GB/T 30976.1-2014 PDF EnglishUS$560.00 · In stock · Download in 9 seconds
GB/T 30976.1-2014: Industrial control system security - Part 1: Assessment specification Delivery: 9 seconds. True-PDF full-copy in English & invoice will be downloaded + auto-delivered via email. See step-by-step procedure Status: Valid
Similar standardsGB/T 30976.1-2014: Industrial control system security - Part 1: Assessment specification---This is an excerpt. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.), auto-downloaded/delivered in 9 seconds, can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GBT30976.1-2014GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 25.040 N 10 Industrial control system security – Part 1.Assessment specification Issued on. JULY 24, 2014 Implemented on. FEBRUARY 01, 2015 Issued by. General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China. Table of ContentsForeword... 4 1 Scope... 6 2 Normative references... 6 3 Terms, definitions and abbreviations... 6 4 Industrial control system information security overview... 10 5 Organization management assessment... 17 6 System capability (technology) assessment... 144 7 Assessment procedures... 188 8 Risk assessment at various stages of the industrial control system life cycle ... 194 9 Format requirements of assessment report... 200 Appendix A (Normative) Management assessment list... 202 Appendix B (Normative) System capability (technology) assessment list... 209 Appendix C (Informative) Risk assessment tools and common testing content of industrial control systems... 213 References... 2211 ScopeThis part of GB/T 30976 specifies the objectives, assessment contents and implementation process of the information security assessment of industrial control systems (SCADA, DCS, PLC, PCS, etc.). This part applies to system designers, equipment manufacturers, system integrators, engineering companies, users, asset owners, and assessment and certification agencies to perform assessment against the information security of the industrial control systems. [Translator. In Chinese, words “security [3.1.14]” and “safety [3.1.13]” are identical. For simplicity, “security” is used for Clause 5.5 and other Clauses in this translated standard.]2 Normative referencesThe following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) are applicable to this standard. GB/T 22081-2008 Information technology - Security techniques - Code of practice for information security management (ISO/IEC 27002.2005, IDT) IEC 62443-3-3-2013 Industrial communication networks - Network and system security - Part 3-3.System security requirements and security levels (SL)3 Terms, definitions and abbreviations3.1 Terms and definitions The following terms and definitions apply to this document. 3.2 Abbreviations The following abbreviations apply to this document. CL. Capability level DCS. Distributed control system ERP. Enterprise resource planning FR. Foundational requirement4 Industrial control system information security overview4.1 General The information security features of industrial control systems depend on various factors such as their design, management, robustness, and environmental conditions. The assessment of system information security shall include all activities related to the system during all phases of design, 4.2 Hazard introduction points Hazard introduction points are access points for industrial control systems and non-security equipment, systems, and networks. 4.3 Transmission routes Hazard source may cause harm to the recipient through the route of transmission. Usually, a single transmission route can be identified, but in most cases, a complete transmission route is a combination of several single types of transmission routes. Transmission routes are generally divided into the following categories, but are not limited to. 4.4 Hazard consequence recipient and its influence The hazard consequence recipient refers to the object which is compromised when it is destroyed, including the following three aspects. 4.5.2 Assessment of industrial control system capability (technique) The purpose of the system capability (technique) assessment is to ensure that the system is technically immune from attack. For a well-functioning system, it shall meet both operational and security requirements. 4.5.3 Links with other security measures In an industrial control system environment, the assessor shall fully understand the company's computer security policies, procedures, health, security, and environmental risks associated with specific facilities and/or industrial operations. Care shall be taken to ensure that the assessment does not interfere with the control functions provided by the industrial control system equipment and that the system may need to be taken offline before the assessment can be implemented.5 Organization management assessment5.1 Security policy 5.1.1 Information security policy Objectives. Provide management guidance and support information security based on business requirements and related laws and regulations. 5.2.1.2 Information security coordination Control measures. 5.2.1.3 Allocation of information security responsibility Control measures. All information security responsibilities shall be clearly defined. Assessment guide. 5.2.1.4 Information processing facility authorization process Control measures. A management authorization process shall be defined and implemented for new information processing facilities. Assessment guide. 5.2.1.5 Confidentiality agreement Control measures. The requirements for confidentiality or non-disclosure agreements that reflect the needs of the organization's information protection shall be identified and regularly reviewed. 5.2.2 External parties Objective. To maintain the security of information and information processing facilities where organizations are accessed, processed, managed by external parties or communicated with external parties. 5.2.2.2 Handling customer-related security issues Control measures. All defined security requirements shall be processed before allowing customers to access organizational information or assets. 5.3 Asset management 5.3.1 Be responsible for assets Objective. To achieve and maintain appropriate protection of the organization's assets.6 System capability (technology) assessment6.1 Description of fundamental requirements (FR), system requirements (SR), and system capability level (CL) 6.1.1 Description of fundamental requirements (FR) and system requirements (SR) 6.1.2 Description of system capability level (CL) 6.2 FR1.Identification and authentication control 6.2.1 SR1.1.Identification and certification of users (persons) The control system shall provide the ability to identify and authenticate all users (person). This capability shall be implemented on all access interfaces of the access control system, to support separation of duties and least privilege principles in accordance with corresponding security policies and procedures. Assessment objectives. 6.2.1.2 SR1.1 RE (2). Multi-factor authentication for untrusted networks When a person accesses (for example, remotely accesses) a control system through an untrusted network, the control system shall provide him with the ability to multi-factor authentication. 6.2.1.3 SR1.1 RE (3). Multifactor authentication for all networks The control system shall provide multi-factor authentication for all user (person) to access control systems. 6.2.4 SR1.4.Identifier management The control system shall provide the ability to manage identifiers (e.g. user ID) in accordance with user, group, role, and/or control system interfaces. Assessment objectives. 6.2.4.1 SR1.4 RE None. 6.2.5 SR1.5.Authentication code management The control system shall provide the following capabilities. 6.2.11 SR1.11.Failed login attempt The control system shall provide the ability to limit the number of consecutive invalid access attempts for any user (person, software process, and device) over a configurable period of time to a configurable number. The control system shall provide the ability to deny access within a specified time or until unlocked by the administrator if the number of unsuccessful attempts exceeds the upper limit within a configurable time period. 6.3.1.2 SR2.1 RE (2). Mapping permits to roles The control system shall provide the asset owner with the ability to modify the mapping of permissions to roles. 6.3.4 SR2.4.Mobile code The control system shall provide the ability to limit the use of mobile code technology based on the potential for mobile code to break the control system, including monitoring the use of mobile code.7 Assessment procedures7.1 Assessment work process For the specific object of the assessment, because of its size, nature, complexity, and other related factors, the following is a brief introduction of its main process, see Table 3. 7.2 Determination of assessment methods 7.2.1 General Choosing the right risk assessment method is very subjective. Many methods are available in the market. Some of them are free. 7.2.5 Qualitative and quantitative risk assessment Qualitative risk assessment relies on the opinions of experienced employees or experts, to provide information on the likelihood and severity of a particular risk affecting a particular asset. In addition, different levels of probability and severity are identified by general levels such as high, medium, and low, rather than specific possible outcomes and economic impacts. Quantitative risk assessment is more practical in the absence of reliable information, which is the overall assessment of the impact of a given risk on a specific asset or the impact of a specific asset damage.8 Risk assessment at various stages of the industrial control system life cycle8.1 Life cycle overview Risk assessment shall be conducted throughout the life cycle of the industrial control system. 8.2 Risk assessment at planning stage The purpose of the risk assessment at the planning stage is to identify the business strategy of the system, to support the information security requirements and security strategies of the industrial control system. The assessment of the planning stage shall be able to describe the role of the information system after it is completed for the existing business model, including system capabilities (technology), management, etc., and determine the security objectives that the system construction shall achieve based on its role. 8.5 Risk assessment at operation maintenance stage The purpose of risk assessment at the operation and maintenance stage is to understand and control the security risks in the process of operation, which is a relatively comprehensive risk assessment. The assessment includes all aspects of real-world industrial control systems, systems (assets), threats, and vulnerabilities. 8.6 Risk assessment at decommissioning stage When information security of industrial control systems cannot meet existing requirements, the information security system enters the decommissioning stage. In accordance with the decommissioning degree, it is further divided into two sub-stages. partial decommissioning stage and full decommissioning stage. The risk assessment at this stage focuses on the following aspects.9 Format requirements of assessment reportAt a minimum, the assessment report shall include the following. ......Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al. Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of English version of GB/T 30976.1-2014 be delivered?Answer: The full copy PDF of English version of GB/T 30976.1-2014 can be downloaded in 9 seconds, and it will also be emailed to you in 9 seconds (double mechanisms to ensure the delivery reliably), with PDF-invoice.Question 2: Can I share the purchased PDF of GB/T 30976.1-2014_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 30976.1-2014_English will be deemed to be sold to your employer/organization who actually paid for it, including your colleagues and your employer's intranet.Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. www.ChineseStandard.us -- GB/T 30976.1-2014 -- Click this link and select your country/currency to pay, the exact amount in your currency will be printed on the invoice. Full PDF will also be downloaded/emailed in 9 seconds.How to buy and download a true PDF of English version of GB/T 30976.1-2014?A step-by-step guide to download PDF of GB/T 30976.1-2014_EnglishStep 1: Visit website https://www.ChineseStandard.net (Pay in USD), or https://www.ChineseStandard.us (Pay in any currencies such as Euro, KRW, JPY, AUD).Step 2: Search keyword "GB/T 30976.1-2014". Step 3: Click "Add to Cart". If multiple PDFs are required, repeat steps 2 and 3 to add up to 12 PDFs to cart. Step 4: Select payment option (Via payment agents Stripe or PayPal). Step 5: Customize Tax Invoice -- Fill up your email etc. Step 6: Click "Checkout". Step 7: Make payment by credit card, PayPal, Google Pay etc. After the payment is completed and in 9 seconds, you will receive 2 emails attached with the purchased PDFs and PDF-invoice, respectively. Step 8: Optional -- Go to download PDF. Step 9: Optional -- Click Open/Download PDF to download PDFs and invoice. See screenshots for above steps: Steps 1~3 Steps 4~6 Step 7 Step 8 Step 9 |
