HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189759 (29 Sep 2024)

GB/T 33009.2-2016 PDF in English


GB/T 33009.2-2016 (GB/T33009.2-2016, GBT 33009.2-2016, GBT33009.2-2016)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GB/T 33009.2-2016English150 Add to Cart 0-9 seconds. Auto-delivery. Industrial automation and control system security -- Distributed control system (DCS) -- Part 2: Management requirements Valid
Standards related to (historical): GB/T 33009.2-2016
PDF Preview

GB/T 33009.2-2016: PDF in English (GBT 33009.2-2016)

GB/T 33009.2-2016 GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 25.040 N 10 Industrial automation and control system security - Distributed control system (DCS) - Part 2. Management requirements ISSUED ON. OCTOBER 13, 2016 IMPLEMENTED ON. MAY 01, 2017 Issued by. General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China Standardization Administration of the People's Republic of China. 3. No action is required - Full-copy of this standard will be automatically & immediately delivered to your EMAIL address in 0~60 minutes. Table of Contents Foreword ... 3  1 Scope .. 5  2 Normative references ... 5  3 Terms, definitions, abbreviations ... 5  3.1 Terms and definitions ... 5  3.2 Abbreviations .. 9  4 DCS security management overview .. 9  4.1 DCS system overview ... 9  4.2 DCS network security management system ... 12  5 DCS security management elements ... 18  5.1 Guidelines, strategies and procedures ... 18  5.2 Management organization ... 19  5.3 Asset management .. 21  5.4 Staff .. 22  5.5 Cryptography ... 23  5.6 Physical and environmental ... 23  5.7 Security control measures ... 24  5.8 Communication security ... 32  5.9 System operation and maintenance .. 33  5.10 Supplier relations ... 35  5.11 Information and document management ... 36  5.12 Business continuity planning .. 37  5.13 Security incident planning and response ... 38  5.14 Compliance ... 39  References ... 40  Foreword GB/T 33009 “Industrial automation and control system security - Distributed control system (DCS)” and GB/T 33008 “Industrial automation and control system security - Programmable logic controller (PLC)” and other standards together constitute the industrial automation and control systems network security series standard. GB/T 33009 “Industrial automation and control system security - Distributed control system (DCS)” is divided into 4 parts. - Part 1. Protection requirements; - Part 2. Management requirements; - Part 3. Assessment guidelines; - Part 4. Risk and vulnerability detection requirements. This part is part 2 of GB/T 33009. This part was drafted in accordance with the rules given GB/T 1.1-2009. This part was proposed by China Machinery Industry Federation. This part shall be under the jurisdiction of the National Industrial Process Measurement, Control and Automation Standardization Technical Committee (SAC/TC 124) and the National Information Security Standardization Technical Committee (SAC/TC 260). The drafting organizations of this part. Zhejiang Institute of Control Technology Co., Ltd., Zhejiang University, Machinery Industry Instrumentation Technology and Economy Institute, Chongqing University of Posts and Telecommunications, Chinese Academy of Sciences Shenyang Institute of Automation, Southwest University, Fujian Institute of Technology, Hangzhou Institute of Science and Technology, Beijing Venus Information Security Technology Co., Ltd., China Electronics Standardization Institute, State Grid Smart Grid Research Institute, China Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation Co., Ltd., Dongtu Technology Co., Ltd., Tsinghua University, Siemens (China) Limited, Schneider Electric (China) Co., Ltd., Beijing Iron and Steel Design and Research Institute, Huazhong University of Science and Technology, Beijing Austin Technology Co., Ltd., Rockwell Automation (China) Co., Ltd., China Instrument Society, Ministry of Industry and Information Technology Electronics Fifth Research Institute, Beijing Haitai Fangyuan Technology Co., Ltd., Qingdao Tofino Information Security Technology Co., Ltd., Beijing Guodian Zhishen Control Technology Co., Ltd., Beijing Likong Huakang Industrial automation and control system security - Distributed control system (DCS) - Part 2. Management requirements 1 Scope This part of GB/T 33009 specifies the specific requirements of the distributed control system network security management system and its related security management elements. This part applies to the security management in the operation and maintenance process of the distributed control system. 2 Normative references The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) are applicable to this document. GB/T 20984-2007 Information security technology - Risk assessment specification for information security GB/T 22080-2008 Information technology - Security techniques - Information security management systems - Requirements GB/T 30976.1-2014 Industrial control system security - Part 1. Assessment specification ISO/IEC 27002.2013 Information technology - Security techniques - Code of practice for information security controls 3 Terms, definitions, abbreviations 3.1 Terms and definitions The terms and definitions as defined in GB/T 20984-2007 and GB/T 30976.1- 2014 AND the following terms and definitions apply to this document. For ease 3.1.16 Vulnerability Defects or weaknesses in system design, implementation, or operation and management, which can be exploited to compromise system integrity or security policies. [GB/T 30976.1-2014, Definition 3.1.1] 3.1.17 Asset Anything that is valuable to the organization. 3.2 Abbreviations The following abbreviations apply to this document. DCS. Distributed Control System DoS. Denial of Service HSE. Health, Safety and Environmental Management System SMS. Security Management System MES. Manufacturing Execution System PSM. Process Safety Management 4 DCS security management overview 4.1 DCS system overview 4.1.1 General DCS system application network structure DCS system applications are usually a vertical hierarchical network structure, from top to bottom including process monitoring layer, field control layer and field equipment layer. Each layer is connected by a communication network, each equipment in each layer is communicated through a communication network of the same level. The typical network structure is as shown in Figure 1. This part mainly proposes requirements for security requirements of the 4.1.2.3 Security requirements DCS has security requirements. DCS is generally deployed in important production areas, the system does not allow security incidents. 4.1.2.4 Integrity requirements DCS has integrity requirements, it does not allow unauthorized users or malicious programs to alter the information and data. 4.1.2.5 Stability requirements DCS has stability requirements. Once the DCS works unstably, there will be a serious threat, resulting in a large number of unqualified products outflow, AND meanwhile it also exacerbates the loss of equipment. 4.1.2.6 High reliability requirements DCS has reliability requirements. DCS can carry out the control function of its setting under the stipulated conditions for a long time, during which no shutdown is allowed, AND it shall have good durability and maintainability. 4.2 DCS network security management system 4.2.1 General requirements The core of DCS network security management is to establish, maintain and improve the network security management system. Appropriate organization management system should be established in accordance with GB/T 22080- 2008. This part aims to guide the DCS system related enterprises to understand the DCS network security management system establishment and operation process. In clause 5, the necessary management elements and specific requirements for the establishment and operation of the DCS network security management system are defined. The user shall choose to implement it combining the actual conditions of the specific DCS application. The DCS information security management system is designed to guide enterprises or organizations to establish, implement, operate, monitor, review, maintain and improve the documented DCS information security management system (ISMS) within the framework or environment of the existing information security management system. DCS information security management system shall take into account the importance of assets, asset location, system functions, control targets and manufacturers and other factors, to perform zoning management of the control system. a) Determine the scope and boundaries of DCS's ISMS based on characteristics of DCS business, organization structure, physical areas, value assets and technical means; b) Determine the ISMS policies of DCS based on characteristics of DCS business, organization structure, physical areas, value assets and technical means. The ISMS policies of DCS shall. 1) Include the framework for setting the DCS network security objectives and the overall direction and principles for establishing DCS network security work; 2) Consider the requirements of DCS business and related laws and regulations, as well as the security obligations in the contract; 3) Set up DCS risk management framework and establish and maintain ISMS of DCS under the strategic risk management environment of the organization or enterprise; 4) Establish risk assessment criteria to determine the scope of acceptable risk; 5) Obtain approval and support from the organization or business manager. c) Determine the DCS risk assessment methods. 1) Selecting a risk assessment methodology appropriate to DCS's ISMS, which is identified of business network security and laws and regulations, identifying and classifying risks based on the security threats, vulnerabilities, and consequences of DCS assets; 2) Establishing a set of index system for the ranking of DCS business processes and subsystems in terms of risk handling; establishing risk acceptance criteria to identify acceptable risk levels. The risk assessment method chosen shall ensure that the risk assessment produces can produce comparable and reproducible results. d) Identify DCS risks. 1) Create DCS network topology map, collect DCS asset information, identify the assets within the scope of ISMS and its principals; Note. The person in charge identifies the individuals and entities that have obtained the approval from the manager and are responsible for generating, developing, maintaining, using, and securing the assets, not the asset owner. implemented in accordance with documented process flow and whether the selected control measures are deployed, whether they are effective, report the results to the managers for review, including. a) Develop ISMS audit processes and methods; b) Maintain the independence of audit staff; for the audit of a specific DCS system, the required audit staff capacity shall be consistent with the relevant provisions of enterprises or organizations; c) Implement periodic ISMS audits to detect errors in process results, identify attempted and successful security breaches and incidents, ensure that the network security policies and procedures developed are properly implemented, and the network security objectives are met for DCS zoning; d) Monitor ISMS best practices for DCS risk assessment and risk treatment from the organizational structure, technical, DCS business objectives and process flow, identified threats, external issues, etc., conduct regular DCS risk assessments and audit of residual risks and toleration risk; e) Managers shall carry out management reviews on a regular basis, including assessment of the scope of ISMS, stat... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.