Information security technology — Information security protection capability maturity model of industrial control systems
1 Scope
This document gives the information security protection capability maturity model of industrial control systems, specifies the maturity level requirements for core protected object security and general security, and sets out the method for verifying capability maturity levels.
This document applies to parties involved in the design, building, operation and maintenance of industrial control systems when they build the information security protection capability of industrial control systems, and when the maturity level of an organization's information security protection capability for industrial control systems is verified.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security techniques — Terminology
GB/T 32919-2016 Information security technology — Application guide to industrial control system security control
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069, GB/T 32919-2016 and the following apply.
3.1
industrial control system
business process management and control system composed of various automation control components and of process control components that acquire and monitor real-time data, which ensures the automatic operation, process control and supervisory control of industrial infrastructure
Note: Industrial control systems include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems, such as programmable logic controllers (PLC).
[Source: GB/T 36323-2018, 3.1, modified]
3.2
information security protection capability of industrial control system
security assurance given by an organization to an industrial control system in terms of organization building, system process, technical tools and personnel ability, in order to protect the industrial control system from unauthorized or accidental access, tampering, destruction and loss
3.3
capability maturity
level of an organization's capability for orderly, continuous improvement and of the continuity, sustainability, effectiveness and credibility with which it carries out a particular process
[Source: GB/T 37988-2019, 3.6]
3.4
capability maturity model
model for measuring the capability maturity of an organization, including a series of characteristics, attributes, indications or patterns that represent capability and progress
Note: The capability maturity model gives organizations a reference baseline for measuring the capability level of their current practices, processes and methods, and for setting clear improvement objectives.
[Source: GB/T 37988-2019, 3.7]
3.5
process area
collection of related base practices of information security protection of industrial control systems that achieve the same security objective
3.6
base practice
activity related to information security protection of industrial control systems that achieves a certain security objective
3.7
generic practice
assessment criteria used in a level verification to determine the capability to implement any security process area or base practice
3.8
core protected object
information or resources that are of value to an organization in the process of building the information security protection capability of industrial control systems
Note: Core protected objects include industrial equipment, industrial hosts, industrial network boundaries, industrial control software and industrial data.
3.9
industrial equipment
device used in industrial production to control actuators and acquire sensor data
Note: Industrial equipment includes control equipment and data acquisition and control field devices.
3.10
industrial host
equipment used in the business links of industrial production control for configuration, workflow and process management, state monitoring, operation data acquisition and storage of important information
Note: Industrial hosts include engineer stations, operator stations and servers.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
APP: Application
BP: Base Practice
CF: Common Feature
DCS: Distributed Control System
DPU: Distributed Processing Unit
FTP: File Transfer Protocol
GP: Generic Practice
GPS: Global Positioning System
HTTP: Hyper Text Transfer Protocol
IED: Intelligent Electronic Device
OLE: Object Linking and Embedding
OPC: OLE for Process Control
PA: Process Area
PLC: Programmable Logic Controller
PKI: Public Key Infrastructure
RFID: Radio Frequency Identification
RTU: Remote Terminal Unit
SCADA: Supervisory Control And Data Acquisition
SQL: Structured Query Language
SSH: Secure Shell
UPS: Uninterruptible Power Supply
USB: Universal Serial Bus
VPN: Virtual Private Network
5 Information security protection capability maturity model of industrial control system
5.1 Architecture of capability maturity model
The architecture of the information security protection capability maturity model of industrial control systems (see Figure 1) consists of the following three dimensions.
a) Security capability elements
The elements of an organization's information security protection capability for industrial control systems are organization building, system process, technical tools and personnel ability.
b) Capability maturity levels
An organization's information security protection capability maturity for industrial control systems is divided into five levels: Level 1: Basic building, Level 2: Standard protection, Level 3: Integrated control, Level 4: Comprehensive synergy, and Level 5: Intelligent optimization.
c) Capability building process
An organization's process of building information security protection capability for industrial control systems covers core protected object security and general security:
1) Core protected object security consists of five process classes: industrial equipment security, industrial host security, industrial network boundary security, industrial control software security and industrial data security;
2) General security consists of five process classes: security planning and architecture, personnel management and training, physical and environmental security, monitoring, warning and emergency response, and supply chain security assurance.
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Information security protection capability maturity model of industrial control system
5.1 Architecture of capability maturity model
5.2 Dimensions of capability elements
5.2.1 Capability composition
5.2.2 Organization building
5.2.3 System process
5.2.4 Technical tools
5.2.5 Personnel ability
5.3 Dimension of capability maturity levels
5.4 Dimension of capability building process
5.4.1 PA system
5.4.2 Encoding rule
5.4.3 Relationship description
6 Core protected object security
6.1 Industrial equipment security
6.1.1 PA01 control equipment security
6.1.2 PA02 data acquisition and control field device security
6.1.3 PA03 equipment asset management
6.1.4 PA04 storage media protection
6.2 Industrial host security
6.2.1 PA05 special security software
6.2.2 PA06 vulnerability and patch management
6.2.3 PA07 peripheral interface management
6.3 Industrial network boundary security
6.3.1 PA08 secure area division
6.3.2 PA09 network boundary protection
6.3.3 PA10 remote access security
6.3.4 PA11 identity authentication
6.4 Industrial control software security
6.4.1 PA12 security configuration
6.4.2 PA13 configuration change
6.4.3 PA14 account management
6.4.4 PA15 password protection
6.4.5 PA16 security audit
6.5 Industrial data security
6.5.1 PA17 data classification and grading management
6.5.2 PA18 differentiated protection
6.5.3 PA19 data backup and recovery
6.5.4 PA20 test data protection
7 General security
7.1 Security planning and architecture
7.1.1 PA21 security policies and procedures
7.1.2 PA22 security authority setup
7.1.3 PA23 division of security duty
7.2 Personnel management and training
7.2.1 PA24 personnel security management
7.2.2 PA25 security education and training
7.3 Physical and environmental security
7.3.1 PA26 physical security protection
7.3.2 PA27 emergency power source
7.3.3 PA28 physical disaster prevention
7.3.4 PA29 environmental separation
7.4 Monitoring, warning and emergency response
7.4.1 PA30 industrial asset sensing
7.4.2 PA31 risk monitoring
7.4.3 PA32 threat warning
7.4.4 PA33 contingency plan
7.4.5 PA34 emergency drill
7.5 Supply chain security assurance
7.5.1 PA35 product selection
7.5.2 PA36 supplier selection
7.5.3 PA37 procurement and delivery
7.5.4 PA38 contract agreement control
7.5.5 PA39 source code audit
7.5.6 PA40 upgrade security assurance
8 Verification method of capability maturity levels
8.1 Industrial equipment security
8.1.1 PA01 control equipment security
8.1.2 PA02 data acquisition and control field device security
8.1.3 PA03 equipment asset management
8.1.4 PA04 storage media protection
8.2 Industrial host security
8.2.1 PA05 special security software
8.2.2 PA06 vulnerability and patch management
8.2.3 PA07 peripheral interface management
8.3 Industrial network boundary security
8.3.1 PA08 secure area division
8.3.2 PA09 network boundary protection
8.3.3 PA10 remote access security
8.3.4 PA11 identity authentication
8.4 Industrial control software security
8.4.1 PA12 security configuration
8.4.2 PA13 configuration change
8.4.3 PA14 account management
8.4.4 PA15 password protection
8.4.5 PA16 security audit
8.5 Industrial data security
8.5.1 PA17 data classification and grading management
8.5.2 PA18 differentiated protection
8.5.3 PA19 data backup and recovery
8.5.4 PA20 test data protection
8.6 Security planning and architecture
8.6.1 PA21 security policies and procedures
8.6.2 PA22 security authority setup
8.6.3 PA23 division of security duties
8.7 Personnel management and training
8.7.1 PA24 personnel security management
8.7.2 PA25 security education and training
8.8 Physical and environmental security
8.8.1 PA26 physical security protection
8.8.2 PA27 emergency power supply
8.8.3 PA28 physical disaster prevention
8.8.4 PA29 environmental separation
8.9 Monitoring, warning and emergency response
8.9.1 PA30 industrial asset sensing
8.9.2 PA31 risk monitoring
8.9.3 PA32 threat warning
8.9.4 PA33 contingency plan
8.9.5 PA34 emergency drill
8.10 Supply chain security assurance
8.10.1 PA35 product selection
8.10.2 PA36 supplier selection
8.10.3 PA37 procurement and delivery
8.10.4 PA38 contract agreement control
8.10.5 PA39 source code audit
8.10.6 PA40 upgrade security assurance
Annex A (Informative) Capability maturity level description and GP
Annex B (Informative) Use method of capability maturity model
Annex C (Informative) Verification process of capability maturity level