
Recently, the Ministry of Industry and Information Technology (MIIT) issued the "Guidelines for Network Security Protection of Industrial Control Systems" (hereinafter "the Guidelines"), which set out 33 baseline security protection requirements in four areas: security management, technical protection, security operations, and implementation of responsibilities.
Industrial control systems are the core of industrial production, so their network security bears on enterprise operations and production safety, on the security and stability of industrial and supply chains, on economic and social functioning, and on national security. The Guidelines are positioned as a guidance document to help industrial enterprises carry out network security protection. They balance development with security, and their 33 baseline requirements across security management, technical protection, security operations, and implementation of responsibilities are intended to resolve the prominent network security problems industrial control systems face as China pursues new industrialization.
Security management covers four areas. The first is asset management. Enterprises should comprehensively inventory typical industrial control systems such as programmable logic controllers (PLCs), distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems, together with related equipment, software, data and other assets; designate the department and person responsible for asset management; establish an asset list for industrial control systems; and update it promptly as asset status changes. Asset checks should be carried out regularly, covering at least system configuration, permission assignment, log auditing, malware scanning, data backup and equipment operating status. A list of important industrial control systems should be established and regularly updated according to the importance and scale of the business they support and the harm a network security incident would cause, and these systems should receive priority protection. Key industrial hosts, network equipment and control equipment associated with important industrial control systems should have redundant backups.
The second is configuration management. Strengthen account and password management: avoid default or weak passwords and rotate passwords regularly. Follow the principle of least privilege, assign account permissions appropriately, disable unnecessary default system accounts and administrator accounts, and promptly remove expired accounts. Maintain a list of industrial control system security configurations and a list of policy configurations for security protection equipment. Audit these configuration lists regularly, adjust configurations promptly as protection requirements change, subject major configuration changes to strict security testing beforehand, and implement a change only after it passes testing.
The third is supply chain security. Agreements signed with industrial control system manufacturers, cloud service providers, security service providers and other suppliers should clearly define the security responsibilities and obligations of each party, including scope of management, division of responsibilities, access authorization, privacy protection, code of conduct and liability for breach. When PLCs or other equipment listed in the network critical equipment catalogue are used in industrial control systems, the equipment should have been security-certified by a qualified institution or have passed the required security testing.
The fourth is awareness and education. Regularly carry out awareness programmes on the laws, regulations, policies and standards relevant to industrial control system network security to raise the security awareness of enterprise personnel, and regularly train and assess the professional skills of personnel who operate and maintain industrial control systems and networks.
Technical protection covers five areas. The first is host and terminal security. Deploy antivirus software on hosts such as engineering workstations, operator stations and industrial database servers, update the signature databases regularly and scan for malware, to prevent the spread of ransomware and other malicious software. Scan storage media for viruses, Trojans and other malicious code before connecting them to industrial hosts. Hosts may use application whitelisting so that only software authorized and security-evaluated by the enterprise can be installed and run, and upgrades to operating systems, databases and important application software should be carried out in a planned manner. Remove or disable unnecessary external interfaces such as universal serial bus (USB) ports, optical drives and wireless interfaces on industrial hosts, and close unnecessary network service ports; where external devices are genuinely required, enforce strict access control. Require user authentication for access to industrial hosts, industrial intelligent terminals (control devices, intelligent instruments and the like) and network devices (industrial switches, industrial routers and the like), and use two-factor authentication for access to critical hosts or terminals.
The second is architecture and boundary security. Based on the characteristics and scale of the business and the importance of the production process, partition the industrial control network (industrial Ethernet, industrial wireless networks and so on) into zones and domains, and deploy industrial firewalls, network gatekeepers (gap devices) and similar equipment to achieve horizontal isolation between domains. Where the industrial control network connects to the enterprise management network or the Internet, implement vertical protection between the networks and audit network behaviour. Authenticate devices when they join the industrial control network. Where fifth-generation mobile communications (5G), wireless local area networks (Wi-Fi) or other wireless technologies are used to form a network, define strict network access control policies, authenticate wireless access devices, audit wireless access points regularly, and disable service set identifier (SSID) broadcasting to prevent unauthorized devices from connecting. Strictly control remote access: do not expose unnecessary high-risk general network services such as hypertext transfer protocol (HTTP), file transfer protocol (FTP), Telnet and remote desktop protocol (RDP) from the industrial control system to the Internet, and for services that must be exposed, use a secure access proxy or similar technology to authenticate both the user and the application.
During remote maintenance, use IPsec, SSL/TLS or similar protocols to build a secure network channel (for example a virtual private network, VPN), strictly limit the scope and duration of access, and retain and audit logs. When cryptographic protocols and algorithms are used in industrial control systems, follow the relevant laws and regulations; commercial cryptography is encouraged as the preferred means of encrypting network communications, authenticating device identities and securing data in transit.
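The configuration-management, host-hardening and boundary items above are written as baselines, and in practice a security team turns the "security configuration list" into a recurring, automated audit. The script below is an added illustration of that approach, not part of the Guidelines or any MIIT tooling: it encodes a handful of the items (high-risk services exposed to the Internet, default accounts and password rotation, removable media, antivirus signature age, application whitelisting, two-factor authentication on critical assets, SSID broadcast on access points) as checks and runs them over a constructed inventory. The asset names, the account list, the 90-day password age and the 7-day signature age are assumed values for the example, not figures from the Guidelines.

```python
"""Baseline configuration audit for industrial hosts and network devices.

Added example, not part of the Guidelines. Encodes a few baseline items as
machine-checkable rules and runs them over a constructed asset inventory.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Assumed thresholds for this example (the Guidelines set no specific figures).
MAX_PASSWORD_AGE_DAYS = 90
MAX_SIGNATURE_AGE_DAYS = 7
# Services the Guidelines name as high-risk when exposed to the Internet.
HIGH_RISK_PORTS = {80: "HTTP", 21: "FTP", 23: "Telnet", 3389: "RDP"}
# Constructed sample of default/vendor account names that should be disabled.
DEFAULT_ACCOUNTS = {"admin", "guest", "administrator"}


@dataclass
class Asset:
    name: str
    kind: str                                   # "host", "switch", "ap", "plc"
    critical: bool = False                      # on the important-systems list
    internet_ports: set[int] = field(default_factory=set)   # ports reachable from the Internet
    accounts: dict[str, int] = field(default_factory=dict)  # enabled account -> password age (days)
    removable_media: bool = False               # USB port / optical drive enabled
    media_access_control: bool = False          # compensating control where media is required
    app_whitelist: bool = False
    two_factor: bool = False
    signature_age_days: int | None = None       # antivirus signature age; None = not deployed
    ssid_broadcast: bool = False                # meaningful for access points only


def exposed_services(a: Asset) -> list[str]:
    return [f"{HIGH_RISK_PORTS[p]} exposed to the Internet"
            for p in sorted(a.internet_ports) if p in HIGH_RISK_PORTS]


def account_hygiene(a: Asset) -> list[str]:
    out = []
    for name, age in a.accounts.items():
        if name in DEFAULT_ACCOUNTS:
            out.append(f"default account '{name}' still enabled")
        if age > MAX_PASSWORD_AGE_DAYS:
            out.append(f"password for '{name}' not rotated for {age} days")
    return out


def host_hardening(a: Asset) -> list[str]:
    if a.kind != "host":
        return []
    out = []
    if a.removable_media and not a.media_access_control:
        out.append("removable media enabled without access control")
    if a.signature_age_days is None:
        out.append("no antivirus deployed")
    elif a.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        out.append(f"antivirus signatures {a.signature_age_days} days old")
    if a.critical and not a.app_whitelist:
        out.append("critical host without application whitelisting")
    return out


def authentication(a: Asset) -> list[str]:
    return ["critical asset without two-factor authentication"] if a.critical and not a.two_factor else []


def wireless(a: Asset) -> list[str]:
    return ["SSID broadcast enabled"] if a.kind == "ap" and a.ssid_broadcast else []


CHECKS: list[Callable[[Asset], list[str]]] = [
    exposed_services, account_hygiene, host_hardening, authentication, wireless,
]


def audit(assets: list[Asset]) -> dict[str, list[str]]:
    """Return findings per asset; an empty list means the asset passed every check."""
    return {a.name: [f for check in CHECKS for f in check(a)] for a in assets}


# Constructed inventory; names and values are illustrative only.
SAMPLE_ASSETS = [
    Asset("ENG-01", "host", critical=True, internet_ports={3389},
          accounts={"admin": 400, "eng_zhang": 30}, removable_media=True,
          signature_age_days=45),
    Asset("OPS-02", "host", critical=True, accounts={"op_li": 20},
          removable_media=True, media_access_control=True,
          app_whitelist=True, two_factor=True, signature_age_days=2),
    Asset("SW-CORE", "switch", critical=True, accounts={"netadm": 10}, two_factor=True),
    Asset("AP-SHOP", "ap", accounts={"admin": 5}, ssid_broadcast=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ASSETS).items():
        print(name, "- compliant" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Each check is deliberately a small pure function over the inventory record, so adding a new baseline item (for example, a redundancy check for equipment tied to important systems) means appending one function to CHECKS rather than touching the audit loop. Feeding the real inventory in, rather than the constructed sample, is a matter of populating Asset records from whatever the asset list is kept in.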
The third is cloud security. Enterprises that build their own industrial cloud platforms should use user authentication, access control, secure communication, intrusion prevention and similar technologies to prevent illegal operations, network attacks and other malicious behaviour. When industrial equipment is connected to the cloud, the connected equipment should be subject to strict identity management: devices should use mutual authentication when accessing the industrial cloud platform, and unauthenticated devices should be denied access. When business systems are deployed to the cloud, the operating environments of different business systems should be securely isolated from one another.
The fourth is application security. Require user authentication for access to application services such as manufacturing execution systems (MES), configuration (SCADA/HMI) software and industrial databases; for critical application services, use two-factor authentication and strictly limit the scope and duration of access. Industrial control system software developed in-house by an industrial enterprise should pass security testing, performed by the enterprise itself or by a commissioned third party, before it goes into production.
The fifth is system data security. Regularly inventory the data generated by the operation of industrial control systems, classify and grade it in line with the actual business, identify important data and core data, and maintain a catalogue. Use cryptographic techniques, access control, disaster recovery backup and similar measures to protect data throughout collection, storage, use, processing, transmission, provision and disclosure. Important data and core data that laws and administrative regulations require to be stored within China must be stored domestically; where such data genuinely needs to be provided overseas, a cross-border data transfer security assessment must be carried out in accordance with the law.
Security operations cover five areas. The first is monitoring and early warning. Deploy monitoring and auditing equipment or platforms in the industrial control network to detect and warn of security risks such as system vulnerabilities, malware, network attacks and intrusions in a timely manner, without affecting the stable operation of the system. At the boundary between the industrial control network and the enterprise management network or the Internet, threat-deception technologies such as industrial control system honeypots may be used to capture attacks and improve active defence capabilities.
The second is the security operations centre. Enterprises with the means may establish a network security operations centre for industrial control systems and use security orchestration, automation and response (SOAR) and similar technologies to manage security equipment and its policies centrally, monitor network security threats comprehensively, and improve centralized risk investigation and rapid incident response.
The third is emergency response. Develop emergency plans for industrial control security incidents, define reporting and handling procedures, evaluate and revise the plans as circumstances change, and hold regular drills. When an incident occurs, activate the plan immediately, take emergency response measures, and handle the incident promptly and safely. Access and operation logs of important equipment, platforms and systems must be retained for at least six months and backed up regularly, so that incidents can be traced and evidence collected afterwards. Regularly test backup and recovery of important system applications and data to ensure that the industrial control system can be restored to normal operation within an acceptable time in an emergency.
The fourth is security assessment. Conduct a security risk assessment before a new or upgraded industrial control system goes live and before the industrial control network is connected to the enterprise management network or the Internet. For important industrial control systems, the enterprise should carry out an industrial control security protection capability assessment at least once a year, either itself or through a commissioned professional third party.
The fifth is vulnerability management. Closely follow releases of major industrial control security vulnerabilities and their patches from sources such as MIIT's Network Security Threat and Vulnerability Information Sharing Platform, and upgrade promptly; where an upgrade is not possible in the short term, apply targeted hardening instead. Regularly scan important industrial control systems for vulnerabilities. When a major vulnerability is found, patches or hardening measures may only be deployed after they have been tested and verified.
Implementation of responsibilities covers two areas. First, industrial enterprises bear primary responsibility for the security of their own industrial control systems: they should establish an industrial control security management system, designate responsible persons and departments, and implement protection responsibilities according to the principle that "whoever operates is responsible, whoever is in charge is responsible". Second, enterprises should guarantee the necessary resources so that security protection measures are planned, built and put into use in step with the industrial control systems themselves.