June 17, 2019
As part of its efforts to ensure cybersecurity on an industry-by-industry basis, the Ministry of Economy, Trade and Industry (METI) focused on buildings, which contain many control devices (e.g., elevators and air conditioners), and formulated the Guidelines for Cyber-Physical Security Measures for Building Systems (First Version). The guidelines are a systematic compilation of the points to focus on and the specific requirements for taking cybersecurity measures, with the aim of ensuring cybersecurity for building systems.
In December 2017, METI launched the Study Group for Industrial Cybersecurity to identify the challenges that Japanese industrial players face in the field of cybersecurity and to promote related policy measures. In addition, on February 7, 2018, METI established Working Group 1 (Systems, Technologies and Standardization) under the study group and started a series of discussions on a Cyber/Physical Security Framework (CPSF), aiming to ensure cybersecurity across the new supply chains of a society under the Society 5.0 policy and the Connected Industries policy. In response, METI launched a Sub-working Group for Buildings under Working Group 1 as an effort to discuss industry-based policies for cybersecurity. Since its first meeting on February 28, 2018, the sub-working group has been holding discussions on cybersecurity measures for building systems.
The sub-working group brought together many stakeholders with experience in buildings that contain a number of control devices (e.g., elevators and air conditioners), including building owners, representatives of construction companies, architectural design offices, vendors of a variety of building facilities and equipment, and experts in control system security. Over its nine meetings so far, the group discussed guidelines for cybersecurity measures for building systems. In the course of these discussions, the sub-working group compiled an interim outcome titled “Guidelines for Cyber-Physical Security Measures for Building Systems (β Version)” as a draft, published it, called for public comments and received them from a wide range of people. It also conducted a survey of overseas countries to study trends in cybersecurity measures for building systems and a survey of stakeholders involved in building systems to gauge their awareness of cybersecurity, and sorted out the consistency between the supply chains of industry as a whole and the CPSF, a framework for ensuring cybersecurity. Following these efforts, the sub-working group compiled its discussion results into the Draft Guidelines for Cyber-Physical Security Measures for Building Systems (First Version), called for another round of public comments from March 11 to April 9, 2019, again received comments from a wide range of people, and refined the draft guidelines.
METI hereby announces that the sub-working group has formulated the Guidelines for Cyber-Physical Security Measures for Building Systems (First Version) as the outcome of these discussions, amendments and other work. The guidelines, a compilation of cybersecurity measures for building systems, are a pioneering effort. The building systems industry is changing rapidly toward a new society under the Society 5.0 policy: a growing number of buildings need to be connected to external networks, as seen in the demand for building and energy management systems (BEMS), the introduction of cloud computing technology and the use of IoT. As a result, the importance of cybersecurity measures continues to grow. Against this backdrop, the guidelines are expected to help readers advance their efforts to ensure cybersecurity for all building systems, from newly constructed buildings with cutting-edge facilities to existing buildings.
2. Overview of the Guidelines for Cyber-Physical Security Measures for Building Systems (First Version)
The guidelines focus on expected threats to building systems, categorize these threats by target site and equipment, and explain the possible incidents, risk sources and requirements for cybersecurity measures for each site and piece of equipment, all organized by policy level. The guidelines then explain the life cycles of buildings and building systems, based on the policies mentioned above, and compile the necessary measures to be taken for cybersecurity in each phase of the life cycle. In doing so, the guidelines aim to help people involved in the procurement, construction and operation of building systems by offering realistic measures that match, as closely as possible, the approaches they have been taking at their sites. In addition, the guidelines explain the current situation of control systems, including those in buildings, that have been affected by cyber attacks, and the approaches the guidelines adopt in organizing measures against such attacks. Through these explanations, the guidelines aim to raise readers' awareness of the current situation, in which building systems need cybersecurity measures, and to help them learn basic approaches to implementing cybersecurity measures.
- 1.1. Purpose of formulating the guidelines
- 1.2. Targets and position of the guidelines
- 1.3. Composition of the guidelines
- 2. Changes surrounding building systems
- 2.1. Characteristics of control systems in general, including building systems, and an increase in threats to them
- 2.2. Case examples of cyber attacks on building systems
- 2.3. Impacts of cyber attacks on building systems
- 3. Approaches to cybersecurity measures for building systems
- 3.1. Schemes for cybersecurity measures in general
- 3.2. Overview of structures of building systems
- 3.3. Characteristics of building systems
- 3.4. Policies for organizing cybersecurity measures for building systems
- 3.5. Examples of expected use of the guidelines
- 4. Risks that building systems may face and policies for addressing them
- 4.1. Overall management
- 1. Configuration information / management information
- 2. Backed-up data / business continuity
- 3. Companies / staff management
- 4. Establishment of systems, etc.
- 4.2. Device-based management measures
- 1. Networks (cloud computing, information networks, BACnet)
- 2. Monitoring centers (central control rooms)
- 3. Machine rooms / control board boxes
- 4. Wiring routes (MDF rooms, EPSs, racks in the ceiling)
- 5. Sites at which terminal devices should be installed
- 5. Cybersecurity measures taking into consideration life cycles of facilities, equipment, etc.
- (List of Annexes; their composition is the same as that of Chapter 4 above.)
- Supplementary materials, terminology, etc.
3. Related documents
- Guidelines for Cyber-Physical Security Measures for Building Systems (First Version) (PDF: 3,405KB)
- Appendix to the Guidelines for Cyber-Physical Security Measures for Building Systems (First Version) (PDF: 169KB)
- METI’s opinions on submitted public comments (PDF: 970KB)
*The English versions of the Guidelines and the Appendix were posted on February 4.
Division in Charge
Cybersecurity Division, Commerce and Information Policy Bureau