Cyber/Physical Security Framework (CPSF) Formulated

April 18, 2019

The Ministry of Economy, Trade and Industry (METI) aims to ensure security in the new supply chains (value creation processes) under “Society 5.0,” a national policy achieved by integrating cyberspace and physical space in a sophisticated manner, and “Connected Industries,” another national policy for creating new value added by connecting a variety of goods, industries and people. As part of the efforts to this end, METI formulated the Cyber/Physical Security Framework (hereinafter referred to as “CPSF”), a well-organized overview of security measures that industries are required to take.

1. Background

On February 7, 2018, METI inaugurated Working Group 1 (WG1) (Systems, Technologies and Standardization) under the Study Group for Industrial Cybersecurity, and since then, WG1 has been holding discussions on cyber/physical security measures aimed at achieving security in the new supply chains under the Society 5.0 policy and the Connected Industries policy.

Under the Society 5.0 policy, a super smart society will emerge in which cyberspace and physical space are integrated in a sophisticated manner. This integration will not only help businesses provide goods or services that meticulously meet a variety of demands but also help people strike a balance between economic development and solutions to social challenges. In addition, under the Connected Industries policy, a variety of goods, industries and people will be connected, and this connection will create new value added. As a result of advancing these two policies, industries will face a shift in supply chains from the conventional stereotypical, linear mode to a more flexible, dynamic one.

WG1 defined such new-mode supply chains as a “value creation process” and has been advancing discussions on the formulation of a “Cyber/Physical Security Framework” as guidelines for implementing the security required by supply chains that are expected to expand and change under these national policies.

In the process of advancing these discussions, WG1 publicized Japanese and English versions of the draft CPSF and held two rounds of calls for public comments from April 27 to May 28, 2018, and from January 9 to February 28, 2019, respectively, and received many opinions from a wide variety of people inside and outside Japan. In parallel with this, the Cross-Sectoral Sub Working Group (SWG) under WG1 advanced discussions taking into consideration these public comments, opinions of experts, and the consistency of the draft CPSF with international standards.

In light of the results of discussions by WG1 and SWG, METI formulated CPSF Version 1.0. METI expects Japanese industries to make use of the CPSF and thereby to advance cybersecurity measures throughout Japan's entire supply chains.

Aiming to popularize the CPSF in society, and in light of the conventional models that respective industries should maintain from the viewpoints of their industrial structures and business practices as well as the fact that the level of risks that such industries can accept varies, METI will strive to disseminate the CPSF among major industries and to promote discussions on specific security measures that respective industries need. Moreover, it will inaugurate a task force for discussing the issues for which cross-industrial measures are required: [i] security measures tailored to data categories, [ii] security measures required for equipment and systems with a transcription function, and [iii] methods of managing software, including open-source software (OSS)*, etc., and will advance discussions on these issues.
*Note: The term “OSS” is a generic name for software whose source code users are able to use, research, re-use, correct, expand and redistribute regardless of the purposes of the users.

2. Outline of the CPSF

The CPSF presents an overview of security measures for industrial society and targets all entities involved in the value creation process as readers. Furthermore, with an eye on future revision or modification of the CPSF in line with changes in technologies and other situations, METI composed the main section of the CPSF from three parts focusing on concept, policy and method, respectively.

Part I: Concept
From the viewpoint of cybersecurity, this part presents a streamlined explanation of a model, i.e., a three-layer structure and six components thereof, to organize risk sources in the value creation process.

Part II: Policy
This part presents risk sources streamlined by taking advantage of the model shown in Part I and security-measure requirements to address such risk sources.

Part III: Method
This part presents examples of security measures tailored to the security-measure requirements shown in Part II.

Appendices include: use cases where the three-layer model is applied to representative industries; relationships between risk sources and security-measure requirements; examples of security measures tailored to respective security-measure requirements; relationships with major overseas standards; and glossary.

3. Related materials

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau

