GB/T 30976.1-2014 PDF English
Industrial control system security - Part 1: Assessment specification
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 25.040
N 10
Industrial control system security - Part 1: Assessment specification
ISSUED ON: JULY 24, 2014
IMPLEMENTED ON: FEBRUARY 01, 2015
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Industrial control system information security overview
4.1 General
4.2 Hazard introduction points
4.3 Transmission routes
4.4 Hazard consequence recipient and its influence
4.5 Overview of information security assessment of industrial control systems
4.6 Assessment results
5 Organization management assessment
5.1 Security policy
5.2 Information security organization
5.3 Asset management
5.4 Human resource security
5.5 Physical and environmental security
5.6 Communication and operation management
5.7 Access control
5.8 Information system acquisition, development and maintenance
5.9 Information security incident management
5.10 Business continuity management
5.11 Compliance
6 System capability (technology) assessment
6.1 Description of fundamental requirements (FR), system requirements (SR), and system capability level (CL)
6.2 FR1: Identification and authentication control
6.3 FR2: Use control
6.4 FR3: System integrity
6.5 FR4: Data confidentiality
6.6 FR5: Restricted data flow
6.7 FR6: Timely response to events
6.8 FR7: Resource availability
7 Assessment procedures
7.1 Assessment work process
7.2 Determination of assessment methods
8 Risk assessment at various stages of the industrial control system life cycle
8.1 Life cycle overview
8.2 Risk assessment at planning stage
8.3 Risk assessment at design stage
8.4 Risk assessment at implementation stage
8.5 Risk assessment at operation and maintenance stage
8.6 Risk assessment at decommissioning stage
9 Format requirements of assessment report
Appendix A (Normative) Management assessment list
Appendix B (Normative) System capability (technology) assessment list
Appendix C (Informative) Risk assessment tools and common testing content of industrial control systems
References
Foreword
GB/T 30976 “Industrial control system security” is divided into two parts.
- Part 1: Assessment specification;
- Part 2: Acceptance specification.
This part is part 1 of GB/T 30976.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by China Machinery Industry Federation.
This part shall be under the jurisdiction of the National Standardization
Technical Committee for Industrial Process Measurement and Control (SAC/TC
124) and the National Standardization Technical Committee for Information
Security (SAC/TC 260).
The drafting organizations of this part: Machinery Industry Instrumentation
Institute of Integrated Technology and Economics, China Electronics
Standardization Institute, Beijing Hollysys System Engineering Co., Ltd., China
Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation
Co., Ltd., Dongtu Technology Co., Ltd., China Electric Power Research Institute,
Tsinghua University, Siemens (China) Co., Ltd., Zhejiang University, Southwest
University, Chongqing University of Posts and Telecommunications, Schneider
Electric (China) Co., Ltd., Beijing Iron and Steel Design and Research Institute,
Huazhong University of Science and Technology, Beijing Austin Technology Co.,
Ltd., Rockwell Automation (China) Co., Ltd., China Institute of Instrumentation,
Chinese Academy of Sciences Shenyang Institute of Automation, National
Engineering Laboratory for Wireless Network Security Technologies, Xi'an
Xidian Jietong Wireless Network Communication Co., Ltd., Central Office
Electronics Institute of Science and Technology, Beijing Haitai Fangyuan
Technology Co., Ltd., Qingdao Tofino Information Security Technology Co., Ltd.,
Beijing Guodian Zhishen Control Technology Co., Ltd., Beijing Likang Huakang
Technology Co., Ltd., Guangdong Hangyu Satellite Technology Co., Ltd., North
China Electric Power Design Institute Engineering Co., Ltd., Huawei
Technologies Co., Ltd., Mitsubishi Electric Automation (China) Co., Ltd.,
Zhongbiao Software Co., Ltd., Yokogawa Electric (China) Co., Ltd. Beijing R&D
Center.
The main drafters of this part: Wang Yumin, Tang Yihong, Yan Aifen, Luo An, Lv
Dongbao, Zhang Jianjun, Xue Baihua, Chen Xiaoyi, Gao Kunlun, Wang Xue,
Feng Dongqin, Liu Feng, Wang Hao, Zhou Chunjie, Chen Xiaofeng, Hua Rong,
Zhang Li, Song Yan, Li Qin, Xia Dehai, Hu Ya’nan, Wang Xiong, Hu Boliang,
Mei Ke, Liu Anzheng, Tian Yucong, Fang Liang, Ma Xinxin, Zhang Jianxun,
Industrial control system security - Part 1: Assessment specification
1 Scope
This part of GB/T 30976 specifies the objectives, assessment contents and
implementation process of the information security assessment of industrial
control systems (SCADA, DCS, PLC, PCS, etc.).
This part applies to system designers, equipment manufacturers, system
integrators, engineering companies, users, asset owners, and assessment and
certification agencies when assessing the information security of industrial
control systems. [Translator's note: in Chinese, the words "security" [3.1.14]
and "safety" [3.1.13] are identical. For simplicity, "security" is used in Clause
5.5 and the other clauses of this translated standard.]
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments)
applies.
GB/T 22081-2008 Information technology - Security techniques - Code of
practice for information security management (ISO/IEC 27002:2005, IDT)
IEC 62443-3-3:2013 Industrial communication networks - Network and
system security - Part 3-3: System security requirements and security levels
(SL)
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1
Vulnerability
3.1.9
Risk assessment
The overall process of risk analysis and risk evaluation.
3.1.10
Risk management
The coordinated activities of guiding and controlling the relevant risks of an
organization.
3.1.11
Risk treatment
The process of selecting and implementing measures to change the risk.
3.1.12
Industrial control system; ICS
A collection of personnel, hardware, and software that contribute to and
influence the industrial production process safety, information security, and
reliable operation.
Note: The system includes, but is not limited to:
1) Industrial control systems include distributed control system (DCS),
programmable logic controller (PLC), intelligent electronic device (IED),
supervisory control and data acquisition (SCADA) system, motion control
(MC) system, network electronic transmission sensing and control,
monitoring and diagnostic systems [In this standard, whether physically
separated or integrated, process control systems (PCS) include basic
process control systems and safety instrumented systems (SIS)].
2) Relevant information systems such as advanced control or multivariable
control, online optimizer, special equipment monitor, graphical interface,
process history, manufacturing execution system (MES) and enterprise
resource planning (ERP) management system.
3) Associated department, personnel, network, or machine interfaces, which
provide control, security, and manufacturing operations for continuous,
batch processing, discrete, and other processes.
3.1.13
Safety
ML: Management level
PCS: Process control system
RE: Requirement enhancement
PLC: Programmable logic controller
SCADA: Supervisory control and data acquisition
SIS: Safety instrumented system
SL: Security level
SR: System requirements
VPN: Virtual private network
4 Industrial control system information security overview
4.1 General
The information security features of an industrial control system depend on
factors such as its design, management, robustness, and environmental
conditions. An information security assessment of the system shall cover all
activities related to the system during every phase of its life cycle: design,
development, installation, operation and maintenance, and decommissioning.
It must be recognized that the risks faced by the system change throughout
the life cycle.
When assessing the information security features of a system, the following
aspects shall be considered:
a) Hazard introduction points;
b) Recipients of hazard consequences and the effects on them;
c) Transmission routes;
d) Measures to reduce risk;
e) Environmental conditions;
f) Organization management.
4.5.2 Assessment of industrial control system capability (technique)
The purpose of the system capability (technique) assessment is to ensure that
the system is technically immune from attack. A well-functioning system shall
meet both its operational requirements and its security requirements. The
company shall decide in advance when project testing is to be carried out and
what level of assurance it requires from the supplier and integrator for a
network security device or system. The level of assurance required for a
particular device or system determines the requirements placed on the
realization of system capabilities. Vendors may recommend test methods for
specific equipment and systems, but users need to determine whether these
methods satisfy their security requirements.
Ideally, every state of the system is assessed for capability, so that each
security measure is shown to meet its requirement or its residual risk is
known. Although a complete system assessment is theoretically possible, most
certifications cannot achieve it because of financial and staffing constraints.
The practical problem is therefore to decide the acceptable level of risk and to
assess against that level. The content of this part is mainly drawn from
clauses 4 to 10 of IEC 62443-3-3:2013, which correspond to clause 6 and
Appendix B of this part, respectively.
4.5.3 Links with other security measures
In an industrial control system environment, the assessor shall fully understand
the company's computer security policies and procedures and the health,
safety, and environmental risks associated with the specific facilities and/or
industrial operations. Care shall be taken that the assessment does not
interfere with the control functions provided by the industrial control system
equipment; the system may need to be taken offline before the assessment
can be carried out.
Information security, physical security, and functional safety may be closely
related. In some cases, other security measures provide a separate layer of
protection for information security, while additional information security
measures may undermine the integrity of other security measures. Therefore,
the potential interactions among the three, and their consequences, shall be
considered in the specific risk assessment activities.
4.5.4 Process environment constraints
When assessing the information security features of industrial control systems,
the constraints of the process environment shall be considered. In particular,
for industrial automation and control systems in service, the impact of field
testing and of introducing security technology measures on the normal
production process shall be considered. Before implementing field testing and
introducing security technology measures, the following process
the importance of security under permitting information sharing
mechanisms;
b) The statement of managerial intent, to support information security goals
and principles consistent with business strategy and objectives;
c) Set up the framework of control objectives and control measures, including
the structure of risk assessment and risk management;
d) A brief description of the security policies, principles, standards, and
compliance requirements that are particularly important to the
organization, including:
1) Requirements to comply with laws and regulations and contract;
2) Security education, training and awareness requirements;
3) Business continuity management;
4) Consequences of violating the information security policy.
e) The definition of general and specific responsibilities for information
security management (including the reporting of information security
incidents);
f) References to supporting policy documents, such as more detailed security
policies and procedures for specific information systems, or security rules
to be followed by the users.
5.1.1.2 Review of information security policy
Control measures.
Information security policy reviews shall be conducted at planned intervals or
when significant changes occur, to ensure continued suitability, adequacy and
effectiveness.
Assessment guide.
The information security policy shall have a designated owner who holds
management responsibility for developing, reviewing, and evaluating the
policy. The review shall include assessing opportunities for improving the
organization's information security policy and its approach to managing
information security in response to changes in the organizational environment,
business circumstances, legal conditions, or technical environment.
The information security policy review shall consider the results of the
management review. Define management review procedures, including
Managers shall approve information security policies, assign security roles, and
coordinate and review the implementation of security throughout the
organization.
If necessary, establish a source of specialist information security advice within
the organization and make it available across the organization. Develop
contacts with external security specialists or groups (including relevant
authorities) to keep up with industry trends, track standards and assessment
methods, and provide suitable points of contact when handling information
security incidents.
5.2.1.1 Information security management commitments
Control measures.
Managers shall actively support security within the organization through clear
instructions, verifiable commitments, and clear assignments and confirmations
of information security responsibilities.
Assessment guide.
Managers should:
a) Ensure that information security goals are identified, meet organizational
requirements, and have been integrated into relevant processes;
b) Develop, review and approve information security policies;
c) Review the effectiveness of the implementation of the information security
policy;
d) Provide clear direction and visible management support for security initiatives;
e) Provide the necessary resources for information security;
f) Approve the allocation of specific roles and responsibilities for information
security throughout the organization;
g) Initiate plans and procedures to maintain information security awareness;
h) Ensure that the implementation of information security controls throughout
the organization is coordinated (see 5.2.1.2).
The manager identifies the need for information security advice from internal
and external experts, and reviews and coordinates the results of expert
recommendations throughout the organization.
Depending on the size of the organization, these responsibilities can be borne
by a dedicated management coordination group or by an existing agency (such
Assessment guide.
The allocation of information security responsibilities shall be consistent with
the information security policy (see 5.1). Responsibility for protecting individual
assets and for carrying out specific security processes shall be clearly
identified. Supplement these duties as necessary with more detailed guidance
for specific locations and information processing facilities. Local
responsibilities for asset protection and for carrying out specific security
processes, such as business continuity plans, shall be clearly defined.
Persons assigned security responsibilities may delegate security tasks to other
personnel, but they remain accountable and shall ensure that any delegated
task has been performed correctly.
The areas for which each person is responsible shall be clearly defined; in
particular:
a) The assets and security processes associated with each particular system
shall be identified and clearly defined;
b) It shall assign the entity responsibility for each asset or security process,
and the details of the responsibilities shall be documented (see 5.3.1.2);
c) The level of authorization shall be clearly defined and documented.
In many organizations, an information security manager shall be appointed to
take overall responsibility for the development and implementation of security
and to support the identification of control measures.
However, the responsibility for providing control resources and implementing
these controls is often attributed to individual managers. A common practice is
to assign a person responsible for each asset to be responsible for the day-to-
day protection of the asset.
5.2.1.4 Information processing facility authorization process
Control measures.
A management authorization process shall be defined and implemented for new
information processing facilities.
Assessment guide.
The authorization process considers the following guidelines.
a) The new facility must have appropriate user management authorizations
to approve its application and use; it must also obtain the authorization
from the managers responsible for maintaining the local system's security
termination of the agreement;
j) Measures expected to be taken if the agreement is violated.
Based on the security requirements of the organization, other factors may be
required in confidentiality or non-disclosure agreements.
Confidentiality and non-disclosure agreements shall comply with all applicable
laws and regulations of the jurisdiction to which they apply (see 5.11.1.1).
Requirements for confidentiality and non-disclosure agreements shall be
reviewed periodically, and also whenever changes occur that affect these
requirements.
Confidentiality and non-disclosure agreements protect organizational
information and inform the signatory of their responsibilities, so as to protect,
use and disclose information in an authorized and responsible manner.
For an organization, it may be necessary to use different formats of
confidentiality or non-disclosure agreements in different environments.
5.2.1.6 Contact with government departments
Control measures.
It shall maintain proper contact with relevant government departments.
Assessment guide.
The organization's procedures shall specify when, and by whom, each relevant
department (e.g. law enforcement, the fire department, and regulatory
authorities) is to be contacted, and how to report in a timely manner when an
identified information security incident is suspected to have violated the law.
Organizations under attack from the Internet may need external third parties
(such as Internet service providers or telecom operators) to take measures in
response to the attack.
Maintaining such contacts may be required to support information security
incident management (see 5.9.2) or business continuity and contingency
planning processes (see 5.10). Contact with regulatory authorities helps the
organization to learn in advance of expected changes in the laws and
regulations it must follow, and to prepare for them. Contacts with other related
departments include public utilities, emergency services and security
supervision departments.
5.2.1.7 Independent review of information security
Control measures.
products or services.
Any access by external parties to the organization's information processing
facilities, processing and communication of information assets shall be
controlled.
Where there is a business need to work with an external party, that party may
request access to the organization's information and information processing
facilities, supply products and services to the organization, or receive products
and services from it. A risk assessment shall be conducted to determine the
security implications and the control requirements. Control measures should
be agreed and defined in the agreements signed with the external parties.
5.2.2.1 Identification of risks associated with external parties
Control measures.
The risks to the organization's information and information processing facilities
involving industrial control systems that arise from business processes with
external parties shall be identified, and appropriate control measures shall be
implemented before access is granted.
Assessment guide.
When it is necessary to allow external parties to access information processing
facilities or information of the organization, risk assessment shall be conducted
to identify the requirements of specific control measures. For the identification
of the risks associated with external party access, it is recommended to
consider the following issues.
a) Information processing facilities that external parties need to access.
b) Types of access to information and information processing facilities by
external parties, such as.
1) Physical access, such as access to the central control room, control
field, electronic equipment room, archives;
2) Logical access, such as access to control systems, configuration
information, databases;
3) The network connection between the organization and external parties,
for example, fixed connection, remote access;
4) On-site visit or off-site visit.
c) The value and sensitivity of the information involved, and the criticality of
the operation of the business.
different external parties. For example, the recommendations include.
a) Service providers (e.g. internet service providers), network providers,
telephone services, maintenance and support services;
b) Managed security services;
c) Customers;
d) Outsourcing of facilities and/or operations;
e) Managers, business consultants and auditors;
f) Developers and providers, such as developers and providers of software
products and ICS information security systems;
g) Cleaning, catering and other outsourcing support services;
h) Temporary staff, interns and other temporary short-term arrangements.
These agreements help reduce the risks associated with external parties.
5.2.2.2 Handling customer-related security issues
Control measures.
All defined security requirements shall be processed before allowing customers
to access organizational information or assets.
Assessment guide.
Before customers are allowed to access any asset of the organization, the
following security issues shall be fully considered (depending on the type and
scope of the access, not all items need apply):
a) Asset protection, including.
1) Procedures for the protection of organizational assets (including
information and software) and the management of known
vulnerabilities;
2) Procedures for determining whether an asset has been damaged (such
as losing data or modifying data);
3) Integrity;
4) Restrictions on copying and disclosure of information.
b) Description of the product or service to be provided.
A third-party agreement that involves accessing, processing, or managing an
organization's information or information processing facilities and
communication, or third-party agreement that adds products or services to
information processing facilities, shall cover all relevant security requirements.
Assessment guide.
The agreement ensures that there is no misunderstanding between the
organization and the third party. Third-party guarantees meet the organization's
own needs.
In order to meet the identified security requirements (see 5.2.2.1), it is advisable
to consider including the following in the agreement.
a) Information security policy;
b) Control measures to ensure asset protection, including.
1) Procedures for the protection of organizational assets (including
information, software and hardware);
2) All necessary physical protection control measures and mechanisms;
3) Control measures that protect against malware (see 5.6.4.1);
4) Procedures for determining whether an asset is damaged (e.g. loss or
modification of information, software and hardware);
5) Control measures to ensure the return or destruction of information and
assets at a certain time agreed between the parties at the termination
of the agreement or during the execution of the contract;
6) Integrity, availability, confidentiality and any other relevant asset
attributes;
7) Restrictions on the use of copies and disclosures, and the use of
confidentiality agreements (see 5.2.1.5).
c) Training of users and administrators in methods, procedures and security;
d) Ensure that users are aware of information security responsibilities and
issues;
e) If appropriate, provisions for the transfer of personnel;
f) Responsibilities regarding hardware and software installation and
maintenance;
g) A clear reporting structure and agreed reporting formats;
account the legal systems of different countries (see also 5.11.1);
t) Intellectual property rights (IPR) and copyright transfer (see 5.11.1.2) and
protection of any collaborative works (see 5.2.1.5);
u) When involving third parties with sub-contractors, it shall implement
security control measures for these sub-contractors;
v) Conditions for renegotiating/terminating the agreement.
1) Provide a contingency plan to deal with situations in which a party's
institution wishes to terminate the partnership before the agreement
expires;
2) If the security requirements of the organization change, the
renegotiation of the agreement;
3) Current documents of asset lists, licenses, agreements or rights related
to them.
Agreements vary greatly depending on the type of organization and third-party
organization. Therefore, it is important to note that all identified risks and
security requirements are included in the agreement (see 5.2.2.1). When
necessary, expand the required control measures and procedures in the
secu......
Source: The above contents are excerpted from the PDF, translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.