GB/T 42445-2023: Security for industrial automation and control systems - Patch management in the IACS environment (Status: Valid)
Basic data
Standard ID: GB/T 42445-2023 (GB/T42445-2023)
Description (translated English): Security for industrial automation and control systems - Patch management in the IACS environment
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: N10
Classification of International Standard (ICS): 25.040
Word count estimation: 56,544
Date of issue: 2023-03-17
Date of implementation: 2023-10-01
Issuing agencies: State Administration for Market Regulation; China National Standardization Administration

ICS 25.040
CCS N10
National Standard of the People's Republic of China
GB/T 42445-2023 / IEC TR 62443-2-3:2015
Security for industrial automation and control systems - Patch management in the IACS environment
Issued 2023-03-17, implemented 2023-10-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions, acronyms and abbreviations
  3.1 Terms and definitions
  3.2 Acronyms and abbreviations
4 Industrial automation and control system patches
  4.1 Patching issues in industrial automation and control systems
  4.2 Impact of poor patch management
  4.3 Patch management mitigations for outdated IACS
  4.4 Patch life cycle states
5 Recommended requirements for asset owners
6 Recommended requirements for IACS product suppliers
7 Exchanging patch information
  7.1 Overview
  7.2 Patch information exchange format
  7.3 Patch compatibility information file name convention
  7.4 VPC file schema
  7.5 VPC file element definitions
Appendix A (informative) VPC XSD file format
  A.1 VPC XSD file format specification
  A.2 Core component types
Appendix B (informative) IACS asset owner patch application guidelines
  B.1 Appendix structure
  B.2 Overview
  B.3 Information collection
  B.4 Project planning and implementation
  B.5 Monitoring and evaluation
  B.6 Patch testing
  B.7 Patch deployment and installation
  B.8 Running the IACS patch management program
Appendix C (informative) IACS product supplier / service provider patch installation guidelines
  C.1 Appendix structure
  C.2 Vulnerability discovery
  C.3 Development, verification and validation of security updates
  C.4 Release of cybersecurity updates
  C.5 Communication and outreach
References

Foreword
This document is drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".
This document is identical to IEC TR 62443-2-3:2015 "Security for industrial automation and control systems - Part 2-3: Patch management in the IACS environment". The document type is changed from an IEC technical report to a Chinese national standard.
The following minimal editorial change has been made to this document:
- To coordinate with existing standards, the title is changed to "Security for industrial automation and control systems - Patch management in the IACS environment".
This document is proposed by the China Machinery Industry Federation.
This document is under the jurisdiction of the National Technical Committee on Industrial Process Measurement, Control and Automation of Standardization Administration of China (SAC/TC124).
Drafting organizations: Dongfang Electric Group Science and Technology Research Institute Co., Ltd.; Mechanical Industry Instrumentation Comprehensive Technical Economic Research Institute; General Electric Power Planning Institute Co., Ltd.; Schneider Electric (China) Co., Ltd.; Siemens (China) Co., Ltd.; Beijing Sifang Relay Automation Co., Ltd.; Beijing Guoneng Zhishen Control Technology Co., Ltd.; North China Electric Power University; Chongqing Xin'an Network Security Level Evaluation Co., Ltd.; State Power Investment Wuhu Power Generation Co., Ltd.; PetroChina Tarim Oilfield Branch; Chongqing University of Posts and Telecommunications; Southwest University; Shenyang Institute of Automation, Chinese Academy of Sciences; Huazhong University of Science and Technology; the 30th Research Institute of China Electronics Technology Group Corporation; Shanghai Industrial Automation Instrument Research Institute Co., Ltd.; the Fifth Electronic Research Institute of the Ministry of Industry and Information Technology; National Industrial Information Security Development Research Center; Rockwell (Shanghai) Co., Ltd.; Shanghai Electrical Apparatus Research Institute (Group) Co., Ltd.; Hollysys Technology Group Co., Ltd.; Ministry of Industry and Information Technology Computer and Microelectronics Development Research Center (China Software Evaluation Center); Xi'an Space Radio Technology Research Institute.
Main drafters: Yuan Xiaoshu, Wang Yumin, Shang Yujia, Zhang Jinbin, Wang Yong, Yan Tao, Du Zhenhua, Zhu Jingling, Gong Gangjun, Zhou Yanhui, Cheng Jiarong, Yang Qizhan, Wei Min, Liu Feng, Zhao Jianming, Zhou Chunjie, Lan Kun, Liu Huifang, Liu Jie, Zhao Ran, Gao Jingmei, Ren Yue, Liu Ying, Guo Yongzhen, Wang Aipeng, Sang Zi, Wang Ying, Zhai Wanbo, Yang Xiaoqian, Zhang Yan, Xu Jin, Wang Jia, Hu Bo, Yang Chao.

Introduction
IEC 62443 is a series of international standards for the security of industrial automation and control systems. China has adopted this series to develop and publish GB/T 33007-2016 "Industrial communication networks - Network and system security - Establishing an industrial automation and control system security program" (IEC 62443-2-1:2010, IDT), GB/T 35673-2017 "Industrial communication networks - Network and system security - System security requirements and security levels" (IEC 62443-3-3:2013, IDT), GB/T 40211-2021 "Industrial communication networks - Network and system security - Terminology, concepts and models" (IEC 62443-1-1:2009, IDT), GB/T 40218-2021 "Industrial communication networks - Network and system security - Security technologies for industrial automation and control systems" (IEC TR 62443-3-1:2009, IDT), GB/T 40682-2021 "Security for industrial automation and control systems - Part 2-4: Security program requirements for IACS service providers" (IEC 62443-2-4:2015, IDT) and this document. Together, these standards form a series of national standards applied to the security of industrial automation and control systems.
Cybersecurity is an increasingly important topic in modern organizations. Many information technology (IT) and business organizations have long focused on cybersecurity and have established an information security management system (ISMS) in compliance with ISO/IEC 27001 and ISO/IEC 27002. These management systems give organizations methods to protect their assets from cyber attacks. Industrial automation and control system (IACS) suppliers and owners now use commercial off-the-shelf (COTS) technology in their daily activities. As COTS systems become more widely known and used, their use in IACS also increases the chance of network attacks on IACS equipment. New research on IACS security has also found vulnerabilities in many devices. Successful attacks on industrial systems may have health, safety and environmental (HSE) consequences. Organizations may attempt to address IACS security with commercial cybersecurity policies without understanding the consequences. Although many of these solutions can be applied to IACS, they need to be applied in the correct way to avoid unintended consequences.
This document addresses patch management for IACS cybersecurity. Patch management is part of an overall cybersecurity strategy; it increases security by installing patches, which are also known as software updates, software upgrades, firmware upgrades, service packs, patches, basic input/output system (BIOS) updates and other digital electronic program updates that address defects, operability, reliability and cybersecurity vulnerabilities. This document addresses the many issues and concerns that asset owners and IACS product suppliers have about IACS patch management, and the impact of poor patch management on the reliability and/or operability of the IACS.

Security for industrial automation and control systems - Patch management in the IACS environment

1 Scope
This document describes requirements for asset owners who establish and maintain an industrial automation and control system (IACS) patch management program, and requirements for IACS product suppliers. It recommends a well-defined format for asset owners and IACS product suppliers to distribute security patch information, and defines some related activities, such as the development of patch information by IACS product suppliers and the deployment and installation of patches by asset owners. The defined exchange format and activities are primarily intended for security-related patches, but can also be applied to non-security-related patches or updates.
This document does not distinguish between operating system (OS), application or device patches, nor between product suppliers providing infrastructure components and those providing IACS applications; it provides guidance for all patches applicable to IACS. Patches may address defects, reliability issues, operability issues or security vulnerabilities.
Note 1: Discovering and disclosing security vulnerabilities affecting IACS is a general issue outside the scope of this document, and this document provides no ethical or methodological guidance in this regard. Unless otherwise specified, "security" in this document refers to information security.
Note 2: This document does not provide guidance on how to mitigate a vulnerability from its discovery until a patch for it is created. Implementing multiple compensating measures to mitigate security risk is part of the IACS security management system (IACS-SMS). For guidance on this, refer to B.4.5, B.4.6 and B.8.5 in Appendix B of this document and to other parts of the IEC 62443 series.

2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to the date applies to this document; for undated references, the latest version (including all amendments) applies.
IEC TS 62443-1-1 Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models
Note: GB/T 40211-2021 Industrial communication networks - Network and system security - Terminology, concepts and models (IEC TS 62443-1-1:2009, IDT)
IEC 62443-2-1 Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program
Note: GB/T 33007 Industrial communication networks - Network and system security - Establishing an industrial automation and control system security program (IEC 62443-2-1:2010, IDT)

3 Terms, definitions, acronyms and abbreviations
3.1 Terms and definitions
The terms and definitions defined in IEC TS 62443-1-1 and IEC 62443-2-1, and the following, apply to this document.
......