Basic data
Standard ID: GB/T 37953-2019 (GB/T37953-2019)
Description (translated English): Information security technology - Security requirements and evaluation approaches for industrial control network monitor
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 42,478
Date of Issue: 2019-08-30
Date of Implementation: 2020-03-01
Issuing agency(ies): State Administration for Market Regulation; China National Standardization Administration
Note: the text below is a draft English version for illustration, not a final translation.
Information security technology - Security requirements and evaluation approaches for industrial control network monitor
ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology - Industrial control network monitoring - Security technical requirements and test evaluation methods
Issued 2019-08-30
Implemented 2020-03-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Product description
6 Security technical requirements
6.1 Security function requirements
6.2 Security assurance requirements
7 Evaluation methods
7.1 Security function evaluation methods
7.2 Security assurance evaluation methods
Appendix A (Normative) Grading of security technical requirements for industrial control network monitoring and the requirements at each grade
Appendix B (Normative) Grading of evaluation methods for industrial control network monitoring and the evaluation items at each grade
Appendix C (Normative) Industrial environment application requirements
Bibliography
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
This standard was drafted by: China Electronics Standardization Institute, Shenyang Institute of Automation of the Chinese Academy of Sciences, Shenzhen Saixi Information Technology Co., Ltd., Beijing University of Technology, the Third Research Institute of the Ministry of Public Security, Zhejiang Zheneng Taizhou Second Power Generation Co., Ltd., China Information Security Evaluation Center, Shanghai Sanling Information Security Co., Ltd., Shanghai Jiaotong University, National Information Technology Security Research Center, Hollysys Group, Beijing Venus Star Information Security Technology Co., Ltd., Fengtai Technology (Beijing) Co., Ltd., Electric Power Research Institute of State Grid Zhejiang Electric Power Co., Ltd., Huada Semiconductor Co., Ltd., China Power Engineering Consulting Group Southwest Electric Power Design Institute Co., Ltd., China Ping An Insurance (Group) Co., Ltd., and Beijing Kuangen Network Technology Co., Ltd.
The main drafters of this standard: Fan Kefeng, Zhou Ruikang, Yao Xiangzhen, Li Lin, Liu Xiangang, Gong Jiezhong, Zhang Dajiang, Shang Wenli, Lai Yingxu, Gu Jian, Lu Zhen, Zou Chunming, Xia Kechao, Zhu Qingguo, Xie Feng, Di Liqing, Dai Zhonghua, Zhao Jianming, Wu Dakui, Gu Dawu, Xia Zhengmin, Li Bing, Wang Tao, Meng Yahui, Gong Lianghua, Wei Qinzhi, Luo Zhihao, Lan Tian, Zhang Jinbin, Yu Jingtao and Bi Siwen.
Introduction
With the deep integration of industrialization and informatization, security threats from information networks are increasingly posing serious security threats to industrial control systems. General-purpose network monitoring products cannot cope with the security protection of industrial control systems, so network monitoring products that can be applied to industrial control environments are needed to protect industrial control systems.
The main differences between network monitoring products used in industrial control environments and general network monitoring products are:
---General network monitoring products mainly analyze and respond to common Internet protocols. Network monitoring products applied in industrial control environments, in addition to being able to analyze some common Internet protocols, also have in-depth analysis capabilities for industrial control protocols, and do not analyze common protocols that are not used in industrial control systems.
---Some components of network monitoring products used in industrial control environments may need to be deployed in industrial field environments, so they have higher environmental adaptability requirements than general network monitoring products.
---Network monitoring products used in industrial control environments have higher availability, reliability and stability requirements than general network monitoring products.
Information security technology - Industrial control network monitoring - Security technical requirements and test evaluation methods
1 Scope
This standard specifies the security technical requirements and test evaluation methods for industrial control network monitoring products.
This standard applies to the designers and manufacturers of industrial control network monitoring products, providing guidance for their design, development and evaluation; it can also provide guidance to the designers, builders and operation and maintenance parties of industrial control systems for the security protection of industrial control systems.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 2423.5-1995 Environmental testing of electrical and electronic products - Part 2: Test methods - Test Ea and guidance: Shock
GB/T 2423.8-1995 Environmental testing of electrical and electronic products - Part 2: Test methods - Test Ed: Free fall
GB/T 2423.10-2008 Environmental testing of electric and electronic products - Part 2: Test methods - Test Fc: Vibration (sinusoidal)
GB/T 4208-2017 Enclosure protection grades (IP code)
GB/T 17214.4-2005 Working conditions of industrial process measurement and control devices - Part 4: Corrosion and erosion effects
GB/T 18336.1-2015 Information technology - Security techniques - Information technology security evaluation criteria - Part 1: Introduction and general model
GB/T 22239-2019 Information security technology - Basic requirements for network security level protection
GB/T 25069-2010 Information security technology - Terminology
GB/T 32919-2016 Information security technology - Application guide to industrial control system security controls
3 Terms and definitions
The terms and definitions given in GB/T 25069-2010, GB/T 32919-2016 and GB/T 18336.1-2015, together with the following, apply to this document.
3.1
Industrial Control System
Various control systems used in industrial production.
Note: This includes supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems such as programmable logic controllers (PLC); these are widely used in industrial sectors and critical infrastructure.
3.2
Industrial control network monitoring
Technology deployed in an industrial control network to realize security event monitoring, auditing and management of the network behavior within that industrial control network.
Note 1: It is used to monitor and analyze the data messages in the industrial control network and to discover violations of security policies, abnormal operations, signs of attacks on industrial control equipment, or signs that industrial production has been affected.
Note 2: "Industrial control network monitoring" in this standard refers to "industrial control network monitoring products", that is, the equipment products deployed in an industrial control network to realize the monitoring functions for that network.
4 Abbreviations
The following abbreviations apply to this document.
5 Product description
Industrial control network monitoring products are used in industrial control environments. By monitoring the data messages in the industrial control network, they obtain data packets in real time, analyze them in depth, monitor intrusion behavior and abnormal behavior in the industrial control network, and raise timely warnings. The equipment needs to meet specific industrial environment and security function requirements, and can monitor the boundary of the industrial control network or the boundaries between different control areas within it, detect illegal intrusion activities, and raise real-time alarms and responses based on the monitoring results, so as to actively detect intrusion activities and ensure network security. The equipment product can be implemented in the form of hardware or software.
According to the strength of the security function requirements, this standard divides industrial control network monitoring products into a basic level and an enhanced level; the strength of the security functions and the level of the security assurance requirements are the specific basis for the classification. Basic level security function requirements should correspond to the second-level security protection capability of GB/T 22239-2019, and enhanced level security function requirements should correspond to the third-level security protection capability of GB/T 22239-2019. Requirements that are new at the enhanced level are marked in bold.
For the grading of the security technical requirements for industrial control network monitoring and the requirements at each grade, see Appendix A; for the grading of the evaluation methods and the evaluation items at each grade, see Appendix B; for industrial environment application requirements, see Appendix C.
6 Security technical requirements
6.1 Security function requirements
6.1.1 Functional requirements
6.1.1.1 Security incident monitoring
6.1.1.1.1 Flow Monitoring
The product should have a traffic monitoring function that meets the following requirements:
a) It should be able to monitor the traffic data packets in the network and obtain the data packets in real time for detection and analysis, without affecting the normal operation of the industrial control equipment.
b) It should be able to monitor the traffic data packets of a designated protocol or IP address without affecting the normal operation of the industrial control equipment.
6.1.1.1.2 Analysis of Industrial Control Protocol
For the data packets obtained in the industrial control network, the product should be able to analyze the industrial control protocol messages they carry and meet one of the following requirements:
a) Analyze the following (but not limited to) general protocols: Modbus/TCP, OPC Classic, DNP3.0, IEC 60870-5-104, Siemens S7Comm, PROFINET and EtherNet/IP;
b) Analyze an industry-specific protocol, for example IEC 61850 MMS, IEC 61850 GOOSE, IEC 61850 SV, or rail transit professional protocols.
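As an added worked example (not part of the standard's text), the following Python parser shows the kind of deep analysis item a) asks for, using Modbus/TCP: it validates the MBAP header against the bytes actually captured, classifies the function code as read, write, diagnostic or exception, and extracts the addressed register range from requests, so a monitor can apply policy to what a frame does rather than just to its port. The sample frames, the function-code grouping and the record layout are assumptions made for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function-code groups used for classification (assumed for this example).
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAG_FUNCS = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}


@dataclass
class ModbusRecord:
    transaction_id: int
    unit_id: int
    function_code: int
    category: str                 # read, write, diagnostic, exception or unknown
    name: str
    start_address: Optional[int] = None
    quantity: Optional[int] = None
    exception_code: Optional[int] = None


class ModbusParseError(ValueError):
    """Raised for frames a monitor should flag as malformed rather than classify."""


def parse_modbus_tcp(frame: bytes, is_request: bool = True) -> ModbusRecord:
    """Parse one Modbus/TCP ADU (7-byte MBAP header followed by the PDU).

    Address and quantity fields are only decoded for requests (client to
    server); responses carry data instead of an address at that position."""
    if len(frame) < 8:
        raise ModbusParseError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ModbusParseError(f"MBAP protocol id {proto_id} is not Modbus (0)")
    # The MBAP length field counts the unit id plus the PDU; a mismatch with
    # the bytes actually captured means truncation or a crafted header.
    if length != len(frame) - 6:
        raise ModbusParseError(f"MBAP length {length} != {len(frame) - 6} bytes present")
    pdu = frame[7:]
    fc = pdu[0]
    if fc & 0x80:
        # Exception response: original function code with the high bit set,
        # followed by a one-byte exception code.
        if len(pdu) < 2:
            raise ModbusParseError("exception response lacks exception code")
        return ModbusRecord(tid, unit, fc & 0x7F, "exception",
                            f"Exception to FC {fc & 0x7F}", exception_code=pdu[1])
    rec = ModbusRecord(tid, unit, fc, "unknown", f"FC {fc}")
    if fc in READ_FUNCS:
        rec.category, rec.name = "read", READ_FUNCS[fc]
    elif fc in WRITE_FUNCS:
        rec.category, rec.name = "write", WRITE_FUNCS[fc]
    elif fc in DIAG_FUNCS:
        rec.category, rec.name = "diagnostic", DIAG_FUNCS[fc]
    if is_request and (fc in READ_FUNCS or fc in WRITE_FUNCS):
        # Requests for FC 1-6, 15 and 16 carry a 16-bit start address; reads and
        # multi-writes follow it with a 16-bit quantity, single writes with a value.
        if len(pdu) < 5:
            raise ModbusParseError(f"FC {fc} request is missing its address fields")
        rec.start_address = struct.unpack(">H", pdu[1:3])[0]
        rec.quantity = struct.unpack(">H", pdu[3:5])[0] if fc in (1, 2, 3, 4, 15, 16) else 1
        if fc in (15, 16) and (len(pdu) < 6 or len(pdu) != 6 + pdu[5]):
            raise ModbusParseError("write-multiple byte count does not match payload")
    return rec


# Constructed sample frames (not captured traffic), hex-encoded ADUs.
SAMPLE_FRAMES = {
    "read_holding": "00010000000601030000000A",            # FC 3, regs 0..9 of unit 1
    "write_single": "0002000000060106001000FF",            # FC 6, reg 16 := 0x00FF
    "write_multi": "00030000000B01100000000204000A000B",   # FC 16, regs 0..1
    "exception": "000100000003018302",                     # FC 3 failed, code 2
    "bad_length": "00010000000901030000000A",              # MBAP length lies
}


def classify_samples() -> dict:
    """Run every sample through the parser; malformed ones map to 'malformed'."""
    out = {}
    for name, hexstr in SAMPLE_FRAMES.items():
        try:
            out[name] = parse_modbus_tcp(bytes.fromhex(hexstr)).category
        except ModbusParseError:
            out[name] = "malformed"
    return out
```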
6.1.1.1.3 Internet Protocol Analysis
For the Internet protocol traffic acquired in the industrial control network, the product should be able to analyze the data packets it carries, covering the following (but not limited to) Internet protocol messages:
a) HTTP;
b) FTP;
c) TELNET;
d) SNMP.
6.1.1.1.4 Attack behavior monitoring
The product should be able to discover, through analysis, comparison and other methods, attacks including but not limited to the following:
a) Industrial protocol vulnerability attacks;
b) Industrial control application vulnerability attacks;
c) Operating system vulnerability attacks;
d) Vulnerability attacks on industrial control equipment;
e) It should be able to monitor the occurrence of attacks such as worms and Trojan horses in the network without affecting the normal operation of industrial control equipment.
Note: For security vulnerabilities and attacks, refer to the information released by the National Information Security Vulnerability Sharing Platform.
6.1.1.2 Security incident response
6.1.1.2.1 Event Alarm
For attack behavior or abnormal behavior, the product should classify the event according to its severity and convey the alarm message in an intuitive and effective way, such as real-time on-screen prompts.
6.1.1.2.2 Alarm filtering
The product should allow administrators to define security policies so that no alarm is raised for specified events in the industrial control network.
6.1.1.2.3 Event merge
The product should combine alarms for the same security incidents that occur frequently to avoid alarm storms.
6.1.1.2.4 Custom response
The product should allow administrators to define security policies and customize response methods to events in the industrial control network.
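The four response requirements above describe one pipeline: classify by severity, drop policy-exempted events, merge repeats so that an alarm storm becomes one counted alarm, and apply the administrator's chosen response. The following Python sketch is an added example of such a pipeline, not text from the standard; the four-level severity scale, the merge key (signature, source, destination), the time window and the response names are assumptions made here.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Severity scale assumed for this example; the standard only requires that
# events be classified by severity, it does not fix the scale or the names.
LEVELS = {4: "critical", 3: "high", 2: "medium", 1: "low"}


@dataclass(frozen=True)
class Event:
    ts: float          # seconds, from the product's synchronized clock
    src: str
    dst: str
    signature: str     # identifier of the matching detection rule
    severity: int      # 1..4 on the assumed scale
    description: str


@dataclass
class Alarm:
    level: str
    signature: str
    src: str
    dst: str
    first_ts: float
    last_ts: float
    count: int         # merged occurrences behind this one alarm
    description: str
    response: str      # administrator-defined response for this level


class AlarmPipeline:
    """Event alarm, alarm filtering, event merge and custom response
    (6.1.1.2.1 to 6.1.1.2.4). The design is an assumption of this example."""

    def __init__(self, merge_window: float = 60.0):
        self.merge_window = merge_window
        self.suppressed: Set[Tuple[str, Optional[str]]] = set()
        self.responses: Dict[str, str] = {"critical": "notify", "high": "notify",
                                          "medium": "log", "low": "log"}
        self._open: "OrderedDict[Tuple[str, str, str], Alarm]" = OrderedDict()

    def suppress(self, signature: str, src: Optional[str] = None) -> None:
        """6.1.1.2.2: policy not to alarm on a signature, optionally only from src."""
        self.suppressed.add((signature, src))

    def set_response(self, level: str, action: str) -> None:
        """6.1.1.2.4: administrator-defined response for one severity level."""
        self.responses[level] = action

    def _is_suppressed(self, ev: Event) -> bool:
        return (ev.signature, None) in self.suppressed or \
               (ev.signature, ev.src) in self.suppressed

    def _expire(self, now: float) -> None:
        # Drop merge state older than the window so a recurrence raises a new alarm.
        for key, alarm in list(self._open.items()):
            if now - alarm.first_ts >= self.merge_window:
                del self._open[key]

    def process(self, ev: Event) -> Optional[Alarm]:
        """Return a new Alarm to display in real time, or None if the event was
        filtered by policy or merged into an alarm already on screen."""
        self._expire(ev.ts)
        if self._is_suppressed(ev):
            return None
        key = (ev.signature, ev.src, ev.dst)
        open_alarm = self._open.get(key)
        if open_alarm is not None:
            # 6.1.1.2.3: the same incident repeating is counted, not re-alarmed.
            open_alarm.count += 1
            open_alarm.last_ts = ev.ts
            return None
        level = LEVELS.get(ev.severity, "low")
        alarm = Alarm(level, ev.signature, ev.src, ev.dst, ev.ts, ev.ts, 1,
                      ev.description, self.responses[level])
        self._open[key] = alarm
        return alarm

    def open_alarms(self) -> List[Alarm]:
        """Alarms still inside their merge window, with current counts."""
        return list(self._open.values())
```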
6.1.1.3 Security configuration management
6.1.1.3.1 Security Policy Configuration
The product should provide security policy configuration functions.
6.1.1.3.2 Industrial Control Vulnerability Knowledge Base
The product should have a built-in industrial control vulnerability knowledge base whose content should include industrial control protocol vulnerabilities, industrial control application vulnerabilities, operating system vulnerabilities and industrial control equipment vulnerabilities, together with detailed vulnerability repair schemes and possible countermeasures.
6.1.1.3.3 Industrial control detection feature library
The product should have a built-in industrial control detection signature library, with detailed repair schemes and possible countermeasures.
6.1.1.3.4 Industrial control protocol port settings
In addition to supporting industrial control protocol analysis on the default ports, the product should support resetting the protocol ports of existing and extended industrial control protocols.
6.1.1.3.5 Custom Attack Event
The product should allow administrators to customize attack events, and the customized content should include attack targets, attack characteristics and event levels.
6.1.1.3.6 Industrial control protocol extension
In addition to supporting the default industrial control network protocol, the product should support the addition of new industrial control protocols.
6.1.1.4 Product function management
6.1.1.4.1 Interface Management
The product should provide a friendly administrator interface for management and configuration. The management configuration interface should contain all the functions needed to configure and manage the product.
6.1.1.4.2 Hardware Management
6.1.1.4.2.1 Distributed deployment and centralized management
The product should be capable of distributed deployment.
The product should be set up with a centralized management platform for unified management of the same series of different types of monitoring equipment.
6.1.1.4.2.2 Port separation
The monitoring equipment should be equipped with different physical ports for configuration management and network data monitoring.
6.1.1.4.2.3 Product self-inspection
When the product starts and while it is working normally, it should have a self-check mechanism for its running status, including hardware working status monitoring and component connection status monitoring, to verify whether the product itself is normal.
6.1.1.4.2.4 Clock synchronization
The product should provide the function of clock synchronization with an external clock server.
6.1.1.4.2.5 Clock setting
The product should provide the function of manually setting the clock so that the correct time can be set when there is no external clock server.
6.1.1.4.2.6 Power redundancy
The product should provide power redundancy.
6.1.1.4.2.7 Power-down physical conduction
When deployed in series, the product should be able to automatically realize the physical conduction of each pair of input and output communication ports in the case of sudden power failure.
6.1.1.4.2.8 Hardware fault handling
The product should be able to monitor whether its own hardware is working properly, and promptly alert the administrator when a failure occurs.
6.1.1.4.3 Configuration information recovery
After replacing the monitoring equipment, the product should be able to restore configuration information locally or remotely.
6.1.1.4.4 Data storage space management
When the storage space is about to run out, the product should automatically generate an alarm; the remaining storage space threshold that triggers the alarm should be settable by the administrator. The product should take measures to ensure the availability of stored event records and the storage of subsequent event records (for example, dumping existing event records, recording only important event data, etc.). The product should allow the user to set the processing strategy for when the space is exhausted.
6.1.1.4.5 Upgrade management
6.1.1.4.5.1 Library upgrade
The product should be able to upgrade the industrial control vulnerability knowledge base and the industrial control detection signature library locally and remotely.
The product should be able to upgrade the industrial control vulnerability knowledge base and detection signature library of the monitoring equipment in a unified way through the console or management platform.
6.1.1.4.5.2 Product upgrade
The product should have the ability to upgrade locally and remotely.
6.1.1.4.5.3 Unified product upgrade
The product should have the function of uniformly upgrading the monitoring equipment through the console or management platform.
6.1.1.4.5.4 Upgrade package verification
The product should ensure the security of event library and product upgrades, and should have an upgrade package verification mechanism to prevent incorrect or forged upgrade packages. The upgrade process requires two-way identity authentication.
6.1.1.4.6 User Management
6.1.1.4.6.1 Identity management
The product should support the division of authority and set security attribute information for each user, including identity, authentication data, authorization information or management group information, and other security attributes.
6.1.1.4.6.2 Timeout setting
The product shall have a re-authentication function after user login timeout. If there is no operation within the time period set by the security policy, the session shall be locked or terminated, and re-authentication is required before logging in again.
6.1.1.4.6.3 Console authentication
The product should authenticate the console before the user performs any safety-related operations on the monitoring equipment through the console.
6.1.1.4.6.4 Session Lock
The product should allow the user to lock the current interactive session. After the session is locked, identity authentication is required before the user can log in again.
6.1.1.4.6.5 Authentication data protection
The product shall protect the authentication data from unauthorized access and modification.
6.1.1.5 Communication security
6.1.1.5.1 Communication confidentiality
If the product is composed of multiple components, the confidentiality of communication between the components should be guaranteed.
6.1.1.5.2 Communication integrity
If the product consists of multiple components, the integrity of the communication between the components should be ensured. If the integrity of the data is compromised, the product should be able to discover this and notify the administrator in time.
6.1.2 Security requirements for the product itself
6.1.2.1 User management and authentication
6.1.2.1.1 User Management
The product should support user management, including adding, deleting, activating, and banning users.
The product should set security attributes such as identification and authority for each user.
6.1.2.1.2 User authentication
The product should be authenticated when the user logs in.
6.1.2.1.3 Authentication failure handling
When the user authentication attempts fail for the specified number of consecutive times, the product shall prevent the user from further authentication requests.
6.1.2.1.4 Timeout setting
The product should have a login timeout lock or logout function.
6.1.2.1.5 Remote management
If the product console provides remote management functions, it should be able to perform identity authentication and access control on the addresses of the hosts permitted to manage it remotely, and ensure the confidentiality and integrity of the transmitted data.
6.1.2.2 Product upgrade
6.1.2.2.1 Upgrade function
The product should have an upgrade function (including the repair of its own defects, etc.).
6.1.2.2.2 Upgrade package verification
The product should have an upgrade package verification mechanism to prevent wrong or forged upgrade packages.
6.1.2.3 Log Management
6.1.2.3.1 Security log generation
The product should generate security logs for the relevant security events, including but not limited to:
a) Successful login and logout, login failure;
b) restart;
c) The number of consecutive unsuccessful authentication attempts exceeds the set limit;
d) Add or delete administrator roles and modify the attributes of administrator roles;
e) Upgrade;
f) Monitoring operation.
Each security log record shall include the date, time, user identity, event type, event description and result of the event. If the product is managed by remote login, the address of the management host shall also be recorded.
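As an added example (not from the standard), the following Python code ties 6.1.2.1.3 and 6.1.2.3.1 together: an authenticator that refuses further attempts after a set number of consecutive failures, writing each outcome to a security log whose records carry the date, time, user identity, event type, description and result, plus the management host address only when the login was remote. The event-type names, the lockout threshold and the PBKDF2-based password storage (the standard only says stored passwords are encrypted) are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


class SecurityLog:
    """In-memory security log; each record carries the fields 6.1.2.3.1 lists."""

    def __init__(self) -> None:
        self.records: List[Dict[str, str]] = []

    def record(self, user: str, event_type: str, description: str,
               result: str, management_host: Optional[str] = None) -> Dict[str, str]:
        now = datetime.now(timezone.utc)
        rec = {"date": now.date().isoformat(),
               "time": now.time().isoformat(timespec="seconds"),
               "user_id": user, "event_type": event_type,
               "description": description, "result": result}
        if management_host is not None:      # only present for remote management
            rec["management_host"] = management_host
        self.records.append(rec)
        return rec


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0       # consecutive failed attempts since the last success
    locked: bool = False


class Authenticator:
    """Login with lockout after N consecutive failures (6.1.2.1.3), logging
    every outcome to the security log. The design is assumed for this example."""

    def __init__(self, log: SecurityLog, max_failures: int = 5) -> None:
        self.log = log
        self.max_failures = max_failures
        self._users: Dict[str, Account] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted password KDF rather than reversible encryption for stored credentials.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user: str, password: str, actor: str = "system") -> None:
        salt = os.urandom(16)
        self._users[user] = Account(salt, self._hash(password, salt))
        self.log.record(actor, "admin_role_added", f"added user {user}", "success")

    def unlock(self, user: str, actor: str) -> None:
        acct = self._users[user]
        acct.locked, acct.failures = False, 0
        self.log.record(actor, "admin_role_modified", f"unlocked {user}", "success")

    def login(self, user: str, password: str,
              management_host: Optional[str] = None) -> bool:
        acct = self._users.get(user)
        if acct is None or acct.locked:
            reason = "unknown user" if acct is None else "account locked"
            self.log.record(user, "login_failure", reason, "failure", management_host)
            return False
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self.log.record(user, "login", "user logged in", "success", management_host)
            return True
        acct.failures += 1
        self.log.record(user, "login_failure", f"bad credentials, attempt {acct.failures}",
                        "failure", management_host)
        if acct.failures >= self.max_failures:
            acct.locked = True
            self.log.record(user, "auth_failures_exceeded",
                            f"locked after {acct.failures} consecutive failures",
                            "failure", management_host)
        return False

    def logout(self, user: str, management_host: Optional[str] = None) -> None:
        self.log.record(user, "logout", "user logged out", "success", management_host)
```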
6.1.2.3.2 Security log management
The product should provide the following security log management functions:
a) Only authorized administrators are allowed to access the security log;
b) Provide query functions for security logs;
c) Authorized administrators should be able to save or delete security logs;
d) The security log should be able to be exported in a common format (for example, Excel).
6.1.2.4 Policy security management
Products should provide security measures such as access control for the creation, modification, deletion, and application of monitoring strategies.
6.1.2.5 Clock synchronization
Products and their components should support time synchronization:
a) If it is composed of multiple components, each component should support time synchronization with the central monitoring component;
b) The central monitoring component should support time synchronization with an external time server.
6.1.2.6 Sensitive information protection
When customizing the monitoring policy, sensitive information may be involved, and corresponding measures should be taken to ensure the confidentiality and integrity of that sensitive information, for example by encrypting stored user passwords.
The product should only allow authorized users to read the monitoring data.
6.2 Security assurance requirements
6.2.1 Product Configuration Management
6.2.1.1 Configuration management capabilities
6.2.1.1.1 Version number
Developers should provide unique identifications for different versions of the product.
6.2.1.1.2 Configuration items
Industrial control system network monitoring products should meet the following requirements.
a) The developer should use a configuration management system and provide configuration management documents.
b) The configuration management document should include a configuration list, which should uniquely identify and describe all configuration items that make up the product; it should also describe the method of giving unique identifiers to the configuration items, and provide evidence that all configuration items are effectively maintained.
6.2.1.1.3 Authorization control
Industrial control system network monitoring products should meet the following requirements.
a) The configuration management document provided by the developer should include a configuration management plan. The configuration management plan should describe how the configuration management system is used. The configuration management actually implemented should be consistent with the configuration management plan.
b) The developer should provide evidence that all configuration items are effectively maintained, and should ensure that configuration items can only be modified with authorization.
6.2.1.2 Configuration management coverage
Industrial control system network monitoring products should meet the following requirements.
a) The scope of configuration management should include at least the product implementation representation, design documents, test documents, guidance documents and configuration management documents, and should ensure that modifications to them are carried out in a properly authorized and controlled manner.
b) The configuration management document should at least be able to track the above content and describe how the configuration management system tracks these configuration items.
6.2.2 Delivery and operation
6.2.2.1 Delivery procedures
Industrial control system network monitoring products shall meet the following requirements when d...