GB/T 25070-2019
Information security technology -- Technical requirements of security design for classified protection of cybersecurity
Status: Valid

Standard ID: GB/T 25070-2019
Description (translated English): Information security technology -- Technical requirements of security design for classified protection of cybersecurity
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word count estimation: 50,530
Date of issue: 2019-05-10
Date of implementation: 2019-12-01
Drafting organizations: The First Research Institute of the Ministry of Public Security; Beijing University of Technology; Beijing Chinasoft Huatai Information Technology Co., Ltd.; the Sixth Research Institute of China Electronics Information Industry Group Co., Ltd.; China Academy of Information and Communications Technology; Alibaba Cloud Computing Technology Co., Ltd.; Bank of China Co., Ltd. Software Center; The Third Research Institute of the Ministry of Public Security; Information Center of the National Energy Administration; China Electric Power Research Institute Co., Ltd.; Software Research Institute of the Chinese Academy of Sciences; Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Evaluation Center); China Institute of Information Engineering, Academy of Sciences; Venus Star Information Technology Group Co., Ltd.; Zhejiang China Tobacco Industry Co., Ltd.; CCTV; Beijing Jiangnan Tianan Technology Co., Ltd.; Huawei Technologies Co., Ltd.; Beijing University of Aeronautics and Astronautics; Beijing Institute of Technology; Beijing Tianan
Administrative organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agencies: State Administration for Market Regulation; China National Standardization Administration
GB/T 25070-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 25070-2010
Information security technology - Technical
requirements of security design for classified
protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Design overview of classified protection security technology of cybersecurity
5.1 Design framework of security technology of general classified protection
5.2 Design framework of security technology of classified protection for cloud computing
5.3 Design framework of security technology of classified protection for mobile interconnection
5.4 Design framework of security technology of classified protection for Internet of Things
5.5 Design framework of security technology of classified protection of industrial control
6 Design of the first-level system security protection environment
6.1 Design targets
6.2 Design strategy
6.3 Design technical requirements
7 Design of second-level system security protection environment
7.1 Design targets
7.2 Design strategy
7.3 Design technical requirements
8 Design of third-level system security protection environment
8.1 Design targets
8.2 Design strategy
8.3 Design technical requirements
9 Design of fourth-level system security protection environment
9.1 Design targets
9.2 Design strategy
9.3 Design technical requirements
10 Design of fifth-level system security protection environment
11 Interconnection design of classified system
11.1 Design targets
11.2 Design strategy
11.3 Design technical requirements
Appendix A (Informative) Design of access control mechanism
Appendix B (Informative) Design example of third-level system security protection environment
Appendix C (Informative) Technical requirements for big data design
References
Information security technology - Technical
requirements of security design for classified
protection of cybersecurity
1 Scope
This standard specifies the technical requirements for the security design of the first to fourth levels of classified protection of cybersecurity.
This standard is applicable to the design and implementation of classified protection of cybersecurity and of security technology solutions by operating and using organizations, network security enterprises and network security service agencies. It can also be used as the basis for cybersecurity functional departments to conduct supervision, inspection and guidance.
Note: The fifth-level classified protection object is an especially important object of supervision and management. It has special management modes and security design technical requirements, so it is not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the edition cited applies; for undated references, the latest edition (including all amendments) applies.
GB 17859-1999 Classified criteria for security protection of computer
information system
GB/T 22240-2008 Information security technology - Classification guide for
classified protection of information systems security
GB/T 25069-2010 Information security technology - Glossary
GB/T 31167-2014 Information security technology - Security guide of
cloud computing services
GB/T 31168-2014 Information security technology - Security capability
requirements of cloud computing services
GB/T 32919-2016 Information security - Industrial control systems -
network layer and the application layer, etc.
c) Security communication network
Includes the components of the Internet of Things system that carry information between its security computing environments and security area boundaries and that enforce the security policies, such as the communication network at the network layer and the communication network between the security computing environment inside the sensor layer and the application layer.
d) Security management center
Includes a platform for the unified management of the security policies and of the security mechanisms in the security computing environments, security area boundaries and security communication networks of the Internet of Things system. It comprises three parts: system management, security management and audit management. A security management center is designed only for second-level and higher security protection environments.
5.5 Design framework of security technology of classified protection of industrial control
The industrial control system is zoned according to the business nature of the protected object, and the classified protection design is implemented according to the technical characteristics of each functional level; the design framework of security technology of classified protection for industrial control systems is shown in Figure 5. The triple protection system of computing environment, area boundary and communication network, supported by the security management center, adopts a layered and partitioned architecture. The design takes into account the characteristics of industrial control systems: complex and diverse bus protocols, strong real-time requirements, limited node computing resources, high device reliability requirements, short fault recovery times, and security mechanisms that must not affect real-time performance. Its aim is reliable, controllable and manageable secure interconnection, area boundary protection and computing environment security.
The industrial control system is divided into four layers, layers 0 to 3, which constitute the scope of classified protection of the industrial control system and the area covered by the design framework. Security zones of the industrial control system are divided horizontally: according to the importance of the business, its timeliness, business relevance, degree of impact on field controlled devices, functional scope, asset attributes, etc., it forms
so that the system users have the ability to protect the object it belongs to.
6.2 Design strategy
The design strategy of the first-level system security protection environment follows the relevant requirements of 4.1 of GB 17859-1999: based on identity authentication, provide users and/or user groups with autonomous access control over files and database tables, so as to isolate users from data and give users the ability to protect their own security; provide area boundary protection by means of packet filtering; provide data and system integrity protection by means of data verification and prevention of malicious code.
The first-level system security protection environment is realized through the design of the first-level security computing environment, security area boundary and security communication network. Computing nodes shall perform trusted verification, rooted in a root of trust, from power-on through operating system startup.
6.3 Design technical requirements
6.3.1 Design technical requirements for security computing environment
6.3.1.1 Technical requirements for the design of general security
computing environment
This requirement includes:
a) Authentication of user identity
It shall support user identification and user authentication. When each user
registers with the system, use the user name and user identifier to identify
the user's identity; each time a user logs in to the system, use a password
authentication mechanism to authenticate the user's identity and protect the
password data.
b) Autonomous access control
Within the scope of security policy control, make the users / user groups
have corresponding access operation permissions on the objects they
create; meanwhile grant some or all of these permissions to other users /
user groups. The granularity of the access control subject is the user / user
group level; the granularity of the object is the file or database table level.
Access operations include creating, reading, writing, modifying, deleting
objects.
b) Application control
It shall provide an application signature authentication mechanism, to refuse
installation and execution of application software that has not been
authenticated and signed.
6.3.1.4 Technical requirements for design of security computing
environment for Internet of Things systems
This requirement includes:
a) Authentication of sensor layer device
It shall use the conventional authentication mechanisms to identify the
identity of the sensor device, to ensure that the data originates from the
correct sensor device.
b) Access control of sensor layer device
It is necessary to implement access control on sensor devices by formulating
security policies such as access control lists.
6.3.1.5 Technical requirements for design of security computing
environment for industrial control systems
This requirement includes:
a) Authentication of industrial control
Field control layer device and process monitoring layer device shall
implement unique marking, authentication and certification, to ensure that
the status of authentication and functional integrity can be verified and
confirmed at any time. Programs and corresponding data sets running on
control device and monitoring device shall be managed by unique identifier.
b) Access control of field device
It shall implement the role-based access control policies for users who pass
the identity authentication. After receiving the operation command, the field
device shall check whether the role bound to the user has the authority to
perform the operation. The user with authority obtains the permission. If the
user does not obtain the permission, it shall issue an alarm message to the
upper layer.
c) Protection of control process integrity
It shall complete the specified tasks within the specified time; the data shall
be processed in an authorized manner, to ensure that the data is not illegally
7.3 Design technical requirements
7.3.1 Technical requirements for design of security computing
environment
7.3.1.1 Technical requirements for design of general security computing
environment
This requirement includes:
a) Authentication of user identity
It shall support the user identification and user authentication. When each
user registers with the system, use the user name and user identifier to
identify the user, meanwhile ensure the uniqueness of the user identifier
throughout the life cycle of the system; each time a user logs in to the
system, use a controlled password or other mechanisms of
corresponding security strength for authentication of user identity; use
cryptographic technology for confidentiality and integrity protection of
authentication data.
b) Autonomous access control
Within the scope of security policy control, users shall be allowed to access
the objects they create, and some or all of these permissions can be granted
to other users. The granularity of the access control subject is the user level;
the granularity of the object is the file or database table level. Access
operations include creating, reading, writing, modifying, deleting objects.
c) System security audit
It shall provide a security audit mechanism, to record system-related security
events. The audit record includes the subject, object, time, type and result
of the security incident. The mechanism shall provide audit record query,
classification and storage protection, which can be managed by the security
management center.
d) Protection of user data integrity
It may use a conventional check mechanism, to check the integrity of the
stored user data, to find out whether its integrity has been compromised.
e) Protection of user data confidentiality
It may use confidentiality protection mechanisms supported by cryptographic technology, to protect the confidentiality of user data as stored and processed in the security computing environment.
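Items a), b) and c) of 7.3.1.1 (and items a) and b) of 6.3.1.1, which differ only in subject granularity) describe mechanisms, not code. The following is an added Python model of them; it is not code from the standard or from any of its drafting organizations. It assumes salted PBKDF2-HMAC-SHA256 as the "controlled password" mechanism, a monotonic counter that is never recycled as the life-cycle-unique user identifier, owner-only granting as the autonomous access control rule, and a SHA-256 hash chain as the storage protection for audit records. The users, object and passwords are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import time

PBKDF2_ITERATIONS = 200_000   # assumption: PBKDF2-HMAC-SHA256 cost, tune per platform
OPERATIONS = {"create", "read", "write", "modify", "delete"}

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

class AuditLog:
    # Each record carries subject, object, time, type and result; records are
    # SHA-256 hash-chained so that editing or deleting a stored one breaks verify().
    def __init__(self):
        self.records, self._prev = [], b"\x00" * 32

    def record(self, subject, obj, etype, result):
        rec = {"time": time.time(), "subject": subject, "object": obj, "type": etype, "result": result}
        self._prev = hashlib.sha256(self._prev + json.dumps(rec, sort_keys=True).encode()).digest()
        self.records.append({**rec, "chain": self._prev.hex()})

    def verify(self):
        prev = b"\x00" * 32
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "chain"}
            prev = hashlib.sha256(prev + json.dumps(body, sort_keys=True).encode()).digest()
            if prev.hex() != rec["chain"]:
                return False
        return True

    def query(self, **where):   # e.g. query(result="denied")
        return [r for r in self.records if all(r.get(k) == v for k, v in where.items())]

class System:
    def __init__(self):
        self._next_uid = 1000               # identifiers are never recycled
        self.users, self.names, self.objects = {}, {}, {}   # uid -> user, name -> uid, name -> object
        self.audit = AuditLog()

    # a) identification and authentication: salted PBKDF2, constant-time comparison
    def register(self, name, password):
        uid, self._next_uid = self._next_uid, self._next_uid + 1
        salt = os.urandom(16)
        self.users[uid] = {"name": name, "salt": salt, "hash": _kdf(password, salt)}
        self.names[name] = uid
        return uid

    def login(self, name, password):
        uid = self.names.get(name)
        user = self.users.get(uid)
        ok = user is not None and hmac.compare_digest(_kdf(password, user["salt"]), user["hash"])
        self.audit.record(name, "login", "auth", "success" if ok else "fail")
        return uid if ok else None

    def delete_user(self, uid):
        del self.names[self.users.pop(uid)["name"]]   # the uid is retired, the name may be reused

    # b) autonomous access control: the creator owns the object and alone may grant rights
    def create(self, uid, obj_name):
        self.objects[obj_name] = {"owner": uid, "acl": {}}   # acl: grantee uid -> set of operations
        self.audit.record(uid, obj_name, "create", "success")

    def grant(self, granter, grantee, obj_name, ops):
        obj, ops = self.objects[obj_name], set(ops)
        allowed = granter == obj["owner"] and ops <= OPERATIONS
        if allowed:
            obj["acl"].setdefault(grantee, set()).update(ops)
        self.audit.record(granter, obj_name, "grant", "success" if allowed else "denied")
        return allowed

    def access(self, uid, obj_name, op):
        obj = self.objects.get(obj_name)
        allowed = obj is not None and (uid == obj["owner"] or op in obj["acl"].get(uid, set()))
        self.audit.record(uid, obj_name, op, "success" if allowed else "denied")
        return allowed

def demo():
    s = System()
    alice, bob = s.register("alice", "correct horse"), s.register("bob", "battery staple")
    login_bad, login_ok = s.login("alice", "wrong"), s.login("alice", "correct horse")
    s.create(alice, "payroll.db")
    before = s.access(bob, "payroll.db", "read")              # denied: nothing granted yet
    s.grant(alice, bob, "payroll.db", {"read"})
    after = s.access(bob, "payroll.db", "read")               # allowed
    delete = s.access(bob, "payroll.db", "delete")            # denied: only read was granted
    regrant = s.grant(bob, alice, "payroll.db", {"write"})    # denied: bob is not the owner
    s.delete_user(alice)
    alice2 = s.register("alice", "new secret")                # same name, fresh uid
    stale = s.access(alice2, "payroll.db", "read")            # denied: rights follow the uid, not the name
    intact = s.audit.verify()
    s.audit.records[0]["result"] = "success"                  # simulate tampering with stored audit data
    return {"login_bad": login_bad, "login_ok": login_ok == alice, "before": before, "after": after,
            "delete": delete, "regrant": regrant, "fresh": alice2 != alice, "stale": stale,
            "denied": len(s.audit.query(result="denied")), "intact": intact,
            "tampered": not s.audit.verify()}
```

Two points an assessor checks against this clause are visible in demo(): the second "alice" receives a new identifier and inherits none of the first one's rights, and a single edited field in a stored audit record makes verify() fail. A real deployment keeps the chain head (or a signature over it) in the security management center rather than beside the records, since an attacker who can rewrite the records can otherwise rebuild the chain.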
It shall be able to detect the abnormal access of the virtual machine to
the host's physical resources.
e) Data backup and recovery
It shall adopt redundant architecture or distributed architecture design; it
shall support data multi-copy storage; it shall support common interfaces to
ensure that cloud tenants can migrate business systems and data to other
cloud computing platforms and local systems, to ensure portability.
f) Virtualization security
It shall achieve the security isolation of CPU, memory, storage space
of virtual machines; it shall prohibit the direct access of virtual machines to
the host's physical resources; it shall support the security isolation between
virtualized networks of different cloud tenants.
g) Prevention of malicious code
Physical machines and host machines shall install a security-hardened
operating system or perform host malicious code prevention; virtual
machines shall install a security-hardened operating system or
perform the host malicious code prevention; they shall support the
ability to detect and protect Web application malicious code.
h) Mirror and snapshot security
It shall support images and snapshots, to provide integrity protection
for virtual machine images and snapshot files; prevent unauthorized
access to sensitive resources that may exist in virtual machine images
and snapshots; provide security-hardened operating system images
for important business systems or support self-hardening of the
operating system images.
7.3.1.3 Technical requirements for design of security computing
environment for mobile internet
This requirement includes:
a) Authentication of user identity
It shall use passwords, unlock patterns, and other mechanisms with
appropriate security strengths for authentication of user identity.
b) Application control
It shall provide an application signature authentication, to refuse installation
and execution of application software that has not been authenticated and
Field control layer device and process monitoring layer device shall
implement unique marking, authentication and certification, to ensure that
the status of authentication, certification and functional integrity can be
verified and confirmed at any time. Programs and corresponding data sets
running on control device and monitoring device shall be managed by unique
identification.
b) Access control of field device
It shall implement the role-based access control policies for users who pass
the identity authentication. After receiving the operation command, the field
device shall check whether the role bound to the user has the authority to
perform the operation. The user who has permission obtains the
authorization. If the user does not obtain the authorization, it shall issue the
alarm information to the upper layer.
c) Data confidentiality protection of field device
It may use the confidentiality protection mechanism supported by
cryptographic technology or the physical protection mechanism, to
protect the confidentiality of data, programs, configuration information,
etc. which has confidentiality requirements as stored in field device
layer devices and fieldbus devices connected to the field control layer.
d) Protection of control process integrity
It shall finish the specified tasks within the specified time; the data shall be
processed in an authorized manner, to ensure that the data is not illegally
tampered with, lost, or delayed, to ensure timely response and processing
of incidents, to protect the system's synchronization mechanism, time
correction mechanism, thereby maintaining the stability of the control
cycle and the stability of the rolling cycle of fieldbus.
7.3.2 Technical requirements for design of security area boundary
7.3.2.1 Technical requirements for design of general security area
boundary
This requirement includes:
a) Packet filtering of area boundary
It shall, according to the area boundary security control strategy, determine
whether to allow the data packet to pass through the area boundary by
checking the source address, destination address, transport layer protocol,
requested service of the data packet.
b) Security audit of area boundary
It may use an integrity check mechanism supported by cryptographic techniques with short messages and low latency, adapted to the characteristics of the fieldbus, or a physical protection mechanism, to protect the integrity of data transmitted over the fieldbus network.
b) Protection of data transmission integrity of wireless network
It may use the integrity check mechanism supported by cryptographic
technology, to achieve integrity protection of data transmission of
wireless network.
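Item a) of 7.3.2.1 names the four fields a boundary packet filter decides on: source address, destination address, transport layer protocol and requested service. The following added Python example (not code from the standard) implements a first-match filter over exactly those fields with a deny default, and adds a check for rules that an earlier rule makes unreachable, which is the usual finding when such policies are reviewed. The policy, addresses and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp"
    service: Optional[int]  # requested service as destination port; None for port-less protocols

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    service: Optional[int] = None    # None matches any service

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.service in (None, p.service))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in (None, other.proto)
                and self.service in (None, other.service))

def decide(rules, p: Packet, default="deny") -> str:
    """First matching rule wins; anything unmatched falls to the default (deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(rules[i].covers(r) for i in range(j))]

# Constructed policy: an office subnet reaches the web tier on HTTPS and the resolver on
# DNS; one quarantined host is blocked before anything else; all other traffic is dropped.
POLICY = [
    Rule("deny", src="10.1.0.99/32"),
    Rule("allow", src="10.1.0.0/16", dst="10.2.0.10/32", proto="tcp", service=443),
    Rule("allow", src="10.1.0.0/16", dst="10.2.0.53/32", proto="udp", service=53),
    Rule("allow", src="10.1.0.99/32", dst="10.2.0.10/32", proto="tcp", service=443),  # dead: covered by rule 0
]

def demo():
    pkts = {   # constructed sample traffic
        "https_ok":    Packet("10.1.4.7", "10.2.0.10", "tcp", 443),
        "ssh_denied":  Packet("10.1.4.7", "10.2.0.10", "tcp", 22),
        "dns_ok":      Packet("10.1.4.7", "10.2.0.53", "udp", 53),
        "quarantined": Packet("10.1.0.99", "10.2.0.10", "tcp", 443),
        "icmp_denied": Packet("10.1.4.7", "10.2.0.10", "icmp", None),
    }
    return {k: decide(POLICY, p) for k, p in pkts.items()}, shadowed(POLICY)
```

The filter is stateless, which is all this clause asks of a second-level boundary; it does not track connections, so return traffic needs its own rules or a stateful device in front of it.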
7.3.4 Technical requirements for design of security management center
7.3.4.1 System management
System administrators can perform configuration, control and trusted
management of the resources and operations of the system, including user
identity, trusted certificates, trusted reference library, system resource
configuration, system loading and startup, exception handling of system
operations, data and device backup and recovery, protection against malicious
code.
It shall authenticate the identity of the system administrators. They are only
allowed to perform system management operations through specific commands
or operation interfaces, and audit these operations.
When performing the security design of a cloud computing platform, system management shall provide a way to query the storage locations of cloud tenant data and of its backups.
When designing the security of the Internet of Things system, the system
administrator shall perform the unified identity management of the sensor
devices, sensor layer gateways, etc.
7.3.4.2 Audit management
Security auditors can centrally manage the security audit mechanisms
distributed in various components of the system, including classifying audit
records according to security audit policies; providing the corresponding types
of security audit mechanisms to be turned on and off by time period; storing,
managing, querying various types of audit records.
It shall perform identity authentication of the security auditor. It allows for the
auditor to perform security audit operations only through specific commands or
operation interfaces.
When performing the security design of a cloud computing platform, the cloud
detecting that the credibility is compromised; form the verification results
into audit record; send it to the management center.
i) Inspection of configuration credibility
The security configuration information of the system shall be formed into a
reference library, to monitor in real-time and regularly inspect the
modification behavior of the configuration information, to timely repair the
configuration information which is inconsistent with the contents in the
reference library.
j) Intrusion detection and malicious code prevention
It shall use the active immune trusted computing check mechanism to
timely identify the intrusion and virus behavior, meanwhile effectively
block it.
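Item d) of 7.3.1.1 (a "conventional check mechanism" for stored user data) and item i) of 8.3.1.1 (a reference library for configuration, with detection and repair of unauthorized modification) both reduce to comparing stored files against known-good digests. The following added Python example, not the standard's code, builds such a reference library, inspects for drift and repairs from a reference copy; the file names and contents are constructed in a temporary directory for the demo.

```python
import hashlib
import os
import tempfile

def digest(path):
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_reference(root, paths):
    """Record the known-good digest of each monitored file (the reference library)."""
    return {p: digest(os.path.join(root, p)) for p in paths}

def inspect(root, reference):
    """Return {path: status} with status 'ok', 'modified' or 'missing'."""
    result = {}
    for p, expected in reference.items():
        full = os.path.join(root, p)
        if not os.path.exists(full):
            result[p] = "missing"
        else:
            result[p] = "ok" if digest(full) == expected else "modified"
    return result

def repair(root, reference, reference_copies):
    """Restore every drifted file from its reference copy, then re-check."""
    for p, status in inspect(root, reference).items():
        if status != "ok":
            with open(os.path.join(root, p), "wb") as f:
                f.write(reference_copies[p])
    return inspect(root, reference)

def demo():
    with tempfile.TemporaryDirectory() as root:
        # constructed configuration files, written while the system is known good
        files = {"sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
                 "sudoers": b"%admin ALL=(ALL) ALL\n"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        ref = build_reference(root, files)
        # simulate an unauthorized edit and a deletion
        with open(os.path.join(root, "sshd_config"), "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "sudoers"))
        found = inspect(root, ref)
        fixed = repair(root, ref, files)
        return found, fixed
```

The reference library and the reference copies must themselves be protected: keep them (or a signature over them) on the security management center host rather than on the monitored node, otherwise whoever can modify the configuration can re-baseline it as well.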
8.3.1.2 Technical requirements for design of cloud security computing
environment
This requirement includes:
a) Authentication of user identity
It shall support the cloud tenants registered to the cloud computing service
to establish a master and sub account; use the user name and user identifier
to identify the user identity of the master and sub account.
b) Protection of user account
It shall support the establishment of a cloud tenant account system, to
achieve the subject's access authorization to virtual machines, cloud
databases, cloud networks, cloud storage and other objects.
c) Security audit
It shall support the audit of privileged commands as executed by cloud
service providers and cloud tenants during remote management.
It shall support the tenant to collect and view audit information related to the
resources of the tenant, to ensure that cloud service providers' access to
cloud tenant systems and data can be audited by the tenant.
d) Intrusion prevention
It shall be able to detect the abnormal access of virtual machine to the host's
physical resources. It shall support the behavior monitoring of cloud
tenants, detect and alert to malicious attacks or malicious external
a) Authentication of user identity
It shall achieve the authentication of user identity for the mobile
terminal user based on the combination mechanism of two or more
methods of passwords or unlock patterns, digital certificates or
dynamic passwords, biometrics, etc.
b) Marking and mandatory access control
It shall ensure that users and processes hold only the minimum permissions needed on mobile terminal system resources. It shall control the mobile terminal's access to peripherals according to the security policy; the peripheral types covered shall at least include expansion memory cards, GPS and other positioning devices, and Bluetooth, NFC and other communication peripherals. Such access shall be logged.
c) Application control
It shall have a software whitelist function, which can control the
installation and operation of application software according to the
whitelist; it shall provide an application signature authentication mechanism,
to refuse the installation and execution of application software that has not
been authenticated and signed.
d) Isolation of security domain
It shall be able to provide container-based, virtualized, and other system-
level isolated operating environments for important applications, to ensure
that application input, output, storage information is not obtained illegally.
e) Control of mobile device
It shall, based on mobile device management software, implement the entire
life cycle control of mobile devices, to ensure that after the mobile device is
lost or stolen, the location of the device is searched through the network, the
device is remotely locked, the data on the device is remotely erased, the
device emits an alarm tone, to ensure maximum protection of data while
being able to locate and retrieve.
f) Protection of data confidentiality
It shall use the measures such as encryption, obfuscation, to protect the
confidentiality of mobile applications, to prevent de-compilation; it shall
achieve the encryption function of extended storage devices, to ensure
the security of data storage.
g) Trusted verification
It shall ensure that a virtual machine can only receive messages whose destination address includes its own address, or broadcast messages required by the business, thereby limiting broadcast attacks; it shall isolate the virtual network resources of different tenants and avoid excessive occupation of network resources. It shall ensure that the cloud computing platform's management traffic is separated from cloud tenants' business traffic.
It shall be able to identify and monitor network traffic between virtual
machines and between virtual machines and physical machines;
provide open interfaces or open security services; allow cloud tenants
to access third-party security products or select third-party security
services on cloud platforms.
b) Access control of area boundary
It shall ensure that when the virtual machine is migrated, the access control
policies are also migrated. It shall allow the cloud tenants to set access
control policies between different virtual machines. It shall establish the
tenant private networks to achieve the security isolation between different
tenants. It shall deploy a monitoring mechanism at the network
boundary, to implement effective monitoring of the traffic entering and
leaving the network.
c) Prevention of area boundary intrusion
When the virtual machine migrates, the intrusion prevention
mechanism can be applied to the new boundary; it shall include the
intrusion prevention mechanism at the area boundary into the security
management center for unified management.
It shall provide the cloud tenants with Internet content security
monitoring functions, to detect and alert harmful information in real
time.
d) Requirements for area boundary audit
According to the division of responsibilities of cloud service providers
and cloud tenants, collect audit data of their respective control parts.
According to the division of responsibilities of cloud service providers
and cloud tenants, achieve centralized audit of their respective control
parts. When virtual machine migration or virtual resource changes
occur, the security audit mechanism can be applied to new boundaries.
Provide an interface for the collection of security audit data; it can also
be audited by third parties.
8.3.2.3 Technical requirements for design of security area boundaries of
This requirement includes:
a) Communication protocol data filtering of industrial control
For industrial control communication protocols that pass through the
security area boundary, it shall be able to identify whether the data
carried by it will cause attacks or damage to the industrial control
system. It shall control the communication traffic, the frequency of
frame numbers, the frequency of reading variables to be stable and
within the normal range; protect the working rhythm of the controller;
identify and filter data with variable parameters outside the normal
range. The control filtering processing component can be configured
on the network device at the area boundary; it may also be configured
on the endpoint device of the industrial control communication
protocol in this security area or the only communication link device.
b) Information leakage protection of industrial control communication
protocol
It shall prevent the user name and login password of the endpoint devices of the industrial control communication protocol in this area from being exposed, using filtering and transformation techniques to hide key information such as the user name and login password. The endpoint devices shall be separately partitioned and filtered, and protected by one or a combination of the corresponding protection functions.
c) Security audit of industrial area boundary
......
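Item a) of 8.3.2.3 above lists what the boundary component must check on industrial control protocol traffic: the frame rate, the frequency of reading variables, and variable values within the normal range. The following added Python example (not the standard's code) implements those checks over a constructed, hypothetical frame format with one-second sliding windows; the tag names, ranges and limits are assumptions for the demo, not values from any real fieldbus protocol.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:            # hypothetical protocol frame, already parsed
    t: float            # arrival time in seconds
    func: str           # "read" or "write"
    var: str            # tag name on the controller
    value: Optional[float] = None

class IcsBoundaryFilter:
    def __init__(self, ranges, max_frames_per_s, max_reads_per_var_per_s, writable):
        self.ranges = ranges            # var -> (low, high): the zone's variable inventory
        self.max_frames = max_frames_per_s
        self.max_reads = max_reads_per_var_per_s
        self.writable = writable        # variables a peer across the boundary may write
        self._frames = deque()          # arrival times of accepted frames in the last second
        self._reads = {}                # var -> deque of accepted read times in the last second

    @staticmethod
    def _trim(window, now):
        while window and now - window[0] >= 1.0:
            window.popleft()

    def check(self, f: Frame):
        """Return (passed, reason). Dropped frames are not charged to the budgets."""
        if f.var not in self.ranges:
            return False, "unknown variable"
        self._trim(self._frames, f.t)
        if len(self._frames) >= self.max_frames:
            return False, "frame rate"
        if f.func == "write":
            if f.var not in self.writable:
                return False, "write to read-only variable"
            low, high = self.ranges[f.var]
            if f.value is None or not low <= f.value <= high:
                return False, "value out of range"
        elif f.func == "read":
            w = self._reads.setdefault(f.var, deque())
            self._trim(w, f.t)
            if len(w) >= self.max_reads:
                return False, "read frequency"
            w.append(f.t)
        else:
            return False, "unsupported function"
        self._frames.append(f.t)
        return True, "ok"

def demo():
    flt = IcsBoundaryFilter(
        ranges={"pump.speed": (0, 100), "tank.level": (0, 1000)},
        max_frames_per_s=50, max_reads_per_var_per_s=10, writable={"pump.speed"})
    frames = [Frame(0.0, "write", "pump.speed", 60),     # normal setpoint
              Frame(0.1, "write", "pump.speed", 150),    # beyond the physical range
              Frame(0.2, "write", "tank.level", 5),      # sensor value, read-only from outside
              Frame(0.3, "read", "valve.state")]         # tag not in this zone's inventory
    frames += [Frame(0.5 + i * 0.001, "read", "tank.level") for i in range(15)]  # polling burst
    reasons = {}
    for f in frames:
        _, why = flt.check(f)
        reasons[why] = reasons.get(why, 0) + 1
    return reasons
```

Dropping a frame without charging it to the rate budget matters: otherwise an attacker flooding out-of-range writes would also starve the legitimate traffic of its frame budget and stall the controller's working rhythm, which is the opposite of what the clause asks for.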