A study made by the Ministry of Internal Affairs and Communications (MIC) found that 150 IoT devices set up for remote monitoring of dams, railways, and other critical infrastructure have inadequate cybersecurity systems. There were even cases where no password was set. The MIC plans to conduct a more detailed survey in 2019 to promote better cybersecurity measures for infrastructure that are important for the people’s everyday life.
The MIC, Yokohama National University, and other entities conducted a study of critical infrastructure from September 2017 to March 2018.
In this study conducted on the Internet to detect vulnerabilities, 150 IoT monitoring devices for water levels at dams, volcanic gas alarms, monitoring devices for electricity consumption at railways and other public work construction sites, and so forth were found to have inadequate defense against cyberattacks.
For the 77 devices for which information was obtained on the facility administrators or operators of local governments, companies, and other organizations, a more detailed study was made on 36 devices whose overseers could be contacted. As a result, 27 devices were found to have no passwords or using default passwords that could easily be deduced. In nine cases, the password authentication page was made available on the Internet.
Terrorists and other criminals may make use of cyberattacks on IoT devices of critical infrastructure. However, the facility administrators have insufficient awareness of the threat posed by cyberattacks and responsible officials have not even been assigned for the IoT devices.
In 2016, there was a case in which the attackers tried the default IDs and passwords to hijack IoT devices and launch massive cyberattacks from there. The MIC will take advantage of the amended National Institute of Information and Telecommunications Technology Law passed in the current Diet session to use the same techniques employed by cyberattackers, a method which used to be prohibited, to conduct a study in 2019.