Feature Articles: Cybersecurity-related R&D to Counter Global Threats
Efforts to Achieve a Joint Risk Management Support System
At NTT Secure Platform Laboratories, we are developing technology to support joint risk management and incident response based on unified chain of command and control in order to respond to the expanding global threat of cyber-attacks and physical emergencies such as natural disasters and accidents. This article introduces our efforts aimed at implementing a risk management/incident response management support system that can be applied in the event of risks of any kind.
Keywords: risk management, incident response, WebEOC
Throughout the world, great losses are suffered due to the frequent occurrence of large-scale natural disasters, accidents, and terrorist incidents. It is necessary to achieve cooperation between organizations and governments, and consequently, there is a growing movement to standardize incident response measures. Thus, in autumn 2011, the ISO*1 22320 international standard was established to define the requirements for incident response. In 2013, this was also adopted as a Japanese standard (JIS*2 Q 22320), and it is thought that it will form the basis for future standardization in Japan’s domestic incident response measures, which have so far been implemented in a non-unified way by various local governments and institutions. To respond to the threat of natural disasters such as floods, volcanic eruptions, and major earthquakes, it is important that government, businesses, and people work together to implement disaster risk reduction and mitigation measures.
With the arrival of the Internet of Things (IoT), in which more and more objects are being connected to the Internet, and the cyber-physical integrated society, where cyberspace and the physical world are integrated in an advanced fashion, the Japanese government is working on the implementation of a new cybersecurity strategy. In particular, during large-scale international events such as the Olympic and Paralympic Games, there is an urgent need for countermeasures to the increased threat of global terrorist cyber-attacks that involve both physical-world and cyberspace elements.
In the past, various organizations have responded to different types of emergencies such as natural disasters, terrorism, and cyber-attacks, but in the future it will be necessary to develop risk management and incident response mechanisms that have a broader outlook and draw no distinction between physical-world and cyberspace incidents. In this article, we discuss the concept of joint risk management as the way forward for risk management and incident response measures, and we introduce our research and development (R&D) efforts aimed at realizing systems to support this concept.
2. Preparing for complex crises
Thus far, different types of emergencies have been handled by different organizations. For example, cyber-attacks are handled by security operation centers, natural disasters and accidents are dealt with by emergency operation centers, and pandemics are dealt with by general affairs departments. However, with the arrival of the IoT and the increasing sophistication of cyber-attack techniques, we can expect to see an increased incidence of complex crises such as cyber-attacks launched on top of natural disasters, or cyber-attacks causing other physical-world incidents. For example, an attacker might take advantage of a sudden unexpected downpour (natural disaster) during an event such as the Olympic and Paralympic Games in order to launch a cyber-attack on the organizations responding to this disaster. This might be carried out by crafting malware designed to attack infrastructure organizations and sending it in a targeted email supposedly connected with the disaster response efforts, thereby damaging the infrastructure facilities and creating further confusion (Fig. 1). Even though these individual events should be dealt with by the corresponding organizations and departments, the occurrence of this sort of complex crisis could cause responders to lose focus by making it impossible to grasp the overall incident situation, resulting in suspension of the event and huge human and financial losses.
3. Joint risk management concept
The occurrence of complex crises involving cyber-attacks coupled with physical-world events such as disasters and accidents is expected to increase in the future, so it is important to deal with this sort of incident with a joint response that takes a bird’s-eye view of the entire situation beyond the boundaries between separate organizations.
An illustration of the joint risk management concept is shown in Fig. 2. By joining and centralizing the handling of operational information (information for the implementation of response measures) and knowledge (external information that adds value to disaster response efforts) that was previously handled by separate organizations, it is possible to achieve efficient cooperation between these organizations. Furthermore, incorporating the conventional response organizations into a joint intelligence center makes it possible to carry out operations under a unified command.
To turn this joint risk management concept into reality, it is essential to consider the following viewpoints:
(1) To achieve unified command through cooperation between multiple organizations, we need to establish management processes to coordinate activities between organizations and implement effective decision-making and response measures based on a standardized management flow.
(2) To share information efficiently between organizations, we need to establish a standard operating procedure (SOP) for field activities and implement field operations using unified tools.
(3) To implement a common operational picture (COP) of the situation across multiple organizations, it is necessary to present operational information and knowledge in an integrated manner.
4. Plan, Do, See system concept
At NTT’s laboratories, we have already developed an emergency management support system to increase the efficiency of responding to incidents, especially natural disasters. This system implements management functions conforming to the ISO 22320 international standard based on crisis management software that runs on the web (WebEOC).
The operational information needed for incident response is broadly divided into fixed-format (collected using information-gathering forms) and free-format (free description) types, and is presented as an overview from three views (Plan, Do, and See) to support an efficient incident response.
In implementing joint risk management, we should build on the functions achieved with this system in order to strengthen the cooperation between organizations by expanding their scope to encompass risks of all kinds (including cyber-attacks). This system concept is illustrated in Fig. 3.
(1) Plan (What should we do now?)
To support overall management, an Operational Planning “P” (an international standard incident response process) is developed with a checklist (SOP) for each phase (Fig. 4). This process must be organized so that policies and planning decisions can be made in a unified manner by all related organizations, regardless of the type of incident.
(2) Do (What are we doing now?)
By introducing unified management of free-format information that was previously conveyed by phones (oral communication), white boards, and the like in field operations, we can provide status checks and displays based on an operational flow defined as an SOP so that the state of progress can be rapidly ascertained. The way in which this information is used is thought to differ according to the characteristics of the incident. For example, in the case of a natural disaster, a huge amount of work is created at the time of the incident, so it is important to support viewpoints that prevent leakage of shared information. In the case of cyber-attacks, however, small-scale events have to be dealt with on a daily basis, so it is thought to be necessary to support objectives such as increasing the efficiency of progress management and optimizing the control of access to shared information.
(3) See (What is happening now?)
An overall view of the damage situation and response status is facilitated by presenting information in the form of maps and dashboards. When complex crises occur, there will be a need for information presentation methods that can provide a joint overview of the current situation to the organizations responding to each incident.
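As an added illustration that is not part of the NTT article or its WebEOC-based system, the following Python sketch models the three views described above: a per-phase SOP checklist (Plan), free-format field reports constrained to an SOP-defined status flow (Do), and an organization-scoped overview with access control on shared information (See). The status flow, checklist items, organization names (EOC, SOC, JIC) and report contents are all assumptions constructed for this example.

```python
"""Added example (not the article's code): a minimal Plan/Do/See model.
Plan = SOP checklist per phase; Do = free-format field reports moving along
an SOP-defined status flow; See = overview filtered by sharing controls.
All names, phases and statuses below are hypothetical."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed SOP operational flow: the only status transitions a report may take.
SOP_FLOW = {"reported": {"assigned"}, "assigned": {"in_progress"},
            "in_progress": {"resolved", "assigned"}, "resolved": set()}

@dataclass
class Report:
    """Free-format field report (information once passed by phone or whiteboard)."""
    rid: int
    org: str                       # owning organization, e.g. SOC or EOC
    text: str
    shared_with: set = field(default_factory=set)   # organizations allowed to read it
    status: str = "reported"

    def advance(self, new_status: str) -> None:
        """Move along the SOP flow; reject any step the SOP does not define."""
        if new_status not in SOP_FLOW[self.status]:
            raise ValueError(f"SOP forbids {self.status} -> {new_status}")
        self.status = new_status

def plan_gaps(checklist: dict, done: set) -> dict:
    """Plan view: checklist items per phase that are not yet completed."""
    return {phase: [i for i in items if i not in done]
            for phase, items in checklist.items() if set(items) - done}

def visible(reports: list, org: str) -> list:
    """Access control on shared information: own reports plus explicit shares."""
    return [r for r in reports if r.org == org or org in r.shared_with]

def see_overview(reports: list, org: str) -> dict:
    """See view: progress counts over the reports an organization may observe."""
    return dict(Counter(r.status for r in visible(reports, org)))

# Constructed sample data for a complex crisis (downpour plus targeted e-mail).
CHECKLIST = {"understand": ["confirm damage area", "confirm IT impact"],
             "plan": ["issue joint policy"]}
REPORTS = [Report(1, "EOC", "station flooded", {"SOC", "JIC"}),
           Report(2, "SOC", "suspicious disaster-relief mail", {"JIC"}),
           Report(3, "SOC", "patch status, internal only")]
```

The JIC here stands in for the joint intelligence center of Section 3: it sees what each organization chose to share, while the SOC's internal report stays out of the joint picture.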
5. Future prospects
At NTT’s laboratories, in addition to advancing our R&D aimed at achieving joint risk management by solving the above issues, we aim to enable the NTT Group to provide total risk management and incident response solutions that facilitate efficient cooperation between organizations by allowing existing NTT Group products to cooperate with the products of other vendors that conform to a wide variety of standard specifications. We will also make use of this technology and other incident response know-how cultivated by the NTT Group in order to contribute to the realization of a society resilient to disasters.