Interpretation of the Information Security Technology Model for Industrial Control Systems

On November 1, 2022, GB/T 41400-2022 “Information Security Technology – Maturity Model for Information Security Protection Capability of Industrial Control Systems” (hereinafter referred to as “Industrial Control System Information Security Protection Capability Maturity Model“) will be officially implemented. This article will elaborate on how to assess the security protection capability of industrial enterprises and how to build industrial control security based on the new focus of industrial control security protection.(Follow our public account and reply “Maturity Model” in the dialog box to download the complete PDF).

1

Background of the Standard Preparation

In order to effectively implement the relevant requirements of the “State Council’s Opinions on Deepening the Development of Industrial Internet + Advanced Manufacturing Industry,” the National Information Security Standardization Technical Committee issued the national standard project number 20173585-T-469 in 2017, known as the “Information Security Technology Industrial Control System Information Security Protection Capability Evaluation Method.” Participating units include the China Electronics Technology Standardization Institute, the Ministry of Industry and Information Technology’s Electronic First Institute, and the National Information Technology Security Research Center. To support the work of the industry authorities for information security in industrial control systems and to meet the actual needs of industrial enterprises, the name was later modified to “Information Security Technology Industrial Control System Information Security Protection Capability Maturity Model.” This maturity model was voted on by 81 member units of the National Information Security Standard Technical Committee (hereinafter referred to as “Xinanbiao Committee”) on May 9, 2021, with unanimous approval of the standard, ultimately forming the draft for approval submitted by the Xinanbiao Committee. On April 15, 2022, the National Standards Committee officially released GB/T 41400-2022 “Information Security Technology – Maturity Model for Information Security Protection Capability of Industrial Control Systems,” which will be officially implemented on November 1, 2022. The development process of the entire standard is shown in Figure 1:

Interpretation of the Information Security Technology Model for Industrial Control Systems

Figure 1 Standard Development Process

2

Related Terms and Definitions

Table 1. Terms and Definitions of the Maturity Model

Interpretation of the Information Security Technology Model for Industrial Control Systems

The Relationship Description of the “3 Terms”: GP provides the level of information security protection PA and BP that each level of industrial control systems should achieve, offering principles and methodologies for classifying the levels of information security protection PA and BP, forming the level requirements of PA. The organization divides the capability maturity of each PA into 5 levels, proposing specific BP from 4 capability elements required for the organization at each level.

3

Scope of the Standard

The standard targets industrial enterprises as the implementation object, providing the maturity model for information security protection capability of industrial control systems, stipulating the maturity level requirements for core protection objects and general security, and proposing verification methods for capability maturity levels. This standard document is applicable to relevant parties involved in the design, construction, and operation of industrial control systems for building information security protection capabilities and verifying the maturity levels of organizational information security protection capabilities of industrial control systems.

4

Overall Framework of the Standard

Interpretation of the Information Security Technology Model for Industrial Control Systems

The architecture of the maturity model for information security protection capability of industrial control systems consists of the following three dimensions:

  • Capability Element Dimension: The capability elements of the organization’s information security protection for industrial control systems include organizational structure, institutional processes, technical tools, and personnel capabilities;
  • Capability Maturity Level Dimension: The maturity levels of the organization’s information security protection capability for industrial control systems are divided into five levels, specifically including: Level 1 is the basic construction level, Level 2 is the normative protection level, Level 3 is the integrated management level, Level 4 is the comprehensive collaboration level, and Level 5 is the intelligent optimization level.
  • Capability Building Process Dimension: The capability building process for the organization’s information security protection for industrial control systems includes core protection object security and general security:

(1) Core Protection Object Security includes: Industrial equipment security, industrial host security, industrial network boundary security, industrial control software security, and industrial data security, 5 process categories;

(2) General Security includes: Security planning and architecture, personnel management and training, physical and environmental security, monitoring and early warning and emergency response, supply chain security assurance, 5 process categories.

4.1 Capability Element Dimension

The capability elements refer to the quantification of the security capabilities that the organization should possess in the process of information security protection for industrial control systems, thereby verifying the implementation capabilities of each security process. The capability elements of the organization’s information security protection for industrial control systems include “2 levels, 4 contents”:

Interpretation of the Information Security Technology Model for Industrial Control Systems

4.2 Capability Maturity Level Dimension

The maturity levels of the organization’s information security protection capability for industrial control systems are divided into 5 levels (see Figure 3), from low to high: basic construction level, normative protection level, integrated management level, comprehensive collaboration level, and intelligent optimization level.

Interpretation of the Information Security Technology Model for Industrial Control Systems

Figure 3 Structure of the Maturity Levels for Information Security Protection Capability of Industrial Control Systems (5 Levels)

The 5 levels of the maturity model form a “stair-step” evolutionary framework, where Level 1 is the starting point. Any industrial enterprise preparing to evolve according to the maturity model system naturally starts at this point and progresses to Level 2. Except for Level 1, each level sets a group of objectives, and if this group of objectives is achieved, it indicates that the respective maturity level has been reached, allowing progression to a higher level. To gain a deeper understanding of the maturity model, the following interpretations of the objective requirements for each level are provided:

Level 1 – Basic Construction: At this level, the organization’s information security protection PA for industrial control systems can be identified, and a preliminary information security management system for industrial control systems has been established, but it is primarily based on the organization’s specific business scenarios and knowledge experience level, not yet forming a standardized and procedural work method;

Level 2 – Normative Protection: At this level, the management of the organization’s information security protection PA for industrial control systems complies with the standard’s regulations, and the execution of relevant BP is standardized, allowing for process verification against actual situations. The main difference from Level 1 “Basic Construction” is that the BP execution process is planned and managed in a standardized manner;

Level 3 – Integrated Management: At this level, the organization conducts centralized and unified management of industrial control system equipment, hosts, systems, networks, and data, forming a systematic institution. The main difference from Level 2 “Normative Protection” is the use of integrated tools to plan and manage information security for industrial control systems;

Level 4 – Comprehensive Collaboration: At this level, the organization comprehensively considers the information security risk needs of different production lines, plants, factories, and upstream and downstream related units in the industry chain, establishing a multi-level coordinated security protection system. The main difference from Level 3 “Integrated Management” is the comprehensive decision-making and collaborative protection during the execution process;

Level 5 – Intelligent Optimization: At this level, the organization deeply integrates existing security protection devices, systems, and institutional systems, forming a security protection system with self-decision-making and self-evolution capabilities. The main difference from Level 4 “Comprehensive Collaboration” is the intelligence and evolution of the execution process.

4.3 Capability Building Process Dimension

The industrial control security protection PA system is divided into core protection object security and general security, consisting of a total of 40 PAs. The core protection objects include 5 process categories, totaling 20 process domains (PA), and 188 basic practices (BP); general security includes 5 process categories, totaling 20 process domains (PA), and 177 basic practices (BP), with a total of 365 basic practices (BP). The architecture diagram of the industrial control system security protection PA system is shown in Figure 4, and the basic practice BP requirements at each capability level are shown in Figure 5:

Interpretation of the Information Security Technology Model for Industrial Control Systems

Figure 4 Architecture Diagram of the Industrial Control System Security Protection 20*PA System

Interpretation of the Information Security Technology Model for Industrial Control Systems

Figure 5 Basic Practice BP Requirements at Each Capability Level

Level 1: Basic Construction, with a total of 45 practices BP.Level 2: Normative Protection, with a total of 167 (45+122) practices BP;On the basis of Level 1, 122 additional practices BP have been added.Level 3: Integrated Management, with a total of 259 (167+92) practices BP;On the basis of Level 2, 92 additional practices BP have been added.Level 4: Comprehensive Collaboration, with a total of 320 (259+61) practices BP;On the basis of Level 3, 61 additional practices BP have been added.Level 5: Intelligent Optimization, with a total of 365 (320+45) practices BP;On the basis of Level 4, 45 additional practices BP have been added.Note:(1) PA Coding Rules The coding rules for industrial control system information security protection PA are as follows:a) Each PA has a corresponding number, represented by increasing values 01, 02, …, etc.;b) Each PA consists of several BPs, numbered as BP.XX.XX, where the first group of codes indicates the order of the PA, and the second group of codes indicates the specific BP order, with the specific BP order using increasing values 01, 02, …, etc.;c) For each level of each PA, the organization must achieve the BP of that level and all lower levels to reach the capability level of that level.(2) Relationship Description The relationships among capability maturity levels, PA, BP, GP, and capability elements are as follows:a) The organization divides the capability maturity of each PA into 5 levels, proposing specific BP from 4 capability elements required for the organization at each level;b) Not every PA’s capability maturity level includes all 4 capability elements;c) For each PA, the higher-level capability requirements should not be lower than all lower-level capability requirements, and the capability requirements for a certain level can be trimmed according to GB/T 32919—2016;d) General practices are numbered using GP, where the first digit represents the level and the second digit represents the GP order; GP provides the level of information security protection PA and BP that each level should achieve, offering principles and methodologies for classifying the levels of information security protection PA and BP, forming the level requirements of PA. For example, GP2.1 indicates the first GP of Level 2 (Normative Protection Level).Note: For a specific PA, if the capability requirements of Level 5 do not involve a certain capability element, it is assumed that the content of that capability element should be realized in the capability requirements of Level 4, and so on.

4.4 Capability Maturity Level Verification Process

The verification process for the maturity level of industrial control system information security protection capability mainly includes: forming a verification team, developing a verification plan, conducting on-site verification, and forming verification conclusions, comprising four parts (see Figure 6), where the solid line box represents self-assessment and diagnosis, and the dotted line box represents the added content of third-party verification. Industrial organizations can carry out improvements in industrial control system information security protection based on the verification conclusions.

Interpretation of the Information Security Technology Model for Industrial Control Systems

Figure 6 Capability Maturity Level Verification Process

The verification method for the maturity level of industrial control system information security protection capability adopts the idea of “Overall Compliance, Individual Qualification”, with the specific content as follows:a) To ensure the fairness and objectivity of the verification results, an evidence-based approach must be used, with evidence supporting the verification results for each detail. Evidence includes: records of interviews with responsible persons, institutional documents, equipment operation records, on-site inspection results, and test results, etc.;b) The enhancement of industrial control system information security protection capability is achieved through a gradual approach, meaning that organizations conduct verifications for higher maturity levels based on achieving lower maturity level requirements;c) All BPs in the maturity model for industrial control system information security protection capability have the same weight, and the overall passing rate must be above 80%, while the individual passing rate must be above 40%. That is, if the number of applicable BPs for the first to tenth process categories in a certain maturity level of the industrial control system information security protection capability is N1, N2, …, N10, and the number of BPs that meet the requirements in each process category is M1, M2, …, M10, then when the following two conditions are met simultaneously, the organization’s industrial control system information security protection capability reaches the corresponding maturity level:

1) (M1+M2+…+M10)/(N1+N2+…+N10) > 0.8;

2) Mi/Ni > 0.4 (0 < i < 11).

5

Recommended Steps for Using the Capability Maturity Model

First, when using the model, the organization should select the intended maturity level for the information security protection capability of industrial control systems based on the definition of the maturity levels and the actual business situation;

Secondly, after determining the intended maturity level, the organization should select applicable process domains for information security protection based on the business scenarios covered by the core protection objects of the industrial control system (for example, if Organization A does not have remote access, the process domain for remote access security should be removed from the verification scope);

Finally, based on an understanding of the content of the maturity model, the organization should identify the current state of information security protection capability of industrial control systems and analyze the differences between this state and the verification level, and based on this, develop a capability enhancement plan for information security protection for industrial control systems. As the organization’s business evolves, it can periodically review and clarify the suitable maturity level, gradually improving the information security protection capability of industrial control systems.The recommended process for using the capability maturity model adopts a “5-step method” as shown in the diagram below (Figure 7):

Interpretation of the Information Security Technology Model for Industrial Control Systems

Figure 7 Recommended Steps for Using the Capability Maturity Model

6

Expected Implementation Results

This standard refines the 11 protective requirements of the “Guidelines for Information Security Protection of Industrial Control Systems” into a total of 10 process categories, 40 process domains (PA), and 365 basic practices (BP), providing the maturity model for information security protection capability of industrial control systems, stipulating the maturity level requirements for core protection objects and general security, and proposing verification methods for capability maturity levels. The standard focuses on implementing the requirements of guidelines and related policy documents, proposing information security protection requirements for industrial control throughout the entire lifecycle of design, construction, and operation in the new situation of industrial control security protection; the implementation and application of this standard will help guide industrial enterprises to gradually enhance their own information security protection capability construction. Meanwhile, the promotion and implementation of this standard can effectively support the industry authorities for industrial control security, comprehensively understand the current level of information security protection capability of industrial enterprises in China, and provide standardized and visualized support for industrial control security management work.Interpretation of the Information Security Technology Model for Industrial Control SystemsIntroduction to WinutInterpretation of the Information Security Technology Model for Industrial Control Systems

Beijing Winut Technology Co., Ltd. (referred to as: Winut) is a leader in the domestic industrial control security industry and a subsidiary of the China State-owned Capital Venture Investment Fund. With outstanding technical innovation capabilities, it has become one of the six companies worldwide that have obtained the ISASecure certification from the International Society of Automation and one of the first national-level specialized and innovative “little giant” enterprises.

Winut relies on its pioneering core technology concept of the industrial network “White Environment” and is based on its independently developed full range of industrial control security products to provide full lifecycle deep defense solutions and specialized security services for important national industry users such as electricity, rail transit, petroleum and petrochemicals, municipal administration, tobacco, intelligent manufacturing, and military industry. To date, it has achieved safe and compliant operations for over 4,000 industry clients in China and along the Belt and Road.

As China’s national team in industrial control security, Winut actively promotes the construction of industrial clusters to build an ecosystem, leads and participates in the formulation of national and industry standards in the field of industrial control security, and major activities to ensure network security, always taking the protection of China’s critical information infrastructure network space security as its mission and committed to becoming a backbone force in building a strong cyber power!

Interpretation of the Information Security Technology Model for Industrial Control Systems

Interpretation of the Information Security Technology Model for Industrial Control Systems

Interpretation of the Information Security Technology Model for Industrial Control Systems

Interpretation of the Information Security Technology Model for Industrial Control Systems

Interpretation of the Information Security Technology Model for Industrial Control SystemsChannel Cooperation Consultation: Ms. Chen 15611262709Manuscript Cooperation: WeChat: shushu12121

Leave a Comment