Industrial Control System Information Security Protection Guidelines

Notice on Issuing the “Industrial Control System Information Security Protection Guidelines”

Ministry of Industry and Information Technology Document No. 338, 2016

In order to implement the “Guiding Opinions of the State Council on Deepening the Integration of Manufacturing and the Internet” (Guofa [2016] No. 28), and to ensure the information security of industrial control systems in industrial enterprises, the “Industrial Control System Information Security Protection Guidelines” are formulated and issued to you.

The Ministry of Industry and Information Technology guides and manages the protection and security work of industrial control systems in national industrial enterprises, and revises the guidelines based on actual conditions. Local industrial and information technology authorities guide industrial enterprises in their administrative regions to develop implementation plans for industrial control security protection in accordance with the overall arrangements of the Ministry of Industry and Information Technology, promoting enterprises to meet the relevant requirements of this guideline in phases.

The Ministry of Industry and Information Technology

October 17, 2016

(Contact number: 010-68208171)

Industrial Control System Information Security Protection Guidelines

The information security of industrial control systems is related to economic development, social stability, and national security. To enhance the protection level of industrial enterprises’ industrial control systems (hereinafter referred to as industrial control security) and ensure the safety of industrial control systems, these guidelines are formulated.

These guidelines apply to enterprises using industrial control systems and institutions engaged in the planning, design, construction, operation, maintenance, and evaluation of industrial control systems.

Enterprises applying industrial control systems should carry out security protection work in the following eleven areas.

1. Selection and Management of Security Software

(1) Use antivirus software or application whitelisting software that has been fully tested and verified in an offline environment on industrial hosts, only allowing software authorized and assessed for safety by the industrial enterprise to run.

(2) Establish a management mechanism for antivirus and malware intrusion, and take security prevention measures such as virus scanning for industrial control systems and temporarily connected devices.

2. Configuration and Patch Management

(1) Ensure the security configuration of industrial control networks, industrial hosts, and industrial control devices, establish a configuration list for industrial control systems, and conduct regular configuration audits.

(2) Develop a change plan for significant configuration changes and conduct impact analysis; strict security testing should be carried out before implementing configuration changes.

(3) Closely monitor major industrial control security vulnerabilities and the release of patches, and promptly take patch upgrade measures. Before installing patches, a strict security assessment and testing verification of the patches must be conducted.

3. Boundary Security Protection

(1) Separate the development, testing, and production environments of industrial control systems.

(2) Use boundary protection devices for industrial control networks to secure the boundary between the industrial control network and the enterprise network or the Internet, prohibiting unprotected industrial control networks from connecting to the Internet.

(3) Use industrial firewalls, network barriers, and other protective devices to logically isolate safety areas within industrial control networks.

4. Physical and Environmental Security Protection

(1) Implement physical security measures such as access control, video surveillance, and dedicated personnel for important engineer stations, databases, servers, and other core industrial control hardware and software areas.

(2) Remove or seal unnecessary USB ports, optical drives, wireless interfaces, etc., on industrial hosts. If necessary, strict access control measures should be implemented through peripheral security management techniques.

5. Identity Authentication

(1) Use identity authentication management during the login to industrial hosts, application service resource access, and industrial cloud platform access. Multi-factor authentication should be used for access to critical devices, systems, and platforms.

(2) Reasonably classify and set account permissions, allocating account permissions based on the principle of least privilege.

(3) Strengthen the login accounts and passwords of industrial control devices, SCADA software, industrial communication devices, etc., avoiding the use of default or weak passwords, and regularly updating passwords.

(4) Enhance the protection of identity authentication certificate information, prohibiting sharing in different systems and network environments.

6. Remote Access Security

(1) In principle, strictly prohibit the opening of high-risk general network services such as HTTP, FTP, Telnet for industrial control systems facing the Internet.

(2) If remote access is necessary, strengthen security using data unidirectional access control strategies, control access time limits, and implement marking lock strategies.

(3) If remote maintenance is necessary, use remote access methods such as Virtual Private Network (VPN).

(4) Retain relevant access logs of industrial control systems and conduct security audits of the operation process.

7. Security Monitoring and Emergency Response Drills

(1) Deploy network security monitoring devices in industrial control networks to promptly detect, report, and handle network attacks or abnormal behaviors.

(2) Deploy protective devices with deep packet inspection capabilities for industrial protocols in front of important industrial control devices to restrict illegal operations.

(3) Develop emergency response plans for industrial control security incidents; when security threats cause abnormality or failure in industrial control systems, immediate emergency protective measures should be taken to prevent escalation, and reports should be sent up to the local provincial industrial and information technology authority, while ensuring the site is preserved for investigation and evidence collection.

(4) Regularly conduct drills for the emergency response plans of industrial control systems and revise them as necessary.

8. Asset Security

(1) Build an asset inventory for industrial control systems, clarify asset responsible persons, and establish rules for asset use and disposal.

(2) Implement redundancy configurations for key host devices, network devices, control components, etc.

9. Data Security

(1) Protect important industrial data during static storage and dynamic transmission processes, managing data information based on risk assessment results.

(2) Regularly back up critical business data.

(3) Protect test data.

10. Supply Chain Management

(1) When selecting service providers for planning, design, construction, operation, maintenance, or evaluation of industrial control systems, prioritize enterprises with experience in industrial control security protection, and clearly define the information security responsibilities and obligations of service providers through contracts.

(2) Require service providers to maintain confidentiality through confidentiality agreements to prevent sensitive information leakage.

11. Implementing Responsibilities

Establish a management mechanism for industrial control security, form an information security coordination group, clarify the responsible persons for industrial control security management, implement the industrial control security responsibility system, and deploy industrial control security protection measures.

Interpretation

The information security of industrial control systems (hereinafter referred to as “industrial control security”) is an important part of national network and information security and is the basic guarantee for promoting China Manufacturing 2025 and the integration of manufacturing and the Internet. In October 2016, the Ministry of Industry and Information Technology issued the “Industrial Control System Information Security Protection Guidelines” (hereinafter referred to as “the Guidelines”) to guide industrial enterprises in carrying out industrial control security protection work.

1. Background

Industrial control security is related to economic development, social stability, and national security. In recent years, with the continuous deepening of the integration of information technology and industrialization, industrial control systems have transitioned from standalone to interconnected, from closed to open, and from automation to intelligence. While productivity has significantly increased, industrial control systems face increasingly severe information security threats. In order to implement the spirit of the “Guiding Opinions of the State Council on Deepening the Integration of Manufacturing and the Internet” (Guofa [2016] No. 28) and respond to the new situation of industrial control security, the “Guidelines” have been prepared to enhance the protection level of industrial enterprises’ industrial control security.

2. Overall Considerations

The “Guidelines” adhere to the principle that “safety is the premise of development, and development is the guarantee of safety,” starting from the current security issues faced by industrial control systems in China, focusing on the executability of protective requirements, and clarifying the protection requirements for industrial enterprises’ industrial control security from both management and technical aspects. The drafting approach is as follows:

(1) Implement the requirements of the “National Cybersecurity Law”

The 11 requirements listed in the “Guidelines” fully reflect the requirements for network security support and promotion, network operation security, network information security, monitoring and early warning, and emergency response in the field of industrial control security, which is a specific application of the “National Cybersecurity Law” in the industrial field.

(2) Highlight the main responsibility of industrial enterprises

The “Guidelines” propose protection requirements for industrial control security based on practical experience in industrial control security management in China, establishing enterprises as the main responsible entities for industrial control security, requiring enterprises to clarify the responsible persons for industrial control security management and implement the industrial control security responsibility system.

(3) Consider the current state of industrial control security in China

The preparation of the “Guidelines” is based on the relevant situations gathered from the Ministry of Industry and Information Technology’s industrial control security inspection work over the past five years, fully considering the current issues such as insufficient awareness of industrial control security protection, unclear management responsibilities, and inadequate access control strategies, and clarifying the requirements of the “Guidelines”.

(4) Learn from the industrial control security protection experience of developed countries

The “Guidelines” reference the relevant policies, standards, and best practices of developed countries such as the United States, the European Union, and Japan, and have validated measures for security software selection and management, configuration and patch management, boundary security protection, etc., improving the scientificity, rationality, and operability of the “Guidelines”.

(5) Emphasize the security protection of the entire lifecycle of industrial control systems

The “Guidelines” cover the protective work requirements for all stages of industrial control system design, selection, construction, testing, operation, maintenance, and decommissioning, proposing specific implementation details from aspects such as security software selection, access control strategy construction, data security protection, and asset configuration management.

3. Detailed Explanation

The “Guidelines” adhere to the main responsibility of enterprises and the regulatory and service responsibilities of the government, focusing on key security guarantees such as system protection and security management, and propose 11 protective requirements, which are explained as follows:

(1) Selection and Management of Security Software

1. Use antivirus software or application whitelisting software that has been fully tested and verified in an offline environment on industrial hosts, only allowing software authorized and assessed for safety by the industrial enterprise to run.

Interpretation: Industrial control systems require high availability and real-time performance. Security software used on industrial hosts such as MES servers, OPC servers, database servers, engineer stations, and operator stations should be tested and verified in an offline environment beforehand, where the offline environment refers to an environment physically isolated from the production environment. The verification and testing content includes the functionality, compatibility, and security of the security software.

2. Establish a management mechanism for antivirus and malware intrusion, and take necessary security prevention measures for industrial control systems and temporarily connected devices.

Interpretation: Industrial enterprises need to establish a management mechanism for antivirus and malware intrusion in industrial control systems, taking necessary security prevention measures for industrial control systems and temporarily connected devices. Security prevention measures include regular virus and malware scanning, regularly updating virus databases, and scanning temporary access devices (such as temporarily connected USB drives, mobile terminals, etc.).

(2) Configuration and Patch Management

1. Ensure the security configuration of industrial control networks, industrial hosts, and industrial control devices, establish a configuration list for industrial control systems, and conduct regular configuration audits.

Interpretation: Industrial enterprises should ensure security configurations for industrial control networks (such as VLAN isolation and port disabling), for industrial hosts (such as remote control management and default account management), and for industrial control devices (such as password policy compliance), establish corresponding configuration lists, designate responsible persons for regular management and maintenance, and conduct regular configuration audits.

2. Develop a change plan for significant configuration changes and conduct impact analysis; strict security testing should be conducted before implementing configuration changes.

Interpretation: When significant configuration changes occur, industrial enterprises should promptly develop a change plan, clarifying change time, content, responsible persons, approval, and verification. Significant configuration changes refer to major vulnerability patch updates, additions or reductions of security devices, redefinition of security domains, etc. At the same time, an analysis report should be formed to analyze the risks that may arise during the change process, and security verification of the configuration change should be conducted in an offline environment.

3. Closely monitor major industrial control security vulnerabilities and the release of patches, and promptly take patch upgrade measures. Before installing patches, a strict security assessment and testing verification of the patches must be conducted.

Interpretation: Industrial enterprises should closely monitor vulnerability databases such as CNVD, CNNVD, and patches released by equipment manufacturers. When major vulnerabilities and their patches are released, based on the enterprise’s own situation and change plans, strict security assessments and testing verifications of the patches should be conducted in an offline environment, and timely upgrades should be made for patches that pass security assessments and testing verifications.

(3) Boundary Security Protection

1. Separate the development, testing, and production environments of industrial control systems.

Interpretation: Different security control measures should be implemented for the development, testing, and production environments of industrial control systems. Industrial enterprises can adopt physical isolation, network logical isolation, and other methods for separation.

2. Use boundary protection devices for industrial control networks to secure the boundary between the industrial control network and the enterprise network or the Internet, prohibiting unprotected industrial control networks from connecting to the Internet.

Interpretation: Boundary security protection devices for industrial control networks include industrial firewalls, industrial network barriers, unidirectional isolation devices, and enterprise-customized boundary security protection gateways. Industrial enterprises should deploy boundary security protection devices between different network boundaries based on actual conditions to achieve secure access control, block unauthorized network access, and strictly prohibit unprotected industrial control networks from connecting to the Internet.

3. Use industrial firewalls, network barriers, and other protective devices to logically isolate safety areas within industrial control networks.

Interpretation: The security areas of industrial control system networks are divided based on the importance of the areas and business needs. Security protection between areas can be carried out using industrial firewalls, network barriers, and other devices for logical isolation.

(4) Physical and Environmental Security Protection

1. Implement physical security measures such as access control, video surveillance, and dedicated personnel for important engineer stations, databases, servers, and other core industrial control hardware and software areas.

Interpretation: Industrial enterprises should adopt appropriate physical security protection measures for areas where important industrial control system assets are located.

2. Remove or seal unnecessary USB ports, optical drives, wireless interfaces, etc., on industrial hosts. If necessary, strict access control measures should be implemented through peripheral security management techniques.

Interpretation: The use of USB ports, optical drives, wireless interfaces, and other peripherals on industrial hosts provides a pathway for viruses, Trojans, worms, and other malicious code to invade. Removing or sealing unnecessary peripheral interfaces on industrial hosts can reduce the risk of infection. If necessary, safety management techniques such as unified management devices for host peripherals and isolating industrial hosts with peripheral interfaces can be adopted.

(5) Identity Authentication

1. Use identity authentication management during the login to industrial hosts, application service resource access, and industrial cloud platform access. Multi-factor authentication should be used for access to critical devices, systems, and platforms.

Interpretation: During the login to industrial hosts, access to application service resources, and industrial cloud platforms, users should use password-based authentication, USB keys, smart cards, biometric fingerprints, iris recognition, and other identity authentication management methods. Multiple authentication methods can be used simultaneously if necessary.

2. Reasonably classify and set account permissions, allocating account permissions based on the principle of least privilege.

Interpretation: Industrial enterprises should allocate system account permissions based on the principle of least privilege that meets work requirements, ensuring that losses caused by accidents, errors, tampering, and other reasons are minimized. Industrial enterprises need to regularly audit whether allocated account permissions exceed work needs.

3. Strengthen the login accounts and passwords of industrial control devices, SCADA software, industrial communication devices, etc., avoiding the use of default or weak passwords, and regularly updating passwords.

Interpretation: Industrial enterprises can refer to the recommended setting rules provided by suppliers and set different strengths of login accounts and passwords for industrial control devices, SCADA software, industrial communication devices, etc., based on asset importance, and regularly update them to avoid using default or weak passwords.

4. Enhance the protection of identity authentication certificate information, prohibiting sharing in different systems and network environments.

Interpretation: Industrial enterprises can use secure media such as USB keys to store identity authentication certificate information, establishing relevant systems to strictly control the processes of application, issuance, use, revocation, etc., ensuring that the same identity authentication certificate information is prohibited from being used in different systems and network environments, reducing the impact of certificate exposure on systems and networks.

(6) Remote Access Security

1. In principle, strictly prohibit the opening of high-risk general network services such as HTTP, FTP, Telnet for industrial control systems facing the Internet.

Interpretation: Opening high-risk general network services such as HTTP, FTP, Telnet for industrial control systems facing the Internet can easily lead to invasions, attacks, and exploitation of industrial control systems. Industrial enterprises should, in principle, prohibit the opening of high-risk general network services for industrial control systems.

2. If remote access is necessary, strengthen security using data unidirectional access control strategies, control access time limits, and implement marking lock strategies.

Interpretation: If remote access is necessary, industrial enterprises can achieve data unidirectional access at the network boundary using unidirectional isolation devices, VPNs, etc., and control access time limits. Marking lock strategies should be implemented to prohibit the accessing party from carrying out illegal operations during remote access.

3. If remote maintenance is necessary, use remote access methods such as Virtual Private Network (VPN).

Interpretation: If remote maintenance is necessary, industrial enterprises should ensure the security of remote access channels through authentication, encryption, etc., such as using Virtual Private Network (VPN) methods, assigning dedicated accounts to accessing users, and regularly auditing access account operation records.

4. Retain relevant access logs of industrial control systems and conduct security audits of the operation process.

Interpretation: Industrial enterprises should retain access logs for industrial control system devices and applications, regularly backing them up, and tracking unauthorized access behaviors through audit information such as audit personnel accounts, access times, and operation content.
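Added example (not part of the Guidelines or the Ministry’s interpretation): one way to audit retained remote-access logs against the four requirements above, checking account, access time, channel, and operation content. The log format, account names, approval table, and operation names are constructed assumptions.

```python
import csv
import io
from datetime import datetime

HIGH_RISK_SERVICES = {"http", "ftp", "telnet"}  # services named in item 1

# Constructed approvals (assumption): each remote maintainer has a dedicated
# account with a time-limited window and an explicit set of operations.
GRANTS = {
    "vendor-li": {
        "start": datetime(2024, 3, 4, 9, 0),
        "end": datetime(2024, 3, 4, 17, 0),
        "operations": {"read_diagnostics", "download_logs"},
    },
}

# Constructed access log: time, account, channel, target, operation.
SAMPLE_LOG = """\
2024-03-04T10:15:00,vendor-li,vpn,eng-station-1,read_diagnostics
2024-03-04T19:40:00,vendor-li,vpn,eng-station-1,download_logs
2024-03-04T11:02:00,vendor-li,vpn,plc-7,write_logic
2024-03-04T11:30:00,admin,telnet,plc-7,read_diagnostics
not,a,record
"""


def audit(log_text, grants=GRANTS):
    """Return a list of (line number, account, finding) tuples."""
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(log_text)), 1):
        if not row:
            continue
        try:
            stamp, account, channel, _target, operation = row
            when = datetime.fromisoformat(stamp)
        except ValueError:
            # Wrong field count or bad timestamp: keep the line for review.
            findings.append((lineno, None, "unparseable record"))
            continue
        if channel.lower() in HIGH_RISK_SERVICES:
            findings.append((lineno, account, f"high-risk service: {channel}"))
        grant = grants.get(account)
        if grant is None:
            findings.append((lineno, account, "no remote-access approval"))
            continue
        if not grant["start"] <= when <= grant["end"]:
            findings.append((lineno, account, "outside approved time window"))
        if operation not in grant["operations"]:
            findings.append(
                (lineno, account, f"operation not approved: {operation}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```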

(7) Security Monitoring and Emergency Response Drills

1. Deploy network security monitoring devices in industrial control networks to promptly detect, report, and handle network attacks or abnormal behaviors.

Interpretation: Industrial enterprises should deploy network security monitoring devices capable of identifying, alarming, and recording network attacks and abnormal behaviors in industrial control networks, promptly detecting, reporting, and handling network attacks or abnormal behaviors such as viruses, port scans, brute force cracking, abnormal traffic, abnormal commands, and fabricated industrial control system protocol packets.

2. Deploy protective devices with deep packet inspection capabilities for industrial protocols in front of important industrial control devices to restrict illegal operations.

Interpretation: Deploy protective devices in front of core control units of industrial enterprises that can perform deep analysis and filtering of mainstream industrial control system protocols such as Modbus, S7, Ethernet/IP, OPC, etc., blocking data packets that do not conform to protocol standard structures or do not meet business requirements.
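Added example (not part of the Guidelines or the Ministry’s interpretation): the two filtering conditions named above, shown for Modbus/TCP request frames. The first stage rejects frames that do not conform to the protocol structure, the second rejects well-formed requests that the site policy does not permit. The policy table, unit numbers, and register ranges are constructed assumptions; only the most common function codes are parsed and everything else is denied by default.

```python
import struct
from dataclasses import dataclass

MBAP_LEN = 7    # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260   # Modbus/TCP limit: 7-byte MBAP header + 253-byte PDU
# Per-request quantity limits from the Modbus application protocol spec.
READ_LIMITS = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}
WRITE_MULTI_LIMITS = {0x0F: 1968, 0x10: 123}


@dataclass(frozen=True)
class Rule:
    """One permitted operation: a function code on an inclusive address range."""
    unit: int
    function: int
    first: int
    last: int


# Constructed site policy (assumption): unit 1 may be read at registers 0-99
# and written only at the setpoint registers 10-19.
POLICY = (
    Rule(unit=1, function=0x03, first=0, last=99),
    Rule(unit=1, function=0x06, first=10, last=19),
    Rule(unit=1, function=0x10, first=10, last=19),
)


def build(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Build a well-formed Modbus/TCP frame for the constructed samples."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame: bytes):
    """Return (unit, function, address, quantity) or raise ValueError."""
    if not MBAP_LEN + 1 <= len(frame) <= MAX_ADU:
        raise ValueError("frame size outside Modbus/TCP limits")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc in READ_LIMITS or fc in (0x05, 0x06):
        if len(pdu) != 5:
            raise ValueError("wrong PDU length for function code")
        addr, value = struct.unpack(">HH", pdu[1:5])
        qty = value if fc in READ_LIMITS else 1
        if fc in READ_LIMITS and not 1 <= qty <= READ_LIMITS[fc]:
            raise ValueError("quantity out of range")
        if fc == 0x05 and value not in (0x0000, 0xFF00):
            raise ValueError("coil value must be 0x0000 or 0xFF00")
    elif fc in WRITE_MULTI_LIMITS:
        if len(pdu) < 6:
            raise ValueError("truncated write request")
        addr, qty, count = struct.unpack(">HHB", pdu[1:6])
        if not 1 <= qty <= WRITE_MULTI_LIMITS[fc]:
            raise ValueError("quantity out of range")
        expected = (qty + 7) // 8 if fc == 0x0F else 2 * qty
        if count != expected or len(pdu) != 6 + count:
            raise ValueError("byte count inconsistent with quantity")
    else:
        # Default deny: anything this filter cannot fully parse is dropped.
        raise ValueError(f"function code 0x{fc:02X} not handled")
    if addr + qty - 1 > 0xFFFF:
        raise ValueError("address range runs past 0xFFFF")
    return unit, fc, addr, qty


def inspect(frame: bytes, policy=POLICY):
    """Return ('allow' | 'block', reason) for one request frame."""
    try:
        unit, fc, addr, qty = parse_request(frame)
    except ValueError as exc:
        return "block", f"rejected: {exc}"
    last = addr + qty - 1
    for rule in policy:
        if ((rule.unit, rule.function) == (unit, fc)
                and rule.first <= addr and last <= rule.last):
            return "allow", f"unit {unit} fc 0x{fc:02X} addr {addr}-{last}"
    return "block", f"policy: unit {unit} fc 0x{fc:02X} addr {addr}-{last}"


if __name__ == "__main__":
    samples = {  # constructed request frames
        "read setpoints": build(1, bytes([0x03, 0, 10, 0, 10])),
        "write setpoint": build(1, bytes([0x06, 0, 12, 0x01, 0xF4])),
        "write outside range": build(1, bytes([0x06, 0, 200, 0, 1])),
        "bad byte count": build(1, bytes([0x10, 0, 10, 0, 2, 2, 0, 1])),
        "forged length": b"\x00\x01\x00\x00\x00\xff\x01\x03\x00\x00\x00\x01",
    }
    for name, frame in samples.items():
        print(name, inspect(frame))
```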

3. Develop emergency response plans for industrial control security incidents; when security threats cause abnormality or failure in industrial control systems, immediate emergency protective measures should be taken to prevent escalation, and reports should be sent up to the local provincial industrial and information technology authority, while ensuring the site is preserved for investigation and evidence collection.

Interpretation: Industrial enterprises need to develop emergency response plans for industrial control security incidents, either independently or by entrusting third-party industrial control security service units. The plans should include strategies and procedures for emergency planning, training for emergency plans, testing and drills for emergency plans, emergency handling processes, incident monitoring measures, emergency event reporting processes, emergency support resources, and emergency response plans.

4. Regularly conduct drills for the emergency response plans of industrial control systems and revise them as necessary.

Interpretation: Industrial enterprises should regularly organize personnel related to the operation, maintenance, and management of industrial control systems to conduct drills for emergency response plans, which can take the form of tabletop exercises, single-item drills, comprehensive drills, etc. If necessary, enterprises should revise the plans based on actual conditions.

(8) Asset Security

1. Build an asset inventory for industrial control systems, clarify asset responsible persons, and establish rules for asset use and disposal.

Interpretation: Industrial enterprises should build an asset inventory for industrial control systems, including information assets, software assets, hardware assets, etc. Clarify asset responsible persons, establish rules for asset use and disposal, regularly conduct security inspections of assets, audit asset usage records, and check the operational status of assets to promptly identify risks.

2. Implement redundancy configurations for key host devices, network devices, control components, etc.

Interpretation: Industrial enterprises should configure redundant power supplies, redundant devices, and redundant networks for key host devices, network devices, control components, etc., based on business needs.

(9) Data Security

1. Protect important industrial data during static storage and dynamic transmission processes, managing data information based on risk assessment results.

Interpretation: Industrial enterprises should encrypt and store important industrial data during static storage, set access control functions, encrypt important industrial data during dynamic transmission, use VPNs, and establish and improve the classification management system for data information based on risk assessment results.

2. Regularly back up critical business data.

Interpretation: Industrial enterprises should regularly back up critical business data, such as process parameters, configuration files, equipment operation data, production data, control commands, etc.

3. Protect test data.

Interpretation: Industrial enterprises should protect test data, including security assessment data, on-site configuration development data, system joint debugging data, on-site change testing data, emergency drill data, etc., by signing confidentiality agreements, retrieving test data, etc.

(10) Supply Chain Management

1. When selecting service providers for planning, design, construction, operation, maintenance, or evaluation of industrial control systems, prioritize enterprises with experience in industrial control security protection, and clearly define the information security responsibilities and obligations of service providers through contracts.

Interpretation: When selecting service providers for planning, design, construction, operation, maintenance, or evaluation of industrial control systems, industrial enterprises should prioritize service providers with industrial control security protection experience and verify their provided contracts, cases, acceptance reports, and other proof materials. The contract should explicitly stipulate the information security responsibilities and obligations that the service provider should undertake during the service process.

2. Require service providers to maintain confidentiality through confidentiality agreements to prevent sensitive information leakage.

Interpretation: Industrial enterprises should sign confidentiality agreements with service providers, stipulating the content of confidentiality, confidentiality duration, liability for breach of contract, etc., to prevent the leakage of sensitive information such as process parameters, configuration files, equipment operation data, production data, control commands, etc.

(11) Implementing Responsibilities

Establish a management mechanism for industrial control security, form an information security coordination group, clarify the responsible persons for industrial control security management, implement the industrial control security responsibility system, and deploy industrial control security protection measures.

4. Implementation

First, carry out the promotion of the “Guidelines” to local industrial and information technology authorities, central enterprises, etc., organize training based on the requirements of the “Guidelines”, and guide industrial enterprises to further optimize industrial control security management and technical protection measures.

Second, select cities and regions with industrial clusters for development, establish pilot areas for industrial control security protection, and organize industrial enterprises in the area to carry out pilot applications for industrial control security protection, selecting excellent pilot enterprises to share industrial control security protection experiences and summarize exemplary cases of industrial control system protection.

Third, incorporate the requirements of the “Guidelines” into the annual cybersecurity inspection projects of the industrial sector, strengthening the implementation of responsibilities and management and technical measures. Promote industrial enterprises to thoroughly implement and comply with the “Guidelines” through self-inspection, random checks, and in-depth inspections.

Local industrial and information technology authorities are responsible for supervising and managing the industrial control security protection work within their regions and cooperating with the Ministry of Industry and Information Technology to carry out related work on industrial control security. Industrial enterprises should carry out and improve the industrial control security protection work according to the requirements of the “Guidelines”, improving their own security protection capabilities while providing support for enhancing the overall level of industrial information security protection in China.
