"The 4th Economic Security Seminar" held


On November 25, 2024, the "4th Economic Security Seminar" was held in web format, hosted by the Economic Security Task Force (Economic Security TF) of the Pharmaceutical Manufacturers Association of Japan (PMAJ) Industrial Policy Committee. Aimed at companies that are members of the Pharmaceutical Manufacturers Association of Japan (PMAJ), the seminar was attended by 82 people. Mr. Hayato Sasaki, Policy Director and Early Warning Group Manager, JPCERT Coordination Center (JPCERT/CC), gave a presentation on "The Latest Trends of Cyber Threats and the Pharmaceutical Industry".

Background of the Meeting

The Economic Security TF was established in October 2021, and has been focusing on the impact of a wide range of economic security issues on the industry. The TF has established three sub-teams (Supply Chain, R&D, and Cyber Security) to exchange opinions with relevant ministries and agencies, respond to public comments on laws and regulations, and provide information to member companies by holding seminars.

Among these, cyber security risks have recently become a major risk to corporate management in terms of economic security, and the cyber security team has taken the lead in organizing a seminar for the member companies of the Pharmaceutical Association of Japan.

Opening remarks

On the occasion of the "4th Economic Security Seminar"

Michihisa Tanifuji, Chairman, Industrial Policy Committee

We have experienced a global pandemic for a little more than three years since 2020. We realized the importance of prompt research and development of medicines such as vaccines and treatments, and the supply chain to ensure their delivery to everyone around the world. With our outings further restricted, we enjoyed the benefits of digital technology and the Internet, but we also faced new threats from the abuse and misuse of cyberspace. Cyber security is now a management-level risk. I am confident that this presentation will be thought-provoking for all of you.

Lecture

Latest Trends of Cyber Threats and the Pharmaceutical Industry

Threat Analyst, Director of Policy and Manager of Early Warning Group, JPCERT Coordination Center (JPCERT/CC),
Specially Appointed Researcher, Cyber Security Office, Policy Research Department, National Institute for Defense Studies
Mr. Hayato Sasaki


Today's presentation will focus on how to minimize damage in the unfortunate event of a cyber attack.

First, I would like to introduce JPCERT/CC. In many countries around the world, neutral organizations exist spontaneously to promote the improvement of information security in their countries, and JPCERT/CC is the Japanese version of such organizations. JPCERT/CC is responsible for operations and contact points that require initial emergency response and international cooperation in the event of an information security-related incident (Figure 1).

Figure 1. Introduction of JPCERT/CC

In terms of the relationship between economic security and pharmaceutical companies, several antimicrobial agents have been designated as Specified Critical Goods in the context of supply chain resilience, and the Ministry of Health, Labour and Welfare (MHLW) has published a "Policy for Measures to Ensure Stable Supply of Antimicrobial Substance Preparations". The policy also includes a section on ensuring cyber security, but we do not believe that simply responding to this section is sufficient to deal with the threats that are now before your very eyes. Therefore, we believe it is necessary to take measures from a slightly different perspective, which we will introduce here.

First, I will explain cyber-attacks that have an impact on security.

The upper part of "Purpose of attack/type of actor" on the left of Figure 2 is related to state-level armed attacks and exploitation of sensitive information, and these attack groups may plan and execute attacks without regard to profitability compared to criminal groups with financial objectives.

On the other hand, the lower part is about information exploitation for monetary purposes and ransomware attacks, which are determined by specific groups based on cost-effectiveness.

Figure 2. What is a cyber attack affecting security?

In the United States, three years ago, a ransomware attack on Colonial Pipeline Company, which is responsible for about half of the fuel supply on the East Coast of the United States, shut down one of the largest pipelines in the country. The attack was probably carried out for monetary or other purposes. This was the beginning of a growing concern about the relationship between supply chains and cybersecurity in the U.S. from an economic security perspective. Thus, even a cyber attack by a non-state criminal group can affect national security. Generally, such criminal groups launch multiple attacks in a cost-effective manner. In response to such attacks, we tend to unconsciously imagine our own "probability of being attacked," but there is a gap in our perception of the "encounter rate" of attacks here. For example, when a vulnerability is discovered in a certain network device, it is often announced that "XX% of the devices have been attacked." However, the attack continues even after the announcement. If the company that uses the device does not promptly address the vulnerability, the likelihood that it will eventually become a victim will increase. In other words, just because the "encounter rate" is low does not mean that the risk of damage is also low; it is "just a matter of time" before a breach occurs and damage is sustained. Recently, damage tends to occur not only in organizations that hold confidential information such as personal data, but also in a wider range of organizations. The reason for this is the increasing number of attacks that exploit the vulnerabilities of network devices. It is important to be aware of all network devices connected to the Internet, and to manage and deal with them appropriately.

The number of cases in which vulnerabilities are exploited has also changed. In the past, it was common for companies to take corrective action within a few days after an alert was issued by the manufacturer or a specialized organization. However, the timing of vulnerability exploits is accelerating. Under these circumstances, it is important to investigate whether or not a vulnerability has been compromised at the same time as responding to the vulnerability, as it may have already been compromised.

Here are some trends in attacks and criminal groups.

Figure 3 is an excerpt from a report issued by Cisco in May 2012.

The group named "Lilac Squid" has been active since around 2009. A number of attacks targeting U.S. software vendors, the European energy sector, and Asian pharmaceutical companies have been confirmed.

Figure 3. APTs targeting the pharmaceutical industry: LilacSquid

Furthermore, from the Mandiant report in Figure 4, we present APT43, a criminal group organized in North Korea, which is believed to have been engaged in activities to collect Corona-related information, as it targeted healthcare-related organizations and pharmaceutical companies around 2009. We hypothesize that they may be concentrating their targeting according to the interests of higher-level organizations (e.g., governments).

Figure 4. APTs targeting the pharmaceutical industry: APT43

One of the recent trends among these criminal groups for the purpose of information exploitation is that they are also involved in ransomware attacks for the purpose of self-financing their activities. There is also a possibility that ransomware attacks may be launched to cover their tracks or to disrupt the attacked organization after the exploitation has been completed. The situation is becoming more complex.

Against this background, when a company is hit by a ransomware attack, it is necessary to identify the ransomware and actors as much as possible and investigate whether or not information has been exploited before attempting to recover it.

I will then speak from the perspective of active cyber defense (ACD), which is being promoted by the government (Figure 5).

Figure 5. What will change with "active cyber defense"

The 2022 National Security Strategy indicates that "telecommunication data held by telecommunication carriers should be used to detect signs of cyber attacks earlier," "the information coordination system between the public and private sectors should be strengthened so that the government can receive information earlier," and further, "if signs of an attack are detected earlier, the attack should be stopped/rendered harmless." This is a proactive approach that minimizes damage by detecting and responding to cyber attacks at an early stage, rather than preventing them altogether. There have already been cases announced, mainly in North America, where telecommunication carriers and network equipment providers have been able to detect attacks at an early stage based on the information they possess, preventing the spread of damage.

However, by detecting and responding to attacks at an early stage, there are more cases where companies and sites do not leave sufficient traces of the attacks. As a result, it is difficult to present a complete picture when reporting damage to authorities. Specifically, there is an increased possibility of miscommunication due to differences in the positions of the cyber experts who claim to have minimized the damage caused by the attack, the authorities who claim that the attack itself took place, and the companies that stand in between. I think it is also necessary for the authorities to rethink their approach to attacks and damage.

In March 2011, the "Guidance for Sharing and Disclosure of Information on Cyber Attack Damage" was released with the aim of preventing problems such as miscommunication (Figure 6). It provides guidance on what kind of information to share, when to share and disclose it, and to whom. Please take a look at it.

Figure 6. "Guidance for Sharing and Publicizing Information on Cyber Attack Damage"

In addition, in March 2023, the Ministry of Economy, Trade and Industry (METI) and we (JPCERT/CC) jointly prepared and published "Guidance on Handling and Utilization of Attack Technical Information." The former guidance is written from the perspective of victim organizations. On the other hand, the latter guidance is from the perspective of security vendors and system maintenance vendors who support the affected organizations. The latter guidance is intended to help vendors who support the affected organizations to deal with the attacks more quickly by sharing information with security organizations and other vendors on behalf of the affected organizations.

JPCERT/CC provides such guidance, and has also established a consultation service for "first responders" such as IT vendors who support initial response. We hope that you will use us as a second opinion in gathering information on cyber risks and resolving cyber attacks as early as possible.

Questions and Answers

After the lecture, the participating companies asked Mr. Sasaki many questions, and he provided the following valuable comments.

  • In the process from the initial response to cyber attack to the disclosure of damage, risk management and legal departments, in addition to IT departments, often have contact with JPCERT/CC.
  • When a cyber-attack is confirmed, "sharing" the information to JPCERT/CC and other specialized security organizations to obtain risk and technical information will lead to early resolution of the problem.
  • Since many criminal groups target specific industries, it is effective to share risk information within the industry.
  • It is important to communicate with authorities on a regular basis so that reports of cyber attacks can be communicated to the competent authorities without miscommunication.

(Katsuhito Iwai, Cyber Security Subteam, Economic Security Task Force, Industrial Policy Committee)
