Information security technology — Information security protection capability maturity model of industrial control systems
1 Scope
This document gives the information security protection capability maturity model of industrial control systems, specifies the maturity level requirements for core protected object security and general security, and sets out the verification method for capability maturity levels.
This document is applicable to the design, construction, operation and maintenance organizations and other parties concerned with industrial control systems when building the information security protection capability of industrial control systems, and to the verification of the maturity level of an organization's information security protection capability for industrial control systems.
2 Normative references
The following documents contain provisions which, through normative reference in this document, constitute indispensable provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including all amendments) applies.
GB/T 25069 Information security technology — Terminology
GB/T 32919-2016 Information security technology — Application guide to industrial control system security control
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and GB/T 32919-2016 and the following apply.
3.1
industrial control system
business process management and control system composed of various automation control components together with process control components that acquire and monitor real-time data, ensuring the automatic operation, process control and supervisory control of industrial infrastructure
Note: Industrial control systems include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems such as programmable logic controllers (PLC).
[Source: GB/T 36323-2018, 3.1, modified]
3.2
information security protection capability of industrial control system
security assurance that an organization provides for an industrial control system in terms of organization building, system processes, technical tools and personnel ability, in order to prevent the industrial control system from suffering unauthorized or accidental access, tampering, destruction and loss
3.3
capability maturity
level of an organization's capability for orderly and continuous improvement, and of the continuity, sustainability, effectiveness and credibility with which it achieves a particular process
[Source: GB/T 37988-2019, 3.6]
3.4
capability maturity model
model for measuring the capability maturity of an organization, comprising a series of characteristics, attributes, indications or patterns that represent capability and progress
Note: A capability maturity model provides organizations with a reference baseline for measuring the capability level of their current practices, processes and methods, and sets clear improvement objectives.
[Source: GB/T 37988-2019, 3.7]
3.5
process area
collection of related base practices of industrial control system information security protection that achieve the same security objective
3.6
base practice
activity related to industrial control system information security protection that achieves a certain security objective
3.7
generic practice
assessment criterion used in level verification to determine the implementation capability of any security process area or base practice
3.8
core protected object
information or resource of value to an organization in the process of building the information security protection capability of its industrial control systems
Note: Core protected objects include industrial equipment, industrial hosts, industrial network boundaries, industrial control software and industrial data.
3.9
industrial equipment
device used in the industrial production process to control actuators and acquire sensor data
Note: Industrial equipment includes control equipment and data acquisition and control field devices.
3.10
industrial host
equipment involved in configuration, workflow and process management, state monitoring, operating data acquisition and important information storage in each business link of industrial production control
Note: Industrial hosts include engineer stations, operator stations and servers.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
APP: Application
BP: Base Practice
CF: Common Feature
DCS: Distributed Control System
DPU: Distributed Processing Unit
FTP: File Transfer Protocol
GP: Generic Practice
GPS: Global Positioning System
HTTP: Hyper Text Transfer Protocol
IED: Intelligent Electronic Device
OLE: Object Linking and Embedding
OPC: OLE for Process Control
PA: Process Area
PLC: Programmable Logic Controller
PKI: Public Key Infrastructure
RFID: Radio Frequency Identification
RTU: Remote Terminal Unit
SCADA: Supervisory Control And Data Acquisition
SQL: Structured Query Language
SSH: Secure Shell
UPS: Uninterruptible Power Supply
USB: Universal Serial Bus
VPN: Virtual Private Network
5 Information security protection capability maturity model of industrial control systems
5.1 Architecture of the capability maturity model
The architecture of the information security protection capability maturity model of industrial control systems (see Figure 1) consists of the following three dimensions.
a) Security capability elements
The information security protection capability elements of an organization's industrial control systems comprise organization building, system processes, technical tools and personnel ability.
b) Capability maturity levels
The information security protection capability maturity of an organization's industrial control systems is divided into five levels: Level 1, basic building; Level 2, standard protection; Level 3, integrated control; Level 4, comprehensive synergy; and Level 5, intelligent optimization.
c) Capability building process
The information security protection capability building process of an organization's industrial control systems comprises core protected object security and general security:
1) core protected object security consists of five process classes: industrial equipment security, industrial host security, industrial network boundary security, industrial control software security and industrial data security;
2) general security consists of five process classes: security planning and architecture, personnel management and training, physical and environmental security, monitoring, warning and emergency response, and supply chain security assurance.
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Information security protection capability maturity model of industrial control systems
5.1 Architecture of the capability maturity model
5.2 Dimension of capability elements
5.2.1 Capability composition
5.2.2 Organization building
5.2.3 System process
5.2.4 Technical tools
5.2.5 Personnel ability
5.3 Dimension of capability maturity levels
5.4 Dimension of capability building process
5.4.1 PA system
5.4.2 Encoding rule
5.4.3 Relationship description
6 Core protected object security
6.1 Industrial equipment security
6.1.1 PA01 control equipment security
6.1.2 PA02 data acquisition and control field device security
6.1.3 PA03 equipment asset management
6.1.4 PA04 storage media protection
6.2 Industrial host security
6.2.1 PA05 special security software
6.2.2 PA06 vulnerability and patch management
6.2.3 PA07 peripheral interface management
6.3 Industrial network boundary security
6.3.1 PA08 secure area division
6.3.2 PA09 network boundary protection
6.3.3 PA10 remote access security
6.3.4 PA11 identity authentication
6.4 Industrial control software security
6.4.1 PA12 security configuration
6.4.2 PA13 configuration change
6.4.3 PA14 account management
6.4.4 PA15 password protection
6.4.5 PA16 security audit
6.5 Industrial data security
6.5.1 PA17 data classification and grading management
6.5.2 PA18 differentiated protection
6.5.3 PA19 data backup and recovery
6.5.4 PA20 test data protection
7 General security
7.1 Security planning and architecture
7.1.1 PA21 security policies and procedures
7.1.2 PA22 security authority setup
7.1.3 PA23 division of security duties
7.2 Personnel management and training
7.2.1 PA24 personnel security management
7.2.2 PA25 security education and training
7.3 Physical and environmental security
7.3.1 PA26 physical security protection
7.3.2 PA27 emergency power supply
7.3.3 PA28 physical disaster prevention
7.3.4 PA29 environmental separation
7.4 Monitoring, warning and emergency response
7.4.1 PA30 industrial asset sensing
7.4.2 PA31 risk monitoring
7.4.3 PA32 threat warning
7.4.4 PA33 contingency plan
7.4.5 PA34 emergency drill
7.5 Supply chain security assurance
7.5.1 PA35 product selection
7.5.2 PA36 supplier selection
7.5.3 PA37 procurement and delivery
7.5.4 PA38 contract agreement control
7.5.5 PA39 source code audit
7.5.6 PA40 upgrade security assurance
8 Verification method of capability maturity levels
8.1 Industrial equipment security
8.1.1 PA01 control equipment security
8.1.2 PA02 data acquisition and control field device security
8.1.3 PA03 equipment asset management
8.1.4 PA04 storage media protection
8.2 Industrial host security
8.2.1 PA05 special security software
8.2.2 PA06 vulnerability and patch management
8.2.3 PA07 peripheral interface management
8.3 Industrial network boundary security
8.3.1 PA08 secure area division
8.3.2 PA09 network boundary protection
8.3.3 PA10 remote access security
8.3.4 PA11 identity authentication
8.4 Industrial control software security
8.4.1 PA12 security configuration
8.4.2 PA13 configuration change
8.4.3 PA14 account management
8.4.4 PA15 password protection
8.4.5 PA16 security audit
8.5 Industrial data security
8.5.1 PA17 data classification and grading management
8.5.2 PA18 differentiated protection
8.5.3 PA19 data backup and recovery
8.5.4 PA20 test data protection
8.6 Security planning and architecture
8.6.1 PA21 security policies and procedures
8.6.2 PA22 security authority setup
8.6.3 PA23 division of security duties
8.7 Personnel management and training
8.7.1 PA24 personnel security management
8.7.2 PA25 security education and training
8.8 Physical and environmental security
8.8.1 PA26 physical security protection
8.8.2 PA27 emergency power supply
8.8.3 PA28 physical disaster prevention
8.8.4 PA29 environmental separation
8.9 Monitoring, warning and emergency response
8.9.1 PA30 industrial asset sensing
8.9.2 PA31 risk monitoring
8.9.3 PA32 threat warning
8.9.4 PA33 contingency plan
8.9.5 PA34 emergency drill
8.10 Supply chain security assurance
8.10.1 PA35 product selection
8.10.2 PA36 supplier selection
8.10.3 PA37 procurement and delivery
8.10.4 PA38 contract agreement control
8.10.5 PA39 source code audit
8.10.6 PA40 upgrade security assurance
Annex A (Informative) Capability maturity level description and GP
Annex B (Informative) Method of using the capability maturity model
Annex C (Informative) Verification process of capability maturity levels