Information Security Protection Guidelines for Industrial Control Systems.


Information security in industrial control systems affects economic development, social stability and national security. In order to enhance the information security protection levels of industrial control systems in industrial enterprises (hereafter simply named industrial control security), and ensure the security of industrial control systems, these Guidelines are formulated.

These Guidelines apply to enterprises utilizing industrial control systems, as well as enterprise and undertaking work units engaging in industrial control system planning, design, construction, operations and maintenance, as well as evaluation.

Enterprises utilizing industrial control systems shall conduct industrial control security protection work well, on the basis of the following eleven aspects.

I, Security software choice and management

(1) On industrial host computers, adopt anti-virus software or application whitelisting software that has passed full testing and verification in an off-line environment; only software that has been authorized by the industrial enterprise itself and has passed its security evaluation is permitted to run.

(2) Establish anti-virus and malicious software intrusion management mechanisms, and adopt virus-killing and other such security prevention measures for industrial control systems and temporarily connected equipment.

II, Configuration and patch management

(1) Arrange the security configuration of industrial control networks, industrial host computers and industrial control equipment well, establish industrial control system configuration lists, and regularly conduct configuration audits.

(2) Formulate change plans for major configuration changes and conduct impact analysis; conduct strict security tests before configuration changes are carried out.

(3) Closely monitor major industrial control security vulnerabilities and the issuance of patches for them, and adopt patching and upgrading measures in a timely manner. Before patches are installed, a strict security assessment, test and verification of the patch must be conducted.

III, Border security protection

(1) Separate the development, testing and production environments of industrial control systems.

(2) Conduct security protection of the borders between industrial control networks and enterprise networks or the Internet through industrial control network border protection equipment; it is prohibited for industrial control networks that do not have protection to link to the Internet.

(3) Conduct logical segregation security protection between industrial control network security areas through protection equipment such as industrial firewalls, network gatekeepers, etc.

IV, Physical and environmental security protection

(1) Adopt physical security protection methods such as access controls, video monitoring, specially assigned guards, etc., for the localities where important engineering stations, databases, servers and other such core industrial control software and hardware are located.

(2) Remove or block unnecessary USB ports, optical drives, wireless interfaces and other such interfaces on industrial host computers. If they are truly required, implement strict access control through technical measures for the security management of host computer peripherals.

V, Identity authentication

(1) Use identity authentication management in processes such as industrial host computer login, application and service resource access, industrial cloud platform access, etc. Adopt multi-factor authentication for access to crucial equipment, systems and platforms.

(2) Rationally categorize and set account privileges, and allocate account privileges on the basis of the principle of least privilege.

(3) Strengthen login accounts and passwords in industrial control equipment, SCADA software, industrial communications equipment, etc., avoid the use of default passwords or weak passwords, and regularly renew passwords.

(4) Strengthen protection of identity authentication certificate information; it is prohibited to share it across different systems and network environments.

VI, Remote access security

(1) In principle, it is strictly prohibited for industrial control systems to open HTTP, FTP, Telnet and other such high-risk general-purpose network services to the Internet.

(2) Where remote access is truly required, unidirectional data access control and other such strategies are to be adopted to strengthen security, the time limits for access are to be controlled, and lock-out/tag-out strategies are to be adopted.

(3) Where remote maintenance is truly required, virtual private networks (VPN) and other such remote access methods are to be adopted.

(4) Retain the relevant access logs of industrial control systems, and conduct security audits of operational processes.

VII, Security monitoring and drills for emergency response preparations

(1) Deploy cybersecurity monitoring equipment on industrial control networks, to discover, report and deal with cyber attacks or unusual activities in a timely manner.

(2) Deploy protection equipment with industrial protocol deep packet inspection functions at the front end of important industrial control equipment, and restrict unlawful operations.

(3) Formulate industrial control security incident emergency response plans. When a security threat leads to abnormalities or failures in industrial control systems, emergency protection measures shall be adopted immediately to prevent the situation from expanding, and the matter shall be reported level by level up to the local provincial-level industry and information technology department; at the same time, attention shall be paid to protecting the scene of the incident, in order to conduct investigations and gather evidence.

(4) Regularly conduct drills of industrial control system emergency response plans, and revise emergency response plans when necessary.

VIII, Asset security

(1) Establish industrial control system asset lists, make clear who is the responsible person for assets, as well as norms for the use and disposition of assets.

(2) Conduct redundant deployment of crucial host computer equipment, network equipment, control components, etc.

IX, Data security

(1) Protect important industrial data in the process of static storage and dynamic transmission, and conduct graded and categorized management of data and information on the basis of the results of a risk assessment.

(2) Regularly back up crucial business data.

(3) Protect test data.

X, Supply chain management

(1) When selecting service providers for industrial control system planning, design, construction, maintenance or evaluation, give preferential consideration to enterprise and undertaking work units having experience in industrial control security protection, and use contracts and other such methods to clarify the information security responsibilities and duties that service providers should undertake.

(2) Demand that service providers perform secret-keeping work well through secret-keeping agreements, and prevent sensitive information from leaking out.

XI, Implementation responsibility

Clarify who is the responsible person for industrial control security management through establishing methods such as industrial control security management mechanisms, establishing information security coordination groups, etc., implement industrial control security responsibility systems, and deploy protection measures for industrial control security.

工业控制系统信息安全防护指南

工业控制系统信息安全事关经济发展、社会稳定和国家安全。为提升工业企业工业控制系统信息安全(以下简称工控安全)防护水平,保障工业控制系统安全,制定本指南。

工业控制系统应用企业以及从事工业控制系统规划、设计、建设、运维、评估的企事业单位适用本指南。

工业控制系统应用企业应从以下十一个方面做好工控安全防护工作。

一、安全软件选择与管理

(一)在工业主机上采用经过离线环境中充分验证测试的防病毒软件或应用程序白名单软件,只允许经过工业企业自身授权和安全评估的软件运行。

(二)建立防病毒和恶意软件入侵管理机制,对工业控制系统及临时接入的设备采取病毒查杀等安全预防措施。

二、配置和补丁管理

(一)做好工业控制网络、工业主机和工业控制设备的安全配置,建立工业控制系统配置清单,定期进行配置审计。

(二)对重大配置变更制定变更计划并进行影响分析,配置变更实施前进行严格安全测试。

(三)密切关注重大工控安全漏洞及其补丁发布,及时采取补丁升级措施。在补丁安装前,需对补丁进行严格的安全评估和测试验证。

三、 边界安全防护

(一)分离工业控制系统的开发、测试和生产环境。

(二)通过工业控制网络边界防护设备对工业控制网络与企业网或互联网之间的边界进行安全防护,禁止没有防护的工业控制网络与互联网连接。

(三)通过工业防火墙、网闸等防护设备对工业控制网络安全区域之间进行逻辑隔离安全防护。

四、物理和环境安全防护

(一)对重要工程师站、数据库、服务器等核心工业控制软硬件所在区域采取访问控制、视频监控、专人值守等物理安全防护措施。

(二)拆除或封闭工业主机上不必要的USB、光驱、无线等接口。若确需使用,通过主机外设安全管理技术手段实施严格访问控制。

五、身份认证

(一)在工业主机登录、应用服务资源访问、工业云平台访问等过程中使用身份认证管理。对于关键设备、系统和平台的访问采用多因素认证。

(二)合理分类设置账户权限,以最小特权原则分配账户权限。

(三)强化工业控制设备、SCADA软件、工业通信设备等的登录账户及密码,避免使用默认口令或弱口令,定期更新口令。

(四)加强对身份认证证书信息保护力度,禁止在不同系统和网络环境下共享。

六、远程访问安全

(一)原则上严格禁止工业控制系统面向互联网开通HTTP、FTP、Telnet等高风险通用网络服务。

(二)确需远程访问的,采用数据单向访问控制等策略进行安全加固,对访问时限进行控制,并采用加标锁定策略。

(三)确需远程维护的,采用虚拟专用网络(VPN)等远程接入方式进行。

(四)保留工业控制系统的相关访问日志,并对操作过程进行安全审计。

七、安全监测和应急预案演练

(一)在工业控制网络部署网络安全监测设备,及时发现、报告并处理网络攻击或异常行为。

(二)在重要工业控制设备前端部署具备工业协议深度包检测功能的防护设备,限制违法操作。

(三)制定工控安全事件应急响应预案,当遭受安全威胁导致工业控制系统出现异常或故障时,应立即采取紧急防护措施,防止事态扩大,并逐级报送直至属地省级工业和信息化主管部门,同时注意保护现场,以便进行调查取证。

(四)定期对工业控制系统的应急响应预案进行演练,必要时对应急响应预案进行修订。

八、资产安全

(一)建设工业控制系统资产清单,明确资产责任人,以及资产使用及处置规则。

(二)对关键主机设备、网络设备、控制组件等进行冗余配置。

九、数据安全

(一)对静态存储和动态传输过程中的重要工业数据进行保护,根据风险评估结果对数据信息进行分级分类管理。

(二)定期备份关键业务数据。

(三)对测试数据进行保护。

十、供应链管理

(一)在选择工业控制系统规划、设计、建设、运维或评估等服务商时,优先考虑具备工控安全防护经验的企事业单位,以合同等方式明确服务商应承担的信息安全责任和义务。

(二)以保密协议的方式要求服务商做好保密工作,防范敏感信息外泄。

十一、落实责任

通过建立工控安全管理机制、成立信息安全协调小组等方式,明确工控安全管理责任人,落实工控安全责任制,部署工控安全防护措施。
