 GB/T 37933-2019: Information security technology - Technical requirements of industrial control system dedicated firewall
 Status: Valid
 
	
		
Basic data

| Standard ID | GB/T 37933-2019 (GB/T37933-2019) |
| Description (translated English) | Information security technology - Technical requirements of industrial control system dedicated firewall |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.040 |
| Word Count Estimation | 34,370 |
| Date of Issue | 2019-08-30 |
| Date of Implementation | 2020-03-01 |
| Issuing agency(ies) | State Administration for Market Regulation; China National Standardization Administration |

The text below is a draft translation of GB/T 37933-2019 for illustration, not a final translation.

Information security technology - Technical requirements of industrial control system dedicated firewall

ICS 35.040
L80
National Standard of the People's Republic of China
Issued 2019-08-30
Implemented 2020-03-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration
Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Product description
6 Security technical requirements
6.1 Basic level security technical requirements
6.1.1 Security function requirements
6.1.2 Own security requirements
6.1.3 Performance requirements
6.1.4 Security assurance requirements
6.2 Enhanced level security technical requirements
6.2.1 Security function requirements
6.2.2 Own security requirements
6.2.3 Performance requirements
6.2.4 Security assurance requirements
Appendix A (informative) Application of industrial control firewalls
Appendix B (normative) Environmental adaptability requirements
Appendix C (informative) Typical industrial control protocol application layer control requirements
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: The Third Research Institute of the Ministry of Public Security, Beijing Hollysys System Engineering Co., Ltd., Zhejiang Supcon Technology Co., Ltd., Beijing Shenzhou NSFOCUS Information Security Technology Co., Ltd., China Information Security Research Institute Co., Ltd., China Electronic Technology Standardization Research Institute, Beijing Tianrongxin Network Security Technology Co., Ltd., China Electronics Technology Network Information Security Co., Ltd., Wangshen Information Technology (Beijing) Co., Ltd., Jinan Huahan Electric Technology Co., Ltd., Beijing Tiandi Hexing Technology Co., Ltd., Fengtai Technology (Beijing) Co., Ltd., Shanghai University of Electric Power, Beijing University of Technology.
The main drafters of this standard: Zou Chunming, Tian Yuan, Shen Qinghong, Lu Zhen, Yu You, Zhao Ting, Yan Yixin, Gu Jian, Liu Ying, Wang Tao, Zhu Yiming, Fan Kefeng, Wang Yong, Yao Xiangzhen, Li Lin, Zhou Ruikang, Ye Xiaohu, Wang Xiaopeng, Yang Chen, Zhou Wenqi, Jin Guangyu, Lei Xiaofeng, Lan Kun, Huang Wenjun, Gong Lianghua, Yang Zhen, Wang Gang, Wu Yunkun.

Introduction

With the deep integration of industrialization and informatization, security threats from information networks increasingly pose serious threats to industrial control systems. General-purpose firewalls are not capable of meeting the security protection needs of industrial control systems, so there is an urgent need for a firewall that can be applied in the industrial control environment to protect industrial control systems.
The main differences between a firewall used in the industrial control environment and a general-purpose firewall are as follows:
---In addition to basic five-tuple filtering, a general-purpose firewall also needs a certain application-layer filtering capability. Beyond the application-layer filtering that a general-purpose firewall provides for some common protocols, a firewall for the industrial control environment also has application-layer filtering capability for industrial control protocols.
---A firewall used in the industrial control environment has higher environmental adaptability requirements than a general-purpose firewall.
---In the industrial control environment, traffic volume is usually relatively small, but the execution of control commands requires real-time performance. Therefore, the throughput requirement of an industrial control firewall can be relatively low, but its real-time (latency) requirement is higher.
---A firewall in the industrial control environment has higher reliability and stability requirements than a general-purpose firewall.
Information security technology - Technical requirements of industrial control system dedicated firewall

1 Scope

This standard specifies the security function requirements, own security requirements, performance requirements and security assurance requirements of the industrial control system dedicated firewall (hereinafter referred to as the industrial control firewall).
This standard applies to the design, development and testing of industrial control firewalls.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 2423.5-1995 Environmental testing for electric and electronic products - Part 2: Test methods - Test Ea and guidance: Shock
GB/T 2423.8-1995 Environmental testing for electric and electronic products - Part 2: Test methods - Test Ed: Free fall
GB/T 2423.10-2008 Environmental testing for electric and electronic products - Part 2: Test methods - Test Fc: Vibration (sinusoidal)
GB/T 4208-2017 Degrees of protection provided by enclosure (IP code)
GB 4824-2013 Industrial, scientific and medical (ISM) radio-frequency equipment - Disturbance characteristics - Limits and methods of measurement
GB/T 9254-2008 Information technology equipment - Radio disturbance characteristics - Limits and methods of measurement
GB/T 13729-2002 Telecontrol terminal equipment
GB/T 15153.1-1998 Telecontrol equipment and systems - Part 2: Operating conditions - Section 1: Power supply and electromagnetic compatibility
GB/T 17214.4-2005 Operating conditions for industrial process measurement and control equipment - Part 4: Corrosive and erosive influences
GB/T 17626.2-2018 Electromagnetic compatibility - Testing and measurement techniques - Electrostatic discharge immunity test
GB/T 17626.3-2016 Electromagnetic compatibility - Testing and measurement techniques - Radiated, radio-frequency, electromagnetic field immunity test
GB/T 17626.4-2018 Electromagnetic compatibility - Testing and measurement techniques - Electrical fast transient/burst immunity test
GB/T 17626.5-2008 Electromagnetic compatibility - Testing and measurement techniques - Surge immunity test
GB/T 17626.6-2017 Electromagnetic compatibility - Testing and measurement techniques - Immunity to conducted disturbances, induced by radio-frequency fields
GB/T 17626.8-2006 Electromagnetic compatibility - Testing and measurement techniques - Power frequency magnetic field immunity test
GB/T 17626.10-2017 Electromagnetic compatibility - Testing and measurement techniques - Damped oscillatory magnetic field immunity test
GB/T 17626.11-2008 Electromagnetic compatibility - Testing and measurement techniques - Voltage dips, short interruptions and voltage variations immunity test
GB/T 17626.12-2013 Electromagnetic compatibility - Testing and measurement techniques - Ring wave immunity test
GB/T 17626.16-2007 Electromagnetic compatibility - Testing and measurement techniques - Test for immunity to conducted, common mode disturbances in the frequency range 0 Hz to 150 kHz
GB/T 17626.17-2005 Electromagnetic compatibility - Testing and measurement techniques - Ripple on d.c. input power port immunity test
GB/T 17626.18-2016 Electromagnetic compatibility - Testing and measurement techniques - Damped oscillatory wave immunity test
GB/T 17626.29-2006 Electromagnetic compatibility - Testing and measurement techniques - Voltage dips, short interruptions and voltage variations on d.c. input power port immunity test
GB/T 20281-2015 Information security technology - Security technical requirements and testing and evaluation approaches for firewall
GB/T 20438.3-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements
GB/T 20438.4-2017 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 4: Definitions and abbreviations
GB/T 25069-2010 Information security technology - Glossary
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control

3 Terms and definitions

The terms and definitions defined in GB/T 20281-2015, GB/T 20438.4-2017, GB/T 25069-2010 and GB/T 32919-2016, and the following, apply to this document.
3.1
Industrial control protocol
In an industrial control system, the communication protocol used between the host computer and the control equipment, and between control equipment. It usually includes analog and digital read and write control.
3.2
Industrial control system dedicated firewall
A security gateway product deployed between different security domains of an industrial control system, or in front of a controller, that has network-layer access control and filtering functions and industrial control protocol inspection and filtering functions, that has high availability, and that can be applied in the industrial control environment.

4 Abbreviations

The following abbreviations apply to this document.

5 Product description

An industrial control firewall is a special type of firewall used in industrial control systems. It must meet not only the basic requirements of a general-purpose firewall but also the special requirements of the industrial control environment. Industrial control firewalls are mainly used for protection between the levels of an industrial control system and within each level. See Appendix A for typical deployment scenarios of industrial control firewalls.
This standard divides the security technical requirements of industrial control firewalls into four categories: security function requirements, own security requirements, performance requirements and security assurance requirements. The security function requirements, own security requirements and security assurance requirements are further divided into a basic level and an enhanced level; content that is added or changed at the enhanced level relative to the basic level is indicated in bold in the text. If the industrial control firewall is deployed on the industrial control site, the environmental adaptability requirements of Appendix B should be met according to actual needs.

6 Security technical requirements

6.1 Basic level security technical requirements
6.1.1 Security function requirements
6.1.1.1 Network layer control
6.1.1.1.1 Packet Filter
The packet filtering requirements of the industrial firewall are as follows.
a) The security policy should use the default prohibition principle, that is, prohibit unless explicitly allowed;
b) The security policy should include access control based on the source IP address and destination IP address;
c) Security policy should include access control based on source port and destination port;
d) The security policy should include access control based on the protocol type;
e) The security policy should include MAC address-based access control;
f) User-defined security policies should be supported; a security policy may combine any or all of MAC address, IP address and port.
6.1.1.1.2 NAT
An industrial control firewall deployed between domains should have a NAT function. The specific technical requirements are as follows.
a) Should support two-way NAT, i.e. SNAT and DNAT;
b) SNAT should at least support "many-to-one" address translation, so that the source IP address of an internal host is translated when it accesses the external network.
6.1.1.1.3 Stateful inspection
The industrial control firewall should have a stateful inspection function and support access control based on stateful inspection technology.
6.1.1.1.4 Dynamic port opening
The industrial control firewall should have a dynamic port opening function and should at least support the OPC and FTP protocols.
6.1.1.1.5 IP/MAC address binding
The industrial control firewall should support automatic or manual binding of IP/MAC addresses; it should be able to detect IP address theft (spoofing) events and block a host that is using a stolen IP address from accessing through the industrial control firewall.
6.1.1.1.6 Resistance to denial of service attacks
The industrial control firewall should have the ability to resist denial of service attacks. The specific technical requirements are as follows (including, but not limited to).
a) ICMP Flood attack;
b) UDP Flood attack;
c) SYN Flood attack;
d) TearDrop attack;
e) Land attack;
f) Oversized ICMP packet attack.
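The patterns in the list above can be recognised with a small amount of per-packet inspection state. The following is an added example written for this page, not code from the standard or from any vendor product: a detector that flags Land (identical source and destination endpoint), oversized ICMP, TearDrop-style overlapping fragments, and ICMP/UDP/SYN floods by counting packets per destination in a sliding window. The `IpPacket` fields, the thresholds and the traffic used in the tests are constructed for the example; a real device would tune the flood thresholds to the port rate.

```python
"""Detection checks for the denial-of-service patterns listed in 6.1.1.1.6.

Added example, not code from the standard. Thresholds and packets are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpPacket:
    ts: float                      # arrival time in seconds
    src_ip: str
    dst_ip: str
    proto: str                     # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    length: int = 64               # total datagram length in bytes
    syn: bool = False              # TCP SYN flag
    ack: bool = False              # TCP ACK flag
    frag_id: Optional[int] = None  # IP identification, set only for fragments
    frag_offset: int = 0           # fragment offset in bytes
    payload_len: int = 0           # bytes of payload carried by this fragment


class DosDetector:
    def __init__(self, window: float = 1.0, flood_threshold: int = 1000, max_icmp: int = 1500):
        self.window = window                    # sliding window in seconds
        self.flood_threshold = flood_threshold  # packets per window per destination
        self.max_icmp = max_icmp                # largest ICMP datagram accepted
        self._events = defaultdict(deque)       # (kind, dst) -> recent timestamps
        self._fragments = defaultdict(list)     # (src, dst, id) -> [(start, end)]

    def _rate_exceeded(self, key, ts: float) -> bool:
        q = self._events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:    # drop timestamps outside the window
            q.popleft()
        return len(q) > self.flood_threshold

    def check(self, p: IpPacket) -> list:
        """Return the names of every pattern this packet triggers (empty if clean)."""
        findings = []
        # Land: source and destination endpoint identical
        if p.src_ip == p.dst_ip and p.proto in ("tcp", "udp") and p.src_port == p.dst_port:
            findings.append("land")
        # Oversized ICMP datagram
        if p.proto == "icmp" and p.length > self.max_icmp:
            findings.append("oversized-icmp")
        # TearDrop: a fragment overlapping one already seen for the same datagram
        if p.frag_id is not None:
            key = (p.src_ip, p.dst_ip, p.frag_id)
            start, end = p.frag_offset, p.frag_offset + p.payload_len
            if any(start < e and s < end for s, e in self._fragments[key]):
                findings.append("teardrop-overlap")
            self._fragments[key].append((start, end))
        # Floods: too many packets of one kind towards one destination per window
        if p.proto == "icmp" and self._rate_exceeded(("icmp", p.dst_ip), p.ts):
            findings.append("icmp-flood")
        if p.proto == "udp" and self._rate_exceeded(("udp", p.dst_ip), p.ts):
            findings.append("udp-flood")
        if p.proto == "tcp" and p.syn and not p.ack and self._rate_exceeded(("syn", p.dst_ip), p.ts):
            findings.append("syn-flood")
        return findings


if __name__ == "__main__":
    d = DosDetector(flood_threshold=100)
    print(d.check(IpPacket(0.0, "10.0.1.20", "10.0.1.20", "tcp", 502, 502, syn=True)))
    for i in range(101):  # constructed burst of SYNs towards one PLC
        hit = d.check(IpPacket(i * 0.001, "10.1.0.%d" % (i % 200), "10.0.1.20", "tcp", 40000 + i, 502, syn=True))
    print(hit)
```

The fragment check keys on (source, destination, identification) so that legitimate adjacent fragments of one datagram are not flagged; only a fragment whose byte range intersects one already recorded counts as an overlap. Flood counters are per destination rather than per source, because a flood from many spoofed sources towards one controller is the case the firewall has to survive.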
6.1.1.1.7 Network Scanning Protection
The industrial firewall should be able to detect and record scanning behavior, including scanning of protected networks.
6.1.1.2 Application layer control
6.1.1.2.1 Application protocol control
The industrial control firewall should be able to identify and control various application types. The specific technical requirements are as follows.
a) Support general application layer protocols such as HTTP, FTP, Telnet;
b) Support common industrial control protocols, such as OPC, Modbus TCP, Profinet, BACnet, DNP3, IEC 104, etc.
6.1.1.2.2 Deep content inspection of industrial control protocols
The industrial control firewall should be able to perform deep content inspection of mainstream industrial control protocols. The specific technical requirements are as follows.
a) Inspect conformance to the industrial control protocol format specification, and prohibit communications that do not comply with the protocol specification;
b) Control the operation type, operation object, operation range and other parameters of the industrial control protocol;
c) Support at least one mainstream industrial control protocol.
Note: See Appendix C for the specific inspection depth of each industrial control protocol.
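Requirements a) and b) above amount to parsing the protocol, rejecting anything that violates its format, and then matching the operation type, object and range against a policy. As an added example (not code from the standard or any product), the following inspector does this for Modbus/TCP, the one mainstream protocol it supports, as c) permits: it validates the MBAP header and PDU layout, then allows a request only when a rule permits that function code on that unit and register range; everything else is dropped. The MBAP layout and function codes come from the Modbus specification; `ModbusRule`, the sample policy `RULES` and the frames produced by `build_request` are constructed for the example.

```python
"""Deep content inspection of Modbus/TCP requests, as required by 6.1.1.2.2.

Added example; not code from the standard. MBAP layout and function codes are
from the Modbus specification; rules and sample frames are constructed.
"""
import struct
from dataclasses import dataclass

MBAP = struct.Struct(">HHHB")      # transaction id, protocol id, length, unit id
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int     # operation type
    start: int        # first register address (operation object)
    count: int        # number of registers touched (operation range)


def parse_modbus_request(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request; raise ValueError on any spec violation (6.1.1.2.2 a)."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[MBAP.size:]
    fc = pdu[0]
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        if len(pdu) != 5:
            raise ValueError("PDU for function 0x%02x must be 5 bytes" % fc)
        start, quantity = struct.unpack(">HH", pdu[1:5])
        count = quantity if fc == READ_HOLDING_REGISTERS else 1
        if fc == READ_HOLDING_REGISTERS and not 1 <= count <= 125:
            raise ValueError("read quantity outside the 1..125 allowed by the spec")
    elif fc == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            raise ValueError("truncated write-multiple PDU")
        start, count, byte_count = struct.unpack(">HHB", pdu[1:6])
        if not 1 <= count <= 123 or byte_count != 2 * count or len(pdu) != 6 + byte_count:
            raise ValueError("write-multiple quantity and byte count are inconsistent")
    else:
        raise ValueError("function code 0x%02x not supported by this inspector" % fc)
    if start + count - 1 > 0xFFFF:
        raise ValueError("register range wraps past the address space")
    return ModbusRequest(tid, unit, fc, start, count)


@dataclass(frozen=True)
class ModbusRule:
    unit_id: int
    functions: frozenset   # permitted operation types
    first: int             # permitted register range, inclusive
    last: int


def inspect(frame: bytes, rules) -> tuple:
    """Return ("allow", reason) or ("drop", reason); unmatched traffic is dropped (default deny)."""
    try:
        req = parse_modbus_request(frame)
    except ValueError as err:
        return "drop", "malformed: " + str(err)
    last = req.start + req.count - 1
    detail = "unit %d fc 0x%02x regs %d..%d" % (req.unit_id, req.function, req.start, last)
    for rule in rules:
        if (rule.unit_id == req.unit_id and req.function in rule.functions
                and rule.first <= req.start and last <= rule.last):
            return "allow", detail
    return "drop", "no rule permits " + detail


def build_request(tid: int, unit: int, fc: int, address: int, value: int) -> bytes:
    """Build a request with a 5-byte PDU (read holding / write single); constructed test input."""
    pdu = bytes([fc]) + struct.pack(">HH", address, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: the HMI may read registers 0..99 of PLC unit 1 and write only setpoints 40..49.
RULES = (
    ModbusRule(1, frozenset({READ_HOLDING_REGISTERS}), 0, 99),
    ModbusRule(1, frozenset({WRITE_SINGLE_REGISTER}), 40, 49),
)

if __name__ == "__main__":
    print(inspect(build_request(1, 1, READ_HOLDING_REGISTERS, 0, 10), RULES))
    print(inspect(build_request(2, 1, WRITE_SINGLE_REGISTER, 5, 1), RULES))
```

Format conformance is checked before policy: a frame whose MBAP length field disagrees with its size, or whose read quantity exceeds the protocol limit, is dropped as malformed without ever reaching the rule table, which is the order requirement a) implies.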
6.1.2 Own security requirements
6.1.2.1 Operation and maintenance management
6.1.2.1.1 Management Security
Industrial control firewalls should have management security functions. The specific technical requirements are as follows.
a) Support password authentication of authorized administrators, with password settings that meet the security requirements;
b) Each authorized administrator should be uniquely identified before any operation is performed at their request;
c) It shall have a login failure handling function: once the number of authentication failures for an identity exceeds a settable maximum, the industrial control firewall shall terminate the session established by the management host or user;
d) The industrial control firewall should provide each authorized administrator with a unique set of security attributes necessary for implementing the security policies.
6.1.2.1.2 Management method
Industrial firewalls should have multiple management methods, and the specific technical requirements are as follows.
a) It should support local management of industrial control firewalls;
b) It should support remote management through the network interface, and limit the network interface that can be remotely managed;
c) During remote management, all communication data between the management terminal and the industrial control firewall should be encrypted for transmission.
6.1.2.1.3 Management capabilities
Industrial firewalls should have corresponding management capabilities. The specific technical requirements are as follows.
a) Provide authorized administrators with the function of setting and modifying data parameters related to security management;
b) Provide authorized administrators with the function of setting, querying and modifying various security policies;
c) Provide authorized administrators with the function of managing audit logs.
6.1.2.2 Security audit
6.1.2.2.1 Record event type
The industrial control firewall should have a security audit function, and the requirements for recording event types are as follows.
a) Access requests that match the access control policy of the industrial control firewall;
b) Access requests prohibited by default in the access control policy, including access requests that attempt to traverse or reach industrial control firewalls;
c) Attacks detected;
d) Attempt to log in to the industrial control firewall management port and manage the identity authentication request;
e) Important management configuration operations on the industrial control firewall system, such as adding/deleting/modifying administrators, saving/deleting audit logs, and changing security policies and configuration parameters, etc.;
f) Other types of events that should be recorded.
6.1.2.2.2 Log content
The industrial control firewall should have a security audit function, and the log content requirements are as follows.
a) The date and time of the event; the date should include year, month and day, and the time should include hour, minute and second;
b) The access control log should include the protocol type, source address, destination address, source port and destination port of the packet, and whether it was allowed or denied;
c) Deep content inspection information of industrial control protocols;
d) The management log should include the event subject, event object and event description.
6.1.2.2.3 Log Management
The industrial control firewall should have log management functions. The specific technical requirements are as follows.
a) Only authorized auditors should be allowed to read, archive, export, delete and clear logs;
b) Log review tools should be provided, with the ability to retrieve audit events by time, date, subject identity, object identity, etc., and only authorized auditors should be allowed to use the review tools;
c) Audit events should be stored in non-volatile storage media after power failure, and authorized administrators should be notified for processing when the storage space reaches the threshold.
6.1.2.3 Security management
6.1.2.3.1 Safety support system
The underlying support system of the industrial control firewall should meet the following requirements.
a) Should not provide unnecessary network services;
b) Should not contain any security vulnerability that leads to loss of product privileges, denial of service, etc.
6.1.2.3.2 Exception handling mechanism
After the industrial control firewall is shut down abnormally (e.g. power failure, forced shutdown) and restarted, it should meet the following technical requirements.
a) The security policy is restored to its state before the shutdown;
b) Log information is not lost;
c) The administrator must re-authenticate.
6.1.2.4 High availability
6.1.2.4.1 Availability guarantee
An industrial control firewall deployed at the field control layer should have a bypass function: when the firewall itself loses power, its internal interface is physically connected directly to its external interface, so that normal communication between the internal and external networks is maintained, and an alarm is raised in time.
6.1.2.4.2 Equipment self-check
The industrial control firewall should have self-check functions as follows.
a) During initialization or startup, the device hardware, programs or functional modules, important configuration files, etc. should be checked, and an alarm raised in time when an abnormality is found;
b) During operation, the modules or processes that provide security functions should be checkable at the request of an authorized administrator or periodically, with an alarm raised in time when an abnormality occurs.
6.1.2.4.3 Operation mode
The industrial control firewall should support multiple operating modes, so that it can distinguish the deployment phase from the working phase in order to protect the system.
The specific technical requirements are as follows.
a) Support a learning mode: the industrial control firewall records all flows, assets and other information passing through it during operation to form a whitelist policy set;
b) Support a verification (test) mode: in this mode the industrial control firewall alerts on traffic that the policy would prohibit, but does not block it;
c) Support a normal working mode: in this mode the industrial control firewall strictly filters and takes other protective actions according to the protection policy.
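The three modes above, together with the default-deny packet filter of 6.1.1.1.1 and the access-control log fields of 6.1.2.2.2, fit into one small enforcement core. The following is an added example for this page, not code from the standard or any product: `Rule` matches any combination of MAC, IP, protocol and port (unset fields are wildcards), `IcsFirewall.process` records flows in learning mode, alerts without blocking in test mode, and enforces in normal mode, and every decision yields a log record with a year-month-day hour:minute:second timestamp, the five-tuple and the action. The class names and the addresses used in the tests are constructed.

```python
"""Default-deny packet filter with learning, verification and normal modes.

Added example covering 6.1.1.1.1, 6.1.2.4.3 and the log fields of 6.1.2.2.2.
Not code from the standard; all addresses and traffic are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str                    # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A permit rule. Any field left as None is a wildcard, so one rule may combine
    MAC, IP and port criteria in part or in whole (6.1.1.1.1 b-f)."""
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == getattr(p, name)
                   for name, want in vars(self).items())


class IcsFirewall:
    """Only traffic matching a permit rule passes in normal mode (default deny, 6.1.1.1.1 a)."""

    MODES = ("learning", "test", "normal")

    def __init__(self, mode: str = "normal"):
        if mode not in self.MODES:
            raise ValueError("unknown mode %r" % mode)
        self.mode = mode
        self.whitelist: list = []      # permit rules, configured or learned
        self.audit: list = []          # access-control log records

    @staticmethod
    def learned_rule(p: Packet) -> Rule:
        # Learning keys on source, destination, protocol and service port; the
        # ephemeral source port is deliberately left as a wildcard.
        return Rule(src_ip=p.src_ip, dst_ip=p.dst_ip, proto=p.proto, dst_port=p.dst_port)

    def process(self, p: Packet, now: Optional[datetime] = None) -> str:
        """Return "pass" or "drop" for the packet and append an audit record."""
        permitted = any(r.matches(p) for r in self.whitelist)
        alert = False
        if self.mode == "learning":
            rule = self.learned_rule(p)
            if rule not in self.whitelist:
                self.whitelist.append(rule)
            action = "pass"                             # a) record, do not enforce
        elif self.mode == "test":
            action = "pass"                             # b) alert on what would be denied
            alert = not permitted
        else:
            action = "pass" if permitted else "drop"    # c) enforce strictly
        self._log(p, action, alert, now)
        return action

    def _log(self, p: Packet, action: str, alert: bool, now: Optional[datetime]) -> None:
        stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
        self.audit.append({
            "time": stamp, "mode": self.mode, "proto": p.proto,
            "src": p.src_ip, "sport": p.src_port, "dst": p.dst_ip, "dport": p.dst_port,
            "action": action, "alert": alert,
        })
```

A typical commissioning sequence is learning mode while the plant runs its normal cycle, then test mode long enough to see whether any legitimate but rare flow (a maintenance laptop, a periodic backup) shows up as an alert, then normal mode. Because learning records only destination ports, a learned whitelist does not balloon with one rule per ephemeral client port.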
6.1.2.4.4 Security Policy Update
Applying or updating industrial control firewall security policies should not affect normal data communication.
6.1.2.4.5 Time synchronization
The industrial control firewall should support the function of automatically synchronizing time with the clock server.
6.1.2.4.6 Power redundancy
The industrial control firewall deployed on the field control layer should provide dual power supply redundancy.
6.1.2.4.7 Cooling method
An industrial control firewall deployed at the field control layer should use natural heat dissipation with a fanless design.
6.1.3 Performance requirements
6.1.3.1 Throughput
With only one permit rule configured and no packet loss, the bidirectional throughput that a pair of ports of the corresponding rate should achieve is as follows.
a) Industrial control firewall deployed between domains:
1) For 64-byte short packets, a 100M industrial control firewall should achieve no less than 30% of line rate, and a gigabit industrial control firewall no less than 40% of line rate;
2) For 256-byte medium packets, a 100M industrial control firewall should achieve no less than 70% of line rate, and a gigabit industrial control firewall no less than 80% of line rate;
3) For 512-byte long packets, a 100M industrial control firewall should achieve no less than 90% of line rate, and a gigabit industrial control firewall no less than 95% of line rate.
b) Industrial control firewall deployed in front of field control layer equipment:
1) For 64-byte short packets, a 100M industrial control firewall should achieve no less than 10% of line rate, and a gigabit industrial control firewall no less than 20% of line rate;
2) For 256-byte medium packets, a 100M industrial control firewall should achieve no less than 30% of line rate, and a gigabit industrial control firewall no less than 40% of line rate;
3) For 512-byte long packets, a 100M industrial control firewall should achieve no less than 50% of line rate, and a gigabit industrial control firewall no less than 70% of line rate.
6.1.3.2 Delay
The delay requirement depends on the rate of the industrial control firewall. At 90% of throughput, the following requirements should be met.
a) Industrial control firewall deployed between domains:
1) For 64-byte short packets, 256-byte medium packets and 512-byte long packets, the average delay of a 100M industrial control firewall should not exceed 1 ms;
2) For 64-byte short packets, 256-byte medium packets and 512-byte long packets, the average delay of a gigabit industrial control firewall should not exceed 200 μs.
b) Industrial control firewall deployed in front of field control layer equipment:
1) For 64-byte short packets, 256-byte medium packets and 512-byte long packets, the average delay of a 100M industrial control firewall should not exceed 500 μs;
2) For 64-byte short packets, 256-byte medium packets and 512-byte long packets, the average delay of a gigabit industrial control firewall should not exceed 200 μs.
6.1.3.3 Maximum number of concurrent connections
The maximum number of concurrent connections varies depending on industrial firewalls of different rates. The specific indicators are as follows.
a) The maximum number of concurrent connections of a 100M industrial control firewall should not be less than 60,000;
b) The maximum number of concurrent connections of the gigabit industrial control firewall should not be less than 300,000.
6.1.3.4 Maximum connection rate
The maximum connection rate depends on the industrial firewall of different rates. The specific index requirements are as follows.
a) The maximum connection rate of the 100M industrial control firewall should not be less than 1500/s;
b) The maximum connection rate of the gigabit industrial control firewall should not be less than 5000/s.
6.1.4 Security assurance requirements
6.1.4.1 Development
6.1.4.1.1 Security Architecture
The developer should provide a description of the security architecture of the product's security functions. The technical requirements are as follows.
a) Consistent with the description of...
 