
GA/T 1559-2019 English PDF

GA/T 1559-2019: Information security technology - Security technical requirements for industrial control system software vulnerability scanners
Status: Valid


Basic data

Standard ID: GA/T 1559-2019 (GA/T1559-2019)
Description (Translated English): Information security technology - Security technical requirements for industrial control system software vulnerability scanners
Sector / Industry: Public Security (Police) Industry Standard (Recommended)
Classification of Chinese Standard: A90
Classification of International Standard: 35.240
Word Count Estimation: 14,112
Date of Issue: 2019
Date of Implementation: 2019-04-16
Issuing agency(ies): Ministry of Public Security



---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.240
A90
GA
People's Republic of China Public Safety Industry Standard
Information security technology - Security technical requirements for industrial control system software vulnerability scanners
Published by the Ministry of Public Security of the People's Republic of China

Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Acronyms
5 General description
5.1 Classification of safety technical requirements
5.2 Classification of security levels
6 Safety function requirements
6.1 Information acquisition
6.2 Vulnerability scan content
6.3 Scanning result analysis and processing
6.4 Scan configuration
6.5 Target object security
6.6 Upgrade capability
6.7 Scanning IP address restrictions
6.8 Self-safety requirements
7 Security requirements
7.1 Development
7.2 Guidance documents
7.3 Life cycle support
7.4 Testing
7.5 Vulnerability assessment
8 Requirements for different security levels
8.1 Safety function requirements
8.2 Security requirements

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard was proposed by the Cyber Security Bureau of the Ministry of Public Security.

This standard is under the jurisdiction of the Information System Security Standardization Technical Committee of the Ministry of Public Security.

Drafting organization of this standard: Computer Information System Security Product Quality Supervision and Inspection Center of the Ministry of Public Security.

The main drafters of this standard: Li Xi, Shen Qinghong, Yu You, Zou Chunming, Lu Zhen, Gu Jian.

Information security technology - Security technical requirements for industrial control system software vulnerability scanning products

1 Scope

This standard specifies the security function requirements, security assurance requirements, and classification requirements for industrial control system software vulnerability scanning products. This standard applies to the design, development, and testing of industrial control system software vulnerability scanning products.

2 Normative references

The following documents are essential for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.

GB/T 18336.3-2015 Information technology - Security technology - Information technology security assessment guidelines - Part 3: Security assurance components
GB/T 25069-2010 Information security technology - Terminology
GB/T 30976.1-2014 Information security of industrial control systems - Part 1: Evaluation specifications

3 Terms and definitions

The terms and definitions in GB/T 25069-2010 and GB/T 30976.1-2014, and the following, apply to this document.

3.1 Industrial control system software
A collection of upper computer software and lower computer software for industrial control systems.

3.2 Vulnerability
Defects or weaknesses in system design, implementation, or operation and management that can be exploited to compromise system integrity or security policies.

3.3 Flag (banner)
A piece of information sent by an application, usually including a welcome message, application name, and version.

4 Acronyms

The following abbreviations apply to this document.

DCS: Distributed Control System
HMI: Human Machine Interface
PLC: Programmable Logic Controller
SCADA: Supervisory Control And Data Acquisition

5 General description

5.1 Classification of safety technical requirements

This standard divides the security technical requirements of industrial control system software vulnerability scanning products into security function requirements and security assurance requirements. Of these, the security function requirements are specific requirements for the security functions that industrial control system software vulnerability scanning products should possess. Identification and authentication limit the use of product functions and control access to data, so that the product has the ability of independent security protection and the normal operation of the industrial control system software vulnerability scanning product is ensured; the audit function requirements make the administrator's various operating behaviors and scanning events all traceable. The security assurance requirements put forward specific requirements for the content of the development and use documents of industrial control system software vulnerability scanning products, such as development, testing, and guidance documents.

5.2 Classification of security levels

The security level of industrial control system software vulnerability scanning products is divided, according to the strength of their security function requirements and security assurance requirements, into a basic level and an enhanced level. The security assurance requirements refer to GB/T 18336.3-2015.

6 Safety function requirements

6.1 Information acquisition

6.1.1 Support system information
It should be able to detect the operating system type and version number of the supporting platform on which the industrial control system software is located, and be able to obtain the flags (banners) of the opened TCP/IP services.

6.1.2 Open ports
It should be able to detect the TCP and UDP ports opened by the operating system where the industrial control system software is located, and be able to determine the common service or protocol corresponding to each port.

6.1.3 Protocol support
It should support typical industrial control protocols, such as MODBUS TCP, OPC, Siemens S7, IEC 60870-5-104, IEC 61850, etc.

6.2 Vulnerability scanning content

6.2.1 Vulnerability discovery
It should be possible to discover the security vulnerability issues of open industrial control system software.

6.2.2 Vulnerability mining
It should be possible to discover the security vulnerability of unknown industrial control system software.

6.2.3 Weak passwords
It should be able to check the robustness of system user passwords using dictionaries or exhaustive methods. The check items should include:
a) Whether the system uses a simple transformation of the user name as the password;
b) Whether the system uses easy-to-guess passwords.

6.2.4 File sharing
It should be able to check the file sharing mechanism and find dangerous settings. The inspection items should include:
a) Whether important directories are shared;
b) Whether the shared directory can be written by anonymous users;
c) Whether a default or overly simple shared password was used.

6.3 Scanning result analysis and processing

6.3.1 Scanning results browsing and export
A scanning result browsing function shall be provided, and export of scanning result data shall be supported.

6.3.2 Report generation
It should be able to generate corresponding reports based on the scan results. The report requirements include the following:
a) Vulnerability name, vulnerability description, scope of influence, etc. of each vulnerability;
b) Risk level assessment of the target, categorizing the scanned vulnerability points according to the severity of the risk and clearly marking them;
c) An overall report of the results of multiple target scans;
d) A summary report of the vulnerability scan information;
e) It should be output in a common document format.

6.3.3 Report customization
Report content customization capabilities should be provided.

6.3.4 Vulnerability patching recommendations
It should be able to propose repairs for the discovered vulnerabilities:
a) Propose targeted vulnerability patching methods for different security vulnerability issues;
b) The vulnerability description should be detailed, and the vulnerability repair methods provided should be reasonable and usable.

6.3.5 Result comparison
It should provide a comparison function for multiple scan results of the same target or for scan results between different hosts, and be able to generate a comparison report based on the comparison results.

6.4 Scan configuration

6.4.1 Scanning strategy
A convenient method of customizing the policy should be provided, which can specify the scan address range, port range, vulnerability type, etc.

6.4.2 Wizard function
A wizard function should be provided to help users configure scanning policies.

6.4.3 Scheduled tasks
It should be able to customize the scan schedule, so that scans can be started at a set time or executed periodically.

6.4.4 Scanning for known accounts/passwords
It should be able to scan the target system more effectively with a known account/password.

6.5 Target object security

The following methods should be supported to avoid affecting the normal operation of the target object and its network:
a) Support scanning by version detection and vulnerability database comparison to avoid the impact of vulnerability verification methods on the system;
b) Provide reasonable scanning speed by adjusting the number of scanning threads, processes, or requests.

6.6 Upgrade capability

It should be possible to update the vulnerability signature database:
a) Support manual or automatic upgrade operation;
b) Have upgrade security measures.

6.7 Scanning IP address restrictions

Means should be provided to limit the scope of product scanning.

6.8 Self-safety requirements

6.8.1 Identification and attributes

6.8.1.1 Unique identification
The user should be provided with a unique identity, and the user's identity should be associated with all of the user's auditable capabilities.

6.8.1.2 Attribute definition
Security attributes associated with each management role should be specified, such as management role identification, authentication information, membership groups, permissions, and so on.

6.8.1.3 Attribute initialization
The ability to initialize the attributes of each created management role with default values should be provided.

6.8.2 Identity authentication

6.8.2.1 Basic authentication
Users should be authenticated before performing any administrator-related functions.

6.8.2.2 Authentication data protection
It shall be ensured that the authentication data is not accessed or modified without authorization.

6.8.2.3 Handling of authentication failure
Certain authentication failure handling measures shall be provided. When the number of authentication failures reaches the set value, it shall be able to prevent the user from making further authentication attempts.

6.8.2.4 Timeout lock or logout
It should have a login timeout lock or logout function, which can lock or terminate the session when there is no operation within a set period of time. Identity authentication must be performed again before operation can resume. The maximum timeout period is set only by the authorized administrator.

6.8.3 Security management

6.8.3.1 Security management functions
It should be ensured that the authorized administrator has the following management rights:
a) View security attributes;
b) Modify security attributes;
c) Activate or deactivate all or part of the safety functions;
d) Develop and modify various security policies.

6.8.3.2 Role management
It should be able to distinguish administrator roles:
a) Administrator roles with at least two different permissions, such as operator, security officer, auditor, etc.;
b) According to different function modules, a variety of roles with different permissions can be customized, and roles can be assigned to administrators.

6.8.3.3 Remote security management
If the product provides remote management capabilities:
a) It should be able to protect remote management conversations from unauthorized access;
b) It should be possible to restrict the host addresses that can be remotely managed.

6.8.4 Audit log

6.8.4.1 Audit log generation
It should be possible to generate logs for the following events:
a) Administrator login success and failure;
b) Changes to security policies;
c) The session connection is terminated because the number of unsuccessful authentication attempts exceeds the set limit;
d) Addition, deletion, and modification of attributes of administrators and management roles;
e) Export and deletion of audit logs;
f) Start, pause and stop of scanning tasks.
Each audit log shall include at least the event subject, the date and time when the event occurred, the event description, and the result. If the product is managed by remote login, the address of the management host shall also be recorded.

6.8.4.2 Audit log saving
The audit log should be stored on non-volatile media so that it is retained at power loss.

6.8.4.3 Audit log management
The following audit log management functions should be provided:
a) Only authorized administrators are allowed to access the audit log;
b) Provide a query function for audit logs;
c) Authorized administrators should be able to export audit logs;
d) Provide conditional query and sorting functions for audit logs.

6.8.4.4 Audit storage security
A function for handling exhaustion of data storage space shall be provided, and an alarm function shall be provided when the remaining storage space reaches the threshold.
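
An added example, not part of the standard or of any product: one way an evaluator could check audit records exported from a scanner against the record content and event list in 6.8.4.1. The JSON-lines layout, the field names and the event names are assumptions, and the sample records are constructed.

```python
import json
from datetime import datetime

# 6.8.4.1: every record carries subject, date and time, description, result.
REQUIRED_FIELDS = ("subject", "time", "description", "result")

# Events a) to f) of 6.8.4.1. The string names are assumptions for this sketch.
REQUIRED_EVENTS = {
    "login_success": "a", "login_failure": "a",
    "policy_change": "b",
    "auth_lockout": "c",
    "admin_role_change": "d",
    "audit_export": "e", "audit_delete": "e",
    "scan_start": "f", "scan_pause": "f", "scan_stop": "f",
}


def check_record(rec):
    """Return the list of 6.8.4.1 content problems found in one record."""
    problems = []
    for field in REQUIRED_FIELDS:
        value = rec.get(field)
        if value is None or not str(value).strip():
            problems.append(f"missing {field}")
    t = rec.get("time")
    if t is not None and str(t).strip():
        try:
            datetime.fromisoformat(t)
        except (TypeError, ValueError):
            problems.append("time is not an ISO 8601 date and time")
    # Remote management must also record the management host address.
    if rec.get("remote") and not str(rec.get("mgmt_host") or "").strip():
        problems.append("remote management session without management host address")
    return problems


def audit_conformance(lines):
    """Check exported records; return (findings, event types never seen)."""
    findings, seen = [], set()
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            findings.append((n, "not a JSON object"))
            continue
        findings.extend((n, p) for p in check_record(rec))
        if rec.get("event") in REQUIRED_EVENTS:
            seen.add(rec["event"])
    return findings, sorted(set(REQUIRED_EVENTS) - seen)


# Constructed sample export, one JSON object per line.
SAMPLE = [
    '{"event":"login_success","subject":"admin1","time":"2019-04-16T09:00:00+08:00",'
    '"description":"administrator login","result":"success","remote":true,"mgmt_host":"192.0.2.10"}',
    '{"event":"login_failure","subject":"admin1","time":"2019-04-16T09:01:00+08:00",'
    '"description":"administrator login","result":"failure","remote":true}',
    '{"event":"scan_start","subject":"operator1","time":"16/04/2019 09:05",'
    '"description":"scan task 7 started","result":"success"}',
    '{"event":"policy_change","subject":"","time":"2019-04-16T09:10:00+08:00",'
    '"description":"scan policy edited","result":"success"}',
    '{"event":"scan_stop","subject":"operator1","time":"2019-04-16T09:30:00+08:00",'
    '"description":"scan task 7 stopped","result":"success"}',
]

if __name__ == "__main__":
    findings, missing = audit_conformance(SAMPLE)
    for n, problem in findings:
        print(f"record {n}: {problem}")
    print("event types not seen in this export:", ", ".join(missing))
```

The list of event types never seen is only meaningful when the export comes from a test run that exercised every event in a) to f).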

7 Security requirements

7.1 Development

7.1.1 Security architecture
The developer should provide a description of the security architecture of the product's security functions. The description of the security architecture should meet the following requirements:
a) Be consistent with the level of abstraction of the description of security functions implemented in the product design document;
b) Describe the security domains of the product security functions consistent with the requirements of the security functions;
c) Describe why the product safety function initialization process is safe;
d) Confirm that product safety functions can be prevented from being compromised;
e) Verify that product safety functions prevent safety features from being bypassed.

7.1.2 Functional specifications
Developers should provide complete functional specifications, which should meet the following requirements:
a) Fully describe the safety functions of the product;
b) Describe the purpose and use of all safety function interfaces;
c) Identify and describe all parameters related to each safety function interface;
d) Describe the safety function implementation behavior related to the safety function interface;
e) Describe direct error messages caused by the behavioral processing of safety functions;
f) Confirm that the safety function requirements are traceable to the safety function interfaces;
g) Describe all actions related to the safety function interface during the implementation of the safety function;
h) Describe all direct error messages that may be caused by the call of the safety function interface.

7.1.3 Implementation representation
Developers should provide implementation representations for all security functions. Implementation representations should meet the following requirements:
a) Provide a mapping between product design descriptions and implementation representation examples and prove their consistency;
b) Define the product safety functions at a level of detail such that they can be generated without further design;
c) Be provided in the form used by developers.

7.1.4 Product design
Developers should provide product design documents, which should meet the following requirements:
a) Describe the product structure in terms of subsystems;
b) Identify and describe all subsystems of product safety functions;
c) Describe the interaction between all subsystems of the safety function;
d) The mapping relationship provided can verify that all the behaviors described in the design can be mapped to the security function interface that calls it;
e) Describe safety functions according to the module;
f) Provide the mapping relationship between the safety function subsystem and the module;
g) Describe all safety function implementation modules, including their purpose and interaction with other modules;
h) Describe the relevant interfaces required by all modules to implement the security functions, return values from other interfaces, interactions with other modules, and called interfaces;
i) Describe the supporting or related modules of all safety functions, including their purpose and interaction with other modules.

7.2 Guidance documents

7.2.1 Operation user guide
Developers should provide clear and reasonable operating user guides, which are consistent with all other documents provided for evaluation. The description of each user role should meet the following requirements:
a) Describe the functions and privileges accessible to users that should be controlled in a secure processing environment, including appropriate alert information;
b) Describe how to use the available interfaces provided by the product in a secure manner;
c) Describe available functions and interfaces, especially all safety parameters controlled by the user, and indicate safety values where appropriate;
d) Clearly state each security-related event related to the user-accessible functions that need to be performed, including changes to the security characteristics of entities controlled by the security functions;
e) Identify all possible states of operation of the product (including failures or operational errors caused by operations), and their causal relationship and connection to maintaining safe operation;
f) The security policies necessary to fully implement the security objectives.

7.2.2 Preparation procedures
The developer shall provide the product and its preparation procedures. The preparation procedure description shall meet the following requirements:
a) Describe all steps necessary to securely receive the delivered product in accordance with the developer delivery process;
b) Describe all steps necessary to safely install the product and its operating environment.

7.3 Life cycle support

7.3.1 Configuration management capability
Developer configuration management capabilities should meet the following requirements:
a) Provide unique identification for different versions of the product;
b) Use a configuration management system to maintain all configuration items that make up the product and uniquely identify configuration items;
c) Provide configuration management documents, which describe the method used to uniquely identify configuration items;
d) The configuration management system provides an automatic way to support the generation of products, by which it is ensured that only authorized changes can be made to the implementation representation of the product;
e) The configuration management document includes a configuration management plan, which describes how to develop products using a configuration management system. The actual configuration management is consistent with the configuration management plan;
f) The configuration management plan describes the procedures used to accept modified or newly created configuration items as part of the product.

7.3.2 Configuration management scope
The developer should provide a list of product configuration items and describe the developer of each configuration item. The configuration item list should include the following:
a) Evaluation evidence of products, safety assurance requirements and components of products;
b) Implementation representation, security defect reports and their resolution status.

7.3.3 Delivery procedure
Developers should use a certain delivery procedure to deliver the product and document the delivery process. When delivering versions of the product to the user, the delivery documentation should describe all procedures necessary to maintain security.

7.3.4 Development security
Developers should provide development security documentation. The development security documentation should describe all physical, procedural, personnel and other security measures necessary to protect the confidentiality and integrity of the product design and implementation.

7.3.5 Life cycle definition
The developer should establish a life cycle model to control the development and maintenance of the product, and provide a life cycle definition document that describes the model used to develop and maintain the product.

7.3.6 Tools and techniques
Developers should clearly define the tools used to develop the product, and provide development tool documentation that unambiguously defines the meaning of each statement in the implementation and the meaning of all implementation-dependent options.

7.4 Testing

7.4.1 Test coverage
The developer should provide a test coverage document, and the test coverage description should meet the following requirements:
a) Indicate the correspondence between the tests identified in the test documentation and the safety functions of the product described in the functional specification;
b) Show that the above correspondence is complete and confirm that all safety function interfaces in the functional specification have been tested.

7.4.2 Test depth
Developers should provide test depth analysis. The test depth analysis description should meet the following requirements:
a) Confirm the consistency between the tests in the test documentation and the safety function subsystems and implementation modules in the product design;
b) Verify that all safety function subsystems and implementation modules in the product design have been tested.

7.4.3 Functional test
Developers should test product security features, document the results and provide test documentation. The test documentation should include the following:
a) A test plan that identifies the tests to be performed and describes the scenarios for each test, including any ordering dependency on the results of other tests;
b) The expected test results, indicating the expected output after a successful test;
c) Consistency between actual test results and expected test results.

7.4.4 Independent testing
Developers should provide a set of resources equivalent to those used for self-testing security features for sample testing of security features.

7.5 Vulnerability assessment

Based on the identified potential vulnerabilities, the product is resistant to the following attacks:
a) Attacks by attackers with basic attack potential;
b) Attacks by attackers with enhanced basic attack potential.

8 Requirements for different security levels

8.1 Safety function requirements

The security function requirements for the vulnerability scan products of industrial control system software of different security levels are shown in Table 1.

Table 1 Security function requirements of software vulnerability scanning products for industrial control system with different security levels

| Security function requirement | Item | Basic level | Enhanced level |
|---|---|---|---|
| Information acquisition | Support system information | 6.1.1 | 6.1.1 |
| Information acquisition | Open ports | 6.1.2 | 6.1.2 |
| Information acquisition | Protocol support | 6.1.3 | 6.1.3 |
| Vulnerability scanning content | Vulnerability discovery | 6.2.1 | 6.2.1 |
| Vulnerability scanning content | Vulnerability mining | - | 6.2.2 |
| Vulnerability scanning content | Weak passwords | 6.2.3 | 6.2.3 |
| Vulnerability scanning content | File sharing | 6.2.4 | 6.2.4 |
| Scanning result analysis and processing | Scanning results browsing and export | 6.3.1 | 6.3.1 |
| Scanning result analysis and processing | Report generation | 6.3.2 | 6.3.2 |
| Scanning result analysis and processing | Report customization | - | 6.3.3 |
| Scanning result analysis and processing | Vulnerability patching recommendations | 6.3.4 | 6.3.4 |
| Scanning result analysis and processing | Comparison of results | - | 6.3.5 |
| Scan configuration | Scanning policy | 6.4.1 | 6.4.1 |
| Scan configuration | Planned tasks | 6.4.2 | 6.4.2 |
| Scan configuration | Scan for known accounts/passwords | - | 6.4.3 |
| Target object security | | 6.5 | 6.5 |
| Upgrade capability | | 6.6 a) | 6.6 |
| Scanning IP address restrictions | | - | 6.7 |
| Own security requirements | Identification and attributes | 6.8.1 | 6.8.1 |
| Own security requirements | Identity | 6.8.2 | 6.8.2 |
| Own security requirements | Safety management | 6.8.3.1, 6.8.3.3 a), 6.12.3.4 a) | 6.8.3 |
| Own security requirements | Audit log | 6.8.4.1-6.8.4.3 | 6.8.4 |

8.2 Security requirements

Table 2 shows the security requirements of software vulnerability scanning products for industrial control systems with different security levels.

Table 2 Security assurance requirements for software vulnerability scanning products of industrial control system with different security levels

| Security assurance requirement | Item | Basic level | Enhanced level |
|---|---|---|---|
| Development | Security architecture | 7.1.1 | 7.1.1 |
| Development | Functional specifications | 7.1.2 a) to f) | 7.1.2 |
| Development | Implementation representation | - | 7.1.3 |
| Development | Product design | 7.1.4 a) to d) | 7.1.4 |
| Guidance documents | Operation user guide | 7.2.1 | 7.2.1 |
| Guidance documents | Preparation procedures | 7.2.2 | 7.2.2 |
| Life cycle support | Configuration management capabilities | 7.3.1 a) to c) | 7.3.1 |
| Life cycle support | Configuration management scope | 7.3.2 a) | 7.3.2 |

Table 2 (continued) Security Assurance Requ...
