
GB/T 42456-2023 English PDF

US$1484.00 · In stock
Delivery: <= 8 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 42456-2023: Security for industrial automation and control systems - Technical security requirements for IACS components
Status: Valid

Similar standards

GB/T 41295.3   GB/T 41295.2   GB/T 41295.4   GB/T 20965   GB/T 42457   

Basic data

Standard ID: GB/T 42456-2023 (GB/T42456-2023)
Description (Translated English): Security for industrial automation and control systems - Technical security requirements for IACS components
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: N10
Classification of International Standard: 25.040
Word Count Estimation: 82,894
Date of Issue: 2023-03-17
Date of Implementation: 2023-10-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 42456-2023: Security for industrial automation and control systems - Technical security requirements for IACS components


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 25.040
CCS N10

National Standards of People's Republic of China

GB/T 42456-2023 / IEC 62443-4-2:2019

Information security for industrial automation and control systems - Safety Technical Requirements for IACS Components

Released on 2023-03-17; implementation on 2023-10-01

Released by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents

Preface
Introduction
1 Scope
2 Normative references
3 Terms, Definitions, Abbreviations and Conventions
3.1 Terms and Definitions
3.2 Abbreviations
3.3 Practice
4 General principles
4.1 Overview
4.2 CCSC1: Basic Function Support
4.3 CCSC2: Compensatory countermeasures
4.4 CCSC3: Least Privilege
4.5 CCSC4: Software Development Process
5 FR1 - Identification and authentication control
5.1 Purpose and description of SL-C (IAC)
5.2 Reason
5.3 CR1.1 - Personnel identification and identification
5.4 CR1.2 - Software process and equipment identification and authentication
5.5 CR1.3 - Account Management
5.6 CR1.4 - Identifier Management
5.7 CR1.5 - Discriminator management
5.8 CR1.6 - Wireless Access Management
5.9 CR1.7 - Password-based authentication strength
5.10 CR1.8 - Public Key Infrastructure (PKI) Certificate
5.11 CR1.9 - Strength based on public key authentication
5.12 CR1.10 - Discriminator Feedback
5.13 CR1.11 - Failed login attempt
5.14 CR1.12 - System usage tips
5.15 CR1.13 - Access through untrusted network
5.16 CR1.14 - Strength based on symmetric key authentication
6 FR2 - Using Control
6.1 Purpose and description of SL-C (UC)
6.2 Rationale and additional guidance
6.3 CR2.1 - Authorization to execute
6.4 CR2.2 - Wireless usage control
6.5 CR2.3 - Portable and mobile device use control
6.6 CR2.4 - Mobile Code
6.7 CR2.5 - Session Lock
6.8 CR2.6 - Remote session termination
6.9 CR2.7 - Concurrent session control
6.10 CR2.8 - Audit event
6.11 CR2.9 - Audit storage capacity
6.12 CR2.10 - Audit processing failure response
6.13 CR2.11 - Time stamp
6.14 CR2.12 - Non-repudiation
6.15 CR2.13 - Physical diagnosis and use of test interface
7 FR3 - System Integrity
7.1 Purpose and description of SL-C (SI)
7.2 Fundamentals
7.3 CR3.1 - Communication integrity
7.4 CR3.2 - Malicious code protection
7.5 CR3.3 - Information security function verification
7.6 CR3.4 - Software and Information Integrity
7.7 CR3.5 - Input inspection
7.8 CR3.6 - Deterministic output
7.9 CR3.7 - Error handling
7.10 CR3.8 - Session Integrity
7.11 CR3.9 - Audit information protection
7.12 CR3.10 - Support update
7.13 CR3.11 - Physical vandalism and detection
7.14 CR3.12 - Provide the root of trust for product suppliers
7.15 CR3.13 - Provide the asset owner's root of trust
7.16 CR3.14 - Start process integrity
8 FR4 - Data Confidentiality
8.1 Purpose and description of SL-C (DC)
8.2 Fundamentals
8.3 CR4.1 - Information Confidentiality
8.4 CR4.2 - Remaining information
8.5 CR4.3 - Use of encryption
9 FR5 - Restricted data flow
9.1 Purpose and SL-C (RDF) description
9.2 Fundamentals
9.3 CR5.1 - Network Segmentation
9.4 CR5.2 - Regional boundary protection
9.5 CR5.3 - General purpose inter-personal communication restrictions
10 FR6 - Timely Response to Events
10.1 Purpose and SL-C (TRE) description
10.2 Rationale and additional guidance
10.3 CR6.1 - Audit log accessibility
10.4 CR6.2 - Continuous monitoring
11 FR7 - Resource Availability
11.1 Purpose and SL-C (RA) Description
11.2 Origin
11.3 CR7.1 - Denial of service protection
11.4 CR7.2 - Resource Management
11.5 CR7.3 - Control system backup
11.6 CR7.4 - Control system recovery and reconstruction
11.7 CR7.5 - Emergency power supply
11.8 CR7.6 - Network and security configuration settings
11.9 CR7.7 - Minimum function
11.10 CR7.8 - Inventory of control system components
12 Software Application Requirements
12.1 Purpose
12.2 SAR2.4 - Mobile Code
12.3 SAR3.2 - Malicious code protection
13 Embedded Device Requirements
13.1 Purpose
13.2 EDR2.4 - Mobile Code
13.3 EDR2.13 - Using physical diagnosis and test interface
13.4 EDR3.2 - Malicious code protection
13.5 EDR3.10 - Support update
13.6 EDR3.11 - Physical vandalism and detection
13.7 EDR3.12 - Provisioning product vendor root of trust
13.8 EDR3.13 - Provisioning the asset owner's root of trust
13.9 EDR3.14 - Boot process integrity
14 Host Device Requirements
14.1 Purpose
14.2 HDR2.4 - Mobile Code
14.3 HDR2.13 - Using physical diagnosis and test interface
14.4 HDR3.2 - Malicious code protection
14.5 HDR3.10 - Support update
14.6 HDR3.11 - Physical anti-vandalism and detection
14.7 HDR3.12 - Provision product supplier trust root
14.8 HDR3.13 - Provision root of trust for asset owner
14.9 HDR3.14 - Boot process integrity
15 Network Equipment Requirements
15.1 Purpose
15.2 NDR1.6 - Wireless Access Management
15.3 NDR1.13 - Access through untrusted network
15.4 NDR2.4 - Mobile Code
15.5 NDR2.13 - Using physical diagnosis and test interface
15.6 NDR3.2 - Malicious code protection
15.7 NDR3.10 - Support update
15.8 NDR3.11 - Physical vandalism and detection
15.9 NDR3.12 - Provision product supplier root of trust
15.10 NDR3.13 - Provisioning asset owner's root of trust
15.11 NDR3.14 - Boot process integrity
15.12 NDR5.2 - Regional boundary protection
15.13 NDR5.3 - General purpose inter-personal communication restrictions
Appendix A (Informative) Equipment Classification
A.1 Overview
A.2 Device Classification: Embedded Devices
A.3 Equipment Classification: Network Equipment
A.4 Device Classification: Host Device/Application
Appendix B (Informative) Mapping of CR and RE to FR SL 1~4
B.1 Overview
B.2 SL mapping table
References

Foreword

This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work Part 1: Structure and Drafting Rules for Standardization Documents".

This document is equivalent to IEC 62443-4-2:2019 "Information Security for Industrial Automation and Control Systems Part 4-2: Security Technical Requirements for IACS Components".

The following minimal editorial changes have been made to this document:

--- In order to coordinate with existing standards, the name of the standard is changed to "Security Technical Requirements for IACS Components of Industrial Automation and Control System Information Security".

Please note that some contents of this document may refer to patents. The issuing agency of this document assumes no responsibility for identifying patents.

This document is proposed by China Machinery Industry Federation.

This document is under the jurisdiction of the National Industrial Process Measurement Control and Automation Standardization Technical Committee (SAC/TC124).

This document is drafted by: Dongfang Electric Group Science and Technology Research Institute Co., Ltd., Mechanical Industry Instrumentation Comprehensive Technical Economic Research Institute, General Electric Power Planning Institute Co., Ltd., Schneider Electric (China) Co., Ltd., Siemens (China) Co., Ltd., Beijing Sifang Relay Automation Co., Ltd., Beijing Guoneng Zhishen Control Technology Co., Ltd., North China Electric Power University, Chongqing Xin'an Network Security Level Evaluation Co., Ltd., Chengdu Venus Information Security Technology Co., Ltd., PetroChina Tarim Oilfield Branch, Chongqing University of Posts and Telecommunications Science, Southwest University, Shenyang Institute of Automation, Chinese Academy of Sciences, Huazhong University of Science and Technology, 30th Research Institute of China Electronics Technology Group Corporation, Shanghai Sea Industry Automation Instrument Research Institute Co., Ltd., the Fifth Electronic Research Institute of the Ministry of Industry and Information Technology, the National Industrial Information Security Development Research Center, Rockwell (Shanghai) Co., Ltd., Shanghai Electrical Apparatus Research Institute (Group) Co., Ltd., Hollysys Technology Group Co., Ltd., China Soft Software Evaluation Center (Software and Integrated Circuit Promotion Center of the Ministry of Industry and Information Technology), Phoenix Asia Pacific Electric (Nanjing) Co., Ltd.

The main drafters of this document: Yuan Xiaoshu, Wang Yumin, Shang Yujia, Zhang Jinbin, Wang Yong, Yan Tao, Du Zhenhua, Zhu Jingling, Gong Gangjun, Zhou Yanhui, Wang Rui, Yang Jinhua, Wei Min, Liu Feng, Zhao Jianming, Zhou Chunjie, Lan Kun, Liu Huifang, Liu Jie, Zhao Ran, Gao Jingmei, Ren Yue, Liu Ying, Guo Yongzhen, Wang Aipeng, Sang Zi, Wang Ying, Zhai Wanbo, Yang Xiaoqian, Zhang Yan, Pan Xuelong.

Introduction

0.1 Overview

IEC 62443 is a series of standards applied to the safety of industrial automation and control systems. At present, China has adopted this series of standards to issue:

● GB/T 33007-2016 "Industrial Communication Network Network and System Security Establishing Industrial Automation and Control System Security Procedures" (IEC 62443-2-1:2010, IDT);
● GB/T 35673-2017 "Industrial Communication Network Network and System Security System Security Requirements and Security Level" (IEC 62443-3-3:2013, IDT);
● GB/T 40211-2021 "Industrial Communication Network Network and System Security Terms, Overview and Model" (IEC/TS 62443-1-1:2009, IDT);
● GB/T 40218-2021 "Industrial Communication Network Network and System Security Industrial Automation and Control System Information Security Technology" (IEC/TR 62443-3-1:2009, IDT);
● GB/T 40682-2021 "Industrial Automation Network security of automation and control systems Part 2-4: Security program requirements for IACS service providers" (IEC 62443-2-4:2015, IDT);
● GB/T 42445-2023 "Patch Management in Industrial Automation and Control System Security IACS Environment" (IEC/TR 62443-2-3:2015, IDT);
● GB/T 42457-2023 "Industrial Automation and Control System Information Security Product Security Development Life Cycle Requirements" (IEC 62443-4-1:2018, IDT);
● this document.

These standards together constitute a series of national standards applied to the safety of industrial automation and control systems.

Industrial automation and control system (IACS) organizations are increasingly using inexpensive, efficient and highly automated commercial-off-the-shelf (COTS) Internet equipment. For sound business reasons, control systems are also increasingly interconnected with non-IACS networks. These devices, open networking technologies and increased connectivity present control system hardware and software with increasing opportunities for cyber-attacks. This weakness can lead to a range of health, safety and environmental (HSE), financial and/or reputational consequences in deployed control systems.

Organizations utilizing commercial information technology (IT) cybersecurity solutions to address IACS security concerns may not fully understand the results of this decision. At the same time, many business IT applications and security solutions can be applied to IACS, and thus need to be applied in an appropriate manner to eliminate unintended consequences. For this reason, the approach to defining system requirements considers both functional requirements and risk assessment, often including awareness of operational issues as well.

IACS security countermeasures include contingency procedures that should avoid the possibility of loss of essential services and functions (commonly utilized IT security countermeasures do have this potential). IACS safety objectives focus on control system availability, plant protection, plant operation (even in degraded mode) and time-critical system responses. IT security goals often do not place equal weight on these factors; they may be more focused on protecting information rather than physical assets. Regardless of the degree of plant integration, these various goals need to be clearly articulated as safety goals. According to the requirements of IEC 62443-2-1, a key step in the risk assessment should be to determine which services and functions are really essential to the operation (for example, engineering support may be identified as a non-essential service or function in some facilities). Essential services or functions should not be subject to adverse effects, and in some cases information security measures that may result in a temporary loss of non-essential services or functions are acceptable.

This document provides cybersecurity requirements for the components that make up the IACS, in particular embedded devices, network components, host components, and software applications. Appendix A describes the classification of commonly used IACS equipment. The requirements of this document refer to the IACS system safety requirements described in IEC 62443-3-3. The purpose of this document is to specify security functions that enable components to be integrated into a system environment with a given security level (SL). The table in Appendix B summarizes the requirements defined in this document and the SLs for enhanced requirements.

The main goal of the IEC 62443 series of standards is to provide a flexible framework that can help address current and future vulnerabilities of IACS security and apply necessary mitigations in a systematic and defensible manner. It is important to understand that the purpose of IEC 62443 is to extend the security of the enterprise in a way that adapts to the needs of enterprise IT systems and combines them with the unique requirements of high integrity and availability required by IACS.

0.2 Purpose and target audience

The intended readers of this document in the IACS community are asset owners, system integrators, product suppliers and, where appropriate, compliance departments. Compliance departments include government agencies and regulators with statutory powers that can conduct audits to verify compliance with laws and regulations.

System integrators will use this document to assist them in sourcing the control system components that make up the IACS solution. This document will help system integrators specify the appropriate level of security capabilities for the individual components they are procuring. The main standards that system integrators refer to are IEC 62443-2-1, IEC 62443-3-2 and IEC 62443-3-3, which provide the organizational and operational requirements for a safety management system and guide the system integrator through the process of defining security areas and defining the target safety capability level (SL-T) for these areas. Once SL-T is defined for each area, components that provide the necessary functions can be used to realize SL-T for each area.

Product suppliers will use this document to understand the requirements for control system components with specific SL-C requirements. Components themselves may not provide security capabilities, but may be designed to be integrated with a higher-level entity, thereby benefiting from the capabilities of that entity. For example, the embedded device itself may not have the ability to maintain user directories, but may be integrated into systems with authentication and authorization services, thus still meeting the requirements for providing individual human user authentication, authorization and management capabilities. This document will guide product suppliers on which requirements can be assigned and which requirements need to be built into the component. According to Practice 8 of IEC 62443-4-1, the product supplier will provide documentation on how to correctly integrate components into the system to comply with a specific SL-T.

The component requirements (CR) in this document refer to the system requirements (SR) in IEC 62443-3-3. The requirements in IEC 62443-3-3 are called SR and are derived from the overall Fundamental Requirements (FR) defined in IEC 62443-1-1. A CR can also include a set of enhancement requirements (RE). The combination of CR and RE will determine the target safety level that the component can achieve.

This document provides requirements for four types of components: software applications, embedded devices, host devices, and network devices. Therefore, the CR of each group of components will be designated as follows:

● Software Application Requirements (SAR);
● Embedded Device Requirements (EDR);
● Host Device Requirements (HDR);
● Network Device Requirements (NDR).

Most of the requirements of this document are the same for the four types of components, hence the abbreviation CR. When there are unique component-specific requirements, the general requirement will state that the requirement is component-specific and is located in the component-specific requirements clause of this document.

Figure 1 shows a graphical representation of the IEC 62443 series of standards at the time of writing.

Figure 1 IEC 62443 standard system

Information security for industrial automation and control systems - Safety Technical Requirements for IACS Components

1 Scope

This document provides detailed technical control system component requirements (CR) related to the seven Fundamental Requirements (FR) described in IEC TS 62443-1-1, including requirements defining the control system capability safety level and its components, SL-C (components).

According to the regulations of IEC TS 62443-1-1, there are seven FRs in total:

a) Identification and Authentication Control (IAC),
b) Usage Control (UC),
c) System Integrity (SI),
d) Data Confidentiality (DC),
e) Restricted Data Flow (RDF),
f) Timely Response to Incidents (TRE),
g) Resource Availability (RA).

These seven requirements (FR) are the basis for defining the security capability level of the control system. The main objective of this document is to define the level of security capability of control system components, while SL (SL-T) or how to achieve SL (SL-A) is not within the scope of this document.

Note 1: To fully realize the SL goal of the control system, it is also necessary to refer to a series of non-technical, program-related CR capabilities specified in IEC 62443-2-1.

Unless otherwise specified, "security" in this document refers to "information security".

Note 2: The trademarks and product names mentioned in this document are only for the convenience of users. This information does not constitute an endorsement by IEC of the products mentioned.

2 Normative references

The contents of the following documents constitute the essential provisions of this document through normative references in the text. Among them, for dated references, only the version corresponding to the date applies to this document; for undated references, the latest version (including all amendments) applies to this document.

GB/T 35673-2017 Industrial Communication Network Network and System Security System Security Requirements and Security Levels

IEC TS 62443-1-1 Industrial communication network network and system security Part 1-1: Terminology, concepts ......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 42456-2023_English be delivered?

Answer: Upon your order, we will start to translate GB/T 42456-2023_English as soon as possible, and keep you informed of the progress. The lead time is typically 5 ~ 8 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 42456-2023_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 42456-2023_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.