US 11,921,845 B2
Risk evaluation and countermeasure planning system, and risk evaluation and countermeasure planning method
Takashi Kawauchi, Tokyo (JP); Chinatsu Yamauchi, Tokyo (JP); Yiwen Chen, Tokyo (JP); and Eriko Ando, Tokyo (JP)
Assigned to HITACHI, LTD., Tokyo (JP)
Appl. No. 17/428,678
Filed by Hitachi, Ltd., Tokyo (JP)
PCT Filed Feb. 27, 2020, PCT No. PCT/JP2020/007999
§ 371(c)(1), (2) Date Aug. 5, 2021,
PCT Pub. No. WO2020/202934, PCT Pub. Date Oct. 8, 2020.
Claims priority of application No. 2019-067455 (JP), filed on Mar. 29, 2019.
Prior Publication US 2022/0121739 A1, Apr. 21, 2022
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/55 (2013.01) [G06F 2221/033 (2013.01)] 9 Claims
OG exemplary drawing
 
1. A risk evaluation and countermeasure planning system comprising:
a storage apparatus configured to store:
a vulnerability database that stores vulnerability information pertaining to a vulnerability, and
a product information database that stores product information; and
a processing apparatus including a memory and a processor coupled to the memory, the memory storing instructions that when executed by the processor, configures the processor to:
receive an input of design information,
analyze the vulnerability on a basis of the design information to generate an analysis result,
on a basis of the analysis result, analyze a threat to the system and output a threat analysis result,
on a basis of the output threat analysis result and the vulnerability information stored in the vulnerability database, plan a countermeasure plan which reduce an impact of the vulnerability,
plan a security test on a basis of the countermeasure plan,
perform an evaluation on a basis of the security test planned and output an evaluation result,
process the evaluation result, generate a security countermeasure as the product information, and store the security countermeasure as the product information database,
in a case where information regarding new vulnerabilities is input after product shipment, determine, from the information regarding new vulnerabilities and past product information, whether the information regarding new vulnerabilities applies to a product that forms a part of the system,
in a case that a result of the determination is that the information regarding new vulnerabilities applies to the product, evaluate an impact of the new vulnerabilities on the product, and determine whether an additional countermeasure is necessary by comparing the impact of the new vulnerabilities on the system with a requirement with respect to an asset value,
in a case where determination is that the additional countermeasure is necessary, plan the additional countermeasure for reducing the impact of the new vulnerabilities, and
generate the additional countermeasure as the product information, and store the product information in the product information database.