
GB/T 33007-2016 English PDF

US$2594.00 · In stock
Delivery: <= 7 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 33007-2016: Industrial communication networks -- Network and system security -- Establishing an industrial automation and control system security program
Status: Valid
Standard ID        USD     Buy PDF       Lead days   Standard Title (Description)                                                                                                               Status
GB/T 33007-2016    2594    Add to Cart   7 days      Industrial communication networks -- Network and system security -- Establishing an industrial automation and control system security program   Valid

Similar standards

GB/T 33009.2   GB/T 33009.4   GB/T 33009.1   

Basic data

Standard ID: GB/T 33007-2016 (GB/T33007-2016)
Description (Translated English): Industrial communication networks -- Network and system security -- Establishing an industrial automation and control system security program
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: N10
Classification of International Standard: 25.040.40
Word Count Estimation: 130,189
Date of Issue: 2016-10-13
Date of Implementation: 2017-05-01
Regulation (derived from): National Standard Notice No.1716 of 2016
Issuing agency(ies): General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China, Standardization Administration of the People's Republic of China

GB/T 33007-2016: Industrial communication networks -- Network and system security -- Establishing an industrial automation and control system security program


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Industrial communication networks - Network and system security - Establishing an industrial automation and control system security program

ICS 25.040.40
N10

National Standards of the People's Republic of China

Industrial communication networks - Network and system security - Establishing an industrial automation and control system security program
(IEC 62443-2-1:2010, Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program, IDT)

Issued 2016-10-13. Implemented 2017-05-01.
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of the People's Republic of China.

Contents

Foreword
Introduction
1 Scope
2 Normative reference documents
3 Terms, definitions, abbreviations and conventions
3.1 Terms and definitions
3.2 Abbreviations and acronyms
3.3 Conventions
4 Elements of a cyber security management system
4.1 Overview
4.2 Category: Risk analysis
4.3 Category: Addressing risk with the CSMS
4.4 Category: Monitoring and improving the CSMS
Appendix A (normative) Guidance for developing the elements of a CSMS
A.1 Overview
A.2 Category: Risk analysis
A.3 Category: Addressing risk with the CSMS
A.4 Category: Monitoring and improving the CSMS
Appendix B (informative) Process for developing a CSMS
B.1 Overview
B.2 Description of the process
B.3 Activity: Initialize the CSMS project
B.4 Activity: High-level risk assessment
B.5 Activity: Detailed risk assessment
B.6 Activity: Establish security policy, organization and awareness
B.7 Activity: Select and implement countermeasures
B.8 Activity: Maintain the CSMS
Appendix C (informative) Mapping to the requirements of ISO/IEC 27001
C.1 Overview
C.2 Mapping of this standard to ISO/IEC 27001:2005
C.3 Mapping of ISO/IEC 27001:2005 to this standard
References

Figure 1 Graphical view of the elements of the cyber security management system
Figure 2 Graphical view of the risk analysis category
Figure 3 Graphical view of element group: Security policy, organization and awareness
Figure 4 Graphical view of element group: Selected security countermeasures
Figure 5 Graphical view of element group: Implementation
Figure 6 Graphical view of category: Monitoring and improving the CSMS
Figure A.1 Graphical view of the elements of the cyber security management system
Figure A.2 Graphical view of category: Risk analysis
Figure A.3 Number of attacks on computer systems from 1998 to 2004 (source: CERT)
Figure A.4 Logical list of IACS data collection examples
Figure A.5 Example logical network control diagram
Figure A.6 Graphical view of element group: Security policy, organization and awareness
Figure A.7 Graphical view of element group: Selected security countermeasures
Figure A.8 Reference architecture example of a segmented structure
Figure A.9 SCADA reference architecture and segmented structure example
Figure A.10 Access control: Account administration
Figure A.11 Access control: Authentication
Figure A.12 Access control: Authorization
Figure A.13 Implementation plan chart
Figure A.14 Security level lifecycle model: Assessment phase
Figure A.15 Enterprise security zone template structure
Figure A.16 IACS security zones
Figure A.17 Security level lifecycle model: Development and implementation phase
Figure A.18 Security level lifecycle model: Maintenance phase
Figure A.19 Graphical view of category: Monitoring and improving the CSMS
Figure B.1 Top-level activities for creating a CSMS
Figure B.2 Activity and activity dependencies: Initialize the CSMS project
Figure B.3 Activity and activity dependencies: High-level risk assessment
Figure B.4 Activity and activity dependencies: Detailed risk assessment
Figure B.5 Activity and activity dependencies: Establish security policy, organization and awareness
Figure B.6 Training and organizational responsibilities
Figure B.7 Activity and activity dependencies: Select and implement countermeasures
Figure B.8 Activity and activity dependencies: Maintain the CSMS

Table 1 Business rationale: Requirements
Table 2 Risk identification, classification and assessment: Requirements
Table 3 CSMS scope: Requirements
Table 4 Security organization: Requirements
Table 5 Staff training and security awareness: Requirements
Table 6 Business continuity plan: Requirements
Table 7 Security policies and procedures: Requirements
Table 8 Personnel security: Requirements
Table 9 Physical and environmental security: Requirements
Table 10 Network segmentation: Requirements
Table 11 Access control - Account administration: Requirements
Table 12 Access control - Authentication: Requirements
Table 13 Access control - Authorization: Requirements
Table 14 Risk management and implementation: Requirements
Table 15 System development and maintenance: Requirements
Table 16 Information and document management: Requirements
Table 17 Incident planning and response: Requirements
Table 18 Conformance: Requirements
Table 19 Review, improvement and maintenance of the CSMS: Requirements
Table A.1 Typical likelihood scale
Table A.2 Typical consequence scale
Table A.3 Typical risk level matrix
Table A.4 Examples of countermeasures based on IACS risk rating
Table A.5 Example of assessment results for IACS assets
Table A.6 Example of IACS asset assessment results and risk levels
Table A.7 IACS target security levels
Table C.1 Mapping of the requirements of this standard to ISO/IEC 27001:2005
Table C.2 Mapping of the requirements of ISO/IEC 27001 to this standard

Foreword

This standard has been drafted in accordance with GB/T 1.1-2009 "Standardization work guidelines - Part 1: Structure and drafting of standards" and GB/T 20000.2-2009 "Standardization work guide - Part 2: Adoption of international standards". This standard is identical to IEC 62443-2-1:2010 "Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program" (English version), adopted by the translation method; its technical content, text structure and form of expression are fully equivalent to IEC 62443-2-1:2010. For ease of use, the following editorial changes have been made: the foreword of the original has been deleted; the introduction of the original part is used as the introduction of this standard; unless otherwise stated, "security" in the text refers to network security. This standard was proposed by the China Machinery Industry Federation. This standard is under the jurisdiction of the National Industrial Process Measurement, Control and Automation Standardization Technical Committee (SAC/TC124) and the National Information Security Standardization Technical Committee (SAC/TC260). Drafting organizations of this standard: Institute of Mechanical and Industrial Instrumentation Integrated Technology and Economy, China Electronics Technology Standardization Research Institute, China Electric Power Research Institute, China Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation Co., Ltd., Beijing Jiaotong University, Eastern Science and Technology Co., Ltd., Tsinghua University, Siemens (China) Co., Ltd., Zhejiang University, Southwest University, Chongqing University of Posts and Telecommunications, Schneider Electric (China) Co., Ltd., Beijing Iron and Steel Design and Research Institute, Huazhong University of Science and Technology, Beijing Austin Technology Co., Ltd., Rockwell Automation (China) Co., Ltd., China Institute of Instrumentation, Beijing and Lee Department of Systems Engineering Co., Ltd., Fifth Electronics Research Institute of the Ministry of Industry and Information Technology, Shenyang Institute of Automation of the Chinese Academy of Sciences, Beijing Haitai radius of Science and Technology Co., Ltd., Qingdao Duo Fenuo Information Security Technology Co., Ltd., Beijing Guodian Zhi deep control Technology Co., Ltd., Beijing Power Control Huakang Technology Co., Ltd., Guangdong Aerospace Satellite Technology Co., Ltd., North China Electric Power Design Institute Engineering Co., Ltd., Huawei Technologies Co., Ltd., Venus, 30th Institute of China Electronics Technology Group Corporation, Shenzhen million-controlled Co., Ltd., Winning Software Co., Ltd., Yokogawa Electric (China) Co., Ltd. Beijing R&D Center. Main drafters of this standard: Wang Yumin, Fan Kefeng, Liang Xiao, Feng Dongqin, Wang Yijun, Hua Rong, Chen Xiaocong, Zhang Jianjun, Xue Baihua, Xu Bin, Gao Kunlun, Wang Xue, Liu Feng, Wang Hao, Xia Dehai, Zhou Chunjie, Zhang Li, Wang Tao, Liu Jie, Sun Xin, Xu Aedong, Zhu Yiming, Sun Jing, Hu Boliang, Liu Anzheng, Tian Yucong, Fang Liang, Ma Xinxin, Wang Yong, Du Jialin, Chen Rigang, Li Rui, Liu Limin, Kong Yong, Liu Wenlong, Li Lin, Huang Min, Zhang Zhi, He Jia, Zhang Jianxun, Meng Yahui, Lan Kun, Cheng Ji Xun, Ding Lu, Chen Xiaofeng, Yang Yingliang, Yang Lei.

Introduction

0.1 Overview

Network security is an increasingly important topic in modern organizations. Over the years, many organizations involved in information technology and business have paid attention to network security and have established effective cyber security management systems (CSMS) in accordance with ISO and IEC standards (see ISO/IEC 17799 [23] and ISO/IEC 27001 [24]); these management systems give organizations an effective way to protect their assets from cyber attacks. Industrial automation and control system (IACS) organizations have begun to use commercially available off-the-shelf (COTS) technology developed for business systems in their daily processes, which increases the likelihood that IACS equipment will be subject to cyber attack. For various reasons, these systems are usually less robust against cyber attack than systems designed for the IACS environment. These weaknesses can lead to health, safety and environmental (HSE) consequences. Without understanding these consequences, an organization may attempt to apply existing information technology and business security solutions to IACS security problems. Although many of these solutions can be applied to IACS, the right approach is needed to avoid adverse consequences.

0.2 IACS network security management system

A management system standard usually provides guidance on what should be included in the management system, but not on how to develop it. This standard describes the elements contained in a CSMS for IACS and also provides guidance on how to develop a CSMS for IACS. Faced with a challenging problem, a very common engineering approach is to break the problem down into smaller sub-problems and solve each one in turn. This is a reasonable way to address IACS network security risk. However, a mistake often made in addressing network security is to try to solve all network security problems with a single system at once. Network security is a larger challenge that must be considered across the whole IACS and across the policies, procedures, practices and personnel that surround and use the IACS. Implementing such a wide-ranging management system may require cultural change within the organization. Solving network security on an organization-wide basis is a daunting task, and for security there is no ready-made solution. This is easy to understand, because no single security practice fits all situations. In theory absolute security may be possible, but it is probably not desirable, because achieving such a near-perfect state is bound to cost practicality. Security is in fact a balance between risk and cost, and every situation is different. In some cases the risk may relate to HSE factors rather than purely economic impact, and the risk may bring irreversible consequences rather than temporary financial setbacks. So a single set of mandatory security practices would either be too strict and expensive to follow, or insufficient to deal with the risk.

Relationship between this standard and ISO/IEC 17799 and ISO/IEC 27001

ISO/IEC 17799 [23] and ISO/IEC 27001 [24] are excellent standards describing cyber security management systems for business/information technology systems. Most of the content of these standards also applies to IACS. This standard emphasizes the need for consistency between the management of IACS network security practices and the management of network security for business/information technology systems; consistency of these procedures can save money. This standard encourages users to read ISO/IEC 17799 and ISO/IEC 27001 for additional supporting information. This standard builds on these ISO/IEC standards, applying them to IACS as distinct from general business/information technology systems. This standard introduces the important concept that IACS network security risks can have HSE impact and should be dealt with together with other existing risk management practices.

1 Scope

This standard specifies the elements required to establish a cyber security management system (CSMS) for industrial automation and control systems (IACS) and provides guidance on how to develop those elements. The IACS addressed by this standard has a broader definition and scope than the IACS described in IEC 62443-1-1. The CSMS elements described in this standard are primarily policy, procedure, practice and personnel related elements, describing what the final CSMS will include or should include.

Note 1: Other documents in the IEC 62443 series of standards and the references discuss more detailed and specific security techniques and protocols.

The guidance on how to develop a CSMS is an example; it represents the authors' view of how an organization could develop the elements, but it may not be applicable in all cases. To develop a complete and functional CSMS for the organization, users of this standard must carefully read the requirements and apply the guidance appropriately. The policies and procedures discussed in this standard should be tailored to the needs of the organization.

Note 2: An enterprise may already have its own CSMS to which IACS is added, or may not yet have formally established a CSMS. The authors cannot predict every situation of an organization establishing a CSMS for IACS, so this standard does not attempt to provide a solution for all situations.

2 Normative reference documents

The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

IEC 62443-1-1 Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models

3 Terms, definitions, abbreviations and conventions

3.1 Terms and definitions

The terms and definitions given in IEC 62443-1-1 and the following apply to this document.

3.1.1 access account
Access control function that allows a user to access a particular device or feature set of a given device.
Note: Accounts are often associated with a user identity (ID) and password. These user IDs and passwords can be shared by individuals or groups, for example to perform the same task in a control room working group.

3.1.2 administrative practice
Well-defined and documented practices/procedures that employees are required to comply with at all times.
Note: Usually applied to employees within the enterprise. In the IACS environment, often associated with HSE.

3.1.3 asset
A physical or logical object owned or kept by an organization that has a potential or actual value to the organization. [IEC 62443-1-1, 3.2.6]
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 33007-2016_English be delivered?

Answer: Upon your order, we will start to translate GB/T 33007-2016_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 7 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 33007-2016_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 33007-2016_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.