GB/T 33009.1-2016 English PDF (GBT33009.1-2016)


GB/T 33009.1-2016: Industrial automation and control system security -- Distributed control system (DCS) -- Part 1: Protection requirements

This part of GB/T 33009 specifies the security capabilities, protection technical requirements, and division of security protection zones of the distributed control system in the operation and maintenance process, and proposes specific requirements for the key protection items, protection equipment, and protection techniques of the process monitoring layer, field control layer and field equipment layer.
GB/T 33009.1-2016
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 25.040
N 10
Industrial automation and control system security -
Distributed control system (DCS) -
Part 1: Protection requirements
ISSUED ON: OCTOBER 13, 2016
IMPLEMENTED ON: MAY 01, 2017
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China;
Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms, definitions, abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 DCS security overview
4.1 DCS system overview
4.2 DCS protection overall requirements and principles
5 Physical access control requirements
6 Process monitoring network security
6.1 Zone division
6.2 Access and use control
6.3 Intrusion prevention
6.4 Identification and certification
6.5 Security audit
6.6 Resource control
6.7 Data security
7 Field control layer network security
7.1 Zone division
7.2 Access and use control
7.3 Intrusion prevention
7.4 Identity authentication and certification
7.5 Security audit
7.6 Resource control
7.7 Data security
8 Field equipment layer network security
8.1 Zone division
8.2 Access and use control
8.3 Intrusion prevention
8.4 Identity authentication and certification
8.5 Security audit
8.6 Data security
References
Foreword
GB/T 33009 "Industrial automation and control system security - Distributed control system (DCS)", GB/T 33008 "Industrial automation and control system security - Programmable logic controller (PLC)" and other standards together constitute the industrial automation and control systems network security series of standards.
GB/T 33009 "Industrial automation and control system security - Distributed control system (DCS)" is divided into 4 parts:
- Part 1: Protection requirements;
- Part 2: Management requirements;
- Part 3: Assessment guidelines;
- Part 4: Risk and vulnerability detection requirements.
This part is part 1 of GB/T 33009.
This part was drafted in accordance with the rules given in GB/T 1.1-2009. This part was proposed by China Machinery Industry Federation.
This part shall be under the jurisdiction of the National Industrial Process Measurement, Control and Automation Standardization Technical Committee (SAC/TC 124) and the National Information Security Standardization Technical Committee (SAC/TC 260).
The drafting organizations of this part: Zhejiang University, Zhejiang Institute of Control Technology Co., Ltd., Machinery Industry Instrumentation Technology Institute of Economics, Chongqing University of Posts and Telecommunications, Chinese Academy of Sciences Shenyang Institute of Automation, Southwest University, Fujian Institute of Technology, Hangzhou Institute of Technology, Beijing Venus Information Security Technology Co., Ltd., China Electronics Standardization Institute, State Grid Smart Grid Research Institute, China Nuclear Power Engineering Co., Ltd., Shanghai Automation Instrumentation Co., Ltd., Dongtu Technology Co., Ltd., Tsinghua University, Siemens (China) Limited, Schneider Electric (China) Co., Ltd., Beijing Iron and Steel Design and Research Institute, Huazhong University of Science and Technology, Beijing Austin Technology Co., Ltd., Rockwell Automation (China) Co., Ltd., China Instrument Society, Ministry of Industry and Information Technology Electronics Five Research Institute, Beijing Haitai Fangyuan Science and Technology Co., Ltd., Qingdao Tofino Information Security Technology Co., Ltd., Beijing Guodian Zhoushen Control Technology Co., Ltd., Beijing Lihua Huakang Technology Co.,
Industrial automation and control system security -
Distributed control system (DCS) -
Part 1: Protection requirements
1 Scope
This part of GB/T 33009 specifies the security capabilities, protection technical requirements, and division of security protection zones of the distributed control system in the operation and maintenance process, and proposes specific requirements for the key protection items, protection equipment, and protection techniques of the process monitoring layer, field control layer and field equipment layer.
This part applies to the security protection of distributed control systems in all key infrastructure areas, such as electricity, petroleum, chemicals, water conservancy, metallurgy, building materials and so on. It guides business users in improving the security of distributed control systems, both those in service and those newly established, and can also be used as a system security design guide by distributed control system manufacturers and integrators.
2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) is applicable to this document.
GB/T 20984-2007 Information security technology - Risk assessment specification for information security
GB/T 30976.1-2014 Industrial control system security - Part 1: Assessment specification
[GB/T 20984-2007, Definition 3.5]
3.1.6
Control system security
The goal is to protect the control system's availability, integrity, and confidentiality, as well as its real-time performance, reliability and stability.
3.1.7
Human machine interface
A set of methods by which employees (users) can interact with specific machines, equipment, computer programs, or other complex tools (systems).
Note: In many cases, these include video or computer terminals, buttons, audible feedback, flashing lights, and so on. The human machine interface provides methods that include input (allowing the user to control the machine) and output (allowing the machine to notify the user).
3.1.8
Identification
The process of identifying and discerning an assessment element.
[GB/T 30976.1-2014, Definition 3.1.2]
3.1.9
Security risk
The occurrence of a security incident, and its influence on the organization, caused by a threat exploiting vulnerabilities in man-made or natural systems and their management systems.
[GB/T 20984-2007, Definition 3.6]
3.1.10
Integrity
Characteristics that ensure that information and information systems are not altered or broken by unauthorized persons, including data integrity and system integrity.
[GB/T 20984-2007, Definition 3.10]
3.1.21
Threat
Potential causes of unwanted accidents that can cause harm to the system or organization.
[GB/T 20984-2007, Definition 3.17]
3.1.22
Vulnerability
Defects or weaknesses in system design, implementation, or operation and management, which can be exploited to compromise system integrity or security policies.
[GB/T 30976.1-2014, Definition 3.1.1]
3.2 Abbreviations
The following abbreviations apply to this document.
DCS: Distributed Control System
MES: Manufacturing Execution System
DoS: Denial of Service
4 DCS security overview
4.1 DCS system overview
4.1.1 Network structure of common DCS system application
DCS system applications usually have a vertical hierarchical network structure that comprises, from top to bottom, the process monitoring layer, the field control layer and the field equipment layer. The layers are connected to each other by communication networks, and the equipment within each layer communicates through a communication network of the same level. The typical network structure is shown in Figure 1. This part mainly proposes security requirements for the process monitoring layer, field control layer network, and field equipment layer network in the DCS system. The description of each layer is as follows.
4.2.1.2 External network isolation requirements
The topological structure of a DCS user enterprise may be deployed in a hierarchical manner. If the DCS system network is directly or indirectly interconnected with an external network (a network other than the DCS system network, such as the enterprise management network or the internet), physical or logical isolation technical measures shall be used between the DCS system network and the external network for protection.
4.2.1.3 Network link requirements
For DCS system applications deployed in multiple zones and interconnected by networks, the resources of the network link shall be sufficient. That is, when the business traffic reaches its maximum peak, data communication over the link remains normal and the network delay still meets the requirements of the DCS system. Enterprise users with high requirements on network interoperability and stability can adopt link redundancy technologies and means so that the enterprise network maintains basic communication in the event of a network failure: when one link fails, the other link keeps the network available for the normal production and operation of the enterprise.
Enterprise users with higher requirements on network interoperability and stability can deploy enterprise core business networks, backbone networks and core control networks with physical line redundancy, and the redundant line network can be constructed by a network construction method different from that of the main network.
4.2.1.4 Data backup requirements
A general DCS system shall have real-time backup and regular backup measures for real-time data, OPC data, configuration data, control programs and other important data. DCS system applications with high data security requirements may take complete backups of the system's normal operation data; the backup period shall be not more than 3 months. DCS system applications with higher data security requirements may establish a remote disaster backup center with the communication lines, network equipment and data processing equipment required for disaster recovery.
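An added example, not part of the standard: one way to audit a backup inventory against clause 4.2.1.4. The record format, the function names and the reading of "3 months" as calendar months are assumptions made for this sketch, and the sample records are constructed.

```python
import calendar
from datetime import datetime

# Data classes the clause names as needing backup measures.
REQUIRED_DATA = ("real-time data", "OPC data", "configuration data", "control programs")
MAX_FULL_BACKUP_MONTHS = 3  # "the backup period shall be not more than 3 months"

def months_back(ts, months):
    """Shift ts back by whole calendar months, clamping the day (31 May -> 29 Feb)."""
    year, month0 = divmod(ts.year * 12 + (ts.month - 1) - months, 12)
    day = min(ts.day, calendar.monthrange(year, month0 + 1)[1])
    return ts.replace(year=year, month=month0 + 1, day=day)

def audit_backups(records, now, high_security=False):
    """records: (kind, completed_at) pairs; kind is a REQUIRED_DATA name or "complete".

    Returns a list of findings; an empty list means the inventory passes.
    """
    latest = {}
    for kind, done in records:
        # Ignore timestamps in the future: they indicate a clock or log error.
        if done <= now and (kind not in latest or done > latest[kind]):
            latest[kind] = done
    findings = [f"no backup recorded for {name}"
                for name in REQUIRED_DATA if name not in latest]
    if high_security:
        full = latest.get("complete")
        if full is None:
            findings.append("no complete backup recorded")
        elif full < months_back(now, MAX_FULL_BACKUP_MONTHS):
            findings.append(f"complete backup from {full:%Y-%m-%d} is older "
                            f"than {MAX_FULL_BACKUP_MONTHS} months")
    return findings

# Constructed sample inventory: control programs were never backed up and the
# last complete backup predates the three-month window.
NOW = datetime(2024, 5, 31)
SAMPLE = [
    ("real-time data", datetime(2024, 5, 30, 23, 0)),
    ("OPC data", datetime(2024, 5, 30, 23, 0)),
    ("configuration data", datetime(2024, 4, 2)),
    ("complete", datetime(2024, 2, 20)),
]

if __name__ == "__main__":
    for finding in audit_backups(SAMPLE, NOW, high_security=True):
        print(finding)
```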
4.2.2 System protection principles
In the industrial control system area, industrial control systems emphasize the intelligent control, monitoring and management of industrial automation processes and related equipment. They are quite different from common IT information systems in terms of system architecture, equipment operating system, data exchange protocol and the like. They pay more attention to real-time performance and business continuity. In other words, the industrial control
Technical protection mainly refers to the use of technical means to perform DCS security protection, such as access control, border management, pipeline communication, etc. Before a protection technology is applied, it shall be strictly tested offline on the same DCS system, so that the availability, real-time performance, reliability and security of normal DCS operation are not affected once it is on-line; if there is a significant risk which affects system availability, real-time performance, reliability and security, the deployment of protective software which affects the system is revoked.
d) The principle of defense in depth
A single security product, technology, or solution cannot protect DCS effectively, so a multi-layered protection strategy with two or more different mechanisms is needed. The defense strategy arc...
