
“By using CYFIRMA’s threat intelligence service, DeCYFIR, we have become able to respond proactively to cyberthreats and risks. While leveraging CYFIRMA’s advisories, we will continue to consider various use scenarios going forward.”
About Kansai Electric Power (KEPCO):
Since its founding in 1951, the KEPCO group has primarily focused on the energy business while also developing a wide range of business activities that support daily life, our economy, and industry, including information and communications and lifestyle and business solutions. In recent years, we have strengthened internal controls and advanced organizational culture reform, steadily promoting KX (Kanden Transformation) with frontline workplaces and the entire group working together as one. Going beyond “Kansai” and “electric power,” we will continue to be a corporate group that provides a resilient social infrastructure through a deepened KX—“KX toward 2040”—that delivers new value to customers and society.
KEPCO Team

What challenges did you face as a critical infrastructure operator?
Critical infrastructure operators, including electric utilities, support the foundation of society and economic activity, and the systems that support their operations are required to have extremely high reliability. From a cybersecurity perspective, while all three elements of “Confidentiality, Integrity, and Availability (CIA)” discussed in general information systems are important, it is necessary to note that the weighting of each element varies significantly depending on the business environment.
At our company as well, as a critical infrastructure operator that supplies electricity, we place emphasis on availability for systems that contribute to stable supply.
In recent years, digitalization and technological evolution, including the promotion of DX, have been accelerating. We are also promoting DX as a unified company, and various business reforms and utilization of IT technologies are being advanced across different business divisions. However, with the mission of delivering electricity “safely” and “stably,” in terms of cybersecurity, it is essential to continuously maintain a high level of security in order to respond to the increasing number of cyberattacks and threats accompanying technological innovation.
We believe that boundary defense with the internet and external networks will become increasingly important. Through digitalization and DX initiatives such as data utilization, remote operations, and cloud adoption, we will have more points of contact with external environments, which is expected to increase the likelihood of being targeted by attackers. Therefore, understanding the boundary domain and strengthening security have become more important than ever.
For critical infrastructure operators, appropriate security enhancement aligned with digitalization of core businesses and DX promotion is not merely a technical issue but an important issue for fulfilling social responsibility. While adhering to the fundamental principles of critical infrastructure businesses that prioritize availability, how to realize future data utilization and value creation through DX is not something that can be solved overnight. However, we believe that critical infrastructure operators going forward are required to accumulate careful and strategic considerations.
How did KEPCO come to know CYFIRMA?
The opportunity came through an introduction from another organization. We were introduced through the electricity ISAC in which we participate, which led us to consider and begin using the service.
Challenges before using DeCYFIR
First, we were unable to visualize how our company was seen by external threat actors, which was a problem. Although we regularly conducted vulnerability assessments and gathered information internally, it was necessary to understand how servers and network devices accessible from the internet were actually exposed and what kinds of vulnerabilities and misconfigurations they contained. Furthermore, it was necessary to obtain intelligence on whether those assets could become targets of attackers and to understand related threats.
In addition, up to that point, our operations had been reactive, responding to security issues only after detections occurred. It is extremely important to understand uncertain cyberthreats at an early stage and determine whether a response is required internally, but we needed intelligence for proactive threat response, such as what kinds of threats are occurring and becoming prominent globally, whether there are trends among them, and through which paths access might occur.
What are the strengths of CYFIRMA, and what changes and benefits have you realized after the implementation?
There are three main points.
The first is that, as mentioned in the pre-implementation challenges, we were able to visualize “our organization as seen from an attacker’s perspective,” which had previously not been possible. We feel that this was the biggest change. With conventional baseline assessments, even if we could identify weaknesses within our organization, it was difficult to determine whether they were vulnerabilities or threats that could actually lead to an attack.
After implementing CYFIRMA’s DeCYFIR, by conducting dark web monitoring and ASM, we were able to visualize where assets that could be targeted by attackers exist and how close threats are. Before implementation, when a new threat emerged, it took time for initial investigation to determine whether it could be exploited against our company. Through dark web monitoring, we are now able to detect and understand whether attackers are attempting to target our company, including signs and communications, allowing us to recognize that threats are approaching imminently. Regarding ASM, we can confirm not only software vulnerabilities but also the status of open ports. Since introducing DeCYFIR, we have become able to proactively understand our own assets, determine whether vulnerabilities are visible to attackers and whether they are likely to be targeted, and respond based on priority.
For example, for assets identified on our attack surface, we have made it possible to identify the responsible department. Based on this, we compile a list of how those assets appear externally, along with issues and vulnerability information, and connect this to actions such as confirmation of owned assets and risk assessment by the responsible departments. Since DeCYFIR provides intelligence for determining response priority, we believe we are able to operate while minimizing the burden on those departments.
The second point is that we have become able to respond proactively to threats.
Before implementation, our approach was mainly reactive, triggered by detections from security products or system anomalies. However, now, before any impact reaches our company, we can proactively recognize what kinds of threats and threat actors are attracting attention in the world, as well as what attack methods, infrastructure, and malware are being used, enabling us to consider countermeasures based on that understanding.
At our company, based on IoC information such as IP addresses and malware hashes used by threat actors and analyzed by DeCYFIR, we are able to proactively register them as blocking and detection information across various security products. Through this, we feel that we are now able to take preemptive actions against threats.
Furthermore, we are also utilizing the recently released generative AI feature “Ask DeCYFIR.” With this function, we can directly query in Japanese for intelligence we want to know and extract knowledge at the appropriate level of detail at the necessary timing. For example, from information gathering such as “Are there any threat, cyberattack, or incident cases related to electric power companies in the past month?” to understanding new threats and their countermeasures, we can quickly grasp the results as analyses that include CYFIRMA’s proprietary intelligence, which is extremely helpful.
The third point is the comprehensive support provided by the Japan Customer Success Team.
Through monthly regular meetings with us, it is extremely helpful to receive insights based on the latest cyber threat landscape and observations related to our organization.
In the security field, there are many overseas products and vendors, and when making inquiries, conducting additional investigations of analysis results, or proposing improvements, it may be necessary to confirm through resellers or overseas expert teams. This tends to create burdens in terms of time and effort for the users. However, with CYFIRMA, we can quickly resolve questions through inquiries to Customer Success. The responsiveness is truly remarkable. Through these day-to-day interactions and regular meetings, we feel that our own level and cybersecurity awareness have improved. Furthermore, with the implementation of the AI function, we have become able to utilize threat intelligence even more quickly and accurately.
We are satisfied that DeCYFIR, which provides a wide range of functions, achieves excellent cost performance despite offering such comprehensive support.
Future outlook and expectations for CYFIRMA (including generative AI)
As Kansai Electric Power Group, we plan to expand the utilization of threat intelligence, including DeCYFIR. In particular, we aim to eliminate dependency on individuals while promoting labor savings and automation. For example, IoC information is already automatically integrated, but we would like to enable seamless integration of information and intelligence such as newly emerging threats, risks, vulnerabilities, and attack methods into other systems by utilizing AI agents and similar technologies.
In addition, demand from our senior management regarding cyber threats is increasing, and we would like to actively create reports not only for our executives but also for stakeholders across group companies, utilizing intelligence obtained from DeCYFIR. While leveraging CYFIRMA’s advice, we will continue to consider further utilization going forward.