Establishment of Working Group on Information Security Level Standard Drafting

Establishment of Working Group on Information Security Level Standard Drafting

In order to quickly formulate information security level protection standards for industrial control systems and meet national needs and industry applications, the National Industrial Process Measurement, Control, and Automation Standardization Technical Committee (SAC/TC124) organizes relevant industry experts to set up a working group for the drafting of industrial control information security level standards, and The draft standard discussion meeting was held in Guangzhou from April 6th to 7th, 2016. Experts participating in this conference were from the Third Institute of the Ministry of Public Security, Zhejiang University, Institute of Instrument and Meter Technology, National Institute of Information Technology and Security, China Software Testing and Evaluation Center, and the Fifth Institute of Electronics, Ministry of Industry and Information Technology , Beijing Rail Transit Design & Research Institute Co., Ltd., Sinopec Qilu Petrochemical Company, Southwest Electric Power Design Institute, Beijing Guodian Zhishen Control Technology Co., Ltd., Siemens (China) Co., Ltd., Schneider Electric (China) Co., Ltd., Beijing, and Liszt Systems Engineering company and other units.

IPC Security Working Group held a draft standard seminar in Guangzhou

The meeting was chaired by Professor Wang Yumin of the SAC/TC124 Secretariat. Yuan Jing, a researcher from the Third Institute of the Ministry of Public Security, gave a lecture on “Level Protection Policy and Standard Explanation” and explained to the participating experts GB/T 22239.1. Relationship with this standard. The Deputy Director of the Institute of Instrument Technology, Institute of Integrated Technology and Economics of Machinery Industry, Mr. Mei Wei, elaborated the importance and significance of the establishment of the grade protection standards for industrial control systems in terms of national needs and industry needs.

Experts at the meeting carefully discussed the contents of the draft standard, and in particular analyzed in depth whether the classes in GB/T 22239.1 and related control points are applicable to industrial control systems such as Baoding. Finally, based on the determination of the system as the industrial security and other Baoding level, the working group of experts reached an agreement: in order to speed up the standard setting process, after the meeting by the SAC/TC124 Secretariat and related units according to the meeting's expert opinion, according to GB/T30976 .1-2014 and IEC62443-3-3 modify the draft standard, map the draft standard to the control points in GB/T 22239.1, and modify the draft standard according to the technical requirements and management requirements of the industrial control. And in June 30 before soliciting opinions in various industries.

Information security level protection system is the basic system, strategy, and method for national information security protection work. It is the fundamental guarantee for promoting the healthy development of information, safeguarding national security, social order, public interest, environmental protection, and personal safety. The Notice on Strengthening the Information Security Management of Industrial Control Systems (No. [2011] No. 451) issued by the Ministry of Industry and Information Technology clearly clarified the importance of strengthening the information security protection of industrial control systems.

Related reports: Last week, the US Department of Homeland Security’s ICS-CERT released three security announcements on the Industrial Control System (ICS) this week, re-emphasizing the serious security threats currently faced by infrastructure and industrial networks.

One of the bulletin ICSA-16-056-01 describes a memory access violation error in Rockwell Automation's Integrated Architecture Construction Tool (IAB) application. Once used successfully, it will allow the attacker to execute malicious code with the same permissions as the IAB tool. It can only be used by local users and it has now been fixed.

In a recent blog post summarizing current ICS threats, Fortinet’s Ruchna Nigam emphasized: “Most industrial control systems come from different vendors and run proprietary operating systems, applications, and protocols (including GE, Rock Vail, DNP3, and Modbus. As a result, security solutions based on the host and developed for the IT department almost do not apply to ICS."

Establishment of Working Group on Information Security Level Standard Drafting