Introduction Overview
Industrial control systems, as the cornerstone of industrial production operations, play an indispensable role in keeping enterprise operations stable, keeping the supply chain running smoothly, promoting healthy economic and social development, and safeguarding national security. To guide industrial enterprises in strengthening industrial control security protection, the Ministry of Industry and Information Technology formulated the “Guidelines for Information Security Protection of Industrial Control Systems” in 2016, which significantly enhanced the security protection capabilities of industrial enterprises. Since 2017, China has successively issued a series of laws and regulations, including the “Cybersecurity Law,” “Data Security Law,” and “Cryptography Law,” as well as specific regulations for industry applications, which play a core role in maintaining network and data security. However, current policy documents still need to be better aligned with the relevant legal requirements. At the same time, with the accelerated digital transformation of industrial enterprises and the growing trend toward open interconnection of industrial control systems, the cybersecurity risks faced by industrial enterprises have become increasingly prominent. Strengthening cybersecurity protection in industrial enterprises has therefore become an urgent need.

01 Target Audience
The “Protection Guidelines” apply to enterprises that use and operate industrial control systems. The protection objects include industrial control systems and other equipment and systems that may directly or indirectly affect production operations if subjected to a cyber attack.
02 Positioning and General Considerations
1. Keep Up with the Times
2. Emphasize the Combination of Technology and Management
3. Focus on Practical Operations
03 Main Content

1. Asset Management
Clearly define the department and personnel responsible for asset management, and implement focused protection for the systems on the list of important industrial control systems.

2. Configuration Management
Strengthen password management, set account permissions according to the principle of least privilege, and establish a security configuration list for industrial control systems.

3. Supply Chain Security
Clearly define the security responsibilities and obligations that suppliers must fulfill, and use equipment that has passed safety certification by qualified institutions or meets safety testing requirements.

4. Awareness Education
Regularly carry out awareness education on industrial control system cybersecurity, professional skills training, and assessments.

1. Host and Endpoint Security
Regularly upgrade virus databases and conduct malware scans, allow only applications that the enterprise has authorized and assessed for safety to be deployed, close unnecessary network service ports, and use two-factor authentication for critical hosts or endpoints.

2. Architecture and Boundary Security
Implement partition and domain management for industrial control networks, and enforce strict access control for wireless access devices and remote access devices.

3. Cloud Security
Utilize identity verification, secure communication, and other technologies to protect cloud platforms, and implement strict identification management for cloud devices to ensure security isolation between different business systems.

4. Application Security
Implement strict access control for critical application services, and conduct security testing for self-developed software either by the enterprise itself or by a third-party organization.

5. System Data Security
Conduct data classification and grading, establish directories for important and core data, and implement security protection throughout the data lifecycle. When providing data overseas, conduct cross-border data transfer assessments in accordance with laws and regulations.

1. Monitoring and Early Warning
Deploy monitoring and auditing devices or platforms to promptly detect and warn of security risks. Use honeypots and other threat capture technologies to enhance proactive defense capabilities.

2. Operation Center
Enterprises that have the means can establish a cybersecurity operation center to strengthen centralized risk investigation and rapid response capabilities.

3. Emergency Response

4. Security Assessment
Conduct risk assessments for newly built and upgraded systems, and conduct assessments related to protection capabilities for important industrial control systems at least once a year.

5. Vulnerability Management
Apply patches and security hardening in a timely manner, and conduct vulnerability scanning and patch upgrades for important industrial control systems.