
Fully respond to the "Guidelines for Network Security Protection of Industrial Control Systems" and escort the road to new industrialization

Author: NSFOCUS

Industrial control systems (ICS) are the core of industrial production and operations. As the digital transformation of manufacturing accelerates, industrial control systems are clearly becoming more digital, networked and intelligent, the network security risks facing industrial enterprises are growing day by day, and enterprises urgently need to strengthen their network security protection. To adapt to the network security situation of industrial control systems in the new era, further guide enterprises in raising their level of industrial control security protection, and consolidate the security foundation for the development of new industrialization, the Ministry of Industry and Information Technology (MIIT) issued the "Guidelines for Network Security Protection of Industrial Control Systems" (MIIT Network Security [2024] No. 14, hereinafter the "Guidelines") on January 30, 2024.


Interpretation of the guidelines

The Guidelines give recommendations on 16 aspects across 4 dimensions, namely security management, technical protection, security operations, and responsibility implementation, with a total of 33 protection requirements.


Focus on security risk management and control, highlight the key objects of management, and improve the industrial control security management capabilities of industrial enterprises

Asset management

Identify the departments and persons responsible for asset management, and apply key protection to the systems on the list of important industrial control systems.

Configuration management

Strengthen password management, set account permissions according to the principle of least privilege, and establish a security configuration list for industrial control systems.

Supply chain security

Clarify the security responsibilities and obligations of all suppliers, and use equipment that has been certified by a qualified organization or has passed security testing.

Publicity and education

Regularly carry out network security awareness publicity and education, as well as professional skills training and assessment for industrial control systems.

Focus on the weak and key links of security, strengthen technical response strategies, and improve the industrial control security protection capabilities of industrial enterprises

Host and endpoint security

Regularly update virus signature databases and detect and remove malware; deploy and run only application software that has been authorized by the enterprise and evaluated for security; close unnecessary network service ports; and adopt two-factor authentication for key hosts or terminals.

Architecture & Perimeter Security

Implement zoning and domain segmentation of the industrial control network, and apply strict access control to wireless access devices and remote access devices.

Cloud security

Use technologies such as identity authentication and secure communication to protect the cloud platform, implement strict identity management for cloud-connected devices, and ensure security isolation between different business systems.

Application security

Apply strict access control to key application services, and conduct security testing of self-developed software, either in-house or by entrusting a third-party institution.

System data security

Carry out data classification and grading, establish a catalog of important data and core data, implement security protection across the entire data life cycle, and, where data must be provided overseas, conduct data export security assessments in accordance with laws and regulations.

Focus on network security risks, enhance threat detection and handling capabilities, and improve the security operations capabilities of industrial enterprises

Monitoring and early warning

Deploy monitoring and auditing equipment or platforms to detect and warn of security risks in a timely manner, and use threat trapping techniques such as honeypots to improve active defense capabilities.

Operations center

Enterprises with the necessary conditions may establish a network security operations center to improve centralized investigation of risks and hidden dangers and rapid response to incidents.

Emergency response

Formulate emergency plans and carry out emergency drills regularly; back up log data and ensure it is retained for no less than six months to support post-incident tracing and forensics; and regularly carry out backup and recovery tests for important system applications and data.

Security assessments

Carry out risk assessments of new and upgraded systems, and carry out protection capability assessments of important industrial control systems at least once a year.

Vulnerability management

Carry out vulnerability patching and security hardening in a timely manner, and carry out vulnerability investigation and patch upgrades for important industrial control systems.

Focus on resource guarantees for industrial enterprises, balance development and security as a whole, and urge enterprises to implement their network security responsibilities

Implement the responsible entity

Industrial enterprises bear the primary responsibility for their own industrial control security. They shall establish an industrial control security management system, identify the responsible persons and departments, and implement responsibility for industrial control security protection according to the principle that whoever operates a system is responsible for it and whoever is in charge of it is responsible for it.

Strengthen resource protection

Strengthen enterprise resource guarantees to ensure that security protection measures are planned, built and put into use in step with the industrial control systems themselves.

Original link: https://www.miit.gov.cn/gyhxxhb/jgsj/wlaqglj/zcjd/art/2024/art_e664d2855f3541019f8951ccf1deaa30.html

Protection recommendations

In response to the 33 protection requirements, NSFOCUS recommends protection measures in four areas (the recommendation tables are presented as images in the original article):

Security management

Technical protection

Security operations

Responsibility implementation

Escort the road to new industrialization


NSFOCUS new industrialization security product panorama

1. NSFOCUS industrial network security monitoring and management platform

From the perspective of industrial control security, the NSFOCUS Industrial Network Security Monitoring and Management Platform inventories the IT and OT assets of the industrial control system and collects security data, including business device logs, security device events, network traffic data, and security device configurations. The platform analyzes and presents the collected results in a unified manner and discovers abnormal behaviors within the industrial control network, such as new assets, abnormal timing, new relationships, load changes, and abnormal access, so as to provide early warning of and response to on-site industrial control security events.

2. NSFOCUS industrial control system safety inspection tool

The NSFOCUS Industrial Control System Security Inspection Tool is a network security inspection tool for industrial control systems with three inspection methods: information investigation and collection, manual evaluation and inspection, and technical inspection. It has 7 technical inspection functions and 10 knowledge bases required for the inspection process, covering industrial control system asset discovery, asset configuration verification, asset security vulnerability inspection, host information collection, communication traffic diagnosis, wireless Wi-Fi inspection, and firmware malicious code inspection. The product takes the form of a rugged notebook that is light and easy to carry, smooth to operate, easy to use and stable. It is suitable for inspecting a wide range of industrial control scenarios and does not disturb on-site business.

3. NSFOCUS Host Guard System

The NSFOCUS Host Guard System is a terminal security protection product for hardening monitoring hosts, engineer stations, operator stations, data servers and other equipment in industrial control systems. Because the business environment of industrial control terminals is relatively fixed and stable, the system adopts a whitelist mechanism and system hardening technology to block the execution of all unknown programs and scripts, and performs virus scanning before hardening. This not only resists known and unknown malicious code effectively, but also avoids the problem of outdated virus databases in traditional antivirus software, securing the host operating environment at its root.

4. NSFOCUS USB security management system

The NSFOCUS USB Security Management System is a security protection product designed for the isolation, scanning and removal of viruses on USB storage media. It uses strong authorization to control the access of USB storage media, performs real-time virus detection, isolation and alarming on the data files in the media, and records and audits uploaded and downloaded files. It effectively prevents files on USB storage media from carrying viruses into the host system, improving the security of the system and the intranet and avoiding security incidents caused by externally introduced viruses.

5. NSFOCUS Industrial Firewall

The NSFOCUS Industrial Firewall is a next-generation perimeter protection product designed for industrial network security needs. It can deeply parse and control a range of industrial protocols (MQTT, Modbus, NC-LINK, etc.) and also provides intrusion prevention and content filtering. As a new generation of comprehensive perimeter protection platform, the product focuses on protecting scenarios such as the internal network of the industrial Internet of Things, the boundary between the industrial network and the information network, and the egress boundary of the industrial Internet.

6. NSFOCUS Industrial Safety Isolation Device

The NSFOCUS Industrial Safety Isolation Device (ISID) consists of an internal network processing unit, an external network processing unit and a secure data exchange unit. The secure data exchange unit ferries data between hosts on the internal and external networks at a specified period, achieving reliable and efficient secure data exchange while keeping the internal and external networks isolated. ISID strips industrial control protocol packets layer by layer and accurately identifies and controls protocol content such as function codes and register addresses, securing the user's information system while keeping customer applications as convenient as possible. ISID also supports industrial data collection and forwarding, which solves both the problem of collecting complex industrial protocols and forwarding them over a single standard protocol on industrial sites, and users' need for perimeter isolation. The product is mainly used at the boundaries between the process control layer, the process monitoring layer and the enterprise management layer in industrial scenarios. Its "2+1" physical structure and one-way isolation technology provide multiple layers of protection and isolation for industrial networks, industrial assets and data, and it has been deployed at scale in many industrial sectors to protect the industrial network security perimeter.
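As an added illustration (not NSFOCUS code) of the deep protocol inspection described for the Industrial Firewall and ISID above, the following Python parses a Modbus/TCP request and applies an allowlist on function codes and register addresses. The policy values and the sample frames are constructed for the demonstration; a real deployment would derive them from the site's own asset and configuration lists.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# Modbus function codes referenced by the policy below (standard values)
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_CODES = (WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int  # 0 for function codes this parser does not decode
    quantity: int       # 0 for function codes this parser does not decode


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the register fields of the PDU.

    MBAP: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts every byte after itself, i.e. len(frame) - 6.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    start, qty = 0, 0
    if fc in (READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS, WRITE_MULTIPLE_REGISTERS):
        if len(frame) < 12:
            raise ValueError("truncated register request")
        start, qty = struct.unpack(">HH", frame[8:12])
    elif fc == WRITE_SINGLE_REGISTER:
        if len(frame) < 12:
            raise ValueError("truncated single-register write")
        start, qty = struct.unpack(">H", frame[8:10])[0], 1
    return ModbusRequest(tid, uid, fc, start, qty)


# Constructed allowlist: reads are permitted, writes only to setpoint
# registers 100..109 on unit 1; every other request is denied.
POLICY = {
    "allowed_function_codes": {READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS, *WRITE_CODES},
    "writable_ranges": {1: [(100, 109)]},  # unit id -> inclusive register ranges
}


def check_request(frame: bytes, policy=POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason) for one Modbus/TCP request frame."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"malformed frame: {exc}"
    if req.function_code not in policy["allowed_function_codes"]:
        return False, f"function code 0x{req.function_code:02x} not in allowlist"
    if req.quantity < 1:
        return False, "register count must be at least 1"
    if req.function_code in WRITE_CODES:
        last = req.start_address + req.quantity - 1
        ranges = policy["writable_ranges"].get(req.unit_id, [])
        if not any(lo <= req.start_address and last <= hi for lo, hi in ranges):
            return False, f"write to registers {req.start_address}-{last} on unit {req.unit_id} denied"
    return True, f"fc 0x{req.function_code:02x} unit {req.unit_id} regs {req.start_address}+{req.quantity}"


def build_frame(tid: int, uid: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used only to construct the samples)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample traffic: two legitimate requests and four that must be denied.
SAMPLE_FRAMES = {
    "read_10_holding": build_frame(1, 1, struct.pack(">BHH", 0x03, 0, 10)),
    "write_setpoint_100": build_frame(2, 1, struct.pack(">BHH", 0x06, 100, 0x1234)),
    "write_105_to_114": build_frame(3, 1, struct.pack(">BHHB", 0x10, 105, 10, 20) + b"\x00" * 20),
    "write_unit2": build_frame(4, 2, struct.pack(">BHH", 0x06, 100, 1)),
    "diagnostics": build_frame(5, 1, struct.pack(">BHH", 0x08, 0, 0)),
    "truncated": b"\x00\x06\x00\x00\x00\x06\x01",
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        allowed, reason = check_request(frame)
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```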

7. NSFOCUS IoT access gateway

The NSFOCUS IoT Access Gateway integrates a range of security functions, such as automatic discovery of devices across the network, real-time alarming of device failures, automatic vulnerability detection, automatic screening of access, automatic analysis of network behavior, automatic blocking of violations, and automatic infrastructure management, as well as discovery of abnormal assets such as counterfeit and conflicting devices on the network. It can be used for device management, access and blocking management, violation detection, fault detection, and weak password and vulnerability detection; it supports multiple deployment modes such as bypass, in-line and routed, and can be deployed at multiple levels and expanded flexibly.

8. NSFOCUS O&M security management system

The NSFOCUS O&M Security Management System (OSMS, commonly known as a bastion host) is based on the 4A management concept of account, authentication, authorization and audit. It adopts the principles of separation of duties and least privilege and uses protocol proxy technology to achieve accurate identification beforehand, fine-grained control during operations, and accurate auditing afterwards. This helps enterprises move from the traditional mode of passively responding to IT security O&M to a centralized, user-oriented, proactive O&M security management and control mode, reducing human security risks, meeting compliance requirements and protecting enterprise interests.

9. NSFOCUS Edge Computing Intelligent Gateway

The NSFOCUS Edge Computing Intelligent Gateway (SGEC) focuses on industrial Internet application scenarios. It combines the cloud business needs and security requirements of industrial enterprises, adopts a microservice architecture, integrates functional safety and information security capabilities, and forms a complete industrial Internet edge computing security product covering industrial data collection, edge computing and edge security. It supports a variety of industrial communication protocols, edge computing capabilities, and comprehensive security services such as static vulnerability scanning, instruction auditing, access control, firewalling and encrypted transmission, all of which can be deployed flexibly on demand, providing customers with a one-stop edge computing security product.

10. NSFOCUS Data Safe

Based on trusted execution environment (TEE) hardware, NSFOCUS Data Safe adopts core technologies such as encrypted virtual machines and log auditing, and provides security capabilities such as confidential computing and audit traceability, which can support a variety of application scenarios including data storage and controllable sharing.

11. NSFOCUS Data Leakage Prevention System

The NSFOCUS Data Leakage Prevention System is a data security protection product based on network protocol analysis and control technology. The product combines passive auditing with active defense: it obtains the traffic to be inspected through a mirror (bypass) or in-line bridge deployment, deeply analyzes outbound data behavior, discovers and blocks data leakage risks, and records and quantifies them.

12. NSFOCUS Sensitive Data Discovery and Risk Assessment System

The NSFOCUS Sensitive Data Discovery and Risk Assessment System is a self-developed product for data asset mapping, data flow mapping and data security risk assessment. It builds on NSFOCUS's big data security research, years of vulnerability research, protocol parsing capabilities and in-depth content analysis of many big data components, and provides sensitive data discovery, data classification and grading, data asset mapping, data flow mapping, big data component discovery and scanning, data security risk assessment and other capabilities.

13. NSFOCUS Data Security Inspection System

The NSFOCUS Data Security Inspection System is a product developed independently by NSFOCUS based on relevant regulatory requirements and extensive data security research experience. According to the relevant standards, the product helps supervisory units proactively inspect the data security risks of inspected units and discover them quickly. It also helps inspected units conduct self-inspection and self-correction, assess their own data security risks, rectify them in a timely manner, and pass inspections smoothly. Its functions include data security inspection program management, data security inspection management, data security technical inspection, data collection and data analysis knowledge base management, together with technical detection engines such as a vulnerability detection engine, network traffic detection engine, network asset identification engine, data interface detection engine, data collection engine and data analysis engine.

14. NSFOCUS Industrial Control Safety Audit System

The NSFOCUS Industrial Control Security Audit System (SAS-ICS) is an audit product dedicated to security monitoring of industrial control network traffic. Based on an understanding of the industrial control environments of different business systems and in-depth decoding of protocol specifications, it perceives potentially abnormal operations in the system. While collecting, analyzing, identifying, inventorying and tracking assets in the industrial control system, it dynamically monitors communication content, network behavior and network traffic in real time, discovers and captures sensitive information and violations, and raises alarms in real time.

15. NSFOCUS Industrial Control Security Intrusion Detection System

The NSFOCUS Industrial Control Security Intrusion Detection System is an intrusion detection product for the industrial control field. It inspects network communication in real time, accurately identifies traditional attacks such as buffer overflows, scanning, DoS/DDoS, SQL injection, worms, Trojans and spyware, and has a rich built-in rule set for attacks on industrial control systems. Using a self-learning baseline model, it can customize security policies for industrial control protocols, detect abnormal operations in depth in the context of the business, send alarms to administrators promptly through diverse channels, and form a defense-in-depth system together with gateway protection products such as industrial firewalls.

16. NSFOCUS Industrial Control Vulnerability Scanning System

The NSFOCUS Industrial Control Vulnerability Scanning System (ICSScan) is a vulnerability scanning system developed for the industrial field. It supports vulnerability scanning, configuration verification and web scanning of IT/OT assets, covering vulnerabilities in mainstream operating systems, industrial software, databases and network components; it supports network topology views of industrial field assets and equipment, helping customers control and view the overall risk of field devices on the basis of asset management; and it supports static scanning to reduce the risk that scanning poses to field devices.

17. NSFOCUS Advanced Threat Hunting System

The NSFOCUS Advanced Threat Hunting System uses deception defense technology (next-generation honeypots) to accurately trap attack behavior and provide clues about intrusion activity, and combines this with tracing countermeasures and threat intelligence to help customers build attacker profiles and protect their assets.

18. NSFOCUS log audit system

The NSFOCUS Log Audit System is a comprehensive log management platform built on a big data architecture. It manages the full life cycle of logs through large-scale log collection, normalization of heterogeneous device logs, and correlation analysis of security events. It helps O&M personnel monitor network security incidents across multiple dimensions, before the event (discovering security risks), during the event (analysis and backtracking) and after the event (investigation and evidence collection), and helps enterprises meet the requirements of the Cybersecurity Law and classified protection compliance.

19. NSFOCUS Threat and Vulnerability Management Platform

The NSFOCUS Threat and Vulnerability Management Platform is designed to build an expert-level, enterprise-specific asset vulnerability management platform based on the current state of vulnerability management in various industries, combined with NSFOCUS's cloud-based professional vulnerability intelligence and traditional enterprise vulnerability scanning tools. It proposes a risk-based approach to vulnerability management that covers the entire attack surface, provides insight into vulnerability priority, and achieves active defense, dynamic and continuous risk monitoring, and a closed loop. Taking the platform as the starting point, it builds a full-life-cycle vulnerability management system oriented to enterprise vulnerability management: it combines external vulnerability intelligence, works from the perspective of asset security with risk priority at its core, integrates multi-source vulnerability data, focuses on key risks, quantifies risk indicators, and manages and operates vulnerabilities across their whole life cycle, so as to establish asset vulnerability management capabilities with rapid response, orderly patching and continuous optimization. This meets customers' compliance needs and improves the efficiency of vulnerability operations and maintenance.

20. NSFOCUS Supply Chain Security System

The NSFOCUS Supply Chain Security System is based on SBOM management and aims to improve transparency across the software development, delivery and usage chain. It focuses on third-party security issues such as open source component security, development environment security and IaC configuration security, improving third-party risk detection. It supports integration into common CI/CD pipelines to help users establish security and quality gates, shift security left, and reduce security operation costs, and it issues third-party security threat warnings to help users fix vulnerabilities in a timely manner.

21. NSFOCUS NAC Network Access Control System

The NSFOCUS NAC Network Access Control System is an integrated terminal security access management platform developed on a next-generation network access control architecture; it is a dynamic, visual access control system in line with the zero trust concept.

Based on MVG access technology, the NSFOCUS NAC system works with up to 9 access technologies, including industry-leading mirroring, 802.1X and policy-based routing, supports more than 18 identity recognition and multi-factor authentication systems, more than 6,000 asset identification signatures, and more than 30 security baseline check items. It addresses problems such as the difficulty of troubleshooting terminals, and ultimately achieves real-name network access, clearly classified asset ledgers, second-level blocking of risky behavior, and time-saving operation and maintenance management.

As the core of industrial production and operations, the network security of industrial control systems bears on the safety of enterprise operations and production, the security and stability of industrial and supply chains, and economic, social and national security. Going forward, NSFOCUS will continue to focus on the strategic direction of industrial information security, draw on its strengths in core technology research and development, provide industrial enterprises with more comprehensive, efficient and intelligent network security solutions, build a solid industrial information security barrier, and support the digital transformation and development of enterprises.
