GB/T 36470-2018 English PDFUS$839.00 ยท In stock
Delivery: <= 7 days. True-PDF full-copy in English will be manually translated and delivered via email. GB/T 36470-2018: Information security technology -- Common security functional requirements for data acquisition and control field devices of industrial control systems Status: Valid
Basic dataStandard ID: GB/T 36470-2018 (GB/T36470-2018)Description (Translated English): Information security technology -- Common security functional requirements for data acquisition and control field devices of industrial control systems Sector / Industry: National Standard (Recommended) Classification of Chinese Standard: L80 Classification of International Standard: 35.040 Word Count Estimation: 42,421 Date of Issue: 2018-06-07 Date of Implementation: 2019-01-01 Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration GB/T 36470-2018: Information security technology -- Common security functional requirements for data acquisition and control field devices of industrial control systems---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order. Information security technology--Common security functional requirements for data acquisition and control field devices of industrial control systems ICS 35.040 L80 National Standards of People's Republic of China Information security technology industrial control system site General safety function requirements for measurement and control equipment Published on.2018-06-07 2019-01-01 implementation State market supervision and administration China National Standardization Administration issued ContentForeword I Introduction II 1 Scope 1 2 Normative references 1 3 Terms and Definitions 1 4 Abbreviations 2 5 Security Function Requirements Description Structure 2 5.1 Requirements Class Structure 2 5.2 Requirement of family structure 3 5.3 Requirements Structure 3 6 General Security Function Requirements 4 6.1 Overview 4 6.2 FIA Class. User Identification and Identification 4 6.3 FUC class. use control 10 6.4 FDI Class. Data Integrity 18 6.5 FDC Class. Data Privacy 22 6.6 FRF Class. Data Flow Limitation 24 6.7 FRA Class. Resource Availability 26 Appendix A (informative appendix) Function and composition of on-site measurement and control equipment for typical industrial control systems 30 Appendix B (Normative) A brief description of the classification information for the required class and the required family. 32 Appendix C (Normative) Safety Function Requirements Dependency Table 34 Appendix D (Normative) General Safety Function Requirements Summary Table 36 Reference 38ForewordThis standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents. This standard is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260). This standard was drafted. Global Energy Internet Research Institute, China Electric Power Research Institute Co., Ltd., Beijing and Lishi Department Engineering Co., Ltd., Beijing Sifang Jibao Automation Co., Ltd., North China Electric Power University, Guodian Nanrui Technology Co., Ltd., Shenyang Electric Industry Electrical Installation Co., Ltd., China Information Security Evaluation Center, Beijing Jiangnan Tianan Technology Co., Ltd., China Electronic Technology Standardization Research Research Institute, National Information Technology Security Research Center. The main drafters of this standard. Liang Shu, Gao Kunlun, Wang Wei, Ren Yanming, Li Huan, Zheng Xiaokun, Xu Ruzhi, Yin Yi, Zheng Jie, Wang Di, Zhao Baohua, An Ning, Wang Zhiwei, Zhao Ting, Zhan Xiong, Li Ling, Zhang Wei, Xie Feng, Chen Guanzhi, Li Bing, Liu Hongyun, Fan Kefeng, Li Lin.IntroductionThe on-site measurement and control equipment is the basic function execution equipment of the industrial control system, which directly monitors and controls the industrial production process. Safe and stable operation of production is essential. With the application of information and communication technology in industrial control systems, the intelligence of field devices is gradually increasing, networking and processing capabilities. The increase in information security risks faced by these devices is more diverse, more extensive, and more hierarchical than traditional field devices. In-depth, once attacked, will directly lead to even serial production accidents within the area under the jurisdiction of the equipment, so its information security is not only related to production Safety and economic security are inseparable, and the on-site safety level of important infrastructure such as electricity, chemicals, and natural gas is directly related to the national economy. Health, social stability and public interest. In order to improve the information security capability of field devices, this standard proposes general safety function requirements for on-site measurement and control equipment for equipment. Safety design, development, testing and evaluation. The user should select the equipment to be full according to the actual or planned use environment security risk analysis results. The safety function requirements of the foot. Information security technology industrial control system site General safety function requirements for measurement and control equipment1 ScopeThis standard specifies the user identification and identification, usage control, data integrity, data confidentiality, and on-site measurement and control equipment of industrial control systems. Data flow restrictions, resource availability, and six types of common security function requirements. This standard applies to the safety design, development, testing and evaluation of equipment. The content related to the realization of the device function, the overall management and operation of the industrial control system, and the information security peripheral technology are not in this standard. Within the scope. E.g. --- This standard does not cover administrative management and operational safety requirements that are not directly related to the device's own security functions and implementation, such as groups. Management and personnel management. Management measures such as password policies and configuration procedures that affect technology implementation will be included in the requirements. In the description, no emphasis is placed on management and operational content; --- This standard does not cover physical security aspects such as electromagnetic radiation that are not directly related to the device's own information security functions and implementation. Measures such as physical security access control that affect the effectiveness of information security technology protection will be included in the required description, Emphasis on physical security content; --- This standard does not refer to electromechanical, hydraulic and pneumatic devices in traditional industrial control systems that do not involve the implementation of information technology. Information security features are required; --- This standard does not cover production process equipment such as sensors, transmitters, regulators, switches/circuit breakers.2 Normative referencesThe following documents are indispensable for the application of this document. For dated references, only dated versions apply to this article. Pieces. For undated references, the latest edition (including all amendments) applies to this document. GB/T 9387.2-1995 Information Processing Systems - Open Systems Interconnection Basic Reference Model Part 2. Security Architecture GB/T 25069-2010 Information Security Technology Terminology GB/T 32919-2016 Information Security Technology Industrial Control System Safety Control Application Guide3 Terms and definitionsGB/T 9387.2-1995, GB/T 25069-2010 and GB/T 32919-2016 define the following terms and definitions apply In this document. 3.1 Industrial control system on-site measurement and control equipment dataacquisitionandcontrolfielddevicesofindustrialcontrolsystems An independent physical device in the industrial control system that is located on site and has all or part of the following production-related functions. --- Receive acquisition data from process equipment such as sensors, transmitters, regulators or switches; --- Perform logic and control calculations; --- Send control commands to process execution devices such as regulators or switches. The device communicates with other similar devices, system masters or applications to collect digital and analog signals such as data and control commands. See Appendix A for the function and composition of the on-site measurement and control equipment for typical industrial control systems. Note. The following equipment is a typical industrial control system on-site measurement and control equipment. --- Remote Terminal Unit (RTU, RemoteTerminalUnit); ---Intelligent Electronic Equipment (IED, Inteligent ElectricDevice); ---Distributed Processing Unit (DPU, Distributed Processing Unit). 3.2 Identification of authentication In an information system, a user, process, or device authenticates its identity before accessing it. [NISTSP800-53R3] 3.3 Flooding flooding By attempting to provide input to a computing system or other data processing entity that is greater than its processing power, in an attempt to cause information security Faulty attack. [RFC2828]4 AbbreviationsThe following abbreviations apply to this document. API. Application Programming Interface (ApplicationProgrammingInterface) CA. Certification Authority (CertificateAuthority) CRC. Cyclic Redundancy Check (CyclicRedundancyCheck) DoS. Denial of Service Attack (DenyofService) DPU. Distributed Processing Unit (DistributedProcessingUnit) IED. Intelligent Electronic Devices (InteligentElectricDevice) I/O. Input/Output MAC. Message Authentication Code (MessageAuthenticationCode) MCU. Microcontrol Unit (MicrocontrolerUnit) MMI. Human Machine Interface (ManMachineInterface) MMU. Memory Management Unit (MemoryManagementUnit) MPU. Microprocessor Unit RAM. Random Access Memory (RandomAccessMemory) RTOS. Real-time Multitasking Operating System (Real-timeOperatingSystem) RTU. Remote Terminal Unit (RemoteTerminalUnit) TCP. Transmission Control Protocol (TransmissionControlProtocol) UDP. User Datagram Protocol (UserDatagramProtocol)5 Security function requirements description structure5.1 Requirements class structure Figure 1 illustrates in block diagram form the structure of the required class. Each requirement class includes a class name, a class description, and one or more requirement families. Class names provide the information necessary to identify and classify different required classes. Each requirement class has a unique name, class classification information Consists of a shorthand of three characters. See Appendix B for a short description of the required class classification information. The short name of the class name is also used for the family name of the family. Fan Zhong. The class description generally describes the families contained in the class and the main roles required by the class. Class descriptions use diagrams to describe the families in the class and in each family The hierarchy of components. Figure 1 requires a class structure 5.2 Requirements family structure Figure 2 illustrates in block diagram form the structure of the claim family. Each requirement family includes a family name, a family description, and one or more components. Family names provide the information necessary to identify and classify different families of requirements. Each claim family has a unique name, the classification information of the family It consists of shorthand for the class and shorthand for the three characters of the family name. A brief description of the classification information of the required family is given in Appendix B. The family describes the general description of the family and the main role required by the family. Figure 2 requires family structure 5.3 Requirements structure Figure 3 illustrates in block diagram form the structure of the requirements. Each requirement includes the name of the request, the content of the request, the description of the request, zero or more Requirements to strengthen child and dependency requirements. Request Name. Used to identify, classify, and classify different requirements. Each request has a unique name that indicates the purpose of the request. use The serial number identifies the location in the family. Requirement. Describe the requirements and describe the conditions that the equipment should meet in order to meet the requirements. Description of requirements. Describe the typical implementation mechanisms and technical principles required. Requirement to strengthen. Requirement to strengthen the sub-item is to strengthen the strength of the requirements or increase the content, and use the serial number to identify the position within the requirements. Dependency requirements. When a requirement item needs to depend on other requirements or be used in conjunction with other requirements, this The direct association of his claim is noted in this section. See Appendix C for details of the dependencies between requirements. Figure 3 requirements structure6 General safety function requirements6.1 Overview The general safety function requirements for on-site measurement and control equipment for industrial control systems are summarized in Appendix D. 6.2 FIA class. user identification and authentication 6.2.1 Class Description The purpose of user identification and authentication is to determine the access actors (people, processes, and devices) of the device, and to perform access behaviors. control. Depending on the number of devices and the level of intelligence, the device has multiple external access interfaces. Typical interfaces include. --- Local operation panel for viewing or modifying the configuration; ---Local RS232 or RS485 interface for business data transmission or equipment debugging and management; --- Network for equipment debugging, management and business data transmission. Typical users accessing devices through these interfaces include, but are not limited to, the following. ---Manipulating personnel such as equipment use and configuration; ---Device configuration software; --- System host computer application process. 6.2.2 FIA_IAM family. identification and authentication 6.2.2.1 Family Description The device identifies and authenticates the user's identity as the most basic security protection for the device, as well as the implementation of rights allocation and access control. basis. 6.2.2.2 FIA_IAM.1 logo and method 6.2.2.2.1 Requirements The industrial control system on-site measurement and control equipment should have the ability to identify users. 6.2.2.2.2 Description of requirements Provide important users with identity, such as configuration management users, PC control processes, and so on. Typical user identity identifiers include Network address (such as physical address, IP address), user identifier of the controller, and so on. 6.2.2.2.3 Requirements for strengthening The enhancements to the FIA_IAM.1 logo and method requirements include. a) The device has the ability to identify users on all external interfaces; b) The device has the ability to uniquely identify users on all external interfaces. 6.2.2.2.4 Dependency requirements no. 6.2.2.3 Identification and method of FIA_IAM.2 6.2.2.3.1 Requirements The industrial control system on-site measurement and control equipment should have the ability to identify the user's identity on the external interface. 6.2.2.3.2 Description of requirements The device should authenticate the open network service interface and important local access users, such as configuration management users and remote access services. Wait. Typical methods of identity authentication include. passwords, shared keys, digital certificates, and biometrics. 6.2.2.3.3 Requirement to strengthen The requirements for FIA_IAM.2 identification and methods are enhanced to include. a) The device performs two-factor authentication on the remote network access interface for users with control, parameter and fixed value modification functions; b) The device performs two-factor authentication for users on all remote network access interfaces. 6.2.2.3.4 Dependency requirements The dependency requirement for FIA_IAM.2 authentication and mode is FIA_IAM.1. 6.2.3 FIA_IDM family. identifier management 6.2.3.1 Family description Industrial control system on-site measurement and control equipment can be used to identify the identity of users (people, processes and equipment) including network-level IP addresses, physical Address, TCP/UDP port, application address, or operator identifier. The function of the user user identifier management is equivalent to the user management of the ordinary IT application system, and the direct use of the control panel pair The device is viewed or configured by the controller, and the management of the IP address, physical address, and port is described in Access Control. 6.2.3.2 FIA_IDM.1 Manipulator Identifier Management 6.2.3.2.1 Requirements The industrial control system on-site measurement and control equipment should have the ability to assign identifiers to the operator. 6.2.3.2.2 Description of requirements The device should have the ability to assign an identifier to a controller with access to the operating parameters or device configuration. 6.2.3.2.3 Requirements for strengthening The enhanced requirements for FIA_IDM.1 Manipulator Identifier Management include. a) The device supports the management of adding, deleting, etc. the operator identifier; b) The device supports locking of the operator identifier that is not used by the security policy for a period of time. 6.2.3.2.4 Dependency requirements The dependency requirement for FIA_IDM.1 Manipulator Identifier Management is FIA_IAM.1. 6.2.4 FIA_ACM family. authentication certificate management 6.2.4.1 Family description The ability of the industrial control system on-site measurement and control equipment to manage user identity authentication credentials mainly includes the management of the strength and use of the authentication credentials. Since the access method to the device may include local panel access, serial port access, network access, and upper computer application access, the authentication credential is Use and manage the identification that covers both the device layer and the network layer. 6.2.4.2 FIA_ACM.1 password modification 6.2.4.2.1 Requirements The industrial control system on-site measurement and control equipment should support administrators and other control personnel to modify their management within the scope of normal operation. Password. The device should support and prompt for modifications to the factory default password. 6.2.4.2.2 Description of requirements It mainly manages the passwords of device controllers such as administrators, configuration viewers, and configuration users. 6.2.4.2.3 Requirements for strengthening no. 6.2.4.2.4 Dependency requirements The dependency requirement for FIA_ACM.1 password modification is FIA_IAM.2. 6.2.4.3 FIA_ACM.2 password replacement cycle 6.2.4.3.1 Requirements The industrial control system on-site measurement and control equipment should support the password life cycle required in the security policy. 6.2.4.3.2 Description of requirements After the operator has successfully verified, the on-site monitoring and control equipment of the industrial control system shall provide the necessary automatic reminding capability to notify the user of the last modification. The password time has exceeded the password usage period required by the security policy. 6.2.4.3.3 Requirement to strengthen The FIA_ACM.2 password replacement cycle requirement is enhanced so that the device should support the administrator to configure the password replacement cycle. 6.2.4.3.4 Dependency requirements The dependency requirement for the FIA_ACM.2 password replacement cycle is FIA_IAM.2. 6.2.4.4 FIA_ACM.3......Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 36470-2018_English be delivered?Answer: Upon your order, we will start to translate GB/T 36470-2018_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 7 working days. The lengthier the document the longer the lead time.Question 2: Can I share the purchased PDF of GB/T 36470-2018_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 36470-2018_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay. |
