Start of demonstration experiment assuming cyber attack on office building

Emergence of security issues in building automation systems and implementation of countermeasures


SoftBank Technology Corp.
Cybertrust Japan Co., Ltd.

SoftBank Technology Corp. (Headquarters: Shinjuku-ku, Tokyo, President: Shinichi Ata, hereinafter referred to as "SBT") and Cybertrust Japan Co., Ltd. (Headquarters: Shinjuku-ku, Tokyo, President: Shinichi Ata, hereinafter referred to as "Cybertrust Japan") are pleased to announce that, jointly with Takenaka Corporation (Headquarters: Chuo-ku, Osaka, President: Masahiro Miyashita, hereinafter referred to as "Takenaka Corporation"), they will conduct a demonstration experiment of security vulnerability diagnosis of IoT devices in building automation systems*1 (hereinafter referred to as "building automation").
In this demonstration experiment, we will attempt to intrude into building automation from building automation system-related equipment and in-house systems owned by Takenaka Corporation, and conduct vulnerability assessments assuming unauthorized access and information leakage.

Image diagram of vulnerability diagnosis

Background of the demonstration experiment
Nowadays, various devices are connected to the Internet and are used as IoT devices in many situations such as home appliances and social infrastructure. It is expected that social needs for IoT will continue to grow, and the Ministry of Internal Affairs and Communications has announced that the number of IoT devices will increase to 30 billion by 2020*2.
In buildings, various devices such as air conditioning equipment, electrical equipment, and various sensors are connected to networks, and buildings are becoming increasingly IoT-enabled. As building automation, these devices contribute to the energy saving of the entire building, and it is predicted that the demand for energy saving and the market size for buildings will continue to increase due to compliance with the revised Energy Saving Act and the spread of IoT devices*3.
However, as devices connect to the Internet, devices that were previously not targets of cyberattacks have become targets, and there have been reports of damage such as hijacking and suspension of use of IoT devices through exploitation of their vulnerabilities. In response, the Ministry of Internal Affairs and Communications conducted vulnerability diagnosis for important IoT devices in September 2017*4, and in October 2017 comprehensive measures for IoT security were announced*5; security measures for IoT devices are gaining momentum.
Under these circumstances, the three companies will conduct IoT vulnerability security diagnosis of building automation, identify security issues with IoT devices in building automation, and consider countermeasures.

Role of each company
■ SBT
After formulating vulnerability hypotheses and diagnosing vulnerabilities for building automation in general, we provide countermeasures and solutions from the device level to the network level and remote monitoring.

■ Cybertrust Japan
Conducting IoT vulnerability diagnosis, reporting results and considering countermeasures.
Providing technical support for cyber exercise procedures and evaluations, as well as high security measures for important equipment.

■ Takenaka Corporation
Researching and considering security focus points in building automation and conducting vulnerability diagnosis in real environments.
Considering countermeasures after vulnerability diagnosis and considering the implementation of security measures for future new buildings.

Diagnosis overview
■ SBT
Detects vulnerabilities and latent factors hidden in devices, controllers, and networks to prevent unauthorized access and information leaks. The demonstration experiment is scheduled to run from November 2017 to December 2017.

■Main diagnosis items (planned)

1. Research on input/output processing: Unauthorized access to sensing information for various subsystems and control controllers, tampering with parameters, etc.
2. Research on authentication: Login forms, login error messages, sending and receiving login/personal information, etc.
3. Research on authorization: Privilege escalation, access to unauthorized information, etc.
4. Research on control: Possibility of starting, stopping, hijacking, and unauthorized control of PLCs, controllers (control panels), and central control room equipment
5. Research on external ports: Intrusion from device serial ports, malicious code insertion, possibility of leakage, etc.

About the future
■ SBT
Based on the results of this demonstration experiment, SBT, Cybertrust Japan, and Takenaka Corporation will jointly strengthen security measures for building automation and strive to improve security awareness in the EMS (energy management system) market, including building automation.

*1 Building automation system: An information system that comprehensively monitors, manages, and controls a wide variety of equipment in buildings (electrical equipment, air conditioning equipment, disaster prevention and security equipment, mechanical equipment such as elevators). By monitoring the operational status of equipment and recording and managing operational information in an integrated manner, it is possible to ensure safety within buildings, promote energy conservation, strengthen crime prevention, and save labor in administrative tasks.
*2 Ministry of Internal Affairs and Communications “2017 Information and Communications White Paper”: http://www.soumu.go.jp/johotsusintokei/whitepaper/ja/h29/html/nc133100.html
*3 Fuji Keizai: “Investigating the domestic market for BEMS, BAS, ESP, and FEMS energy solutions”: https://www.fuji-keizai.co.jp/market/16081.html
*4 Ministry of Internal Affairs and Communications, “Implementation of vulnerability surveys, etc. related to IoT devices”: http://www.soumu.go.jp/menu_news/s-news/02ryutsu03_04000088.html
*5 Ministry of Internal Affairs and Communications, “Announcement of ‘Comprehensive IoT Security Measures’”: http://www.soumu.go.jp/menu_news/s-news/01ryutsu03_02000126.html

Contact information for inquiries from media regarding this matter

○ SoftBank Technology Corp. Corporate Planning Department Corporate Communication Group
Email: sbt-pr@tech.softbank.co.jp