信息安全技术 工业控制系统信息安全防护能力成熟度模型
Information security technology — Information security protection capability maturity model of industrial control systems
1 Scope
This document gives the information security protection capability maturity model of industrial control systems, specifies the maturity level requirements for core protected object security and general security, and puts forward the verification method for capability maturity levels.
This document is applicable to the design, construction, operation and maintenance organizations and other parties concerned with industrial control systems when building industrial control system information security protection capability, and to the verification of the maturity level of an organization's industrial control system information security protection capability.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes indispensable provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069 Information security techniques — Terminology
GB/T 32919-2016 Information security technology — Application guide to industrial control system security control
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069, GB/T 32919-2016 and the following apply.
3.1
industrial control system
business process management and control system composed of various automation control components and process control components that acquire and monitor real-time data, so as to ensure the automated operation, process control and supervisory control of industrial infrastructure
Note: Industrial control systems include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems such as programmable logic controllers (PLC).
[Source: GB/T 36323-2018, 3.1, modified]
3.2
information security protection capability of industrial control system
security assurance given by an organization to an industrial control system in terms of organization building, system process, technical tools and personnel ability, in order to protect the industrial control system from unauthorized or accidental access, tampering, destruction and loss
3.3
capability maturity
level of continuity, sustainability, effectiveness and credibility with which an organization improves its capability in an orderly and continuous manner and achieves a particular process
[Source: GB/T 37988-2019, 3.6]
3.4
capability maturity model
model for measuring the capability maturity of an organization, including a series of characteristics, attributes, indications or patterns that represent capabilities and progress
Note: A capability maturity model provides organizations with a reference baseline for measuring the capability level of their current practices, processes and methods, and sets clear improvement objectives.
[Source: GB/T 37988-2019, 3.7]
3.5
process area
collection of related base practices of industrial control system information security protection that achieve the same security objective
3.6
base practice
activity of industrial control system information security protection that contributes to achieving a certain security objective
3.7
generic practice
assessment criterion used in level verification to determine the capability to implement any security process area or base practice
3.8
core protected object
information or resource of value to an organization in the process of building industrial control system information security protection capability
Note: Core protected objects include industrial equipment, industrial hosts, industrial network boundaries, industrial control software and industrial data.
3.9
industrial equipment
device used in the industrial production process to control actuators and acquire sensor data
Note: Industrial equipment includes control equipment and data acquisition and control field devices.
3.10
industrial host
equipment involved in configuration, workflow and process management, state monitoring, operation data acquisition and storage of important information in each business link of industrial production control
Note: Industrial hosts include engineer stations, operator stations and servers.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
APP: Application
BP: Base Practice
CF: Common Feature
DCS: Distributed Control System
DPU: Distributed Processing Unit
FTP: File Transfer Protocol
GP: Generic Practice
GPS: Global Positioning System
HTTP: Hyper Text Transfer Protocol
IED: Intelligent Electric Device
OLE: Object Linking and Embedding
OPC: OLE for Process Control
PA: Process Area
PLC: Programmable Logic Controller
PKI: Public Key Infrastructure
RFID: Radio Frequency Identification
RTU: Remote Terminal Unit
SCADA: Supervisory Control And Data Acquisition
SQL: Structured Query Language
SSH: Secure Shell
UPS: Uninterruptible Power Supply
USB: Universal Serial Bus
VPN: Virtual Private Network
5 Information security protection capability maturity model of industrial control systems
5.1 Architecture of the capability maturity model
The architecture of the information security protection capability maturity model of industrial control systems (see Figure 1) consists of the following three dimensions.
a) Security capability elements
The information security protection capability elements of an organization's industrial control systems comprise organization building, system process, technical tools and personnel ability.
b) Capability maturity levels
The information security protection capability maturity of an organization's industrial control systems is divided into five levels: Level 1, basic building; Level 2, standard protection; Level 3, integrated control; Level 4, comprehensive synergy; and Level 5, intelligent optimization.
c) Capability building process
The information security protection capability building process of an organization's industrial control systems covers core protected object security and general security:
1) Core protected object security consists of five process classes: industrial equipment security, industrial host security, industrial network boundary security, industrial control software security and industrial data security;
2) General security consists of five process classes: security planning and architecture, personnel management and training, physical and environmental security, monitoring, warning and emergency response, and supply chain security assurance.
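The following is an added example, not code from the standard, that puts the catalogue structure of 5.1 into code: the 40 process areas grouped into the ten process classes (PA ranges taken from the document's contents), with a gap analysis of a constructed assessment against a target level. The aggregation rule (the weakest PA decides the level of its process class and of the organization) is an assumption made here for illustration; the standard's own verification method in clause 8 is not reproduced on this page.

```python
# Maturity gap analysis over the PA catalogue of the model described above.
# Added example, not part of the standard. Process classes and PA ranges
# (PA01..PA40) follow the document's contents; the aggregation rule (lowest PA
# level decides the class and organization level) is an ASSUMPTION for illustration.
from typing import Dict, List, Tuple

LEVEL_NAMES = {1: "basic building", 2: "standard protection", 3: "integrated control",
               4: "comprehensive synergy", 5: "intelligent optimization"}

# process class -> (first PA number, last PA number), inclusive, from the contents
PROCESS_CLASSES: Dict[str, Tuple[int, int]] = {
    "industrial equipment security": (1, 4),
    "industrial host security": (5, 7),
    "industrial network boundary security": (8, 11),
    "industrial control software security": (12, 16),
    "industrial data security": (17, 20),
    "security planning and architecture": (21, 23),
    "personnel management and training": (24, 25),
    "physical and environmental security": (26, 29),
    "monitoring, warning and emergency response": (30, 34),
    "supply chain security assurance": (35, 40),
}

def pa_ids(first: int, last: int) -> List[str]:
    """PA identifiers in the document's two-digit form, e.g. PA01."""
    return [f"PA{n:02d}" for n in range(first, last + 1)]

def class_level(assessed: Dict[str, int], name: str) -> int:
    """Assumed rule: lowest level among the class's PAs; an unassessed PA counts as 0."""
    first, last = PROCESS_CLASSES[name]
    return min(assessed.get(pa, 0) for pa in pa_ids(first, last))

def organization_level(assessed: Dict[str, int]) -> int:
    """Assumed rule: the organization sits at its weakest process class."""
    return min(class_level(assessed, name) for name in PROCESS_CLASSES)

def gaps(assessed: Dict[str, int], target: int) -> Dict[str, List[str]]:
    """PAs per process class that still fall short of the target level."""
    if target not in LEVEL_NAMES:
        raise ValueError(f"target level must be 1..5, got {target}")
    result = {}
    for name, (first, last) in PROCESS_CLASSES.items():
        short = [pa for pa in pa_ids(first, last) if assessed.get(pa, 0) < target]
        if short:
            result[name] = short
    return result

# Constructed sample assessment: every PA at level 3 except three weak spots.
SAMPLE = {pa: 3 for f, l in PROCESS_CLASSES.values() for pa in pa_ids(f, l)}
SAMPLE.update({"PA06": 2, "PA15": 2, "PA39": 1})
```

Calling gaps(SAMPLE, 3) lists exactly the three weak PAs under their process classes, while organization_level(SAMPLE) drops to 1 because PA39 alone holds the whole organization back under the assumed rule.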
Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Information security protection capability maturity model of industrial control system
5.1 Architecture of capability maturity model
5.2 Dimension of capability elements
5.2.1 Capability composition
5.2.2 Organization building
5.2.3 System process
5.2.4 Technical tools
5.2.5 Personnel ability
5.3 Dimension of capability maturity levels
5.4 Dimension of capability building process
5.4.1 PA system
5.4.2 Encoding rule
5.4.3 Relationship description
6 Core protected object security
6.1 Industrial equipment security
6.1.1 PA01 control equipment security
6.1.2 PA02 data acquisition and control field device security
6.1.3 PA03 equipment asset management
6.1.4 PA04 storage media protection
6.2 Industrial host security
6.2.1 PA05 special security software
6.2.2 PA06 vulnerability and patch management
6.2.3 PA07 peripheral interface management
6.3 Industrial network boundary security
6.3.1 PA08 secure area division
6.3.2 PA09 network boundary protection
6.3.3 PA10 remote access security
6.3.4 PA11 identity authentication
6.4 Industrial control software security
6.4.1 PA12 security configuration
6.4.2 PA13 configuration change
6.4.3 PA14 account management
6.4.4 PA15 password protection
6.4.5 PA16 security audit
6.5 Industrial data security
6.5.1 PA17 data classification and grading management
6.5.2 PA18 differentiated protection
6.5.3 PA19 data backup and recovery
6.5.4 PA20 test data protection
7 General security
7.1 Security planning and architecture
7.1.1 PA21 security policies and procedures
7.1.2 PA22 security authority setup
7.1.3 PA23 division of security duties
7.2 Personnel management and training
7.2.1 PA24 personnel security management
7.2.2 PA25 security education and training
7.3 Physical and environmental security
7.3.1 PA26 physical security protection
7.3.2 PA27 emergency power supply
7.3.3 PA28 physical disaster prevention
7.3.4 PA29 environmental separation
7.4 Monitoring, warning and emergency response
7.4.1 PA30 industrial asset sensing
7.4.2 PA31 risk monitoring
7.4.3 PA32 threat warning
7.4.4 PA33 contingency plan
7.4.5 PA34 emergency drill
7.5 Supply chain security assurance
7.5.1 PA35 product selection
7.5.2 PA36 supplier selection
7.5.3 PA37 procurement and delivery
7.5.4 PA38 contract agreement control
7.5.5 PA39 source code audit
7.5.6 PA40 upgrade security assurance
8 Verification method of capability maturity levels
8.1 Industrial equipment security
8.1.1 PA01 control equipment security
8.1.2 PA02 data acquisition and control field device security
8.1.3 PA03 equipment asset management
8.1.4 PA04 storage media protection
8.2 Industrial host security
8.2.1 PA05 special security software
8.2.2 PA06 vulnerability and patch management
8.2.3 PA07 peripheral interface management
8.3 Industrial network boundary security
8.3.1 PA08 secure area division
8.3.2 PA09 network boundary protection
8.3.3 PA10 remote access security
8.3.4 PA11 identity authentication
8.4 Industrial control software security
8.4.1 PA12 security configuration
8.4.2 PA13 configuration change
8.4.3 PA14 account management
8.4.4 PA15 password protection
8.4.5 PA16 security audit
8.5 Industrial data security
8.5.1 PA17 data classification and grading management
8.5.2 PA18 differentiated protection
8.5.3 PA19 data backup and recovery
8.5.4 PA20 test data protection
8.6 Security planning and architecture
8.6.1 PA21 security policies and procedures
8.6.2 PA22 security authority setup
8.6.3 PA23 division of security duties
8.7 Personnel management and training
8.7.1 PA24 personnel security management
8.7.2 PA25 security education and training
8.8 Physical and environmental security
8.8.1 PA26 physical security protection
8.8.2 PA27 emergency power supply
8.8.3 PA28 physical disaster prevention
8.8.4 PA29 environmental separation
8.9 Monitoring, warning and emergency response
8.9.1 PA30 industrial asset sensing
8.9.2 PA31 risk monitoring
8.9.3 PA32 threat warning
8.9.4 PA33 contingency plan
8.9.5 PA34 emergency drill
8.10 Supply chain security assurance
8.10.1 PA35 product selection
8.10.2 PA36 supplier selection
8.10.3 PA37 procurement and delivery
8.10.4 PA38 contract agreement control
8.10.5 PA39 source code audit
8.10.6 PA40 upgrade security assurance
Annex A (Informative) Capability maturity level description and GP
Annex B (Informative) Use method of capability maturity model
Annex C (Informative) Verification process of capability maturity level