Please click above
Follow with one click!
Information security for industrial control systems (hereinafter referred to as “ICS security”) is an important component of national cybersecurity and information security, serving as a fundamental guarantee for promoting China Manufacturing 2025 and the integration of manufacturing and the Internet. In October 2016, the Ministry of Industry and Information Technology issued the “Guidelines for Information Security Protection in Industrial Control Systems” (hereinafter referred to as the “Guidelines”), to guide industrial enterprises in carrying out ICS security protection work.
1. Background
ICS security is related to economic development, social stability, and national security. In recent years, with the deepening integration of information technology and industrialization, industrial control systems have evolved from standalone to interconnected, from closed to open, and from automation to intelligence. While productivity has significantly increased, industrial control systems face increasingly severe information security threats. To implement the spirit of the “Guiding Opinions of the State Council on Deepening the Integration of Manufacturing and the Internet” (Guo Fa [2016] No. 28), and to respond to the new situation of ICS security, this “Guidelines” has been developed to enhance the ICS security protection level of industrial enterprises.
2. Overall Considerations
The “Guidelines” adhere to the principle that “security is the premise of development, and development is the guarantee of security,” starting from the current security issues faced by China’s industrial control systems, focusing on the executability of protection requirements, and clarifying the protection requirements for industrial enterprises from both management and technical aspects. The compilation ideas are as follows:
(1) Implement the requirements of the “National Cybersecurity Law”
The 11 requirements listed in the “Guidelines” fully reflect the requirements of the “National Cybersecurity Law” regarding cybersecurity support and promotion, network operation security, network information security, monitoring and early warning, and emergency response in the field of ICS security, representing the specific application of the “National Cybersecurity Law” in the industrial sector.
(2) Highlight the primary responsibility of industrial enterprises
Based on practical experience in ICS security management in China, the “Guidelines” propose protection requirements for industrial enterprises, establishing the enterprise as the primary responsible entity for ICS security, requiring enterprises to clarify the responsible person for ICS security management and implement the ICS security responsibility system.
(3) Consider the current state of ICS security in China
The “Guidelines” are based on the relevant information obtained from the ICS security inspection work conducted by the Ministry over the past five years, fully considering current issues such as inadequate awareness of ICS security protection, unclear management responsibilities, and incomplete access control policies, and clarifying the requirements of the “Guidelines”.
(4) Learn from the ICS security protection experiences of developed countries
The “Guidelines” reference the relevant policies, standards, and best practices of developed countries such as the United States, the European Union, and Japan regarding ICS security, validating measures for security software selection and management, configuration and patch management, and boundary security protection, thereby enhancing the scientific, rational, and operable nature of the “Guidelines”.
(5) Emphasize security protection throughout the entire lifecycle of industrial control systems
The “Guidelines” cover protection work requirements at all stages of the industrial control system lifecycle, including design, selection, construction, testing, operation, maintenance, and decommissioning, proposing specific implementation details regarding security software selection, access control policy construction, data security protection, and asset configuration management.
3. Detailed Explanation of Content
The “Guidelines” adhere to the principle of the primary responsibility of enterprises and the regulatory and service responsibilities of the government, focusing on key security guarantees such as system protection and security management, proposing 11 protection requirements, which are explained as follows:
(1) Security software selection and management
1. Use antivirus software or application whitelisting software that has been fully validated in an offline environment on industrial hosts, allowing only software authorized and assessed for security by the industrial enterprise to run.
Interpretation: Industrial control systems have high requirements for system availability and real-time performance. Security software used on industrial hosts such as MES servers, OPC servers, database servers, engineer stations, and operator stations should be tested and validated in an offline environment, which refers to an environment physically isolated from the production environment. The validation and testing content includes the functionality, compatibility, and security of the security software.
2. Establish a management mechanism for antivirus and malware intrusion, implementing security preventive measures such as virus scanning for industrial control systems and temporarily connected devices.
Interpretation: Industrial enterprises need to establish a management mechanism for antivirus and malware intrusion in industrial control systems, implementing necessary security preventive measures for industrial control systems and temporarily connected devices. Security preventive measures include regular virus and malware scanning, regular updates of virus databases, and scanning temporary access devices (such as USB drives, mobile terminals, etc.).
(2) Configuration and patch management
1. Ensure the security configuration of industrial control networks, industrial hosts, and industrial control devices, establishing a configuration list for industrial control systems and conducting regular configuration audits.
Interpretation: Industrial enterprises should ensure security configurations for industrial control networks, such as virtual LAN isolation and port disabling, security configurations for industrial hosts, such as remote control management and default account management, and security configurations for industrial control devices, such as compliance with password policies, establishing corresponding configuration lists, designating responsible persons for regular management and maintenance, and conducting regular configuration verification audits.
2. Develop change plans and conduct impact analysis for significant configuration changes, and perform strict security testing before implementing configuration changes.
Interpretation: When significant configuration changes occur, industrial enterprises should promptly develop change plans, clarifying change time, content, responsible persons, approval, and verification. Significant configuration changes refer to major vulnerability patch updates, additions or reductions of security devices, and redefinition of security domains. Additionally, risks that may arise during the change process should be analyzed, and an analysis report should be generated, with security verification of configuration changes conducted in an offline environment.
3. Closely monitor significant ICS security vulnerabilities and their patch releases, and promptly implement patch upgrade measures. Before installing patches, strict security assessments and testing validations should be conducted.
Interpretation: Industrial enterprises should closely monitor vulnerability databases such as CNVD and CNNVD, as well as patches released by device manufacturers. When significant vulnerabilities and their patches are released, based on the enterprise’s situation and change plans, strict security assessments and testing validations of the patches should be conducted in an offline environment, and timely upgrades should be made for patches that pass security assessments and testing validations.
(3) Boundary security protection
1. Separate the development, testing, and production environments of industrial control systems.
Interpretation: Different security control measures should be implemented for the development, testing, and production environments of industrial control systems. Industrial enterprises can use physical isolation, network logical isolation, and other methods for separation.
2. Use boundary protection devices for industrial control networks to secure the boundary between the industrial control network and the enterprise network or the Internet, prohibiting unprotected industrial control networks from connecting to the Internet.
Interpretation: Boundary security protection devices for industrial control networks include industrial firewalls, industrial gateways, unidirectional isolation devices, and enterprise-customized boundary security protection gateways. Industrial enterprises should deploy boundary security protection devices between different network boundaries based on actual conditions to achieve secure access control, block unauthorized network access, and strictly prohibit unprotected industrial control networks from connecting to the Internet.
3. Use industrial firewalls, gateways, and other protective devices for logical isolation security protection between secure areas of industrial control networks.
Interpretation: The network security areas of industrial control systems are divided based on the importance of the area and business needs. Security protection between areas can be achieved through logical isolation security protection using industrial firewalls, gateways, and other devices.
(4) Physical and environmental security protection
1. Implement access control, video surveillance, and dedicated personnel monitoring for areas housing core industrial control software and hardware, such as important engineer stations, databases, and servers.
Interpretation: Industrial enterprises should adopt appropriate physical security protection measures for areas housing important industrial control system assets.
2. Remove or seal unnecessary USB, optical drive, wireless, and other interfaces on industrial hosts. If necessary, implement strict access control through security management techniques for host peripherals.
Interpretation: The use of USB, optical drives, wireless, and other peripherals on industrial hosts provides a pathway for viruses, Trojans, worms, and other malicious code to invade. Removing or sealing unnecessary peripheral interfaces on industrial hosts can reduce the risk of infection. If use is necessary, security management techniques such as unified management devices for host peripherals and isolating industrial hosts with peripheral interfaces should be employed.
(5) Identity authentication
1. Use identity authentication management during the login process for industrial hosts, access to application service resources, and access to industrial cloud platforms. Multi-factor authentication should be used for access to critical devices, systems, and platforms.
Interpretation: Users should use identity authentication management methods such as password, USB-key, smart card, biometric fingerprint, and iris during the login process for industrial hosts, access to application service resources, and access to industrial cloud platforms, and may use multiple authentication methods when necessary.
2. Reasonably classify and set account permissions, allocating account permissions based on the principle of least privilege.
Interpretation: Industrial enterprises should allocate system account permissions based on the principle of least privilege necessary to meet work requirements, ensuring that losses caused by accidents, errors, or tampering are minimized. Industrial enterprises should regularly audit whether allocated account permissions exceed work needs.
3. Strengthen the login accounts and passwords for industrial control devices, SCADA software, and industrial communication devices, avoiding the use of default or weak passwords, and regularly updating passwords.
Interpretation: Industrial enterprises can refer to the recommended setting rules from suppliers and set different strengths of login accounts and passwords for industrial control devices, SCADA software, and industrial communication devices based on asset importance, and regularly update them to avoid using default or weak passwords.
4. Strengthen the protection of identity authentication certificate information, prohibiting sharing across different systems and network environments.
Interpretation: Industrial enterprises can use secure media such as USB-keys to store identity authentication certificate information, establishing relevant systems to strictly control the processes of application, issuance, use, and revocation of certificates, ensuring that the same identity authentication certificate information is prohibited from being used across different systems and network environments, thereby reducing the impact of certificate exposure on systems and networks.
(6) Remote access security
1. In principle, strictly prohibit industrial control systems from opening high-risk general network services such as HTTP, FTP, and Telnet to the Internet.
Interpretation: Opening network services such as HTTP, FTP, and Telnet to the Internet for industrial control systems can easily lead to intrusions, attacks, and exploitation of industrial control systems. Industrial enterprises should, in principle, prohibit industrial control systems from opening high-risk general network services.
2. If remote access is necessary, implement security hardening measures such as data unidirectional access control, control access time limits, and adopt marking and locking strategies.
Interpretation: If remote access is necessary, industrial enterprises can achieve data unidirectional access using unidirectional isolation devices, VPNs, and other methods at the network boundary, controlling access time limits. Marking and locking strategies should be adopted to prohibit the accessing party from performing illegal operations during remote access.
3. If remote maintenance is necessary, use remote access methods such as virtual private networks (VPNs).
Interpretation: If remote maintenance is necessary, industrial enterprises should ensure the security of remote access channels through authentication, encryption, and other methods, such as using virtual private networks (VPNs), assigning dedicated accounts for access, and regularly auditing access account operation records.
4. Retain relevant access logs for industrial control systems and conduct security audits of the operation process.
Interpretation: Industrial enterprises should retain access logs for industrial control system devices and applications, regularly backing them up, and tracking unauthorized access behaviors through log information such as auditor accounts, access times, and operation content.
(7) Security monitoring and emergency response drills
1. Deploy network security monitoring devices in the industrial control network to promptly detect, report, and handle network attacks or abnormal behaviors.
Interpretation: Industrial enterprises should deploy network security monitoring devices in the industrial control network that can identify, alert, and record network attacks and abnormal behaviors, promptly detecting, reporting, and handling network attacks or abnormal behaviors such as viruses, Trojans, port scanning, brute force cracking, abnormal traffic, abnormal commands, and forged industrial control system protocol packets.
2. Deploy protective devices with deep packet inspection capabilities for industrial protocols in front of important industrial control devices to restrict illegal operations.
Interpretation: Deploy protective devices capable of deep analysis and filtering of mainstream industrial control system protocols such as Modbus, S7, Ethernet/IP, and OPC in front of the core control units of industrial enterprises to block data packets that do not conform to protocol standard structures or business requirements.
3. Develop emergency response plans for ICS security incidents. When security threats lead to abnormalities or failures in industrial control systems, immediate emergency protective measures should be taken to prevent the situation from escalating, and reports should be submitted step by step to the local provincial industrial and information authorities, while ensuring the protection of the site for investigation and evidence collection.
Interpretation: Industrial enterprises need to independently or entrust third-party ICS security service units to develop emergency response plans for ICS security incidents. The plans should include strategies and procedures for emergency plans, training for emergency plans, testing and drills for emergency plans, emergency handling processes, incident monitoring measures, emergency incident reporting processes, emergency support resources, and emergency response plans.
4. Regularly conduct drills for the emergency response plans of industrial control systems, and revise the emergency response plans as necessary.
Interpretation: Industrial enterprises should regularly organize personnel involved in the operation, maintenance, and management of industrial control systems to conduct drills for emergency response plans, with drill formats including tabletop drills, single-item drills, and comprehensive drills. If necessary, enterprises should revise the plans based on actual conditions.
(8) Asset security
1. Build an asset list for industrial control systems, clarifying asset responsible persons and rules for asset use and disposal.Interpretation: Industrial enterprises should build an asset list for industrial control systems, including information assets, software assets, hardware assets, etc. Clarify asset responsible persons, establish rules for asset use and disposal, regularly conduct security inspections of assets, audit asset usage records, and check asset operational status to promptly identify risks.
2. Implement redundancy configurations for key host devices, network devices, and control components.
Interpretation: Industrial enterprises should configure redundant power supplies, redundant devices, and redundant networks for key host devices, network devices, and control components based on business needs.
(9) Data security
1. Protect important industrial data during static storage and dynamic transmission, and manage data information based on risk assessment results.
Interpretation: Industrial enterprises should encrypt and store important industrial data during static storage, set access control functions, encrypt important industrial data during dynamic transmission, use VPNs and other methods for isolation protection, and establish and improve a graded classification management system for data information based on risk assessment results.
2. Regularly back up critical business data.
Interpretation: Industrial enterprises should regularly back up critical business data, such as process parameters, configuration files, device operation data, production data, and control instructions.
3. Protect testing data.
Interpretation: Industrial enterprises should protect testing data, including security assessment data, on-site configuration development data, system joint debugging data, on-site change testing data, and emergency drill data, such as signing confidentiality agreements and recovering testing data.
(10) Supply chain management
1. When selecting service providers for planning, design, construction, operation, maintenance, or evaluation of industrial control systems, prioritize enterprises with ICS security protection experience, and clarify the information security responsibilities and obligations of service providers through contracts.
Interpretation: When selecting service providers for planning, design, construction, operation, maintenance, or evaluation of industrial control systems, industrial enterprises should prioritize service providers with ICS security protection experience and verify their provided ICS security contracts, cases, acceptance reports, and other proof materials. The contract should explicitly stipulate the information security responsibilities and obligations that the service provider should undertake during the service process.
2. Require service providers to maintain confidentiality through confidentiality agreements to prevent sensitive information leakage.
Interpretation: Industrial enterprises should sign confidentiality agreements with service providers, stipulating the content, duration, and liability for breach of confidentiality. This is to prevent the leakage of sensitive information such as process parameters, configuration files, device operation data, production data, and control instructions.
(11) Implement responsibilities
By establishing an ICS security management mechanism and forming an information security coordination group, clarify the responsible persons for ICS security management, implement the ICS security responsibility system, and deploy ICS security protection measures.
Interpretation: Industrial enterprises should establish and improve the ICS security management mechanism, clarify the primary responsibility for ICS security, and form an industrial control system information security coordination group led by the enterprise leader, composed of relevant departments such as information technology, production management, and equipment management, responsible for the construction and management of the security protection system throughout the lifecycle of industrial control systems, formulating industrial control system security management systems and deploying ICS security protection measures.
4. Implementation
First, promote the “Guidelines” to local industrial and information authorities and central enterprises, organizing training based on the requirements of the “Guidelines” to guide industrial enterprises in further optimizing ICS security management and technical protection measures.
Second, select cities and regions with concentrated industrial development to establish pilot areas for ICS security protection, organizing industrial enterprises within the area to conduct pilot applications for ICS security protection, selecting outstanding pilot enterprises to share ICS security protection experiences, and summarizing and refining demonstration cases for industrial control system protection.
Third, incorporate the requirements of the “Guidelines” into the annual cybersecurity inspection projects for the industrial sector, strengthening the implementation of responsibilities, and ensuring that management and technical measures are in place. Promote industrial enterprises to deeply implement and comply with the “Guidelines” through self-inspections, random checks, and in-depth inspections.
Local industrial and information authorities are responsible for supervising and managing the ICS security protection work within their regions and cooperating with the Ministry of Industry and Information Technology to carry out relevant work on ICS security. Industrial enterprises should carry out and improve ICS security protection work according to the requirements of the “Guidelines,” enhancing their own security protection capabilities while providing support for the overall improvement of China’s industrial information security protection level.
(Source: Industrial Internet Security Emergency Response Center)

Join the group chat
WeChat group related to Knowledge Planet Free to join Free sharing of security industry materials, laws and regulations, related standards, industry standards, and construction plans, etc.,For the management of the 【Cyber Security】 WeChat group,friends who want to join the group should first add me as a friend, and I will pull you into the group. The WeChat QR code is as follows:

—THE END—
Friends are watching
▶️【Collect】Level Protection Assessment 【Security Management System】 Level 3 Detailed assessment requirements, assessment methods, and assessment steps, assessment scoring standards: 0-point standard and full score standard
▶️【Collect】Level Protection Assessment 【Security Management Organization】 Level 3 Detailed assessment requirements, assessment methods, and assessment steps, assessment scoring standards: 0-point standard and full score standard
▶️【Collect】Level Protection Assessment 【Personnel Security Management】 Level 3 Detailed assessment requirements, assessment methods, and assessment steps, assessment scoring standards: 0-point standard and full score standard
▶️【Collect】Level Protection Assessment 【System Construction Management】 Level 3 Detailed assessment requirements, assessment methods, and assessment steps, assessment scoring standards: 0-point standard and full score standard
▶️【Collect】Level Protection Assessment 【System Operation and Maintenance Management】 Level 3 Detailed assessment requirements, assessment methods, and assessment steps, assessment scoring standards: 0-point standard and full score standard
Cyber Security