Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this standard shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of National Technical Committee on Transportation Information Communication and Navigation of Standardization Administration of China.
Technical specification for cybersecurity monitoring and warning system of transportation
1 Scope
This document specifies the system architecture, general requirements, functional requirements, performance requirements, display requirements, interface requirements, security requirements and operation management of the cybersecurity monitoring and warning system of transportation.
This document is applicable to the construction, testing, operation, maintenance and management of cybersecurity monitoring and warning systems in the transportation industry.
2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of this standard. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/Z 20986-2007 Information security technology - Guidelines for the category and classification of information security incidents
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 24363-2009 Information security technology - Specifications of emergency response plan for information security
GB/T 25069 Information security techniques - Terminology
GB/T 28517-2012 Network incident object description and exchange format
GB/T 29246 Information technology - Security techniques - Information security management systems - Overview and vocabulary
GB/T 33561-2017 Information security technology - Vulnerabilities classification
GB/T 36643-2018 Information security technology - Cyber security threat information format
GB/T 37027-2018 Information security technology - Specifications of definition and description for network attack
3 Terms and definitions
For the purposes of this document, the terms and definitions specified in GB/T 25069 and GB/T 29246 and the following apply.
3.1
threat
potential causes of undesired incidents that may cause harm to the system or organization
[Source: GB/T 29246-2017, 2.83]
3.2
asset
information or resources of value to the organization, which are the objects the security policies protect
[Source: GB/T 20984-2007, 3.1]
3.3
cybersecurity incident
incident that causes harm to the network or information system, or negatively affects the society, due to natural or man-made reasons as well as defects or failures of the software and hardware itself
[Source: GB/T 32924-2016, 3.4]
3.4
cybersecurity monitoring
identification of cybersecurity risks, discovery of threats, issuance of early warning notifications and realization of visual display by collecting and analyzing cybersecurity incidents, logs and traffic data of assets such as security equipment, hosts/servers, databases, middleware and application systems
[Source: GB/T 36635-2018, 3.1, modified]
3.5
cybersecurity warning
security warnings issued in advance or in time for upcoming or ongoing cybersecurity incidents or threats
[Source: GB/T 32924-2016, 3.5, modified]
3.6
threat intelligence
knowledge related to an existing or potential threat and used to inform decisions about response or handling of the threat or hazard
Note: Threat intelligence includes context, mechanism, indication, meaning and actionable recommendations.
3.7
device fingerprint
verifiable and comparable set of data used to uniquely identify device characteristics or unique device attributes
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
CPU: Central Processing Unit
FTP: File Transfer Protocol
HTTP: Hypertext Transfer Protocol
IP: Internet Protocol
JSON: JavaScript Object Notation
POP3: Post Office Protocol-Version 3
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
VPN: Virtual Private Network
XML: Extensible Markup Language
5 System architecture and general requirements
5.1 System architecture
The cybersecurity monitoring and warning system of transportation (referred to as the "monitoring and warning system") is an information system used for centralized cybersecurity monitoring and warning of government websites, e-government mailboxes, important information systems, important network nodes and operating networks in the transportation industry. The monitoring and warning system includes the ministerial-level cybersecurity monitoring and warning system of transportation (referred to as the "ministerial-level system"), the provincial-level cybersecurity monitoring and warning system of transportation (referred to as the "provincial-level system") and the cybersecurity monitoring and warning system of transportation of units directly under the ministry of maritime affairs and salvage (referred to as the "subordinate system"). The ministerial-level system shall exchange data and share information with the platforms of the national cybersecurity supervision departments; the provincial-level system and the subordinate system shall interface with the ministerial-level system, form a warning and communication mechanism for cybersecurity incidents with it, and share knowledge base and threat intelligence database data with it; the provincial-level system shall exchange data and share information with the platforms of the provincial cybersecurity supervision departments. The interfacing relationship between the monitoring and warning system and internal and external systems and platforms is shown in Figure 1.
The monitoring and warning system is mainly composed of a platform layer, a basic layer, an analysis layer, an application layer and a display layer, which, together with the security requirements and operation management, constitute the system architecture of the monitoring and warning system, as shown in Figure 2.
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 System architecture and general requirements
5.1 System architecture
5.2 General requirements
6 Functional requirements
6.1 Data collection
6.2 Data processing
6.3 Data storage
6.4 Security analysis
6.5 Threat intelligence management
6.6 Risk identification
6.7 Cybersecurity warning and judgment
6.8 Information communication
6.9 Response and disposal
7 Performance requirements
8 Display requirements
8.1 Contents to be displayed
8.2 Display mode
9 Interface requirements
9.1 System cascade interface
9.2 Data sharing interface
10 Security requirements
11 Operation management
Bibliography