
D2-02_09 Construction of Next-generation Security Infrastructure to Cope with Next Types of Cyber Attacks Takehiro Sueta Kyushu Electric Power Co., Inc.


1 D2-02_09 Construction of Next-generation Security Infrastructure to Cope with Next Types of Cyber Attacks
Takehiro Sueta, Kyushu Electric Power Co., Inc., Japan
Haruki Terakura, NEC Corporation, Japan
CIGRE SC D2 Colloquium, November 2013, Mysore - KARNATAKA - INDIA

2 Table of Contents
■ Overview of Security Measures and Current Issues in Japan
■ Background and Purpose
■ Construction of Next-generation Security Infrastructure
■ Overview of Outbound Content Security System Functions
■ Operational Status and Evaluation of Outbound Content Security System
■ Summary and Future Issues
■ Special Report Q&A

3 Overview of Security Measures and Current Issues in Japan
■ Transition of server attacks.
Aims of attacks: mischievous intent, showing off technical skills -> financial gain intent, obstructive behavior -> industrial spy activities, confidential information
Attackers: individual action -> small groups, criminals -> organized groups, spies
Attack methods: hacking, Web falsification -> DoS attacks, spam e-mails, etc. -> targeted attacks
Attack methods are becoming more sophisticated. This makes it difficult to prevent damage from such attacks by using conventional security measures and therefore, construction of the next-generation security infrastructure is required.

4 Background and Purpose
■ Security measures in Kyushu Electric Power Company (KEPCO)
[Diagram labels: Company, Public Office, Customer; External Network (Internet); Security functions; Inside the Company: Servers, PC. Inbound communications: access to KEPCO’s website, e-mail reception, etc. Illegal access such as an attack against servers: blocked. Malware check on PC: pattern matching based on comparison with virus definition files.]
However, since these security measures present the risk of allowing unknown malware not identified by virus definition files to infiltrate the company, security measures need to be strengthened.

5 Construction of Next-generation Security Infrastructure
■ KEPCO has introduced an outbound content security system. This system detects the activities of a PC infected with a bot by constantly monitoring and analyzing communication packets.
[Diagram labels: Company, Public Office, Customer; External Network (Internet); Security functions; Outbound Content Security System; Inside the Company: Servers, PC, Information processing equipment. Inbound communications: access to KEPCO’s website, e-mail reception, etc. Outbound communications.]

6 Overview of Outbound Content Security System Functions
■ A bot-infected PC invariably communicates with the command-issuing server before transmission of internal information. Breaches of confidential information can be prevented by identifying and investigating the PC that may be infected with a bot at the point at which communication was first detected.
[Diagram labels: Time; Bot activities; PC infected with bot; Communication with the command-issuing server; Frequent communication probably by bot and transmission of internal information; Detection by the outbound content security system: Not detected, Communication detected, Frequent communication detected.]

7 Operational Status and Evaluation of Outbound Content Security System
■ KEPCO launched operation of the outbound content security system in August 2012.
■ So far, a number of incidents have been detected. Since the results of investigations of the PCs concerned showed that they were infected with malware, the malware was eliminated.
[Diagram labels: Detection of illegal communication; External Network (Internet); Access to a registered command-issuing server; Registered communication pattern as communication from bot; System Administrator; Identification of PC and investigation. Sample request shown on the slide:]
    GET / HTTP/1.1
    USER-AGENT: mozilla/4.0 sbot2.0
    http://xxx.fjdiso.com/ss/cc/cc?v=3&i=f2a3eac8&r=e382d820391ddbcaddefa873802
The introduction of the outbound content security system has made it possible to discover malware infections from the content of communications, even if the malware is unknown.
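The two detection triggers named on this slide (access to a registered command-issuing server, and a registered communication pattern) can be sketched as follows. This is an added example, not code from the presentation or from KEPCO's system; the log format, the PC addresses and the regular expression are assumptions, and only the host name and User-Agent string come from the slide's sample request.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators registered by the administrator (values from the slide's sample request).
REGISTERED_SERVERS = {"xxx.fjdiso.com"}
REGISTERED_PATTERNS = [re.compile(r"\bsbot\d", re.IGNORECASE)]  # assumed pattern

# Constructed proxy log, tab-separated: time, source PC, URL, User-Agent.
SAMPLE_LOG = "\n".join([
    "2012-08-20T09:00:01\t10.1.4.23\thttp://www.example.com/\tMozilla/4.0 (compatible; MSIE 8.0)",
    "2012-08-20T09:02:10\t10.1.7.88\thttp://xxx.fjdiso.com/ss/cc/cc?v=3&i=f2a3eac8\tmozilla/4.0 sbot2.0",
    "2012-08-20T09:02:40\t10.1.7.88\thttp://xxx.fjdiso.com/ss/cc/cc?v=3&i=f2a3eac8\tmozilla/4.0 sbot2.0",
    "2012-08-20T09:05:00\t10.1.9.5\thttp://www.example.org/\tmozilla/4.0 sbot2.0",
    "2012-08-20T09:06:00\t10.1.4.23\thttp://www.example.com/news\tMozilla/4.0 (compatible; MSIE 8.0)",
])

def reasons_for(url, user_agent):
    """Return the set of reasons an outbound request matches a registered indicator."""
    reasons = set()
    host = (urlsplit(url).hostname or "").lower()
    if host in REGISTERED_SERVERS:
        reasons.add("registered-server")
    if any(p.search(user_agent) for p in REGISTERED_PATTERNS):
        reasons.add("registered-pattern")
    return reasons

def detect(log_text):
    """Group matching requests by source PC so each PC can be investigated."""
    findings = defaultdict(lambda: {"first_seen": None, "hits": 0, "reasons": set()})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        when, pc, url, user_agent = fields
        reasons = reasons_for(url, user_agent)
        if not reasons:
            continue
        entry = findings[pc]
        # ISO 8601 timestamps sort lexicographically, so string comparison is enough.
        if entry["first_seen"] is None or when < entry["first_seen"]:
            entry["first_seen"] = when
        entry["hits"] += 1
        entry["reasons"] |= reasons
    return dict(findings)

if __name__ == "__main__":
    for pc, info in sorted(detect(SAMPLE_LOG).items()):
        print(pc, info["first_seen"], info["hits"], sorted(info["reasons"]))
```

The third PC in the constructed log matches only the communication pattern, which is the case that lets an unregistered server be found from the content of the communication alone.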

8 Summary and Future Issues
■ Summary
The introduction of the outbound content security system has enabled the detection of malware infections even if the malware concerned is unknown and not identified by virus definition files. As a result, it is now possible to discover the fact of malware infection at an early stage and prevent breaches of confidential information.
■ Future Issues
The outbound content security system overreacts to and detects even normal communications as communications carried out by malware, resulting in increased system operation workload.
=> We will determine optimum detection criteria to reduce incorrect detections caused by overreaction of the system.

9 Special Report Q & A
Q2-1
■ Will standardising communication protocols to support constant exchange of information and control commands between external consumers, their appliances and utilities, help prevent security incidents?
=> (Answer) No, we don’t think so. We think it will increase the possibility of security incidents. Because
- Acquisition of technical skills related to standardising communication protocols is easier than for unique protocols.
- Exploitation techniques will also become common knowledge.
- Presently: Attackers use common communication protocols such as HTTP and FTP to issue commands to or exploit confidential information from PCs they have successfully hacked.
- In the future: If communication protocols are standardized, the possibility of exploitation by attackers will increase as we see nowadays.

