In May 2015, the National Institute of Standards and Technology (NIST), acting under the Federal Information Security Modernization Act (FISMA), published Revision 2 of the Guide to Industrial Control Systems (ICS) Security (NIST SP 800-82). It covers industrial control systems and their components (supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLCs), and other terminals and intelligent electronic devices that perform control functions) and provides security guidance to help organizations reduce the information security risks of industrial control systems.
The guide outlines the components and architecture of industrial control systems, identifies the threats and vulnerabilities they face, and provides methods, frameworks and implementation steps that enterprises can draw on in four areas:
Industrial control system risk assessment and management;
Industrial control system security program development and deployment;
Industrial control system security architecture;
Industrial control system security controls.
The guide does not impose compliance requirements on enterprises, but it is a strong reference for enterprises establishing and operating a security management program for industrial control systems.
Europe
In 2010, the “Stuxnet” worm was found to have infected industrial control systems, raising concern about the security of such systems. To strengthen the security of industrial control systems across the EU and its member states, the European Union Agency for Network and Information Security (ENISA) published “Protecting Industrial Control Systems: Recommendations for Europe and Member States” in December 2011. The report describes the security threats, risks and challenges faced by industrial control systems and recommends that EU member states address the security weaknesses of existing industrial control systems through top-level measures such as developing a national ICS security strategy, establishing an ICS security certification framework and establishing ICS security best practices.
Following this recommendation, EU countries issued their own security guidance. In November 2013, the German Federal Office for Information Security (BSI) published the “ICS Security Compendium”, which describes industrial control systems and their components, the information security threats they face, and best practices for ICS security. In January 2015, the French national cybersecurity agency, ANSSI, released the guide “Managing Cybersecurity for Industrial Control Systems” to support companies in addressing security risks in industrial control systems. In September 2017, an industry-specific practice guide for industrial control systems, “ICS Cybersecurity: A Road Tunnel Case Study”, was released.
EU countries have thus established industrial control system security standards and best practices that guide enterprises in the EU in dealing with ICS security risks.
China
In October 2011, in the wake of the “Stuxnet” incident, the Ministry of Industry and Information Technology of China (hereinafter MIIT) concluded that the information security of industrial control systems faced a severe situation and issued Document No. 451, the “Notice on Strengthening the Information Security Management of Industrial Control Systems”. The notice sets out requirements for the connection management, networking management, configuration management, equipment selection and upgrade management, data management and emergency management of industrial control systems.
In October 2016, with the advance of Industry 4.0 and the State Council's call to further promote the integrated development of the manufacturing industry and the Internet, MIIT issued the “Industrial Control System Information Security Protection Guide”, which requires enterprises that operate industrial control systems to implement ICS security protection in 11 areas: security software selection and management, configuration and patch management, boundary security, physical and environmental security, identity authentication, remote access security, security monitoring and emergency response drills, asset security, data security, supply chain management, and accountability for implementation.
In November 2016, the 24th session of the Standing Committee of the 12th National People's Congress passed the Cyber Security Law of the People's Republic of China (hereinafter the Cyber Security Law), which came into force on June 1, 2017. The law makes clear that the state implements a cybersecurity classified (multi-level) protection system and emphasizes the security protection of critical information infrastructure.
In May 2017, in line with the Guiding Opinions of the State Council on Deepening the Integrated Development of the Manufacturing Industry and the Internet, MIIT further issued the Guidelines for the Emergency Management of Industrial Control System Information Security Incidents. The guidelines state that industrial enterprises bear primary responsibility for ICS security, must establish and improve an ICS security accountability system, are responsible for the emergency management of ICS security incidents, and must guarantee the necessary human and financial resources. Industrial enterprises are required to respond immediately to ICS security incidents that may occur or have already occurred and to minimize losses. The guidelines also require industrial enterprises to develop emergency response plans for ICS security incidents and to organize regular drills.
In July 2017, MIIT issued the “Industrial Control System Information Security Protection Capability Evaluation Management Measures” (with its annex, the “Industrial Control System Information Security Protection Capability Evaluation Method”). The measures standardize the evaluation of industrial enterprises' ICS security protection capability in terms of the organization of evaluation management, requirements for evaluation agencies and personnel, requirements for evaluation tools, evaluation procedures, and supervision and management, and cover evaluation across the whole life cycle of planning, design, construction, operation and maintenance. Under these requirements, important industrial enterprises must have the security protection capability of their industrial control systems evaluated by a third-party organization every year, and other industrial enterprises must be evaluated at least once a year (by self-evaluation or third-party evaluation).
In December 2017, MIIT issued the Industrial Control System Information Security Action Plan (2018-2020). The plan requires enterprises to fulfil their primary responsibility: to establish an ICS security accountability system in accordance with the Cyber Security Law, to make the enterprise's legal representative and the person primarily responsible for operations accountable, to set up management bodies, and to improve the management system. The Action Plan also requires the establishment of a sound standards system, including standards for ICS security classification, security requirements, security implementation and security evaluation.
On May 13, 2019, to implement the requirements of the Cyber Security Law, the National Information Security Standardization Technical Committee (SAC/TC 260), together with the Ministry of Public Security and other agencies, released “Information Security Technology: Baseline for Classified Protection of Cybersecurity” (GB/T 22239-2019), which standardizes the principles and requirements of classified protection for industrial control systems, covering the security of both individual system components and the system as a whole.
The notices and guidelines issued by MIIT, the Ministry of Public Security and SAC/TC 260, together with the Cyber Security Law, constitute the compliance requirements for enterprises that operate industrial control systems. In addition, enterprises can draw on a series of recommended national standards issued by SAC/TC 260, such as “Information Security Technology: Application Guide to Industrial Control System Security Controls” (GB/T 32919-2016), “Implementation Guide to Risk Assessment of Industrial Control Systems” (GB/T 36466-2018), “Security Technical Requirements for Industrial Control Network Security Isolation and Information Exchange Systems” (draft), and “Industrial Control System Information Security Inspection Guide” (draft).