Home Cart Quotation Policy About-Us
www.ChineseStandard.net
SEARCH

GB/T 32919-2016 English PDF

Q: How long will the true-PDF of English version of GB/T 32919-2016 be delivered?

Upon your order, we will start to translate GB/T 32919-2016_English as soon as possible, and keep you informed of the progress. The lead time is typically 9 ~ 13 working days. The lengthier the document the longer the lead time.

Q: Can I share the purchased PDF of GB/T 32919-2016_English with my colleagues?

Yes. The purchased PDF of GB/T 32919-2016_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Q: Does the price include tax/VAT?

Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries). Avoidance of Double Taxation Agreements (DTAs) between Singapore and 100+ Countries: https://www.iras.gov.sg/taxes/international-tax

Q: Do you accept my currency other than USD?

Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

US$2259.00 · In stock
Delivery: <= 13 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 32919-2016: Information security technology -- Application guide to industrial control system security control
Status: Valid

Standard ID	USD	BUY PDF	Lead-Days	Standard Title (Description)	Status
GB/T 32919-2016	2259	Add to Cart	13 days	Information security technology -- Application guide to industrial control system security control	Valid

Similar standards

GB/T 32918.5 GB/T 32918.3 GB/T 32918.2 GB/T 32916 GB/T 32914

Basic data

Standard ID: GB/T 32919-2016 (GB/T32919-2016)
Description (Translated English): Information security technology -- Application guide to industrial control system security control
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 113,181
Date of Issue: 2016-08-29
Date of Implementation: 2017-03-01
Regulation (derived from): National Standard Announcement 2016 No.14
Issuing agency(ies): General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China, Standardization Administration of the People's Republic of China

GB/T 32919-2016: Information security technology -- Application guide to industrial control system security control

---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology - Application guide to industrial control system security control ICS 35.040 L80 National Standards of People's Republic of China Information Security Technology Industry Control System Security Control Application Guide 2016-08-29 released 2017-03-01 implementation General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China China National Standardization Management Committee released Directory Preface Ⅶ Introduction Ⅷ 1 Scope 1 2 normative reference document 1 3 Terms and definitions 1 4 acronym 2 5 Safety Control Overview 3 6 Safety control baselines and their designs 6 7 Safety Control Options and Statutes 7 7.1 Selection and Statute Overview 7 7.2 Safety Control Options 7 7.3 security control cut 8 7.3.1 Crop process 8 7.3.2 Guidance on scope definition 8 7.3.3 Safety Control Compensation 9 7.3.4 Assignment of safety control parameters 9 7.4 Safety Control Supplement 10 7.5 Establish safety control decision document 11 8 Security Control Selection Process Application 12 Appendix A (informative) Safety risks for industrial control systems 13 Comparison of Industrial Control Systems with Traditional Information Systems A.2 Information system security threats and protective measures Impact on industrial control systems 14 A.3 Threats to industrial control systems 15 A.4 Industrial Control System Vulnerability Analysis A.4.1 Overview of Vulnerability in Industrial Control Systems 16 A.4.2 Vulnerability of policies and procedures 16 A.4.3 Network Vulnerability 17 A.4.4 Platform Vulnerability Appendix B (informative) Safety control list for industrial control systems 22 B.1 Planning (PL) 22 B.1.1 SAFETY PLANNING STRATEGY AND PROCEDURE (PL-1) 22 B.1.2 System Security Planning (PL-2) 22 B.1.3 Code of Conduct (PL-3) 23 B.1.4 Information Security Architecture (PL-4) 23 B.1.5 Safety activities planning (PL-5) 24 B.2 Safety Assessment and Authorization (CA) 24 B.2.1 Security Assessment and Authorization Strategies and Procedures (CA-1) 24 B.2.2 Safety assessment (CA-2) 24 B.2.3 ICS Connection Management (CA-3) 26 B.2.4 Implementation Plan (CA-4) 26 B.2.5 Security Authorization (CA-5) 27 B.2.6 Continuous monitoring (CA-6) 27 B.2.7 Permeation Test (CA-7) 28 B.2.8 Internal connection (CA-8) 28 B.3 Risk Assessment (RA) 28 B.3.1 Risk assessment strategies and procedures (RA-1) 28 B.3.2 Safety Classification (RA-2) 29 B.3.3 Risk assessment (RA-3) 29 B.3.4 Vulnerability Scanning (RA-4) 29 B.4 System and Service Acquisition (SA) 30 B.4.1 System and Service Acquisition Policies and Procedures (SA-1) 30 B.4.2 Resource allocation (SA-2) 31 B.4.3 Survival cycle support (SA-3) 31 B.4.4 Service Acquisition (SA-4) 31 B.4.5 System documentation (SA-5) 32 B.4.6 Software Use Restriction (SA-6) 33 B.4.7 User Installation Software (SA-7) 33 B.4.8 Safety Engineering Principles (SA-8) 33 B.4.9 External System Services (SA-9) 34 B.4.10 Configuration Management for Developers (SA-10) 34 B.4.11 Developers' Safety Test (SA-11) 35 B.4.12 Supply Chain Protection (SA-12) 35 B.4.13 Trustworthiness (SA-13) 36 B.4.14 Key system components (SA-14) 36 B.5 Program Management (PM) 36 B.5.1 Program Management Plan (PM-1) 36 B.5.2 Information Security Executive (PM-2) 37 B.5.3 Information security resources (PM-3) 37 B.5.4 Action and Milestone Program (PM-4) 37 B.5.5 List of Safe Assets (PM-5) 37 B.5.6 Safety performance measures (PM-6) 37 B.5.7 Organizational Structure (PM-7) 37 B.5.8 Key Infrastructure Program (PM-8) 38 B.5.9 Risk Management Strategy (PM-9) 38 B.5.10 Security Authorization Process (PM-10) 38 B.5.11 Business Process Definition (PM-11) 39 B.6 Personnel Safety (PS) 39 B.6.1 Personnel safety policies and procedures (PS-1) 39 B.6.2 Job Classification (PS-2) 39 B.6.3 Personnel review (PS-3) 40 B.6.4 Person leaving (PS-4) 40 B.6.5 Personnel Transfer (PS-5) 40 B.6.6 Access Protocol (PS-6) 41 B.6.7 Third Party Personnel Safety (PS-7) 41 B.6.8 Personnel penalties (PS-8) 42 B.7 Physical and Environmental Safety (PE) 42 B.7.1 Physical and Environmental Security Policies and Procedures (PE-1) 42 B.7.2 Physical Access Authorization (PE-2) 42 B.7.3 Physical Access Control (PE-3) 42 B.7.4 Access control of the transmission medium (PE-4) 43 B.7.5 Access control of the output device (PE-5) 43 B.7.6 Physical Access Monitoring (PE-6) 43 B.7.7 Access Log (PE-7) 44 B.7.8 Electrical Equipment and Cables (PE-8) 44 B.7.9 Emergency Shutdown (PE-9) 44 B.7.10 Emergency Power Supply (PE-10) 45 B.7.11 Emergency lighting (PE-11) 45 B.7.12 Fire (PE-12) 45 B.7.13 Temperature and humidity control (PE-13) 45 B.7.14 Waterproof (PE-14) 46 B.7.15 Delivery and removal (PE-15) 46 B.7.16 Alternate Workplace (PE-16) 46 B.7.17 Lightning protection (PE-17) 46 B.7.18 Electromagnetic protection (PE-18) 46 B.7.19 Information Disclosure (PE-19) 47 B.7.20 Personnel and equipment tracking (PE-20) 47 B.8 Contingency Plan (CP) 47 B.8.1 Contingency planning strategies and procedures (CP-1) 47 B.8.2 Contingency Plan (CP-2) 47 B.8.3 Contingency Planning Training (CP-3) 48 B.8.4 Contingency plan testing and exercise (CP-4) 48 B.8.5 Standby storage device (CP-5) 49 B.8.6 Standby processing equipment (CP-6) 49 B.8.7 Communication Services (CP-7) 50 B.8.8 System Backup (CP-8) 50 B.8.9 System Recovery and Reconstruction (CP-9) 50 B.9 Configuration Management (CM) B.9.1 Configuration Management Policies and Procedures (CM-1) 51 B.9.2 Baseline configuration (CM-2) 51 B.9.3 Configuration Change (CM-3) 52 B.9.4 Safety Impact Analysis (CM-4) 53 B.9.5 Change Access Restrictions (CM-5) 53 B.9.6 Configuration Settings (CM-6) 54 B.9.7 Minimal function (CM-7) 54 B.9.8 List of System Components (CM-8) 55 B.9.9 Configuration Management Plan (CM-9) 55 B.10 Maintenance (MA) 56 B.10.1 Maintenance Strategy and Procedures (MA-1) 56 B.10.2 Controlled maintenance (MA-2) 56 B.10.3 Maintenance Tool (MA-3) 57 B.10.4 Remote Maintenance (MA-4) 57 B.10.5 Maintenance Personnel (MA-5) 58 B.10.6 Timely Maintenance (MA-6) 58 B.11 System and Information Integrity (SI) 58 B.11.1 System and Information Integrity Strategies and Procedures (SI-1) 58 B.11.2 Defect repair (SI-2) 59 B.11.3 Malicious Code Protection (SI-3) 59 B.11.4 System Monitoring (SI-4) 60 B.11.5 Safety alarm (SI-5) 61 B.11.6 Safety Function Verification (SI-6) 61 B.11.7 Software and Information Integrity (SI-7) 62 B.11.8 Input Verification (SI-8) 62 B.11.9 Error handling (SI-9) 62 B.11.10 Information processing and retention (SI-10) 63 B.11.11 Predictable failure prevention (SI-11) 63 B.11.12 Output information filtering (SI-12) 63 B.11.13 Memory Protection (SI-13) 64 B.11.14 Fail-safe procedures (SI-14) 64 B.11.15 Intrusion Detection and Protection (SI-15) 64 B.12 Media Protection (MP) 64 B.12.1 Media protection strategies and procedures (MP-1) 64 B.12.2 Media Access (MP-2) 65 B.12.3 Media Marking (MP-3) 65 B.12.4 Media Storage (MP-4) 65 B.12.5 Media Transfer (MP-5) 65 B.12.6 Media Destruction (MP-6) 66 B.12.7 Media Use (MP-7) 66 B.13 Event Response (IR) B.13.1 Incident Response Strategies and Procedures (IR-1) 67 B.13.2 Event Response Training (IR-2) 67 B.13.3 Event Response Test and Exercise (IR-3) 67 B.13.4 Event Handling (IR-4) 68 B.13.5 Event Monitoring (IR-5) 68 B.13.6 Incident Report (IR-6) 69 B.13.7 Event Response Support (IR-7) 69 B.13.8 Incident Response Program (IR-8) 69 B.14 Education and Training (AT) 70 B.14.1 Education and training strategies and procedures (AT-1) 70 B.14.2 Safety awareness training (AT-2) 70 B.14.3 Role-based security training (AT-3) 70 B.14.4 Safety Training Record (AT-4) 71 B.15 Identification and Identification (IA) 71 B.15.1 Identification and identification strategies and procedures (IA-1) 71 B.15.2 Identification and identification of users within the organization (IA-2) 71 B.15.3 Identification and Identification of Equipment (IA-3) 72 B.15.4 Identifier Management (IA-4) 73 B.15.5 Authentication Management (IA-5) 73 B.15.6 Identification feedback (IA-6) 74 B.15.7 Password Module Identification (IA-7) 74 B.15.8 Identification and identification of users outside the organization (IA-8) 75 B.16 Access Control (AC) 75 B.16.1 Access Control Policies and Procedures (AC-1) 75 B.16.2 Account Management (AC-2) 75 B.16.3 Mandatory Access Control (AC-3) 76 B.16.4 Information flow forced access control (AC-4) 77 B.16.5 Separation of duties (AC-5) 78 B.16.6 Minimum authority (AC-6) 78 B.16.7 Failure Login Control (AC-7) 79 B.16.8 System Usage Tips (AC-8) 80 B.16.9 Previous Access Tips (AC-9) 80 B.16.10 Concurrent Session Control (AC-10) 80 B.16.11 Session Lock (AC-11) 80 B.16.12 Session Termination (AC-12) 81 B.16.13 Permission not identified for identification (AC-13) 81 B.16.14 Remote Access (AC-14) 82 B.16.15 Wireless Access (AC-15) 83 B.16.16 Access Control for Mobile Devices (AC-16) 83 B.16.17 Use of external systems (AC-17) 84 Information sharing (AC-18) 84.1 B.17 Audit and Accountability (AU) 85 B.17.1 Audit and Accountability Strategies and Procedures (AU-1) 85 B.17.2 Audit Event (AU-2) 85 B.17.3 Contents of audit records (AU-3) 85 B.17.4 Audit Storage Capacity (AU-4) 86 B.17.5 Audit Failure Response (AU-5) 86 B.17.6 Monitoring, analysis and reporting of audit information (AU-6) 87 B.17.7 Audit Simplification and Report Generation (AU-7) 87 B.17.8 Timestamp (AU-8) 87 B.17.9 Audit Information Protection (AU-9) 87 B.17.10 Anti-Rejection (AU-10) 88 B.17.11 Audit Information Retention (AU-11) 88 B.17.12 Audit Generation (AU-12) 88 B.18 System and Communication Protection (SC) 89 B.18.1 System and Communication Protection Policies and Procedures (SC-1) 89 B.18.2 Application Partition (SC-2) 89 B.18.3 Safety Function Isolation (SC-3) 90 B.18.4 Information in Shared Resources (SC-4) 90 B.18.5 Denial of Service Protection (SC-5) 90 B.18.6 Resource Priority (SC-6) 91 B.18.7 Boundary Protection (SC-7) 91 B.18.8 Transmission integrity (SC-8) 93 B.18.9 Transmission Confidentiality (SC-9) 93 B.18.10 Network interruption (SC-10) 94 B.18.11 Key Establishment and Management (SC-11) 94 B.18.12 Use of cryptographic techniques (SC-12) 94 B.18.13 Public Access Protection (SC-13) 95 B.18.14 Transmission of security attributes (SC-14) 95 B.18.15 Certificate Management (SC-15) 95 B.18.16 Mobile code (SC-16) 95 B.18.17 Session Authentication (SC-17) 96 B.18.18 Failure in known state (SC-18) 96 B.18.19 Remaining Information Protection (SC-19) 97 B.18.20 Execution program isolation (SC-20) 97 Appendix C (normative) Safety control baselines for industrial control systems Reference 105

Foreword

This standard is drafted in accordance with the rules given in GB/T 1.1-2009. This standard is proposed by the National Information Security Standardization Technical Committee (SAC/TC260). The drafting unit of this standard. National Information Technology Security Research Center, China Electronic Technology Standardization Research Institute, China Electricity Regulatory Commission Information Center, China Electric Power Research Institute, Wuxi City with Granville Technology Co., Ltd., Shenzhen 赛 West Information Technology Co., Ltd. The main drafters of this standard. Li Jingchun, Fan Kefeng, Li Bing, Wang Yongzhong, Gong Yafeng, Liu Xiangang, Fang Jinxuan, Yao Xiangzhen, Zhou Ruikang, Tang Youhong, Xu Jinwei, Wei Fangfang, Wang Hong, Ge Peiqin, Liu Hongyun, Hu Hongsheng, Wen Hongzi, Gao Kunlun, Zhao Ting, Chen Xuehong, Zhanxiong, Liang Xiao, Song Bin, Pang Ning, Peng Hengbin.

Introduction

Industrial control systems (ICS) [including monitoring and data acquisition systems (SCADA), distributed control systems (DCS), programmable logic control (PLC) and other products] in nuclear facilities, aerospace, advanced manufacturing, petroleum and petrochemical, oil and gas pipeline network, power systems, transportation, water conservancy New Zealand, urban facilities and other important areas have been widely used. With the development of information technology, especially the deep integration of information technology and industrialization and the rapid development of Internet of Things, industrial control system products More and more common use of common protocols, common hardware and common software, in various ways and the Internet and other public network connection, the traditional information system The threat of viruses, Trojans, etc. is spreading to the field of industrial control systems, and the information security of industrial control systems is increasing. prominent. Industrial control system safety control application guide is for the industry to use the industrial control system given the safety control application of the basic side Method is to guide the selection, tailoring, compensation and supplementation of industrial control systems for safety control, forming a safety control baseline for the organization's needs to meet Organization of industrial control system security needs, to achieve the industrial control system for appropriate and effective risk control management. This standard applies to industrial control system owners, users, design implementers and information security management, industrial control systems Information security design, implementation, rectification work to provide guidance, but also for industrial control system information security operation, risk assessment and security inspection work to mention for reference. Information Security Technology Industry Control System Security Control Application Guide

1 Scope

This standard provides a list of safety controls available for industrial control systems that govern the safety control selection process of industrial control systems to It constructs the safety program of the industrial control system - a conceptual level of security solution. This standard applies to. a) Facilitate the safety function requirements of the industrial control system for safety design (including safety architecture design) and safety Have a strong foundation. b) to guide the adjustment and enhancement of safety capability in the safety and rectification of industrial control systems so that the industrial control system can be kept Full nature. This standard is applicable to the organization responsible for the construction of industrial control systems, responsible for the implementation of information security workers and other Engaged in information security work related personnel.

2 normative reference documents

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this article Pieces. For undated references, the latest edition (including all modifications) applies to this document. Information security - Technical information systems - Safety - rating - Guidelines for the protection of GB/T 22240-2008 Information security technical terminology GB/T 25069-2010

3 terms and definitions

GB/T 25069-2010 Definitions and the following terms and definitions apply to this document. 3.1 Industrial control system The Industrial Control System (ICS) is a generic term that includes a variety of control systems used in industrial production, including monitoring and data mining (SCADA), distributed control system (DCS) and other smaller control systems, such as programmable logic controller (PLC), is now wide Widely used in industrial and critical infrastructures. 3.2 Monitoring and data acquisition system supervisorycontrolanddataacquisitionsystem; SCADA In the process of industrial production control, large-scale long-distance geographical distribution of assets and equipment in the wide area network environment for centralized data Acquisition and monitoring management of the control system. It is based on the computer, the remote distribution of equipment to monitor the operation, its main features include Data acquisition, parameter measurement and regulation, signal alarm and so on. The SCADA system is typically a master terminal control unit located in the control center (MTU), communication lines and equipment, remote terminal unit (RTU) and other components. 3.3 Distributed control system distributioncontrolsystem; DCS Based on the computer, within the system (within the organization) on the production process of distributed control, centralized management system. DCS system Generally including the site control level, control and management level two levels, the site control level is mainly a single sub-process control, control management level master ......

Image

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 32919-2016_English be delivered?

Answer: Upon your order, we will start to translate GB/T 32919-2016_English as soon as possible, and keep you informed of the progress. The lead time is typically 9 ~ 13 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 32919-2016_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 32919-2016_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.