US$1484.00 · In stock. Delivery: <= 8 days. True-PDF full copy in English will be manually translated and delivered via email. GB/T 42456-2023: Security for industrial automation and control systems - Technical security requirements for IACS components. Status: Valid

| Standard ID | Contents [version] | USD | [PDF] delivered in | Standard Title (Description) | Status |
|---|---|---|---|---|---|
| GB/T 42456-2023 | English | 1484 | 8 days [Need to translate] | Security for industrial automation and control systems - Technical security requirements for IACS components | Valid |
Basic data

| Field | Value |
|---|---|
| Standard ID | GB/T 42456-2023 (GB/T42456-2023) |
| Description (Translated English) | Security for industrial automation and control systems - Technical security requirements for IACS components |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | N10 |
| Classification of International Standard | 25.040 |
| Word Count Estimation | 82,894 |
| Date of Issue | 2023-03-17 |
| Date of Implementation | 2023-10-01 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |
GB/T 42456-2023: Security for industrial automation and control systems - Technical security requirements for IACS components ---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 25.040
CCS N10
National Standards of People's Republic of China
GB/T 42456-2023/IEC 62443-4-2:2019
Information security for industrial automation and control systems
Safety Technical Requirements for IACS Components
Released on 2023-03-17
2023-10-01 implementation
State Administration for Market Regulation
Released by the National Standardization Management Committee
Table of contents
Preface
Introduction
1 Scope
2 Normative references
3 Terms, Definitions, Abbreviations and Conventions
3.1 Terms and Definitions
3.2 Abbreviations
3.3 Practice
4 General principles
4.1 Overview
4.2 CCSC 1: Basic Function Support
4.3 CCSC 2: Compensatory countermeasures
4.4 CCSC 3: Least Privilege
4.5 CCSC 4: Software Development Process
5 FR 1 - Identification and authentication control
5.1 Purpose and description of SL-C (IAC)
5.2 Reason
5.3 CR 1.1 - Personnel identification and authentication
5.4 CR 1.2 - Software process and equipment identification and authentication
5.5 CR 1.3 - Account Management
5.6 CR 1.4 - Identifier Management
5.7 CR 1.5 - Discriminator management
5.8 CR 1.6 - Wireless Access Management
5.9 CR 1.7 - Password-based authentication strength
5.10 CR 1.8 - Public Key Infrastructure (PKI) Certificate
5.11 CR 1.9 - Strength based on public key authentication
5.12 CR 1.10 - Discriminator Feedback
5.13 CR 1.11 - Failed login attempt
5.14 CR 1.12 - System usage tips
5.15 CR 1.13 - Access through untrusted network
5.16 CR 1.14 - Strength based on symmetric key authentication
6 FR 2 - Using Control
6.1 Purpose and description of SL-C (UC)
6.2 Rationale and additional guidance
6.3 CR 2.1 - Authorization to execute
6.4 CR 2.2 - Wireless usage control
6.5 CR 2.3 - Portable and mobile device use control
6.6 CR 2.4 - Mobile Code
6.7 CR 2.5 - Session Lock
6.8 CR 2.6 - Remote session termination
6.9 CR 2.7 - Concurrent session control
6.10 CR 2.8 - Audit event
6.11 CR 2.9 - Audit storage capacity
6.12 CR 2.10 - Audit processing failure response
6.13 CR 2.11 - Time stamp
6.14 CR 2.12 - Non-repudiation
6.15 CR 2.13 - Physical diagnosis and use of test interface
7 FR 3 - System Integrity
7.1 Purpose and description of SL-C (SI)
7.2 Fundamentals
7.3 CR 3.1 - Communication integrity
7.4 CR 3.2 - Malicious code protection
7.5 CR 3.3 - Information security function verification
7.6 CR 3.4 - Software and Information Integrity
7.7 CR 3.5 - Input inspection
7.8 CR 3.6 - Deterministic output
7.9 CR 3.7 - Error handling
7.10 CR 3.8 - Session Integrity
7.11 CR 3.9 - Audit information protection
7.12 CR 3.10 - Support update
7.13 CR 3.11 - Physical vandalism and detection
7.14 CR 3.12 - Provide the root of trust for product suppliers
7.15 CR 3.13 - Provide the asset owner's root of trust
7.16 CR 3.14 - Start process integrity
8 FR 4 - Data Confidentiality
8.1 Purpose and description of SL-C (DC)
8.2 Fundamentals
8.3 CR 4.1 - Information Confidentiality
8.4 CR 4.2 - Remaining information
8.5 CR 4.3 - Use of encryption
9 FR 5 - Restricted data flow
9.1 Purpose and SL-C (RDF) description
9.2 Fundamentals
9.3 CR 5.1 - Network Segmentation
9.4 CR 5.2 - Regional boundary protection
9.5 CR 5.3 - General purpose inter-personal communication restrictions
10 FR 6 - Timely Response to Events
10.1 Purpose and SL-C (TRE) description
10.2 Rationale and additional guidance
10.3 CR 6.1 - Audit log accessibility
10.4 CR 6.2 - Continuous monitoring
11 FR 7 - Resource Availability
11.1 Purpose and SL-C (RA) Description
11.2 Origin
11.3 CR 7.1 - Denial of service protection
11.4 CR 7.2 - Resource Management
11.5 CR 7.3 - Control system backup
11.6 CR 7.4 - Control system recovery and reconstruction
11.7 CR 7.5 - Emergency power supply
11.8 CR 7.6 - Network and security configuration settings
11.9 CR 7.7 - Minimum function
11.10 CR 7.8 - Inventory of control system components
12 Software Application Requirements
12.1 Purpose
12.2 SAR 2.4 - Mobile Code
12.3 SAR 3.2 - Malicious code protection
13 Embedded Device Requirements
13.1 Purpose
13.2 EDR 2.4 - Mobile Code
13.3 EDR 2.13 - Using physical diagnosis and test interface
13.4 EDR 3.2 - Malicious code protection
13.5 EDR 3.10 - Support update
13.6 EDR 3.11 - Physical vandalism and detection
13.7 EDR 3.12 - Provisioning product vendor root of trust
13.8 EDR 3.13 - Provisioning the asset owner's root of trust
13.9 EDR 3.14 - Boot process integrity
14 Host Device Requirements
14.1 Purpose
14.2 HDR 2.4 - Mobile Code
14.3 HDR 2.13 - Using physical diagnosis and test interface
14.4 HDR 3.2 - Malicious code protection
14.5 HDR 3.10 - Support update
14.6 HDR 3.11 - Physical anti-vandalism and detection
14.7 HDR 3.12 - Provision product supplier trust root
14.8 HDR 3.13 - Provision root of trust for asset owner
14.9 HDR 3.14 - Boot process integrity
15 Network Equipment Requirements
15.1 Purpose
15.2 NDR 1.6 - Wireless Access Management
15.3 NDR 1.13 - Access through untrusted network
15.4 NDR 2.4 - Mobile Code
15.5 NDR 2.13 - Using physical diagnosis and test interface
15.6 NDR 3.2 - Malicious code protection
15.7 NDR 3.10 - Support update
15.8 NDR 3.11 - Physical vandalism and detection
15.9 NDR 3.12 - Provision product supplier root of trust
15.10 NDR 3.13 - Provisioning asset owner's root of trust
15.11 NDR 3.14 - Boot process integrity
15.12 NDR 5.2 - Regional boundary protection
15.13 NDR 5.3 - General purpose inter-personal communication restrictions
Appendix A (Informative) Equipment Classification
A.1 Overview
A.2 Device Classification: Embedded Devices
A.3 Equipment Classification: Network Equipment
A.4 Device Classification: Host Device/Application
Appendix B (Informative) Mapping of CR and RE to FR SL 1~4
B.1 Overview
B.2 SL mapping table
References
Foreword
This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work Part 1: Structure and Drafting Rules for Standardization Documents".
This document is equivalent to IEC 62443-4-2:2019 "Information Security for Industrial Automation and Control Systems Part 4-2: Security Technical Requirements for IACS Components".
The following minimal editorial changes have been made to this document:
- In order to coordinate with existing standards, the name of the standard is changed to "Security Technical Requirements for IACS Components of Industrial Automation and Control System Information Security".
Please note that some contents of this document may refer to patents. The issuing agency of this document assumes no responsibility for identifying patents.
This document is proposed by China Machinery Industry Federation.
This document is under the jurisdiction of the National Industrial Process Measurement Control and Automation Standardization Technical Committee (SAC/TC124).
This document is drafted by: Dongfang Electric Group Science and Technology Research Institute Co., Ltd., Mechanical Industry Instrumentation Comprehensive Technical Economic Research Institute, General Electric Power Planning Institute Co., Ltd., Schneider Electric (China) Co., Ltd., Siemens (China) Co., Ltd., Beijing Sifang Relay Automation Co., Ltd., Beijing Guoneng Zhishen Control Technology Co., Ltd., North China Electric Power University, Chongqing Xin'an Network Security Level Evaluation Co., Ltd., Chengdu Venus Information Security Technology Co., Ltd., PetroChina Tarim Oilfield Branch, Chongqing University of Posts and Telecommunications Science, Southwest University, Shenyang Institute of Automation, Chinese Academy of Sciences, Huazhong University of Science and Technology, 30th Research Institute of China Electronics Technology Group Corporation, Shanghai Sea Industry Automation Instrument Research Institute Co., Ltd., the Fifth Electronic Research Institute of the Ministry of Industry and Information Technology, and the National Industrial Information Security Development Research Center Xin, Rockwell (Shanghai) Co., Ltd., Shanghai Electrical Apparatus Research Institute (Group) Co., Ltd., Hollysys Technology Group Co., Ltd., China Soft Software Evaluation Center (Software and Integrated Circuit Promotion Center of the Ministry of Industry and Information Technology), Phoenix Asia Pacific Electric (Nanjing) Co., Ltd.
The main drafters of this document: Yuan Xiaoshu, Wang Yumin, Shang Yujia, Zhang Jinbin, Wang Yong, Yan Tao, Du Zhenhua, Zhu Jingling, Gong Gangjun, Zhou Yanhui, Wang Rui, Yang Jinhua, Wei Min, Liu Feng, Zhao Jianming, Zhou Chunjie, Lan Kun, Liu Huifang, Liu Jie, Zhao Ran, Gao Jingmei, Ren Yue, Liu Ying, Guo Yongzhen, Wang Aipeng, Sang Zi, Wang Ying, Zhai Wanbo, Yang Xiaoqian, Zhang Yan, Pan Xuelong.
Introduction
0.1 Overview
IEC 62443 is a series of standards applied to the safety of industrial automation and control systems. At present, China has adopted this series of standards to issue GB/T 33007-2016 "Industrial Communication Network Network and System Security Establishing Industrial Automation and Control System Security Procedures" (IEC 62443-2-1:2010, IDT), GB/T 35673-2017 "Industrial Communication Network Network and System Security System Security Requirements and Security Level" (IEC 62443-3-3:2013, IDT), GB/T 40211-2021 "Industrial Communication Network Network and System Security Terms, Overview and Model" (IEC/TS 62443-1-1:2009, IDT), GB/T 40218-2021 "Industrial Communication Network Network and System Security Industrial Automation and Control System Information Security Technology" (IEC/TR 62443-3-1:2009, IDT), GB/T 40682-2021 "Industrial Automation Network security of automation and control systems Part 2-4: Security program requirements for IACS service providers" (IEC 62443-2-4:2015, IDT), GB/T 42445-2023 "Patch Management in Industrial Automation and Control System Security IACS Environment" (IEC/TR 62443-2-3:2015, IDT), GB/T 42457-2023 "Industrial Automation and Control System Information Security Product Security Development Life Cycle Requirements" (IEC 62443-4-1:2018, IDT) and this document. These standards together constitute a series of national standards applied to the safety of industrial automation and control systems.
Industrial automation and control system (IACS) organizations are increasingly using inexpensive, efficient and highly automated commercial-off-the-shelf (COTS) Internet equipment. For sound business reasons, control systems are also increasingly interconnected with non-IACS networks. These devices, open networking technologies and increased connectivity present control system hardware and software with increasing opportunities for cyber-attacks. This weakness can result in a range of health, safety and environmental (HSE), financial and/or reputational consequences in deployed control systems.
Organizations utilizing commercial information technology (IT) cybersecurity solutions to address IACS security concerns may not fully understand the result of this decision. At the same time, many business IT applications and security solutions can be applied to IACS, and thus these solutions need to be applied in an appropriate manner to eliminate unintended consequences. For this reason, the approach to defining system requirements considers both functional requirements and risk assessment, often including awareness of operational issues as well.
IACS security countermeasures include contingency procedures that should avoid the possibility of loss of essential services and functions (commonly utilized IT security countermeasures do have this potential). IACS safety objectives focus on control system availability, plant protection, plant operation (even in degraded mode) and time-critical system responses. IT security goals often do not place equal weight on these factors; they may be more focused on protecting information rather than physical assets. Regardless of the degree of plant integration, these various goals need to be clearly articulated as safety goals. According to the requirements of IEC 62443-2-1, a key step in the risk assessment should be to determine which services and functions are really essential to the operation (for example, engineering support may be identified as a non-essential service or function in some facilities). Essential services or functions should not be adversely affected, whereas in some cases information security measures that may result in a temporary loss of non-essential services or functions are acceptable.
This document provides cybersecurity requirements for the components that make up the IACS, in particular embedded devices, network components, host components, and software applications. Appendix A describes the classification of commonly used IACS equipment. The requirements of this document refer to the IACS system safety requirements described in IEC 62443-3-3. The purpose of this document is to specify security functions that enable components to be integrated into a system environment with a given security level (SL). The table in Appendix B summarizes the requirements defined in this document and the SLs for enhanced requirements.
The main goal of the IEC 62443 series of standards is to provide a flexible framework that can help address current and future vulnerabilities of IACS security and apply necessary mitigations in a systematic and defensible manner. It is important to note that the purpose of IEC 62443 is to build extensions to enterprise security that adapt the needs of enterprise IT systems and combine them with the unique requirements of high integrity and availability required by IACS.
0.2 Purpose and target audience
The intended readers of this document in the IACS community are asset owners, system integrators, product suppliers and, where appropriate, compliance departments. Compliance departments include government agencies and regulators with statutory powers that can conduct audits to verify compliance with laws and regulations.
System integrators will use this document to assist them in sourcing the control system components that make up the IACS solution. This document will help system integrators specify the appropriate level of security capabilities for the individual components they are procuring. The main standards that system integrators refer to are IEC 62443-2-1, IEC 62443-3-2 and IEC 62443-3-3, which provide the organizational and operational requirements for a safety management system and guide the system integrator through the process of defining security areas and defining the target safety capability level (SL-T) for these areas. Once the SL-T of each area is defined, components that provide the necessary functions can be used to realize the SL-T for each area.
Product suppliers will use this document to understand the requirements for control system components with specific SL-C requirements. Components themselves may not provide security capabilities, but may be designed to be integrated with a higher-level entity, thereby benefiting from the capabilities of that entity. For example, the embedded device itself may not have the ability to maintain user directories, but may be integrated into systems with authentication and authorization services, thus still meeting the requirements for providing individual human user authentication, authorization and management capabilities. This document will guide product suppliers on which requirements can be assigned and which requirements need to be built into the component. According to Practice 8 of IEC 62443-4-1, the product supplier will provide documentation on how to correctly integrate components into the system to comply with a specific SL-T.
The component requirements (CR) in this document refer to the system requirements (SR) in IEC 62443-3-3. The requirements in IEC 62443-3-3 are called SR and are derived from the overall Fundamental Requirements (FR) defined in IEC 62443-1-1. CR can also include a set of enhancement requirements (RE). The combination of CR and RE will determine the target safety level that the component can achieve.
This document provides requirements for four types of components: software applications, embedded devices, host devices, and network devices. Therefore, the CR of each component will be designated as follows:
● Software Application Requirements (SAR);
● Embedded Device Requirements (EDR);
● Host Device Requirements (HDR);
● Network Device Requirements (NDR).
Most of the requirements of this document are the same for the four types of components, hence the abbreviation CR. When there are unique component-specific requirements, the general requirement will state that the requirement is component-specific and is located in the component-specific requirements clause of this document.
Figure 1 shows a graphical representation of the IEC 62443 series of standards at the time of writing.
Figure 1 IEC 62443 standard system
Information security for industrial automation and control systems
Safety Technical Requirements for IACS Components
1 Scope
This document provides detailed technical control system component requirements (CR) related to the seven Fundamental Requirements (FR) described in IEC TS 62443-1-1, including requirements defining the control system capability safety level and its components SL-C (components).
According to the regulations of IEC TS 62443-1-1, there are seven FRs in total:
a) Identification and Authentication Control (IAC),
b) Usage Control (UC),
c) System Integrity (SI),
d) Data Confidentiality (DC),
e) Restricted Data Flow (RDF),
f) Timely Response to Incidents (TRE),
g) Resource Availability (RA).
These seven requirements (FR) are the basis for defining the security capability level of the control system. The main objective of this document is to define the security capability level of control system components, while SL (SL-T) or how to achieve SL (SL-A) is not within the scope of this document.
Note 1: To fully realize the SL goal of the control system, it is also necessary to refer to a series of non-technical, program-related CR capabilities specified in IEC 62443-2-1. Unless otherwise specified, "security" in this document refers to "information security".
Note 2: The trademarks and product names mentioned in this document are only for the convenience of users. This information does not constitute an endorsement by IEC of the products mentioned.
2 Normative references
The contents of the following documents constitute the essential provisions of this document through normative references in the text. Among them, for dated references, only the version corresponding to the date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 35673-2017 Industrial Communication Network Network and System Security System Security Requirements and Security Levels
IEC TS 62443-1-1 Industrial communication network network and system security Part 1-1: Terminology, concepts and models
Note: GB/T 40211-2021 Industrial Communication Network Network and System Security Terms, Concepts and Models (IEC TS 62443-1-1:2009, IDT)
IEC 62443-3-3 Industrial Communication Network Network and System Security Part 3-3: System Security Requirements and Security Levels
Note: GB/T 42457-2023 Industrial automation and control system information security product security development life cycle requirements (IEC 62443-4-1:2018,