GB/T 42457-2023 English PDF
US$874.00 · In stock
Delivery: <= 5 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 42457-2023: Security for industrial automation and control systems - Secure product development lifecycle requirements
Status: Valid

Basic data
Standard ID: GB/T 42457-2023 (GB/T42457-2023)
Description (Translated English): Security for industrial automation and control systems - Secure product development lifecycle requirements
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: N10
Classification of International Standard: 25.040
Word Count Estimation: 48,441
Date of Issue: 2023-03-17
Date of Implementation: 2023-10-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 42457-2023: Security for industrial automation and control systems - Secure product development lifecycle requirements
This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.

ICS 25.040
CCS N10
National Standards of People's Republic of China
GB/T 42457-2023/IEC 62443-4-1:2018
Information security for industrial automation and control systems
Product Security Development Lifecycle Requirements
Released on 2023-03-17
Implementation on 2023-10-01
Released by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents
Preface
Introduction
1 Scope
2 Normative references
3 Terms, Definitions, Abbreviations and Conventions
3.1 Terms and Definitions
3.2 Abbreviations
3.3 Practice
4 General principles
4.1 Concept
4.2 Maturity Model
5 Practice 1 - Safety Management
5.1 Purpose
5.2 SM-1: Development Process
5.3 Rationale and additional guidance
5.4 SM-2: Define Responsibilities
5.5 SM-3: Identify Applicability
5.6 SM-4: Security Expertise
5.7 SM-5: Process Scoping
5.8 SM-6: Document Integrity
5.9 SM-7: Development Environment Security
5.10 SM-8: Private key control
5.11 SM-9: Security Requirements for Externally Provided Components
5.12 SM-10: Custom-developed components from third-party suppliers
5.13 SM-11: Assess and resolve safety-related issues
5.14 SM-12: Process Validation
5.15 SM-13: Continuous Improvement
6 Practice 2 - Security Requirements Specification
6.1 Purpose
6.2 SR-1: Product Security Context
6.3 SR-2: Threat Model
6.4 SR-3: Product Security Requirements
6.5 SR-4: Product Security Requirements Content
6.6 SR-5: Security Requirements Review
7 Practice 3 - Safety Design
7.1 Purpose
7.2 SD-1: Safe Design Principles
7.3 SD-2: Defense in Depth Design
7.4 SD-3: Security Design Review
7.5 SD-4: Security Design Best Practices
8 Practice 4 - Security Implementation
8.1 Purpose
8.2 Applicability
8.3 SI-1: Security Implementation Review
8.4 SI-2: Secure Coding Standard
9 Practice 5 - Security Verification and Confirmation Test
9.1 Purpose
9.2 SVV-1: Security Requirements Test
9.3 SVV-2: Threat Mitigation Test
9.4 SVV-3: Vulnerability Test
9.5 SVV-4: Penetration Testing
9.6 SVV-5: Independence of testers
10 Practice 6 - Management of Security Related Issues
10.1 Purpose
10.2 DM-1: Receive Notification of Security-Related Issues
10.3 DM-2: Review of safety-related issues
10.4 DM-3: Assessing safety-related issues
10.5 DM-4: Address security-related issues
10.6 DM-5: Disclosure of Security-Related Issues
10.7 DM-6: Periodic Review of Security Defect Management Practices
11 Practice 7 - Security update management
11.1 Purpose
11.2 SUM-1: Security update eligibility criteria
11.3 SUM-2: Security Update Documentation
11.4 SUM-3: Dependent Component or Operating System Security Update Documentation
11.5 SUM-4: Security Update Delivery
11.6 SUM-5: Timely Delivery of Security Patches
12 Practice 8 - Safety Guideline
12.1 Purpose
12.2 SG-1: Product Defense in Depth
12.3 SG-2: Anticipated defense-in-depth measures in the environment
12.4 SG-3: Security Hardening Guidelines
12.5 SG-4: Guidelines for Safe Disposal
12.6 SG-5: Guidelines for safe handling
12.7 SG-6: Account Management Guidelines
12.8 SG-7: Documentation Review
Appendix A (Informative) Possible Indicators
Appendix B (Informative) Requirements Table
Reference

Foreword
This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work Part 1: Structure and Drafting Rules for Standardization Documents".
This document is equivalent to IEC 62443-4-1:2018 "Information Security for Industrial Automation and Control Systems - Part 4-1: Product Security Development Lifecycle Requirements".
The following minimal editorial changes have been made to this document:
- In order to coordinate with existing standards, the name of the standard is changed to "Industrial Automation and Control System Information Security Product Security Development Lifecycle Requirements".
This document is proposed by China Machinery Industry Federation.
This document is under the jurisdiction of the National Industrial Process Measurement Control and Automation Standardization Technical Committee (SAC/TC124).
This document is drafted by: Beijing Winnut Technology Co., Ltd., the Institute of Comprehensive Technology and Economics of Machinery Industry Instrumentation, the General Manager of Electric Power Planning Institute Co., Ltd., Schneider Electric (China) Co., Ltd., Siemens (China) Co., Ltd., Beijing Sifang Jibao Automation Co., Ltd., Beijing Guoneng Zhishen Control Technology Co., Ltd., North China Electric Power University, Chongqing Xin'an Network Security Level Evaluation Co., Ltd., Chongqing University of Posts and Telecommunications, Southwest University, Huazhong University of Science and Technology, the 30th Research Institute of China Electronics Technology Group Corporation, Beijing Guangli Nuclear System Engineering Co., Ltd., Liaoning University Tang International New Energy Co., Ltd., State Grid Liaoning
Electric Power Co., Ltd. Maintenance Branch, CRRC Zhuzhou Electric Locomotive Research Institute Co., Ltd., Beijing Beijing South Jiaotong University Shengyang Technology Co., Ltd., Traffic Control Technology Co., Ltd., Hangzhou Dianzi University, China FAW Group Co., Ltd. Co., Ltd., Xi'an Thermal Engineering Research Institute Co., Ltd., Shanghai Industrial Automation Instrument Research Institute Co., Ltd., the Fifth Research Institute of Electronics of the Ministry of Industry and Information Technology Research Institute, National Industrial Information Security Development Research Center, Rockwell (Shanghai) Co., Ltd., Shanghai Electrical Apparatus Research Institute (Group) Co., Ltd. Division, Hollysys Technology Group Co., Ltd., Xi'an Institute of Space Radio Technology.
The main drafters of this document: Huang Min, Wang Yumin, Shang Yujia, Wang Chunxia, Zhang Jinbin, Yang Jianping, Long Guodong, Zhang Dongqi, Wang Yong, Yan Tao, Du Zhenhua, Zhu Jingling, Gong Gangjun, Zhou Yanhui, Wei Min, Liu Feng, Zhou Chunjie, Lan Kun, Mo Changyu, Zhao Zhipeng, Wang Xinming, Zeng Yang, Wang Jin, Tang Jun, Zou Zhirong, Yang Binmao, Yang Xuetao, Yang Qingwen, Xu Xianghua, Wang Ran, Li Lei, Zhang Zijia, Yang Yuan, Liu Huifang, Liu Jie, Zhao Ran, Gao Jingmei, Ren Yue, Liu Ying, Wang Aipeng, Wang Ying, Zhang Yan, Xu Jin, Wang Jia, Hu Bo, Yang Chao.

Introduction
IEC 62443 is a series of international standards applied to the security of industrial automation and control systems. At present, China has adopted this series of standards and published GB/T 33007-2016 "Industrial Communication Network Network and System Security Establishing Industrial Automation and Control System Security Procedures" (IEC 62443-2-1:2010, IDT), GB/T 35673-2017 "Industrial Communication Network Network and System Security System Security Requirements and Security Level" (IEC 62443-3-3:2013, IDT), GB/T 40211-2021 "Industrial Communication Network Network and System Security Terms, Overview and Model"
(IEC 62443-1-1:2009, IDT), GB/T 40218-2021 "Industrial Communication Network Network and System Security Industry Automation and Control System Information Security Technology" (IEC/TR 62443-3-1:2009, IDT), GB/T 40682-2021 "Industrial Automation and Control system cybersecurity Part 2-4: Security program requirements for IACS service providers" (IEC 62443-2-4:2015, IDT) and this document. These standards together constitute a series of national standards applied to the security of industrial automation and control systems.
This document is part of a series of standards addressing security in industrial automation and control systems (IACS). This document describes the information security-related product development life cycle requirements for products intended for use in industrial automation and control system environments, and provides guidance on how to meet the requirements described for each element.
Much of this document is derived from the ISA Security Compliance Institute (ISCI) Security Development Lifecycle Assessment (SDLA) Certification Requirements [26]. The SDLA program is based on the following sources:
- ISO/IEC 15408-3 (Common Criteria) [18];
- Open Web Application Security Project (OWASP), Comprehensive Lightweight Application Security Process (CLASP) [36];
- Security Development Lifecycle by Michael Howard and Steve Lipner [43];
- IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems [24]; and
- RTCA DO-178B Software Considerations in Airborne Systems and Equipment Certification [28].
Therefore, all of these can be considered sources for this document.
The information security requirements contained in this document can be used as a reference and guide for developers of any automation and control products when considering information security issues.
Figure 1 illustrates the relationship between the different parts of IEC 62443.
Figure 1 Parts of the IEC 62443 series
Figure 2 illustrates how developed products relate to the maintenance and
integration capabilities defined in IEC 62443-2-4 and to the asset owner's operations. The product supplier develops the product using a process consistent with this document. These products may be individual components, such as embedded controllers, or a set of components that work together as a system or subsystem. System integrators use a process compliant with IEC 62443-2-4 to integrate products into an automation solution. Automation solutions are then deployed at specific sites and become part of the IACS. Some of these capabilities refer to the security measures defined in IEC 62443-3-3 [10], which the service provider ensures are supported in the automation solution (either as product features or as compensating mechanisms). This document only deals with the process used to develop the product; it does not deal with the design, deployment or operation of automation solutions or the IACS.
In Figure 2, an automation solution consists of one or more subsystems and optional supporting components, such as advanced control components. Dashed boxes indicate that these components are "optional".
An automation solution typically consists of a product, but is not limited to it. In some industries, a hierarchical product structure may exist. In general, an automation solution is a set of hardware and software, independent of product packaging, that controls a physical process defined by the asset owner (e.g. a continuous process or a manufacturing process).
If the service provider supplies the products used in the automation solution, the service provider fulfills the product provider's duty.
Figure 2 Example of product life cycle

Information security for industrial automation and control systems
Product Security Development Lifecycle Requirements

1 Scope
This document specifies the process requirements for the development of information security for industrial automation and control system products. It defines a Security Development
Lifecycle (SDL) for developing and maintaining secure products. This life cycle includes security requirements definition, security design, security implementation (including coding guidelines), verification and validation, defect management, patch management, and product retirement. These requirements can be applied to new or existing processes to develop, maintain and retire new or existing product hardware, software or firmware. These requirements apply to product developers and maintainers, but not to integrators or users of the product.
A summary list of requirements for this document is provided in Appendix B.

2 Normative references
The contents of the following documents constitute the essential provisions of this document through normative references in the text. For dated references, only the version corresponding to the date is applicable to this document; for undated references, the latest version (including all amendments) is applicable to this document.
IEC 62443-2-4 Industrial automation and control system information security Part 2-4: IACS service provider information security program requirements
Note: GB/T 40682-2021 Industrial Automation and Control System Security IACS Service Provider Security Program Requirements (IEC 62443-2-4:2015, IDT)
IEC TR 62443-1-2 Safety of industrial automation and control systems Part 1-2: Basic vocabulary of terms and abbreviations

3 Terms, Definitions, Abbreviations and Conventions
The ISO and IEC terminology databases can be accessed at:
- ISO: http://www.iso.org/obp

3.1 Terms and Definitions
The following terms and definitions as defined in IEC TR 62443-1-2 apply to this document.

3.1.1 Abuse use case (abuse case)
A test case for performing negative actions.
NOTE: Abuse case testing is usually based on simulated attacks derived from threat models. An abuse use case is a type of complete interaction between a system and one or more actors in which the result
of the interaction is intentionally harmful to the system, one of the actors, or a stakeholder in the system.

3.1.2 access control <protection>
Protect system resources from unauthorized access.

3.1.3 access control <process>
The process of managing the use of system resources according to a security policy, so that only authorized users who comply with the policy are allowed.
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 42457-2023_English be delivered?
Answer: Upon your order, we will start to translate GB/T 42457-2023_English as soon as possible, and keep you informed of the progress. The lead time is typically 3 ~ 5 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 42457-2023_English with my colleagues?
Answer: Yes. The purchased PDF of GB/T 42457-2023_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?
Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?
Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.