HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189760 (5 Oct 2024)

GB/T 37378-2019 PDF in English


GB/T 37378-2019 (GB/T37378-2019, GBT 37378-2019, GBT37378-2019)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GB/T 37378-2019English185 Add to Cart 0-9 seconds. Auto-delivery. Transportation -- Information security specification Valid
Standards related to (historical): GB/T 37378-2019

Preview PDF (Powered by Google. Reload if blank, scroll for next page)

GB/T 37378-2019: PDF in English (GBT 37378-2019)

GB/T 37378-2019 NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 03.220.20 R 85 Transportation - Information Security Specification ISSUED ON: MAY 10, 2019 IMPLEMENTED ON: DECEMBER 1, 2019 Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China. Table of Contents Foreword ... 3  1 Scope ... 4  2 Normative References ... 4  3 Terms and Definitions ... 4  4 Abbreviations ... 7  5 Transport Information System Security Technology Architecture ... 7  6 General Security Technology Requirements of Transport Information System ... 8  7 Security Technology Requirements for User Terminal ... 11  8 Security Technology Requirements for Vehicle Side Unit ... 13  9 Security Technology Requirements for Infrastructure Side Unit ... 15  10 Security Technology Requirements for Computing Center ... 17  11 Security Technology Requirements for Network and Communication ... 21  Bibliography ... 25  Transportation - Information Security Specification 1 Scope This Standard stipulates transport information security technology architecture and general technology requirements, including general and special technology requirements for information security of various basic constituent parts that constitute transport information system, such as: user terminal, vehicle side unit, infrastructure side unit, computing center, network and communication. This Standard is applicable to guide operators of transport information system to propose specific information security standards, specifications and implementation guidelines for specific information security demands of unclassified system. It may also be adopted to guide the implementation of planning, design, construction, operation and maintenance, and evaluation of information security technology system. 2 Normative References The following documents are indispensable to the application of this document. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document. GB/T 20839-2007 Intelligent Transport Systems - General Terminology GB/T 25069-2010 Information Security Technology - Glossary 3 Terms and Definitions What is defined in GB/T 20839-2007 and GB/T 25069-2010, and the following terms and definitions are applicable to this document. For ease of use, some terms and definitions in GB/T 20839-2007 and GB/T 25069-2010 are repeatedly listed out. 3.1 Transport Information System Transport information system refers to a system in the field of transportation which is constituted of computer or other information terminals and related equipment and networks that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures. Generally speaking, it is completely or partially constituted of terminal, vehicle side unit, infrastructure side unit, computing center, network and communication, etc. 3.2 Information Security a) Identity identification and authentication shall be conducted towards log-in users; users’ identity identification shall have the requirement for uniqueness; users’ identity authentication information shall have the requirement for complexity; b) When users log in for the first time, the initial password set by the system shall be altered and periodically changed; c) Two or above two combinations of authentication technology should be adopted to identify users; one of the authentication technologies shall be implemented by means of cryptographic technology; d) When performing remote management, necessary measures shall be adopted to avoid clear text transmission of authentication information; e) The function of login failure processing shall be possessed; related necessary protection measures, such as: ending session, limiting the number of illegal logins and automatically logging out when the login connection times out, shall be allocated and enabled; f) When user identity authentication information is lost or invalid, authentication information resetting, or other technological measures shall be adopted to ensure system security; g) In accordance with the principle of “real-name in the background, voluntary in the front-end”, users shall be requested to register their real-name identity (based on name, ID number, VIN number, mobile phone number, etc.) in various transportation applications, and the system shall verify the real-name condition. 6.2 Access Control The technology requirements for access control include: a) The function of access control shall be provided to assign accounts and permissions to logged-in users; b) Default accounts shall be renamed or deleted; default passwords of the default accounts shall be altered; c) Excess and expired accounts shall be deleted in a timely manner; d) Minimum permissions required to complete the respective tasks shall be granted to different accounts; a mutually restrictive relationship shall be formed among them; e) Access control policy shall be configurated by authorized subject; the access control policy shall specify the subject’s access rules to the object; b) Key transport information system shall adopt cryptographic technology to ensure that the application system implements security functions like identity authentication and access control, and ensure the security of audit records, data storage and communication; c) Give priority to SM series cryptographic algorithms; d) Cryptographic products approved by the national cryptography competent department shall be adopted; e) Information systems that simultaneously run on the Internet and private networks must adopt cryptographic technology to ensure that the network system implements secure access paths, access control and identity authentication functions; f) Cryptographic technology shall be adopted to ensure that host equipment and network equipment implement identity authentication, access control, audit record, data transmission security, data storage security and program security; g) Cryptographic technology shall be adopted to implement access authentication for special-purpose terminal, vehicle side unit and infrastructure side unit. 7 Security Technology Requirements for User Terminal 7.1 Equipment and Host Security The technology requirements for equipment and host security include: a) Special user terminal shall be equipped with physical protection measures that are suitable for the working environment, and necessary anti-squeezing and waterproofing capabilities; b) The identity identification device of special user terminal shall be equipped with the functions of preventing physical disassembly, logical destruction and forgery. When abnormal identification is found, the service shall be stopped, and warning information shall be issued and uploaded; c) Special mobile terminal, and card and certificate read-write equipment shall have a unique and addressable identifier; when information transmission is initiated, self-identity identification shall be performed; d) Full-lifecycle management of the activation, maintenance and disposal of special user terminal shall be conducted; e) Special user terminal shall receive security test before the startup; 7.4 Intrusion Prevention The technology requirements for intrusion prevention include: a) User terminal shall close unwanted system services, default sharing and high- risk ports; b) Special user terminal operating system shall follow the principle of minimal installation, and merely install required components and applications. 8 Security Technology Requirements for Vehicle Side Unit 8.1 Physical and Environmental Security The technology requirements for physical and environmental security include: a) It shall be equipped with the capability of normally functioning in specific service environment; b) Vehicle side units, for example, vehicle side equipment operating status control or driving assistance, shall be equipped with the function of monitoring and rejecting illegal physical access; c) Vehicle side unit which provides basic data of logical calculation to safety related application and driving aid application shall be equipped with the capability of preventing communication interference and physical damage, and the capability of monitoring and alerting abnormal conditions. 8.2 Equipment Identification of Vehicle Side Unit The technology requirements for equipment identification of vehicle side unit include: a) Vehicle side unit shall have a unique and addressable identifier; when information transmission is initiated, self-identity identification shall be performed; b) Vehicle side unit shall implement the functions of secure registration, and key or certificate-based identity authentication with computing center system, infrastructure side unit, special user terminal, card and certificate read-write equipment, and card and certificate; c) The identity identification device of vehicle side unit shall be equipped with the function of preventing logical destruction and forgery; when abnormality is found, warning information shall be uploaded; when it does not affect traffic safety, the service shall be stopped. malicious codes; b) Rigorous control shall be carried out on the ports of the vehicle side equipment to implement remote access; unnecessary ports shall be closed; c) Configuration and access control (such as: whitelist, data flow and data content, etc.) shall be performed on all access points of vehicle side equipment (such as: Bluetooth, USB, optical drive, diagnostic interface, debugging interface, positioning system, TPMS radio frequency communication, car key radio frequency communication and RFID, etc.); d) Key network border equipment (such as: T-BOX and gateway, etc.) of vehicle side equipment shall provide the function of border security protection; e) Vehicle side unit shall adopt a secure access mode for external communication; in accordance with the application priority, securely access the network through different communication systems; f) Logical isolation or other technological measures shall be adopted to implement border protection of safety related application and value-added service application; g) Vehicle side unit that undertakes safety related application and driving aid application shall be equipped with the function of intrusion prevention and the capability corresponding alarm; comply with the fail-safe principle. 9 Security Technology Requirements for Infrastructure Side Unit 9.1 Physical and Environmental Security The technology requirements for physical and environmental security include: a) It shall be equipped with the capability of physical security protection and the function of alarm for anti-theft, lightning protection, fire prevention and waterproofing, etc.; b) Continuous power supply shall be guaranteed; c) When selecting locations, avoid the interference of strong light, electromagnetism and other radiation sources; d) It shall be equipped with the capability of resisting electromagnetic and communication interference; e) Important infrastructure side unit shall adopt redundancy or other measures a security element or a chip with the same security level; b) The network transmission and communication between the infrastructure side unit, and the computing center system, vehicle side unit or special user terminal, card and certificate read-write equipment, and card and certificate, shall ensure data confidentiality, integrity and availability; c) The network transmission and communication between the infrastructure side unit, and the computing center system, vehicle side unit or special user terminal, card and certificate read-write equipment, shall be able to identify the validity and freshness of data; be equipped with the function of data filtering; d) Video surveillance equipment shall be equipped with the function of data signature; e) Audio, video and other publishing systems shall adopt check code technology, specific file format protocols or means with equivalent strength to ensure data integrity. 9.5 Intrusion Prevention The technology requirements for intrusion prevention include: a) Unnecessary USB, optical drive, wireless and other interfaces shall be removed or closed. If they are indeed needed, rigorous access control shall be implemented through technological means; b) It shall be equipped with the capability of resisting remote and illegal control; c) It shall be able to detect and alarm illegal access to infrastructure side equipment, such as: broadcasting and electronic instructions, etc.; d) Network that undertakes system operation of lighting control, ventilation control, fire control and ship lock control shall be physically isolated from other networks. 10 Security Technology Requirements for Computing Center 10.1 Physical and Environmental Security The technology requirements for physical and environmental security include: a) Computer room shall be selected in buildings with the capability of resisting earthquakes, wind and rain; a) Implement isolation among different cloud tenant virtual networks; b) Ensure the isolation of cloud computing platform management flow from cloud tenant business flow; c) Cloud tenant shall be able to independently set security policy set and load security services in accordance with the business demands; d) It shall be ensured that only under the authorization by cloud tenant may cloud service providers or a third party have the administration authority to cloud tenant data; e) It shall be ensured that memory space allocated to virtual machine is merely for its exclusive access; f) It shall be able to monitor the operating status of application systems; alarm when abnormalities are found; g) It shall be able to monitor abnormal flow between the virtual machine and the host machine, and alarm; h) The function of virtual machine mirror image and snapshot integrity verification shall be provided to prevent virtual machine mirror image from being maliciously tampered; i) For important business systems, reinforced operating system mirror image shall be provided; j) When remote management is performed, a two-way authentication mechanism shall be established between the management terminal and the border equipment of the cloud computing platform; k) It shall be ensured that cloud service providers’ operations on cloud tenant system and data can be audited by cloud tenant; l) It shall be able to monitor cloud tenant’s network attack behaviors; record information, such as: the source address, target address, time and flow of such attack, etc. m) When the memory and storage space used by virtual machine is recycled, irrecoverable elimination shall be implemented. 10.4 Application Software Security The technology requirements for application software security include: a) Before application software goes online, it shall receive software security test; a) It shall be ensured that the communication of cross-border access and data flows is implemented through controlled interfaces provided by border protection equipment; b) It shall be able to restrict or examine unauthorized connections of unauthorized equipment to the special transport business network, and effectively block them; c) It shall be able to restrict or examine unauthorized connections of internal users of transport business to the Internet, and effectively block them; d) It shall be ensured that communication between the wired network and the wireless network boundary passes through the wireless access gateway equipment; e) Risky functions, such as: wireless access equipment and wireless access gateways, should be disabled. 11.5 Centralized Control The technology requirements for centralized control include: a) Specific management area shall be divided, so as to manage and control security equipment or security components distributed in the network; b) It shall be able to establish a secure information transmission path, so as to manage security equipment or security components in the network; c) Centralized monitoring of the operating conditions of network links, security equipment, network equipment and servers shall be implemented; d) Audit data scattered on various equipment shall be collected, summarized and centrally analyzed; e) Security-related issues, such as: security policy, malicious code and patch update, shall be centrally managed; f) Various security incidents that occur in the network shall be identified, alarmed and analyzed. 11.6 Access Control The technology requirements for access control include: a) During the remote management of network or communication equipment, necessary measures shall be taken to prevent identification information from being intercepted during the network transmission process; ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.