Interpretation of Emergency Management Guidelines for Industrial Control System Information Security Events


To further implement the “Guiding Opinions of the State Council on Deepening the Integration of Manufacturing and the Internet”, and in accordance with the “Cybersecurity Law of the People’s Republic of China” and the “Emergency Response Law of the People’s Republic of China”, the Ministry of Industry and Information Technology recently issued the “Emergency Management Guidelines for Industrial Control System Information Security Events” (hereinafter referred to as the “Guidelines”), aimed at strengthening the emergency management of industrial control system information security (hereinafter referred to as “ICS security”) events, improving the emergency response capability to ICS security events, preventing and reducing the losses and harms caused by ICS security events, and ensuring the normal operation of industrial production.

1. Background of the Issuance of the Guidelines

With the continuous deepening of the integration of information technology and industrialization, as well as the rapid development of new-generation information technologies such as the Internet of Things, cloud computing, and big data, the trend toward intelligent and networked industrial control systems has become increasingly evident, and threats such as viruses and Trojans continue to spread to industrial control systems. In recent years, ICS security incidents have occurred frequently, the number of ICS security vulnerabilities has continued to grow, and the security situation has become increasingly severe. The implementation of a series of strategic deployments such as the national “13th Five-Year Plan” Outline, Cyber Power, Made in China 2025, and “Internet Plus” has raised higher requirements for the security assurance of ICS in our country. There is an urgent need to rapidly enhance the level of ICS security assurance and emergency response capabilities, to better support the healthy and orderly development of the economy and society and to safeguard national security.

2. Overall Considerations

The Guidelines are closely tied to the actual emergency work for ICS security events and focus on preventing major ICS security incidents. They clarify the responsibilities of the Ministry of Industry and Information Technology, local industrial and information departments, technical support teams, and enterprises, strengthen the emergency management and organizational coordination of ICS security events, and enhance the emergency response capabilities for ICS security events.

(1) Purpose and Significance

Firstly, to establish and improve the emergency work mechanism for ICS security events. Based on the “National Cybersecurity Incident Emergency Plan”, the Guidelines are formulated to further improve the emergency system for ICS security events, forming an effective emergency work mechanism for ICS security, providing a basis and methods for the emergency management and response work of ICS security events.

Secondly, to enhance the emergency response capability for ICS security events. The Guidelines clarify the organizational structure and responsibilities for ICS security event emergency work, determine the monitoring and reporting, response processes, and specific measures for ICS security events, and propose requirements for emergency teams, expert groups, materials, and funding guarantees, providing action guidelines for emergency response work.

Thirdly, to improve the ICS security management system. The research, formulation, and implementation of the Guidelines, together with the issued “Guidelines for Information Security Protection of Industrial Control Systems” and the “Management Measures for the Assessment of Information Security Protection of Industrial Control Systems” currently being drafted, jointly construct the ICS security management system. The security requirements and management methods proposed in the document cover the entire lifecycle of industrial control system planning, design, construction, operation, and maintenance, laying a solid foundation for strengthening ICS security management.

(2) Compilation Principles

Government guidance, with enterprises as the main responsible party. By improving policy measures and strengthening supervision and management, the government guides enterprises to establish awareness of their primary responsibility for ICS security, urging enterprises to treat ICS security as an important part of production safety and to do a good job in emergency-related work for ICS security, accelerating the enhancement of emergency capabilities for ICS security events.

Prevention first, combining peacetime and wartime. Follow systematic and scientific management ideas, strengthen monitoring and risk prediction of ICS security, grasp the ICS security situation in a timely manner, keep information transmission channels open, fully leverage the power of all parties, organically combine prevention and reduction, and actively carry out the prevention and reduction of ICS security events.

Quick response and scientific disposal. Establish a quick response system for ICS security that is fast in perception, judgment, response, and reduction; continuously strengthen the overall emergency level and quick response capability of the ICS security emergency team; and manage scientifically, command effectively, and properly handle ICS security events.

3. Management Requirements of the Guidelines

The Guidelines propose a series of management requirements for risk monitoring of ICS security, information reporting and notification, emergency response, and emergency management during sensitive periods, clarifying responsibilities, workflows, and guarantee measures.

(1) Strengthening Risk Monitoring

Risk monitoring is the foundational work for grasping ICS security events and sensing risk trends. The Guidelines require that technical institutions such as the National Industrial Information Security Development Research Center, local industrial and information departments, and industrial enterprises carry out risk monitoring work. Among them, the National Industrial Information Security Development Research Center and other technical institutions are responsible for organizing nationwide ICS security risk monitoring and early warning notification work, local industrial and information departments are responsible for organizing risk monitoring work in their regions, and industrial enterprises are responsible for conducting risk monitoring work within their units.

(2) Conducting Information Reporting and Notification

Information reporting and notification are important ways to help emergency-related departments understand risks and the overall situation of events in a timely manner. The Guidelines clearly state that local industrial and information departments and industrial enterprises should promptly report important monitoring information to the National Industrial Information Security Development Research Center while conducting risk monitoring. The National Industrial Information Security Development Research Center is responsible for summarizing, organizing, and analyzing the information, and reporting the results to the Ministry of Industry and Information Technology. For risk information with a wide scope of impact and serious harm, the Ministry of Industry and Information Technology will promptly notify relevant industries, regions, and enterprises. In addition, for security risks and event information that may exceed the response capabilities of the local area, local industrial and information departments should promptly report to the Ministry of Industry and Information Technology.

(3) Proper Emergency Response

Emergency response to ICS security events is the top priority of emergency work, and doing a good job in ICS security emergency response is of paramount significance for maintaining national security, social order, economic construction, and public interests. For ICS security emergency response work, the Guidelines clearly outline the following requirements. Firstly, industrial enterprises should actively carry out initial response. For possible or already occurring ICS security events, industrial enterprises should take scientific and effective measures to provide timely rescue, striving to minimize losses and restore the normal operation of damaged industrial control systems as soon as possible. Secondly, it is crucial to focus on information reporting during emergency response. During the emergency response process, local industrial and information departments and industrial enterprises should promptly report the development of the situation and the progress of event handling. Thirdly, the Ministry of Industry and Information Technology will organize on-site response if necessary, sending a working group to the scene to command emergency response work and coordinate emergency technical institutions to provide technical support. Fourthly, a timely summary and evaluation should be carried out after the emergency ends. The Guidelines require that after the emergency work concludes, relevant industrial enterprises should carry out event analysis and summary work and report it on time.

(4) Guarantee Measures

The Guidelines require the establishment of a three-level emergency plan system covering the Ministry of Industry and Information Technology, local industrial and information departments, and industrial enterprises, promoting the standardization and institutionalization of ICS security emergency management work; regularly organizing emergency drills to improve technical capabilities in responding to ICS security events; and establishing national and local ICS security emergency expert groups to support the construction of emergency technical institutions and basic platforms, enhancing the basic capabilities for emergency response.

In addition, the Guidelines also emphasize the emergency management requirements during important sensitive periods such as significant national activities and meetings, clarifying that the Ministry of Industry and Information Technology should provide emergency guidance, and that local industrial and information departments and industrial enterprises should strengthen risk monitoring, report information promptly, and maintain emergency duty arrangements, so as to ensure the safe and stable operation of industrial control systems during important sensitive periods.
