GB/T 37953-2019: Information security technology - Security requirements and evaluation approaches for industrial control network monitor
Status: Valid
Basic data
Standard ID: GB/T 37953-2019 (GB/T37953-2019)
Description (translated English): Information security technology - Security requirements and evaluation approaches for industrial control network monitor
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard (ICS): 35.040
Word count estimation: 42,478
Date of issue: 2019-08-30
Date of implementation: 2020-03-01
Issuing agencies: State Administration for Market Regulation; China National Standardization Administration

National Standard of the People's Republic of China
ICS 35.040 L80
Information security technology - Security technical requirements and evaluation methods for industrial control network monitoring
Issued 2019-08-30, implemented 2020-03-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Product description
6 Security technical requirements
6.1 Security function requirements
6.2 Security assurance requirements
7 Evaluation methods
7.1 Security function evaluation methods
7.2 Security assurance evaluation methods
Appendix A (normative): Classification of industrial control network monitoring security technical requirements and their requirement items
Appendix B (normative): Classification of industrial control network monitoring evaluation methods and their evaluation items
Appendix C (normative): Industrial environment application requirements
References

Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: China Electronics Standardization Institute, Shenyang Institute of Automation of the Chinese Academy of Sciences, Shenzhen Saixi Information Technology Co., Ltd., Beijing University of Technology, the Third Research Institute of the Ministry of Public Security, Zhejiang Zheneng Taizhou Second Power Generation Co., Ltd., China Information Security Evaluation Center, Shanghai Sanling Information Security Co., Ltd., Shanghai Jiaotong University, National Information Technology Security Research Center, Hollysys Group, Beijing Venus Star Information Security Technology Co., Ltd., Fengtai Technology (Beijing) Co., Ltd., State Grid Zhejiang Electric Power Co., Ltd. Electric Power Research Institute, Huada Semiconductor Co., Ltd., China Power Engineering Consulting Group Southwest Electric Power Design Institute Co., Ltd., China Ping An Insurance (Group) Co., Ltd., Beijing Kuangen Network Technology Co., Ltd.
Main drafters of this standard: Fan Kefeng, Zhou Ruikang, Yao Xiangzhen, Li Lin, Liu Xiangang, Gong Jiezhong, Zhang Dajiang, Shang Wenli, Lai Yingxu, Gu Jian, Lu Zhen, Zou Chunming, Xia Kechao, Zhu Qingguo, Xie Feng, Di Liqing, Dai Zhonghua, Zhao Jianming, Wu Dakui, Gu Dawu, Xia Zhengmin, Li Bing, Wang Tao, Meng Yahui, Gong Lianghua, Wei Qinzhi, Luo Zhihao, Lan Tian, Zhang Jinbin, Yu Jingtao, Bi Siwen.

Introduction
With the deep integration of industrialization and informatization, security threats originating from information networks increasingly pose serious security threats to industrial control systems. General-purpose network monitoring products cannot cope with the security protection needs of industrial control systems, so network monitoring products applicable to industrial control environments are needed to protect them. The main differences between network monitoring products used in industrial control environments and general-purpose network monitoring products are:
--- General-purpose network monitoring products mainly analyze and respond to common Internet protocols. Network monitoring products used in industrial control environments, in addition to analyzing some common Internet protocols, also have in-depth analysis capabilities for industrial control protocols, and do not analyze common protocols that are not used in industrial control systems.
--- Network monitoring products used in industrial control environments may have components that need to be deployed in industrial field environments, so they have higher environmental adaptability than general-purpose network monitoring products.
--- Network monitoring products used in industrial control environments have higher availability, reliability and stability than general-purpose network monitoring products.
Information security technology - Security technical requirements and evaluation methods for industrial control network monitoring

1 Scope
This standard specifies the security technical requirements and test evaluation methods for industrial control network monitoring products.
This standard applies to the design, development and evaluation of industrial control network monitoring products by their designers and manufacturers, and can also provide guidance to the design, construction and operation and maintenance parties of industrial control systems for the security protection of those systems.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 2423.5-1995 Environmental testing of electrical and electronic products - Part 2: Test methods - Test Ea and guideline: Impact
GB/T 2423.8-1995 Environmental testing of electrical and electronic products - Part 2: Test methods - Test Ed: Free fall
GB/T 2423.10-2008 Environmental testing of electrical and electronic products - Part 2: Test methods - Test Fc: Vibration (sinusoidal)
GB/T 4208-2017 Enclosure protection grade (IP code)
GB/T 17214.4-2005 Working conditions of industrial process measurement and control devices - Part 4: Corrosion and erosion effects
GB/T 18336.1-2015 Information technology - Security techniques - Evaluation criteria for information technology security - Part 1: Introduction and general model
GB/T 22239-2019 Information security technology - Basic requirements for network security classified protection
GB/T 25069-2010 Information security technology - Terminology
GB/T 32919-2016 Information security technology - Application guide to industrial control system security controls

3 Terms and definitions
The terms and definitions given in GB/T 25069-2010, GB/T 32919-2016 and GB/T 18336.1-2015, together with the following, apply to this document.
3.1 Industrial control system: the various control systems used in industrial production.
Note: This includes supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems such as programmable logic controllers (PLC), which are widely used in industrial sectors and critical infrastructure.
3.2 Industrial control network monitoring: technology deployed in an industrial control network to realize security event monitoring, auditing and management of network behavior in that network.
Note 1: It is used to monitor and analyze data messages in the industrial control network in order to find violations of security policy, abnormal operations, traces of attacks on industrial control equipment, or signs that industrial production has been affected.
Note 2: "Industrial control network monitoring" in this standard refers to "industrial control network monitoring products", i.e. the equipment products deployed in industrial control networks to realize the monitoring function of the industrial control network.

4 Abbreviations
The following abbreviations apply to this document.

5 Product description
Industrial control network monitoring products are used in industrial control environments. By monitoring data messages in the industrial control network, they acquire data packets in real time, analyze them in depth, monitor intrusion and abnormal behavior in the industrial control network, and issue timely warnings. Such equipment needs to meet specific industrial environment and security function requirements, and can protect the boundary of the industrial control network or the boundaries between different control areas within it, detect illegal intrusion activity, and give real-time alarms and responses based on the monitoring results, so as to actively detect intrusions and ensure network security. The equipment product can be implemented in the form of hardware or software.
According to the strength of the security function requirements for industrial control network monitoring products, this standard divides them into a basic level and an enhanced level; the strength of the security functions and the level of the security assurance requirements are the specific basis for this classification. Basic-level security function requirements correspond to the GB/T 22239-2019 level 2 security protection capability, and enhanced-level security function requirements correspond to the GB/T 22239-2019 level 3 security protection capability. The new requirements in the enhanced level are marked in bold.
For the classification of industrial control network monitoring security technical requirements and their requirement items, see Appendix A; for the classification of evaluation methods and their evaluation items, see Appendix B; for industrial environment application requirements, see Appendix C.

6 Security technical requirements
6.1 Security function requirements
6.1.1 Functional requirements
6.1.1.1 Security event monitoring
6.1.1.1.1 Traffic monitoring
The product should have a traffic monitoring function and specifically meet the following requirements:
a) It should be able to monitor the traffic data packets in the network and obtain them in real time for detection and analysis, without affecting the normal operation of the industrial control equipment.
b) It should be able to monitor the traffic data packets of a designated protocol or IP address without affecting the normal operation of the industrial control equipment.
6.1.1.1.2 Industrial control protocol analysis
For the data packets obtained in the industrial control network, the product should be able to analyze the industrial control protocol messages they carry, meeting one of the following requirements:
a) analyze the following (but not limited to) general protocols: Modbus/TCP, OPC Classic, DNP3.0, IEC 60870-5-104, Siemens S7Comm, PROFINET, EtherNet/IP;
b) analyze an industry-specific protocol, for example IEC 61850 MMS, IEC 61850 GOOSE, IEC 61850 SV, rail transit industry-specific protocols, etc.
6.1.1.1.3 Internet protocol analysis
For the Internet protocol traffic obtained in the industrial control network, the product should be able to analyze the data packets it carries, covering the following (but not limited to) Internet protocol messages:
a) HTTP;
b) FTP;
c) TELNET;
d) SNMP.
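As an added illustration of the protocol analysis that 6.1.1.1.2 requires (example code written for this page, not part of GB/T 37953-2019 or of any product): a minimal passive Modbus/TCP decoder that validates the MBAP header, extracts the function code and marks state-changing (write) requests, run on constructed sample frames. Field layout and function-code names are taken from the public Modbus application protocol specification; everything else here is an assumption of the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MODBUS_PROTOCOL_ID = 0  # the MBAP protocol identifier is always 0 for Modbus
MAX_PDU_LEN = 253       # maximum PDU size in the Modbus application protocol

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil",
    6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
# Codes that change process state; a monitor checks these against its policy.
WRITE_CODES = {5, 6, 15, 16}

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int      # raw code, including the exception bit if set
    is_exception: bool
    is_write: bool
    data: bytes             # PDU payload after the function code

    @property
    def function_name(self) -> str:
        base = self.function_code & 0x7F
        return FUNCTION_NAMES.get(base, f"Unknown(0x{base:02x})")

def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Decode one Modbus/TCP ADU passively. Returns None for any malformed
    frame so the caller can count it as a protocol anomaly rather than crash."""
    if len(payload) < MBAP_LEN + 1:
        return None                     # need the header plus a function code
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        return None                     # not Modbus on this port
    # The length field counts the unit id plus the PDU, so the whole ADU must
    # be exactly 6 + length bytes and the PDU must not exceed MAX_PDU_LEN.
    if length < 2 or length - 1 > MAX_PDU_LEN or len(payload) != 6 + length:
        return None
    fc = payload[MBAP_LEN]
    exception = bool(fc & 0x80)
    return ModbusFrame(
        transaction_id=tid, unit_id=uid, function_code=fc,
        is_exception=exception,
        is_write=(not exception) and (fc & 0x7F) in WRITE_CODES,
        data=payload[MBAP_LEN + 1:],
    )

# Constructed sample frames (not captured from any real system).
READ_REQ = bytes.fromhex("0001 0000 0006 01 03 0000 0002")   # read 2 holding registers at 0
WRITE_REQ = bytes.fromhex("0002 0000 0006 01 06 0010 0001")  # write register 0x0010 := 1
EXC_RESP = bytes.fromhex("0002 0000 0003 01 86 02")          # exception 02 (illegal data address)
BAD_LEN = bytes.fromhex("0003 0000 00ff 01 03")              # length field does not match

if __name__ == "__main__":
    for label, raw in (("read", READ_REQ), ("write", WRITE_REQ),
                       ("exception", EXC_RESP), ("malformed", BAD_LEN)):
        print(label, parse_modbus_tcp(raw))
```

A real monitoring product would hand the decoded frame to its policy and signature logic (6.1.1.2, 6.1.1.3) and count the None results as protocol anomalies.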
6.1.1.1.4 Attack behavior monitoring
The product should be able, through analysis, comparison and other methods, to discover attacks including but not limited to the following:
a) industrial control protocol vulnerability attacks;
b) industrial control application vulnerability attacks;
c) operating system vulnerability attacks;
d) industrial control equipment vulnerability attacks;
e) it should be able to monitor the occurrence of attacks such as worms and Trojan horses in the network without affecting the normal operation of the industrial control equipment.
Note: For security vulnerabilities and attacks, refer to the information released by the National Information Security Vulnerability Sharing Platform.
6.1.1.2 Security event response
6.1.1.2.1 Event alarm
For attack behavior or abnormal behavior, the product should classify the event according to its severity and convey the alarm message in an intuitive and effective way, such as a real-time on-screen prompt.
6.1.1.2.2 Alarm filtering
The product should allow administrators to define security policies so that no alarm is raised for specified events in the industrial control network.
6.1.1.2.3 Event merging
The product should merge the alarms for the same security event when it occurs frequently, to avoid alarm storms.
6.1.1.2.4 Custom response
The product should allow administrators to define security policies and customize the response method for events in the industrial control network.
6.1.1.3 Security configuration management
6.1.1.3.1 Security policy configuration
The product should provide a security policy configuration function.
6.1.1.3.2 Industrial control vulnerability knowledge base
The product should have a built-in industrial control vulnerability knowledge base, whose content should include industrial control protocol vulnerabilities, industrial control application vulnerabilities, operating system vulnerabilities and industrial control equipment vulnerabilities, with detailed vulnerability repair schemes and possible countermeasures.
6.1.1.3.3 Industrial control detection signature library
The product should have a built-in industrial control detection signature library, with detailed repair schemes and possible countermeasures.
6.1.1.3.4 Industrial control protocol port settings
In addition to supporting industrial control protocol analysis on the default ports, the product should support resetting the protocol ports of existing and extended industrial control protocols.
6.1.1.3.5 Custom attack events
The product should allow administrators to customize attack events; the customized content should include the attack target, attack characteristics and event level.
6.1.1.3.6 Industrial control protocol extension
In addition to supporting the default industrial control protocols, the product should support the addition of new industrial control protocols.
6.1.1.4 Product function management
6.1.1.4.1 Interface management
The product should provide a friendly administrator interface for management and configuration. The management configuration interface should contain all the functions needed to configure and manage the product.
6.1.1.4.2 Hardware management
6.1.1.4.2.1 Distributed deployment and centralized management
The product should be capable of distributed deployment. The product should be provided with a centralized management platform for unified management of different types of monitoring equipment in the same series.
6.1.1.4.2.2 Port separation
The monitoring equipment should be equipped with separate physical ports for configuration management and for network data monitoring.
6.1.1.4.2.3 Product self-check
When the product starts and during normal operation, it should have a self-check mechanism for its running status, including monitoring of hardware working status and component connection status, to verify whether the product itself is normal.
6.1.1.4.2.4 Clock synchronization
The product should provide clock synchronization with an external clock server.
6.1.1.4.2.5 Clock setting
The product should provide manual clock setting so that the correct time can be set when there is no external clock server.
6.1.1.4.2.6 Power redundancy
The product should provide power supply redundancy.
6.1.1.4.2.7 Physical pass-through on power failure
When deployed in-line, the product should automatically establish physical pass-through (conduction) between each pair of input and output communication ports in the event of a sudden power failure.
6.1.1.4.2.8 Hardware fault handling
The product should be able to monitor whether its own hardware is working properly and promptly alert the administrator when a fault occurs.
6.1.1.4.3 Configuration information recovery
After the monitoring equipment is replaced, the product should be able to restore its configuration information locally or remotely.
6.1.1.4.4 Data storage space management
When storage space is about to run out, the product should automatically generate an alarm; the remaining-space threshold that triggers the alarm should be set by the administrator. The product should take measures to ensure the availability of stored event records and the storage of subsequent event records (for example, dumping existing event records, or recording only important event data). The product should allow the user to set the handling policy for when the space is exhausted.
6.1.1.4.5 Upgrade management
6.1.1.4.5.1 Library upgrade
The product should be able to upgrade the industrial control vulnerability knowledge base and the industrial control detection signature library both locally and remotely. The product should be able to upgrade the industrial control vulnerability knowledge base and industrial control detection signature library of the monitoring equipment in a unified way through the console or management platform.
6.1.1.4.5.2 Product upgrade
The product should be able to be upgraded locally and remotely.
6.1.1.4.5.3 Unified product upgrade
The product should be able to upgrade the monitoring equipment in a unified way through the console or management platform.
6.1.1.4.5.4 Upgrade package verification
The product should ensure the security of event library and product upgrades, and should have an upgrade package verification mechanism to prevent incorrect or forged upgrade packages. The upgrade process requires two-way identity authentication.
6.1.1.4.6 User management
6.1.1.4.6.1 Identification management
The product should support division of authority and set security attribute information for each user, including identification, authentication data, authorization information or management group information, and other security attributes.
6.1.1.4.6.2 Timeout setting
The product shall re-authenticate after a user login timeout: if there is no operation within the period set by the security policy, the session is locked or terminated, and the user must authenticate again before logging in again.
6.1.1.4.6.3 Console authentication
The product should authenticate the console before the user performs any security-related operation on the monitoring equipment through the console.
6.1.1.4.6.4 Session lock
The product should allow the user to lock the current interactive session; after it is locked, identity authentication is required before the user can log in again.
6.1.1.4.6.5 Authentication data protection
The product shall protect authentication data from unauthorized access and modification.
6.1.1.5 Communication security
6.1.1.5.1 Communication confidentiality
If the product is composed of multiple components, the confidentiality of communication between the components should be guaranteed.
6.1.1.5.2 Communication integrity
If the product is composed of multiple components, the integrity of communication between the components should be ensured. If the integrity of the data is compromised, the product should ensure that this is discovered and the administrator is notified in time.
6.1.2 Own security requirements
6.1.2.1 User managemen......