Foreword

Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.

This standard is developed in accordance with the rules given in GB/T 1.1-2009.

This standard replaces GB/T 25070-2010 Information security technology - Technical requirements of security design for information system classified protection and has the following main changes with respect to GB/T 25070-2010:
——The standard name is changed to Information security technology - Technical requirements of security design for classified protection of cybersecurity;
——The technical requirements of design for security computing environments at all levels are adjusted to the technical requirements of design for general security computing environment, cloud security computing environment, mobile interconnection security computing environment, IoT system security computing environment, and ICS security computing environment;
——The technical requirements of design for security area boundaries at all levels are adjusted to the technical requirements of design for general security area boundary, cloud security area boundary, mobile interconnection security area boundary, IoT system security area boundary, and ICS security area boundary;
——The technical requirements of design for security communication networks at all levels are adjusted to the technical requirements of design for general security communication network, cloud security communication network, mobile interconnection security communication network, IoT system security communication network, and ICS security communication network;
——B.2 "Interface between subsystems" and B.3 "Important data structure" in Annex B are deleted, and B.4 "Trusted verification implementation mechanism for Level 3 system" is added.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this standard shall not be held responsible for identifying any or all such patent rights.

This standard was proposed by and is under the jurisdiction of SAC/TC 260 National Technical Committee on Information Security of Standardization Administration of China.

The previous edition of this standard is as follows:
——GB/T 25070-2010.

Introduction

GB/T 25070-2010 Information security technology - Technical requirements of security design for information system classified protection has played a very important role in the process of classified protection of cybersecurity, and has been widely used to guide the construction and rectification of classified protection of cybersecurity in various industries and fields. However, with the development of information technology, GB/T 25070-2010 needs to be further improved in terms of applicability, timeliness, usability and operability. With a view to cooperating with the implementation of the Cybersecurity Law of the People's Republic of China and adapting to the proceeding of classified protection of cybersecurity under such new technologies and applications as cloud computing, mobile interconnection, IoT, industrial control and big data, GB/T 25070-2010 shall be revised.

The idea and method of revision are to adjust the content of the former national standard GB/T 25070-2010, put forward general security design technical requirements for common security protection objectives, and put forward special security design technical requirements for the special security protection objectives of new technologies and application areas such as cloud computing, mobile interconnection, IoT, industrial control and big data.

This standard is one of the series standards related to classified protection of cybersecurity.
Standards in relation to this one include:
——GB/T 25058 Information security technology - Implementation guide for classified protection of information system;
——GB/T 22240 Information security technology - Classification guide for classified protection of information systems security;
——GB/T 22239 Information security technology - Baseline for classified protection of cybersecurity;
——GB/T 28448 Information security technology - Evaluation requirement for classified protection of cybersecurity.

In the text of this standard, bold text indicates requirements that are not present at the lower level or are strengthened relative to it.

Information security technology - Technical requirements of security design for classified protection of cybersecurity

1 Scope

This standard specifies the technical requirements of security design for targets of classified protection of Level 1 to Level 4 under the classified protection of cybersecurity.

This standard is applicable to guiding the design and implementation of security technical schemes for classified protection of cybersecurity by operating and using units, network security enterprises and network security service organizations, and may also be used as the basis for supervision, inspection and guidance by network security functional departments.

Note: Targets of classified protection at Level 5 are particularly important objects of supervision and management; a special management mode and special security design technical requirements apply to them, and they are not described in this standard.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22240-2008 Information security technology - Classification guide for classified protection of information systems security
GB/T 25069-2010 Information security technology - Glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control

3 Terms and definitions

For the purposes of this document, the terms and definitions given in GB 17859-1999, GB/T 22240-2008, GB/T 25069-2010, GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 as well as the following apply. For convenience of application, some terms and definitions specified in GB/T 31167-2014 are listed below.

3.1 cybersecurity
capability to prevent attack, intrusion, interference, damage, illegal use and unexpected accidents affecting the network, to keep the network operating stably and reliably, and to ensure the integrity, confidentiality and availability of network data, by taking the necessary measures
[GB/T 22239-2019, Definition 3.1]

3.2 classified system
system for which a security protection level has been determined. Classified systems are divided into Level 1, 2, 3, 4 and 5 systems

3.3 security environment of classified system
environment consisting of security computing environment, security area boundary, security communication network and/or security management center, which provides security protection for the classified system

3.4 security computing environment
relevant components that store and process the information of the classified system and implement security policies

3.5 security area boundary
boundary of the security computing environment of the classified system, together with the relevant components that realize connections and implement security policies between the security computing environment and the security communication network

3.6 security communication network
relevant components that perform information transmission and implement security policies between the security computing environments of the classified system

3.7 security management center
platform or area that implements unified management of the security policies of the classified system and of the security mechanisms on its security computing environment, security area boundary and security communication network

3.8 security management center for cross classified system
platform or area that implements unified management of the security policies for interconnection between classified systems of the same or different levels and of the security mechanisms on the security interconnection components

3.9 classified system interconnection
secure connection between the security environments of classified systems of the same or different levels, realized by the security interconnection components and the security management center for cross classified system

3.10 cloud computing
mode in which scalable, elastic, shared pools of physical and virtual resources are supplied and managed on-demand and self-service via a network
Note: Resources include servers, operating systems, networks, software, applications and storage equipment.
[GB/T 32400-2015, Definition 3.2.5]

3.11 cloud computing platform
collection of the cloud computing infrastructure and the service layer software on it provided by the cloud service provider
[GB/T 31167-2014, Definition 3.7]

3.12 cloud computing environment
collection of the cloud computing platform provided by the cloud service provider and the software and related components deployed by customers on that platform
[GB/T 31167-2014, Definition 3.8]

3.13 mobile interconnection system
information system that adopts mobile interconnection technology, is distributed mainly in the form of mobile applications, and enables users to obtain business and services through mobile terminals

3.14 internet of things
system consisting of sensor nodes connected via the internet or other networks
[GB/T 22239-2019, Definition 3.15]

3.15 sensor layer gateway
device for aggregating, appropriately processing or fusing, and forwarding the data collected at sensor nodes

3.16 sensor node
device capable of network communication that acquires information from, and/or performs operations on, things or the environment

3.17 data freshness
property of identifying received data that is historical or beyond its time limit

3.18 field device
device connected to the ICS field, including RTUs, PLCs, sensors, actuators, human-machine interfaces and related communication devices

3.19 fieldbus
digital serial multi-point bi-directional data bus or communication link between underlying industrial field devices (such as sensors, actuators, controllers and control room devices). Using fieldbus technology removes the need for point-to-point wiring between the controller and each field device. The bus protocol defines the messages on the fieldbus network, and each message identifies a specific sensor on the network

4 Abbreviations

For the purposes of this document, the following abbreviations apply.
3G: 3rd Generation Mobile Communication Technology
4G: 4th Generation Mobile Communication Technology
API: Application Programming Interface
BIOS: Basic Input Output System
CPU: Central Processing Unit
DMZ: Demilitarized Zone
GPS: Global Positioning System
ICS: Industrial Control System
IoT: Internet of Things
NFC: Near Field Communication
OLE: Object Linking and Embedding
OPC: OLE for Process Control
PLC: Programmable Logic Controller
RTU: Remote Terminal Units
VPDN: Virtual Private Dial-up Networks
SIM: Subscriber Identification Module
WiFi: Wireless Fidelity

5 Overview on security technology design for classified protection of cybersecurity

5.1 Framework of security technology design for general classified protection

The security technology design for classified protection of cybersecurity includes the design of the security environment of systems at all levels and the design of their security interconnection, as shown in Figure 1. The security environment of a system at each level consists of the security computing environment, security area boundary, security communication network and/or security management center of the corresponding level. The classified system interconnection consists of security interconnection components and the security management center for cross classified system.

Figure 1 Framework of security technology design for classified protection of cybersecurity

Clauses 6 to 11 of this standard put forward the corresponding technical requirements of design for each part of Figure 1 (except the requirements of design for the security environment of a Level 5 network). Annex A gives the design of the access control mechanism, and Annex B gives an example of the design for the security environment of a Level 3 system. In addition, Annex C gives the technical requirements of design for big data.
When designing the security environment of a classified system, the classified system may be further divided into subsystems according to the system's own business requirements; the level of each subsystem is then determined and the security environment of each subsystem is designed accordingly.

5.2 Framework of security technology design for classified protection of cloud computing

Combining the hierarchical framework of cloud computing functions and the security characteristics of cloud computing, the protection technology framework of security design for cloud computing is constructed. It consists of the cloud user layer, access layer, service layer, resource layer, hardware facility layer and management layer (cross-layer function). In this framework, the center refers to the security management center, and the triple protection includes the security computing environment, security area boundary and security communication network, as shown in Figure 2.

Figure 2 Framework of security technology design for classified protection of cloud computing

Users securely access the security computing environment provided by cloud service providers through the security communication network by means of direct network access, API interface access and WEB service access; the security of the user terminal itself is beyond the scope of this part. The security computing environment includes resource layer security and service layer security. The resource layer is divided into physical resources and virtual resources; the technical requirements of security design for physical resources and the requirements of security design for virtual resources need to be specified, while physical and environmental security is beyond the scope of this part. The service layer is the realization of the services provided by cloud service providers, including the software components needed to realize the services.

According to the service mode, cloud service providers and cloud tenants bear different security responsibilities. The security design for the service layer needs to specify the technical requirements of security design within the resources controlled by cloud service providers, and cloud service providers may provide security technology and security protection capabilities to cloud tenants by offering security interfaces and security services. The system management, security management and security audit of the cloud computing environment are under the unified control of the security management center. Using this framework, the security technology design for cloud computing environments of different levels can be performed, and the security design for cloud tenants (business systems) of different levels is supported by service layer security.

5.3 Framework of security technology design for classified protection of mobile interconnection

The reference architecture of mobile interconnection system security protection is shown in Figure 3. In it, the security computing environment consists of three security domains: the core business domain, the DMZ domain and the remote access domain; the security area boundary consists of the mobile interconnection system area boundary, mobile terminal area boundary, traditional computing terminal area boundary, core server area boundary and DMZ area boundary; and the security communication network consists of wireless networks built by mobile operators or by users themselves.

a) Core business domain
The core business domain is the core area of the mobile interconnection system. It is composed of mobile terminals, traditional computing terminals and servers, and completes the processing, maintenance and other tasks of mobile interconnection services.
The core business domain shall focus on ensuring the operating system security, application security, network communication security and device access security of the servers, computing terminals and mobile terminals in the domain.

b) DMZ domain
The DMZ domain is the external service area of the mobile interconnection system, where the servers and applications for external services, such as Web servers and database servers, are deployed. This area is connected with the Internet, and access requests from the Internet shall be relayed through this area before reaching the core business domain. The DMZ domain shall focus on ensuring the security of server operating systems and applications.

Figure 3 Framework of security technology design for classified protection of mobile interconnection

c) Remote access domain
The remote access domain consists of mobile terminals that are controlled by the operating and using unit of the mobile interconnection system and that remotely access the unit's network through VPN or other technical means, in order to complete telecommuting, application system management and control, and other services. The remote access domain shall focus on ensuring the operational security of the remote mobile terminal itself, the security of access to the mobile interconnection application system, and the security of the communication network.

This standard classifies the computing nodes in a mobile interconnection system into two categories: mobile computing nodes and traditional computing nodes. Mobile computing nodes mainly include the mobile terminals in the remote access domain and the core business domain, while traditional computing nodes mainly include the traditional computing terminals and servers in the core business domain. The security design for traditional computing nodes and their boundaries may refer to the general security design requirements; the security design for the mobile interconnection computing environment, area boundary and communication network described below applies specifically to mobile computing nodes.

5.4 Framework of security technology design for classified protection of internet of things

Combined with the characteristics of the internet of things (IoT) system, the triple protection system of security computing environment, security area boundary and security communication network is constructed with the support of the security management center. The framework of security protection design for an IoT system supported by the security management center is shown in Figure 4. Both the sensor layer and the application layer of the IoT are composed of the computing environment that completes the computing tasks and the area boundaries that connect the network communication domains.

Figure 4 Framework of security technology design for classified protection of IoT system

a) Security computing environment
It includes the relevant components in the sensor layer and application layer of the IoT system that store and process the information of the classified system and implement security policies, such as objects, computing nodes and sensing control devices in the sensor layer, and computing resources and application services in the application layer.

b) Security area boundary
It includes the security computing environment boundary of the IoT system and the relevant components that realize connections and implement security policies between the security computing environment and the security communication network, such as the boundary between the sensor layer and the network layer, and the boundary between the network layer and the application layer.
c) Security communication network
It includes the relevant components that perform information transmission and implement security policies between the security computing environments and security areas of the IoT system, such as the communication network of the network layer and the communication networks between the security computing environments within the sensor layer and the application layer.

d) Security management center
It includes a platform that implements unified management of the security policies of the IoT system and of the security mechanisms on its security computing environment, security area boundary and security communication network, and comprises three parts: system management, security management and audit management. Only the security environments of Level 2 and above are designed with a security management center.

5.5 Framework of security technology design for classified protection of industrial control

An industrial control system is partitioned according to the business nature of the protected object, and the classified protection of cybersecurity is designed according to the technical characteristics of its functional layers. The framework of security technology design for classified protection of industrial control systems is shown in Figure 5. The design is built on the triple protection system of computing environment, area boundary and communication network with the support of the security management center. It is a layered and partitioned architecture, designed with regard to the characteristics of industrial control systems: complex and diverse bus protocols, strict real-time requirements, limited node computing resources, high device reliability requirements, short failure recovery time, and the constraint that security mechanisms must not affect real-time behaviour. The aim is reliable, controllable and manageable system security interconnection, area boundary security protection and computing environment security.

The industrial control system is divided into four layers, i.e. Layers 0 to 3, which are within the scope of classified protection of industrial control systems and are the area covered by the design framework. Horizontally, the industrial control system is divided into security areas, forming different security protection areas according to the importance, real-time nature, relevance, degree of influence on field controlled devices, functional range and asset attributes of the business in the industrial control system. Every system shall be placed in the corresponding security area, and the specific partition shall follow the actual situation of the industrial field (partitioning methods include but are not limited to: Layers 0 to 2 form a security area, Layers 0 to 1 form a security area, there are different security areas in the same layer, etc.).

The partitioning principle is based on the real-time nature of business systems or their functional modules, their users, main functions, device usage places, the relationships between business systems, WAN communication modes and the degree of influence on the industrial control system. For additional security and reliability requirements, the main security areas may be further divided into sub-areas according to operating functions. Dividing devices into different areas effectively establishes an "in-depth protection" strategy. The control functions of systems with the same functions and security requirements are divided into separate security areas, and a network segment address is assigned to each security functional area in accordance with the principle of convenient management and control.

The design framework is enhanced level by level, but the protection categories are the same; only the strength of the security protection design differs. The protection categories are:
security computing environment, including the relevant components for storing and processing information and implementing security policies in Layers 0 to 3 of the industrial control system;
security area boundary, including the security computing environment boundary, as well as the relevant components that realize connections and implement security policies between the security computing environment and the security communication network;
security communication network, including the relevant components that perform information transmission and implement security policies between the security computing environment and the network security area;
security management center, including the platform that implements unified management of the security policies of the classified system and of the security mechanisms on its security computing environment, security area boundary and security communication network, which consists of three parts: system management, security management and audit management.

Note 1: According to IEC/TS 62443-1-1, the industrial control system is divided into the following functional layers: Layer 0 (field device layer), Layer 1 (field control layer), Layer 2 (process monitoring layer), Layer 3 (production management layer), and Layer 4 (enterprise resource layer).
Note 2: An information security area may include several sub-areas of different levels.
Note 3: The vertical partitioning follows the actual situation of the industrial field (the partitioning in the figure is exemplary), and the partitioning methods include but are not limited to: Layers 0 to 2 form a security area, Layers 0 to 1 form a security area, etc.

Figure 5 Framework of security technology design for classified protection of industrial control system

6 Design for security environment of Level 1 system

6.1 Design objective

The design objective of the security environment of a Level 1 system is to realize discretionary access control of the classified system according to the security protection requirements for Level 1 systems in GB 17859-1999, so that system users have the ability to protect their own objects.

6.2 Design strategy

The design strategy of the security environment of a Level 1 system is, following the relevant requirements of GB 17859-1999, 4.1, to provide users and/or user groups with discretionary access control over files and database tables on the basis of identity authentication, so as to achieve isolation between users and data and give users an independent security protection capability; to provide area boundary protection by means of packet filtering; and to provide data and system integrity protection by means of data validation and malicious code prevention.

The design of the security environment of a Level 1 system is realized through the design of the security computing environment, security area boundary and security communication network of Level 1. All computing nodes shall be based on a trusted root to realize trusted verification from booting up to operating system startup.

6.3 Technical requirements of design

6.3.1 Technical requirements of design for security computing environment

6.3.1.1 Technical requirements of design for general security computing environment

The requirements include:

a) User identity authentication
User identification and user authentication shall be supported.
When each user is registered in the system, the user name and user identifier are used to identify the user's identity; every time a user logs in to the system, a password authentication mechanism is used to authenticate the user's identity, and the password data is protected.

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview on security technology design for classified protection of cybersecurity
5.1 Framework of security technology design for general classified protection
5.2 Framework of security technology design for classified protection of cloud computing
5.3 Framework of security technology design for classified protection of mobile interconnection
5.4 Framework of security technology design for classified protection of internet of things
5.5 Framework of security technology design for classified protection of industrial control
6 Design for security environment of Level 1 system
6.1 Design objective
6.2 Design strategy
6.3 Technical requirements of design
7 Design for security environment of Level 2 system
7.1 Design objective
7.2 Design strategy
7.3 Technical requirements of design
8 Design for security environment of Level 3 system
8.1 Design objective
8.2 Design strategy
8.3 Technical requirements of design
9 Design for security environment of Level 4 system
9.1 Design objective
9.2 Design strategy
9.3 Technical requirements of design
10 Design for security environment of Level 5 system
11 Design for classified system interconnection
11.1 Design objective
11.2 Design strategy
11.3 Technical requirements of design
Annex A (Informative) Design of access control mechanism
Annex B (Informative) Design examples for security environment of Level 3 system
Annex C (Informative) Technical requirements of design for big data
Bibliography
For industrial control systems, the classified protection design is implemented by zoning according to the business nature of the protected objects and by addressing the technical characteristics of each functional layer; the security technical design framework for classified protection of ICS is shown in Figure 5. This design builds a triple defense system of computing environment, area boundary and communication network supported by the security management center, adopts a layered and zoned architecture, and takes into account ICS characteristics such as complex and diverse bus protocols, strong real-time requirements, limited computing resources on nodes, high device reliability requirements, short fault recovery times and the requirement that security mechanisms must not affect real-time performance, so as to achieve trusted, controllable and manageable secure system interconnection, area boundary security protection and computing environment security.

The ICS is divided into four layers, layers 0 to 3, which fall within the scope of ICS classified protection and are the region covered by the design framework. Horizontally, the ICS is divided into security areas: according to the importance, real-time nature and interrelationship of the business, the degree of impact on field controlled devices, the functional scope, asset attributes and so on, different security protection areas are formed, and every system should be placed in the corresponding security area. The specific zoning is determined by the actual situation of the industrial site (zoning methods include but are not limited to: layers 0 to 2 forming one security area, layers 0 to 1 forming one security area, different security areas within the same layer, and so on).

The zoning principles are based on the real-time nature, users, main functions and equipment location of the business systems or their functional modules, the interrelationships between business systems, the WAN communication method and the degree of impact on the ICS. Where additional security and reliability are required, a main security zone may be further divided into sub-zones by operational function; dividing equipment into different zones effectively establishes a "defense in depth" strategy. The control functions of systems with the same function and security requirements are assigned to different security areas, and network segment addresses are allocated to each security functional area on the principle of convenient management and control.

The design framework is strengthened level by level, but the protection categories are the same; only the strength of the security protection design differs. The protection categories are: the security computing environment, comprising the components in layers 0 to 3 of the ICS that store and process information and enforce security policies; the security area boundary, comprising the boundary of the security computing environment and the components that connect the security computing environment with the security communication network and enforce security policies; the security communication network, comprising the components that transmit information between the security computing environment and the network security areas and enforce security policies; and the security management center, comprising the platform that uniformly manages the security policies of the classified system and the security mechanisms on the security computing environment, security area boundary and security communication network, made up of system management, security management and audit management.

[Figure 5 Security technical design framework for classified protection of industrial control systems. Panels: Layer 4 enterprise resource layer (see the general classified protection security design technical requirements); classified protection of a complex ICS: communication network between layers 3 and 4, layer 3 computing environment and boundary protection, communication network between layers 2 and 3, information security area A (layer 2 computing environment and boundary protection, communication network between layers 1 and 2, layer 0 computing environment and boundary protection), information security area B and sub-area B1 (layer 1 computing environment and boundary protection, communication network between layers 0 and 1), communication networks and boundary protection between information security areas; security management center (system management, security management, audit management) with its own boundary protection.]
Note 1: With reference to IEC/TS 62443-1-1, the ICS is divided by functional layer into Layer 0: field device layer; Layer 1: field control layer; Layer 2: process monitoring layer; Layer 3: production management layer; Layer 4: enterprise resource layer.
Note 2: One information security area may include multiple sub-areas of different levels.
Note 3: Vertical zoning is determined by the actual situation of the industrial site (the zoning in the figure is illustrative); zoning methods include but are not limited to: layers 0 to 2 forming one security area, layers 0 to 1 forming one security area, and so on.

6 Design of the Level 1 system security protection environment
6.1 Design objective
The design objective of the Level 1 system security protection environment is: in accordance with the security protection requirements for Level 1 systems in GB 17859-1999, implement discretionary access control for the classified system so that system users are able to protect the objects that belong to them.

6.2 Design strategy
The design strategy of the Level 1 system security protection environment is: following the relevant requirements of 4.1 of GB 17859-1999, and on the basis of identity authentication, provide discretionary access control by users and (or) user groups over files and database tables, so as to isolate users from data and give users the ability for discretionary security protection; provide area boundary protection by packet filtering; and provide integrity protection of data and systems by means such as data checksums and malicious code prevention.

The design of the Level 1 system security protection environment is realized through the design of the Level 1 security computing environment, security area boundary and security communication network. Every computing node should implement, based on a root of trust, trusted verification from power-on to operating system startup.

6.3 Design technical requirements
6.3.1 Security computing environment design technical requirements
6.3.1.1 General security computing environment design technical requirements
This requirement includes:
a) User identity authentication
User identification and user authentication shall be supported. When each user registers with the system, a user name and a user identifier are used to identify the user; at each login to the system, a password authentication mechanism is used to authenticate the user, and the password data shall be protected.
b) Discretionary access control
Within the scope controlled by the security policy, users/user groups shall have the corresponding access permissions for the objects they create and shall be able to grant some or all of these permissions to other users/user groups. The granularity of access control subjects is the user/user group level, and the granularity of objects is the file or database table level. Access operations include creation, reading, writing, modification and deletion of objects.
c) User data integrity protection
Conventional checksum mechanisms may be used to check the integrity of stored user data and discover whether that integrity has been compromised.
d) Malicious code prevention
Anti-malicious-code software shall be installed, or an operating system with corresponding security functions shall be configured, and it shall be upgraded and updated regularly to prevent and remove malicious code.
e) Trusted verification
Trusted verification of the BIOS, bootloader, operating system kernel and so on of computing nodes may be performed based on a root of trust, and an alarm shall be raised when their trustworthiness is found to be compromised.
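As an added illustration (not part of the standard's text), the Python below shows the measure-and-compare logic behind items c) and e): each boot component is hashed in boot order and compared with a reference measurement recorded while the image was known-good, an alarm is raised and the chain stops at the first mismatch, and the same checksum helper verifies stored user data. The component names, image bytes and reference values are constructed for the example.

```python
import hashlib

# Constructed sample images standing in for the real BIOS, bootloader and
# kernel images that the root of trust would read before handing over control.
BOOT_CHAIN = [
    ("BIOS", b"bios-image-v1"),
    ("bootloader", b"bootloader-stage2-v1"),
    ("kernel", b"kernel-image-v1"),
]


def measure(data: bytes) -> str:
    """Measurement of a component: a SHA-256 digest of its bytes."""
    return hashlib.sha256(data).hexdigest()


# Reference measurements, taken when the images were trusted (constructed here).
REFERENCE = {name: measure(data) for name, data in BOOT_CHAIN}


def verify_boot_chain(chain, reference):
    """Verify components in boot order, as a root of trust would before
    passing control to the next stage.

    Returns (ok, verified_components, alarms). Verification stops at the
    first component whose measurement does not match its reference value,
    because nothing measured after a compromised stage can be trusted.
    """
    verified, alarms = [], []
    for name, data in chain:
        if measure(data) != reference.get(name):
            alarms.append(f"ALARM: {name} measurement does not match reference")
            break
        verified.append(name)
    return not alarms, verified, alarms


def check_user_data(stored: bytes, checksum: str) -> bool:
    """Item c): recompute the checksum of stored user data and compare."""
    return measure(stored) == checksum


if __name__ == "__main__":
    print(verify_boot_chain(BOOT_CHAIN, REFERENCE))
```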