Skip to product information
1 of 12

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GB/T 30976.1-2014 English PDF (GBT30976.1-2014)

GB/T 30976.1-2014 English PDF (GBT30976.1-2014)

Regular price $555.00 USD
Regular price Sale price $555.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GB/T 30976.1-2014 to get it for Purchase Approval, Bank TT...

GB/T 30976.1-2014: Industrial control system security -- Part 1: Assessment specification

This part of GB/T 30976 specifies the objectives, assessment contents and implementation process of the information security assessment of industrial control systems (SCADA, DCS, PLC, PCS, etc.). This part applies to system designers, equipment manufacturers, system integrators, engineering companies, users, asset owners, and assessment and certification agencies to perform assessment against the information security of the industrial control systems.
GB/T 30976.1-2014
ICS 25.040
N 10
Industrial control system security ?€?
Part 1. Assessment specification
ISSUED ON. JULY 24, 2014
Issued by. General Administration of Quality Supervision, Inspection and Quarantine;
Standardization Administration of the People's Republic of
Table of Contents
Foreword ... 4
1 Scope ... 6
2 Normative references ... 6
3 Terms, definitions and abbreviations ... 6
3.1 Terms and definitions ... 6
3.2 Abbreviations ... 9
4 Industrial control system information security overview ... 10
4.1 General ... 10
4.2 Hazard introduction points ... 11
4.3 Transmission routes ... 11
4.4 Hazard consequence recipient and its influence ... 12
4.5 Overview of information security assessment of industrial control systems ... 13
4.6 Assessment results ... 15
5 Organization management assessment ... 17
5.1 Security policy... 17
5.2 Information security organization ... 19
5.3 Asset management ... 33
5.4 Human resource security ... 37
5.5 Physical and environmental security ... 45
5.6 Communication and operation management ... 56
5.7 Access control ... 83
5.8 Information system acquisition, development and maintenance ... 107 5.9 Information security incident management ... 123
5.10 Business continuity management ... 129
5.11 Compliance ... 135
6 System capability (technology) assessment ... 144
6.1 Description of fundamental requirements (FR), system requirements (SR), and system capability level (CL) ... 144
6.2 FR1. Identification and authentication control ... 145
6.3 FR2. Using control ... 156
6.4 FR3. System integrity ... 167
6.5 FR4. Data confidentiality... 174
6.6 FR5. Limited data flow ... 177
6.7 FR6. Timely response to events ... 181
6.8 FR7. Resource availability ... 182
7 Assessment procedures ... 188
7.1 Assessment work process ... 188
7.2 Determination of assessment methods ... 190
8 Risk assessment at various stages of the industrial control system life cycle ... 194
8.1 Life cycle overview... 194
8.2 Risk assessment at planning stage ... 194
8.3 Risk assessment at design stage ... 195
8.4 Risk assessment at implementation stage ... 196
8.5 Risk assessment at operation maintenance stage ... 198
8.6 Risk assessment at decommissioning stage ... 199
9 Format requirements of assessment report ... 200
Appendix A (Normative) Management assessment list ... 202
Appendix B (Normative) System capability (technology) assessment list ... 209 Appendix C (Informative) Risk assessment tools and common testing content of industrial control systems ... 213
References ... 221
GB/T 30976 ?€?Industrial control system security?€? is divided into two parts. - Part 1. Assessment specification;
- Part 2. Acceptance specification.
This part is part 1 of GB/T 30976.
This part was drafted in accordance with the rules given in GB/T 1.1-2009. This part was proposed by China Machinery Industry Federation.
This part shall be under the jurisdiction of the National Standardization Technical Committee for Industrial Process Measurement and Control (SAC/TC 124) and the National Standardization Technical Committee for Information Security (SAC/TC 260).
The drafting organizations of this part. Machinery Industry Instrumentation Institute of Integrated Technology and Economics, China Electronics
Standardization Institute, Beijing Hollysys System Engineering Co., Ltd., China Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation Co., Ltd., Dongtu Technology Co., Ltd. , China Electric Power Research Institute, Tsinghua University, Siemens (China) Co., Ltd., Zhejiang University, Southwest University, Chongqing University of Posts and Telecommunications, Schneider Electric (China) Co., Ltd., Beijing Iron and Steel Design and Research Institute, Huazhong University of Science and Technology, Beijing Austin Technology Co., Ltd., Rockwell Automation (China) Co., Ltd., China Institute of Instrumentation, Chinese Academy of Sciences Shenyang Institute of Automation, National
Engineering Laboratory for Wireless Network Security Technologies, Xi'an Xidian Jietong Wireless Network Communication Co., Ltd., Central Office Electronics Institute of Science and Technology, Beijing Haitai Fangyuan Technology Co., Ltd., Qingdao Tofino Information Security Technology Co., Ltd., Beijing Guodian Zhishen Control Technology Co., Ltd., Beijing Likang Huakang Technology Co., Ltd., Guangdong Hangyu Satellite Technology Co., Ltd., North China Electric Power Design Institute Engineering Co., Ltd., Huawei
Technologies Co., Ltd., Mitsubishi Electric Automation (China) Co., Ltd., Zhongbiao Software Co., Ltd., Yokogawa Electric (China) Co., Ltd. Beijing R and D Center.
The main drafters of this part. Wang Yumin, Tang Yihong, Yan Aifen, Luo An, Lv Dongbao, Zhang Jianjun, Xue Baihua, Chen Xiaoyi, Gao Kunlun, Wang Xue,
Feng Dongqin, Liu Feng, Wang Hao, Zhou Chunjie, Chen Xiaofeng, Hua Rong, Zhang Li, Song Yan, Li Qin, Xia Dehai, Hu Ya?€?nan, Wang Xiong, Hu Boliang, Mei Ke, Liu Anzheng, Tian Yucong, Fang Liang, Ma Xinxin, Zhang Jianxun, Industrial control system security ?€?
Part 1. Assessment specification
1 Scope
This part of GB/T 30976 specifies the objectives, assessment contents and implementation process of the information security assessment of industrial control systems (SCADA, DCS, PLC, PCS, etc.).
This part applies to system designers, equipment manufacturers, system
integrators, engineering companies, users, asset owners, and assessment and certification agencies to perform assessment against the information security of the industrial control systems. [Translator. In Chinese, words ?€?security [3.1.14]?€? and ?€?safety [3.1.13]?€? are identical. For simplicity, ?€?security?€? is used for Clause 5.5 and other Clauses in this translated standard.]
2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) are applicable to this standard.
GB/T 22081-2008 Information technology - Security techniques - Code of
practice for information security management (ISO/IEC 27002.2005, IDT)
IEC 62443-3-3-2013 Industrial communication networks - Network and
system security - Part 3-3. System security requirements and security levels (SL)
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
Risk assessment
The entire process of risk analysis and risk assessment.
Risk management
The coordinated activities of guiding and controlling the relevant risks of an organization.
Risk treatment
The process of selecting and implementing measures to change the risk.
Industrial control system; ICS
A collection of personnel, hardware, and software that contribute to and influence the industrial production process safety, information security, and reliable operation.
Note. The system includes, but is not limited to.
1) Industrial control systems include distributed control system (DCS), programmable logic controller (PLC), intelligent electronic device (IED), supervisory control and data acquisition (SCADA) system, motion control (MC) system, network electronic transmission sensing and control,
monitoring and diagnostic systems [In this standard, whether physically separated or integrated, process control systems (PCS) include basic
process control systems and safety instrumented systems (SIS)].
2) Relevant information systems such as advanced control or multivariable control, online optimizer, special equipment monitor, graphical interface, process history, manufacturing execution system (MES) and enterprise
resource planning (ERP) management system.
3) Associated department, personnel, network, or machine interfaces, which provide control, security, and manufacturing operations for continuous, batch processing, discrete, and other processes.
ML. Management level
PCS. Process control system
RE. Requirement enhancement
SLC. Programmable logic controller
SCADA. Supervisory control and data acquisition
SIS. Safety instrumented system
SL. Security level
SR. System requirements
VPN. Virtual private network
4 Industrial control system information security
4.1 General
The information security features of industrial control systems depend on various factors such as their design, management, robustness, and
environmental conditions. The assessment of system information security shall include all activities related to the system during all phases of design, development, installation, operation and maintenance, and exit from use within the system life cycle. It must be recognized that the risks faced by the system will change throughout the life cycle.
When evaluating the security features of system information, it shall consider the following aspects.
a) Hazard introduction points;
b) Recipients of dangerous consequences and their effects;
c) The route of transmission;
d) Measures to reduce risks;
e) Environmental conditions;
f) Organization management.
4.5.2 Assessment of industrial control system capability (technique)
The purpose of the system capability (technique) assessment is to ensure that the system is technically immune from attack. For a well-functioning system, it shall meet both operational and security requirements. It is up to the company to decide in advance when it is time to develop a project test and what level of assurance the supplier and integrator needs for the network security device or system. The level of assurance for a particular device or system will determine the requirements for the realization of system capabilities. Vendors may recommend test methods for specific equipment and systems, but users will need to determine whether these techniques meet the security requirements. Ideally, all the status of the system is evaluated for capabilities to ensure that each security measure can meet or be aware of its remaining risks. Although a complete system assessment is theoretically possible, most certifications cannot be obtained due to financial and human constraints. Therefore, the problem now facing is to decide the acceptable level of risk and to perform an assessment of acceptable risks. The content of this part is mainly shown in clause 4 to clause 10 of IEC 62443-3-3.2013, corresponding to clause 6 and Appendix B of this part, respectively.
4.5.3 Links with other security measures
In an industrial control system environment, the assessor shall fully understand the company's computer security policies, procedures, health, security, and environmental risks associated with specific facilities and/or industrial operations. Care shall be taken to ensure that the assessment does not
interfere with the control functions provided by the industrial control system equipment and that the system may need to be taken offline before the
assessment can be implemented.
Information security, physical security, and functional security may be closely related. In some cases, other security measures may provide a separate layer of protection for information security, whilst additional information security measures may also undermine the integrity of other security measures.
Therefore, in the specific risk assessment activities, the potential interactions among them three and their consequences shall be considered.
4.5.4 Process environment constraints
When assessing the information security features of industrial control systems, consideration shall be given to the constraints of process environmental conditions, in particular the industrial automation control systems in service, the impact of field testing and the introduction of security technology measures on the normal production process shall be considered. Before implementing field testing and introducing security technology measures, the following process the importance of security under permitting information sharing
b) The statement of managerial intent, to support information security goals and principles consistent with business strategy and objectives;
c) Set up the framework of control objectives and control measures, including the structure of risk assessment and risk management;
d) A brief description of the security policies, principles, standards, and compliance requirements that are particularly important to the
organization, including.
1) Requirements to comply with laws and regulations and contract;
2) Security education, training and awareness requirements;
3) Business continuity management;
4) Consequences of violating the information security policy.
e) The definition of general and specific responsibilities for information security management (including the reporting of information security
f) References to supporting policy documents, such as more detailed security policies and procedures for specific information systems, or security rules to be followed by the users. Review of information security policy
Control measures.
Information security policy reviews shall be conducted at planned intervals or when significant changes occur, to ensure continued suitability, adequacy and effectiveness.
Assessment guide.
The information security policy shall be handled by a special person. He has the management responsibilities for setting, reviewing, and evaluating security policies. The review shall include assessing opportunities for improvement of the organization?€?s information security policy and managing information security to adapt to changes in the organizational environment, business conditions, legal conditions, or technological environment.
The information security policy review shall consider the results of the management review. Define management review procedures, including
Managers shall approve information security policies, assign security roles, and coordinate and review the implementation of security throughout the
If necessary, set up an expert information security advice library within the organization and make it available within the organization. Develop contacts with external security experts or organizations (including relevant authorities) to keep up with industry trends, track standards and assessment methods, and provide appropriate contact points when dealing with information security incidents. Information security management commitments
Control measures.
Managers shall actively support security within the organization through clear instructions, verifiable commitments, and clear assignments and confirmations of information security responsibilities.
Assessment guide.
Recommendation managers.
a) Ensure that information security goals are identified, meet organizational requirements, and have been integrated into relevant processes;
b) Develop, review and approve information security policies;
c) Review the effectiveness of the implementation of the information security policy;
d) Provide clear direction and support for safe start-up;
e) Provide the necessary resources for information security;
f) Approve the allocation of specific roles and responsibilities for information security throughout the organization;
g) Initiate plans and procedures to maintain information security awareness; h) Ensure that the implementation of information security controls throughout the organization is coordinated (see
The manager identifies the need for information security advice from internal and external experts, and reviews and coordinates the results of expert recommendations throughout the organization.
Depending on the size of the organization, these responsibilities can be borne by a dedicated management coordination group or by an existing agency (such Assessment guide.
The allocation of information security responsibilities should be consistent with the information security policy (see 5.1). The responsibility for the protection of individual assets and the execution of specific security processes must be clearly identified. Supplement these duties as necessary to provide more detailed guidance for specific locations and information processing facilities. The local responsibilities of asset protection and implementation of specific security processes, such as business continuity plans, are clearly defined. Persons assigned security responsibilities can delegate security tasks to other personnel, but they cannot be relieved of their responsibilities, to ensure that any delegated tasks have been performed correctly.
The areas of personal responsibility are clearly defined, in particular, the following work.
a) The assets and security processes associated with each particular system shall be identified and clearly defined;
b) It shall assign the entity responsibility for each asset or security process, and the details of the responsibilities shall be documented (see; c) The level of authorization shall be clearly defined and documented.
In many organizations, an information security manager shall be appointed to take overall responsibility for the development and implementation of security and to support the identification of control measures.
However, the responsibility for providing control resources and implementing these controls is often attributed to individual managers. A common practice is to assign a person responsible for each asset to be responsible for the day-to- day protection of the asset. Information processing facility authorization process
Control measures.
A management authorization process shall be defined and implemented for new information processing facilities.
Assessment guide.
The authorization process considers the following guidelines.
a) The new facility must have appropriate user management authorizations to approve its application and use; it must also obtain the authorization from the managers responsible for maintaining the local system's security termination of the agreement;
j) Measures expected to be taken if the agreement is violated.
Based on the security requirements of the organization, other factors may be required in confidentiality or non-disclosure agreements.
Confidentiality and non-disclosure agreements comply with all applicable laws and regulations for the jurisdiction to which it applies (see Make periodic review of confidentiality and non-disclosure agreement requirements, when there are changes that affect these requirements, it shall also make review.
Confidentiality and non-disclosure agreements protect organizational
information and inform the signatory of their responsibilities, so as to protect, use and disclose information in an authorized and responsible manner.
For an organization, it may be necessary to use different formats of
confidentiality or non-disclosure agreements in different environments. Contact with government departments

View full details