Home Cart Quotation About-Us
www.ChineseStandard.net
SEARCH

GB/T 37955-2019 English PDF

Q: How long will the true-PDF of English version of GB/T 37955-2019 be delivered?

Upon your order, we will start to translate GB/T 37955-2019_English as soon as possible, and keep you informed of the progress. The lead time is typically 2 ~ 4 working days. The lengthier the document the longer the lead time.

Q: Can I share the purchased PDF of GB/T 37955-2019_English with my colleagues?

Yes. The purchased PDF of GB/T 37955-2019_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Q: Does the price include tax/VAT?

Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries). Avoidance of Double Taxation Agreements (DTAs) between Singapore and 100+ Countries: https://www.iras.gov.sg/taxes/international-tax

Q: Do you accept my currency other than USD?

Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

US$439.00 · In stock
Delivery: <= 4 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 37955-2019: Information security technology - Security technique requirements for numerical control network
Status: Valid

Standard ID	USD	BUY PDF	Lead-Days	Standard Title (Description)	Status
GB/T 37955-2019	439	Add to Cart	4 days	Information security technology - Security technique requirements for numerical control network	Valid

Similar standards

GB/T 37985 GB/T 37988 GB/T 37973 GB/T 37952 GB/T 37950

Basic data

Standard ID: GB/T 37955-2019 (GB/T37955-2019)
Description (Translated English): Information security technology - Security technique requirements for numerical control network
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 22,271
Date of Issue: 2019-08-30
Date of Implementation: 2020-03-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 37955-2019: Information security technology - Security technique requirements for numerical control network

---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology - Security technique requirements for numerical control network ICS 35.040 L80 National Standards of People's Republic of China Information Security Technology CNC network security technical requirements 2019-08-30 released 2020-03-01 Implementation State Administration for Market Regulation Issued by China National Standardization Administration

Foreword Ⅰ 1 Scope 1 2 Normative references 1 3 Terms and definitions 1 4 Abbreviations 2 5 Overview 2 5.1 CNC Network Security Framework 2 5.2 Principles of CNC Network Information Security Protection 3 5.3 Safety technical requirements 4 5.4 Classification of safety technical requirements 4 6 Equipment safety technical requirements 4 6.1 Safety technical requirements for NC server and acquisition server 4 6.2 Safety technical requirements for CNC equipment 7 6.3 Safety technical requirements for network communication equipment 9 7 Cyber security technical requirements 10 7.1 Network Architecture 10 7.2 Border protection 10 7.3 Access Control 11 7.4 Intrusion Prevention 11 7.5 Wireless usage control 11 7.6 Security Audit 12 7.7 Centralized Management and Control 12 8 Application safety technical requirements 13 8.1 Identification 13 8.2 Access Control 13 8.3 Resource control 14 8.4 Software fault tolerance 14 8.5 Security Audit 14 9 Data Security Technical Requirements 15 9.1 Data integrity 15 9.2 Data confidentiality 15 9.3 Data backup and recovery 15 9.4 Protection of remaining information 16 Appendix A (informative appendix) CNC network reference model 17 Appendix B (informative appendix) Information security risks faced by CNC networks 18 Reference 19

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009. Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents. This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260). Drafting organizations of this standard. China Electronics Standardization Institute, Huazhong University of Science and Technology, Beijing Saixi Technology Development Co., Ltd., Beijing Jing Kuang En Network Technology Co., Ltd., Shenyang Institute of Automation, Chinese Academy of Sciences, Shenyang High-precision CNC Intelligent Technology Co., Ltd., Beijing Digital Dafang Technology Co., Ltd., Beijing Languang Innovation Technology Co., Ltd., National Computer Network Emergency Technology Coordination Center, West Menzi (China) Co., Ltd., Hangzhou Dianzi University, Changchun Qiming Information Integration Service Technology Co., Ltd. The main drafters of this standard. Zhang Dajiang, Li Qiangqiang, Wu Zeguang, Li Kaibin, Wang Zheng, Fan Kefeng, Li Lin, Yao Xiangzhen, Zhou Chunjie, Shang Wenli, Hu Yi, Han Shengxia, Ding Tao, Ding Xiaozhen, Yan Tao, Shu Min, Zhang Xiaoming, Li Jiangli, Zhong Cheng, An Gaofeng, Xu Xianghua, Hu Xixiang, Xu Yanping, Liu Hao. Information Security Technology CNC network security technical requirements

1 Scope

This standard proposes the security protection principles for CNC networks in digital factories or digital workshops, and specifies the security technical requirements for CNC networks. Requirements, including equipment security technical requirements, network security technical requirements, application security technical requirements and data security technical requirements. This standard applies to the planning, design, inspection and evaluation of CNC network security protection.

2 Normative references

The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article Pieces. For undated references, the latest version (including all amendments) applies to this document. GB/T 25069-2010 Information Security Technical Terms

3 Terms and definitions

The following terms and definitions defined in GB/T 25069-2010 apply to this document. 3.1 techy's equipment According to a pre-programmed program, the control system sends out digital information instructions to control the working process. Note 1.Rewrite GB/T 6477-2008, definition 2.1.26. Note 2.Common CNC equipment includes. CNC machine tools, CNC cutting machines, three-coordinate measuring instruments, etc. 3.2 CNC system The control system that uses numerical data on numerical control equipment continuously introduces numerical data during operation to realize the Process automation control. Note. Rewrite GB/T 26220-2010, definition 3.1. 3.3 CNC code The instruction set used to control the operation of CNC equipment. 3.4 CNC network A network composed of digital control servers, acquisition servers, numerical control equipment, and network communication equipment. Note. The centralized control of numerical control equipment is realized in the numerical control network, as well as the control instructions and equipment between the digital control server, acquisition server and numerical control equipment. The transmission of equipment status information. 3.5 area A collection of logical assets or physical assets that share the same information security requirements. Note. The area has clear boundaries. The information security policy of an information security zone must be enforced within and on its borders. [GB/T 35673-2017, definition 3.1.47]

4 Abbreviations

The following abbreviations apply to this document.

5 overview

5.1 CNC Cyber Security Framework The numerical control network is composed of a numerical control server (ie, NC server), a collection server, numerical control equipment, and network communication equipment. CNC Refer to Appendix A for the reference model of the network. Installation and operation of equipment (CNC equipment, acquisition server, NC server, network communication equipment), equipment The operating system, application software, stored data, and communication between devices (wired, wireless) are the objects of protection covered by this standard. Refer to Appendix B for the information security risks faced by CNC networks. Aiming at the security risks and protection objects faced by CNC networks, this The standard proposes a CNC network security framework, as shown in Figure 1.Chapter 6, Chapter 7, Chapter 8, Chapter 9 of this standard are based on the security framework and The CNC network security protection principles in 5.2 put forward specific security technical requirements for each item. Figure 1 CNC network security framework 5.2 Principles of CNC Network Information Security Protection The security protection of CNC network information should follow the following principles. a) Internet available The use of various safety protection measures should not affect the normal operation of the CNC network and the interaction between the CNC network and external networks. b) Network isolation The CNC network should only be used for CNC production and processing business, a dedicated physical network should be used, and the interaction with external networks should be effective Safety protection measures. c) Divisional defense The numerical control network should be divided into numerical control network-supervisory control area and numerical control network-numerical control equipment area. CNC Network-CNC Equipment The area can be further divided into different sub-areas according to the production function. Different areas should be protected according to safety requirements. Protection measures. On the premise of not affecting the work of each area, safety isolation measures should be taken at the boundary of each area to ensure that each area There is a clear boundary setting between them, and the security of each regional boundary is guaranteed. d) Comprehensive protection The security protection of the CNC network can be achieved through physical access control measures, management measures and technical measures. Protection of a single device The use of protection, single protection measures, or single protection products cannot effectively protect the CNC network. A security mechanism and multi-layer protection strategy. Note. See the requirements in GB/T 22239 for physical access control measures. 5.3 Safety technical requirements This standard proposes equipment security technical requirements, network security technical requirements, application security technical requirements, data security technical requirements and collections. Central management and control technology requirements. The equipment safety technical requirements are for the operating system on the acquisition server in the CNC network, the operating system and database system on the NC server. System, the operating system of the CNC system on the CNC equipment and the network communication equipment in the CNC network from identity authentication, access control, intrusion prevention, Provisions are made for resource control, malicious code prevention, and security auditing. The network security technology requires from the network architecture, CNC network and management network, and the boundary between different security areas within the CNC network Provisions are made for protection, access control, intrusion prevention, security auditing, and use control of wireless networks in CNC networks. Application security technology requires the identification of various application software installed on the acquisition server, NC server, and numerical control equipment. Provisions are made in terms of security, access control, resource control, software fault tolerance, and security audits. Data security technical requirements are for the NC codes, process files, audit records, etc. stored on the equipment and the NC codes transmitted between the equipment, Data such as equipment status information is specified in terms of data integrity, data confidentiality, data backup and recovery, and remaining information protection. According to the business type, classify the business sensitive data of CNC network and take corresponding protection measures. Centralized management and control technology requirements stipulate the centralized management of various security mechanisms implemented by security equipment and security components in the CNC network. 5.4 Classification of safety technical requirements This standard divides various requirements into basic requirements and enhanced requirements according to the needs of CNC networks for security protection capabilities. The enhancement request is right Supplement and enhancement of basic requirements.

6 Equipment safety technical requirements

6.1 Safety technical requirements for NC server and acquisition server 6.1.1 Identity authentication 6.1.1.1 Basic requirements The basic requirements include. a) It shall be able to uniquely identify and authenticate logging in the NC server operating system, collecting server operating system and NC server data Users of the library system; b) It should be possible to compulsorily configure the NC server operating system and acquisition server by setting the minimum length and multiple character types The user password strength of the operating system and NC server database system; c) The user's password should be stored encrypted; d) Thresholds should be set for consecutive invalid access attempts, and within the specified time period, the NC server operating system and collection service When the number of access attempts of the server operating system and NC server database system exceeds the threshold, it should be able to alert and lock Set until the administrator unlocks. 6.1.1.2 Enhanced requirements The enhancement requirements include. a) Any existing users of NC server operating system, acquisition server operating system and NC server database system should be prevented The account uses the same password repeatedly; b) It should have the function of handling login failures, and take measures such as ending the session and automatically exiting after the login connection timeout; c) It should be able to uniquely identify all equipment; d) The longest and shortest validity periods of user passwords should be restricted; e) It should be able to hide the authentication information feedback during the authentication process; f) Two or more authentication technologies should be provided for identity authentication, at least one of which is unforgeable. 6.1.2 Access Control 6.1.2.1 Basic requirements The basic requirements include. a) Accounts and permissions should be assigned to users who log in to the NC server, collection server operating system and NC server database system, According to the user's role, only the minimum permissions required by the user are granted. b) Authorized users of NC server, collection server operating system and NC server database system shall be supported to manage all accounts, Including adding, activating, modifying, deactivating and deleting accounts. c) Should support renaming and modification of the default account of NC server, collection server operating system and NC server database system The default password of the default account. d) It shall support the deletion or disabling of redundant and outdated NC server, collection server operating system and NC server database system Account, avoid the existence of shared accounts. e) It should be able to configure the inactive time period, and the operation of the NC server, the collection server operating system and the NC server database system Users should automatically start after the inactive time period specified in the security policy or manually initiate session lock to prevent further access. The session lock should remain effective until the person initiating the session or other authorized personnel uses the appropriate identification And authentication re-establish access. f) Authorized users or roles of NC server, collection server operating system and NC server database system shall be supported for all The user's authority mapping is specified and modified. 6.1.2.2 Enhanced requirements The enhancement requirements include. a) It should be able to set the operation timeout for the acquisition server accessing the NC server, and automatically lock it after the timeout; b) Authorized personnel should be supported to configure access control strategies, which stipulate user access rules to resources; c) The granularity of access control should be such that the access subject is the user or software process, and the accessible resources are files and database tables; d) Important information resources such as NC code and user authentication information should be set up with sensitive marks, and users should be strictly controlled in accordance with security policies. Operate on important information resources with sensitive marks. 6.1.3 Intrusion Prevention 6.1.3.1 Basic requirements The basic requirements include. a) The operating system of the acquisition server and NC server should adopt the minimum installation principle, and only install the necessary components and application software; b) The use of peripheral ports and wireless functions such as the USB of the acquisition server and NC server should be clearly blocked or restricted; c) Unauthorized mobile devices are not allowed to connect to the collection server or NC server, and are not allowed to authorize mobile devices to exceed their rights Limited operations; d) It is not allowed to communicate with users or systems outside the CNC network through the instant messaging system; e) Unnecessary system services, default sharing and ports should be closed. 6.1.3.2 Enhanced requirements The enhancement requirements include. a) Only authorized collection servers should be allowed to access the NC server, and only authorized mobile devices should be allowed to access the collection server and NC server; b) The vulnerabilities in the collection server and NC server operating system should be patched in time after full testing and evaluation It should not affect normal production. Note. To ensure the normal progress of production, loophole patch testing and loophole patching can be performed during planned or unplanned system maintenance. 6.1.4 Resource Control 6.1.4.1 Basic requirements The basic requirements include. a) The network and security configuration recommended in the guide provided by the supplier should be set up; b) The operating resources of the equipment should be monitored, including but not limited to the use of CPU, hard disk, memory and other resources; c) Hardware redundancy of NC servers and industrial switches should be provided to ensure the availability of the system. 6.1.4.2 Enhanced requirements The enhancement requirements include. a) It should be able to set a threshold for the resource usage of the device, and give an alarm when the threshold is reached; b) It should be able to limit the number of concurrent sessions on the device interface, and the number of sessions is configurable; c) It should be able to generate a list of the current security configuration of the equipment. 6.1.5 Malicious code prevention 6.1.5.1 Basic requirements The basic requirements include. a) Malicious code protection mechanisms should be deployed on the collection server and NC server to achieve the purpose of preventing malicious code; b) The protection of the malicious code of the collection server and NC server should not change the configuration of the system, read sensitive information, and consume a large amount of system Resources or affect the availability of the system; c) The use of mobile code technologies that may cause damage should be restricted on the acquisition server and NC server, including but not limited to preventing migration Execution of mobile code, identification and authorization of the source of mobile code, and monitoring of the use of mobile code; Note 1.Mobile code refers to programs or plug-ins such as Java, JavaScript, ActiveX, etc. d) The protection mechanism of malicious code on the collection server and NC server should be upgraded regularly. Normal production should be affected and the upgrade content should be fully tested. Note 2.To ensure the normal progress of production, malicious code protection mechanisms can be upgraded and tested during planned or unplanned system maintenance. 6.1.5.2 Enhanced requirements The enhancement requirements include. a) The integrity of the mobile code should be checked before the execution of the mobile code; b) Before updating the malicious code library, Trojan horse library, and rule library, you should first pass the test in the test environment. The code update should have a dedicated person responsible, the update operation should be performed offline, and the update record should be kept. 6.1.6 Security Audit 6.1.6.1 Basic requirements The basic requirements include. a) Responses include, but are not limited to, user login to the operating system, access to NC code, NC code transmission, request errors, backup and restoration Auditing security events such as recovery and configuration changes; b) Audit records should include but are not limited to timestamp, source, category, event identif......

Image

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 37955-2019_English be delivered?

Answer: Upon your order, we will start to translate GB/T 37955-2019_English as soon as possible, and keep you informed of the progress. The lead time is typically 2 ~ 4 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 37955-2019_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 37955-2019_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.