HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189760 (11 Jan 2025)

GB/T 33009.1-2016 PDF English


Search result: GB/T 33009.1-2016_English: PDF (GB/T33009.1-2016)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GB/T 33009.1-2016English150 Add to Cart 0-9 seconds. Auto-delivery. Industrial automation and control system security -- Distributed control system (DCS) -- Part 1: Protection requirements Valid
BUY with any currencies (Euro, JPY, GBP, KRW etc.): GB/T 33009.1-2016     Related standards: GB/T 33009.1-2016

PDF Preview: GB/T 33009.1-2016


GB/T 33009.1-2016: PDF in English (GBT 33009.1-2016)

GB/T 33009.1-2016 GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 25.040 N 10 Industrial automation and control system security - Distributed control system (DCS) - Part 1. Protection requirements ISSUED ON. OCTOBER 13, 2016 IMPLEMENTED ON. MAY 01, 2017 Issued by. General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China. 3. No action is required - Full-copy of this standard will be automatically & immediately delivered to your EMAIL address in 0~60 minutes. Table of Contents Foreword ... 4  1 Scope .. 6  2 Normative references ... 6  3 Terms, definitions, abbreviations ... 7  3.1 Terms and definitions ... 7  3.2 Abbreviations ... 11  4 DCS security overview .. 11  4.1 DCS system overview ... 11  4.2 DCS protection overall requirements and principles ... 14  5 Physical access control requirements .. 17  6 Process monitoring network security ... 18  6.1 Zone division ... 18  6.2 Access and use control .. 19  6.3 Intrusion prevention ... 21  6.4 Identification and certification ... 22  6.5 Security audit ... 23  6.6 Resource control ... 24  6.7 Data security ... 25  7 Field control layer network security ... 27  7.1 Zone division ... 27  7.2 Access and use control .. 27  7.3 Intrusion prevention ... 29  7.4 Identity authentication and certification ... 30  7.5 Security audit ... 30  7.6 Resource control ... 31  7.7 Data security ... 31  8 Field equipment layer network security ... 32  8.1 Zone division ... 32  8.2 Access and use control .. 33  8.3 Intrusion prevention ... 33  8.4 Identity authentication and certification ... 34  8.5 Security audit ... 34  8.6 Data security ... 35  References ... 36  Foreword GB/T 33009 “Industrial automation and control system security - Distributed control system (DCS)” and GB/T 33008 “Industrial automation and control system security - Programmable logic controller (PLC)” and other standards together constitute the industrial automation and control systems network security series standard. GB/T 33009 “Industrial automation and control system security - Distributed control system (DCS)” is divided into 4 parts. - Part 1. Protection requirements; - Part 2. Management requirements; - Part 3. Assessment guidelines; - Part 4. Risk and vulnerability detection requirements. This part is part 1 of GB/T 33009. This part was drafted in accordance with the rules given GB/T 1.1-2009. This part was proposed by China Machinery Industry Federation. This part shall be under the jurisdiction of the National Industrial Process Measurement, Control and Automation Standardization Technical Committee (SAC/TC 124) and the National Information Security Standardization Technical Committee (SAC/TC 260). The drafting organizations of this part. Zhejiang University, Zhejiang Institute of Control Technology Co., Ltd., Machinery Industry Instrumentation Technology Institute of Economics, Chongqing University of Posts and Telecommunications, Chinese Academy of Sciences Shenyang Institute of Automation, Southwest University, Fujian Institute of Technology, Hangzhou Institute of Technology, Beijing Venus Information Security Technology Co., Ltd., China Electronics Standardization Institute, State Grid Smart Grid Research Institute, China Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation Co., Ltd., Dongtu Technology Co., Ltd., Tsinghua University, Siemens (China) Limited, Schneider Electric (China) Co., Ltd., Beijing Iron and Steel Design and Research Institute, Huazhong University of Science and Technology, Beijing Austin Technology Co., Ltd., Rockwell Automation (China) Co., Ltd., China Instrument Society, Ministry of Industry and Information Technology Electronics Five Research Institute, Beijing Haitai Fangyuan Science and Technology Co., Ltd., Qingdao Tofino Information Security Technology Co., Ltd., Beijing Guodian Zhoushen Control Technology Co., Ltd., Beijing Lihua Huakang Technology Co., Industrial automation and control system security - Distributed control system (DCS) - Part 1. Protection requirements 1 Scope This part of GB/T 33009 specifies the security capabilities, protection technical requirements, and division of security protection zones of the distributed control system in the operation and maintenance process, AND proposes specific requirements for the key protection items, protection equipment, and protection techniques of the process monitoring layer, field control layer and field equipment layer. This part applies to all the key infrastructure areas related to the security protection of distributed control systems such as electricity, petroleum, chemicals, water conservancy, metallurgy, building materials and so on, to guide the business users to improve the security of the distributed control system in service and newly established, which can also be used as the system security design guide for the distributed control system manufacturer and integrator. 2 Normative references The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) are applicable to this document. GB/T 20984-2007 Information security technology - Risk assessment specification for information security GB/T 30976.1-2014 Industrial control system security - Part 1. Assessment specification [GB/T 20984-2007, Definition 3.5] 3.1.6 Control system security The goal is to protect the control system availability, integrity, and, confidentiality, also including real-time, reliability and stability. 3.1.7 Human machine interface A set of methods that employees (users) can interact with specific machines, equipment, computer programs, or other complex tools (systems). Note. In many cases, these include video or computer terminals, buttons, audible feedback, flashing lights, and so on. The human machine interface provides methods that include. input (allowing the user to control the machine), output (allowing the machine to notify the user). 3.1.8 Identification The process of identifying and discerning an assessment element. [GB/T 30976.1-2014, Definition 3.1.2] 3.1.9 Security risk The occurrence of security incident and its influence onto organizations due to the threat use of vulnerability in man-made or natural systems and their management systems. [GB/T 20984-2007, Definition 3.6] 3.1.10 Integrity Characteristics that ensure that information and information systems are not altered or broken by unauthorized persons, including data integrity and system integrity. [GB/T 20984-2007, Definition 3.10] 3.1.21 Threat Potential causes of unwanted accidents that can cause harm to the system or organization. [GB/T 20984-2007, Definition 3.17] 3.1.22 Vulnerability Defects or weaknesses in system design, implementation, or operation and management, which can be exploited to compromise system integrity or security policies. [GB/T 30976.1-2014, Definition 3.1.1] 3.2 Abbreviations The following abbreviations apply to this document. DCS. Distributed Control System MES. Manufacturing Execution System DoS. Denial of Service 4 DCS security overview 4.1 DCS system overview 4.1.1 Network structure of common DCS system application DCS system applications are usually a vertical hierarchical network structure, from top to bottom including process monitoring layer, field control layer and field equipment layer. Each layer is connected by a communication network, and each equipment in each layer is communicated through a communication network of the same level. The typical network structure is as shown in Figure 1. This part mainly proposes requirements for security requirements of the process monitoring layer, field control layer network, and field equipment layer network in the DCS system. The description of each layer is as follows. 4.2.1.2 External network isolation requirements DCS user enterprise topological structure may be deployed in hierarchical manner. If the DCS system network is directly or indirectly interconnected with the external network (other networks than such DCS system network as the enterprise management network, the internet), physical or logic isolation technical measures shall be used between the DCS system network and external network for protection. 4.2.1.3 Network link requirements For DCS system applications deployed in multiple zones and interconnected by networks, the resources of the internet link shall be sufficient. That is, when the business traffic reaches the maximum peak, the link data communication is normal, and the network delay still meets the requirements of the DCS system. For enterprise users with high requirements on network interoperability and stability, link redundancy technologies and means can be adopted to ensure that the enterprise network can maintain basic communication in the event of a network failure, so that when one link fails, the other link can provide network protection of the normal production and operation of enterprises. Enterprise users having higher network interoperability and stability can deploy enterprise core business networks, backbone networks, core control networks in a physical line redundancy method, and the redundant line network can be constructed by other network construction methods different from the main network. 4.2.1.4 Data backup requirements General DCS system shall have real-time data, OPC data, configuration data, control programs and other important data real-time backup and regular backup measures; for DCS system applications having high data security requirements, it may take measures of complete backup of the system normal operation data, the backup period shall be not more than 3 months; for the DCS system applications having higher data security requirements, it may establish remote disaster backup center with communication lines, network equipment and data processing equipment required for disaster recovery. 4.2.2 System protection principles In the industrial control system area, industrial control systems emphasize the intelligent control, monitoring and management of industrial automation processes and related equipment. They are quite different from common IT information systems in terms of system architecture, equipment operating system, data exchange protocol and the like. It pays more attention to the system real-time and business continuity. In other words, the industrial control Technical protection mainly refers to the use of technical means to perform DCS security protection, such as access control, border management, pipeline communication, etc. Before the application of protection technology, strict system test shall be carried out on the same DCS system by means of offline test to avoid the availability, real-time, reliability and security of normal DCS operation from affected after being on-line; if there is significant risk which affects system availability, real- time, reliability and security, the deployment of protective software which affects the system is revoked. d) The principle of defense in depth A single security product, technology, or solution cannot protect DCS effectively, so a multi-layered protection strategy with two or more different mechanisms is needed. The defense strategy arc... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.