GB/T 33009.1-2016 (GB/T33009.1-2016)

Standard ID: GB/T 33009.1-2016
Contents [version]: English
Name of Chinese Standard: Industrial automation and control system security -- Distributed control system (DCS) -- Part 1: Protection requirements
Status: Valid

GB/T 33009.1-2016: PDF in English (GBT 33009.1-2016)

GB/T 33009.1-2016
ICS 25.040
N 10
Industrial automation and control system security -
Distributed control system (DCS) -
Part 1: Protection requirements
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine of the People's Republic of China;
Standardization Administration of the People's Republic of
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms, definitions, abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 DCS security overview
4.1 DCS system overview
4.2 DCS protection overall requirements and principles
5 Physical access control requirements
6 Process monitoring network security
6.1 Zone division
6.2 Access and use control
6.3 Intrusion prevention
6.4 Identification and certification
6.5 Security audit
6.6 Resource control
6.7 Data security
7 Field control layer network security
7.1 Zone division
7.2 Access and use control
7.3 Intrusion prevention
7.4 Identity authentication and certification
7.5 Security audit
7.6 Resource control
7.7 Data security
8 Field equipment layer network security
8.1 Zone division
8.2 Access and use control
8.3 Intrusion prevention
8.4 Identity authentication and certification
8.5 Security audit
8.6 Data security
References
GB/T 33009 “Industrial automation and control system security - Distributed
control system (DCS)” and GB/T 33008 “Industrial automation and control
system security - Programmable logic controller (PLC)” and other standards
together constitute the industrial automation and control systems network
security series standard.
GB/T 33009 “Industrial automation and control system security - Distributed
control system (DCS)” is divided into 4 parts:
- Part 1: Protection requirements;
- Part 2: Management requirements;
- Part 3: Assessment guidelines;
- Part 4: Risk and vulnerability detection requirements.
This part is part 1 of GB/T 33009.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by China Machinery Industry Federation.
This part shall be under the jurisdiction of the National Industrial Process
Measurement, Control and Automation Standardization Technical Committee
(SAC/TC 124) and the National Information Security Standardization Technical
Committee (SAC/TC 260).
The drafting organizations of this part: Zhejiang University, Zhejiang Institute of
Control Technology Co., Ltd., Machinery Industry Instrumentation Technology
Institute of Economics, Chongqing University of Posts and Telecommunications,
Chinese Academy of Sciences Shenyang Institute of Automation, Southwest
University, Fujian Institute of Technology, Hangzhou Institute of Technology,
Beijing Venus Information Security Technology Co., Ltd., China Electronics
Standardization Institute, State Grid Smart Grid Research Institute, China
Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation
Co., Ltd., Dongtu Technology Co., Ltd., Tsinghua University, Siemens (China)
Limited, Schneider Electric (China) Co., Ltd., Beijing Iron and Steel Design and
Research Institute, Huazhong University of Science and Technology, Beijing
Austin Technology Co., Ltd., Rockwell Automation (China) Co., Ltd., China
Instrument Society, Ministry of Industry and Information Technology Electronics
Five Research Institute, Beijing Haitai Fangyuan Science and Technology Co.,
Ltd., Qingdao Tofino Information Security Technology Co., Ltd., Beijing Guodian
Zhoushen Control Technology Co., Ltd., Beijing Lihua Huakang Technology Co.,
1 Scope
This part of GB/T 33009 specifies the security capabilities, protection technical
requirements, and division of security protection zones of the distributed control
system in the operation and maintenance process, and proposes specific
requirements for the key protection items, protection equipment, and protection
techniques of the process monitoring layer, field control layer and field
equipment layer.
This part applies to all the key infrastructure areas related to the security
protection of distributed control systems such as electricity, petroleum,
chemicals, water conservancy, metallurgy, building materials and so on, to
guide the business users to improve the security of the distributed control
system in service and newly established, which can also be used as the system
security design guide for the distributed control system manufacturer and
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) is applicable to this document.
GB/T 20984-2007 Information security technology - Risk assessment
specification for information security
GB/T 30976.1-2014 Industrial control system security - Part 1. Assessment
[GB/T 20984-2007, Definition 3.5]
Control system security
The goal is to protect the availability, integrity and confidentiality of the
control system, also including its real-time performance, reliability and stability.
Human machine interface
A set of methods by which employees (users) can interact with specific machines,
equipment, computer programs, or other complex tools (systems).
Note: In many cases, these include video or computer terminals, buttons,
audible feedback, flashing lights, and so on. The human machine interface
provides methods that include input (allowing the user to control the
machine) and output (allowing the machine to notify the user).
The process of identifying and discerning an assessment element.
[GB/T 30976.1-2014, Definition 3.1.2]
Security risk
The occurrence of a security incident, and its influence on the organization,
due to a threat's use of a vulnerability in man-made or natural systems and
their management systems.
[GB/T 20984-2007, Definition 3.6]
Characteristics that ensure that information and information systems are not
altered or broken by unauthorized persons, including data integrity and
system integrity.
[GB/T 20984-2007, Definition 3.10]
Potential causes of unwanted accidents that can cause harm to the system
or organization.
[GB/T 20984-2007, Definition 3.17]
Defects or weaknesses in system design, implementation, or operation and
management, which can be exploited to compromise system integrity or
security policies.
[GB/T 30976.1-2014, Definition 3.1.1]
3.2 Abbreviations
The following abbreviations apply to this document.
DCS: Distributed Control System
MES: Manufacturing Execution System
DoS: Denial of Service
4 DCS security overview
4.1 DCS system overview
4.1.1 Network structure of common DCS system application
DCS system applications usually have a vertical hierarchical network structure
which, from top to bottom, comprises the process monitoring layer, the field
control layer and the field equipment layer. The layers are connected to each
other by a communication network, and the equipment within each layer
communicates over a communication network of the same level. The typical
network structure is as shown in Figure 1. This part mainly specifies security
requirements for the process monitoring layer, the field control layer network,
and the field equipment layer network in the DCS system. The description of
each layer is as follows.
External network isolation requirements
The topological structure of a DCS user enterprise may be deployed in a
hierarchical manner. If the DCS system network is directly or indirectly
interconnected with an external network (a network other than the DCS system
network, such as the enterprise management network or the internet), physical
or logical isolation technical measures shall be used between the DCS system
network and the external network for protection.
Network link requirements
For DCS system applications deployed in multiple zones and interconnected by
networks, the resources of the internet link shall be sufficient. That is, when the
business traffic reaches its maximum peak, data communication over the link
remains normal and the network delay still meets the requirements of the DCS
system.
For enterprise users with high requirements on network interoperability and
stability, link redundancy technologies and means can be adopted to ensure
that the enterprise network can maintain basic communication in the event of a
network failure, so that when one link fails, the other link can keep the network
available and protect the normal production and operation of the enterprise.
Enterprise users with higher requirements on network interoperability and
stability can deploy enterprise core business networks, backbone networks and
core control networks with physical line redundancy, and the redundant line
network can be constructed by a network construction method different from
that of the main network.
Data backup requirements
A general DCS system shall have real-time backup and regular backup measures
for real-time data, OPC data, configuration data, control programs and other
important data; for DCS system applications having high data security
requirements, measures may be taken for complete backup of the system's
normal operation data, and the backup period shall be not more than 3 months;
for DCS system applications having higher data security requirements, a remote
disaster backup center may be established, with the communication lines,
network equipment and data processing equipment required for disaster recovery.
4.2.2 System protection principles
In the industrial control system area, industrial control systems emphasize the
intelligent control, monitoring and management of industrial automation
processes and related equipment. They are quite different from common IT
information systems in terms of system architecture, equipment operating
system, data exchange protocol and the like. They pay more attention to
system real-time performance and business continuity. In other words, the industrial control
Technical protection mainly refers to the use of technical means to
perform DCS security protection, such as access control, border
management, pipeline communication, etc. Before a protection technology
is applied, strict system tests shall be carried out offline on the same
DCS system, so that the availability, real-time performance, reliability
and security of normal DCS operation are not affected once the technology
is on-line; if there is a significant risk to system availability, real-time
performance, reliability and security, the deployment of the protective
software that affects the system is revoked.
d) The principle of defense in depth
A single security product, technology, or solution cannot protect DCS
effectively, so a multi-layered protection strategy with two or more
different mechanisms is needed. The defense strategy arc...
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.