Guidelines for Cybersecurity Protection of Industrial Control Systems
(Ministry of Industry and Information Technology Cybersecurity [2024] No. 14)
Industrial control systems are the core foundation of industrial production operations. To respond to the current cybersecurity situation facing industrial control systems (hereinafter referred to as ICS security), and to further guide enterprises in raising their level of ICS security protection, this guideline has been formulated to consolidate the security foundation for the development of new industrialization.
This guideline is applicable to enterprises that use and operate industrial control systems, with protection targets including industrial control systems and other devices and systems that may directly or indirectly affect production operations after being subjected to cyber attacks.
I. Security Management
(1) Asset Management
1. Conduct a comprehensive inventory of typical industrial control systems such as Programmable Logic Controllers (PLCs), Distributed Control Systems (DCS), and Supervisory Control and Data Acquisition (SCADA) systems, as well as related equipment, software, and data. Clearly define the responsible departments and individuals for asset management, establish an asset list for industrial control systems, and update it promptly based on changes in asset status. Regularly conduct asset verification for industrial control systems, including but not limited to system configuration, permission allocation, log auditing, virus scanning, data backup, and equipment operational status.
2. Based on the importance of the business supported, its scale, and the potential harm of a cybersecurity incident, establish a list of critical industrial control systems, update it regularly, and give those systems focused protection. Key industrial hosts, network devices, and control devices associated with critical industrial control systems should be deployed with redundancy and backups.
(2) Configuration Management
3. Strengthen account and password management, avoid using default or weak passwords, and update passwords regularly. Follow the principle of least privilege, set account permissions reasonably, disable unnecessary system default accounts and administrator accounts, and promptly clean up expired accounts.
4. Establish a security configuration checklist for industrial control systems and a policy configuration checklist for security protection devices. Regularly conduct audits of the configuration checklists, adjust configurations promptly based on changes in security protection needs, and conduct strict security testing before implementing major configuration changes, which can only be executed after passing the tests.
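The following is an added worked example, not part of the guideline and not any vendor's tool, showing what the checks in items 3 and 4 look like when automated: a password policy applied when credentials are set, an audit of enabled vendor-default and stale accounts, and a comparison of listening services against a per-role baseline. The host records, role baselines, thresholds and weak-password list are constructed for illustration, and the field names are assumptions rather than any real inventory format.

```python
"""Configuration checklist audit for ICS hosts and controllers.

Added worked example; it is not part of the guideline and not any vendor's
tool. It implements the checks items 3 and 4 describe: vendor-default and
weak passwords, stale and surplus privileged accounts, and drift from a
per-role service baseline. Every host record, the role baselines and the
weak-password list are constructed for illustration; field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

TODAY = date(2024, 6, 1)            # fixed clock so the run is deterministic
MAX_PASSWORD_AGE_DAYS = 90          # assumed rotation policy
STALE_ACCOUNT_DAYS = 180            # assumed: no login this long counts as expired
MAX_ENABLED_ADMINS = 2              # assumed least-privilege ceiling per host

# Assumed per-role baseline: TCP ports that may listen on a host of that role.
BASELINE_SERVICES = {
    "engineer_station": {3389},     # RDP, reachable only from the OT jump host
    "plc": {102, 502},              # S7comm and Modbus/TCP
    "historian": {1433},            # SQL Server listener
}
# Constructed denylist of vendor-default and trivially weak passwords.
WEAK_PASSWORDS = {"", "admin", "password", "123456", "1234", "plc"}


@dataclass
class Account:
    name: str
    enabled: bool
    is_vendor_default: bool         # shipped by the vendor (Administrator, guest, ...)
    password_age_days: int
    last_login: Optional[date]
    roles: Set[str] = field(default_factory=set)


@dataclass
class Host:
    name: str
    role: str
    listening_ports: Set[int]
    accounts: List[Account]


def check_password(candidate: str) -> List[str]:
    """Policy applied when a password is set; returns the rules it violates."""
    problems = []
    if candidate.lower() in WEAK_PASSWORDS:
        problems.append("weak or vendor-default password")
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems


def audit_host(host: Host) -> List[Tuple[str, str]]:
    """Compare one host with the checklist; returns (severity, finding) pairs."""
    findings = []
    allowed = BASELINE_SERVICES.get(host.role)
    if allowed is None:
        findings.append(("high", f"{host.name}: role {host.role!r} has no baseline entry"))
    else:
        for port in sorted(host.listening_ports - allowed):
            findings.append(("medium", f"{host.name}: unexpected listener tcp/{port}"))
    enabled = [a for a in host.accounts if a.enabled]
    for a in enabled:
        if a.is_vendor_default and "admin" in a.roles:
            findings.append(("high", f"{host.name}: vendor admin account {a.name!r} still enabled"))
        if a.password_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(("medium", f"{host.name}: {a.name!r} password is {a.password_age_days} days old"))
        if a.last_login is None or (TODAY - a.last_login).days > STALE_ACCOUNT_DAYS:
            findings.append(("low", f"{host.name}: {a.name!r} unused for over {STALE_ACCOUNT_DAYS} days, clean up"))
    admins = [a for a in enabled if "admin" in a.roles]
    if len(admins) > MAX_ENABLED_ADMINS:
        findings.append(("medium", f"{host.name}: {len(admins)} enabled admin accounts, reduce to {MAX_ENABLED_ADMINS}"))
    return findings


def audit_all(hosts: List[Host]) -> List[Tuple[str, str]]:
    return [f for h in hosts for f in audit_host(h)]


# Constructed sample inventory (not real assets).
SAMPLE_HOSTS = [
    Host("ES-01", "engineer_station", {3389, 21}, [
        Account("Administrator", True, True, 400, date(2024, 5, 30), {"admin"}),
        Account("eng.li", True, False, 30, date(2024, 5, 31), {"engineer"}),
        Account("contractor", True, False, 20, date(2023, 9, 1), {"engineer"}),
    ]),
    Host("PLC-7", "plc", {102, 502}, [
        Account("plc_admin", True, True, 800, date(2024, 5, 1), {"admin"}),
    ]),
]

if __name__ == "__main__":
    for severity, finding in audit_all(SAMPLE_HOSTS):
        print(f"[{severity}] {finding}")
```

Run against the constructed inventory it reports the FTP listener on the engineering station, the two still-enabled vendor admin accounts with overdue passwords, and the contractor account nobody has used for months; the baseline dictionary is the "security configuration checklist" of item 4 in machine-readable form, and a change to it is exactly the kind of change that should go through testing before it is applied.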
(3) Supply Chain Security
5. Agreements with suppliers such as industrial control system manufacturers, cloud service providers, and security service providers should clearly define the security-related responsibilities and obligations of all parties, including management scope, division of responsibilities, access authorization, privacy protection, code of conduct, and liability for breach of contract.
6. When using PLCs and other devices listed in the catalogue of critical network equipment for industrial control systems, ensure that they have been certified by a qualified institution or have passed the required security testing.
(4) Awareness and Education
7. Regularly conduct education and training on relevant laws, regulations, and policy standards related to cybersecurity for industrial control systems to enhance the cybersecurity awareness of enterprise personnel. For personnel involved in the operation and maintenance of industrial control systems and networks, regularly conduct professional skills training and assessments in ICS security.
II. Technical Protection
(1) Host and Terminal Security
8. Deploy antivirus software on engineer stations, operator stations, and industrial database servers, regularly update virus definitions and conduct scans to prevent the spread of ransomware and other malicious software. For storage media, conduct virus and malware scans before connecting to industrial hosts.
9. Hosts may adopt application whitelisting technology, allowing only authorized and security-assessed application software to run, and plan for upgrades of operating systems, databases, and important application software.
10. Remove or seal unnecessary external device interfaces such as USB ports, optical drives, and wireless connections on industrial hosts, and close unnecessary network service ports. If external devices must be used, implement strict access controls.
11. Require user identity authentication for access to industrial hosts, industrial intelligent terminal devices (control devices, smart instruments, etc.), and network devices (industrial switches, industrial routers, etc.), with two-factor authentication for access to critical hosts or terminals.
(2) Architecture and Boundary Security
12. Based on the characteristics of the business being supported, business scale, and the importance of the impact on industrial production, implement zoned management for industrial control networks composed of industrial Ethernet and industrial wireless networks, deploying industrial firewalls and gateways to achieve lateral isolation between domains. When the industrial control network connects to the enterprise management network or the internet, implement vertical protection between networks and conduct security audits of inter-network behaviors. Identity authentication should be conducted when devices connect to the industrial control network.
13. When using wireless communication technologies such as 5G and Wi-Fi to form networks, establish strict network access control policies, implement identity authentication for wireless access devices, regularly audit wireless access points, and disable SSID broadcast to prevent unauthorized devices from joining.
14. Strictly control remote access, and do not expose unnecessary high-risk common network services of industrial control systems, such as HTTP, FTP, Telnet, and RDP, to the internet. For services that must be reachable, use secure access proxies and similar technologies to authenticate users and authorize applications. During remote maintenance, use secure network protocols (such as IPsec and TLS/SSL) to establish secure communication channels (e.g., VPNs), strictly limit the scope and duration of each authorization, and keep and audit the logs.
15. When using cryptographic protocols and algorithms in industrial control systems, ensure compliance with relevant laws and regulations, and give priority to commercial cryptography for secure network communication, device identity authentication, and secure data transmission.
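The following is an added worked example, not part of the guideline and not a firewall vendor's tool, showing how the two controls in item 14 can be checked mechanically: a review of the boundary rule table for high-risk services reachable from an untrusted zone into the control network, and a review of remote-maintenance authorizations for scope and time limits. The zone names, the rule table, the grants and the thresholds are constructed for illustration, and first-match rule evaluation is assumed.

```python
"""Boundary rule and remote-maintenance grant audit.

Added worked example; it is not part of the guideline and not a firewall
vendor's tool. It checks the two controls item 14 asks for: no high-risk
service (HTTP, FTP, Telnet, RDP) reachable from an untrusted zone into the
control network, and every remote-maintenance authorisation scoped to a
target, a source range and a short time window. Zone names, the rule table
and the grants are constructed; first-match rule evaluation is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HIGH_RISK_SERVICES = {21: "FTP", 23: "Telnet", 80: "HTTP", 3389: "RDP"}
UNTRUSTED_ZONES = {"internet", "enterprise"}   # enterprise IT is untrusted from the OT side (assumed)
OT_ZONE = "ot"
MAX_GRANT_HOURS = 8                              # assumed authorisation window
NOW = datetime(2024, 6, 1, 9, 0)                 # fixed clock so the run is deterministic


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]      # None means any port
    action: str                  # "allow" or "deny"


@dataclass
class Grant:
    user: str
    target_host: str
    starts: datetime
    ends: datetime
    source_cidr: str             # where the maintainer may connect from


def audit_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Flag direct exposure of the OT zone. Rules are matched first-hit, so an
    allow under a covering deny is dead and reported as checklist clutter."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        shadow = next((j for j, d in enumerate(rules[:i])
                       if d.action == "deny" and d.src_zone == r.src_zone
                       and d.dst_zone == r.dst_zone
                       and (d.dst_port is None or d.dst_port == r.dst_port)), None)
        if shadow is not None:
            findings.append(("low", f"rule {i}: shadowed by deny rule {shadow}, remove it"))
            continue
        if r.src_zone not in UNTRUSTED_ZONES or r.dst_zone != OT_ZONE:
            continue
        if r.dst_port is None:
            findings.append(("high", f"rule {i}: {r.src_zone}->{OT_ZONE} allows every port"))
        elif r.dst_port in HIGH_RISK_SERVICES:
            svc = HIGH_RISK_SERVICES[r.dst_port]
            findings.append(("high", f"rule {i}: {svc} (tcp/{r.dst_port}) exposed from {r.src_zone} to {OT_ZONE}"))
    return findings


def audit_grants(grants: List[Grant], now: datetime = NOW) -> List[Tuple[str, str]]:
    """Flag grants that outlive their window, are too long, or accept any source."""
    findings = []
    for g in grants:
        if g.ends <= now:
            findings.append(("medium", f"{g.user}: grant for {g.target_host} expired {g.ends:%Y-%m-%d} but is still configured"))
            continue
        if g.ends - g.starts > timedelta(hours=MAX_GRANT_HOURS):
            findings.append(("high", f"{g.user}: window {g.ends - g.starts} exceeds {MAX_GRANT_HOURS}h"))
        if g.source_cidr in ("0.0.0.0/0", "::/0"):
            findings.append(("high", f"{g.user}: grant accepts any source address"))
    return findings


# Constructed boundary rule table, top to bottom.
SAMPLE_RULES = [
    Rule("internet", OT_ZONE, 3389, "allow"),     # RDP straight from the internet
    Rule("internet", "dmz", 443, "allow"),        # HTTPS to the access proxy in the DMZ
    Rule("enterprise", OT_ZONE, 23, "deny"),
    Rule("enterprise", OT_ZONE, 23, "allow"),     # dead rule under the deny above
    Rule("enterprise", OT_ZONE, None, "allow"),   # blanket allow
    Rule("vpn", OT_ZONE, 3389, "allow"),          # RDP only after the VPN has authenticated the user
]

# Constructed remote-maintenance authorisations.
SAMPLE_GRANTS = [
    Grant("vendor.wang", "PLC-7", NOW - timedelta(hours=1), NOW + timedelta(hours=4), "203.0.113.0/24"),
    Grant("contractor", "ES-01", NOW - timedelta(days=30), NOW + timedelta(days=30), "0.0.0.0/0"),
    Grant("old.user", "HIST-1", NOW - timedelta(days=10), NOW - timedelta(days=9), "198.51.100.7/32"),
]

if __name__ == "__main__":
    for severity, finding in audit_rules(SAMPLE_RULES) + audit_grants(SAMPLE_GRANTS):
        print(f"[{severity}] {finding}")
```

Two design points matter in practice. The rule check respects ordering: the Telnet allow beneath a covering deny is reported as dead rather than as exposure, because on a first-match firewall it never fires, while the blanket "any port" allow from the enterprise zone is not covered by the port-23 deny and is reported as the real gap. The grant check treats an expired authorization that is still configured as a finding in its own right, since item 14's time limit only holds if expired grants are actually removed.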
(3) Cloud Security
16. When enterprises build their own industrial cloud platforms, utilize user identity verification, access control, secure communication, and intrusion prevention technologies to ensure security protection, effectively preventing unauthorized operations and cyber attacks.
17. When industrial devices are connected to the cloud, implement strict identity management for those devices, use mutual authentication when they connect to the industrial cloud platform, and refuse connections from devices without a verified identity. When migrating business systems to the cloud, ensure that the operating environments of different business systems are securely isolated from one another.
(4) Application Security
18. Require user identity authentication for access to application services such as Manufacturing Execution Systems (MES), configuration (HMI/SCADA) software, and industrial databases. For access to critical application services, require two-factor authentication and strictly limit the scope and duration of each authorization.
19. Industrial control system-related software independently developed by industrial enterprises should undergo security testing conducted by the enterprise itself or entrusted third-party organizations, and can only be put into use after passing the tests.
(5) System Data Security
20. Regularly inventory the data generated by the operation of industrial control systems, classify and grade it according to actual business needs, identify important and core data, and maintain a catalogue of it. Use encryption, access control, disaster recovery backup, and similar technologies to protect data throughout its collection, storage, use, processing, transmission, provision, and disclosure.
21. Important and core data that laws and regulations require to be stored domestically must be stored domestically. Where it is necessary to provide such data to an overseas recipient, conduct the cross-border data transfer security assessment required by laws and regulations.
III. Security Operations
(1) Monitoring and Early Warning
22. Deploy monitoring and auditing devices or platforms in the industrial control network to promptly detect and warn of system vulnerabilities, malware, cyber attacks, and intrusions, in a way that does not affect system stability (for example, by passively analysing mirrored traffic rather than actively scanning controllers).
23. At the boundary between the industrial control network and the enterprise management network or the internet, use threat capture technologies such as honeypots for industrial control systems to capture network attack behaviors and enhance proactive defense capabilities.
(2) Operation Center
24. Enterprises with the capability can establish a cybersecurity operation center for industrial control systems, utilizing technologies such as Security Orchestration, Automation, and Response (SOAR) to achieve unified management and policy configuration of security devices, comprehensively monitor network security threats, and enhance centralized risk investigation and rapid incident response capabilities.
(3) Emergency Response
25. Develop emergency response plans for ICS security incidents, clearly defining reporting and handling processes, and regularly assess and revise them based on actual conditions, conducting emergency drills periodically. In the event of an ICS security incident, immediately activate the emergency plan, take urgent measures, and handle the security incident promptly and appropriately.
26. Retain access and operation logs for important devices, platforms, and systems for no less than six months, and regularly back up logs to facilitate post-incident tracing and evidence collection.
27. Regularly conduct backups and recovery tests for important system applications and data to ensure that the industrial control system can resume normal operations within an acceptable timeframe during emergencies.
(4) Security Assessment
28. Before the launch of new or upgraded industrial control systems, and before connecting the industrial control network to the enterprise management network or the internet, conduct security risk assessments.
29. For important industrial control systems, enterprises should conduct at least one assessment of ICS security protection capabilities annually, either independently or by entrusting third-party professional organizations.
(5) Vulnerability Management
30. Closely monitor major ICS security vulnerabilities and patch releases from platforms such as the Ministry of Industry and Information Technology’s cybersecurity threat and vulnerability information sharing platform, and take timely upgrade measures. If upgrades cannot be performed in the short term, implement targeted security hardening.
31. Regularly scan important industrial control systems for vulnerabilities. When a significant vulnerability is found, test and verify the patch or hardening measure (on a non-production system where possible) before applying it to the production system.
IV. Responsibility Implementation
32. Industrial enterprises bear the primary responsibility for their own ICS security, establishing ICS security management systems, clearly defining responsible individuals and departments, and implementing security protection responsibilities according to the principle of “who operates is responsible, who supervises is responsible.”
33. Enterprises should strengthen resource assurance (funding, staffing, and equipment) so that security protection measures are planned, built, and operated in step with the industrial control systems they protect.
Issued on: January 30, 2024