GB/T 36323-2018 (English)
GB/T 36323-2018: Information security technology -- Security management fundamental requirements for industrial control systems
Status: Valid
Basic data
Standard ID: GB/T 36323-2018 (GB/T36323-2018)
Description (Translated English): Information security technology -- Security management fundamental requirements for industrial control systems
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 50,580
Date of Issue: 2018-06-07
Date of Implementation: 2019-01-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology -- Security management fundamental requirements for industrial control systems
Issued 2018-06-07, implemented 2019-01-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 ICS security management basic framework and key activities
5.1 ICS security management basic framework
5.2 Top-level commitment
5.3 Planning assessment
5.4 Resource support
5.5 Strategy implementation
5.6 Performance evaluation
5.7 Continuous improvement
6 ICS security management basic control measures
6.1 Classification of security control measures
6.2 Security Assessment and Authorization (CA)
6.3 System and Service Acquisition (SA)
6.4 Personnel Security (PS)
6.5 Planning (PL)
6.6 Risk Assessment (RA)
6.7 Contingency Planning (CP)
6.8 Physical and Environmental Protection (PE)
6.9 Configuration Management (CM)
6.10 System and Information Integrity (SI)
6.11 Media Protection (MP)
6.12 Incident Response (IR)
6.13 Awareness and Training (AT)
6.14 Access Control (AC)
6.15 Maintenance (MA)
6.16 Audit and Accountability (AU)
6.17 Identification and Authentication (IA)
Appendix A (informative) Correspondence table of basic ICS security management requirements at different security levels
References

Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.
This standard was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: China Electronics Technology Standardization Research Institute, National Information Technology Security Research Center, the Third Institute of the Ministry of Public Security, East China Normal University, China Electronics Technology Group Corporation 30th Institute, China Information Security Research Institute Co., Ltd., Shanghai Sanzhi Guardian Information Security Co., Ltd., Beijing Shenzhou Lvmeng Information Security Technology Co., Ltd., Venus Star Information Technology Co., Ltd., Fujian and Taiwan Technology (Beijing) Co., Ltd., Zhejiang Zheneng Taizhou Second Power Generation Co., Ltd., Beijing University of Technology, State Grid Zhejiang Electric Power Company Institute, Huaneng Power International Co., Ltd. Changxing Power Plant, Guilin University of Electronic Science and Technology, Xi'an University of Electronic Science and Technology, Zhejiang University, Shenyang Institute of Automation of the Chinese Academy of Sciences, Hollysys Group, Global Energy Internet Research Institute, Shenji (Shanghai) Intelligent System Research and Development Design Company, Shenzhen Saixi Information Technology Co., Ltd., Guangzhou CNC Equipment Co., Ltd., Beijing Jiangnan Tianan Technology Co., Ltd., Zhongjing Tianyu Branch Technology (Beijing) Co., Ltd., Beijing Yuen Network Technology Co., Ltd.
Main drafters of this standard: Fan Kefeng, Liu Xiangang, Li Lin, Yao Xiangzhen, Zhou Ruikang, Li Bing, Gu Jian, Shangguan Xiaoli, Xu Dongyang, Gong Jiezhong, Wang Huili, Liu Hongyun, He Daojing, Gong Lianghua, Shang Wenli, Yang Chen, Cai Lei, Yan Dakui, Liu Shuo, Zhang Jianjun, Wang Xiaopeng, Xu Kechao, Zhou Shenxue, Yin Feng, Chen Shengjun, Yan Wei, Yang Zhen, Gao Kunlun, Lai Yingxu, Shen Yulong, Zhao Qingyi, Xu Chuanpei, Chen Guanzhi, Liang Shu, Wang Yong, Huang Yunying, Yang Tangyong, Yu Pei.

Introduction
With the development of computer and network technology, in particular the deep integration of informatization and industrialization and the rapid development of the Internet of Things, industrial control systems, including distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs), are widely used in nuclear facilities, aerospace, advanced manufacturing, petroleum and petrochemicals, oil and gas pipeline networks, power systems, transportation, water conservancy hubs, urban facilities and other important areas of the country. The move of industrial control systems (ICS) from stand-alone to interconnected, from closed to open, and from automated to intelligent is accelerating, making the information security of industrial control systems an increasingly prominent concern: once an industrial control system is attacked, it will seriously threaten people's lives and property and the stability of state power. In this regard, the National Information Security Standardization Technical Committee (SAC/TC260) has established a number of standards on industrial control system information security classification, management requirements, control application guidelines and related subjects.
This standard addresses the common characteristics of industrial control system security management activities across industries. It proposes a basic framework for industrial control system security management, sets out normative requirements for industrial control system security management activities in terms of leadership, planning, support, operation, performance evaluation and continuous improvement, gives the basic security management control measures needed to realize the basic framework, and provides a table mapping industrial control systems at each security level to the basic security management control measures, so that an organization's security management requirements for industrial control systems at each level can be met and effective security management control of industrial control systems is given a reference.

1 Scope
This standard specifies the basic framework for the security management of industrial control systems and the key activities contained in that framework, and proposes the basic security management control measures for industrial control systems needed to realize the framework. On this basis, a correspondence table of basic security management control measures for industrial control systems at each security level is given (see Appendix A), which states the basic security management control requirements for industrial control systems at each security level.
This standard applies to the planning and implementation of security management for the construction, operation, use and management of industrial control systems that do not involve state secrets. It can also be used as a reference for the security assessment and security inspection of industrial control systems.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010 Information security technology -- Terminology
GB/T 22080-2016 Information technology -- Security techniques -- Information security management systems -- Requirements
GB/T 22081-2016 Information technology -- Security techniques -- Code of practice for information security controls
GB/T 32919-2016 Information security technology -- Application guide for industrial control system security controls

3 Terms and definitions
The terms and definitions given in GB/T 22080-2016, GB/T 22081-2016 and GB/T 25069-2010 and the following apply to this document.
3.1 industrial control system; ICS
Control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems such as programmable logic controllers (PLCs).
3.2 distributed control system; DCS
A computer-based system for the distributed control and centralized management of the production processes within a system (or unit).
Note: A DCS generally has two levels: the field control level and the control management level. The field control level mainly controls individual sub-processes; the control management level mainly performs data collection, centralized display, and unified scheduling and management of multiple distributed sub-processes.
3.3 supervisory control and data acquisition system; SCADA
In industrial production control, a system for the centralized data acquisition and control management of large-scale, geographically distributed assets and equipment over a wide-area network environment.
Note: It is computer-based and monitors and dispatches remotely distributed running equipment. Its main functions include data acquisition, parameter measurement and adjustment, and signal alarming. A SCADA system generally consists of a master terminal unit (MTU) located in the control center, communication lines and equipment, and remote terminal units (RTUs).
3.4 programmable logic controller; PLC
An electronic device that uses programmable memory to control industrial production equipment through digital operations.
Note: A PLC mainly executes instructions for calculation, sequence control, timing and the like in order to control the operation of industrial production equipment. It is the basic unit of an industrial control system.
3.5 security control baseline
The starting point and selection base point of the security control selection process.
Note: A security control baseline is the minimum security basis developed to help an organization select the most cost-effective and appropriate set of security controls to meet its security requirements.

4 Abbreviations
The following abbreviations apply to this document.
AC: Access Control
AT: Awareness and Training
AU: Audit and Accountability
CA: Security Assessment and Authorization
CM: Configuration Management
CP: Contingency Planning
DCS: Distributed Control System
IA: Identification and Authentication
ICS: Industrial Control System
IR: Incident Response
MA: Maintenance
MP: Media Protection
PE: Physical and Environmental Protection
PL: Planning
PLC: Programmable Logic Controller
PS: Personnel Security
RA: Risk Assessment
SA: System and Services Acquisition
SCADA: Supervisory Control and Data Acquisition
SI: System and Information Integrity

5 ICS security management basic framework and key activities
5.1 ICS security management basic framework
There are many important differences between industrial control systems (ICS) and traditional information technology (IT) systems, which dictate that the characteristics of the ICS itself must be considered when planning and managing the ICS information security process. With reference to traditional information security management systems and combined with the characteristics of ICS, security requirements are integrated into the ICS to form the basic framework of ICS security management (shown in Figure 1). On the basis of determining the specific intent of ICS security management, understanding the relevant requirements and clarifying the scope of the ICS, the framework divides ICS security management activities into six aspects: top-level commitment, planning assessment, resource support, strategy implementation, performance evaluation and continuous improvement.
Among these, top-level commitment requires the organization to obtain management's commitment, determine the ICS security management policy, and clearly define the roles and responsibilities of all relevant members in ICS management activities. In planning assessment, the organization should determine the general rules, conduct ICS security risk assessment and treatment, and clarify objectives and implementation planning. In resource support, the organization should guarantee the resources needed for ICS security, provide competence and awareness training, identify communication mechanisms and establish a documentation system. In strategy implementation, the organization should plan, implement and control the specific processes that meet the requirements of ICS security management activities, and regularly carry out ICS security risk assessment and treatment. In performance evaluation, the organization monitors, measures, analyzes and evaluates the ICS and regularly conducts internal audits and management reviews. In continuous improvement, the organization continuously monitors ICS security and, when an ICS security anomaly occurs, takes corrective action and improves continually.

Figure 1 ICS security management basic framework (figure not reproduced here)

In order to realize the security functions of each stage of the basic framework of ICS security management, Chapter 6 of this standard gives the basic control measures required at each stage of the framework, and Appendix A gives the security management requirements for industrial control systems at different security levels. These should be used to guide the organization in selecting basic security management control measures according to the security level of its industrial control system, and in tailoring and choosing the selected basic control measures in accordance with the industrial control system security control application guide, security classification and other related standards.

5.2 Top-level commitment
5.2.1 Management commitment
The organization shall make a commitment to ICS security in accordance with 5.1 of GB/T 22080-2016.
5.2.2 Policy
The organization shall establish a policy applicable to ICS security in accordance with 5.2 of GB/T 22080-2016. In addition, a corresponding ICS security policy shall be formulated that is consistent with the organization's overall information security policy and forms an integral part of it.
5.2.3 Establishing an ICS security joint management team
To ensure the implementation of ICS security, the organization should:
a) establish a cross-departmental, cross-functional ICS security joint management team;
b) ensure the management team includes at least IT personnel, control engineers, control system operators, network and information system security experts, representatives of management, and representatives of the physical security department;
c) have top management ensure that the team has the authority and responsibility for ICS security management activities and provides the corresponding commitment.
5.2.4 Roles, responsibilities and authorities within the organization
Top management should ensure that the responsibilities and authorities for roles related to ICS information security are assigned and communicated. Top management should assign responsibility and authority for:
a) ensuring that the basic framework of ICS security management meets the requirements of this standard;
b) reporting the performance of the basic framework of ICS security management to top management;
c) accepting regular reports from the joint management team.

5.3 Planning assessment
5.3.1 Measures to address risks and opportunities
5.3.1.1 General
The organization shall establish general rules for the ICS in accordance with 6.1.1 of GB/T 22080-2016, and the general rules shall also include the expectations for secure ICS operation and maintenance.
5.3.1.2 ICS information security risk assessment
The organization shall define and apply the risk assessment process for the ICS in accordance with 6.1.2 of GB/T 22080-2016, and shall also fully demonstrate the consequences of the risk assessment process for the availability and stability of the ICS, so as to ensure the proper conduct of industrial production activities.
5.3.1.3 ICS information security risk treatment
The organization shall define and apply the ICS information security risk treatment process in accordance with 6.1.3 of GB/T 22080-2016.
5.3.2 ICS information security objectives and implementation planning
The organization shall establish objectives for ICS information security and plans for achieving them in accordance with 6.2 of GB/T 22080-2016.

5.4 Resource support
5.4.1 Resources
The organization shall identify and provide the resources needed to establish, implement, maintain and continually improve the ICS information security management system.
5.4.2 Competence
See 7.2 of GB/T 22080-2016.
5.4.3 Awareness
Education and training should be carried out regularly, and personnel working under the control of the organization should be made aware of:
a) the ICS information security policy;
b) their contribution to the effectiveness of the basic framework of ICS security management, including the benefits of improved ICS information security performance;
c) the implications of not conforming to the requirements of the basic framework of ICS security management.
5.4.4 Communication
See 7.4 of GB/T 22080-2016.

5.5 Strategy implementation
5.5.1 Operational planning and control
The organization shall carry out operational planning and control for ICS information security in accordance with 8.1 of GB/T 22080-2016, and shall also:
a) before implementing security control measures on the ICS, assess in detail the hazards that the security controls may pose to the ICS;
b) obtain authorization for the security control measures before implementing them.
5.5.2 ICS information security risk assessment
The organization shall conduct risk assessment for ICS information security in accordance with 8.1 of GB/T 22080-2016. During the risk assessment process, the differences between ICS and traditional information systems shall be fully considered in accordance with Appendix A of GB/T 32919-2016.
5.5.3 ICS information security risk treatment
See 8.3 of GB/T 22080-2016 and carry out risk treatment according to the characteristics of the ICS.

5.6 Performance evaluation
5.6.1 Monitoring, measurement, analysis and evaluation
See 9.1 of GB/T 22080-2016. The organization should also continuously monitor the implemented security control measures, identify security violations, and detect the occurrence of security anomalies in the ICS.
5.6.2 Internal audit
See 9.2 of GB/T 22080-2016 and carry out internal audits according to the characteristics of the ICS.
5.6.3 Management review
See 9.3 of GB/T 22080-2016 and carry out management reviews according to the characteristics of the ICS.

5.7 Continuous improvement
5.7.1 Nonconformity and corrective action
See 10.1 of GB/T 22080-2016 and take corrective actions based on the charact......