GB/T 36323-2018: Information security technology -- Security management fundamental requirements for industrial control systems (Status: Valid)
Basic data
Standard ID: GB/T 36323-2018 (GB/T36323-2018)
Description (Translated English): Information security technology -- Security management fundamental requirements for industrial control systems
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 50,580
Date of Issue: 2018-06-07
Date of Implementation: 2019-01-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration
ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology -- Security management fundamental requirements for industrial control systems
Issued on 2018-06-07
Implemented on 2019-01-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 ICS security management basic framework and key activities
5.1 ICS security management basic framework
5.2 Top-level commitment
5.3 Planning assessment
5.4 Resource support
5.5 Policy implementation
5.6 Performance evaluation
5.7 Continuous improvement
6 ICS security management basic control measures
6.1 Classification of security control measures
6.2 Security Assessment and Authorization (CA)
6.3 System and Services Acquisition (SA)
6.4 Personnel Security (PS)
6.5 Planning (PL)
6.6 Risk Assessment (RA)
6.7 Contingency Planning (CP)
6.8 Physical and Environmental Protection (PE)
6.9 Configuration Management (CM)
6.10 System and Information Integrity (SI)
6.11 Media Protection (MP)
6.12 Incident Response (IR)
6.13 Awareness and Training (AT)
6.14 Access Control (AC)
6.15 Maintenance (MA)
6.16 Audit and Accountability (AU)
6.17 Identification and Authentication (IA)
Appendix A (informative) Correspondence table of basic ICS security management controls at different security levels
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.
This standard is proposed by and under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
This standard was drafted by: China Electronics Technology Standardization Research Institute, National Information Technology Security Research Center, the Third Institute of the Ministry of Public Security, East China Normal University, the 30th Institute of China Electronics Technology Group Corporation, China Information Security Research Institute Co., Ltd., Shanghai Sanzhi Guardian Information Security Co., Ltd., Beijing Shenzhou Lvmeng Information Security Technology Co., Ltd., Venus Star Information Technology Co., Ltd., Fujian and Taiwan Technology (Beijing) Co., Ltd., Zhejiang Zheneng Taizhou Second Power Generation Co., Ltd., Beijing University of Technology, State Grid Zhejiang Electric Power Company Institute, Huaneng Power International Co., Ltd. Changxing Power Plant, Guilin University of Electronic Science and Technology, Xi'an University of Electronic Science and Technology, Zhejiang University, Shenyang Institute of Automation of the Chinese Academy of Sciences, Hollysys Group, Global Energy Internet Research Institute, Shenji (Shanghai) Intelligent System Research and Development Design Company, Shenzhen Saixi Information Technology Co., Ltd., Guangzhou CNC Equipment Co., Ltd., Beijing Jiangnan Tianan Technology Co., Ltd., Zhongjing Tianyu Technology (Beijing) Co., Ltd., Beijing Yuen Network Technology Co., Ltd.
The main drafters of this standard: Fan Kefeng, Liu Xiangang, Li Lin, Yao Xiangzhen, Zhou Ruikang, Li Bing, Gu Jian, Shangguan Xiaoli, Xu Dongyang, Gong Jiezhong, Wang Huili, Liu Hongyun, He Daojing, Gong Lianghua, Shang Wenli, Yang Chen, Cai Lei, Yan Dakui, Liu Shuo, Zhang Jianjun, Wang Xiaopeng, Xu Kechao, Zhou Shenxue, Yin Feng, Chen Shengjun, Yan Wei, Yang Zhen, Gao Kunlun, Lai Yingxu, Shen Yulong, Zhao Qingyi, Xu Chuanpei, Chen Guanzhi, Liang Shu, Wang Yong, Huang Yunying, Yang Tangyong, Yu Pei.
Introduction
With the development of computer and network technology, in particular the deep integration of informatization and industrialization and the rapid development of the Internet of Things, industrial control systems, including distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs), are widely used in nuclear facilities, aerospace, advanced manufacturing, petroleum and petrochemicals, oil and gas pipeline networks, power systems, transportation, water conservancy hubs, urban facilities and other important sectors of the country. Industrial control systems (ICS) are moving from stand-alone to interconnected, from closed to open and from automated to intelligent at an accelerating pace, which makes the information security of industrial control systems increasingly prominent: once an industrial control system is attacked, the safety of people's lives and property and the stability of the state may be seriously threatened. In this regard, the National Information Security Standardization Technical Committee (SAC/TC260) has established a series of standards covering industrial control system information security classification, management requirements, control application guidelines and other topics.
This standard addresses the common characteristics of the security management activities of industrial control systems across industries and proposes a basic framework for ICS security management. It standardizes ICS security management activities in terms of leadership, planning, support, operation, performance evaluation and continuous improvement, gives the basic control measures for security management, and provides a table mapping the basic security management controls to industrial control systems at each security level, so that an organization can meet its security management requirements for industrial control systems at all levels. It thereby provides a reference for the effective security management and control of industrial control systems.
Information security technology
Security management fundamental requirements for industrial control systems
1 Scope
This standard specifies the basic framework for the security management of industrial control systems and the key activities contained in the framework, and proposes the basic security management control measures required to implement that framework. On this basis, it gives a correspondence table of basic security management controls for industrial control systems at each security level (see Appendix A), which states the basic security management control requirements for industrial control systems at all levels.
This standard applies to the planning and implementation of security management by organizations that build, operate, use and manage industrial control systems not involving state secrets, and may also be used as a reference for the security assessment and security inspection of industrial control systems.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010 Information security technology -- Terminology
GB/T 22080-2016 Information technology -- Security techniques -- Information security management systems -- Requirements
GB/T 22081-2016 Information technology -- Security techniques -- Code of practice for information security controls
GB/T 32919-2016 Information security technology -- Application guide to industrial control system security control
3 Terms and definitions
The terms and definitions given in GB/T 22080-2016, GB/T 22081-2016 and GB/T 25069-2010, together with the following, apply to this document.
3.1
industrial control system; ICS
Control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems such as programmable logic controllers (PLCs).
3.2
distributed control system; DCS
A computer-based system for the distributed control and centralized management of the production processes within a system (within a unit).
Note: A DCS generally comprises two levels: the field control level and the control management level. The field control level mainly controls the individual sub-processes; the control management level mainly performs data collection, centralized display, and unified scheduling and management of the multiple distributed sub-processes.
3.3
supervisory control and data acquisition system; SCADA
A system for the centralized data acquisition, control and management of large-scale, geographically distributed assets and equipment in a wide-area network environment, used in industrial production control.
Note: A SCADA system is computer-based and monitors and dispatches remotely distributed operating equipment. Its main functions include data acquisition, parameter measurement and adjustment, signal alarming, etc. A SCADA system generally consists of a master terminal unit (MTU) located in the control centre, communication lines and equipment, and remote terminal units (RTUs).
3.4
programmable logic controller; PLC
An electronic device that uses programmable memory to control industrial production equipment through digital operations.
Note: A PLC mainly executes instructions for various types of calculation, sequence control, timing and so on in order to control the movement of industrial production equipment. It is the basic unit of an industrial control system.
3.5
security control baseline
The starting point and basis for the security control selection process.
Note: A security control baseline is the minimum security guideline developed to help an organization select the most cost-effective and appropriate set of security controls to meet its security requirements.
4 Abbreviations
The following abbreviations apply to this document.
AC: Access Control
AT: Awareness and Training
AU: Audit and Accountability
CA: Security Assessment and Authorization
CM: Configuration Management
CP: Contingency Planning
DCS: Distributed Control System
IA: Identification and Authentication
ICS: Industrial Control System
IR: Incident Response
MA: Maintenance
MP: Media Protection
PE: Physical and Environmental Protection
PL: Planning
PLC: Programmable Logic Controller
PS: Personnel Security
RA: Risk Assessment
SA: System and Services Acquisition
SCADA: Supervisory Control and Data Acquisition
SI: System and Information Integrity
5 ICS security management basic framework and key activities
5.1 ICS security management basic framework
There are many important differences between industrial control systems (ICS) and traditional information technology (IT) systems, which means that the characteristics of the ICS itself must be taken into account when planning and managing ICS information security. Drawing on traditional information security management systems and combining them with the characteristics of ICS, security requirements are integrated into the ICS to form the basic framework of ICS security management (see Figure 1). Having determined the specific intent of ICS security management, understood the relevant requirements and clarified the scope of the ICS, the framework divides ICS security management activities into six aspects: top-level commitment, planning assessment, resource support, policy implementation, performance evaluation and continuous improvement. Under top-level commitment, the organization obtains management's commitment, determines the ICS security management policy and clearly defines the roles and responsibilities of all relevant members in ICS management activities. In planning assessment, the organization determines the general rules, conducts ICS security risk assessment and treatment, and clarifies its objectives and how to achieve them. In resource support, the organization guarantees the resources needed for ICS security, provides competence and awareness training, identifies communication mechanisms and establishes a documented system. In policy implementation, the organization plans, implements and controls the specific processes needed to meet the requirements of ICS security management activities, and regularly carries out ICS security risk assessment and treatment. In performance evaluation, the organization monitors, measures, analyses and evaluates the ICS and conducts internal audits and management reviews on a regular basis. In continuous improvement, the organization continuously monitors ICS security and, when an ICS security anomaly occurs, takes corrective action and improves continuously.
Figure 1 ICS security management basic framework
To realize the security functions of each stage of the basic framework of ICS security management, Chapter 6 of this standard gives the basic control measures required at each stage of the framework, and Appendix A gives the security management requirements for industrial control systems at different security levels. These should be used to guide the organization in selecting basic security management control measures according to the security level of its industrial control system, and in tailoring and selecting those measures in accordance with the industrial control system security control application guide, security grading and other related standards.
5.2 Top-level commitment
5.2.1 Management commitment
The organization shall make a commitment to ICS security in accordance with 5.1 of GB/T 22080-2016.
5.2.2 Policy
The organization shall establish a policy applicable to ICS security in accordance with 5.2 of GB/T 22080-2016. In addition, a corresponding ICS security policy shall be formulated that is consistent with, and forms an integral part of, the organization's overall information security policy.
5.2.3 Establishing an ICS security joint management team
To ensure the implementation of ICS security, the organization should:
a) establish an inter-departmental, cross-functional ICS security joint management team;
b) ensure that the management team includes at least IT personnel, control engineers, control system operators, network and information system security experts, management representatives and representatives of the physical security department;
c) ensure, at the top management level, that the team has the authority and responsibility for ICS security management activities, and provide the corresponding commitment.
5.2.4 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for ICS information security related roles are assigned and communicated.
Top management shall assign responsibilities and authorities to achieve the following objectives:
a) ensure that the basic framework of ICS security management meets the requirements of this standard;
b) report the performance of the basic framework of ICS security management to top management;
c) receive regular reports from the joint management team.
5.3 Planning assessment
5.3.1 Actions to address risks and opportunities
5.3.1.1 General
The organization shall establish general rules for the ICS in accordance with 6.1.1 of GB/T 22080-2016, and shall also include the expectations for ICS security operation and maintenance in those general rules.
5.3.1.2 ICS information security risk assessment
The organization shall define and apply a risk assessment process for the ICS in accordance with 6.1.2 of GB/T 22080-2016, and shall also fully assess the consequences of the risk assessment process for the availability and stability of the ICS, so as to ensure the normal conduct of industrial production activities.
5.3.1.3 ICS information security risk treatment
The organization shall define and apply an ICS information security risk treatment process in accordance with 6.1.3 of GB/T 22080-2016.
5.3.2 ICS information security objectives and planning to achieve them
The organization shall establish ICS information security objectives and plans to achieve them in accordance with 6.2 of GB/T 22080-2016.
5.4 Resource support
5.4.1 Resources
The organization shall identify and provide the resources needed to establish, implement, maintain and continually improve the ICS information security management system.
5.4.2 Competence
See 7.2 of GB/T 22080-2016.
5.4.3 Awareness
Education and training should be carried out on a regular basis, and personnel working under the organization's control should be made aware of:
a) the ICS information security policy;
b) their contribution to the effectiveness of the basic framework of ICS security management, including the benefits of improved ICS information security performance;
c) the implications of not conforming to the requirements of the basic framework of ICS security management.
5.4.4 Communication
See 7.4 of GB/T 22080-2016.
5.5 Policy implementation
5.5.1 Operational planning and control
The organization shall carry out operational planning and control for ICS information security in accordance with 8.1 of GB/T 22080-2016, and shall also:
a) assess in detail the hazards that a security control may pose to the ICS before implementing that security control on the ICS;
b) obtain authorization for security controls before implementing them.
5.5.2 ICS information security risk assessment
The organization shall conduct ICS information security risk assessment in accordance with 8.1 of GB/T 22080-2016. In the risk assessment process, the differences between ICS and traditional information systems shall be fully considered in accordance with Appendix A of GB/T 32919-2016.
5.5.3 ICS information security risk treatment
See 8.3 of GB/T 22080-2016, and carry out risk treatment according to the characteristics of the ICS.
5.6 Performance evaluation
5.6.1 Monitoring, measurement, analysis and evaluation
See 9.1 of GB/T 22080-2016. The organization should also continuously monitor the implemented security controls, identify security violations and detect the occurrence of security anomalies in the ICS.
5.6.2 Internal audit
See 9.2 of GB/T 22080-2016, and carry out internal audits according to the characteristics of the ICS.
5.6.3 Management review
See 9.3 of GB/T 22080-2016, and carry out management reviews according to the characteristics of the ICS.
5.7 Continuous improvement
5.7.1 Nonconformity and corrective action
See 10.1 of GB/T 22080-2016, and take corrective action according to the characteristics of the ICS.
5.7.2 Continuous improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the basic framework of ICS security management, and shall report to the joint management team and top management when major changes occur in the ICS production business or in system security protection.
6 ICS security management basic control measures
6.1 Classification of security control measures
This standard gives security controls from three aspects: management system, operation and maintenance management, and technical management. There are 16 security control families in total, as shown in Table 1.
Table 1 Security control classification table
| Family identifier | Security control family | Security control class |
| CA | Security Assessment and Authorization | Management system |
| SA | System and Services Acquisition | Management system |
| PL | Planning | Management system |
| RA | Risk Assessment | Management system |
| PS | Personnel Security | Operation and maintenance management |
| CP | Contingency Planning | Operation and maintenance management |
| PE | Physical and Environmental Protection | Operation and maintenance management |
| CM | Configuration Management | Operation and maintenance management |
| SI | System and Information Integrity | Operation and maintenance management |
| MP | Media Protection | Operation and maintenance management |
| IR | Incident Response | Operation and maintenance management |
| AT | Awareness and Training | Operation and maintenance management |
| MA | Maintenance | Operation and maintenance management |
| AC | Access Control | Technical management |
| AU | Audit and Accountability | Technical management |
| IA | Identification and Authentication | Technical management |
6.2 Security Assessment and Authorization (CA)
6.2.1 Security Assessment and Authorization Policy and Procedures (CA-1)
This requirement includes:
a) a security assessment and authorization policy should be developed and published, covering at least: purpose, scope, roles, responsibilities, management commitment, coordination between relevant departments, and compliance;
b) procedures should be developed and published to facilitate the implementation of the security assessment and authorization policy and the related security controls;
c) the security assessment and authorization policy and procedures should be reviewed and updated regularly.
6.2.2 Security Assessment (CA-2)
This requirement includes:
a) a security assessment plan should be developed, which should include: the security controls to be assessed; the procedure for assessing the effectiveness of the security controls; and the assessment environment, team, roles and responsibilities;
b) the correctness and effectiveness of the implementation of the security controls adopted by the ICS should be assessed regularly, and the relevant security requirements judged accordingly;
c) an assessment report should be produced from the assessment results, and the results reported to the relevant personnel;
d) an independent, accredited body should be authorized to conduct the assessment, and it should be ensured that the assessment does not interfere with ICS operations and functions;
e) it should be ensured that the assessor fully understands the relevant information security policies and procedures, the security policy and procedures of the ICS, and the specific safety and environmental risks associated with the equipment and/or process;
f) ICSs that cannot be assessed online directly should be assessed offline or on a replica system.
6.2.3 ICS Connection Management (CA-3)
This requirement includes:
a) ICS interconnection security regulations should be established to authorize connections between the ICS and other external information systems;
b) the interface characteristics, security requirements, communication information characteristics, etc. of connections between the ICS and other external industrial control systems should be recorded;
c) the ICS and its external connections should be reviewed periodically to verify that the ICS connections meet the specified requirements;
d) national security systems without a secrecy level should be prevented from connecting directly to external networks;
e) national security systems with a secrecy level should be prevented from connecting directly to external networks.
6.2.4 Action Plan and Milestones (CA-4)
This requirement includes:
a) an action plan and milestones should be developed, recording the corrective actions to be taken to remedy the weaknesses and deficiencies found in the assessment of security controls and to reduce or eliminate known vulnerabilities in the system;
b) the existing action plan and milestones should be updated at least quarterly based on security assessments, consequence analysis and ongoing monitoring;
c) the organization shall use automated mechanisms that help implement the plan accurately and in a timely manner.
6.2.5 Security Authorization (CA-5)
This r...