
GB/T 30976.1-2014 English PDF (GBT30976.1-2014)

List price: $560.00 USD. Shipping calculated at checkout.

GB/T 30976.1-2014: Industrial control system security -- Part 1: Assessment specification
GB/T 30976.1-2014
GB
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 25.040
N 10
Industrial control system security – Part 1: Assessment specification
ISSUED ON: JULY 24, 2014
IMPLEMENTED ON: FEBRUARY 01, 2015
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword ... 4
1 Scope ... 6
2 Normative references ... 6
3 Terms, definitions and abbreviations ... 6
3.1 Terms and definitions ... 6
3.2 Abbreviations ... 9
4 Industrial control system information security overview ... 10
4.1 General ... 10
4.2 Hazard introduction points ... 11
4.3 Transmission routes ... 11
4.4 Hazard consequence recipient and its influence ... 12
4.5 Overview of information security assessment of industrial control systems ... 13
4.6 Assessment results ... 15
5 Organization management assessment ... 17
5.1 Security policy ... 17
5.2 Information security organization ... 19
5.3 Asset management ... 33
5.4 Human resource security ... 37
5.5 Physical and environmental security ... 45
5.6 Communication and operation management ... 56
5.7 Access control ... 83
5.8 Information system acquisition, development and maintenance ... 107
5.9 Information security incident management ... 123
5.10 Business continuity management ... 129
5.11 Compliance ... 135
6 System capability (technology) assessment ... 144
6.1 Description of fundamental requirements (FR), system requirements (SR), and system capability level (CL) ... 144
6.2 FR1: Identification and authentication control ... 145
6.3 FR2: Using control ... 156
6.4 FR3: System integrity ... 167
6.5 FR4: Data confidentiality ... 174
6.6 FR5: Limited data flow ... 177
6.7 FR6: Timely response to events ... 181
6.8 FR7: Resource availability ... 182
7 Assessment procedures ... 188
7.1 Assessment work process ... 188
7.2 Determination of assessment methods ... 190
8 Risk assessment at various stages of the industrial control system life cycle ... 194
8.1 Life cycle overview ... 194
8.2 Risk assessment at planning stage ... 194
8.3 Risk assessment at design stage ... 195
8.4 Risk assessment at implementation stage ... 196
8.5 Risk assessment at operation maintenance stage ... 198
8.6 Risk assessment at decommissioning stage ... 199
9 Format requirements of assessment report ... 200
Appendix A (Normative) Management assessment list ... 202
Appendix B (Normative) System capability (technology) assessment list ... 209
Appendix C (Informative) Risk assessment tools and common testing content of industrial control systems ... 213
References ... 221
Foreword
GB/T 30976 “Industrial control system security” is divided into two parts.
- Part 1: Assessment specification;
- Part 2: Acceptance specification.
This part is part 1 of GB/T 30976.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by China Machinery Industry Federation.
This part shall be under the jurisdiction of the National Standardization
Technical Committee for Industrial Process Measurement and Control (SAC/TC
124) and the National Standardization Technical Committee for Information
Security (SAC/TC 260).
The drafting organizations of this part: Machinery Industry Instrumentation
Institute of Integrated Technology and Economics, China Electronics
Standardization Institute, Beijing Hollysys System Engineering Co., Ltd., China
Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation
Co., Ltd., Dongtu Technology Co., Ltd., China Electric Power Research Institute,
Tsinghua University, Siemens (China) Co., Ltd., Zhejiang University, Southwest
University, Chongqing University of Posts and Telecommunications, Schneider
Electric (China) Co., Ltd., Beijing Iron and Steel Design and Research Institute,
Huazhong University of Science and Technology, Beijing Austin Technology Co.,
Ltd., Rockwell Automation (China) Co., Ltd., China Institute of Instrumentation,
Chinese Academy of Sciences Shenyang Institute of Automation, National
Engineering Laboratory for Wireless Network Security Technologies, Xi'an
Xidian Jietong Wireless Network Communication Co., Ltd., Central Office
Electronics Institute of Science and Technology, Beijing Haitai Fangyuan
Technology Co., Ltd., Qingdao Tofino Information Security Technology Co., Ltd.,
Beijing Guodian Zhishen Control Technology Co., Ltd., Beijing Likang Huakang
Technology Co., Ltd., Guangdong Hangyu Satellite Technology Co., Ltd., North
China Electric Power Design Institute Engineering Co., Ltd., Huawei
Technologies Co., Ltd., Mitsubishi Electric Automation (China) Co., Ltd.,
Zhongbiao Software Co., Ltd., Yokogawa Electric (China) Co., Ltd. Beijing R and D
Center.
The main drafters of this part: Wang Yumin, Tang Yihong, Yan Aifen, Luo An, Lv
Dongbao, Zhang Jianjun, Xue Baihua, Chen Xiaoyi, Gao Kunlun, Wang Xue,
Feng Dongqin, Liu Feng, Wang Hao, Zhou Chunjie, Chen Xiaofeng, Hua Rong,
Zhang Li, Song Yan, Li Qin, Xia Dehai, Hu Ya’nan, Wang Xiong, Hu Boliang,
Mei Ke, Liu Anzheng, Tian Yucong, Fang Liang, Ma Xinxin, Zhang Jianxun,
Industrial control system security – Part 1: Assessment specification
1 Scope
This part of GB/T 30976 specifies the objectives, assessment contents and
implementation process of the information security assessment of industrial
control systems (SCADA, DCS, PLC, PCS, etc.).
This part applies to system designers, equipment manufacturers, system
integrators, engineering companies, users, asset owners, and assessment and
certification agencies performing information security assessment of
industrial control systems. [Translator's note: In Chinese, the words “security [3.1.14]”
and “safety [3.1.13]” are identical. For simplicity, “security” is used for Clause
5.5 and the other clauses of this translated standard.]
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition with the date indicated applies to this
document; for undated references, only the latest edition (including all
amendments) applies to this standard.
GB/T 22081-2008 Information technology - Security techniques - Code of
practice for information security management (ISO/IEC 27002:2005, IDT)
IEC 62443-3-3:2013 Industrial communication networks - Network and
system security - Part 3-3: System security requirements and security levels
(SL)
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1
Vulnerability
3.1.9
Risk assessment
The entire process of risk analysis and risk assessment.
3.1.10
Risk management
The coordinated activities of guiding and controlling the relevant risks of an
organization.
3.1.11
Risk treatment
The process of selecting and implementing measures to change the risk.
3.1.12
Industrial control system; ICS
A collection of personnel, hardware, and software that contribute to and
influence the industrial production process safety, information security, and
reliable operation.
Note: The system includes, but is not limited to:
1) Industrial control systems include distributed control system (DCS),
programmable logic controller (PLC), intelligent electronic device (IED),