GB/T 37980-2019: Information security technology - Guide for security inspection of industrial control systems. Status: Valid
Basic data

| Field | Value |
| --- | --- |
| Standard ID | GB/T 37980-2019 (GB/T37980-2019) |
| Description (Translated English) | Information security technology - Guide for security inspection of industrial control systems |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.040 |
| Word Count Estimation | 30,323 |
| Date of Issue | 2019-08-30 |
| Date of Implementation | 2020-03-01 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |
This is a DRAFT version for illustration, not a final translation.
Information security technology - Guide for security inspection of industrial control systems
ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology
Industrial Control System Safety Inspection Guide
2019-08-30 released
2020-03-01 Implementation
Issued by the State Administration for Market Regulation and the China National Standardization Administration
Table of contents
Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Inspection method
6 Inspection workflow
7 How to select inspection content
8 Inspection content
Appendix A (Informative Appendix) Risk Analysis Method
Appendix B (Informative Appendix) Inspection Content Classification Table
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard: China Information Security Evaluation Center, China Electronics Standardization Institute, China National Petroleum Corporation, Beijing Sanlingweishi Information Security Technology Co., Ltd., Beijing Kuangen Network Technology Co., Ltd., Qingdao Haitian Weiye Process Control Technology Co., Ltd., Wangshen Information Technology (Beijing) Co., Ltd., Zhejiang Zheneng Taizhou Second Power Generation Co., Ltd., Huaneng International Power Company Limited by Shares.
The main drafters of this standard: Dai Zhonghua, Peng Yong, Zhao Wei, Han Xuefeng, Xiang Li, Xiong Qi, Di Liqing, Gao Yang, Fan Kefeng, Yao Xiangzhen, Li Lin, Zhou Ruikang, Jing Xiaowei, Teng Zhengcen, Zhang Jianjun, Zhang Dajiang, Su Fengqin, Li Hang, Xia Kechao, Li Hui.
Introduction
With the deep integration of industrialization and informatization, industrial control systems are widely used in nuclear facilities, steel, non-ferrous metals, chemicals, petroleum and petrochemicals, electric power, natural gas, advanced manufacturing, water conservancy hubs, environmental protection, railways, urban rail transit, civil aviation, urban water supply, gas and heating, and other fields closely related to the national economy and people's livelihood. An industrial control system is a data acquisition, monitoring and control system applied in the industrial field; it is a control system composed of computer equipment, industrial process control components and networks, and is the nerve center of the industrial field. The control systems used in the industrial field include monitoring and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controller (PLC) systems, etc. In recent years, attacks targeting industrial control systems have emerged one after another, and the security of industrial control systems directly affects the normal production and operation of important national basic industrial facilities and the interests of the general public.
The purpose of this standard is to guide users of relevant industrial control systems in China's national critical infrastructure in carrying out information security self-assessment of industrial control systems, grasping the overall status of industrial control system information security, discovering problems and weak links in industrial control systems in a timely and effective manner, further improving the industrial control system information security management system, improving industrial control system information security technical measures, and improving the information security protection capabilities of industrial control systems. It also provides support for the state in carrying out information security inspections of industrial control systems in key industries, so as to achieve safer industrial control systems and help with effective risk management within them.
Information Security Technology
Industrial Control System Safety Inspection Guide
1 Scope
This standard specifies the scope, modes, process, methods and content of information security inspection of industrial control systems.
This standard is applicable to information security supervision and inspection and entrusted inspection of industrial control systems, and to carrying out information security self-inspection of relevant systems within a group (system).
Note: The scope of inspection applicable to this standard covers industrial control systems widely used in nuclear facilities, steel, non-ferrous metals, chemicals, petroleum and petrochemicals, electric power, natural gas, advanced manufacturing, water conservancy hubs, environmental protection, steel, urban rail transit, civil aviation, urban water supply, gas and heating, and other fields closely related to the national economy and people's livelihood.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 25069-2010 Information Security Technical Terms
GB/T 32919-2016 Information Security Technology Industrial Control System Security Control Application Guide
3 Terms and definitions
The following terms and definitions defined in GB/T 25069-2010 and GB/T 32919-2016 apply to this document.
3.1
Industrial Control System
A business process management and control system, composed of various automation control components and process control components that collect and monitor real-time data, which ensures the automated operation, process control and monitoring of industrial infrastructure.
Note: The core components of the industrial control system include monitoring and data acquisition systems, distributed control systems, programmable logic controllers, main terminal units, remote terminal units, host computers, and the interface technology that ensures communication between components.
3.2
Monitoring and data acquisition system
A control system that, in the process of industrial production control, performs centralized data acquisition and monitoring management of large-scale, long-distance, geographically distributed assets and equipment in a WAN environment.
Note: The SCADA system is based on a computer and monitors and dispatches remote distributed operation equipment. Its main functions include data acquisition, parameter measurement and adjustment, information alarm, etc. The SCADA system generally consists of the main terminal unit (MTU) located in the control center, communication lines and equipment, remote terminal units (RTU) and other components.
3.3
Distributed control system
Based on the computer, a system for distributed control and centralized management of the production process within the system (inside the unit).
Note: DCS generally includes two levels: the field control level and the control management level. The field control level mainly controls a single process, and the control management level mainly handles data collection, unified scheduling and management of multiple scattered sub-processes.
3.4
Industrial control equipment
Equipment for testing and controlling industrial production processes and devices.
3.5
programmable logic controller
Electronic equipment that uses programmable memory to control industrial production equipment through digital operations.
Note: PLC mainly executes various operations, sequence control, timing execution and other instructions, is used to control the actions of industrial production equipment, and is the main basic unit of industrial control systems.
3.6
Main terminal unit
The server in the SCADA system is used for centralized control and communicates with the remote terminal unit.
3.7
Remote terminal unit
Special computer measurement and control unit with modular structure designed for long communication distance and harsh industrial field environment.
3.8
Host computer
A computer that directly issues control commands.
3.9
Control net
The control layer network mainly deploys engineer stations, operator stations, and industrial control equipment, which are trusted areas with high security levels.
3.10
Security check
Promote by inspection, promote reform by inspection, promote management by inspection, and promote prevention by inspection, with the aim of improving information security work capability and protection level.
4 Abbreviations
The following abbreviations apply to this document.
5 Inspection method
5.1 Supervision and inspection
Supervision and inspection refer to inspections organized by higher-level administrative departments or carried out by relevant national functional departments in accordance with the law.
Supervision and inspection can implement a complete information security inspection process in accordance with the requirements of this standard.
Supervision and inspection can also implement inspections on key links or key content on the basis of self-inspection.
5.2 Self-check
Self-inspection refers to an inspection initiated by the unit that owns, operates or uses the information system, covering the safety status of that unit's industrial control system.
The self-check is implemented under the guidance of this standard and combined with the specific safety requirements of the system.
5.3 Commissioned inspection
If the inspected unit or the organization department for supervision and inspection does not have inspection capabilities, it may entrust an institution recognized by the relevant competent authority to carry out the inspection.
6 Inspection workflow
6.1 Preparation for inspection
6.1.1 Overview
Inspection preparation is the prerequisite and basis for carrying out inspection work and the guarantee of the effectiveness of the entire inspection process. Whether the preparation is adequate is directly related to whether the follow-up work can be carried out smoothly. The main content of this stage is to clarify the method, basis, scope and content of the inspection work, investigate the situation of the inspected unit and the inspected system, determine the contact person and contact information of the inspected unit, determine the members of the inspection team, develop the inspection plans, and notify the inspected unit.
6.1.2 Work content of inspection preparation process
According to the requirements of the inspection work, clarify the methods of security inspection work, including supervision and inspection by regulatory agencies and self-inspection of corporate information security.
Clarify the basis for security inspections, including national information security regulatory documents and standards, industry information security regulatory documents and standards, and the requirements of the competent authority.
Clarify the scope of safety inspection work, including the inspected unit, the inspected system, the personnel involved, the superior unit of the inspected unit, etc., and form the "Investigation Form for Information Security Inspection of Industrial Control Systems" through research.
Clarify the content of safety inspection work. It consists of two parts. One is the basic inspection content, for which the relevant requirements are detailed in Chapter 8 of this standard. The other is supplementary inspection content, which the inspection agency shall set before each inspection according to the requirements of the relevant competent unit, the development trend of information security, and the development of information security management of the enterprise.
The inspection agency organizes and implements the inspection work uniformly and determines the personnel and equipment of the on-site inspection team. It may entrust a third-party information security service agency to carry out the on-site inspection work, in which case the inspection agency arranges dedicated personnel to accompany it.
According to the content of the inspection work, formulate the "Industrial Control System Information Security Inspection Plan", the "Industrial Control System Information Security Inspection Plan" and the "Industrial Control System Information Security Inspection Worksheet".
Before the on-site inspection starts, the inspection team shall issue the "Industrial Control System Information Security Inspection Plan" and the "Industrial Control System Information Safety Inspection Plan" to the inspected unit at least two days in advance, and clearly require the inspected unit to back up the necessary systems and data, cooperate actively, and provide the necessary cooperating personnel and office conditions.
6.1.3 Roles and responsibilities of the inspection preparation process
Responsibilities of inspection agencies.
a) Introduce the meaning and purpose of safety inspection, inspection process and working methods to the inspected unit;
b) Understand the construction status of the industrial control system of the inspected unit;
c) Point out the basic information that the inspected unit needs to provide;
d) Explain the inspection risks and avoidance methods to the inspected unit;
e) Prepare a survey form for the basic situation of the checked system;
f) Understand the basic situation of the inspected system;
g) Preliminary analysis of the security situation of the system;
h) Prepare inspection tools and documents.
Responsibilities of the inspected unit.
a) Introduce the construction status and development of the unit's industrial control system to the inspection agency;
b) Prepare the materials required by the inspection agency;
c) Provide support and coordination for the information collection of inspectors;
d) According to the specific conditions of the inspected system, such as the peak period of business operation, network layout, etc., provide appropriate suggestions for the inspection schedule;
e) Back up data and systems, and develop emergency plans.
6.2 Inspection implementation
6.2.1 Overview
Inspection implementation is the core of inspection work. Based on the overall requirements of the inspection plan, the requirements of this inspection specification are carried into the actual inspection work: through personnel interviews, document review, configuration verification and safety testing at the inspected unit, and by reading the self-inspection or the last inspection report (if any), the inspection collects evidence on the safety protection status of the industrial control system of the inspected unit and obtains sufficient evidence and data for the analysis and summary activities.
6.2.2 Work content of the inspection implementation process
The inspector fills in the "Industrial Control System Information Security Inspection Worksheet" on site. After the inspection is completed, the inspected unit must sign and confirm it.
After the on-site inspection is completed, the inspected unit needs to confirm the operation status of the system and sign and confirm the "Verification Record". Any abnormal operation of the system caused by the inspection work shall be recorded truthfully and reported to the competent authority in time.
The methods and possible risks of on-site inspection are as follows.
a) The methods used for on-site inspection mainly include.
1) Personnel interview
A method by which the inspector obtains evidence, through communication, discussion and other activities with relevant personnel (individual/group) of the industrial control system, to prove the effectiveness of information system security protection measures.
2) Document review
A method by which the inspector, by reviewing the inspected unit's safety management systems, records and other documents supporting the safe construction and operation and maintenance of its industrial control systems, obtains evidence to prove whether the safety protection requirements of the industrial control system are comprehensive and whether the safety protection regulations are implemented.
3) Configuration verification
A method by which the inspector obtains evidence, by observing, inspecting and analyzing the inspected system, to prove the effectiveness of its safety protection measures.
4) Safety test
A method by which the inspector uses predetermined methods/tools to make the inspected system produce specific behaviors and, by viewing and analyzing the results of these behaviors, obtains evidence to prove whether the safety protection measures of the industrial control system are effective. The inspection need not carry out safety tests again and may use existing safety test results.
b) The main possible risks at this stage include.
1) The verification test affects the normal operation of the industrial control system. During the on-site inspection, it is necessary to perform the necessary verification tests on the security policy configuration and the safety functions of equipment and systems. Part of the test content involves operating the device, which may have a certain impact on the operation of the system and even carries the possibility of misoperation.
2) Tool testing affects the normal operation of industrial control systems. During on-site inspections, technical testing tools are sometimes used to perform vulnerability testing, performance testing and even penetration resistance testing. Tool testing may have a certain impact, and vulnerability testing and penetration testing may cause certain damage to system data.
3) In principle, the inspector should not touch the inspected system, so as to avoid performing operations that change system data; the cooperating personnel perform verification operations on the inspected system according to the operating procedures and the requirements of the inspection items.
6.2.3 Roles and responsibilities of on-site inspection process
Responsibilities of inspection agencies.
Use personnel interviews, document review, configuration verification and safety testing to check the compliance of the system's protective measures with the requirements of this standard, as well as their correctness and effectiveness.
Responsibilities of the inspected unit.
a) Coordinate the relationship between relevant personnel within the inspected system and cooperate with the inspection work;
b) Answer the inquiries of inspectors and operate on the computer for some content that needs to be verified;
c) Assist inspectors to implement tool tests and provide effective suggestions to reduce the impact of safety inspections on system operation;
d) Assist inspectors to complete inquiries, verification and testing of business-related content;
e) Relevant personnel confirm the inspection results.
6.3 Analysis of inspection results
6.3.1 Overview
The inspection result analysis is a comprehensive evaluation activity that summarizes the overall safety protection capability of the inspected system. Based on the on-site inspection results and the relevant requirements of this standard, it locates the gap between the safety protection status of the system and the safety requirements of this standard, analyzes the risks that these gaps cause the inspected system to face, gives the inspection conclusion, and forms the inspection report and rectification notice.
6.3.2 Work content of inspection result analysis process
After the on-site inspection work is completed, the inspection team sorts out the inspection results, adopts qualitative or quantitative risk analysis methods (see Appendix A), and compiles the "Industrial Control System Safety Inspection Report".
6.3.3 Roles and responsibilities of the inspection result analysis process
Responsibilities of inspection agencies.
a) Analyze the inspection results and form an inspection conclusion;
b) Prepare a rectification notice, explain the hidden safety hazards and deficiencies of the inspected system, and give suggestions for improvement; archive and save the documents generated during the process, and clear the electronic documents generated during the inspection process.
7 Selection method of inspection content
7.1 Full coverage method
Select all check items of check content.
7.2 Key item extraction method
According to the actual expected target needs of the national functional departments, superior authorities or enterprises conducting safety inspections of industrial control systems, determine the key inspection items from the inspection content and only check the key items.
7.3 Additional inspection method
According to the requirements of national functional departments and higher-level competent departments and the development trend of industrial control system information security, design check items that are not included in the inspection content as new check items.
Note: The selection of inspection content is not limited to a single method; a combination of multiple selection methods can also be used according to the purpose of the inspection, such as using the key item extraction method and the additional inspection method together to determine the inspection content.
8 Inspection content
8.1 Overview
With reference to GB/T 22239-2008, GB/T 20269-2006 and GB/T 20984-2007, and combined with the characteristics of industrial control systems, the content of industrial control system safety inspection is divided into twelve categories, namely: organizational system, rules and regulations, capital guarantee, personnel safety management, outsourcing management and control, key information asset management and control, industrial control system construction security management, network security protection, host computer and equipment security protection, physical environment safety protection, operational safety management and emergency management. See Appendix B for the classification table of inspection contents.
8.2 Organization System
8.2.2 Implementation of information security responsibilities
This inspection item includes.
a) Check whether a functional department for information security management of industrial control systems is established, and whether positions such as security supervisor, system administrator, network administrator and security administrator are set up.
b) Check whether the responsibilities of the responsible department and responsible personnel are clearly defined in the form of documents.
Check elements.
Information security department and responsible personnel. Daily safety production management system.
Inspection Method.
Document review, check the responsibility documents of the information security department and responsible personnel. Daily safety production management system responsibility documents.
8.2.3 Full-time institutions and post settings
This inspection item includes.
Check whether the organization's information security management department and position settings meet the following requirements.
a) A full-time management organization for industrial control system information security is set up at the corporate headquarters.
b) The second-level units of the enterprise group company set up industrial control system information security management and technical positions.
c) The grassroots units of the industrial control system set up information security posts.
Check elements.
Enterprise level, information security management department and job setting.
Inspection Method.
a) Personnel interviews: ask about the enterprise level, the information security management department and job settings.
b) Document review: according to the enterprise level, view the information security management department and job setting instructions.
8.2.4 Security staffing
This inspection item includes.
Check whether the company is equipped with a certain number of full-time information security staff to meet the needs of the company's information security positions.
Check elements.
The number of full-time information security staff and information security posts.
Inspection Method.
Document review, check the description of corporate network responsibilities and the description of personnel job assignment.
8.3 Rules and Regulations
8.3.1 Overall strategy and overall plan formulation
This inspection item includes.
Check whether the company has formulated an overall strategy and overall plan for industrial control system information security that meets national and industry policy requirements, and whether it explains the overall goal, scope, protection framework and protection measures of information security work.
Check elements.
The overall strategy, overall plan, overall objectives, scope, protection ...