Page 1: D2-02_09 Construction of Next-generation Security Infrastructure to Cope with Next Types of Cyber Attacks

Takehiro Sueta, Kyushu Electric Power Co., Inc., Japan
Haruki Terakura, NEC Corporation, Japan

CIGRE SC D2 Colloquium, November 2013, Mysore - KARNATAKA - INDIA


Page 2: Table of Contents

■ Overview of Security Measures and Current Issues in Japan

■ Background and Purpose

■ Construction of Next-generation Security Infrastructure

■ Overview of Outbound Content Security System Functions

■ Operational Status and Evaluation of Outbound Content Security System

■ Summary and Future Issues

■ Special Report Q&A

Page 3: Overview of Security Measures and Current Issues in Japan

■ Transition of server attacks (earlier -> later stages)

Aims of Attacks:  Mischievous intent, showing off technical skills -> Financial gain intent, obstructive behavior -> Industrial spy activities, confidential information
Attackers:        Individual action -> Small groups, criminals -> Organized groups, spies
Attack Methods:   Hacking, Web falsification -> DoS attacks, spam e-mails, etc. -> Targeted attacks

Attack methods are becoming more sophisticated. This makes it difficult to prevent damage from such attacks with conventional security measures, so a next-generation security infrastructure needs to be constructed.

Page 4: Background and Purpose

■ Security measures in Kyushu Electric Power Company (KEPCO)

[Diagram: inbound communications from external parties (company, public office, customer) over the External Network (Internet) to the servers and PCs inside the company. Security functions at the boundary block illegal access such as attacks against servers, while permitted traffic (access to KEPCO's website, e-mail reception, etc.) passes through; the malware check on PCs uses pattern matching based on comparison with virus definition files.]

However, since these security measures present the risk of allowing unknown malware not identified by virus definition files to infiltrate the company, security measures need to be strengthened.

Page 5: Construction of Next-generation Security Infrastructure

■ KEPCO has introduced an outbound content security system.

This system detects the activities of a PC infected with a bot by constantly monitoring and analyzing communication packets.

[Diagram: the same inbound path as on page 4 (company, public office and customer on the External Network (Internet), security functions, servers, PCs, access to KEPCO's website, e-mail reception, etc.), with the Outbound Content Security System added on the outbound communications from PCs and information processing equipment inside the company to the Internet.]

Page 6: Overview of Outbound Content Security System Functions

[Figure: timeline of bot activities and what the outbound content security system detects at each point]

Bot activities (over time) -> Detection by the outbound content security system
- PC infected with bot -> Not detected
- Communication with the command-issuing server -> Communication detected
- Frequent communication, probably by the bot, and transmission of internal information -> Frequent communication detected

■ A bot-infected PC invariably communicates with the command-issuing server before transmission of internal information.

Breaches of confidential information can be prevented by identifying and investigating the PC that may be infected with a bot at the point at which communication was first detected.

Page 7: Operational Status and Evaluation of Outbound Content Security System

[Figure: detection flow. Outbound traffic to the External Network (Internet) is inspected; "detection of illegal communication" is raised on (1) access to a registered command-issuing server or (2) a registered communication pattern known to be communication from a bot. The System Administrator then identifies the PC and investigates.]

Example of detected communication shown on the slide:

    GET / HTTP/1.1
    USER-AGENT: mozilla/4.0 sbot2.0
    http://xxx.fjdiso.com/ss/cc/cc?v=3&i=f2a3eac8&r=e382d820391ddbcaddefa873802

■ KEPCO launched operation of the outbound content security system in August 2012.

■ So far, a number of incidents have been detected. Since the results of investigations of the PCs concerned showed that they were infected with malware, the malware was eliminated.

The introduction of the outbound content security system has made it possible to discover malware infections from the content of communications, even if the malware is unknown.

Page 8: Summary and Future Issues

■ Summary

The introduction of the outbound content security system has enabled the detection of malware infections even if the malware concerned is unknown and not identified by virus definition files.

As a result, it is now possible to discover the fact of malware infection at an early stage and prevent breaches of confidential information.

■ Future Issues

The outbound content security system overreacts, flagging even normal communications as communications carried out by malware, which increases the system operation workload.

=> We will determine optimum detection criteria to reduce incorrect detections caused by overreaction of the system.
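The detection logic described on pages 6 and 7 (registered command-issuing servers, registered bot communication patterns, and frequent communication from one PC) and the overreaction problem raised above can be illustrated with a small detector run over constructed proxy log lines. This is an added example, not code from the paper or from KEPCO's or NEC's system. It assumes a simple log format (timestamp, client address, method, URL, quoted User-Agent), a registered command-server list, a User-Agent regex derived from the page 7 sample, and a five-minute window with a three-request threshold for "frequent communication". The host xxx.fjdiso.com and the user-agent mozilla/4.0 sbot2.0 come from page 7; the client addresses, benign hosts, timestamps and the allowed_hosts tuning knob are assumptions.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlsplit

Alert = namedtuple("Alert", "rule client host first_seen")

# Constructed outbound proxy log (timestamp, client, method, URL, user-agent).
# The host xxx.fjdiso.com and the user-agent "mozilla/4.0 sbot2.0" are the values
# shown on page 7; every client address, benign host and timestamp is made up.
SAMPLE_LOG = """\
2012-08-20T09:00:00 10.1.2.3 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1)"
2012-08-20T09:00:01 10.1.2.3 GET http://www.example.com/style.css "Mozilla/5.0 (Windows NT 6.1)"
2012-08-20T09:00:10 10.1.2.9 GET http://update.example.org/check "UpdateAgent/1.0"
2012-08-20T09:00:30 10.1.2.7 GET http://xxx.fjdiso.com/ss/cc/cc?v=3&i=f2a3eac8&r=e382d820391ddbcaddefa873802 "mozilla/4.0 sbot2.0"
2012-08-20T09:01:10 10.1.2.9 GET http://update.example.org/check "UpdateAgent/1.0"
2012-08-20T09:01:30 10.1.2.7 GET http://xxx.fjdiso.com/ss/cc/cc?v=3&i=f2a3eac8&r=e382d820391ddbcaddefa873802 "mozilla/4.0 sbot2.0"
2012-08-20T09:02:10 10.1.2.9 GET http://update.example.org/check "UpdateAgent/1.0"
2012-08-20T09:02:30 10.1.2.7 GET http://xxx.fjdiso.com/ss/cc/cc?v=3&i=f2a3eac8&r=e382d820391ddbcaddefa873802 "mozilla/4.0 sbot2.0"
"""

# Page 7 criterion 1: registered command-issuing servers (the list itself is assumed).
C2_HOSTS = {"xxx.fjdiso.com"}
# Page 7 criterion 2: registered communication pattern of a bot, here matched against
# the User-Agent header (the regex is an assumption built from the slide's sample).
BOT_UA_PATTERNS = [re.compile(r"\bsbot\d+(\.\d+)?\b", re.IGNORECASE)]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def parse_log(text):
    """Yield (timestamp, client, host, user_agent) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, ua = m.groups()
        host = urlsplit(url).hostname
        if host is None:
            continue
        yield datetime.fromisoformat(ts), client, host.lower(), ua


def is_c2_host(host, c2_hosts):
    """Exact or subdomain match against the registered command-issuing servers."""
    return any(host == c or host.endswith("." + c) for c in c2_hosts)


def detect(text, c2_hosts=C2_HOSTS, bot_patterns=BOT_UA_PATTERNS,
           window=timedelta(minutes=5), min_requests=3, allowed_hosts=frozenset()):
    """Return a sorted, de-duplicated list of Alerts for the three detection rules."""
    seen = {}                      # (rule, client, host) -> earliest timestamp
    per_pair = defaultdict(list)   # (client, host) -> request timestamps

    def add(rule, client, host, ts):
        key = (rule, client, host)
        if key not in seen or ts < seen[key]:
            seen[key] = ts

    for ts, client, host, ua in parse_log(text):
        if is_c2_host(host, c2_hosts):
            add("registered_c2_server", client, host, ts)
        if any(p.search(ua) for p in bot_patterns):
            add("registered_bot_pattern", client, host, ts)
        per_pair[(client, host)].append(ts)

    # Page 6 criterion: frequent communication from one PC to one host within a window.
    # allowed_hosts is the tuning knob page 8 calls for: known-good frequent talkers
    # (update checkers etc.) are excluded to cut incorrect detections.
    for (client, host), stamps in per_pair.items():
        if host in allowed_hosts:
            continue
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= min_requests:
                add("frequent_communication", client, host, stamps[i])
                break

    return sorted(Alert(r, c, h, t) for (r, c, h), t in seen.items())


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.first_seen.isoformat(), a.rule, a.client, a.host)
    print("--- with the update host allow-listed ---")
    for a in detect(SAMPLE_LOG, allowed_hosts={"update.example.org"}):
        print(a.first_seen.isoformat(), a.rule, a.client, a.host)
```

Run as written, the first pass raises four alerts: the bot-infected PC 10.1.2.7 is caught by all three rules at 09:00:30, the moment of its first command-server contact, while the benign update checker on 10.1.2.9 is caught by the frequency rule alone. That second alert is exactly the overreaction the Future Issues paragraph describes; allow-listing known-good frequent talkers, raising min_requests, or tightening the window are the detection-criteria adjustments an operator can make, and the second pass shows the allow-list removing the false positive without losing the real detection.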

Page 9: Special Report Q&A

■ Q2-1: Will standardising communication protocols to support constant exchange of information and control commands between external consumers, their appliances and utilities help prevent security incidents?

=> (Answer) No, we don't think so. We think it will increase the possibility of security incidents, because:
- Acquisition of technical skills related to standardised communication protocols is easier than for unique protocols.
- Exploitation techniques will also become common knowledge.
- Presently, attackers use common communication protocols such as HTTP and FTP to issue commands to, or steal confidential information from, PCs they have successfully hacked.
- In the future, if communication protocols are standardised, the possibility of exploitation by attackers will increase, as we see nowadays.