Essential Reading for Industrial Control System Security Evaluation

——Interpretation of “Network Security Level Protection Evaluation Requirements Part 5: Industrial Control System Security Extension Requirements”

Editor’s Note

Article 31 of the “Cybersecurity Law of the People’s Republic of China” states: “The state shall, on the basis of the network security level protection system, implement key protection for critical information infrastructure in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government, as well as other infrastructure that, if damaged, disabled or subject to data leakage, could seriously endanger national security, the national economy, people’s livelihood and the public interest.” Industrial control systems, as critical information infrastructure, are core protection targets of level protection work. To meet the latest requirements of national laws and policies, the level protection standards for industrial control systems need to be extended and improved, and how to evaluate the security status of these systems is the foundation for all subsequent work. Below, the standard drafting team introduces the main contents of the evaluation requirements for industrial control systems in detail.

Interpretation of “Network Security Level Protection Evaluation Requirements Part 5: Industrial Control System Security Extension Requirements” Standard

1. Significance of Drafting the Industrial Control System Level Protection Standards

With the development of information technology and industrialization, industrial control systems are widely used in important industries and fields such as energy, transportation, water conservancy and public services; modern industrial production, transportation and supply automation all rely on them. Since the 2010 “Stuxnet” incident, the security of industrial control systems has drawn growing attention from governments and the public worldwide, and developed countries such as the United States have released a series of standards and frameworks for their protection. The 2013 “Prism” disclosures showed that certain Western powers use their technological advantage to continuously strengthen their infiltration, control and sabotage of other countries’ cyberspace, posing a severe threat to those countries’ social order and national security. In 2015 a Ukrainian power distribution company was attacked with malicious code; seven 110 kV and twenty-three 35 kV substations were taken out of service and roughly 80,000 customers lost power. The attack is regarded as the first confirmed cyber attack to cause a power outage, and it was a wake-up call that exposed both the severity of the industrial control security problem and the capability of the attackers. For China, since reform and opening up the country has gradually transformed from an agricultural nation into an industrial one. The integration of informatization and industrialization has changed modern industrial production and liberated social productivity, but the resulting security situation cannot be ignored: because core technologies have lagged, critical equipment has for a long time mostly been imported, the domestic level is relatively low, and the cybersecurity foundation is weak. Maintaining cybersecurity and making industrial control systems “controllable, manageable, and under control” is therefore extremely challenging.

In 1994, the State Council issued the “Regulations of the People’s Republic of China on the Security Protection of Computer Information Systems,” which states that “computer information systems shall implement security level protection.” In 2003, the General Office of the CPC Central Committee and the General Office of the State Council forwarded the “Opinions of the National Informatization Leading Group on Strengthening Information Security Assurance Work,” which requires key protection of the national basic information networks and of important information systems related to national security, the economic lifeline and social stability, and the establishment of an information security level protection system. From 2004 onward, the Ministry of Public Security, together with relevant departments, successively issued policy documents such as the “Implementation Opinions on Information Security Level Protection Work,” the “Management Measures for Information Security Level Protection” and the “Guiding Opinions on Carrying Out Security Construction and Rectification Work for Information System Level Protection.” At the same time, the National Information Security Standardization Technical Committee and the Ministry of Public Security’s Information System Security Standardization Technical Committee organized the drafting of the standards urgently needed for level protection work, including the “Classification Guidelines for Information System Security Level Protection,” the “Basic Requirements for Information System Security Level Protection” and the “Evaluation Requirements for Information System Security Level Protection,” which are widely used by information security regulators, system operators, evaluation institutions and other relevant units. Overall, China’s information security level protection work has made significant progress, and key industries have implemented the level protection system.

However, in applying these standards, some clauses have proved inapplicable or only weakly applicable, especially to industrial control systems. General protection measures such as upgrading, patching, anti-virus and intrusion detection, and assessment methods such as online vulnerability scanning and penetration testing, cannot be applied as-is to an operational industrial control system: patches and signature updates cannot be pushed onto a running process without prior testing, and active scanning or penetration testing can disrupt or crash controllers and field devices. A series of level protection standards tailored to the characteristics of industrial control systems is therefore needed. Furthermore, Article 31 of the “Cybersecurity Law,” in force since June 1, 2017, stipulates that critical information infrastructure shall receive key protection on the basis of network security level protection. Large numbers of industrial control systems are used in important industries and fields, and once damaged, disabled or subject to data leakage they could seriously endanger national security, the economy and the public interest; they should therefore be included in the critical information infrastructure protection catalogue. The promulgation of the “Cybersecurity Law” gives “network” and “network security” new definitions under the new circumstances, and the level protection standards for industrial control systems must adapt to the latest requirements of national laws and policies, in step with the revision of the existing level protection standards.

The power industry was among the first to carry out level protection work and to build a level evaluation system, and has accumulated rich experience in protecting industrial control systems. Since 2012, the National Energy Administration has reviewed, revised and formulated industry policies on this basis. In 2014, the “Regulations on the Security Protection of Power Monitoring Systems” were issued as National Development and Reform Commission Order No. 14 of 2014. In 2015, the “Management Measures for Network and Information Security in the Power Industry,” the “Management Measures for Information Security Level Protection in the Power Industry” and related protection plans and evaluation specifications were issued as National Energy Administration documents. These documents have played an important role in supervising and guiding network and information security work in the industry. To strengthen the protection capability of industrial control systems, standardize the construction of their security protection and promote the development of China’s information security industry, the Information Center of the National Energy Administration, under the guidance of the relevant national departments, organized evaluation institutions, industrial control security vendors and energy enterprises to carry out special research on evaluation methods for industrial control systems, and compiled the “Network Security Level Protection Evaluation Requirements Part 5: Industrial Control System Security Extension Requirements” (hereinafter “the industrial control evaluation requirements”).

The industrial control evaluation requirements are based on the revised draft of the “Information Security Technology Information System Security Level Protection Evaluation Requirements” (GB/T 28448-2012), with appropriate adjustments made to suit the characteristics of industrial control systems, making it more applicable to the current state of industrial control system evaluations.

2. Scope of the Industrial Control Evaluation Requirements Standard

The industrial control evaluation requirements specify how the security level protection status of industrial control systems is to be tested and assessed. They cover unit evaluation requirements for Level 1 through Level 4 industrial control systems and the overall evaluation requirements; the specific unit evaluation content for Level 5 systems is omitted.

The industrial control evaluation requirements apply to information security evaluation service institutions, to the competent departments of industrial control systems and to the units that operate and use them, when testing and assessing security level protection status. Information security regulators may also refer to them when carrying out supervision and inspection of level protection in accordance with the law.

3. Main Contents of the Industrial Control Evaluation Requirements

The industrial control evaluation requirements are drafted according to the rules of GB/T 1.1-2009. The document comprises scope, normative references, terms and definitions, overview, overall evaluation requirements, and unit evaluations for Level 1 through Level 4 industrial control systems.

The overview includes two aspects: 1. Evaluation description framework; 2. Evaluation usage methods.

The overall evaluation requirements include two aspects: 1. Technical evaluation of overall requirements; 2. Management evaluation of overall requirements.

The unit evaluations for the first, second, third, and fourth levels of industrial control systems include two aspects: 1. Security technical unit evaluations; 2. Security management unit evaluations.

4. Connection with the Series of Network Security Level Protection Standards

1. Continuation of Positioning in the National Standard Level Protection Standard System

In the existing national standard level protection series standards, the classification guidelines are foundational, implementation guidelines and design requirements are methodological guidance, basic requirements are baseline requirements, and evaluation requirements are status analysis, as shown in Figure 1. The “Network Security Level Protection Evaluation Requirements” is an analysis of the status of already classified level protection objects, which may include information systems, the Internet of Things, big data, mobile interconnected systems, industrial control systems, etc. The evaluation requirements for industrial control systems are based on maintaining consistency with the framework structure of the “Network Security Level Protection Evaluation Requirements” while testing and evaluating the corresponding extended security control measures of industrial control systems in the form of evaluation units. Evaluation units consist of evaluation indicators, evaluation objects, evaluation implementation, and unit determinations.

Figure 1 Relationship of Existing National Standard Level Protection Series Standards

2. Consistency with General Evaluation Requirements Evaluation Framework

The conceptual description framework of network security level protection evaluation consists of two parts: unit evaluation and overall evaluation, with the level evaluation framework shown in Figure 2.

Figure 2 General Evaluation Requirements Level Evaluation Framework

The conceptual description framework of industrial control system level protection evaluation is essentially the same as the general level evaluation framework, with two differences. First, the evaluation indicators for industrial control systems take the requirements of GB/T 22239.1-20XX and refer to GB/T 22239.5-20XX. Second, the evaluation units for industrial control systems include “one-vote veto” units: if the determination result of any single such unit is non-compliant, the remaining unit evaluations need not be carried out and the overall evaluation conclusion is non-compliant. Whether a requirement becomes a “one-vote veto” unit depends on whether it is backed by a mandatory prohibitive clause in national or industry policy.

Figure 3 Industrial Control System Level Evaluation Framework

3. Consistency with the Document Structure of the Level Protection Series Standards

In the national standard level protection series, the document structures of the basic requirements, the evaluation requirements and the design requirements are closely related; Figure 4 shows the basic requirements document structure and Figure 5 the industrial control evaluation requirements document structure. The unit evaluations in the industrial control evaluation requirements fall into two major categories: security management evaluations and security technical evaluations. Security management evaluations are divided into four security aspects: security policies and management systems, security management organizations and personnel, security construction management, and security operation management. Security technical evaluations are divided into four security aspects: physical and environmental, network and communication, equipment and computing, and application and data. Each security aspect is subdivided into requirement-item evaluations, and an evaluation unit is proposed for each requirement item. Overall evaluations comprise evaluations of individual security control points, evaluations between security control points, and evaluations between security aspects.

Figure 4 Basic Requirements Document Structure

Figure 5 Industrial Control Evaluation Requirements Document Structure

4. Design Control and Evaluation Measures Based on Basic Requirement Description Model

Article 76 of the “Cybersecurity Law,” in force since June 1, 2017, defines the key terms: “A network refers to a system composed of computers or other information terminals and related devices that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. Network security refers to the ability, by taking necessary measures to prevent attacks, intrusions, interference, destruction and unlawful use of the network as well as accidents, to keep the network in a state of stable and reliable operation, and to guarantee the integrity, confidentiality and availability of network data.” Level protection has moved from version 1.0 to version 2.0, and level protection objects now fall roughly into three forms: the information system form, the network infrastructure form, and new application forms such as cloud computing, the Internet of Things, big data and mobile Internet. Industrial control systems, as level protection objects, are a special subclass of information systems: they have information and computing capability, networks and devices. Achieving the network security goals for an industrial control system likewise requires taking the necessary measures against attacks, intrusions, interference, destruction, unlawful use and accidents, so as to keep the system operating stably and reliably and to guarantee the integrity, confidentiality and availability of its data. Identifying the baseline measures and evaluating their effectiveness are central concerns of the industrial control evaluation requirements. To determine the baseline measures, the main threats faced by industrial control systems must be considered; Table 1 lists them.

Table 1 Main Threats to Industrial Control Systems (No. / Security threat / Description)

1. Hacker intrusion: Organized hacker groups maliciously attack industrial control systems, stealing data and disrupting their normal operation.

2. Bypassing control: Unauthorized persons send illegitimate control commands, causing system accidents or even system collapse.

3. Integrity damage: Unauthorized modification of industrial control system configurations, programs or control commands; unauthorized modification of sensitive data in power market transactions.

4. Unauthorized operation: Operations that exceed the scope of the user’s authorization.

5. Unintentional or intentional actions: Unintentional or deliberate leakage of sensitive information such as passwords, or careless configuration of access control rules.

6. Interception and tampering: Interception of, or tampering with, sensitive data such as control commands and parameter settings transmitted over the network.

7. Unauthorized users: Unauthorized users gaining access to computer or network resources.

8. Information leakage: Leakage of sensitive information such as passwords and certificates.

9. Network spoofing: Web service spoofing attacks; IP spoofing attacks.

10. Identity spoofing: Intruders impersonating legitimate identities to access industrial control systems.

11. Denial of service: Flooding industrial networks or communication gateways with large volumes of traffic, paralysing the network or system.

12. Eavesdropping: Attackers tapping industrial networks or dedicated channels to capture sensitive information transmitted in plaintext, in preparation for subsequent attacks.

From the perspective of basic requirements, it is necessary to consider the baseline capabilities that each level of the system must possess in terms of management and technology. The technical and management characteristics and coverage of the security protection capabilities required for each level of information systems can be illustrated in Figures 6, 7, and 8.

Figure 6 Characteristics of Basic Requirements Technical Requirements

Figure 7 Characteristics of Basic Requirements Management Requirements

Figure 8 Characteristics of Basic Requirements Coverage

The evaluation indicators in the industrial control evaluation requirements differ slightly from those for ordinary information systems. First, management follows the “highest level” principle: when one operating unit has industrial control systems at several levels, the security management measures of the highest level apply to all of them. Second, on the technical side, industrial control systems at every level must implement security protection according to the overall requirements. The technical requirement characteristics of the industrial control evaluation indicators are shown in Figure 9.
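The two determination rules that distinguish industrial control evaluation from the general framework, the “one-vote veto” unit introduced in the discussion of Figure 3 and the “highest level” principle for management indicators above, are small enough to state as code. The following is an added illustration written for this page, not code from the standard or its drafting team: the indicator identifiers (U-01, L2-T-01 and so on), the two-level indicator catalogue and the per-unit `veto` flag are constructed assumptions, and the treatment of non-veto failures (carried forward into the overall evaluation) is likewise an assumption about how the results are consumed.

```python
"""Evaluation-unit determination helpers: an added illustration, not text or
code from the standard or its drafting team. Indicator identifiers, the
level catalogue and the per-unit 'veto' flag are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class UnitResult:
    indicator: str        # evaluation indicator identifier (constructed)
    compliant: bool       # unit determination result
    veto: bool = False    # "one-vote veto" unit backed by a prohibitive clause


def run_unit_evaluations(results):
    """Walk unit determinations in order. A non-compliant veto unit halts
    the sequence: remaining units are not evaluated and the overall
    conclusion is non-compliant. Other non-compliant units are collected
    and carried into the overall evaluation (assumed handling)."""
    evaluated, failed = [], []
    for r in results:
        evaluated.append(r.indicator)
        if r.compliant:
            continue
        failed.append(r.indicator)
        if r.veto:
            return {"conclusion": "non-compliant", "halted_by": r.indicator,
                    "evaluated": evaluated, "non_compliant": failed}
    conclusion = "all units compliant" if not failed else "proceed to overall evaluation"
    return {"conclusion": conclusion, "halted_by": None,
            "evaluated": evaluated, "non_compliant": failed}


# Constructed indicator catalogue keyed by protection level (not the real one).
CATALOGUE = {
    2: {"technical": ["L2-T-01", "L2-T-02"], "management": ["L2-M-01"]},
    3: {"technical": ["L3-T-01", "L3-T-02", "L3-T-03"],
        "management": ["L3-M-01", "L3-M-02"]},
}


def applicable_indicators(systems, catalogue):
    """Highest-level principle: technical indicators follow each system's
    own level, management indicators follow the highest level present in
    the unit and apply to every system. `systems` maps name -> level."""
    top = max(systems.values())
    return {name: {"technical": catalogue[level]["technical"],
                   "management": catalogue[top]["management"]}
            for name, level in systems.items()}


if __name__ == "__main__":
    demo = [UnitResult("U-01", True),
            UnitResult("U-02", False, veto=True),   # veto unit fails: stop here
            UnitResult("U-03", False)]              # never evaluated
    print(run_unit_evaluations(demo))
    print(applicable_indicators({"SCADA": 3, "DCS-A": 2}, CATALOGUE))
```

Note that `run_unit_evaluations` records which units were actually evaluated before the halt; an evaluator’s report needs that list, because a later re-evaluation after the prohibited condition is removed starts from the units that were never reached.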

Figure 9 Technical Requirements Characteristics of Evaluation Indicators for Industrial Control System Evaluation Requirements

5. Key Points of Extended Evaluation Indicators

The extended evaluation indicators were compiled by analysing the data flows associated with the main threats at each level of industrial control system and then selecting security control measures according to the basic requirements description model.

For the document structure of the evaluation indicators we compared the two approaches in Figures 10 and 11, and after thorough research and discussion chose Figure 11, for three reasons. First, Figure 11 stays consistent with the document structure of the basic requirements. Second, it describes the security control measures from the viewpoint of a layered security architecture, which makes it clearer how the protection capability required at each level is built up (for example, Level 4 covers policy, protection, detection, recovery and response). Third, from an operational standpoint it is hard for operating units, evaluation institutions and inspection bodies to decide unambiguously which layer a given evaluation object in an existing industrial control system belongs to (excitation devices and relay protection devices, for example, are difficult to classify), and a PLC contains both field and control components, so the control measures a user can apply protect the whole device and an evaluation institution can only evaluate the whole device.

Figure 10 Evaluation Requirements Evaluation Indicators Compilation Description Idea 1

Figure 11 Evaluation Requirements Evaluation Indicators Compilation Description Idea 2

Examples of evaluation indicators are as follows:

Overall Requirements – Technical Evaluation Indicator Example: (L0-OS5-01) The industrial control system and the enterprise management system should in principle be divided into two zones, with effective isolation measures between them; common network services such as E-Mail, Web, Telnet, Rlogin and FTP should be prohibited from crossing the zone boundary.

Overall Requirements – Management Evaluation Indicator Example: (L0-OS5-07) When industrial control systems of several levels exist within one unit, the general management requirements should be applied uniformly at the highest level present to all of the industrial control systems.

Graded Requirements – Technical Evaluation Indicator Example: (L3-MMS5-03) Before the malicious code library, Trojan library and rule library are updated, the update should first be tested in a test environment. In isolated zones, malicious code library updates should be performed by designated personnel, carried out offline, and the update records retained.

Graded Requirements – Management Evaluation Indicator Example: (L3-CMS5-02) The important software and hardware systems, devices and dedicated information security products of an industrial control system should be built from secure and trustworthy products and services.
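An evaluator verifying indicator L0-OS5-01 needs more than a look at the zone diagram: the question is whether the listed services actually cross the boundary. The following is an added example written for this page, not code from the standard or its drafting team. It takes boundary flow records (constructed here; in practice exported from the boundary device or a span port), classifies each endpoint into the industrial control zone or the enterprise zone, and flags crossing flows that carry one of the services the indicator prohibits. The zone address ranges, the port-to-service mapping and the sample flows are all assumptions of the example.

```python
"""Boundary-service check for indicator L0-OS5-01: an added illustration,
not code from the standard or its drafting team. Zone address ranges, the
port-to-service mapping and the sample flow records are constructed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Services that L0-OS5-01 names as prohibited across the zone boundary.
# Identifying them by well-known port is an assumption of this check; a real
# evaluation also reads the boundary device policy and its rule-hit logs,
# since a service on a non-standard port would not be caught here.
PROHIBITED_SERVICES = {
    ("tcp", 25): "E-Mail (SMTP)", ("tcp", 110): "E-Mail (POP3)",
    ("tcp", 143): "E-Mail (IMAP)",
    ("tcp", 80): "Web (HTTP)", ("tcp", 443): "Web (HTTPS)",
    ("tcp", 23): "Telnet", ("tcp", 513): "Rlogin",
    ("tcp", 21): "FTP (control)", ("tcp", 20): "FTP (data)",
}

ZONES = {  # constructed addressing for the two zones
    "ics": ipaddress.ip_network("10.10.0.0/16"),
    "enterprise": ipaddress.ip_network("10.20.0.0/16"),
}


def zone_of(addr, zones):
    """Name of the zone containing addr, or None if it is in neither."""
    ip = ipaddress.ip_address(addr)
    for name, net in zones.items():
        if ip in net:
            return name
    return None


def crosses_boundary(flow, zones):
    """True only when both endpoints are zoned and in different zones."""
    a, b = zone_of(flow.src, zones), zone_of(flow.dst, zones)
    return a is not None and b is not None and a != b


def check_boundary_flows(flows, zones):
    """Return (crossing, violations): flows that pass between the two zones,
    and those among them that carry a prohibited service as (flow, service)."""
    crossing, violations = [], []
    for f in flows:
        if not crosses_boundary(f, zones):
            continue
        crossing.append(f)
        svc = PROHIBITED_SERVICES.get((f.proto.lower(), f.dport))
        if svc:
            violations.append((f, svc))
    return crossing, violations


# Constructed flow records standing in for an export from the boundary device.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.1.20", "tcp", 502),    # Modbus inside the ICS zone
    Flow("10.20.3.7", "10.10.1.20", "tcp", 23),     # Telnet into the ICS zone
    Flow("10.10.1.20", "10.20.3.9", "tcp", 25),     # SMTP out of the ICS zone
    Flow("10.20.3.7", "10.10.1.30", "tcp", 80),     # HTTP into the ICS zone
    Flow("10.10.2.2", "10.20.5.5", "tcp", 10000),   # crossing, but not a listed service
    Flow("10.20.3.7", "192.0.2.10", "tcp", 443),    # enterprise to Internet, not this boundary
]

if __name__ == "__main__":
    crossing, violations = check_boundary_flows(SAMPLE_FLOWS, ZONES)
    print(f"{len(crossing)} boundary-crossing flows, {len(violations)} prohibited")
    for f, svc in violations:
        print(f"VIOLATION {svc}: {f.src} -> {f.dst}:{f.dport}")
```

The crossing flows that are not flagged (port 10000 in the sample) are still worth listing in the evaluation record: the indicator prohibits the named services, but every other flow across the boundary should be matched against the isolation device’s explicit allow rules.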

Author: Industrial Control System Evaluation Requirements Drafting Team

Security Evaluation Alliance
