a result, recovery took a great deal of time. When we consider the fact that malware such as ransomware can destroy data, it becomes clear that we must reexamine our way of thinking about the kind of backup data that is needed for recovery. In business continuity plans (BCPs) for both natural disasters and cyberattacks, measures must be implemented by assigning top priority to preserving human life and to recovering business operations. When handling an incident, the worst possible scenario must be considered and the possibility of enormous damage must be kept in mind.
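The fourth lesson, that a continuously synchronized remote copy is not a backup against ransomware, can be made concrete with a small model. The following Python is an added example and is not code from the Hitachi report: it contrasts a mirror that replicates the primary (the disaster-recovery design the report describes) with immutable point-in-time snapshots that the primary cannot alter, and shows which of the two can still restore clean data after the primary is encrypted. File contents, snapshot labels and the retention window are constructed for illustration, and the encryption is simulated by overwriting file contents with opaque bytes.

```python
"""Mirror replication versus immutable snapshots under a ransomware event.

Added example modelling the report's fourth lesson; not Hitachi's code.
All data, labels and the retention window are constructed assumptions.
"""
from copy import deepcopy


class MirrorBackup:
    """Remote copy that is always synchronized with the primary (DR-style)."""

    def __init__(self):
        self.copy = {}

    def sync(self, primary):
        # Replicates whatever the primary holds right now, good or bad.
        self.copy = deepcopy(primary)

    def restore(self):
        return deepcopy(self.copy)


class SnapshotBackup:
    """Immutable point-in-time snapshots; the primary can only add new ones."""

    def __init__(self, keep=7):
        self.snapshots = []  # list of (label, files); never modified in place
        self.keep = keep

    def take(self, label, primary):
        self.snapshots.append((label, deepcopy(primary)))
        self.snapshots = self.snapshots[-self.keep:]  # retention window

    def restore(self, before=None):
        """Restore the newest snapshot, or with `before` the newest snapshot
        taken strictly before that label (labels sort chronologically)."""
        candidates = [s for s in self.snapshots if before is None or s[0] < before]
        if not candidates:
            raise LookupError("no clean snapshot within the retention window")
        return deepcopy(candidates[-1][1])


def simulate_ransomware(primary):
    """Stand-in for the incident: every file becomes unreadable bytes."""
    for name in primary:
        primary[name] = b"\x00<unreadable>\x00"


def is_intact(files, original):
    return files == original


def run_scenario():
    """Replay the timeline: clean sync, encryption, then the scheduled sync."""
    original = {"orders.db": b"rows...", "plan.docx": b"Q3 plan"}  # constructed
    primary = deepcopy(original)
    mirror, snaps = MirrorBackup(), SnapshotBackup(keep=7)

    # Normal operation: both backup styles receive the clean data.
    mirror.sync(primary)
    snaps.take("2017-05-11T23:00", primary)

    # Incident: the primary is encrypted, then replication runs as scheduled.
    simulate_ransomware(primary)
    mirror.sync(primary)                     # the mirror now holds encrypted files
    snaps.take("2017-05-12T23:00", primary)  # a new, bad snapshot is added

    return {
        "mirror_restore_ok": is_intact(mirror.restore(), original),
        "latest_snapshot_ok": is_intact(snaps.restore(), original),
        "pre_incident_snapshot_ok": is_intact(
            snaps.restore(before="2017-05-12T00:00"), original),
    }


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'clean data recovered' if ok else 'data lost'}")
```

The mirror and the newest snapshot both return encrypted data; only the snapshot taken before the incident restores cleanly. The `keep` window is the caveat the report's wording points at: if the encryption goes unnoticed for longer than the retention period, the clean snapshot ages out as well, so retention must be set against how long an incident can plausibly remain undetected.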
To handle these possibilities, it is important that we create manuals and training programs and improve on-site capabilities based on anticipated attack scenarios.

Based on these lessons, we decided to focus on six elements of governance, as shown in Figure 2, to improve the robustness of the Hitachi Group against cyberattacks. A dedicated Group-wide information security division was established to improve our organizational system to promote security governance.

[Figure 2. Efforts related to governance]
i. Design of a BCP for handling cyberattacks: design a BCP that takes into account the perspectives of cybersecurity and globalization, in addition to the BCP for handling a natural disaster.
ii. IT measures based on business risk analysis: implement IT measures that take into account the comparative importance of information assets.
iii. Mandatory security patch application as a part of patch management: establish an organizational structure that can manage not only IoT devices and physical security but also on-site devices.
iv. Establishment of an organizational system for centralized management, by revising the management scope and authority of IT managers: establish a dedicated, Group-wide information security division.
v. Global governance of security management: examine our system of governance, including country-based regions.
vi. Creation of IoT security guidelines.

4. Enhancing the organizational system for security governance

Because of the increasing threat of new cyberattacks and the expansion of our business into fields such as the IoT and cloud domains, we regard information security governance as one of our most important management issues. In October 2017, the responsibilities related to information security that were formerly assumed by the CIO were divided, and the new position of Chief Information Security Officer (CISO) was created. A dedicated organization for managing the security of the entire Hitachi Group was formed under the CISO to collectively promote the information security governance of the whole Hitachi Group.

The security control function, which was formerly a part of the IT control function, was thereby clearly separated, and an organizational system was established to enforce governance for the entire Group.

The control organization reports to the executive committee its analysis of the impact of information and cybersecurity risks on business and the status of relevant countermeasures. It also provides instructions regarding these measures, thereby ensuring continuous improvement. When an incident occurs that affects the entire Hitachi Group, the control organization determines whether to stop systems and provides suggestions. This dedicated organization includes the SOC (Security Operation Center), which monitors cyberattacks 24 hours a day, 365 days a year, and the HIRT (Hitachi Incident Response Team), which enhances incident response.

[Figure 3. Organizational system and roles surrounding the CISO]
Until September 2017: CEO; CIO (IT governance department, IT service deployment department).
Since October 2017: CEO; CIO (IT governance department, IT service deployment department); CISO (security control organization, cybersecurity technology department).
Roles of the CISO and the security control organization:
a) Continuously implement cybersecurity management and information security management.
b) When an incident occurs that affects the entire Hitachi Group, determine whether to stop systems, and provide suggestions.
c) Periodically report to the Hitachi executive committee regarding the impact of residual risks on management and countermeasures against such risks, and implement the relevant countermeasures.

As shown in Figure 4, we have organized the PDCA activities to be conducted under normal conditions, as well as an organizational structure for emergencies. When a cyberattack occurs that affects business activities, an emergency response headquarters straddling all Corporate divisions is established to handle the attack in cooperation with the cybersecurity section of each company. As part of the emergency response headquarters, each Corporate division works with the control organization to implement specific measures (such as issuing instructions, assessing the situation, or engaging in external relations with entities such as the police, the media, or government offices).

5. Technical enhancements

As we enhance our organizational system for governance, we are also making technical enhancements to monitoring and incident handling, in order to detect attacks at an early stage and respond to such incidents quickly. Since the WannaCry attack, we know that we must also prepare for possible attacks by its variants. We plan to introduce enhancements gradually in multiple phases, and steadily carry out our plans.

5.1 Measures to improve robustness, Phase I

In Phase I of our measures to improve robustness, we prioritized quick-acting measures, and made efforts based on our current operations to detect attacks at an earlier stage, and to make decisions and implement responses more quickly. Because each of our internal networks and business systems was independently operated and managed by the department in charge of the specific network or system, the monitoring department did not sufficiently understand the structure or details, and did not monitor the logs acquired for operational purposes.
In an internal network with a flat structure, the increase of even a single monitoring point can lead to early detection. For this reason, we took inventory of the devices and systems managed by each section to gain an understanding of what was located where. We also checked which logs could be acquired and started to monitor the logs that were useful for detection, thus making early detection possible.

Because threats have been changing rapidly in recent years, we need to implement flexible monitoring measures to handle those changes. The operational procedures that were provided by the monitoring department were incomplete, and described only the common checks and measures. They assumed that the reader had expert-level knowledge, and were abstract. Therefore, if an emergency like the WannaCry incident were to occur when no such expert is present, it was likely to take time before a response could be implemented, and damage was likely to spread in that time. By revising the procedures to be followed in an emergency, we created manuals that enable even persons with a basic level of prerequisite knowledge to quickly and confidently make

[Figure 4. Cyberattack warnings and contact system of the emergency response headquarters]

1. Relationship between cyberattack warning levels and the responders at each BU or Group company
Warning levels: RED, YELLOW, GREEN, WHITE.
Responders: executives; the head of information security control; security administrators; IT administrators; the information security risk governance team; each department (workplace); the headquarters secretariat.

2. System of cooperation with the emergency response headquarters in the event of an emergency
Corporate divisions (the CISO, the emergency response headquarters, the headquarters secretariat, the information security management departments and the cybersecurity technical team) work in close cooperation (issuing instructions and responding to inquiries) with the business departments (BUs and Group companies), whose functions for ensuring the thorough implementation of cybersecurity measures cover (1) emergency response to an incident and (2) PDCA activities to be conducted under normal conditions. The emergency response headquarters provides instructions and other communications collectively to all departments.

Action category / Action description:
1. Emergency measures: establish the emergency response headquarters; start the cyber-BCP plan (system protection activities); provide instructions to employees.
2. Security PDCA activities to be conducted under normal circumstances: implement PDCA for the security management cycles for products and services, for development and production, and for OT and IoT devices; implement vulnerability countermeasures; carry out the plan for improving robustness (promote measures for improving robustness, assess residual risks, and understand and report to executives the impact of such risks on business); conduct security-enhancement and awareness-building activities for employees.

When an emergency occurs for which the cyber-BCP must be launched, establish the corporate-wide emergency response headquarters and implement measures through collaboration with each BU's and Group company's functions for ensuring the thorough implementation of cybersecurity countermeasures. Each corporate section implements the relevant measures set forth by the emergency response headquarters.
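Phase I rests on monitoring logs that were already being collected, and the report's own Figure 1 is built from propagation packets discarded by the outgoing firewall. The following Python is an added example, not code from the Hitachi report: it parses constructed firewall DROP lines and flags the fan-out pattern a network worm produces (one source reaching many distinct hosts on one port within a short window), which is the signal such a monitoring point can surface early. The key=value log format, host addresses, window and threshold are assumptions chosen for illustration; TCP/445 is used because WannaCry spread over SMB.

```python
"""Fan-out detection over firewall DROP logs (added example, not Hitachi's code).

Log format, addresses, window and threshold below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source sweeps six hosts on TCP/445 in seconds,
# one source retries a single host, one line is ordinary web traffic.
SAMPLE_LOG = """\
2017-05-12T20:01:05 action=DROP src=10.1.5.20 dst=10.1.6.1 dport=445 proto=TCP
2017-05-12T20:01:05 action=DROP src=10.1.5.20 dst=10.1.6.2 dport=445 proto=TCP
2017-05-12T20:01:06 action=DROP src=10.1.5.20 dst=10.1.6.3 dport=445 proto=TCP
2017-05-12T20:01:06 action=DROP src=10.1.5.20 dst=10.1.6.4 dport=445 proto=TCP
2017-05-12T20:01:07 action=DROP src=10.1.5.20 dst=10.1.6.5 dport=445 proto=TCP
2017-05-12T20:01:07 action=DROP src=10.1.5.20 dst=10.1.6.6 dport=445 proto=TCP
2017-05-12T20:01:30 action=DROP src=10.1.7.9 dst=10.1.6.1 dport=445 proto=TCP
2017-05-12T20:02:10 action=DROP src=10.1.7.9 dst=10.1.6.1 dport=445 proto=TCP
2017-05-12T20:03:00 action=DROP src=10.1.8.3 dst=203.0.113.7 dport=80 proto=TCP
2017-05-12T20:30:00 action=DROP src=10.1.5.20 dst=10.1.6.7 dport=445 proto=TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_fanout_sources(log_text, port=445, window=timedelta(minutes=1), min_targets=5):
    """Return {src: (window_start, distinct_targets)} for every source that
    reached at least `min_targets` distinct destinations on `port` within
    any `window`-long span of its DROP events."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological; sliding window below assumes this
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = (evs[start][0], len(targets))
                break  # first qualifying window is enough to raise the alert
    return alerts


if __name__ == "__main__":
    for src, (first_seen, n) in find_fanout_sources(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct hosts on TCP/{445} within 1 min from {first_seen}")
```

A DROP-only feed only sees propagation attempts the firewall blocked; connections that succeeded inside a flat network never reach it, so the same fan-out logic should also be run over allow logs or flow records from internal monitoring points. The threshold and window are environment-specific: backup or inventory servers legitimately talk to many hosts on TCP/445, so known scanners are allow-listed before this rule is put on call.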
