Path: Home > GB/T > Page207 > GB/T 41400-2022

Price & Delivery

US$1619.00 · In stock · Download in 9 seconds
GB/T 41400-2022: Information security technology - Information security protection capability maturity model of industrial control systems
Delivery: 9 seconds. True-PDF full-copy in English & invoice will be downloaded + auto-delivered via email. See step-by-step procedure
Status: Valid

Std ID	Version	USD	Buy	Deliver [PDF] in	Title (Description)
GB/T 41400-2022	English	1619	Add to Cart	9 days [Need to translate]	Information security technology - Information security protection capability maturity model of industrial control systems

GB/T 41400-2022: Information security technology - Information security protection capability maturity model of industrial control systems

---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology -- Information security protection capability maturity model of industrial control systems ICS 35.030 CCSL80 National Standards of People's Republic of China Information Security Technology Industrial Control System Information Security Defense Capability Maturity Model Published on 2022-04-15 2022-11-01 Implementation State Administration for Market Regulation Released by the National Standardization Administration directory Foreword V 1 Scope 1 2 Normative references 1 3 Terms and Definitions 1 4 Abbreviations 2 5 Industrial control system information security protection capability maturity model 3 5.1 Capability Maturity Model Architecture 3 5.2 Capability element dimension 4 5.2.1 Competency Composition 4 5.2.2 Institutional Building 4 5.2.3 Institutional Process 4 5.2.4 Technical tools 4 5.2.5 Personnel Capability 4 5.3 Capability Maturity Level Dimension 4 5.4 Dimension 5 of the capacity building process 5.4.1 PA System 5 5.4.2 Coding Rules 6 5.4.3 Relationship Description 6 6 Core Protection Object Security 7 6.1 Industrial Equipment Safety 7 6.1.1 PA01 Control Equipment Safety 7 6.1.2 PA02 On-site measurement and control equipment safety 8 6.1.3 PA03 Equipment Asset Management 9 6.1.4 PA04 Storage Media Protection 9 6.2 Industrial host security 11 6.2.1 PA05 special security software 11 6.2.2 PA06 Vulnerability and Patch Management 12 6.2.3 PA07 Peripheral Interface Management 12 6.3 Industrial Network Border Security 13 6.3.1 PA08 security area division 13 6.3.2 PA09 Network Border Protection 14 6.3.3 PA10 Remote Access Security 15 6.3.4 PA11 Authentication 16 6.4 Industrial Control Software Security 17 6.4.1 PA12 Security Configuration 17 6.4.2 PA13 configuration change 18 6.4.3 PA14 Account Management 19 6.4.4 PA15 password protection 19 6.4.5 PA16 Security Audit 20 6.5 Industrial Data Security 21 6.5.1 PA17 Data Classification and Hierarchical Management 21 6.5.2 PA18 Differential Protection 23 6.5.3 PA19 data backup and recovery 23 6.5.4 PA20 test data protection 24 7 General Security 25 7.1 Security Planning and Architecture 25 7.1.1 PA21 Security Policy and Procedure 25 7.1.2 PA22 safety mechanism settings 26 7.1.3 PA23 Security Responsibilities 27 7.2 Personnel Management and Training 27 7.2.1 PA24 Personnel Safety Management 27 7.2.2 PA25 Safety Education and Training 28 7.3 Physical and Environmental Security 29 7.3.1 PA26 physical security protection 29 7.3.2 PA27 emergency power supply 30 7.3.3 PA28 Physical Disaster Prevention 31 7.3.4 PA29 Environmental Separation 32 7.4 Monitoring, early warning and emergency response 33 7.4.1 PA30 Industrial Asset Perception 33 7.4.2 PA31 Risk Monitoring 34 7.4.3 PA32 Threat Warning 35 7.4.4 PA33 emergency plan 36 7.4.5 PA34 emergency drill 37 7.5 Supply Chain Security 37 7.5.1 PA35 product selection 37 7.5.2 PA36 Supplier Selection 38 7.5.3 PA37 Procurement Delivery 39 7.5.4 PA38 Contract Agreement Control 40 7.5.5 PA39 Source Code Audit 41 7.5.6 PA40 upgrade security 42 8 Capability Maturity Level Verification Methods 43 8.1 Industrial Equipment Safety 43 8.1.1 PA01 Control Equipment Safety 43 8.1.2 PA02 On-site measurement and control equipment safety 43 8.1.3 PA03 Equipment Asset Management 44 8.1.4 PA04 Storage Media Protection 45 8.2 Industrial host security 45 8.2.1 PA05 special security software 45 8.2.2 PA06 Vulnerability and Patch Management 46 8.2.3 PA07 Peripheral Interface Management 47 8.3 Industrial network perimeter security 47 8.3.1 PA08 Security Area Division 47 8.3.2 PA09 Network Border Protection 48 8.3.3 PA10 Remote Access Security 48 8.3.4 PA11 Authentication 49 8.4 Industrial Control Software Security 50 8.4.1 PA12 Security Configuration 50 8.4.2 PA13 configuration changes 51 8.4.3 PA14 Account Management 51 8.4.4 PA15 password protection 52 8.4.5 PA16 Security Audit 53 8.5 Industrial Data Security 54 8.5.1 PA17 Data Classification and Hierarchical Management 54 8.5.2 PA18 Differential Protection 55 8.5.3 PA19 data backup and recovery 56 8.5.4 PA20 test data protection 56 8.6 Security Planning and Architecture 57 8.6.1 PA21 Security Policies and Procedures 57 8.6.2 PA22 safety mechanism settings 57 8.6.3 PA23 Security Responsibilities 58 8.7 Personnel management and training 58 8.7.1 PA24 Personnel Safety Management 58 8.7.2 PA25 Safety Education and Training 59 8.8 Physical and Environmental Security 60 8.8.1 PA26 physical security protection 60 8.8.2 PA27 emergency power supply 61 8.8.3 PA28 Physical Disaster Prevention 61 8.8.4 PA29 Environmental Separation 63 8.9 Monitoring, early warning and emergency response 63 8.9.1 PA30 Industrial Asset Perception 63 8.9.2 PA31 Risk Monitoring 64 8.9.3 PA32 Threat Warning 65 8.9.4 PA33 emergency plan 65 8.9.5 PA34 emergency drill 66 8.10 Supply Chain Security 66 8.10.1 PA35 product selection 66 8.10.2 PA36 Supplier Selection 67 8.10.3 PA37 Procurement Delivery 68 8.10.4 PA38 Contract Agreement Control 68 8.10.5 PA39 Source Code Audit 69 8.10.6 PA40 upgrade security 70 Appendix A (Informative) Capability Maturity Level Description and GP 71 Appendix B (Informative) Capability Maturity Model Usage 74 Appendix C (Informative) Capability Maturity Level Verification Process 75 Reference 78

foreword

This document is in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work Part 1.Structure and Drafting Rules of Standardization Documents" drafted. Please note that some content of this document may be patented. The issuing agency of this document assumes no responsibility for identifying patents. This document is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260). This document is drafted by. China Electronics Standardization Institute, Taiji Computer Co., Ltd., Jiangsu Saixi Technology Development Co., Ltd. Company, Ministry of Industry and Information Technology Computer and Microelectronics Development Research Center (China Software Evaluation Center), Guangzhou Saibao Certification Center Service Co., Ltd. Company, China National Petroleum Corporation Northwest Sales Branch, China National Petroleum Corporation Changqing Petrochemical Branch, Ningbo Hollysys Information Security Research Institute Co., Ltd., National Industrial Information Security Development Research Center, National Information Technology Security Research Center, China Information Security Evaluation Center, Zhejiang Energy Group Co., Ltd., Zhejiang Zheneng Yueqing Power Generation Co., Ltd., Shanghai Sanzero Guardian Letter Information Security Co., Ltd., Shaanxi Provincial Network and Information Security Evaluation Center, Siemens (China) Co., Ltd., Shanghai Industrial Control Security Innovation Section Technology Co., Ltd., East China Normal University, Hangzhou Anheng Information Technology Co., Ltd., China Cyber Security Review Technology and Certification Center, Kunlun Digital Intelligence Technology Co., Ltd., Xidian University, State Grid Xinjiang Electric Power Co., Ltd. Electric Power Research Institute, CLP Great Wall Internet Department System Application Co., Ltd., China National Petroleum Corporation Xinjiang Oilfield Branch Data Company, Hangzhou Lisichen Anke Technology Co., Ltd. Company, Dongguan Qingzhou Optoelectronics Technology Co., Ltd., Liuzhou Yuanchuang EFI Technology Co., Ltd., Jiangsu Province Electronic Information Product Quality Supervision, Inspection and Research Research Institute (Jiangsu Information Security Evaluation Center), Beijing Liufang Cloud Information Technology Co., Ltd., Institute of Software, Chinese Academy of Sciences, Beacon Technology (North Beijing) Co., Ltd., Shanghai Chemical Treasure Digital Technology Co., Ltd., Beijing Hezhongning Information Technology Co., Ltd., Hangzhou Wood Chain Internet of Things Technology Co., Ltd. Company, Shaanxi University of Science and Technology, PetroChina East China Design Institute Co., Ltd., China Energy Construction Group Zhejiang Electric Power Design Institute Co., Ltd., Shaanxi Yanchang Petroleum Fuxian Power Generation Co., Ltd., Shanghai University, Heilan Zhiyun Technology Co., Ltd., Chengdu Aerospace Communication Equipment Co., Ltd. The main drafters of this document. Yao Xiangzhen, Li Lin, Gan Junjie, Zhou Ruikang, Gong Jiezhong, Zhou Feng, Li Yao, Liu Xiangang, Zhao Zhenxue, Zhao Jinyuan, Hao Zhiqiang, Zhao Zitong, Fang Jinshe, Li Jun, Guo Xian, Xia Ji, Xu Yuna, Min Jinghua, Di Liqing, Sun Yan, Hu Ying, Wang Huili, Li Hongyan, Ma Qiang, Cheng Yu, Chen Keyu, Zhang Hongwei, Chen Xi, Mou Wenbiao, Zhang Jianqun, Wu Dakui, Liu Ying, Yang Fan, Gao Rui, Yan Tao, Pu Geguang, Liu Hong, Fei Minrui, Peng Chen, Du Dajun, Bunin, Shen Yongbo, Jiao Chengpeng, Liu Hongyun, Zhang Zhijun, Wang Fei, Suo Tao, Dai Yun, Zhang Jianxin, Qiangjian, Shi Yongjie, Yu Huichao, Wang Xiaohong, Zhao Peng, Shen Yulong, Li Feng, Wang Bin, Zhou Yanhua, Sun Jun, Yu Meng, Xiao Wei, Lin Xin, Jiang Yaguang, Liu Piqun, Sun Junjun, Liu Zhile, Wu Lan, Yang Chen, Gong Lianghua, Duan Peixin, Chen Yan, Liu Kesong, Gao Zhiwei, Zhang Liuhua, Liu Dong, Li Min, Zhang Xiaofei, Cao Yu, Hao Xin, Ma Xiaolei, Yang Lijun, Lin Hongjun, Chen Ruochun, Ji Lu, Yan Min, Fang Jing, Mo Tao, He Shuangyu, Zhao Feng, Zhang Junfeng, Liu Zhigang, Zhao Xuequan, Cheng Weichen, Wang Yiwei, Zhao Jianhong. Information Security Technology Industrial Control System Information Security Defense Capability Maturity Model

1 Scope

This document presents the maturity model of the information security protection capability of the industrial control system, and specifies the core protection object security and general security According to the requirements of maturity level, the verification method of capability maturity level is proposed. This document applies to industrial control system design, construction, operation and maintenance and other related parties to build industrial control system information security protection capabilities. And verify the maturity level of the organization's industrial control system information security protection capability.

2 Normative references

The contents of the following documents constitute essential provisions of this document through normative references in the text. Among them, dated citations documents, only the version corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document. GB/T 25069 Information Security Technical Terminology GB/T 32919-2016 Information Security Technology Industrial Control System Security Control Application Guide

3 Terms and Definitions

The terms and definitions defined in GB/T 25069, GB/T 32919-2016 and the following apply to this document. 3.1 The guaranteed industrial foundation consists of various automation control components and process control components that collect and monitor real-time data A business process control system for facility automation, process control and monitoring. NOTE. Industrial control systems include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems such as programmable logic PLC, etc. [Source. GB/T 36323-2018, 3.1, with modifications] 3.2 In order to avoid unauthorized or accidental access, tampering, destruction and loss of industrial control systems, organizations have Safety assurance of industrial control systems in terms of technical tools and personnel capabilities. 3.3 capability maturity The ability to methodically improve an organization and achieve the continuity, sustainability, effectiveness and credibility of specific processes Level. [Source. GB/T 37988-2019, 3.6] 3.4 A model for measuring the capability maturity of an organization, including a set of characteristics, attributes, indicators, or ...