GB/T 37378-2019 PDF in English
GB/T 37378-2019 (GB/T37378-2019, GBT 37378-2019, GBT37378-2019)
Standard ID | Contents [version] | USD | Name of Chinese Standard | Status
GB/T 37378-2019 | English | 185 | Transportation -- Information security specification | Valid
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 03.220.20
R 85
Transportation - Information Security Specification
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 1, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Transport Information System Security Technology Architecture
6 General Security Technology Requirements of Transport Information System
7 Security Technology Requirements for User Terminal
8 Security Technology Requirements for Vehicle Side Unit
9 Security Technology Requirements for Infrastructure Side Unit
10 Security Technology Requirements for Computing Center
11 Security Technology Requirements for Network and Communication
Bibliography
Transportation - Information Security Specification
1 Scope
This Standard stipulates transport information security technology architecture and
general technology requirements, including general and special technology
requirements for information security of various basic constituent parts that constitute
transport information system, such as: user terminal, vehicle side unit, infrastructure
side unit, computing center, network and communication.
This Standard is applicable to guide operators of transport information system to
propose specific information security standards, specifications and implementation
guidelines for specific information security demands of unclassified system. It may also
be adopted to guide the implementation of planning, design, construction, operation
and maintenance, and evaluation of information security technology system.
2 Normative References
The following documents are indispensable to the application of this document. In
terms of references with a specified date, only versions with a specified date are
applicable to this document. In terms of references without a specified date, the latest
version (including all the modifications) is applicable to this document.
GB/T 20839-2007 Intelligent Transport Systems - General Terminology
GB/T 25069-2010 Information Security Technology - Glossary
3 Terms and Definitions
The terms and definitions in GB/T 20839-2007 and GB/T 25069-2010, together with
the following, apply to this document. For ease of use, some terms and
definitions from GB/T 20839-2007 and GB/T 25069-2010 are repeated here.
3.1 Transport Information System
Transport information system refers to a system in the field of transportation which is
constituted of computer or other information terminals and related equipment and
networks that collects, stores, transmits, exchanges and processes information in
accordance with certain rules and procedures. Generally speaking, it is completely or
partially constituted of terminal, vehicle side unit, infrastructure side unit, computing
center, network and communication, etc.
3.2 Information Security
a) Identity identification and authentication shall be conducted towards log-in
users; users’ identity identification shall have the requirement for uniqueness;
users’ identity authentication information shall have the requirement for
complexity;
b) When users log in for the first time, the initial password set by the system shall
be altered and periodically changed;
c) A combination of two or more authentication technologies should be
adopted to identify users; one of the authentication technologies shall be
implemented by means of cryptographic technology;
d) When performing remote management, necessary measures shall be
adopted to avoid clear text transmission of authentication information;
e) A login failure handling function shall be provided; necessary
protection measures, such as: ending the session, limiting the number of illegal
logins and automatically logging out when the login connection times out, shall
be configured and enabled;
f) When user identity authentication information is lost or invalid, authentication
information resetting, or other technological measures shall be adopted to
ensure system security;
g) In accordance with the principle of “real-name in the background, voluntary in
the front-end”, users shall be requested to register their real-name identity
(based on name, ID number, VIN number, mobile phone number, etc.) in
various transportation applications, and the system shall verify the real-name
condition.
6.2 Access Control
The technology requirements for access control include:
a) The function of access control shall be provided to assign accounts and
permissions to logged-in users;
b) Default accounts shall be renamed or deleted; default passwords of the
default accounts shall be altered;
c) Excess and expired accounts shall be deleted in a timely manner;
d) Minimum permissions required to complete the respective tasks shall be
granted to different accounts; a mutually restrictive relationship shall be
formed among them;
e) Access control policy shall be configured by an authorized subject; the access
control policy shall specify the subject’s access rules to the object;
b) Key transport information system shall adopt cryptographic technology to
ensure that the application system implements security functions like identity
authentication and access control, and ensure the security of audit records,
data storage and communication;
c) Give priority to SM series cryptographic algorithms;
d) Cryptographic products approved by the national cryptography competent
department shall be adopted;
e) Information systems that simultaneously run on the Internet and private
networks must adopt cryptographic technology to ensure that the network
system implements secure access paths, access control and identity
authentication functions;
f) Cryptographic technology shall be adopted to ensure that host equipment and
network equipment implement identity authentication, access control, audit
record, data transmission security, data storage security and program security;
g) Cryptographic technology shall be adopted to implement access
authentication for special-purpose terminal, vehicle side unit and
infrastructure side unit.
7 Security Technology Requirements for User Terminal
7.1 Equipment and Host Security
The technology requirements for equipment and host security include:
a) Special user terminal shall be equipped with physical protection measures
that are suitable for the working environment, and necessary anti-squeezing
and waterproofing capabilities;
b) The identity identification device of special user terminal shall be equipped
with the functions of preventing physical disassembly, logical destruction and
forgery. When abnormal identification is found, the service shall be stopped,
and warning information shall be issued and uploaded;
c) Special mobile terminal, and card and certificate read-write equipment shall
have a unique and addressable identifier; when information transmission is
initiated, self-identity identification shall be performed;
d) Full-lifecycle management of the activation, maintenance and disposal of
special user terminal shall be conducted;
e) Special user terminal shall undergo a security test before startup;
7.4 Intrusion Prevention
The technology requirements for intrusion prevention include:
a) User terminal shall close unwanted system services, default sharing and high-
risk ports;
b) Special user terminal operating system shall follow the principle of minimal
installation, and merely install required components and applications.
8 Security Technology Requirements for Vehicle Side Unit
8.1 Physical and Environmental Security
The technology requirements for physical and environmental security include:
a) It shall be equipped with the capability of normally functioning in specific
service environment;
b) Vehicle side units, for example, vehicle side equipment operating status
control or driving assistance, shall be equipped with the function of monitoring
and rejecting illegal physical access;
c) Vehicle side unit which provides basic data of logical calculation to safety
related application and driving aid application shall be equipped with the
capability of preventing communication interference and physical damage,
and the capability of monitoring and alerting abnormal conditions.
8.2 Equipment Identification of Vehicle Side Unit
The technology requirements for equipment identification of vehicle side unit include:
a) Vehicle side unit shall have a unique and addressable identifier; when
information transmission is initiated, self-identity identification shall be
performed;
b) Vehicle side unit shall implement the functions of secure registration, and key
or certificate-based identity authentication with computing center system,
infrastructure side unit, special user terminal, card and certificate read-write
equipment, and card and certificate;
c) The identity identification device of vehicle side unit shall be equipped with
the function of preventing logical destruction and forgery; when abnormality is
found, warning information shall be uploaded; when it does not affect traffic
safety, the service shall be stopped.
malicious codes;
b) Rigorous control shall be carried out on the ports of the vehicle side
equipment to implement remote access; unnecessary ports shall be closed;
c) Configuration and access control (such as: whitelist, data flow and data
content, etc.) shall be performed on all access points of vehicle side
equipment (such as: Bluetooth, USB, optical drive, diagnostic interface,
debugging interface, positioning system, TPMS radio frequency
communication, car key radio frequency communication and RFID, etc.);
d) Key network border equipment (such as: T-BOX and gateway, etc.) of vehicle
side equipment shall provide the function of border security protection;
e) Vehicle side unit shall adopt a secure access mode for external
communication; in accordance with the application priority, securely access
the network through different communication systems;
f) Logical isolation or other technological measures shall be adopted to
implement border protection of safety related application and value-added
service application;
g) Vehicle side unit that undertakes safety related application and driving aid
application shall be equipped with the function of intrusion prevention and the
corresponding alarm capability, and shall comply with the fail-safe principle.
9 Security Technology Requirements for Infrastructure Side Unit
9.1 Physical and Environmental Security
The technology requirements for physical and environmental security include:
a) It shall be equipped with the capability of physical security protection and the
function of alarm for anti-theft, lightning protection, fire prevention and
waterproofing, etc.;
b) Continuous power supply shall be guaranteed;
c) When selecting locations, avoid the interference of strong light,
electromagnetism and other radiation sources;
d) It shall be equipped with the capability of resisting electromagnetic and
communication interference;
e) Important infrastructure side unit shall adopt redundancy or other measures
a security element or a chip with the same security level;
b) The network transmission and communication between the infrastructure side
unit, and the computing center system, vehicle side unit or special user
terminal, card and certificate read-write equipment, and card and certificate,
shall ensure data confidentiality, integrity and availability;
c) The network transmission and communication between the infrastructure side
unit, and the computing center system, vehicle side unit or special user
terminal, card and certificate read-write equipment, shall be able to identify
the validity and freshness of data; be equipped with the function of data
filtering;
d) Video surveillance equipment shall be equipped with the function of data
signature;
e) Audio, video and other publishing systems shall adopt check code technology,
specific file format protocols or means with equivalent strength to ensure data
integrity.
9.5 Intrusion Prevention
The technology requirements for intrusion prevention include:
a) Unnecessary USB, optical drive, wireless and other interfaces shall be
removed or closed. If they are indeed needed, rigorous access control shall
be implemented through technological means;
b) It shall be equipped with the capability of resisting remote and illegal control;
c) It shall be able to detect and alarm illegal access to infrastructure side
equipment, such as: broadcasting and electronic instructions, etc.;
d) Network that undertakes system operation of lighting control, ventilation
control, fire control and ship lock control shall be physically isolated from other
networks.
10 Security Technology Requirements for Computing Center
10.1 Physical and Environmental Security
The technology requirements for physical and environmental security include:
a) Computer room shall be selected in buildings with the capability of resisting
earthquakes, wind and rain;
a) Implement isolation among different cloud tenant virtual networks;
b) Ensure the isolation of cloud computing platform management flow from cloud
tenant business flow;
c) Cloud tenant shall be able to independently set security policy set and load
security services in accordance with the business demands;
d) It shall be ensured that cloud service providers or a third party may have
administration authority over cloud tenant data only under authorization by
the cloud tenant;
e) It shall be ensured that memory space allocated to virtual machine is merely
for its exclusive access;
f) It shall be able to monitor the operating status of application systems; alarm
when abnormalities are found;
g) It shall be able to monitor abnormal flow between the virtual machine and the
host machine, and alarm;
h) The function of virtual machine image and snapshot integrity
verification shall be provided to prevent virtual machine images from
being maliciously tampered with;
i) For important business systems, hardened operating system images
shall be provided;
j) When remote management is performed, a two-way authentication
mechanism shall be established between the management terminal and the
border equipment of the cloud computing platform;
k) It shall be ensured that cloud service providers’ operations on cloud tenant
system and data can be audited by cloud tenant;
l) It shall be able to monitor cloud tenant’s network attack behaviors; record
information, such as: the source address, target address, time and flow of
such attack, etc.
m) When the memory and storage space used by virtual machine is recycled,
irrecoverable elimination shall be implemented.
10.4 Application Software Security
The technology requirements for application software security include:
a) Before application software goes online, it shall undergo a software security test;
a) It shall be ensured that the communication of cross-border access and data
flows is implemented through controlled interfaces provided by border
protection equipment;
b) It shall be able to restrict or examine unauthorized connections of
unauthorized equipment to the special transport business network, and
effectively block them;
c) It shall be able to restrict or examine unauthorized connections of internal
users of transport business to the Internet, and effectively block them;
d) It shall be ensured that communication between the wired network and the
wireless network boundary passes through the wireless access gateway
equipment;
e) Risky functions, such as: wireless access equipment and wireless access
gateways, should be disabled.
11.5 Centralized Control
The technology requirements for centralized control include:
a) Specific management area shall be divided, so as to manage and control
security equipment or security components distributed in the network;
b) It shall be able to establish a secure information transmission path, so as to
manage security equipment or security components in the network;
c) Centralized monitoring of the operating conditions of network links, security
equipment, network equipment and servers shall be implemented;
d) Audit data scattered on various equipment shall be collected, summarized
and centrally analyzed;
e) Security-related issues, such as: security policy, malicious code and patch
update, shall be centrally managed;
f) Various security incidents that occur in the network shall be identified, alarmed
and analyzed.
11.6 Access Control
The technology requirements for access control include:
a) During the remote management of network or communication equipment,
necessary measures shall be taken to prevent identification information from
being intercepted during the network transmission process;
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.