An Internal Affairs and Communications Ministry survey has found evidence of 150 cases of cybersecurity flaws in devices that are linked to the internet of things, or IoT, and are used to remotely monitor the country’s crucial infrastructure such as dams and railways.
In some cases, passwords had not been set on the devices. The ministry will conduct a thorough inspection in 2019 in order to reinforce security measures for infrastructure that is closely connected to people’s daily lives.
The recent survey was conducted from September 2017 to March 2018 by a research team on the country’s crucial infrastructure. The team included members from the ministry and Yokohama National University.
The team used the internet to track down any flaws in cybersecurity and found that preparations against cyber-attacks were not sufficient in 150 cases involving IoT equipment, such as devices that monitor water levels at dams, gas alarm systems set up at volcanoes and devices that monitor power consumption at railway sites and other public works.
Of 77 cases in which information was available on the devices’ operators, such as municipalities, companies and organizations, the research team further checked the circumstances of 36 cases in which they were able to have direct contact with operators. As a result, they found 27 IoT devices for which passwords either were not set or had not been changed from an initial setting and thus could be easily guessed. There were also nine cases in which log-in screens could be viewed online by the public.
If IoT devices installed in crucial infrastructure are exposed to cyber-attacks, they can be misused for terrorism and other purposes. However, their administrators were not fully aware of cyber threats and also had not clarified where responsibility lies, according to the ministry.
In 2016, hackers took over hundreds of thousands of IoT devices by attempting to log in with default IDs and passwords, and the hijacked devices served as a stepping-stone to launching a massive cyber-attack.
The communications ministry plans to apply the revised National Institute of Information and Communications Technology law, which was passed during the current Diet session, and will conduct a further inspection in 2019 by trying to “hack” their own systems, an approach that has been previously banned.