In response to the recent increase in cyberattacks on IoT devices, companies that develop and manufacture devices are required to establish PSIRTs responsible for security measures throughout the entire product lifecycle. In many cases, however, it is difficult for them to implement and operate such systems on their own because they lack staff with the required security expertise. Drawing on its experience in providing a wide range of solutions as an IT vendor, and on its proven results and knowledge from building security organizations and improving governance as a manufacturer, Hitachi provides a PSIRT solution that supports customers from implementation through to operation of the PSIRT. This article describes Hitachi’s initiatives for ensuring product security and the solutions it offers.
With the proliferation of Internet-connected home appliances and connected cars, the risk of cyberattacks targeting Internet of Things (IoT) devices that incorporate open source and other technologies is increasing.
A number of vulnerabilities have been found that have a significant impact on manufacturers. For example, a US automaker found a vulnerability that could allow remote control of brakes, engine, and door unlocking and locking, while a medical pacemaker manufacturer identified a vulnerability that could cause heartbeat malfunction.
Against this backdrop, companies are also required to comply with global security laws and regulations to ensure the security of their products and services. They are strongly expected to establish a system that promptly identifies the causes of vulnerabilities and security incidents in their products and services, takes action, and discloses information.
This is where the product security incident response team (PSIRT) comes into play. While the computer security incident response team (CSIRT) is an internal system and organization that responds to cyberattacks, the PSIRT is an internal system and organization that responds to security incidents related to the company’s own products.
The role of PSIRTs is to conduct security risk management over the entire product lifecycle and supply chain, including development, manufacturing, and market (after-sales service), and to minimize the damage and impact when incidents occur in shipped products (see Figure 1).
Figure 1 — PSIRT and Product Lifecycle: Security risk management is implemented for the entire product lifecycle, including development, manufacturing, and market (after-sales service).
Since 1998, Hitachi has established a system for PSIRT activities and has been implementing initiatives to deal with vulnerabilities in its products and services and to manage and improve the security quality of its products and services.
PSIRT activities are implemented through coordination and cooperation with the product development departments that provide the products and services, system integration/service departments for customers, the PSIRT department that supports these initiatives, quality assurance departments, information security management departments, and other related departments. The product development departments and system integration/service departments should build security into the product or service, take action on disclosed vulnerabilities, and respond to incidents. The PSIRT department mainly coordinates the technical aspects in PSIRT activities, provides knowledge, and develops security enhancement measures in coordination and cooperation with related departments (see Figure 2).
Figure 2 — Overview of PSIRT Initiative System: PSIRT activities are implemented through coordination and cooperation with external system integration/service departments, product development departments, PSIRT departments, and related departments.
In support of product development departments and system integration/service departments, the PSIRT department promotes two activities: (1) Pre-emptive measures against cyber threats, and (2) Enhanced resilience to cyberattack. An overview of each initiative is presented below.
Figure 3 — Overview of Hitachi’s PSIRT Solution: Hitachi provides consulting solutions aimed at strengthening the governance of customer companies, and platform and operation solutions aimed at reducing the operational burden on customers, speeding up incident response, and eliminating dependence on individual skills.
This chapter describes the Hitachi PSIRT solution, which utilizes Hitachi’s experience in providing solutions as an IT vendor and its expertise in building security organizations and maintaining governance as a manufacturer.
Figure 3 shows an overview of the Hitachi PSIRT solution. The Hitachi PSIRT solution is divided into consulting solutions and platform and operation solutions, and this section provides an overview of each solution type. Examples of customer applications of each solution will also be presented.
Figure 4 — Application Example of PSIRT Planning: To help customers set up their PSIRT, Hitachi examines how things should be after an assessment of the current situation, and supports the preparation of organizational concepts and various work procedure manuals.
Figure 5 — Application Example of Threat Intelligence Service and Operation Platform: The work of collecting and sorting information for customers’ PSIRTs is outsourced to Hitachi, which provides technical explanations of the collected information in the form of reports.
This article described Hitachi’s own efforts and the solutions it offers to its customers for security measures against threats that are increasing as products become more IoT-compatible and connected.
In the future, Hitachi will expand its solutions by focusing on upgrading and automating PSIRT operation to include a product security operation center (PSOC), which monitors and responds to attacks on products in real time, and security orchestration, automation, and response (SOAR), which monitors security incidents and makes decisions efficiently on a common platform.