
CAPP Events: 2004


Cyber Security Discussed Among RAND and Japanese Electric Industry Representatives

Utility executives representing 10 Japanese electric companies met with members of RAND in Santa Monica on November 18 to discuss ways to improve cyber security among the electric power industry in Japan. Attendees from RAND included Bob Anderson, Wally Baer, and Rachel Swanger.

Specifically, the purpose of the meeting was to make meaningful and productive improvements to an upcoming simulation of a cyber terrorist attack on the Japanese electric power industry. The Japanese Ministry of Economy, Trade, and Industry (METI) is conducting the simulation exercise to give first-hand experience to the operators of Japanese utilities.

Shinichi Takahashi of the Federation of Electric Power Companies briefed attendees on the simulation exercises designed to test the effectiveness of countermeasures within that sector. The simulation includes three teams: the operator team, which would defend a model computer system against the attack team, and the coordination team, which would manage progress and document experiences of both the attackers and defenders.

Bob Anderson then briefed the group on various RAND research, including that from a recent monograph titled "Finding and Fixing Vulnerabilities in Information Systems: The Vulnerability Assessment and Mitigation Methodology" (MR-1601). Anderson explained that most cyber security countermeasures hinge on a "bottom-up" approach, that is, they address specific weaknesses discovered from previous experiences. The problem, he noted, is that bottom-up thinking doesn't allow for the "unimaginable."

Anderson detailed the monograph's vulnerability assessment and mitigation methodology, which is based on a "top-down" approach from first principles and uses a matrix to map vulnerabilities against security mitigation techniques. Using this matrix, noted Anderson, organizations can expand their thinking in terms of identifying new or potential vulnerabilities.

After two hours of discussions, the Japanese utility executives agreed that the vulnerability matrix could be "very valuable" to METI in conducting the simulation. At the close of the meeting, Anderson invited the executives to download from the RAND web site an Excel spreadsheet that aids in using the VAM approach, and to provide further feedback. Anderson further highlighted various opportunities for cooperation between RAND and METI.

 
