
GB/T 37980-2019 English PDF

GB/T 37980-2019: Information security technology - Guide for security inspection of industrial control systems
Status: Valid


Basic data

Standard ID: GB/T 37980-2019 (GB/T37980-2019)
Description (Translated English): Information security technology - Guide for security inspection of industrial control systems
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 30,323
Date of Issue: 2019-08-30
Date of Implementation: 2020-03-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration



---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology - Guide for security inspection of industrial control systems
ICS 35.040
L80
National Standard of the People's Republic of China
Issued 2019-08-30, implemented 2020-03-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Table of contents

Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Inspection method
6 Inspection workflow
7 How to select inspection content
8 Inspection content
Appendix A (Informative) Risk analysis method
Appendix B (Informative) Inspection content classification table
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this standard: China Information Security Evaluation Center, China Electronics Standardization Institute, China National Petroleum Corporation, Beijing Sanlingweishi Information Security Technology Co., Ltd., Beijing Kuangen Network Technology Co., Ltd., Qingdao Haitian Weiye Process Control Technology Co., Ltd., Wangshen Information Technology (Beijing) Co., Ltd., Zhejiang Zheneng Taizhou Second Power Generation Co., Ltd., Huaneng International Power Co., Ltd.

The main drafters of this standard: Dai Zhonghua, Peng Yong, Zhao Wei, Han Xuefeng, Xiang Li, Xiong Qi, Di Liqing, Gao Yang, Fan Kefeng, Yao Xiangzhen, Li Lin, Zhou Ruikang, Jing Xiaowei, Teng Zhengcen, Zhang Jianjun, Zhang Dajiang, Su Fengqin, Li Hang, Xia Kechao, Li Hui.

Introduction

With the deep integration of industrialization and informatization, industrial control systems are widely used in nuclear facilities, steel, non-ferrous metals, chemicals, petroleum and petrochemicals, electric power, natural gas, advanced manufacturing, water conservancy hubs, environmental protection, railways, urban rail transit, civil aviation, urban water supply, gas and heating, and other fields closely related to the national economy and the people's livelihood. An industrial control system is a data acquisition, monitoring and control system applied in the industrial field; it is a control system composed of computer equipment, industrial process control components and networks, and is the nerve center of the industrial field. Control systems used in the industrial field include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controller (PLC) systems, etc. In recent years attacks on industrial control systems have emerged one after another, and the security of industrial control systems directly affects the normal operation of important national basic industrial facilities and the interests of the general public.

The purpose of this standard is to guide users of industrial control systems in China's critical national infrastructure in carrying out information security self-assessment of their industrial control systems, grasping the overall information security status of those systems, discovering problems and weak links in a timely and effective manner, further improving the information security management system and technical measures of the industrial control system, and improving its information security protection capability; to provide support for the state in carrying out information security inspections of industrial control systems in key industries; and to help achieve more secure industrial control systems with effective risk management within them.

1 Scope

This standard specifies the scope, approach, process, method and content of information security inspection of industrial control systems.

This standard is applicable to information security supervision and inspection of industrial control systems and to entrusted inspections, and to information security self-inspection of relevant systems carried out within a group (system).

Note: The scope of inspection applicable to this standard is industrial control systems widely used in nuclear facilities, steel, non-ferrous metals, chemicals, petroleum and petrochemicals, electric power, natural gas, advanced manufacturing, water conservancy hubs, environmental protection, railways, urban rail transit, civil aviation, urban water supply, gas and heating, and other fields closely related to the national economy and the people's livelihood.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.

GB/T 25069-2010 Information security technical terms
GB/T 32919-2016 Information security technology - Application guide for industrial control system security controls

3 Terms and definitions

The following terms and definitions defined in GB/T 25069-2010 and GB/T 32919-2016 apply to this document.

3.1 Industrial control system
A business process control system composed of various automation control components and process control components that collect and monitor real-time data, used to ensure the automated operation, process control and monitoring of industrial infrastructure.
Note: The core components of an industrial control system include supervisory control and data acquisition systems, distributed control systems, programmable logic controllers, main terminal units, remote terminal units, host computers, and the interface technology that ensures communication between components.

3.2 Supervisory control and data acquisition system
A control system that, in the process of industrial production control, performs centralized data acquisition and monitoring management of large-scale, long-distance, geographically distributed assets and equipment in a WAN environment.
Note: A SCADA system is computer-based and monitors and dispatches remote distributed operating equipment. Its main functions include data acquisition, parameter measurement and adjustment, information alarms, etc. A SCADA system generally consists of a main terminal unit (MTU) located in the control center, communication lines and equipment, remote terminal units (RTU) and other components.

3.3 Distributed control system
A computer-based system for distributed control and centralized management of the production process within a system (within a unit).
Note: A DCS generally includes two levels: the field control level and the control management level. The field control level mainly controls a single process; the control management level mainly performs data collection, unified scheduling and management of multiple scattered sub-processes.

3.4 Industrial control equipment
Equipment for monitoring and controlling industrial production processes and devices.

3.5 Programmable logic controller
Electronic equipment that uses programmable memory to control industrial production equipment through digital operations.
Note: A PLC mainly executes instructions such as operations, sequence control and timed execution, is used to control the actions of industrial production equipment, and is the basic unit of an industrial control system.

3.6 Main terminal unit
The server in a SCADA system used for centralized control, which communicates with the remote terminal units.

3.7 Remote terminal unit
A special-purpose computer measurement and control unit with a modular structure, designed for long communication distances and harsh industrial field environments.

3.8 Host computer
A computer that directly issues control commands.

3.9 Control network
The network of the control layer, in which engineer stations, operator stations and industrial control equipment are mainly deployed; it is a trusted area with a high security level.

3.10 Security inspection
Inspection that promotes construction, rectification, management and prevention, aiming to improve the capability and protection level of information security work.

4 Abbreviations

The following abbreviations apply to this document.

5 Inspection method

5.1 Supervision and inspection
Supervision and inspection refers to inspections organized by higher-level administrative departments or carried out by relevant national functional departments in accordance with the law. Supervision and inspection may implement the complete information security inspection process in accordance with the requirements of this standard, or may inspect key links or key content on the basis of self-inspection.

5.2 Self-inspection
Self-inspection refers to an inspection of the security status of the unit's own industrial control system, initiated by the owner, operator or user unit of the information system. Self-inspection is implemented under the guidance of this standard, combined with the specific security requirements of the system.

5.3 Entrusted inspection
If the inspected unit or the department organizing supervision and inspection lacks inspection capability, it may entrust an institution recognized by the relevant competent authority to carry out the inspection.

6 Inspection workflow

6.1 Inspection preparation

6.1.1 Overview
Inspection preparation is the prerequisite and basis for carrying out inspection work and guarantees the effectiveness of the entire inspection process. Whether preparation is adequate directly determines whether the follow-up work can proceed smoothly. The main content of this stage is to clarify the approach, basis, scope and content of the inspection work; investigate the situation of the inspected unit and the inspected system; determine the contact person and contact information of the inspected unit; determine the members of the inspection team and the inspectors; formulate the inspection plan and scheme; and notify the inspected unit.

6.1.2 Work content of the inspection preparation process
According to the requirements of the inspection work, clarify the approach of the security inspection, which includes supervision and inspection by regulatory agencies and enterprise information security self-inspection.
Clarify the basis for the security inspection, including national information security regulatory documents and standards, industry information security regulatory documents and standards, and the requirements of the competent authority.
Clarify the scope of the security inspection, including the inspected unit, the inspected system, the personnel involved, the superior unit of the inspected unit, etc., and form the "Investigation Form for Information Security Inspection of Industrial Control Systems" through research.
Clarify the content of the security inspection. It consists of two parts: the basic inspection content, whose requirements are detailed in Chapter 8 of this standard, and the supplementary inspection content, which the inspection agency determines before each inspection according to the requirements of the relevant competent unit, the development trend of information security, and the state of the enterprise's information security management.
The inspection agency organizes and implements the inspection work in a unified manner and determines the personnel and equipment of the on-site inspection team. It may entrust a third-party information security service agency to carry out the on-site inspection, in which case the inspection agency assigns dedicated personnel to accompany it.
According to the content of the inspection work, formulate the "Industrial Control System Information Security Inspection Plan", the "Industrial Control System Information Security Inspection Scheme" and the "Industrial Control System Information Security Inspection Worksheet".
At least two days before the on-site inspection starts, the inspection team shall issue the "Industrial Control System Information Security Inspection Plan" and the "Industrial Control System Information Security Inspection Scheme" to the inspected unit, and shall explicitly require the inspected unit to back up the necessary systems and data, cooperate actively, and provide the necessary cooperating personnel and office conditions.

6.1.3 Roles and responsibilities in the inspection preparation process
Responsibilities of the inspection agency:
a) Introduce the meaning and purpose of the security inspection, the inspection process and the working methods to the inspected unit;
b) Understand the construction status of the inspected unit's industrial control system;
c) Point out the basic information that the inspected unit needs to provide;
d) Explain the inspection risks and the methods of avoiding them to the inspected unit;
e) Prepare a survey form on the basic situation of the inspected system;
f) Understand the basic situation of the inspected system;
g) Carry out a preliminary analysis of the security situation of the system;
h) Prepare inspection tools and documents.
Responsibilities of the inspected unit:
a) Introduce the construction status and development of the unit's industrial control system to the inspection agency;
b) Prepare the materials required by the inspection agency;
c) Provide support and coordination for the inspectors' information collection;
d) Provide appropriate suggestions for the inspection schedule according to the specific conditions of the inspected system, such as peak periods of business operation and network layout;
e) Back up data and systems, and prepare emergency plans.

6.2 Inspection implementation

6.2.1 Overview
Inspection implementation is the core of the inspection work. Based on the overall requirements of the inspection scheme, the requirements of this inspection specification are put into actual inspection work: through personnel interviews, document review, configuration verification and security testing of the inspected unit, and by reading the self-inspection report or the last inspection report (if any), evidence on the security protection status of the inspected unit's industrial control system is collected, and sufficient evidence and data are obtained for the analysis and summary activities.

6.2.2 Work content of the inspection implementation process
The inspector fills in the "Industrial Control System Information Security Inspection Worksheet" on site; after the inspection is completed, the inspected unit signs to confirm it. After the on-site inspection is completed, the inspected unit signs to confirm the "Verification Record" of the system's operating status, and any abnormal operation of the system caused by the inspection work is recorded truthfully and reported to the competent authority in a timely manner.
The methods and possible risks of on-site inspection are as follows.
a) The methods used for on-site inspection mainly include:
1) Personnel interview: a method by which the inspector obtains evidence of the effectiveness of the information system's security protection measures through communication, discussion and other activities with the relevant personnel (individuals or groups) of the industrial control system.
2) Document review: a method by which the inspector obtains evidence of whether the inspected unit's industrial control system security protection requirements are comprehensive and whether its security protection regulations are implemented, by reviewing the security management system, records and other documents that support the secure construction, operation and maintenance of the industrial control system.
3) Configuration verification: a method by which the inspector obtains evidence of the effectiveness of the inspected system's security protection measures by observing, inspecting and analyzing the inspected system.
4) Security test: a method by which the inspector uses predetermined methods or tools to make the inspected system produce specific behaviors, and obtains evidence of whether the industrial control system's security protection measures are effective by viewing and analyzing the results of those behaviors. A re-inspection need not carry out security tests and may use existing security test results.
b) The main possible risks at this stage include:
1) Verification tests affect the normal operation of the industrial control system. During the on-site inspection, necessary verification tests are performed on the security policy configuration and security functions of the equipment and system. Part of the test content involves operating the equipment, which may have a certain impact on the operation of the system and may even lead to misoperation.
2) Tool tests affect the normal operation of the industrial control system. During on-site inspection, technical testing tools are sometimes used to perform vulnerability testing, performance testing and even penetration testing. Tool testing may have a certain impact on system operation, and vulnerability testing and penetration testing may cause certain damage to system data.
3) In principle, the inspector should not touch the inspected system, so as to avoid performing data change operations on it; the cooperating personnel perform the verification operations on the inspected system according to the operating procedures and the inspection items.

6.2.3 Roles and responsibilities in the on-site inspection process
Responsibilities of the inspection agency: use personnel interviews, document review, configuration verification and security testing to check the compliance of the system's protective measures with the requirements of this standard, as well as their correctness and effectiveness.
Responsibilities of the inspected unit:
a) Coordinate the relationships among the relevant personnel of the inspected system and cooperate with the inspection work;
b) Answer the inquiries of the inspectors and operate the computer for content that needs to be verified;
c) Assist the inspectors in carrying out tool tests and provide effective suggestions to reduce the impact of the security inspection on system operation;
d) Assist the inspectors in completing inquiries, verification and testing of business-related content;
e) Relevant personnel confirm the inspection results.

6.3 Analysis of inspection results

6.3.1 Overview
Analysis of inspection results is a comprehensive evaluation activity that summarizes the overall security protection capability of the inspected system based on the on-site inspection results and the relevant requirements of this standard, locates the gap between the security protection status of the system and the security requirements of this standard, analyzes the risks the inspected system faces as a result of those gaps, gives the inspection conclusion, and produces the inspection report and rectification notice.

6.3.2 Work content of inspection result analy......
