Guidelines for Cybersecurity Protection of Industrial Control Systems

Notice from the Ministry of Industry and Information Technology on Issuing the Guidelines for Cybersecurity Protection of Industrial Control Systems

MIIT Cybersecurity [2024] No. 14

To the industrial and information authorities of all provinces, autonomous regions, municipalities directly under the central government, and Xinjiang Production and Construction Corps, as well as relevant enterprises and institutions:

We hereby issue the “Guidelines for Cybersecurity Protection of Industrial Control Systems”. Please implement them seriously.

Ministry of Industry and Information Technology

January 19, 2024

Guidelines for Cybersecurity Protection of Industrial Control Systems

(Issued by the Ministry of Industry and Information Technology on January 19, 2024, MIIT Cybersecurity [2024] No. 14)

Table of Contents

1. Security Management
2. Technical Protection
3. Security Operations
4. Responsibility Implementation

Guidelines for Cybersecurity Protection of Industrial Control Systems

Industrial control systems are the core foundation of industrial production operations. These Guidelines are formulated to respond to the new situation facing industrial control system cybersecurity (hereinafter "ICS security"), to further guide enterprises in raising their level of ICS security protection, and to lay a solid security foundation for the development of new industrialization.
These Guidelines apply to enterprises that use and operate industrial control systems. The protection objects are the industrial control systems themselves, together with any other devices and systems that, if subjected to a cyber attack, could directly or indirectly affect production operations.

1. Security Management

(1) Asset Management

1. Conduct a comprehensive inventory of typical industrial control systems such as Programmable Logic Controllers (PLC), Distributed Control Systems (DCS), and Supervisory Control and Data Acquisition (SCADA) systems, as well as related assets, software, and data. Clearly define the responsible departments and individuals for asset management, establish an asset list for industrial control systems, and update it promptly based on changes in asset status. Regularly conduct asset verification for industrial control systems, including but not limited to system configuration, permission allocation, log auditing, virus scanning, data backup, and equipment operational status.

2. Based on the importance of the business carried, its scale, and the potential harm of a cybersecurity incident, establish a list of critical industrial control systems, update it regularly, and give those systems focused protection. Key industrial hosts, network devices, control devices, etc. that critical industrial control systems depend on should be deployed with redundancy.

(2) Configuration Management

3. Strengthen account and password management: do not use default or weak passwords, and change passwords regularly. Follow the principle of least privilege when assigning account permissions, disable default system accounts and administrator accounts that are not needed, and promptly remove expired accounts.

4. Establish a security configuration baseline for industrial control systems and a policy configuration baseline for security protection devices. Audit both baselines regularly and adjust them as protection needs change. Major configuration changes must pass strict security testing before they are put into effect.

(3) Supply Chain Security

5. Agreements with suppliers such as industrial control system manufacturers, cloud service providers, and security service providers should clearly define the security-related responsibilities and obligations of all parties, including management scope, responsibilities, access authorization, privacy protection, code of conduct, and liability for breach of contract.

6. When using PLCs and other devices that appear in the catalogue of critical network equipment, ensure that the devices have passed security certification by a qualified institution or have met the applicable security testing requirements.

(4) Promotion and Education

7. Regularly conduct education and promotion on laws, regulations, and policy standards related to cybersecurity for industrial control systems to enhance the cybersecurity awareness of enterprise personnel. For personnel involved in the operation and maintenance of industrial control systems and networks, regularly conduct professional skill training and assessments on ICS security.

2. Technical Protection

(1) Host and Terminal Security

8. Deploy antivirus software on engineer stations, operator stations, industrial database servers, etc., regularly update virus definitions, and conduct scanning to prevent the spread of ransomware and other malware. For storage media, conduct virus and trojan scanning before connecting to industrial hosts.

9. Industrial hosts may adopt application whitelisting, allowing only applications that the enterprise has authorized and assessed for security to be installed and run, and should upgrade operating systems, databases and other system software, as well as important application software, in a planned manner.
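The whitelisting called for in item 9 is, in practice, a list of approved executables keyed by cryptographic hash, so that a renamed or silently patched binary is rejected even when its file name is on the list. The script below is an added example, not part of the MIIT guidelines: it builds a constructed host directory in a temporary folder (an approved HMI runtime, a historian agent that was modified after approval, and a stray tool copied in from removable media) and classifies each file against a SHA-256 allowlist. File names, contents and the allowlist are all constructed.

```python
"""Hash-based application allowlisting check for an industrial host (item 9).

Added example; the directory, its files and the allowlist are constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_host(bin_dir: Path, allowlist: dict) -> dict:
    """Classify every file in bin_dir.

    allowed  - name on the list and hash matches the approved build
    tampered - name on the list but hash differs (patched, trojaned, or a different version)
    unknown  - name not on the list at all (should be blocked from executing)
    """
    result = {"allowed": [], "tampered": [], "unknown": []}
    for path in sorted(bin_dir.iterdir()):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if path.name not in allowlist:
            result["unknown"].append(path.name)
        elif allowlist[path.name] == digest:
            result["allowed"].append(path.name)
        else:
            result["tampered"].append(path.name)
    return result


def build_demo():
    """Constructed host: two approved programs (one modified after approval) and one stray binary."""
    root = Path(tempfile.mkdtemp(prefix="ics-allowlist-"))
    approved = {
        "hmi_runtime.exe": b"HMI runtime build 4.2\n",
        "historian_agent.exe": b"historian agent 1.9\n",
    }
    # The allowlist records the hash of each build the enterprise assessed and authorized.
    allowlist = {name: hashlib.sha256(data).hexdigest() for name, data in approved.items()}
    # Deployed unchanged.
    (root / "hmi_runtime.exe").write_bytes(approved["hmi_runtime.exe"])
    # Replaced on the station by a "hotfix" that nobody assessed: same name, different hash.
    (root / "historian_agent.exe").write_bytes(approved["historian_agent.exe"] + b"// unauthorized hotfix\n")
    # Copied onto the station from a USB stick; not on the list at all.
    (root / "scan_tool.exe").write_bytes(b"not on the list\n")
    return root, allowlist


if __name__ == "__main__":
    demo_root, demo_allowlist = build_demo()
    for category, names in check_host(demo_root, demo_allowlist).items():
        print(f"{category:9s}: {', '.join(names) or '-'}")
```

A host-based whitelisting agent enforces the same comparison at execution time rather than on a scan; the point the example makes is that the decision must key on the hash, not the path or name, otherwise the "tampered" case would pass as "allowed".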

10. Remove or disable unnecessary external device interfaces such as USB ports, optical drives, and wireless interfaces on industrial hosts, and close unnecessary network service ports. If external devices must be used, implement strict access control.

11. Implement user identity verification for accessing industrial hosts, industrial intelligent terminal devices (control devices, smart instruments, etc.), and network devices (industrial switches, industrial routers, etc.), and use two-factor authentication for access to critical hosts or terminals.

(2) Architecture and Boundary Security

12. Based on the characteristics of the business carried, the business scale, and the importance of its impact on industrial production, divide industrial control networks built on industrial Ethernet, industrial wireless networks, etc. into zones and domains, and deploy industrial firewalls and gateways to achieve lateral isolation between domains. Where the industrial control network connects to the enterprise management network or the Internet, implement vertical protection between the networks and audit cross-network behaviour. Devices connecting to the industrial control network should be authenticated.

13. When building networks with wireless technologies such as 5G and Wi-Fi, establish strict network access control policies, authenticate the identity of wireless access devices, audit wireless access points regularly, and disable SSID broadcast to prevent unauthorized devices from connecting.

14. Strictly control remote access. Do not expose unnecessary high-risk common network services of industrial control systems (such as HTTP, FTP, Telnet and RDP) to the Internet. For network services that are genuinely necessary, use technologies such as secure access proxies to authenticate users and authorize applications. For remote maintenance, establish secure channels (for example VPNs) with secure network protocols such as IPsec or SSL/TLS, strictly limit the access scope and the authorization period, and retain and audit the logs.
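Items 12 and 14 translate into firewall policy that can be audited mechanically: an allow rule whose source is Internet-reachable and whose destination is the ICS zone must not carry the named high-risk services, must terminate on an authenticating access proxy, and, if it is a maintenance grant, must be scoped and time-limited. The script below is an added example and not part of the MIIT guidelines. The rule format, the zone addressing (10.10.0.0/16 as the ICS zone, 10.20.0.0/16 as the management network) and SAMPLE_POLICY are constructed; a real audit would export the rules from the boundary firewall and the zones from the asset list of item 1.

```python
"""Audit an ICS boundary firewall policy against items 12 and 14.

Added example; the Rule format, zone map and SAMPLE_POLICY are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Services item 14 names as high-risk when reachable from the Internet.
HIGH_RISK_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 3389: "RDP"}

# Constructed zone map; in practice derived from the asset inventory.
ZONES = {
    "ics": [ipaddress.ip_network("10.10.0.0/16")],
    "mgmt": [ipaddress.ip_network("10.20.0.0/16")],
}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    src: str                   # source CIDR
    dst: str                   # destination CIDR
    dports: list               # TCP destination ports
    action: str                # "allow" or "deny"
    maintenance: bool = False  # remote-maintenance grant (item 14), not a permanent integration
    proxied: bool = False      # traffic terminates on an authenticating access proxy
    window_hours: int = 0      # authorization period; 0 means open-ended


def zone_of(cidr: str) -> str:
    """Map a CIDR to a zone; anything outside RFC 1918 (including 0.0.0.0/0) is 'internet'."""
    net = ipaddress.ip_network(cidr)
    for zone, nets in ZONES.items():
        if any(net.subnet_of(n) for n in nets):
            return zone
    if not any(net.subnet_of(p) for p in RFC1918):
        return "internet"
    return "other-internal"


def audit(rules):
    """Return (rule name, severity, message) for each allow rule into the ICS zone that violates item 14."""
    findings = []
    for r in rules:
        if r.action != "allow" or zone_of(r.dst) != "ics":
            continue
        src_zone = zone_of(r.src)
        if src_zone == "ics":
            continue  # intra-zone traffic falls under item 12's domain isolation, not remote access
        if src_zone == "internet":
            exposed = [HIGH_RISK_PORTS[p] for p in sorted(r.dports) if p in HIGH_RISK_PORTS]
            if exposed:
                findings.append((r.name, "HIGH", f"{', '.join(exposed)} reachable from the Internet"))
            if not r.proxied:
                findings.append((r.name, "HIGH", "Internet-reachable service not behind an authenticating access proxy"))
        if r.maintenance:
            if r.window_hours == 0:
                findings.append((r.name, "MEDIUM", "remote maintenance grant has no authorization time limit"))
            if ipaddress.ip_network(r.src).prefixlen == 0:
                findings.append((r.name, "MEDIUM", "remote maintenance source not restricted (0.0.0.0/0)"))
    return findings


# Constructed sample policy.
SAMPLE_POLICY = [
    # Vendor maintenance via access proxy, fixed source range, 8-hour window: compliant.
    Rule("vendor-vpn", "203.0.113.0/24", "10.10.5.0/24", [443], "allow",
         maintenance=True, proxied=True, window_hours=8),
    # Legacy HMI web/Telnet left open to the whole Internet with no limits: the case item 14 prohibits.
    Rule("legacy-hmi-web", "0.0.0.0/0", "10.10.1.20/32", [80, 23], "allow", maintenance=True),
    # MES to PLC Modbus/TCP from the management network: permanent integration, internal source.
    Rule("mes-to-plc", "10.20.3.0/24", "10.10.2.0/24", [502], "allow"),
    Rule("deny-all", "0.0.0.0/0", "10.10.0.0/16", [], "deny"),
]

if __name__ == "__main__":
    for name, severity, message in audit(SAMPLE_POLICY):
        print(f"[{severity}] {name}: {message}")
```

Only `legacy-hmi-web` produces findings; `mes-to-plc` passes here because its source is internal, but the audit deliberately does not judge whether Modbus/TCP across the management/ICS boundary is acceptable, which is a zoning decision under item 12 rather than a remote-access question.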

15. Cryptographic protocols and algorithms used in industrial control systems must comply with the relevant laws and regulations; give priority to commercial cryptography for encrypting network communications, authenticating device identities, and protecting data in transit.

(3) Cloud Security

16. When self-building an industrial cloud platform, utilize user identity verification, access control, secure communication, and intrusion prevention technologies to ensure security protection, effectively preventing unauthorized operations and cyber attacks.

17. When industrial devices are connected to the cloud, manage the identities of cloud-connected devices strictly. Devices connecting to an industrial cloud platform should use mutual (two-way) authentication, and devices without a registered identity must not be allowed onto the platform. When business systems are migrated to the cloud, ensure that the operating environments of different business systems are securely isolated from one another.

(4) Application Security

18. When accessing application services such as Manufacturing Execution Systems (MES), configuration software, and industrial databases, implement user identity authentication. For accessing critical application services, use two-factor authentication and strictly limit access scope and authorization time.

19. Industrial control system-related software developed independently by industrial enterprises should undergo security testing conducted by the enterprise itself or commissioned third-party organizations, and should only be put into use after passing the tests.

(5) System Data Security

20. Regularly inventory the data generated by the operation of industrial control systems, classify and grade it according to actual business needs, identify important data and core data, and maintain a catalogue of them. Use encryption, access control, disaster recovery backups and other measures to protect data throughout collection, storage, use, processing, transmission, provision and disclosure.

21. Important and core data that have domestic storage requirements as per laws and administrative regulations should be stored domestically. If it is necessary to provide such data to overseas entities, conduct a security assessment for data export in accordance with laws and regulations.

3. Security Operations

(1) Monitoring and Early Warning

22. Deploy monitoring and auditing devices or platforms in the industrial control network to promptly detect and warn about system vulnerabilities, malware, cyber attacks, and intrusions without affecting system stability.
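The monitoring item 22 asks for has to be passive so that it cannot itself disturb the process, which in practice means decoding mirrored control-network traffic rather than probing devices. The script below is an added example and not part of the MIIT guidelines: it decodes the MBAP header and function code of captured Modbus/TCP requests and raises an alert when a write or a disruptive diagnostic command comes from any host other than the approved engineering workstation, or when a frame is malformed. The engineering workstation address, PLC address and captured frames are constructed; the function-code and sub-function numbers follow the Modbus application protocol specification.

```python
"""Passive Modbus/TCP write monitor for an ICS monitoring sensor (item 22).

Added example; the address plan and SAMPLE_CAPTURES are constructed.
"""
import struct

# Function codes from the Modbus application protocol specification.
READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Diagnostics (FC 8) sub-functions that disrupt a device rather than query it.
DIAG_SUBFUNCS = {1: "Restart Communications Option", 4: "Force Listen Only Mode"}


def parse_request(frame: bytes) -> dict:
    """Decode MBAP header and PDU of a Modbus/TCP request; ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc, pdu = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc}
    if fc in READ_FCS or fc in (15, 16):          # start address, quantity
        if len(pdu) < 4:
            raise ValueError("short PDU")
        req["addr"], req["qty"] = struct.unpack(">HH", pdu[:4])
    elif fc in (5, 6):                            # address, value
        if len(pdu) < 4:
            raise ValueError("short PDU")
        req["addr"], req["value"] = struct.unpack(">HH", pdu[:4])
    elif fc == 8:                                 # sub-function, data
        if len(pdu) < 2:
            raise ValueError("short PDU")
        req["subfunc"] = struct.unpack(">H", pdu[:2])[0]
    return req


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used here only to construct sample captures)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def detect(captures, allowed_writers):
    """captures: iterable of (src_ip, dst_ip, frame). Returns (src_ip, alert type, detail) tuples."""
    alerts = []
    for src, dst, frame in captures:
        try:
            req = parse_request(frame)
        except ValueError as err:
            alerts.append((src, "MALFORMED", f"{err} toward {dst}"))
            continue
        fc = req["fc"]
        if fc in WRITE_FCS and src not in allowed_writers:
            alerts.append((src, "UNAUTHORIZED_WRITE",
                           f"{WRITE_FCS[fc]} unit {req['unit']} addr {req['addr']} on {dst}"))
        elif fc == 8 and req.get("subfunc") in DIAG_SUBFUNCS:
            alerts.append((src, "DIAGNOSTIC", f"{DIAG_SUBFUNCS[req['subfunc']]} on {dst}"))
    return alerts


# Constructed address plan and captures.
ENGINEERING_WS = {"10.10.9.10"}
PLC = "10.10.2.21"
SAMPLE_CAPTURES = [
    ("10.10.9.50", PLC, build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),     # HMI polling: benign
    ("10.10.9.10", PLC, build_frame(2, 1, 6, struct.pack(">HH", 40, 1200))),  # EWS setpoint write: approved
    ("10.10.9.50", PLC, build_frame(3, 1, 6, struct.pack(">HH", 40, 9999))),  # HMI host writing: alert
    ("10.20.3.7", PLC, build_frame(4, 1, 8, struct.pack(">HH", 4, 0))),       # Force Listen Only: alert
    ("10.20.3.7", PLC, b"\x00\x05\x00\x00\x00\x02\x01"),                      # truncated frame: alert
]

if __name__ == "__main__":
    for src, kind, detail in detect(SAMPLE_CAPTURES, ENGINEERING_WS):
        print(f"{kind:18s} {src:12s} {detail}")
```

Because the sensor only parses copies of frames, a false positive costs an analyst some time but never a write to the PLC; the allow-list of writers would come from the asset list and the domain plan of items 1 and 12.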

23. At the boundary between the industrial control network and the enterprise management network or the Internet, utilize threat capture technologies such as honeypots for industrial control systems to capture network attack behaviors and enhance proactive defense capabilities.

(2) Operation Center

24. Enterprises with conditions can establish a cybersecurity operation center for industrial control systems, utilizing technologies such as Security Orchestration, Automation, and Response (SOAR) to achieve unified management and policy configuration of security devices, comprehensively monitor network security threats, and enhance centralized risk inspection and rapid incident response capabilities.

(3) Emergency Response

25. Develop emergency plans for ICS security incidents, clarify reporting and handling processes, and conduct assessments and revisions as needed. Regularly conduct emergency drills. In the event of an ICS security incident, promptly activate the emergency plan, take urgent measures, and handle the security incident in a timely and prudent manner.

26. Retain access and operation logs for important devices, platforms, and systems for no less than six months, and regularly back up logs to facilitate post-incident tracing and evidence collection.

27. Regularly conduct backups and recovery tests for important system applications and data to ensure that the industrial control system can resume normal operations within an acceptable time frame during emergencies.

(4) Security Assessment

28. Before the launch of new or upgraded industrial control systems and before connecting industrial control networks to the enterprise management network or the Internet, conduct security risk assessments.

29. For important industrial control systems, enterprises should conduct assessments of their ICS security protection capabilities at least once a year, either independently or by commissioning third-party professional organizations.

(5) Vulnerability Management

30. Closely monitor major ICS security vulnerabilities and their patch releases shared on platforms such as the Ministry of Industry and Information Technology’s cybersecurity threat and vulnerability information sharing platform, and promptly take upgrade measures. If upgrades cannot be performed in the short term, implement targeted security hardening measures.

31. Regularly scan important industrial control systems for vulnerabilities. When a significant vulnerability is found, verify the patch or hardening measure before applying it, and only then carry out the patch upgrade or hardening.

4. Responsibility Implementation

32. Industrial enterprises bear primary responsibility for their own ICS security. They should establish ICS security management systems, designate the responsible persons and departments, and implement ICS security protection responsibilities according to the principle of "whoever operates is responsible, whoever is in charge is responsible".

33. Strengthen resource assurance within the enterprise so that security protection measures are planned, built and put into operation in step with the industrial control systems themselves.