Information security in industrial control systems affects economic development, social stability and national security. These Guidelines are formulated in order to raise the level of information security protection for industrial control systems in industrial enterprises (hereafter simply "industrial control security") and to ensure the security of industrial control systems.
These Guidelines apply to enterprises that use industrial control systems, and to enterprises and public institutions engaged in the planning, design, construction, operation and maintenance, and evaluation of industrial control systems.
Enterprises using industrial control systems shall carry out industrial control security protection work on the basis of the following eleven aspects.
I, Security software selection and management
(1) Adopt anti-virus software or application whitelisting software on industrial hosts only after it has been fully tested and verified in an offline environment; only software that has been authorised by the industrial enterprise itself and has passed a security assessment may be used.
(2) Establish management mechanisms against viruses and malicious software intrusion, and apply virus scanning and removal and other such security precautions to industrial control systems and to equipment that is connected to them temporarily.
II, Configuration and patch management
(1) Carry out secure configuration of industrial control networks, industrial hosts and industrial control equipment, establish configuration inventories (baselines) for industrial control systems, and audit the configuration regularly.
(2) For major configuration changes, formulate a change plan and an impact analysis, and carry out strict security testing before the change is implemented.
(3) Closely monitor major industrial control security vulnerabilities and the release of patches for them, and adopt patching and upgrading measures in a timely manner. Before a patch is installed, it must undergo security assessment, testing and verification.
III, Boundary security protection
(1) Separate the development, testing and production environments of industrial control systems.
(2) Protect the boundary between industrial control networks and enterprise networks or the Internet with boundary protection equipment; industrial control networks that lack such protection are prohibited from connecting to the Internet.
(3) Provide logical isolation between the security zones of an industrial control network through protection equipment such as industrial firewalls and network security isolation devices (gateways).
IV, Physical and environmental security protection
(1) Apply physical security protection measures such as access control, video surveillance and dedicated guards to the locations housing important engineering stations, databases, servers and other such core industrial control software and hardware.
(2) Remove or seal unnecessary USB ports, optical drives, wireless interfaces and other such ports on industrial hosts. Where they are genuinely required, enforce strict access control through technical measures for host peripheral security management.
V, Identity authentication
(1) Use identity authentication in processes such as logging on to industrial hosts, accessing application and service resources, and accessing industrial cloud platforms. Adopt multi-factor authentication for access to critical equipment, systems and platforms.
(2) Classify account privileges sensibly, and allocate account privileges according to the principle of least privilege.
(3) Harden the login accounts and passwords of industrial control equipment, SCADA software, industrial communication equipment and the like; avoid default passwords and weak passwords, and change passwords regularly.
(4) Strengthen the protection of authentication credentials; sharing them across different systems and network environments is prohibited.
VI, Remote access security
(1) In principle, exposing industrial control systems to the Internet through HTTP, FTP, Telnet and other such high-risk general-purpose network services is strictly prohibited.
(2) Where remote access is genuinely required, harden it with unidirectional data access control and similar policies, restrict the time window during which access is permitted, and apply account lockout policies.
(3) Where remote maintenance is genuinely required, use virtual private networks (VPNs) and other such remote access methods.
VII, Security monitoring and emergency response plan drills
(1) Deploy network security monitoring equipment on industrial control networks so that cyber attacks or abnormal behaviour are discovered, reported and handled in a timely manner.
(2) Deploy protection equipment with deep packet inspection for industrial protocols in front of industrial control equipment, and restrict unlawful operations.
(3) Formulate emergency response plans for industrial control security incidents. When a security threat causes abnormal operation or a shutdown of an industrial control system, emergency protection measures shall be taken immediately to prevent the situation from spreading, and the matter shall be reported to the local provincial-level industry and information technology authority as required; at the same time, the scene of the incident shall be preserved so that an investigation can be conducted and evidence collected.
(4) Regularly drill the industrial control system emergency response plans, and revise them when necessary.
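Items III(3) and VII(2) above call for logical isolation between security zones and for protocol-aware protection in front of controllers that blocks unlawful operations. The block below is an added illustration, not part of the Guidelines and not any vendor's product code: a minimal deep-packet-inspection policy for Modbus/TCP (the MBAP header and function-code layout follow the public Modbus Application Protocol specification) that decides per request whether a frame travelling toward a controller may pass. The zone names and address ranges, the "writable register window", and the policy table are constructed assumptions for the example; the frames in the demo are likewise constructed, not captured traffic.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes from the Modbus Application Protocol specification.
READ_FC = {1, 2, 3, 4}              # read coils, discrete inputs, holding regs, input regs
WRITE_FC = {5, 6, 15, 16, 22, 23}   # writes to coils/registers (incl. mask write, read/write multiple)
DIAG_FC = {8, 43}                   # diagnostics, encapsulated interface transport (device identification)

# Constructed zone layout: an assumption for this example, not taken from the Guidelines.
ZONES = {
    "scada": ip_network("10.10.1.0/24"),         # supervisory servers: may read and write
    "hmi": ip_network("10.10.2.0/24"),           # operator stations: read only
    "enterprise": ip_network("192.168.0.0/16"),  # office network: no controller access at all
}
POLICY = {
    "scada": READ_FC | WRITE_FC,
    "hmi": READ_FC,
    "enterprise": set(),
}
# Holding-register window SCADA may write (assumption: setpoints live here, nothing else does).
WRITABLE_REGISTERS = range(0, 100)


def zone_of(src_ip):
    """Map a source address to its security zone, or None if it belongs to no known zone."""
    addr = ip_address(src_ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def modbus_frame(unit_id, function_code, data=b"", transaction_id=1):
    """Build a Modbus/TCP request: MBAP header (tid, proto=0, length, unit id) + PDU."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(payload):
    """Return (unit_id, function_code, data); raise ValueError on a malformed frame."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("MBAP protocol identifier must be 0")
    if length != len(payload) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return unit_id, payload[7], payload[8:]


def inspect(src_ip, payload):
    """Return ('allow' | 'drop', reason) for one request travelling toward the controller."""
    zone = zone_of(src_ip)
    if zone is None:
        return "drop", "source address outside every defined zone"
    try:
        _unit, fc, data = parse_modbus_tcp(payload)
    except ValueError as err:
        return "drop", f"malformed frame: {err}"
    if fc & 0x80:
        return "drop", "exception bit set in a request"
    if fc not in POLICY[zone]:
        return "drop", f"function code {fc} not permitted from zone {zone}"
    # Deep inspection of register writes: confine them to the approved address window.
    if fc in (6, 16):
        if len(data) < 4:
            return "drop", "truncated register write"
        start = struct.unpack(">H", data[:2])[0]
        count = 1 if fc == 6 else struct.unpack(">H", data[2:4])[0]
        last = start + count - 1
        if count == 0 or start not in WRITABLE_REGISTERS or last not in WRITABLE_REGISTERS:
            return "drop", f"write to registers {start}..{last} outside approved window"
    return "allow", f"function code {fc} from zone {zone}"


if __name__ == "__main__":
    # Constructed sample traffic (not captured from any real plant).
    samples = [
        ("10.10.2.15", modbus_frame(1, 3, b"\x00\x00\x00\x0a")),            # HMI reads 10 holding registers
        ("10.10.2.15", modbus_frame(1, 6, b"\x00\x05\x00\x01")),            # HMI tries a write
        ("10.10.1.5", modbus_frame(1, 6, b"\x00\x05\x00\x01")),             # SCADA writes register 5
        ("10.10.1.5", modbus_frame(1, 16, b"\x00\x5f\x00\x0a\x14" + bytes(20))),  # SCADA writes 95..104
        ("192.168.5.5", modbus_frame(1, 3, b"\x00\x00\x00\x01")),           # office host reads
    ]
    for src, frame in samples:
        print(src, *inspect(src, frame))
```

The point of the register window is the difference between a port filter and deep packet inspection: a plain firewall that allows TCP/502 from the SCADA zone would pass every one of the sample frames, whereas the policy above admits only the reads and the in-window write and drops the HMI write, the out-of-window multi-register write and everything from the office network. A real device would also have to track TCP stream state and handle the response direction; that is deliberately outside this example.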
VIII, Asset security
(1) Establish an industrial control system asset inventory, and make clear who is responsible for each asset as well as the norms for its use and disposal.
(2) Configure redundancy for critical host equipment, network equipment, control components and the like.
IX, Data security
(1) Protect important industrial data both at rest (static storage) and in transit (dynamic transmission), and manage data and information by classification and level on the basis of the results of a security assessment.
(2) Regularly back up crucial business data.
(3) Protect monitoring data.
X, Supply chain management
(1) When selecting service providers for the planning, design, construction, operation and maintenance, or evaluation of industrial control systems, give preference to enterprises and public institutions with experience in industrial control security protection, and use contracts and other such means to make clear the information security responsibilities and obligations that the service provider is to bear.
(2) Require service providers to fulfil their confidentiality obligations through confidentiality agreements, and prevent the leakage of sensitive information.
XI, Implementation of responsibility
Make clear who is responsible for industrial control security management by establishing an industrial control security management mechanism, setting up an information security coordination group and other such methods; implement an industrial control security responsibility system; and put industrial control security protection measures in place.