
GB/T 33009.4-2016 PDF English

US$150.00 · In stock · Download in 9 seconds
GB/T 33009.4-2016: Industrial automation and control system security - Distributed control system (DCS) - Part 4: Risk and vulnerability detection requirements
Delivery: 9 seconds. True-PDF full-copy in English & invoice will be downloaded + auto-delivered via email. See step-by-step procedure
Status: Valid
Standard ID | USD | Buy PDF | Delivery | Standard Title (Description) | Status
GB/T 33009.4-2016 | 150 | Add to Cart | Auto, 9 seconds | Industrial automation and control system security - Distributed control system (DCS) - Part 4: Risk and vulnerability detection requirements | Valid

Similar standards

GB/T 33009.2   GB/T 33009.1   GB/T 33008.1   GB/T 33007   

GB/T 33009.4-2016: Industrial automation and control system security - Distributed control system (DCS) - Part 4: Risk and vulnerability detection requirements


---This is an excerpt. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.), auto-downloaded/delivered in 9 seconds, can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GBT33009.4-2016
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 25.040
N 10
Industrial automation and control system security - Distributed control system (DCS) - Part 4: Risk and vulnerability detection requirements
Issued on: October 13, 2016
Implemented on: May 01, 2017
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China

Table of Contents

Foreword
1 Scope
2 Normative references
3 Terms, definitions, abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Overview of DCS risk and vulnerability detection
4.1 DCS system overview
4.2 DCS risk and vulnerability detection objectives
4.3 Basic principles of DCS risk and vulnerability detection
4.4 DCS risk and vulnerability detection content
4.5 Basic work unit of DCS risk and vulnerability detection
4.6 Implementation of DCS risk and vulnerability detection
4.7 Disposal of DCS risk and vulnerability detection results
5 DCS software security risk and vulnerability
5.1 Operating system of server and control station
5.2 Database management system
5.3 OPC software
5.4 DCS monitoring software
5.5 DCS configuration software
5.6 Other software
6 DCS network communications security risk and vulnerability
6.1 Commercial Ethernet protocol communication mechanism
6.2 Industrial network protocol communication mechanism
6.3 DCS communication data security
6.4 DCS communication services
6.5 DCS status conversion
References

Foreword

GB/T 33009 "Industrial automation and control system security - Distributed control system (DCS)", GB/T 33008 "Industrial automation and control system security - Programmable logic controller (PLC)" and other standards together constitute the series of network security standards for industrial automation and control systems.

GB/T 33009 "Industrial automation and control system security - Distributed control system (DCS)" is divided into 4 parts:
- Part 1: Protection requirements;
- Part 2: Management requirements;
- Part 3: Assessment guidelines;
- Part 4: Risk and vulnerability detection requirements.

This part is Part 4 of GB/T 33009.

This part was drafted in accordance with the rules given in GB/T 1.1-2009.

This part was proposed by the China Machinery Industry Federation.

This part shall be under the jurisdiction of the National Industrial Process Measurement, Control and Automation Standardization Technical Committee (SAC/TC 124) and the National Information Security Standardization Technical Committee (SAC/TC 260).

The drafting organizations of this part:
Zhejiang University, Zhejiang Institute of Control Technology Co., Ltd., Machinery Industry Instrumentation Technology Institute of Economics, Chongqing University of Posts and Telecommunications, Chinese Academy of Sciences Shenyang Institute of Automation, Southwest University, Fujian Institute of Technology, Hangzhou Institute of Technology, Beijing Venus Information Security Technology Co., Ltd., China Electronics Standardization Institute, State Grid Smart Grid Research Institute, China Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation Co., Ltd., Dongtu Technology Co., Ltd., Tsinghua University, Siemens (China) Limited, Schneider Electric (China) Co., Ltd., Beijing Iron and Steel Design and Research Institute, Huazhong University of Science and Technology, Beijing Austin Technology Co., Ltd., Rockwell Automation (China) Co., Ltd., China Instrument Society, Ministry of Industry and Information Technology Electronics Fifth Research Institute, Beijing Haitai Fangyuan Science and Technology Co., Ltd., Qingdao Tofino Information Security Technology Co., Ltd., Beijing Guodian Zhishen Control Technology Co., Ltd., Beijing Likong Huakang Technology Co.,

1 Scope

This part of GB/T 33009 specifies the risk and vulnerability detection of the distributed control system (DCS) before and after it is put into operation, and proposes specific requirements for the risk and vulnerability detection of DCS software, the Ethernet network communication protocol and the industrial control network protocol.

This part applies to vulnerability detection of the following objects in the DCS:
a) Monitoring software, configuration software, database software and other DCS application software;
b) Operating systems of DCS operator stations, control stations and similar equipment;
c) Functions and components in the DCS that implement network protocols and have network communication capabilities.

This part does not apply to vulnerability detection of intelligent instrumentation and industrial wireless systems.

2 Normative references

The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, only the latest version (including all amendments) applies to this document.

GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 20271-2006 Information security technology - Common security techniques requirement for information system
GB/T 20984-2007 Information security technology - Risk assessment specification for information security
GB/T 28449-2012 Information security technology - Testing and evaluation process guide for classified protection of information system security
GB/T 30976.1-2014 Industrial control system security - Part 1: Assessment specification
GB/T 33009.1-2016 Industrial automation and control system security - Distributed control system (DCS) - Part 1: Protection requirements
GB/T 33009.2-2016 Industrial automation and control system security - Distributed control system (DCS) - Part 2: Management requirements

3 Terms, definitions, abbreviations

3.1 Terms and definitions

The terms and definitions defined in GB/T 20984-2007 and GB/T 30976.1-2014 and the following terms and definitions apply to this document. For ease of use, some terms and definitions from GB/T 20984-2007 and GB/T 30976.1-2014 are repeated below.

3.1.1 Availability
Characteristic of data or resources that can be accessed and used by authorized entities as required.
[GB/T 20984-2007, Definition 3.3]

3.1.2 Authentication
The act of verifying an entity's claimed identity.

3.1.3 Authorized user
A user who can perform an action based on the security policy.

3.1.4 Confidentiality

4 Overview of DCS risk and vulnerability detection

4.1 DCS system overview

4.1.1 Network structure of common DCS system applications

DCS system applications usually have a vertical, hierarchical network structure consisting, from top to bottom, of the process monitoring layer, the field control layer and the field equipment layer. The layers are connected by a communication network, and the equipment within each layer communicates over a communication network at that level. The typical network structure is shown in Figure 1.

This part mainly proposes security requirements for the process monitoring layer, the field control layer network and the field equipment layer network of the DCS. Each layer is described as follows:
- Process monitoring layer: its main task is to monitor operation, and it also has some management functions. This layer serves operators and control system engineers, so it is equipped with technologically sophisticated computer systems and a wide range of peripheral devices, especially displays and keyboards; it also requires the support of large-capacity hard disks or floppy disks and of powerful software, so that engineers and operators can configure, monitor and operate the system and implement advanced control policies, diagnostics and quality assessments of the production process;
- Field control layer: its main functions include collecting process data, data conversion and processing; monitoring and controlling the production process, outputting control signals and performing analog and digital control; I/O card diagnosis; and data communication with the process monitoring layer;
- Field equipment layer: its main functions include collecting control signals, executing control commands and performing equipment actions in accordance with the control signals.
system operation site to perform field observation of personnel actions, technical facilities and the physical environment, so as to judge personnel security awareness, business operation, management procedures and other security conditions. Test refers to testing performed with technical tools.

Detection implementation: the main component of the work unit. It consists of the specific requirements for detection implementation developed from the detection purpose and the detection content, and covers the specific detection method, detection target and operating process. In the detection implementation process, the word "shall" indicates that a step is mandatory and must be completed before the detection staff draws conclusions; the word "may" indicates that a step is non-mandatory, has no fundamental impact on the conclusions drawn by the detection staff, and may be completed selectively by the detection staff according to actual conditions. All detection measures in this part are important and need to be considered, but whether a detection measure is appropriate, and which feasible detection measures are selected, should be determined by the actual application of the DCS and the enterprise's DCS security requirements.

Result judgment: describes how, after the detection staff have obtained the various pieces of detection evidence by performing the detection operations, they determine from that evidence whether the system under detection meets the detection requirements. Before giving the detection conclusion for the overall work unit, the conclusion for each single detection implementation item shall be given first. Generally speaking, the conclusion for a single detection implementation item always requires the subjective judgment of the detection staff, and the item is considered satisfied once correct and critical evidence has been obtained.
4.6 Implementation of DCS risk and vulnerability detection

For DCS systems that have not yet been deployed and implemented, DCS risk and vulnerability detection may be scheduled before the DCS is put into production and after the security assessment. For a DCS upgraded from an existing DCS or newly extended with additional functions, it is recommended to perform risk and vulnerability detection on the newly added systems before the joint test of the new and old systems, and to conduct risk and vulnerability detection on the affected key DCS components and network communication functions during the joint test phase. For systems in service, risk and vulnerability detection may be selected afte... ......

Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of the English version of GB/T 33009.4-2016 take to be delivered?
Answer: The full-copy PDF of the English version of GB/T 33009.4-2016 can be downloaded in 9 seconds, and it will also be emailed to you in 9 seconds (two mechanisms to ensure reliable delivery), together with a PDF invoice.

Question 2: Can I share the purchased PDF of GB/T 33009.4-2016_English with my colleagues?
Answer: Yes. The purchased PDF of GB/T 33009.4-2016_English is deemed to be sold to the employer/organization that actually paid for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?
Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with the tax regulations of 100+ countries (tax exempted in 100+ countries). See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries.

Question 4: Do you accept currencies other than USD?
Answer: Yes. www.ChineseStandard.us -- GB/T 33009.4-2016 -- Click this link and select your country/currency to pay; the exact amount in your currency will be printed on the invoice. The full PDF will also be downloaded/emailed in 9 seconds.

How to buy and download a true PDF of English version of GB/T 33009.4-2016?

A step-by-step guide to downloading the PDF of GB/T 33009.4-2016_English
Step 1: Visit https://www.ChineseStandard.net (pay in USD) or https://www.ChineseStandard.us (pay in other currencies such as EUR, KRW, JPY, AUD).
Step 2: Search keyword "GB/T 33009.4-2016".
Step 3: Click "Add to Cart". If multiple PDFs are required, repeat steps 2 and 3 to add up to 12 PDFs to cart.
Step 4: Select payment option (Via payment agents Stripe or PayPal).
Step 5: Customize Tax Invoice -- Fill up your email etc.
Step 6: Click "Checkout".
Step 7: Make payment by credit card, PayPal, Google Pay etc. After the payment is completed and in 9 seconds, you will receive 2 emails attached with the purchased PDFs and PDF-invoice, respectively.
Step 8: Optional -- Go to download PDF.
Step 9: Optional -- Click Open/Download PDF to download PDFs and invoice.