Security support device and security support method

A security support device simplifies complex OT security knowledge bases by constructing a tailored security countermeasure model for control systems, enabling effective detection and response to external attacks while prioritizing system availability.

JP7876378B2 · Active · Publication Date: 2026-06-19 · HITACHI SYST LTD

Patent Information

Authority / Receiving Office: JP · JP
Patent Type: Patents
Current Assignee / Owner: HITACHI SYST LTD
Filing Date: 2022-08-29
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing knowledge bases for OT (Operational Technology) security measures are complex and difficult to understand, lacking practicality, and there is a need for a system that can effectively utilize these bases to implement Incident Response (IR) to external attacks in control systems while prioritizing system availability.

Method used

A security support device and method that simplifies complex knowledge bases by constructing a unique security countermeasure model, using passive network monitoring to detect anomalies, and creating support information that includes threat and incident response information, tailored for control systems.

Benefits of technology

The solution enables effective detection and response to external attacks in control systems by simplifying complex knowledge bases, improving understanding and practical application, and enhancing human resource development and technological capabilities in security measures.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 0007876378000001
  • Figure 0007876378000002
  • Figure 0007876378000003

Abstract

To monitor a control system using a novel security measure model built on an existing knowledge base, and to take security measures with priority given to the availability of the control system.

SOLUTION: An alert reception unit 410 receives an alert from a network monitoring device configured to intercept packets transmitted and received by a control system and output the alert. A threat information identification unit 422 refers to a threat information table 392 of a threat information database 390, which stores threat information and IR information in association with each other for each type of alert that can be received from the network monitoring device, and identifies the threat information corresponding to the type information of the alert. An IR information identification unit 423 refers to an IR information table 393 of the threat information database 390 and identifies the IR information corresponding to the threat information. A support information creation unit 425 creates support information including the threat information and the IR information, and a support information output unit 430 outputs it.

SELECTED DRAWING: Figure 5

Description

Technical Field

[0001] The present invention relates to a security measure support device and a security measure support method for supporting security measures of a control system.

Background Art

[0002] Conventionally, an ICS (Industrial Control System) such as a control system that controls production facilities such as social infrastructure systems, factories, and plants has been a closed configuration that does not connect to external systems, so it was considered that it was not exposed to threats such as external attacks. However, in recent years, the opening of ICS has been promoted, and the possibility of being exposed to threats such as external attacks has been increasing.

[0003] A technology for handling information in an open environment such as the Internet is called IT (Information Technology), while a technology for monitoring and operating a control system such as ICS is called OT (Operational Technology). There are significant differences in the concepts between the IT system and the OT system, and there are cases where it is not desirable to apply IT security measures to an OT system such as ICS. For example, as one of the significant differences between the IT system and the OT system, in the IT system, security measures that prioritize data confidentiality while emphasizing the value of information are taken, whereas in the OT system, security measures that prioritize the availability of the control system while emphasizing safe and stable operation are taken. In this specification, a system of the OT system including ICS is described as a "control system".

[0004] Regarding security, organizations such as NIST (National Institute of Standards and Technology) and IPA (Information-technology Promotion Agency) publish guidelines as recommendations and references for security measures, and it is common for companies to implement security measures based on these guidelines. Guidelines for OT (Operational Technology) security are also published by the above organizations, but awareness of these guidelines is lower than that of IT (Information Technology) guidelines, and there are fewer experts in the field, so the current situation is that security measures in accordance with the guidelines are not progressing.

[0005] Furthermore, ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) (a registered trademark in the United States, hereinafter the same), provided by MITRE Inc. in the United States, compiles strategies (tactics) and techniques for attacks that are likely to occur. While ATT&CK also compiles strategies and techniques for attacks related to ICS, ATT&CK aims to compile a knowledge base that comprehensively classifies numerous attacks, and therefore has the challenge of not being necessarily practical for application to OT-based security measures. In this specification, guidelines and knowledge bases published or provided by specific organizations may be collectively referred to as "Knowledge Base (KB)" or "Existing Knowledge Base."

[0006] Furthermore, because OT (Operational Technology) control systems prioritize availability and tend to avoid the load that log collection places on the system, it is more difficult to investigate the extent of damage caused by an external attack than in IT (Information Technology) systems, which presents a further challenge.

[0007] As for security measures in OT control systems, for example, the technology disclosed in Patent Document 1 below is known. Patent Document 1 discloses a technology that calculates an evaluation score for attack tactic/technique information consisting of multiple attack tactics and attack techniques that realize a threat against a target system, and generates a cyberattack scenario that simulates the movements of an attacker based on this evaluation score.

Prior Art Documents

Patent Documents

[0008] [Patent Document 1] Japanese Patent Publication No. 2022-76159

Summary of the Invention

Problems to be Solved by the Invention

[0009] Security knowledge bases are often complex and difficult to understand, posing a significant hurdle when building and developing systems for implementing security measures in control systems. Therefore, there is a need to make these complex and difficult-to-understand knowledge bases easily comprehensible. Furthermore, while existing knowledge bases comprehensively cover various attack tactics, they lack practicality. Therefore, there is a need for the development of a practical system that can utilize the knowledge from existing knowledge bases to appropriately present an Incident Response (IR) to external attacks when they are actually detected.

[0010] The present invention has been made in view of the above problems, and aims to provide a security support device and a security support method that enable monitoring of a control system using a new security support model built on an existing knowledge base, and that enable security measures to be implemented with priority given to the availability of the control system.

Means for Solving the Problem

[0011] To achieve the above objective, the security support device of the present invention is a security support device that supports security measures for a control system, and is characterized by comprising: an alert receiving unit that receives an alert from a network monitoring device configured to intercept and analyze packets transmitted and received by the control system, detect anomalies occurring in the control system, and output an alert notifying the anomaly; a threat information database that stores, for each type of alert that can be received from the network monitoring device, threat information and incident response information related to that alert in association with each other; a threat information identification unit that refers to the threat information database and identifies threat information corresponding to the alert type information received by the alert receiving unit; an incident response information identification unit that refers to the threat information database and identifies incident response information corresponding to the threat information identified by the threat information identification unit; a support information creation unit that creates support information for security measures of the control system, including the threat information identified by the threat information identification unit and the incident response information identified by the incident response information identification unit; and a support information output unit that outputs the support information created by the support information creation unit.

[0012] According to the above configuration, by intercepting packets transmitted and received by the control system, it becomes possible to detect abnormalities in the control system while prioritizing the availability of the control system, identify the threat such as an external attack that caused the abnormality, and create and output support information including threat information related to the threat and incident response information, which is the countermeasure.

[0013] In addition to the above configuration, the security support device of the present invention may also be constructed based on a security countermeasure model that is built by narrowing down, from an existing knowledge base that summarizes attack strategies and tactics, the items necessary for security measures of the control system, and then newly grouping each of the narrowed-down items.

[0014] According to the above configuration, by simplifying the complex and difficult-to-understand existing knowledge base and constructing a simplified security countermeasure model that is easy to understand, it becomes possible to construct an appropriate and practical security countermeasure system according to the actual control system environment. Furthermore, by mapping the strategies and tactics of the unique security countermeasure model according to the present invention with strategies and tactics extracted from the existing knowledge base to the extent necessary for network-based security countermeasures, it becomes possible to promote understanding of the complex and difficult-to-understand existing knowledge base, improve basic knowledge of threat-related strategies, tactics, and procedures, and contribute to improving the skills and human resource development of personnel and system developers, as well as promoting and improving the quality of technology development related to security countermeasures.

[0015] In addition to the above configuration, in the security support device of the present invention, the threat information database may associate multiple pieces of threat information with one piece of alert type information; the threat information identification unit may refer to the threat information database and identify the multiple pieces of threat information corresponding to the alert type information received by the alert receiving unit; and the support information creation unit may create support information including the multiple pieces of threat information identified by the threat information identification unit.

[0016] According to the above configuration, even when multiple pieces of threat information may correspond to one alert, support information including all of them can be created, enabling the control system to appropriately implement security measures that take the multiple pieces of threat information into consideration.

[0017] In addition to the above configuration, in the security support device of the present invention, the threat information database may associate multiple pieces of incident response information with one piece of threat information; the incident response information identification unit may identify the multiple pieces of incident response information corresponding to the threat information identified by the threat information identification unit; and the support information creation unit may create support information including the multiple pieces of incident response information identified by the incident response information identification unit.

[0018] According to the above configuration, even when multiple pieces of incident response information may correspond to a threat such as an external attack, support information including all of them can be created, enabling the control system to appropriately implement security measures that take the multiple pieces of incident response information into account.

[0019] In addition to the above configuration, in the security support device of the present invention, the threat information database may further associate false detection information with each type of alert that can be received from the network monitoring device; the device may further have a false detection information identification unit that refers to the threat information database and identifies the false detection information corresponding to the alert type information received by the alert receiving unit; and the support information creation unit may create the support information including the false detection information identified by the false detection information identification unit.

[0020] With the above configuration, even if the network monitoring device 200 mistakenly detects a legitimate operation of the control system as a threat although it is not an external attack, support information including the false detection information can be created, and the control system 10 can be appropriately equipped with security measures that take into account the issuance of alerts due to false detections.

[0021] Furthermore, in order to achieve the above objectives, the present invention provides a security support method that is performed by a security support device that supports security measures for a control system, and is characterized by comprising: an alert reception step of receiving an alert from a network monitoring device configured to intercept and analyze packets transmitted and received by the control system, detect anomalies occurring in the control system, and output an alert notifying the anomaly; a threat information identification step of referring to a threat information database that stores information linking threat information and incident response information related to the alert with respect to the alert type information that can be received from the network monitoring device, and identifying threat information corresponding to the alert type information received in the alert reception step; an incident response information identification step of referring to the threat information database and identifying incident response information corresponding to the threat information identified in the threat information identification step; a support information creation step of creating support information for security measures of the control system, including the threat information identified in the threat information identification step and the incident response information identified in the incident response information identification step; and a support information output step of outputting the support information created in the support information creation step.

[0022] According to the above process, by intercepting packets transmitted and received by the control system, it becomes possible to detect abnormalities in the control system while prioritizing the availability of the control system, identify the threat such as an external attack that caused the abnormality, and create and output support information including threat information related to the threat and incident response information, which is the countermeasure.

Effects of the Invention

[0023] According to the present invention, by intercepting packets transmitted and received in a control system, it is possible to detect an abnormality in the control system while giving priority to the availability of the control system, identify the external attack that caused the abnormality, and output threat information and incident response information regarding that attack. It is thus possible to provide a security countermeasure support device and a security countermeasure support method that achieve this.

Brief Description of the Drawings

[0024]
[Figure 1] A diagram explaining the outline of a kill chain model newly constructed in an embodiment of the present invention.
[Figure 2] A diagram showing an example of a control system that is a monitoring target for external attacks in an embodiment of the present invention.
[Figure 3] A functional block diagram showing an example of the functions of a network monitoring device arranged in the control system shown in FIG. 2.
[Figure 4] A diagram showing an example of the hardware configuration of a security countermeasure support device in an embodiment of the present invention.
[Figure 5] A functional block diagram showing an example of the functions of a security countermeasure support device in an embodiment of the present invention.
[Figure 6] A diagram showing an example of an alert information table referred to by a security countermeasure support device in an embodiment of the present invention.
[Figure 7] A diagram showing an example of a threat information table referred to by a security countermeasure support device in an embodiment of the present invention.
[Figure 8] A diagram showing an example of an IR information table referred to by a security countermeasure support device in an embodiment of the present invention.
[Figure 9] A diagram showing an example of a false detection information table referred to by a security countermeasure support device in an embodiment of the present invention.
[Figure 10] A flowchart showing an example of a process for creating support information for security countermeasures executed by a security countermeasure support device in an embodiment of the present invention.
[Figure 11] A first example of support information for security measures created in an embodiment of the present invention.
[Figure 12] A second example of support information for security measures created in an embodiment of the present invention.
[Figure 13] A third example of support information for security measures created in an embodiment of the present invention.
[Figure 14] A fourth example of support information for security measures created in an embodiment of the present invention.
[Figure 15] A flowchart showing another example of the process for creating support information for security measures performed by the security support device in an embodiment of the present invention.
[Figure 16] An example of support information (including false detection information) for security measures created in an embodiment of the present invention.

Modes for Carrying Out the Invention

[0025] The following describes, with reference to the drawings, a security support device and a security support method according to embodiments of the present invention.

[0026] (A unique security countermeasure model according to the present invention) First, with reference to Figure 1, an overview of the security measures model newly constructed in the embodiment of the present invention will be described. Figure 1 is a diagram illustrating the overview of the security measures model newly constructed in the embodiment of the present invention. Note that the security measures model shown in Figure 1 is just one example, and the security measures model newly constructed in the present invention is not limited to this.

[0027] Figure 1 illustrates a network-based kill chain model that models the structure of an external attack (threat) as an example of a security countermeasure model used in this embodiment.

[0028] On the left side of Figure 1, a network-based kill chain model is illustrated as a security countermeasure model used in this embodiment. This kill chain model is a new security countermeasure model constructed to be applicable to attacks on control systems, and it models the strategic phases of an attack by classifying them into five phases: "Access to ICS," "Persistence & C2," "Discovery & Collection," "Lateral Movement," and "ICS Attack."

[0029] Each strategic phase broadly categorizes the attack strategy, and each strategic phase is set up to include detailed tactics. Specifically, the strategic phase "Access to ICS" includes tactics such as "Remote Service Exploitation." The strategic phase "Persistence & C2" includes tactics such as "Firmware Installation." The strategic phase "Discovery & Collection" includes tactics such as "Device Tag Identification." The strategic phase "Lateral Movement" includes tactics such as "Default Credentials." The strategic phase "ICS Attack" includes tactics such as "Denial of Service (DoS) Attack."

[0030] The tactics belonging to each strategic phase are defined to map to parts of the strategies in the existing knowledge base (e.g., ATT&CK for ICS), which summarizes attack tactics and strategies related to ICS. Specifically, the strategic phase "Access to ICS" is mapped to the strategic phase "Initial Access" in the existing knowledge base. The strategic phase "Persistence & C2" is mapped to the strategic phases "Persistence" and "Command and Control" in the existing knowledge base. The strategic phase "Discovery & Collection" is mapped to the strategic phases "Discovery" and "Collection" in the existing knowledge base. The strategic phase "Lateral Movement" is mapped to the strategic phase "Lateral Movement" in the existing knowledge base. The strategic phase "ICS Attack" is mapped to the strategic phases "Inhibit Response Function" and "Impair Process Control" in the existing knowledge base.

[0031] The existing knowledge base, ATT&CK for ICS, defines 12 strategic phases and multiple tactics belonging to each strategic phase. Because this existing knowledge base aims to comprehensively organize the strategies and tactics of all attacks, it is vast and complex, making it difficult to apply to actual control systems.

[0032] On the other hand, the security countermeasure model used in this embodiment was constructed taking the above-mentioned problems into consideration. It was constructed by utilizing the knowledge compiled in an existing knowledge base, narrowing down the necessary items from the existing knowledge base, and then newly grouping each of the narrowed-down items.

[0033] When prioritizing load reduction on the control system and the availability of the control system, it is preferable to perform passive network monitoring that detects anomalies in the control system by monitoring network traffic. Therefore, the security countermeasure model used in this embodiment is constructed by narrowing down the items necessary for security measures using passive network monitoring from an existing knowledge base that contains a vast amount of information, and as shown in Figure 1, the seven strategic phases that constitute the existing knowledge base are narrowed down and mapped.

[0034] Furthermore, the existing knowledge base does not always have sufficient precision in its strategy-tactical combinations, making it particularly difficult to apply to actual control systems. For this reason, the security countermeasure model used in this embodiment, as shown in Figure 1, is reconfigured to be suitable for application to actual control systems by further grouping the seven strategic phases narrowed down from the existing knowledge base. For example, the strategic phases "Inhibit Response Function" and "Impair Process Control" from the existing knowledge base are newly grouped and mapped to the strategic phase "ICS Attack".

[0035] As described above, by constructing a unique security countermeasure model according to the present invention, rather than using the existing knowledge base as is, and by constructing a security countermeasure model suitable for application to actual control systems, it becomes possible to implement security measures for control systems. Furthermore, by mapping the strategies and tactics of the unique security countermeasure model according to the present invention with strategies and tactics extracted from the existing knowledge base to the extent necessary for network-based security measures, it becomes possible to promote understanding of the existing knowledge base, which is difficult to understand and complex, and to improve basic knowledge of threat-related strategies, tactics, and procedures. This leads to improved skills and human resource development for personnel and system developers, as well as the promotion of technological development and quality improvement related to security measures.
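As an added example, not code from the patent or from Hitachi's implementation, the following Python sketch shows how the units of [0011]-[0021] and the phase mapping of [0028]-[0034] fit together: a threat information table with several threats per alert type, an IR table with several responses per threat, a false detection table, and a lookup from an existing-KB strategic phase to one of the five model phases. All alert types, threat and IR identifiers and text rows are constructed sample data; the unit numbers in comments refer to the reference numerals used in the abstract; the high/medium/low risk field on the alert and the handling of an unregistered alert type (an empty threat list) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# [0030]: the model's five strategic phases and the existing-KB (ATT&CK for ICS)
# strategic phases each of them groups.
MODEL_PHASES = {
    "Access to ICS": ("Initial Access",),
    "Persistence & C2": ("Persistence", "Command and Control"),
    "Discovery & Collection": ("Discovery", "Collection"),
    "Lateral Movement": ("Lateral Movement",),
    "ICS Attack": ("Inhibit Response Function", "Impair Process Control"),
}
KB_TO_MODEL = {kb: m for m, kbs in MODEL_PHASES.items() for kb in kbs}


def model_phase(kb_phase: str) -> Optional[str]:
    """Map an existing-KB strategic phase to the model phase; None if it was narrowed out."""
    return KB_TO_MODEL.get(kb_phase)


# Constructed sample rows standing in for the threat information database 390.
# Threat information table (cf. 392): alert type -> threat ids, several per alert ([0015]).
THREAT_TABLE = {
    "ALERT-EXT-LOGIN": ["THR-01", "THR-02"],
    "ALERT-FW-WRITE": ["THR-03"],
}
THREAT_INFO = {
    "THR-01": {"tactic": "Remote Service Exploitation", "kb_phase": "Initial Access"},
    "THR-02": {"tactic": "Default Credentials", "kb_phase": "Lateral Movement"},
    "THR-03": {"tactic": "Firmware Installation", "kb_phase": "Persistence"},
}
# IR information table (cf. 393): threat id -> IR ids, several per threat ([0017]).
IR_TABLE = {"THR-01": ["IR-01", "IR-02"], "THR-02": ["IR-03"], "THR-03": ["IR-04"]}
IR_INFO = {
    "IR-01": "Confirm whether the remote session is authorized; isolate the host if not.",
    "IR-02": "Review firewall 60 logs for the remote service during the alert window.",
    "IR-03": "Verify that credentials on the target device were changed from factory defaults.",
    "IR-04": "Compare the running firmware with the maintenance record before restarting.",
}
# False detection information table ([0019]): alert type -> legitimate cause of the alert.
FALSE_DETECTION_INFO = {
    "ALERT-FW-WRITE": "A planned firmware update by maintenance staff produces the same traffic.",
}


@dataclass(frozen=True)
class Alert:
    alert_type: str
    risk: str  # security profile from the network monitoring device ("high"/"medium"/"low"), assumed


def identify_threats(alert_type: str) -> list:
    """Threat information identification unit 422: all threats registered for an alert type."""
    return [dict(id=t, **THREAT_INFO[t]) for t in THREAT_TABLE.get(alert_type, [])]


def identify_ir(threat_id: str) -> list:
    """IR information identification unit 423: all IR entries registered for a threat."""
    return [IR_INFO[i] for i in IR_TABLE.get(threat_id, [])]


def create_support_information(alert: Alert) -> dict:
    """Support information creation unit 425: threat info, IR info and false detection info."""
    threats = []
    for t in identify_threats(alert.alert_type):
        threats.append({
            "id": t["id"],
            "tactic": t["tactic"],
            "kb_phase": t["kb_phase"],
            "model_phase": model_phase(t["kb_phase"]),
            "incident_response": identify_ir(t["id"]),
        })
    return {
        "alert_type": alert.alert_type,
        "risk": alert.risk,
        "threats": threats,  # empty when the alert type is not registered (assumption)
        "false_detection": FALSE_DETECTION_INFO.get(alert.alert_type),
    }


def render(support: dict) -> str:
    """Support information output unit 430: plain-text rendering for an operator."""
    lines = [f"Alert {support['alert_type']} (risk: {support['risk']})"]
    if not support["threats"]:
        lines.append("  no threat information registered for this alert type")
    for t in support["threats"]:
        lines.append(f"  Threat {t['id']}: {t['tactic']} [{t['model_phase']} <- {t['kb_phase']}]")
        for ir in t["incident_response"]:
            lines.append(f"    IR: {ir}")
    if support["false_detection"]:
        lines.append(f"  Possible false detection: {support['false_detection']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(create_support_information(Alert("ALERT-EXT-LOGIN", "high"))))
```

Keeping the existing-KB phase beside the model phase in each threat row is what makes the mapping of [0030] visible to the operator: the support information reads in the five-phase model while still showing which ATT&CK for ICS phase the entry was derived from.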

[0036] (The control system to be monitored according to the present invention) An embodiment of the present invention describes a control system that is monitored for external attacks. Figure 2 shows an example of a control system 10 that is monitored for external attacks in an embodiment of the present invention. Note that the control system 10 shown in Figure 2 is just one example, and the configuration of a control system that is monitored for external attacks is not limited to this.

[0037] The control system 10 shown in Figure 2 is equipped with field devices 20. Field devices 20 are devices installed in numerous locations in production facilities such as factories, and include, for example, sensors and actuators. The field devices 20 are connected to a PLC (Programmable Logic Controller) 30, an RTU (Remote Terminal Unit) 40, etc., which monitors, analyzes, and controls the field devices 20.

[0038] Furthermore, the PLC 30, RTU 40, etc., are connected to a SCADA (Supervisory Control And Data Acquisition) 50. The SCADA 50 is a computer that performs system monitoring and process control. A Human Machine Interface (HMI) may be connected to the SCADA 50, and the HMI may be configured to display data processed by the SCADA 50, allowing the operator to monitor and control the PLC 30, RTU 40, etc. The SCADA 50 may be provided in each work system (work unit) to monitor and control each work system. Alternatively, each work system may be monitored and controlled by a Distributed Control System (DCS).

[0039] In the control system 10 shown in Figure 2, a firewall 60 is provided at the boundary between the SCADA 50 and the IT network 100. Although simplified in Figure 2, a control system information network or a control system DMZ (DeMilitarized Zone) may be located above or below the firewall 60. The firewall 60 shown in Figure 2 is located at the boundary between the OT system network within the control system 10 and the IT network 100 outside the control system 10.

[0040] The control system 10 shown in Figure 2 is equipped with a network monitoring device 200. The network monitoring device 200 is configured to monitor the traffic of the control system 10, intercept packets (including frames) transmitted and received in the control system 10, and issue (send) an alert if it detects an abnormality in the control system 10 from the intercepted packets. The network monitoring device 200 is positioned to intercept packets transmitted and received within the control system 10, or packets transmitted and received between the control system 10 and the external IT network 100.

[0041] The placement of the network monitoring device 200 is not particularly limited; it just needs to be connected to a communication line (link) connecting any devices (nodes) located in the control system 10 so that it can intercept packets flowing through that communication line. Furthermore, the number of network monitoring devices 200 is not particularly limited; there may be one or multiple devices. In the control system 10 shown in Figure 2, as an example, the network monitoring device 200 is positioned to intercept packets transmitted and received between the PLC 30 or RTU 40 and the SCADA 50, and to intercept packets passing through the firewall 60.

[0042] The control system 10 shown in Figure 2 is equipped with a security support device 300. The security support device 300 is configured to receive alerts issued by one or more network monitoring devices 200. The network monitoring devices 200 and the security support device 300 may be directly connected, or they may be connected via an OT network within the control system 10 or an IT network 100 outside the control system 10. Alternatively, a controller located in the control system 10 may receive alerts issued by the network monitoring devices 200 and forward the received alerts to the security support device 300.

[0043] (Network monitoring device) The network monitoring device 200, which is located in the control system 10, will now be described. Figure 3 is a functional block diagram showing an example of the functions of the network monitoring device 200 located in the control system 10 shown in Figure 2. Note that the network monitoring device 200 used in the present invention may be an existing network monitoring device that detects abnormalities in the control system 10 and issues an alert, and is not limited to the configuration shown in Figure 3.

[0044] The network monitoring device 200 shown in Figure 3 is configured to include a communication unit 210, a network analyzer 220, and an anomaly detection unit 230.

[0045] The communication unit 210 is configured to connect to a desired communication line of the control system 10 and is capable of intercepting packets flowing through the communication line. The communication unit 210 is also capable of transmitting alerts generated by the alert generation unit 234 to a specific device (in this embodiment, the security support device 300).

[0046] The network analyzer 220 has the function of analyzing packets intercepted by the communication unit 210. The network analyzer 220 analyzes not only the header and data portions of the intercepted packets, but also the header and data portions contained in encapsulated packets, and is configured to extract information from the attributes of each field included in all protocols.

[0047] The anomaly detection unit 230 has the function of detecting anomalies that occur in the control system 10 based on information extracted from packets by the network analyzer 220, and issuing an alert when an anomaly is detected.

[0048] The anomaly detection unit 230 is configured, for example, to include a learning unit 231, a link information storage unit 232, a comparison unit 233, and an alert generation unit 234.

[0049] The learning unit 231 has the function of learning the operation of the control system 10 based on information extracted from packets by the network analyzer 220. The learning unit 231 learns the normal operation of the control system 10 in advance and outputs the learning result as link information.

[0050] The link information storage unit 232 is a storage medium for storing link information output by the learning unit 231. The link information includes the learning results from the learning unit 231 and defines the normal operation of the control system 10. The link information includes information related to the links (nodes and arcs) defined by each packet transmitted and received in the control system 10, and the attributes of each field included in all protocols transmitted and received between each link.

[0051] The comparison unit 233 has the function of detecting whether or not abnormal operation is occurring in the control system 10 by comparing the information extracted from the packet by the network analyzer 220 with the link information stored in the link information storage unit 232. For example, the comparison unit 233 compares the information related to the attributes of each field included in all protocols of the intercepted packet with the link information and determines that abnormal operation is occurring in the control system 10 if it contains information that is not normally seen, or if the communication frequency exceeds a predetermined threshold. If the comparison unit 233 detects that abnormal operation is occurring in the control system 10, it notifies the alert generation unit 234 of this fact.

[0052] The alert generation unit 234 has the function of generating an alert when it receives notification from the comparison unit 233 that an abnormal operation has occurred in the control system 10. The alert generation unit 234 can generate an alert that includes an identifier corresponding to the detected abnormality. That is, the alert generated by the alert generation unit 234 includes an identifier for identifying the abnormal operation that occurred in the control system 10, and by referring to the identifier included in the alert, it is possible to identify what kind of abnormality was detected. In addition, the alert generation unit 234 may include security profile information (e.g., "high", "medium", "low", etc.) indicating the degree of risk of the abnormal operation that occurred in the control system 10 in the alert.
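The learning, comparison and alert-generation loop of units 231 through 234 is described above in prose. The following is an added example (it is not the patent's code) of one way to implement it: link information is learned from known-good traffic as, per link, the set of values seen for each field and the peak per-window packet count; monitoring then flags a link never seen during learning, a field value never seen on a learned link, and a per-window count above a margin times the learned peak, and emits an alert carrying an identifier and a risk level as paragraph [0052] describes. The packet records, the Modbus-like field names and values, the ANOM:* identifiers and the rate margin are all constructed for illustration and do not correspond to any real product.

```python
from collections import Counter, defaultdict


class LinkInfo:
    """Learning result held by the link information storage unit 232.

    attributes[link][field] is the set of values seen for that field on that
    link during learning; peak_rate[link] is the highest packet count seen for
    the link in any single learning window."""

    def __init__(self):
        self.attributes = defaultdict(lambda: defaultdict(set))
        self.peak_rate = {}


def link_of(packet):
    """A link is the (source, destination, protocol) arc carried by a packet."""
    return (packet["src"], packet["dst"], packet["proto"])


def learn(packets):
    """Learning unit 231: derive link information from known-good traffic."""
    info = LinkInfo()
    per_window = Counter()
    for p in packets:
        link = link_of(p)
        for name, value in p["fields"].items():
            info.attributes[link][name].add(value)
        per_window[(link, p["window"])] += 1
    for (link, _window), count in per_window.items():
        info.peak_rate[link] = max(info.peak_rate.get(link, 0), count)
    return info


def compare(packets, info, rate_margin=2.0):
    """Comparison unit 233 and alert generation unit 234 combined.

    Emits an alert (identifier plus risk level) for a link never seen in
    learning, for a field value never seen on a learned link, and for a
    per-window count above rate_margin times the learned peak for that link.
    The ANOM:* identifiers and the margin are constructed for this example."""
    alerts = []
    per_window = Counter()
    for p in packets:
        link = link_of(p)
        if link not in info.attributes:
            alerts.append({"id": "ANOM:LINK:UNKNOWN", "risk": "high", "link": link})
            continue  # unlearned links are not rate-counted; the link alert covers them
        for name, value in p["fields"].items():
            if value not in info.attributes[link].get(name, set()):
                alerts.append({"id": "ANOM:FIELD:UNSEEN", "risk": "medium",
                               "link": link, "field": name, "value": value})
        per_window[(link, p["window"])] += 1
    for (link, window), count in per_window.items():
        if count > rate_margin * info.peak_rate[link]:
            alerts.append({"id": "ANOM:RATE:EXCEEDED", "risk": "high",
                           "link": link, "window": window, "count": count})
    return alerts


def make_packet(src, dst, proto, window, **fields):
    """Constructed packet record: what the network analyzer 220 would extract."""
    return {"src": src, "dst": dst, "proto": proto, "window": window, "fields": fields}


# Constructed learning traffic: one HMI polls one PLC with a read (func 3),
# two packets per one-second window, for five windows.
LEARN_TRAFFIC = [
    make_packet("10.0.0.10", "10.0.0.20", "MODBUS", w, func=3, unit=1)
    for w in range(5) for _ in range(2)
]

# Constructed monitored traffic: normal polls, then a write (func 16) never
# seen in learning, a packet from an unlearned host, and a burst of ten polls.
MONITORED_TRAFFIC = (
    [make_packet("10.0.0.10", "10.0.0.20", "MODBUS", 0, func=3, unit=1) for _ in range(2)]
    + [make_packet("10.0.0.10", "10.0.0.20", "MODBUS", 1, func=16, unit=1)]
    + [make_packet("10.0.0.99", "10.0.0.20", "MODBUS", 1, func=3, unit=1)]
    + [make_packet("10.0.0.10", "10.0.0.20", "MODBUS", 2, func=3, unit=1) for _ in range(10)]
)


def run_demo():
    """Learn from the clean capture, then monitor the suspicious one."""
    return compare(MONITORED_TRAFFIC, learn(LEARN_TRAFFIC))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the demo yields three alerts in packet order: the unseen function code, the unknown source host, and the rate excess in window 2. Re-running compare() over the learning traffic itself yields none, which is the minimum check worth making before trusting a baseline: a learner that alerts on its own training set has not captured normal operation. Note that the rate check only protects learned links; a flood from an unlearned host would surface as repeated ANOM:LINK:UNKNOWN alerts instead.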

[0053] (Hardware configuration of security support device) The security support device 300, which is located in the control system 10 shown in Figure 2, will now be described. Figure 4 is a diagram showing an example of the hardware configuration of the security support device 300 in an embodiment of the present invention. The hardware configuration of the security support device according to the present invention is not limited to the configuration shown in Figure 4.

[0054] As shown in Figure 4, the security support device 300, as an example, includes a processor 310, memory 320, communication unit 330, operation input unit 340, monitor 350, and storage 360, with each component connected via a bus 305.

[0055] The processor 310 has functions for performing data calculations and processing control. The processor 310 may consist of, for example, a CPU (Central Processing Unit), a DSP (Digital Signal Processor) or a GPU (Graphics Processing Unit) that performs data processing specialized for a specific purpose.

[0056] Memory 320 is a volatile memory that temporarily stores programs executed by the security support device 300 and data to be processed. Memory 320 is a main memory such as RAM (Random Access Memory).

[0057] The communication unit 330 has a function for the security support device 300 to communicate with other devices. In the control system 10 shown in Figure 2, the security support device 300 is configured to receive alerts issued by the network monitoring device 200 via the communication unit 330. The security support device 300 may also be configured to transmit security support information to a predetermined device via the communication unit 330.

[0058] The operation input unit 340 has the function of receiving information input from the user and represents, for example, an input device such as a mouse and keyboard. The monitor 350 has the function of outputting visual information to the user and is equipped with a display screen. The security support device 300 can make various settings related to the security support device 300 based on the information input from the user using the operation input unit 340. The security support device 300 may also be configured to display security support information created by receiving alerts on the display screen. The operation input unit 340 and the monitor 350 may be a touch panel type display that integrates their respective functions. In addition to visually displaying and outputting information through the monitor 350, the security support device 300 may also be configured to print information on paper media through a printer (not shown).

[0059] Storage 360 is an auxiliary storage device implemented using, for example, a magnetic disk such as an HDD (Hard Disk Drive), semiconductor memory such as an SSD (Solid State Drive), a magneto-optical disk, or an optical disk.

[0060] The storage 360 may be located in a network storage device or database management device separate from the security support device 300, for example. In this embodiment, the storage 360 includes any data storage device that is accessible to the security support device 300.

[0061] The storage 360 is capable of storing programs and data in which desired processing procedures are described as program instructions. For example, as shown in Figure 4, the storage 360 stores various programs such as an alert processing program 370 that creates support information related to security measures, and a support information output program 380 that outputs support information. The processor 310 reads various programs from the storage 360 as appropriate, loads them into the memory 320, and executes program instructions, thereby enabling the security support device 300 to realize the functions corresponding to each program.

[0062] The various programs according to the present invention may exist independently, or they may exist as a program in which the various programs are linked or integrated. In Figure 4, the alert processing program 370 is represented as a program that integrates an alert analysis program 371 that analyzes an alert received from the network monitoring device 200 and identifies the alert, a threat information identification program 372 that identifies threat information corresponding to the alert, an IR information identification program 373 that identifies IR information corresponding to the threat information, a false positive information identification program 374 that identifies false positive information corresponding to the alert, and a support information creation program 375 that formats and processes the output data.

[0063] Furthermore, storage 360 stores a threat information database 390, which is referenced when creating support information for security measures. The threat information database 390 stores and manages data in table format, for example, and consists of an alert information table 391, a threat information table 392, an IR information table 393, and a false positive information table 394. Details of the tables in the threat information database 390 are described later.

[0064] Furthermore, storage 360 may store various programs and data other than those mentioned above. For example, storage 360 may store various programs such as operating system programs necessary for the operation of the security support device 300, as well as configuration information that defines the communication settings or operation settings of the security support device 300.

[0065] (Functions of security support device) The functions of the security support device 300 shown in Figure 4 will be described. Figure 5 is a functional block diagram showing an example of the functions of the security support device 300 in this embodiment. The functions of the security support device according to the present invention are not limited to the configuration shown in Figure 5.

[0066] The security support device 300 shown in Figure 5 comprises an alert receiving unit 410, an alert processing unit 420, a support information output unit 430, and a threat information database 390.

[0067] The alert receiving unit 410 has the function of receiving alerts issued by the network monitoring device 200. The alert receiving unit 410 corresponds to the communication unit 330 shown in Figure 4.

[0068] The alert processing unit 420 has the function of creating support information for security measures based on the alerts received by the alert receiving unit 410. The alert processing unit 420 is realized when the processor 310 reads the alert processing program 370 from the storage 360 as appropriate, loads it into the memory 320, and executes program instructions.

[0069] The alert processing unit 420 is comprised of an alert analysis unit 421, a threat information identification unit 422, an IR information identification unit 423, a false positive information identification unit 424, and a support information creation unit 425.

[0070] The alert analysis unit 421 analyzes the alerts received by the alert receiving unit 410 and has the function of identifying the type of alert by referring to a pre-configured correspondence table between the identifiers included in alerts and the types of alerts. The alert analysis unit 421 also has the function of referring to the alert information table 391, reading the record corresponding to the identified type of alert and storing it in the memory 320, and notifying the threat information identification unit 422 of the threat identification information associated with the record read from the alert information table 391. Furthermore, if the alert contains security profile information indicating the degree of risk of the abnormal operation that occurred in the control system 10, processing may be limited to alerts indicating a risk of a predetermined level or higher (e.g., "high").

[0071] Furthermore, the alert analysis unit 421 may also have a function to notify the false positive information identification unit 424 of the false positive identification information associated with the record read from the alert information table 391. The alert analysis unit 421 is realized when the processor 310 reads the alert analysis program 371 from the storage 360 as appropriate, loads it into the memory 320, and executes program instructions.

[0072] The threat information identification unit 422 has the function of referring to the threat information table 392, reading records corresponding to the threat identification information notified by the alert analysis unit 421 and storing them in memory 320, and notifying the IR identification information associated with the records read from the threat information table 392 to the IR information identification unit 423. The threat information identification unit 422 is realized when the processor 310 appropriately reads the threat information identification program 372 from the storage 360, loads it onto memory 320, and executes program instructions.

[0073] The IR information identification unit 423 has the function of referring to the IR information table 393, reading the record corresponding to the IR identification information notified by the threat information identification unit 422, and storing it in the memory 320. The IR information identification unit 423 is realized when the processor 310 appropriately reads the IR information identification program 373 from the storage 360, loads it onto the memory 320, and executes program instructions.

[0074] The false positive information identification unit 424 has the function of referring to the false positive information table 394, reading the record corresponding to the false positive identification information notified by the alert analysis unit 421, and storing it in the memory 320. The false positive information identification unit 424 is realized when the processor 310 reads the false positive information identification program 374 from the storage 360 as appropriate, loads it into the memory 320, and executes program instructions.

[0075] The support information creation unit 425 has the function of creating support information for security measures by acquiring from the memory 320 the records read from the alert information table 391 by the alert analysis unit 421, the records read from the threat information table 392 by the threat information identification unit 422, and the records read from the IR information table 393 by the IR information identification unit 423, and appropriately extracting, formatting, and processing the necessary information. In addition, the support information creation unit 425 may acquire from the memory 320 the records read from the false positive information table 394 by the false positive information identification unit 424, extract the necessary information, and include it in the support information for security measures. The support information creation unit 425 is realized when the processor 310 reads the support information creation program 375 from the storage 360 as appropriate, loads it into the memory 320, and executes program instructions.

[0076] The support information output unit 430 has the function of outputting support information created by the support information creation unit 425. The support information output unit 430 may, for example, display the support information on the monitor 350 of the security support device 300, print the support information on paper media from a printer connected to the security support device 300, or transmit the support information to another device via the communication unit 330. The support information output unit 430 is realized when the processor 310 reads the support information output program 380 from the storage 360 as appropriate, loads it into the memory 320, and executes program instructions.

[0077] Next, the alert information table 391, threat information table 392, IR information table 393, and false positive information table 394, which are referenced by the security support device 300 in this embodiment, will be described.

[0078] (Alert Information Table) Figure 6 shows an example of an alert information table 391 referenced by the security support device 300 in this embodiment. The alert information table 391 shown in Figure 6 is composed of a table in which each record (row) contains alert information corresponding to each alert, and each column contains various information related to each alert. Only a portion of the records in the alert information table 391 are shown in Figure 6.

[0079] The alert information table 391 includes, as an example, an alert type column 391a (Type_ID in Figure 6), an alert name column 391b (Name in Figure 6), an alert detail column 391c (Detail in Figure 6), a false positive identification column 391d (False_Positive in Figure 6), and a threat identification column 391e (Threat in Figure 6). However, the columns set in the alert information table 391 shown in Figure 6 are just an example and are not limited to these.

[0080] The alert type column 391a is a field for storing alert type information that indicates the type of alert. The alert type information is associated with the type of alert and is identification information that makes it possible to uniquely identify the type of alert.

[0081] When the network monitoring device 200 detects abnormal operation of the control system 10 that can be determined to be an external attack, it issues an alert containing an identifier that identifies the attack. The alert type information corresponds to the identifier included in the alert, and the alert analysis unit 421 can identify the type of alert from the identifier included in the received alert and identify the record containing the alert type information related to that received alert. Alternatively, the alert information table 391 may store the identifier included in the alert along with the alert type information, allowing the system to identify the record (row) containing information about the received alert from the identifier included in the received alert.

[0082] The alert name column 391b is a field for storing information indicating the name of the alert, and the alert detail column 391c is a field for storing detailed information indicating the specific content of the alert. The alert name information and alert detail information indicate the name under which the alert is represented and the specific attack whose detection causes it to be sent.

[0083] The false positive identification column 391d is a field for storing false positive identification information. False positive identification information is associated with cases in which an operation of the control system 10 that is not caused by an external attack is mistakenly detected as an external attack (a false positive), and is identification information that uniquely identifies that false positive. It allows the false positive information identification unit 424 to identify the record (row) in the false positive information table 394. Here, the false positive identification information consists of main identification information and sub-identification information, and is expressed in the format "main identification information"-"sub-identification information". Note that one or more pieces of false positive identification information may be stored.

[0084] The network monitoring device 200 is designed to identify abnormal behavior in the control system 10 as a threat such as an external attack and to issue an alert. However, abnormal behavior that is not actually caused by an external attack may also be detected as a threat and cause an alert to be issued. Since the conditions under which the network monitoring device 200 produces such a false positive follow recognizable patterns, each alert can be associated with the false positives that may cause it to be issued.

[0085] The threat identification column 391e is a field for storing threat identification information associated with the external attack that triggered the alert. The threat identification information is associated with an external attack and uniquely identifies that attack, allowing the threat information identification unit 422 to identify the record (row) in the threat information table 392. Here, the threat identification information consists of main identification information and sub-identification information, and is expressed in the format "main identification information"-"sub-identification information". Note that one or more pieces of threat identification information may be stored.

[0086] (Threat Information Table) Figure 7 shows an example of a threat information table 392 referenced by the security support device 300 in this embodiment. The threat information table 392 shown in Figure 7 is composed of a table in which each record (row) contains threat information corresponding to each attack, and each column contains various information related to each attack. Only a portion of the records in the threat information table 392 are shown in Figure 7.

[0087] Threat information table 392 includes, as an example, a threat classification column 392a (Category in Figure 7), a threat identification column 392b (Main_ID, Sub_ID in Figure 7), a knowledge base identification column 392c (KB_ID in Figure 7), a knowledge base name column 392d (Name in Figure 7), a threat content column 392e (Contents in Figure 7), a link column 392f (URL in Figure 7), and an IR identification column 392g (IR_ID in Figure 7). However, the columns set in threat information table 392 shown in Figure 7 are just examples and are not limited to these.

[0088] Threat classification column 392a is a field for storing threat classification information that indicates the classification of an external attack. Threat classification information indicates which strategic phase of a newly constructed kill chain model the external attack corresponds to, and the name of the strategic phase of the kill chain model can be used as the threat classification information.

[0089] The threat identification column 392b is a field for storing threat identification information to classify external attacks that triggered the alert. The threat identification information is associated with external attacks and is identification information that makes it possible to uniquely identify the attack. Here, the threat identification information consists of main identification information and sub-identification information. The threat identification information is also stored in the threat identification column 391e of the alert information table 391, so that the threat information identification unit 422 can identify the record (row) in the threat information table 392 from the alert information in the alert information table 391.

[0090] The knowledge base identification column 392c is a field for storing knowledge base identification information that identifies a tactic of an existing knowledge base. Knowledge base identification information indicates which tactic in the existing knowledge base corresponds to the external attack. The knowledge base name column 392d is a field for storing the specific name of the corresponding existing knowledge base tactic, and the link column 392f is a field for storing link information to a web page that contains details of the corresponding existing knowledge base tactic. By associating the newly constructed kill chain model's threat classification information, the knowledge base identification information, the knowledge base tactic name information, and the link information in the same record, the correspondence between the strategies and tactics of the newly constructed kill chain model and those of the existing knowledge base can be understood.

[0091] Threat content column 392e is a field for storing threat content information that describes the specific nature of an external attack. Threat content information indicates the specific nature of the external attack.

[0092] The IR identification column 392g is a field for storing IR identification information that indicates an IR (Incident Response), which is a countermeasure against an external attack. The IR identification information is associated with an IR and is identification information that makes it possible to uniquely identify the IR, thereby allowing the IR information identification unit 423 to identify the record (row) in the IR information table 393. Here, the IR identification information consists of main identification information and sub-identification information, and is expressed in the format "main identification information"-"sub-identification information". Note that one or more pieces of IR identification information may be stored.

[0093] (IR Information Table) Figure 8 shows an example of the IR information table 393 referenced by the security support device 300 in this embodiment. The IR information table 393 shown in Figure 8 is composed of a table in which each record (row) contains IR information corresponding to each IR, and each column contains various information related to each IR. Only a portion of the records in the IR information table 393 are shown in Figure 8.

[0094] The IR information table 393 includes, as an example, an IR classification column 393a (Category in Figure 8), an IR identification column 393b (Main_ID, Sub_ID in Figure 8), an IR technology column 393c (Technique in Figure 8), and an IR procedure column 393d (Procedure in Figure 8). However, the columns set in the IR information table 393 shown in Figure 8 are just examples and are not limited to these.

[0095] IR classification column 393a is a field for storing IR classification information, which indicates the classification of an IR. IR classification information includes, for example, information that provides an overview of the IR.

[0096] The IR identification column 393b is associated with an IR (Incident Response) performed in response to an external attack and is a column for storing IR identification information that uniquely identifies that IR. Here, the IR identification information consists of main identification information and sub-identification information. The IR identification information is also stored in the IR identification column 392g of the threat information table 392, allowing the record (row) in the IR information table 393 to be identified from the threat information in the threat information table 392.

[0097] IR Technology column 393c is for storing IR technology information related to techniques for responding to external attacks. IR Procedure column 393d is for storing specific IR procedure information for responding to external attacks. IR technology information and IR procedure information refer to specific techniques and procedures for responding to external attacks.

[0098] (False positive information table) Figure 9 shows an example of a false positive information table 394 referenced by the security support device 300 in this embodiment. The false positive information table 394 shown in Figure 9 is composed of a table in which each record (row) contains false positive information corresponding to each false positive, and each column contains various information related to each false positive. Only a portion of the records in the false positive information table 394 are shown in Figure 9.

[0099] The false positive information table 394 includes, as an example, a false positive classification column 394a (Category in Figure 9), a false positive identification column 394b (Main_ID, Sub_ID in Figure 9), and a false positive content column 394c (Contents in Figure 9). However, the columns set in the false positive information table 394 shown in Figure 9 are just examples and are not limited to these.

[0100] The false positive classification column 394a is a field for storing false positive classification information that indicates the classification of a false positive. False positive classification information includes, for example, information about the action that triggered the false positive (e.g., incorrect configuration, malfunction, maintenance).

[0101] The false positive identification column 394b is associated with false positives and is a field for storing false positive identification information that allows a false positive to be uniquely identified. Here, the false positive identification information consists of main identification information and sub-identification information. The false positive identification information is also stored in the false positive identification column 391d of the alert information table 391, so that the record (row) in the false positive information table 394 can be identified from the false positive identification information in the alert information table 391.

[0102] The false positive content column 394c is a field for storing false positive content information. False positive content information describes the specific nature of the false positive.

[0103] (Process for creating support information for security measures) The following describes the process for creating support information for security measures performed by the security support device 300 in this embodiment. Figure 10 is a flowchart showing an example of the process for creating support information for security measures performed by the security support device 300 in this embodiment.

[0104] When the alert receiving unit 410 of the security support device 300 receives an alert from the network monitoring device 200, it supplies the received alert to the alert analysis unit 421. In Figure 10, the alert analysis unit 421 identifies the type of alert from the identifier included in the alert issued by the network monitoring device 200 (step S101).

[0105] The alert analysis unit 421 refers to the alert information table 391 to identify the record related to the alert type information identified in step S101, and reads the information of that record (step S103). The alert analysis unit 421 stores the information of the read record in the memory 320.

[0106] The alert analysis unit 421 identifies threat identification information from the threat identification column 391e of the record related to the alert type information identified in step S101 (step S105), and notifies the threat information identification unit 422 of the threat identification information. Note that the threat identification column 391e of a record in the alert information table 391 can store multiple pieces of threat identification information. If multiple pieces are stored, the alert analysis unit 421 notifies the threat information identification unit 422 of all of them.

[0107] The threat information identification unit 422 refers to the threat information table 392 to identify the record related to the threat identification information notified by the alert analysis unit 421, and reads the information within the record (step S107). The threat information identification unit 422 stores the information of the read record in the memory 320.

[0108] The threat information identification unit 422 identifies IR identification information from the IR identification column 392g of the record related to the threat identification information notified by the alert analysis unit 421 (step S109). Note that the IR identification column 392g of the threat information table 392 can store multiple pieces of IR identification information. If multiple pieces are stored, the threat information identification unit 422 notifies the IR information identification unit 423 of all of them.

[0109] Since the threat identification column 391e of a record in the alert information table 391 can store multiple pieces of threat identification information, the alert analysis unit 421 may notify the threat information identification unit 422 of more than one. The threat information identification unit 422 determines whether multiple pieces of threat identification information have been notified by the alert analysis unit 421 (step S111), and if so, executes steps S107 and S109 above for each piece of threat identification information.

[0110] Once all threat identification information has been processed, the IR information identification unit 423 refers to the IR information table 393 to identify the record related to the IR identification information notified by the threat information identification unit 422, and reads the information within that record (step S113). The IR information identification unit 423 stores the information of the read record in the memory 320.

[0111] Because the threat identification column 391e of a record in the alert information table 391 can store multiple pieces of threat identification information, and the IR identification column 392g of the threat information table 392 can likewise store multiple pieces of IR identification information, the threat information identification unit 422 may notify the IR information identification unit 423 of more than one piece of IR identification information. The IR information identification unit 423 determines whether multiple pieces of IR identification information have been notified by the threat information identification unit 422 (step S115), and if so, executes step S113 above for each piece of IR identification information.

[0112] Once processing of all IR identification information is complete, the support information creation unit 425 refers to the information read from the alert information table 391 in step S103, the information read from the threat information table 392 in step S107, and the information read from the IR information table 393 in step S113, extracts and formats the information of pre-configured items, and further processes it into a predetermined data format to create support information for security measures (step S117). The support information creation unit 425 supplies the created support information to the support information output unit 430, completing the process of creating support information for security measures.

[0113] The process for creating the support information for the security measures mentioned above will be explained in more detail.

[0114] For example, suppose the network monitoring device 200 detects an anomaly in the control system 10 and issues an alert of type "SIGN:ARP:DUP".

[0115] When the alert receiving unit 410 of the security support device 300 receives an alert issued by the network monitoring device 200, it supplies the received alert to the alert analysis unit 421. The alert analysis unit 421 identifies the alert type information "SIGN:ARP:DUP" of the alert received by the alert receiving unit 410 (step S101), and refers to the alert information table 391 to read the information of the record related to the alert type information "SIGN:ARP:DUP" (the first row of the alert information table 391 shown in Figure 6) (step S103).

[0116] The alert analysis unit 421 identifies threat identification information "5-1" from the threat identification column 391e of the record related to the alert type information "SIGN:ARP:DUP" (step S105) and notifies the threat information identification unit 422.

[0117] The threat information identification unit 422 refers to the threat information table 392 to identify the record related to the threat identification information "5-1" notified by the alert analysis unit 421 (the fifth row of the threat information table 392 shown in Figure 7), and reads the information within the record (step S107). The threat information identification unit 422 identifies the IR identification information "1-1" from the IR identification column 392g of the record related to the identified threat identification information "5-1" (step S109), and notifies the IR information identification unit 423.

[0118] In this case, the threat information identification unit 422 has only received the threat identification information "5-1" from the alert analysis unit 421, and the records read from the threat information table 392 are only those related to the threat identification information "5-1".

[0119] Next, the IR information identification unit 423 refers to the IR information table 393 to identify the record related to the IR identification information "1-1" notified by the threat information identification unit 422 (the first row of the IR information table 393 shown in Figure 8), and reads the information within the record (step S113). In this case, the IR information identification unit 423 has only been notified of the IR identification information "1-1" by the threat information identification unit 422, and the only record to read from the IR information table 393 is the record related to the IR identification information "1-1".

[0120] As a result of the above operation, the information from the record related to the alert type information "SIGN:ARP:DUP" in the alert information table 391 (the first row of the alert information table 391 shown in Figure 6), the information from the record related to the threat identification information "5-1" in the threat information table 392 (the fifth row of the threat information table 392 shown in Figure 7), and the information from the record related to the IR identification information "1-1" in the IR information table 393 (the first row of the IR information table 393 shown in Figure 8) are read and stored in memory 320. The support information creation unit 425 refers to this information and uses the information of the pre-configured items to create support information for security measures (step S117). The support information creation unit 425 may create support information using only some of the information, or it may create support information using all of the information.

[0121] Figure 11 shows an example of security support information created by the support information creation unit 425 when an alert of type information "SIGN:ARP:DUP" is received. As an example, the support information creation unit 425 creates support information that includes the alert type, alert name, and alert details as alert information, the threat type, KB_ID (knowledge base identification information), KB name (name of the tactic in the knowledge base), and the content of the threat as threat information, and the IR type, method, and procedure as IR information.

[0122] The alert type, alert name, and alert details columns contain information read from the alert information table 391: information in the alert type column 391a, information in the alert name column 391b, and information in the alert details column 391c, respectively.

[0123] The threat type, KB_ID, KB name, and threat content include information from the threat classification column 392a, the knowledge base identification column 392c, the knowledge base name column 392d, and the threat content column 392e, respectively, which are read from the threat information table 392. Furthermore, the support information may include information from the link column 392f, so that, for example, when the support information is displayed on the monitor 350, the link allows access to a webpage containing detailed tactical information from the existing knowledge base.

[0124] The IR type, method, and procedure each include information from the IR classification column 393a, the IR technology column 393c, and the IR procedure column 393d, respectively, which are read from the IR information table 393.

[0125] As another example, suppose the network monitoring device 200 detects an anomaly in the control system 10 and issues an alert of type "SIGN:PROC:MISSING-VAR".

[0126] When the alert receiving unit 410 of the security support device 300 receives an alert issued by the network monitoring device 200, it supplies the received alert to the alert analysis unit 421. The alert analysis unit 421 identifies the alert type information "SIGN:PROC:MISSING-VAR" of the alert received by the alert receiving unit 410 (step S101), and refers to the alert information table 391 to read the information of the record related to the alert type information "SIGN:PROC:MISSING-VAR" (the second row of the alert information table 391 shown in Figure 6) (step S103).

[0127] The alert analysis unit 421 identifies threat identification information "3-1", "3-3", and "3-4" from the threat identification column 391e of the record related to the alert type information "SIGN:PROC:MISSING-VAR" (step S105), and notifies the threat information identification unit 422.

[0128] The threat information identification unit 422 processes all of the multiple threat identification information "3-1", "3-3", and "3-4" notified by the alert analysis unit 421.

[0129] The threat information identification unit 422 refers to the threat information table 392 to identify the record related to the threat identification information "3-1" notified by the alert analysis unit 421 (the first row of the threat information table 392 shown in Figure 7), and reads the information within the record (step S107). The threat information identification unit 422 also identifies the IR identification information "6-1" and "6-2" from the IR identification column 392g of the record related to the threat identification information "3-1" notified by the alert analysis unit 421 (step S109), and notifies the IR information identification unit 423.

[0130] The threat information identification unit 422 refers to the threat information table 392 to identify the record related to the threat identification information "3-3" notified by the alert analysis unit 421 (the third row of the threat information table 392 shown in Figure 7), and reads the information within the record (step S107). The threat information identification unit 422 also identifies the IR identification information "1-1" from the IR identification column 392g of the record related to the threat identification information "3-3" notified by the alert analysis unit 421 (step S109), and notifies the IR information identification unit 423.

[0131] The threat information identification unit 422 refers to the threat information table 392 to identify the record related to the threat identification information "3-4" notified by the alert analysis unit 421 (the fourth row of the threat information table 392 shown in Figure 7), and reads the information within the record (step S107). The threat information identification unit 422 also identifies the IR identification information "1-1" from the IR identification column 392g of the record related to the threat identification information "3-4" notified by the alert analysis unit 421 (step S109), and notifies the IR information identification unit 423.

[0132] The IR information identification unit 423 receives notifications from the alert analysis unit 421 regarding IR identification information "6-1" and "6-2" linked to threat identification information "3-1", IR identification information "1-1" linked to threat identification information "3-3", and IR identification information "1-1" linked to threat identification information "3-4", and processes all of these multiple IR identification information "1-1", "6-1", and "6-2".

[0133] The IR information identification unit 423 refers to the IR information table 393 to identify the record related to the IR identification information "1-1" notified by the threat information identification unit 422 (the first row of the IR information table 393 shown in Figure 8), and reads the information within the record (step S113).

[0134] The IR information identification unit 423 refers to the IR information table 393 to identify the record related to the IR identification information "6-1" notified by the threat information identification unit 422 (the second row of the IR information table 393 shown in Figure 8), and reads the information within the record (step S113).

[0135] The IR information identification unit 423 refers to the IR information table 393 to identify the record related to the IR identification information "6-2" notified by the threat information identification unit 422 (the third row of the IR information table 393 shown in Figure 8), and reads the information within the record (step S113).

[0136] As a result of the above operation, the following information is read and stored in memory 320: the record related to the alert type information "SIGN:PROC:MISSING-VAR" in the alert information table 391 (the second row of the alert information table 391 shown in Figure 6), the records related to the threat identification information "3-1", "3-3", and "3-4" in the threat information table 392 (the first, third, and fourth rows of the threat information table 392 shown in Figure 7), and the records related to the IR identification information "1-1", "6-1", and "6-2" in the IR information table 393 (the first to third rows of the IR information table 393 shown in Figure 8). The support information creation unit 425 refers to this information and uses the information of the pre-configured items to create support information for security measures (step S117). In this case as well, the support information creation unit 425 may create support information using only some of the information, or it may create support information using all of the information.

[0137] Figures 12-14 show examples of security support information created by the support information creation unit 425 when an alert with the alert type information "SIGN:PROC:MISSING-VAR" is received.

[0138] The support information shown in Figures 12 to 14 is composed of the same information as in Figure 11. However, while the support information shown in Figure 11 has one threat information (one record) associated with one alert type information (one record), and one IR information (one record) associated with that threat information, the support information shown in Figures 12 to 14 differs in that multiple threat information (in this case, three records identified by threat identification information "3-1", "3-3", and "3-4") are associated with one alert type information (one record), and multiple IR information (in this case, two records identified by IR identification information "6-1" and "6-2") are associated with one of these three threat information (one record identified by threat identification information "3-1").

[0139] As described above, in this embodiment, threat information is associated with alerts, and IR information is associated with threat information. As a result, the security support device 300 in this embodiment can identify threat information and IR information based on alerts issued by the network monitoring device 200, and create and output support information including this threat information and IR information.

[0140] Furthermore, in this embodiment, considering that there may be multiple threats that trigger an alert, and that there may be multiple incident responses (IRs) for each threat, it is possible to associate multiple pieces of threat information with one alert and multiple pieces of IR information with one piece of threat information. This makes it possible to provide support information that takes into account the various threats that may trigger an alert and their countermeasures.

[0141] The support information output unit 430 may output the support information created by the support information creation unit 425 as described above to the monitor 350, print it out as paper from a printer or the like, or transmit it to another device via the communication unit 330. When outputting to the monitor 350, the support information shown in Figures 12 to 14 may be displayed on a single display screen, or it may be displayed by scrolling or screen transitions.

[0142] By outputting support information in this way, personnel such as those at the security operations center can, for example, review the support information. These personnel can not only see that an alert has been issued by the network monitoring device 200, but also appropriately grasp information about the attack that triggered the alert and information about the IR (incident response) that should be taken in response to that attack. Based on the indicators of compromise (IoC) identified by inspecting the control system 10, they can take measures to contain the external attack.

[0143] Furthermore, according to the support information, the correspondence between the strategies and tactics of the newly constructed kill chain model and the strategies and tactics of the existing knowledge base can be easily grasped. This will facilitate understanding of the existing knowledge base and improve basic knowledge of TTPs related to threats, leading to improved skills and talent development for personnel and system developers, as well as the acceleration of technological development and quality improvement related to security measures.

[0144] (Process for creating support information for security measures, including false positive information) In the process shown in Figure 10, the security support device 300 creates and outputs support information including threat information and IR information, but it may also create and output support information including false positive information. Figure 15 is a flowchart of another example of the process for creating security support information performed by the security support device 300 in this embodiment. In the following, the explanation of processes similar to those shown in Figure 10 will be simplified or omitted.

[0145] Similar to steps S101 to S105 shown in Figure 10, the alert analysis unit 421 identifies the type of alert information from the identifier included in the alert issued by the network monitoring device 200, refers to the alert information table 391 to identify the record related to the identified alert type information, and reads the information from that record. Then, the alert analysis unit 421 identifies the threat identification information from the threat identification column 391e of the identified record and notifies the threat identification information to the threat information identification unit 422.

[0146] Next, the alert analysis unit 421 identifies false detection identification information from the false detection identification column 391d of the identified record (step S106), and notifies the false detection identification information to the false detection information identification unit 424.

[0147] Similar to steps S107 to S115 shown in Figure 10, the threat information identification unit 422 refers to the threat information table 392 to identify the record related to the threat identification information notified by the alert analysis unit 421, reads the information within the record, and identifies the IR identification information from the IR identification column 392g of the record related to the identified threat identification information. The IR information identification unit 423 also refers to the IR information table 393 to identify the record related to the IR identification information notified by the threat information identification unit 422, and reads the information within the record.

[0148] Next, the false detection information identification unit 424 refers to the false detection information table 394 to identify the record related to the false detection identification information notified by the alert analysis unit 421, and reads the information in the record (step S116a). The false detection information identification unit 424 stores the information of the read record in the memory 320. Note that the false detection identification column 391d of the record in the alert information table 391 can also store multiple false detection identification information, and the alert analysis unit 421 may notify the false detection information identification unit 424 of multiple false detection identification information. The false detection information identification unit 424 determines whether or not multiple false detection identification information has been notified by the alert analysis unit 421 (step S116b), and if multiple false detection identification information has been notified, it executes the process in step S116a for each false detection identification information.

[0149] Once processing of all false positive identification information is complete, the support information creation unit 425 refers to the information read from the alert information table 391 in step S103, the information read from the threat information table 392 in step S107, the information read from the IR information table 393 in step S113, and the information read from the false positive information table 394 in step S116a, extracts and formats information for pre-configured items, and further processes it into a predetermined data format to create support information for security measures (step S117a). The support information creation unit 425 supplies the created support information to the support information output unit 430, completing the support information creation process.
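The lookup chain of steps S101 to S117 in [0108] to [0112], the two worked alerts "SIGN:ARP:DUP" and "SIGN:PROC:MISSING-VAR" in [0114] to [0136], and the false-positive extension of steps S106 and S116a in [0144] to [0149] can be followed end to end in code. The block below is an added example, not code from the patent or from the applicant; tables 391 to 394 are constructed in memory, and only the identifiers (the two alert types, threat IDs "3-1", "3-3", "3-4" and "5-1", IR IDs "1-1", "6-1" and "6-2", false-positive ID "1-2") follow the description. Every alert name, detail, knowledge-base field, IR procedure and false-positive text is a placeholder, and attaching "1-2" to the "SIGN:ARP:DUP" row is an assumption made so that the Figure 16 case can be reproduced.

```python
# Added worked example (not the patent's code): the support-information lookup chain
# of Figures 10 and 15 over constructed tables 391-394. Only the identifiers follow
# the description; every name, detail, knowledge-base field, IR procedure and
# false-positive text below is a placeholder made up for this example.

ALERT_INFO_TABLE = {  # table 391, keyed by alert type (column 391a)
    "SIGN:ARP:DUP": {
        "name": "Duplicate ARP response",                        # 391b (constructed)
        "details": "Two MAC addresses answered for one IP",      # 391c (constructed)
        "false_positive_ids": ["1-2"],                           # 391d (assumed for this row)
        "threat_ids": ["5-1"],                                   # 391e
    },
    "SIGN:PROC:MISSING-VAR": {
        "name": "Process variable missing",
        "details": "A learned process variable no longer appears in traffic",
        "false_positive_ids": [],
        "threat_ids": ["3-1", "3-3", "3-4"],
    },
}


def _threat(classification, content, ir_ids):
    """Build a table 392 row; the KB fields are placeholders, not real knowledge-base IDs."""
    return {"classification": classification, "kb_id": "KB-ID-PLACEHOLDER",
            "kb_name": "KB tactic name placeholder", "content": content,
            "link": "", "ir_ids": ir_ids}


THREAT_INFO_TABLE = {  # table 392, keyed by threat ID (column 392b)
    "3-1": _threat("Tampering", "Process value altered or suppressed", ["6-1", "6-2"]),
    "3-3": _threat("Device outage", "Field device stopped reporting", ["1-1"]),
    "3-4": _threat("Protocol misuse", "Unexpected protocol behaviour", ["1-1"]),
    "5-1": _threat("Spoofing", "Address spoofing on the control network", ["1-1"]),
}

IR_INFO_TABLE = {  # table 393, keyed by IR ID (column 393b)
    "1-1": {"classification": "Investigate", "technique": "Collect endpoint logs",
            "procedure": "Retrieve logs from the hosts named in the alert"},
    "6-1": {"classification": "Investigate", "technique": "Compare with baseline",
            "procedure": "Diff current traffic against the learned baseline"},
    "6-2": {"classification": "Contain", "technique": "Isolate the segment",
            "procedure": "Apply the pre-approved isolation rule, then confirm availability"},
}

FALSE_POSITIVE_TABLE = {  # table 394, keyed by false-positive ID (column 394b)
    "1-2": {"classification": "Configuration change",
            "content": "A replaced device reused the previous IP address"},
}


def build_support_info(alert_type, include_false_positives=False):
    """Steps S101-S117 of Figure 10 (plus S106/S116a/S116b of Figure 15) as one chain.

    Every threat ID in the alert row is followed (the S111 loop) and, for each threat,
    every IR ID (the S115 loop), so one-to-many links come through unchanged.
    """
    alert = ALERT_INFO_TABLE.get(alert_type)            # S101/S103
    if alert is None:
        raise KeyError(f"alert type {alert_type!r} is not in the alert information table")
    threats = []
    for tid in alert["threat_ids"]:                      # S105; S107/S109 per threat ID
        row = THREAT_INFO_TABLE[tid]
        irs = [dict(ir_id=iid, **IR_INFO_TABLE[iid]) for iid in row["ir_ids"]]  # S113 per IR ID
        threats.append({"threat_id": tid, "ir": irs,
                        **{k: v for k, v in row.items() if k != "ir_ids"}})
    info = {"alert": {"type": alert_type, "name": alert["name"], "details": alert["details"]},
            "threats": threats}
    if include_false_positives:                          # S106, then S116a per ID
        info["false_positives"] = [dict(fp_id=fid, **FALSE_POSITIVE_TABLE[fid])
                                   for fid in alert["false_positive_ids"]]
    return info                                          # S117 / S117a


def distinct_ir_ids(info):
    """Distinct IR IDs across all threats: the set the description processes in [0132]."""
    return sorted({ir["ir_id"] for t in info["threats"] for ir in t["ir"]})


def render(info):
    """Plain-text layout in the spirit of Figures 11 to 16: alert, threats, nested IRs."""
    a = info["alert"]
    lines = [f"ALERT {a['type']}: {a['name']}", f"  {a['details']}"]
    for t in info["threats"]:
        lines.append(f"THREAT {t['threat_id']} [{t['classification']}] {t['kb_id']} {t['kb_name']}")
        lines.append(f"  {t['content']}")
        for ir in t["ir"]:
            lines.append(f"  IR {ir['ir_id']} [{ir['classification']}] "
                         f"{ir['technique']}: {ir['procedure']}")
    for fp in info.get("false_positives", []):
        lines.append(f"FALSE POSITIVE {fp['fp_id']} [{fp['classification']}] {fp['content']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_support_info("SIGN:PROC:MISSING-VAR")))
    print(render(build_support_info("SIGN:ARP:DUP", include_false_positives=True)))
```

Running it reproduces the two cases in the description: the ARP alert yields one threat ("5-1") with one IR ("1-1"), while the MISSING-VAR alert yields three threats, the first of which carries two IRs, and the distinct IR set is {"1-1", "6-1", "6-2"} even though "1-1" is reached through two threats. The nested structure returned by build_support_info is what a Figure 12 to 14 style display has to lay out; an unknown alert type fails loudly rather than producing empty support information.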

[0150] Figure 16 shows an example of support information, including false positive information, created by the support information creation unit 425 when an alert of type information "SIGN:ARP:DUP" is received. The support information shown in Figure 16 is the same as the support information shown in Figure 11, but with additional false positive information.

[0151] The support information shown in Figure 16 includes various information such as alert type, alert name, and alert details read from alert information table 391, threat type read from threat information table 392, IR type, method, and procedure read from IR information table 393, as well as information in the false positive classification column 394a and the false positive content column 394c read from false positive information table 394.

[0152] Figure 16 shows, as an example, support information for an alert of type "SIGN:ARP:DUP". Here, the alert analysis unit 421 identifies the false detection identification information "1-2" from the false detection identification column 391d of the record related to the alert type information "SIGN:PROC:MISSING-VAR", and the false detection information identification unit 424 reads the record related to the false detection identification information "1-2" (the second row of the false detection information table 394 shown in Figure 9) by referring to the false detection information table 394. The support information creation unit 425 can extract the information in the false detection classification column 394a and the information in the false detection content column 394c of the record related to the false detection identification information "1-2" to create support information including false detection information as shown in Figure 16.

[0153] Although not shown in the illustrations, similar to the support information (multiple pieces of threat information and multiple pieces of IR information) shown in Figures 12 to 14, if there are multiple pieces of false positive information, the support information may be created by appropriately formatting and processing it to include all of them.

[0154] In this way, by including false positive information in the support information, personnel at the security operations center, for example, can inspect the control system 10 while considering both the possibility that the network monitoring device 200 has produced a false positive and the possibility that an external attack has been detected, and take countermeasures against either. In particular, in order to maintain the security of the control system 10, it is to some extent unavoidable that the network monitoring device 200 will produce false positives; as in this embodiment, by indicating through the support information what actions may be taken in the event of a false positive, the actions related to the false positive can be understood efficiently.

[0155] As mentioned above, the security countermeasure model used in this embodiment is constructed by narrowing down the items necessary for passive network monitoring-based security measures from an existing knowledge base containing a vast amount of information. The security support device 300 in this embodiment performs network monitoring, and based on the security countermeasure model, filters and derives threats that are likely to occur. It then uses IR information to suggest additional investigations necessary to identify the derived threats (such as obtaining endpoint logs), thereby supporting the identification and narrowing down of attacks that occur. In this way, the security countermeasure model allows for the grouping and narrowing down of threats that are likely to occur, and by suggesting additional investigations using IR information linked to the threats, it becomes possible to appropriately support security measures for control systems, which present more challenges than IT systems.

[0156] The operation of this embodiment will now be described.

[0157] The security support device 300 in this embodiment supports the security measures of the control system 10 and is configured to include an alert receiving unit 410, a threat information database 390, a threat information identification unit 422, an IR information identification unit 423, a support information creation unit 425, and a support information output unit 430.

[0158] The alert receiving unit 410 is configured to receive alerts from a network monitoring device 200, which is configured to intercept and analyze packets transmitted and received by the control system 10, detect abnormalities occurring in the control system 10, and output alerts notifying of the abnormalities.

[0159] The threat information database 390 is configured to store information that associates the type information of alerts received from the network monitoring device 200 with the threat information and IR information related to the alert.

[0160] The threat information identification unit 422 is configured to refer to the threat information database 390 and identify threat information corresponding to the type of alert information received by the alert receiving unit 410.

[0161] The IR information identification unit 423 is configured to refer to the threat information database 390 and identify IR information corresponding to the threat information identified by the threat information identification unit 422.

[0162] The support information creation unit 425 is configured to create support information for security measures of the control system 10, including threat information identified by the threat information identification unit 422 and IR information identified by the IR information identification unit 423.

[0163] The support information output unit 430 is configured to output the support information created by the support information creation unit 425.

[0164] According to the above configuration, by intercepting packets transmitted and received by the control system 10, it becomes possible to detect anomalies in the control system 10 while prioritizing the availability of the control system 10, identify the threat such as an external attack that caused the anomaly, and create and output support information including threat information related to the threat and IR information, which is the countermeasure.

[0165] In this embodiment, the security support device 300 may be created based on a security countermeasure model (see Figure 1) constructed by narrowing down the items necessary for security measures of the control system 10 from an existing knowledge base that summarizes attack strategies and tactics, and then newly grouping each of the narrowed-down items.

[0166] According to the above configuration, by simplifying the complex and difficult-to-understand existing knowledge base and constructing a simplified security countermeasure model that is easy to understand, it becomes possible to construct an appropriate and practical security countermeasure system according to the actual environment of the control system 10. Furthermore, by mapping the strategies and tactics of the unique security countermeasure model according to the present invention with strategies and tactics extracted from the existing knowledge base to the extent necessary for network-based security countermeasures, it becomes possible to promote understanding of the complex and difficult-to-understand existing knowledge base, improve basic knowledge of threat-related strategies, tactics, and procedures, and contribute to improving the skills and human resources of personnel and system developers, as well as promoting and improving the quality of technology development related to security countermeasures.

[0167] In this embodiment, the security support device 300 has a threat information database 390 in which multiple threat information is associated with alert type information, and the threat information identification unit 422 may refer to the threat information database 390 to identify multiple threat information corresponding to the alert type information received by the alert receiving unit 410, and the support information creation unit 425 may create support information including the multiple threat information identified by the threat information identification unit 422.

[0168] According to the above configuration, even if there may be multiple pieces of threat information corresponding to an alert, support information including all of them can be created, enabling the control system 10 to appropriately implement security measures that take the multiple pieces of threat information into account.

[0169] In this embodiment, the security support device 300 has a threat information database 390 in which multiple pieces of IR information are associated with threat information. The IR information identification unit 423 identifies multiple pieces of IR information corresponding to the threat information identified by the threat information identification unit 422, and the support information creation unit 425 creates support information including the multiple pieces of IR information identified by the IR information identification unit 423.

[0170] According to the above configuration, even if there may be multiple pieces of IR (incident response) information corresponding to a threat such as an external attack, support information including all of them can be created, and the control system 10 can appropriately implement security measures that take the multiple pieces of IR information into account.

[0171] In this embodiment, the security support device 300 has a threat information database 390 in which false positive information is further associated with alert type information that can be received from the network monitoring device 200, and has a false positive information identification unit 424 that identifies false positive information corresponding to the alert type information received by the alert receiving unit 410 by referring to the threat information database 390, and the support information creation unit 425 may create support information that includes the false positive information identified by the false positive information identification unit 424.

[0172] With the above configuration, even if the network monitoring device 200 may mistakenly detect an operation of the control system 10 that is not a threat such as an external attack as such, it can create support information including false detection information, and the control system 10 can be appropriately equipped with security measures that take into account the issuance of alerts due to false detections.

[0173] Furthermore, the security support method in this embodiment is a method executed by a security support device 300 that supports the security measures of the control system 10. The security support method in this embodiment is characterized by comprising: an alert reception step of receiving an alert from a network monitoring device 200 configured to intercept and analyze packets transmitted and received by the control system 10, detect anomalies occurring in the control system 10, and output an alert notifying of the anomaly; a threat information identification step (step S107 in Figure 10) of referring to a threat information database 390 that stores information associating the alert type information that can be received from the network monitoring device 200 with the threat information and IR information related to the alert, and identifying the threat information corresponding to the alert type information received in the alert reception step; an IR information identification step (step S113 in Figure 10) of referring to the threat information database 390 and identifying the IR information corresponding to the threat information identified in the threat information identification step; a support information creation step (step S117 in Figure 10) of creating support information for security measures of the control system 10, including the threat information identified in the threat information identification step and the IR information identified in the IR information identification step; and a step of outputting the support information created in the support information creation step.

[0174] According to the above process, by intercepting packets transmitted and received by the control system 10, the system can prioritize the availability of the control system 10, detect abnormalities in the control system 10, identify the threat such as an external attack that caused the abnormality, and create and output support information including threat information related to the threat and IR information, which is the countermeasure.

[0175] The present invention is not limited to the embodiments described above, and its technical scope includes various modifications and design changes that do not depart from the technical spirit of the present invention.

[Explanation of symbols]

[0176] 10 Control system
20 Field device
30 PLC
40 RTU
50 SCADA
60 Firewall
100 IT network
200 Network monitoring device
210, 330 Communication unit
220 Network analysis unit
230 Anomaly detection unit
231 Learning unit
232 Link information storage unit
233 Comparison unit
234 Alert generation unit
300 Security support device
305 Bus
310 Processor
320 Memory
340 Operation input unit
350 Monitor
360 Storage
370 Alert processing program
371 Alert analysis program
372 Threat information identification program
373 IR information identification program
374 False positive information identification program
375 Support information creation program
380 Support information output program
390 Threat information database
391 Alert information table
391a Alert type column
391b Alert name column
391c Alert details column
391d, 394b False positive identification column
391e, 392b Threat identification column
392 Threat information table
392a Threat classification column
392c Knowledge base identification column
392d Knowledge base name column
392e Threat content column
392f Link column
392g, 393b IR identification column
393 IR information table
393a IR classification column
393c IR technique column
393d IR procedure column
394 False positive information table
394a False positive classification column
394c False positive content column
410 Alert reception unit
420 Alert processing unit
421 Alert analysis unit
422 Threat information identification unit
423 IR information identification unit
424 False positive information identification unit
425 Support information creation unit
430 Support information output unit

Claims

1. A security support device that supports security measures of a control system, characterized by comprising: an alert reception unit that receives an alert from a network monitoring device configured to intercept and analyze packets transmitted and received by the control system, detect anomalies occurring in the control system, and output an alert notifying the anomaly; a threat information database that stores, in association with each type of alert that can be received from the network monitoring device, threat information and incident response information relating to that alert; a threat information identification unit that refers to the threat information database and identifies the threat information corresponding to the type information of the alert received by the alert reception unit; an incident response information identification unit that refers to the threat information database and identifies the incident response information corresponding to the threat information identified by the threat information identification unit; a support information creation unit that creates support information for security measures of the control system, the support information including the threat information identified by the threat information identification unit and the incident response information identified by the incident response information identification unit; and a support information output unit that outputs the support information created by the support information creation unit.

2. The security support device according to claim 1, characterized in that the threat information database is created based on a security countermeasure model constructed by narrowing down, from an existing knowledge base that summarizes attack strategies and tactics, the items necessary for security measures of the control system, and then newly grouping the narrowed-down items.

3. The security support device according to claim 1 or 2, characterized in that, in the threat information database, a plurality of threat information items are associated with the type information of the alert; the threat information identification unit refers to the threat information database and identifies the plurality of threat information items corresponding to the type information of the alert received by the alert reception unit; and the support information creation unit creates the support information including the plurality of threat information items identified by the threat information identification unit.

4. The security support device according to claim 1 or 2, characterized in that, in the threat information database, a plurality of incident response information items are associated with the threat information; the incident response information identification unit identifies the plurality of incident response information items corresponding to the threat information identified by the threat information identification unit; and the support information creation unit creates the support information including the plurality of incident response information items identified by the incident response information identification unit.

5. The security support device according to claim 1 or 2, characterized in that, in the threat information database, false positive information is further associated with the type information of the alert that can be received from the network monitoring device; the device further comprises a false positive information identification unit that refers to the threat information database and identifies the false positive information corresponding to the type information of the alert received by the alert reception unit; and the support information creation unit creates the support information including the false positive information identified by the false positive information identification unit.

6. A security support method performed by a security support device that supports security measures of a control system, characterized by comprising: an alert reception step of receiving an alert from a network monitoring device configured to intercept and analyze packets transmitted and received by the control system, detect an anomaly occurring in the control system, and output an alert notifying the anomaly; a threat information identification step of referring to a threat information database that stores threat information and incident response information in association with each type of alert that can be received from the network monitoring device, and identifying the threat information corresponding to the type information of the alert received in the alert reception step; an incident response information identification step of referring to the threat information database and identifying the incident response information corresponding to the threat information identified in the threat information identification step; a support information creation step of creating support information for security measures of the control system, the support information including the threat information identified in the threat information identification step and the incident response information identified in the incident response information identification step; and a support information output step of outputting the support information created in the support information creation step.
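The lookup chain described in paragraph [0173] and claimed in claims 1 and 3 to 5, namely one alert type mapping to several threat information rows, each threat mapping to several IR rows, plus false positive information attached to the alert type, as an added Python example that is not the patent's own code. The table layouts follow the reference numerals of the explanation of symbols (tables 391 to 394); the key=value alert line format, the placeholder knowledge base identifiers and URLs, and every sample row are assumptions constructed for this example and do not come from the patent.

```python
"""Alert -> threat information -> IR information lookup of a security support device.

Added example, not the patent's own code. Comments cite the patent's reference numerals;
the alert line format, the identifiers and all rows below are constructed."""
from collections import namedtuple
from typing import Dict, List, Optional

# One record type per table of the threat information database 390. Field order puts the
# identification column first, then the remaining columns 391a-e, 392a-g, 393a-d, 394a-c.
AlertInfo = namedtuple("AlertInfo", "alert_type name details fp_ids threat_ids")       # 391
ThreatInfo = namedtuple("ThreatInfo", "threat_id classification kb_id kb_name content link ir_ids")  # 392
IRInfo = namedtuple("IRInfo", "ir_id classification technique procedure")            # 393
FalsePositiveInfo = namedtuple("FalsePositiveInfo", "fp_id classification content")  # 394
SupportInfo = namedtuple("SupportInfo", "alert_type alert_name threats ir false_positives")  # S117


class ThreatInformationDatabase:  # threat information database 390
    def __init__(self, alerts, threats, irs, fps):
        self.alerts: Dict[str, AlertInfo] = {a.alert_type: a for a in alerts}
        self.threats: Dict[str, ThreatInfo] = {t.threat_id: t for t in threats}
        self.irs: Dict[str, IRInfo] = {i.ir_id: i for i in irs}
        self.fps: Dict[str, FalsePositiveInfo] = {f.fp_id: f for f in fps}

    def identify_threats(self, alert_type: str) -> List[ThreatInfo]:
        """Step S107: alert type -> every linked threat row (claim 3)."""
        row = self.alerts.get(alert_type)
        return [self.threats[t] for t in row.threat_ids if t in self.threats] if row else []

    def identify_ir(self, threats: List[ThreatInfo]) -> List[IRInfo]:
        """Step S113: IR rows linked from the threats (claim 4), deduplicated in first-seen
        order so a procedure shared by two threats is listed once."""
        out, seen = [], set()
        for t in threats:
            for ir_id in t.ir_ids:
                if ir_id in self.irs and ir_id not in seen:
                    seen.add(ir_id)
                    out.append(self.irs[ir_id])
        return out

    def identify_false_positives(self, alert_type: str) -> List[FalsePositiveInfo]:
        """Claim 5: false positive rows linked to the alert type."""
        row = self.alerts.get(alert_type)
        return [self.fps[f] for f in row.fp_ids if f in self.fps] if row else []


def parse_alert(line: str) -> Dict[str, str]:
    """Alert reception (410). The key=value line format is an assumption of this example;
    the patent does not specify how the network monitoring device 200 encodes alerts."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def create_support_info(db: ThreatInformationDatabase, line: str) -> Optional[SupportInfo]:
    """Step S117. Returns None for an alert type absent from table 391 so the caller can
    hand the alert to an analyst instead of emitting empty guidance."""
    alert_type = parse_alert(line).get("type", "")
    row = db.alerts.get(alert_type)
    if row is None:
        return None
    threats = db.identify_threats(alert_type)
    return SupportInfo(alert_type, row.name, threats, db.identify_ir(threats),
                       db.identify_false_positives(alert_type))


# Constructed sample rows: placeholder identifiers, not entries of any real knowledge base.
DB = ThreatInformationDatabase(
    alerts=[AlertInfo("A003", "Unlearned write command",
                      "Function code/register pair not seen in the learning phase",
                      fp_ids=("F002",), threat_ids=("T010", "T011"))],
    threats=[
        ThreatInfo("T010", "Impair process control", "KB-0001", "Unauthorized command message",
                   "Commands the PLC accepts arrive from an unexpected host",
                   "https://kb.example/KB-0001", ir_ids=("R001", "R002")),
        ThreatInfo("T011", "Lateral movement", "KB-0002", "Remote service abuse",
                   "PLC reached from a compromised engineering workstation",
                   "https://kb.example/KB-0002", ir_ids=("R002", "R003")),
    ],
    irs=[
        IRInfo("R001", "Verification", "Compare with process state",
               "Confirm with the operator that the written value is the planned set-point"),
        IRInfo("R002", "Containment", "Boundary rule update",
               "Block the source at firewall 60 rather than power-cycling the PLC"),
        IRInfo("R003", "Investigation", "Source host triage",
               "Collect logs from the source host while the process keeps running"),
    ],
    fps=[FalsePositiveInfo("F002", "Maintenance", "Engineering download in a scheduled window")],
)

# Constructed alert line in the assumed key=value format.
ALERT_LINE = "type=A003 src=192.168.10.21 dst=192.168.10.5 proto=modbus code=16"
```

Running `create_support_info(DB, ALERT_LINE)` yields two threat rows, three distinct IR rows (R002 is linked from both threats and listed once) and one false positive row, which is the content the support information output unit 430 would present. The patent does not state how IR rows are ordered or prioritized, so the example keeps the order in which they are linked; an unknown alert type returns None rather than an empty record.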