
GB/T 36466-2018 English PDF

GB/T 36466-2018: Information security technology -- Implementation guide to risk assessment of industrial control systems
Status: Valid

Basic data

Standard ID GB/T 36466-2018 (GB/T36466-2018)
Description (Translated English) Information security technology -- Implementation guide to risk assessment of industrial control systems
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.040
Word Count Estimation 46,446
Date of Issue 2018-06-07
Date of Implementation 2019-01-01
Issuing agency(ies) State Administration for Market Regulation, China National Standardization Administration

GB/T 36466-2018: Information security technology -- Implementation guide to risk assessment of industrial control systems


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology -- Implementation guide to risk assessment of industrial control systems
ICS 35.040
L80
National Standard of the People's Republic of China
Issued on 2018-06-07; implemented on 2019-01-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Content

Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
  3.1 Terms and definitions
  3.2 Abbreviations
4 Overview
  4.1 Industrial control system hierarchy model
  4.2 Implementation principles and work forms
  4.3 Framework and process
5 Implementation method
  5.1 Overview
  5.2 Document review
  5.3 On-site interview
  5.4 On-site verification
  5.5 Field test
  5.6 Simulation environment test
6 Implementation process
  6.1 Preparation
  6.2 Asset valuation
  6.3 Threat assessment
  6.4 Vulnerability assessment
  6.5 Supportability assessment
  6.6 Risk analysis
  6.7 Residual risk control
Appendix A (informative) Record table
Appendix B (informative) Vulnerability and support capability verification example
Reference

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).

The main drafting organizations of this standard are: National Information Technology Security Research Center, China Electronics Technology Standardization Institute, Global Energy Internet Institute, the sixth research institute of China Electronic Information Industry Group Co., Ltd.

The main drafters of this standard are: Li Jingchun, Li Bing, Liu Hongyun, Fang Jinshe, Liu Xiangang, Fan Kefeng, Gao Kunlun, Liu Renhui, Ge Peiqin, Wang Hong, Zeng Zhenzhen, Li Jian, Liang Shu, Zhan Xiong, Li Xia, Pang Ning, Yao Xiangzhen, Zhou Ruikang, Zhao Ting, Liu Nan, Xu Kechao, Cai Lei.

Introduction

With the integration of industrial control systems and information technology, industrial control systems are widely used in the metallurgy, electric power, petrochemical, water treatment, railway, aviation and food processing industries. An industrial control system is a data acquisition, monitoring and control system applied in the field of industrial control; it is a control system consisting of computer equipment, industrial process control components and networks, and is the nerve center of the industrial field. Control systems used in industry include supervisory control and data acquisition systems, distributed control systems, programmable logic controller systems and others. The construction of a relatively independent information security system for China's industrial control systems will directly affect the normal production and operation of important national infrastructure and the interests of the general public.

Based on an analysis of the assets of the industrial control system, this standard analyzes, from the security characteristics of those assets, the sources of threats to the industrial control system and its own vulnerabilities, summarizes the information security risks faced by industrial control systems, and gives guidance recommendations for implementing industrial control system risk assessment.

This standard mainly provides guidance for third-party safety testing and evaluation agencies implementing risk assessment on the site of industrial control systems, and may also be used as a reference by industrial control system owners for self-assessment.

Information security technology -- Implementation guide to risk assessment of industrial control systems

1 Scope

This standard specifies the methods and processes for the implementation of risk assessment for industrial control systems.

This standard is applicable to guiding the implementation of risk assessment of industrial control systems by third-party safety testing and evaluation agencies, and may also be used as a reference by industrial control system owners for self-assessment.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 20984-2007 Information security technology -- Information security risk assessment specification
GB/T 31509-2015 Information security technology -- Information security risk assessment implementation guide
GB/T 32919-2016 Information security technology -- Industrial control system safety control application guide
ISO/IEC 62264-1:2013 Enterprise-control system integration -- Part 1: Models and terminology

3 Terms, definitions and abbreviations

3.1 Terms and definitions

The terms and definitions given in GB/T 31509-2015 and GB/T 32919-2016, and the following, apply to this document.

3.1.1 Supervisory control and data acquisition system; SCADA
A control system that, in the course of industrial production control, performs centralized data acquisition, monitoring and management of large-scale, long-distance, geographically distributed assets and equipment in a WAN environment.

3.1.2 Distributed control system; DCS
A computer-based system for distributed control and centralized management of production processes within the system (within the unit).

3.1.3 Master terminal unit; MTU
Industrial control system terminal unit for the collection and inspection of production process information.
Note: Generally deployed in the dispatch control center.

3.1.4 Remote terminal unit; RTU
Industrial control system remote site equipment for monitoring and controlling remote industrial production equipment.

3.1.5 Programmable logic controller; PLC
An electronic device that uses programmable memory to control industrial production equipment through digital operations.

3.1.6 Intelligent electronic device; IED
An intelligent electronic device that performs information acquisition, automatic measurement recording and transmission for the production process, and communicates with the MTU through the network.
Note: Generally deployed at the site.

3.1.7 Human-machine interface; HMI
A software and hardware platform that provides an operator interface and data communication between the operator and the controller.

3.2 Abbreviations

The following abbreviations apply to this document.

ICS: Industrial Control System
SCADA: Supervisory Control and Data Acquisition
DCS: Distributed Control System
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
MTU: Master Terminal Unit
ACL: Access Control List
DNS: Domain Name System
DHCP: Dynamic Host Configuration Protocol
DNP: Distributed Network Protocol
RPC: Remote Procedure Call Protocol
DCOM: Distributed Component Object Model (Microsoft Distributed Component Object Model)
OPC: Object Linking and Embedding for Process Control
DoS: Denial of Service
CAN: Controller Area Network
UPS: Uninterruptible Power Supply (Uninterruptible Power System)
HMI: Human Machine Interface
CVSS: Common Vulnerability Scoring System

4 Overview

4.1 Industrial control system hierarchy model

Differences in the technical field in which industrial control systems are applied, in the characteristics of the industry, or in the types of services carried cause the architecture of actual industrial control systems to vary widely. In order to reach a consensus on the functional characteristics and deployment forms of typical industrial control systems, this standard, based on the hierarchical structure model of ISO/IEC 62264-1:2013, gives a hierarchical structure model of the general industrial control system, as shown by the colored part of Figure 1.

Figure 1 Industrial control system hierarchy model diagram

According to the hierarchical model diagram, most of what is used in the enterprise resource layer and the production management layer is software and hardware commonly used in traditional information systems, for which GB/T 31509-2015 gives the corresponding evaluation method. The process monitoring layer, field control layer and field device layer are the parts unique to industrial control systems. This standard mainly regulates the implementation of risk assessment at these three layers.

4.2 Implementation principles and working forms

GB/T 31509-2015 specifies the principles for risk assessment implementation, including the standards principle, the key business principle, the controllability principle and the minimum impact principle.

GB/T 20984-2007 clarifies that the basic working forms of risk assessment are self-assessment and inspection evaluation. Either self-assessment or inspection evaluation can be commissioned from third-party industrial control system risk assessment agencies.

4.3 Framework and process

4.3.1 Risk factor relationship

The various elements of the risk assessment and their relationships are shown in Figure 2.

Figure 2 Relationship between risk factors of industrial control systems

The basic elements of an industrial control system risk assessment include assets, threats, support capabilities and vulnerability. Risk assessment revolves around these basic elements; in evaluating them, the various attributes related to the basic elements need to be fully considered. The following relationships exist between the basic risk elements and their attributes:

a) Industrial production operations rely on assets to be achieved;
b) Assets have asset value, which is reflected in the degree of dependence of industrial production operations and system information security on the assets; the greater the dependence, the greater the value of the asset;
c) Assets are at risk, and the greater the value of the assets, the greater the threat they face;
d) Support capabilities can protect assets from threats, and the stronger the support capability, the fewer threats the assets face;
e) Risk is caused by threats, and the more threats an asset faces, the greater the risk;
f) Vulnerability can affect asset security, and threats can exploit vulnerabilities to damage assets and create risks;
g) The greater the vulnerability, the greater the likelihood of security risks;
h) Support capabilities reduce vulnerability and reduce security risks;
i) The implementation cost of the support capability needs to be considered in combination with the value of the assets;
j) Safeguards can counter threats, compensate for or reduce vulnerabilities, and reduce security risks.

Risk cannot be reduced to zero, and there will be residual risks after safety measures are implemented. Some residual risks come from insufficient support capability and need strengthened control; other residual risks are left uncontrolled after comprehensive consideration of safety costs and benefits, and are risks that can be accepted.

4.3.2 Risk assessment process

The implementation of risk assessment for industrial control systems is divided into three phases: the risk assessment preparation phase, the risk component assessment phase and the comprehensive analysis phase. For each phase of the risk assessment of the industrial control system, the assessor develops a corresponding work plan to ensure the smooth progress of the assessment. The risk assessment implementation process is described in Chapter 6, and its flow is shown in Figure 3.

Figure 3 Risk assessment implementation flow chart

5 Implementation method

5.1 Overview

Risk assessment of industrial control systems requires investigation, evidence collection, analysis and testing. There are five methods of risk assessment for industrial control systems: document review, on-site interview, on-site verification, field testing and simulation environment testing.

5.2 Document review

Document review is used to confirm that the policy and technical aspects of the assessed party are comprehensive and up to date. The assessed party should provide the documentation required for the assessment so that the assessor can conduct a comprehensive review. The assessor consults the assessed party's industrial control system planning and design scheme, network topology diagram, system security plan, security policy, architecture, requirements, standard operating procedures, licensing agreements, system interconnection memos, information security incident emergency response plans and similar documentation, and assesses their accuracy and completeness.

Document review helps the assessor understand the basic information of the industrial control system, including the network topology and the major hardware and software components. Document review can identify issues that could lead to missing, deficient or incorrectly executed security policies. The assessor needs to verify whether the documents of the assessed party comply with standards and regulations, and to look for defects, outdated content or unreasonable elements in the policies of the assessed party.

The implementation guidelines are as follows:

a) In the preparation phase, the assessor prepares a general directory of the documents required for industrial control system risk assessment;
b) The assessed party provides the corresponding documentation according to the file directory;
c) The assessor reviews the content of the relevant documentation for completeness and compliance;
d) When the required documents cannot be reproduced or do not exist, the assessor marks them and communicates with the assessed party on the relevant content.

5.3 On-site interview

On-site interviews are used to collect objective factual materials, supplementing the details of the industrial control system not found in document review and giving further understanding of and insight into the development, integration, supply, use and management of the industrial control system.

The assessor should prepare an interview questionnaire before the assessment is implemented. During the interview, the survey questions can be adjusted or expanded based on the respondents' answers. See Appendix A for the on-site interview questionnaire.

The implementation guidelines are as follows:

a) The assessor prepares a general industrial control system risk assessment interview questionnaire during the assessment preparation phase;
b) The assessed party assigns different personnel to be interviewed by the assessor according to the specific questions; the assigned personnel should be those most familiar with the assessment target;
c) If the interviewee is unable to give a definitive answer to certain questions, those questions should be marked and subsequently verified;
d) Label the questions that need to be verified in the interview for later on-site verification and technical confirmation;
e) The interviewee checks the interview record after the interview and, if it is correct, signs to confirm it.

5.4 On-site verification

On-site verification is verification work carried out in the on-site production environment of the industrial control system, and can truly reflect the safety of the system. On-site verification may be required in the following situations:

a) On-site physical environment assessment of industrial control systems;
b) Assessment of industrial control system configuration, system architecture and system logs;
c) Assessment of the safety management of industrial control systems;
d) Confirmation that safety measures have been taken.

The implementation guidelines are as follows:

a) The assessor needs to communicate the items to be verified on site, and the on-site verification schedule, with the on-site production management and operation personnel of the industrial control system. If the industrial control system is distributed over a large area and involves multiple departments, time, personnel and so on need to be planned in advance;
b) Where the site of an industrial control system is a harsh environment, the site rules and regulations of the assessed party shall be strictly observed; when necessary, the assessed party may organize safety education and training for assessment personnel before they enter the industrial control system site, to ensure safety;
c) When the assessor verifies functions such as access control and auditing of the industrial control system, the on-site production management and operation personnel and the corresponding information security personnel should be present; the verification operations are preferably performed by the industrial control system operators, with the assessor only responsible for viewing and recording the results;
d) The assessor shall not alter any configuration of the industrial control system during on-site verification;
e) Record the results of the on-site inspection. If a non-conformance or vulnerability is found, it needs to be verified.

5.5 Field test

Industrial control systems are divided into discrete and continuous types. Some discrete industrial control systems, such as CNC machine tools, can be field tested while they are not in operation. Field testing means carrying out safety testing directly in the field environment of the industrial control system being assessed. This method can more realistically reflect the vulnerability of industrial control systems. Field test methods include vulnerability scanning, protocol analysis, device vulnerability discovery, penetration testing and so on.

The purpose of the penetration test is to identify and confirm the vulnerability of the industrial control system. It can be carried out on discrete-process industrial control systems where permitted, subject to the approval of the assessor. Before the test, discuss the specific implementation plan with the relevant experts, evaluate the possible consequences, and develop the corresponding disposal plan. The assessor should use the penetration test method with caution. After the field test is completed, the system needs to be verified before it can be used again.

5.6 Simulation environment test

Continuous industrial control systems are often in an uninterrupted state of operation, and any system failure can cause huge losses. Vulnerability identification during risk assessment often requires attack testing or bypassing the security mechanisms of the system. If carried out directly on the production system, this would bring greater security risks and could even cause the industrial control system to crash or enter an uncontrollable state. Therefore, it is necessary to build a simulation test environment and carry out security testing on that basis. Since the test work is carried out only in a simulated environment, it has no impact on the normal operation of the on-site industrial control system. Test evaluation in a simulation environment is the most effective test evaluation method, and can uncover on a larger scale security vulnerabilities in the processes, protocols and implementations within the system under test.

Simulation test evaluation may cause damage to the equipment under test during the test, or produce invalid data in the database of the system under test. If an industrial control system development, test or backup system is used as the simulation test environment, it must be verified after the test is completed before it can be put back into use in its original function.

The most commonly used technical test methods for simulation testing include penetration testing, firmware reverse analysis, dedicated embedded system analysis, source code audit, program upload and download vulnerability analysis, proprietary protocol analysis, hardware board analysis and so on. Common detection tools include vulnerability scanners, penetration testing tools, communication protocol data capture tools and so on.

In the simulation environment, the security of the entire system can be tested to assess the overall security status of the system, and separate component testing can be conducted on important equipment to identify key risks in industrial control systems.

6 Implementation process

6.1 Preparation

6.1.1 Overview

The preparation of the risk assessment is a guarantee of the effectiveness of the entire risk assessment process. Both the assessor and the assessed party should make full preparations before the risk assessment is implemented. In order to ensure the smooth development of the risk assessment work, a risk assessment kick-off meeting should be held. GB/T 31509-2015 specifies the content and significance of the kick-off meeting. Figure 4 shows the risk assessment preparation workflow for industrial control systems.

Figure 4 Risk assessment preparation workflow

6.1.2 Determining the target

Risk assessment should be carried out throughout the life cycle of the industrial control system. Because the content, objects and security requirements of risk assessment implementation differ at the various stages of the industrial control system life cycle, the assessor should first determine, from the actual situation of the current industrial control system, which stage of the life cycle it is in, and then identify the risk assessment objectives, as shown in Figure 5. For the specific implementation process, see GB/T 20984-2007 and GB/T 31509-2015.

Figure 5 Determine the assessment target

The implementation guidelines are as follows:

a) The assessor should analyze and judge the life cycle stage the industrial control system is currently in, based on the input document materials and interviews with relevant personnel;
b) Determine the assessment objectives based on the requirements of the different phases of the life cycle.

6.1.3 Determination of scope

The scope of risk assessment implementation is the scope of the assessor's work. The scope of the assessment can be the entire industrial control system, including the production management layer and the enterprise resource layer; it can also be the parts unique to industrial control systems or key business processing systems. When determining the scope of assessment, the boundary of the assessment scope should be defined reasonably in light of the assessment objectives and the actual construction and operation of the industrial control system. Determining the scope of assessment is shown in Figure 6.

Figure 6 Determine the scope of assessment

The implementation guidelines are as follows:

a) The assessor should be aware of the industrial control safety baseline level of the industrial control system, see GB/T 32919-2016;
b) The assessor should be aware of the scope of the assessment requested by the assessed party and the actual construction of the industrial control system;
c) The scope of risk assessment implementation should include the assets, management agencies, key business processes, etc. of the industrial control system of the assessed party;
d) The assessor should combine the identified assessment objectives, the scope of the assessment requested by the assessed party and the actual industrial control system construction to reasonably define the assessment object and the boundary of the assessment scope.

6.1.4 Forming a team

The risk assessment implementation team can be composed of the assessor, together with the risk assessment implementation team and expert group of the assessed party. The assessor's personnel should consist of industrial control system professionals, information technology assessors and others. A running industrial control system involves multiple stakeholders, including the manufacturers of industrial control products, the distributors that actually sell industrial control products, the integrators that integrate and develop application systems, the manufacturers of the systems' operating systems, and the owner of the industrial control system. Before conducting a risk assessment of an industrial control system, it is necessary to clearly define the assessment Which par...
