System and Practice of Information Security Certification for IT products in China

Transcription

1 System and Practice of Information Security Certification for IT products in China

2 Catalogue 01 Introduction to IT product information security certification 02 Practice of industrial control security product certification 2

3 Setting background of IT product information security certification Setting background of IT product information security certification IT products are a basic unit to form key information infrastructure, such as basic networks, important information systems, industrial control systems and etc., and the significance of their information security has become increasingly obvious. The risk of IT products information security vulnerabilities has become increasingly serious, as a result, related networks and systems are facing security risks of sensitive information leakage, system outage and other major security incidents. 3

4 Purpose and meaning of certification Product certification system Owner Confidence Measures Conformance Information security assurance Information security risks Manufacturer Effectiveness Quality+ Information Security Assurance technology Instructional documents Information security certification result IT product standard technical specifications Information security testing & certification evaluation technology Procedure rules Normalization 4 Certification and testing organization

5 Certification system Laws and regulations Policies and rules Regulations of the People s Republic of China on Certification and Accreditation Notices, announcements, departmental regulations & etc. published by state departments Normative documents Technical specifications Procedure rules Management requirements 5

6 Certification modes Type test Initial factory Inspection (If applicable) Supervision after certificate Validity of certificate: the certificate is valid within 3 years Change of certified products In case of any change to manufacturer, holder of certificate or related address & etc., a change application shall be submitted to the certification organization. The change of other certificates shall be executed as per related Implementation Rules After the certificate is expired, please reapply for the extension of certificate validity when necessary Extension of products covered by the certificate Please submit an extension application to the certification organization when extending the certification scope for certified products. 6

7 Main contents of certification rules Certification Implementation Rules Scope of application Certification basis Certification modes Certification application and acceptance Normative documents Factory inspection Supervision after certificate certificate Use of marks Applicable product scope Corresponding national, industrial standards and technical requirements for applicable products Certification modes Subdivision principles or regulations for application unit Requirements for sampling and sample presentation Confirmation requirements for key components and raw materials(when necessary) Requirements for testing standards (when necessary) Requirements for factory inspection Requirements for follow-up inspection after obtaining certificate Requirements for validity period of certificate Requirements for the certification mark labeling of certified products Specify the certification requirements for specific products Guide the implementation of certification activities 7 7

8 Standards and Specifications (GB/T 18336) In 2001 GB/T In 2008 GB/T In 2015 GB/T International common criteria ISO/IEC 15408:1999 International common criteria ISO/IEC 15408:2005 International common criteria ISO/IEC 15408:2009 Common criteria(cc) In 1999(V2.1) Common criteria(cc) In 2005 (V2.3) Common criteria(cc) In 2009(V3.1) 8

9 Standards and Specifications (GB/T 18336) GB/T Firewall GB/T Network intrusion detection GB/T IC-card chip GB/T Data backup and recovery GB/T18336 ( 一 ) GB/T IC-card embedded software GB/T Network and terminal isolation GB/T Network vulnerability scanning One of the important technical bases of carrying out information security certification work in China is the common standards of information security product certification and the normative and reference standards of security technical requirements/national standards/industrial standards for related products. 9

10 Standards and Specifications Security technical standards Information security products IDS IPS UTM security audit products, etc. GB/T IT products integrating security function IT products with smart cards, switches and operating systems IT products with new technology & new application Cloud computing, industrial control, internet of things Testing and evaluation methods Security assurance evaluation: development documents, life cycle support & instructional documents and test documents Security tests: independence test, penetrability test and security assurance evaluation Test results: type test report and evaluation technical report Factory inspection requirements Inspection of information security assurance ability, quality assurance ability and product uniformity 10

11 Progress of certification business 70 technical Specifications Access co product across boundaries, data security product, identification and access control product Intrusion supervision product, basic platform product, application security product and security management product Smart card product, and IT product integrating security function Special product for industrial control and internet of things 9 test labs The 15th research institute of CETC(NCI), Beijing Information Security Test and Evaluation Center, Shanghai information security Testing evaluation and certification center, CETC information security lab, Liaoning information security and software testing evaluation and certification center, the 1st institute of the Ministry of Public Security, China Financial Certification Authority, the 3rd institute of the Ministry of Public Security, and the 6th research institute of China Electronics Coporation Authentication certificates Issued 366 certificates accumulatively, including 243 valid certificates 11

12 Catalogue 01 Introduction to IT product information security certification 02 Practice of industrial control security product certification 12

13 Security challenges faced by industrial control network As national strategies like made in China 2025, internet+ were put forward, the information security construction of industrial enterprises has been put on the schedule, and the industrial control network security is faced with greater challenges. Control security Network security Data security Equipment security Factory s control environment is threatened and permeated by external internet due to Opening control environment Greater security risks are brought to factory network by IP-based & wireless network, and networking flexibility Data and privacy protection are faced with unprecedented challenges due to flow and share Production equipments and products are exposed under the network attack due to Intelligent equipments. 13

14 Security risks faced by industrial control network backdoor of equipment Advanced persistent threat Industrial network virus Surge of vulnerabilities Industrial control network Attack and elimination 14

15 Requirements for industrial control security management Laws and regulations CyberSecurity Law of the P.R.C Regulation on the Protection of Security of Critical Information Infrastructure System and working mechanism Product testing and certification Critical infrastructure protection Special security inspection Authorities management requirements CAC NDRC Ministry of industry and information technology The Ministry of Public Security National Energy Administration Critical industries: rail traffic, electric traffic, petrochemical industry, aerospace equipments, etc. Alliances and associations: industrial control information security industry alliance(icsisia), industrial internet industry alliance and critical infrastructure protection committee, etc. 15

16 Industrial control security technical standards (national) GB/T Security control application guide to industrial control system of information security technology Standardization Administration of the people s republic of china (SAC) National Information Security Standardization Technical Committee (SAC/TC260) Technical committee for standardization of national industrial process measurement and control (SAC/TC124) Technical committee for standardization of national power system management and information exchange (SAC /TC 82) Technical committee for standardization of national electricity supervision and management (SAC/TC 296) Technical committee for standardization of national nuclear instrumentation (SAC/TC 30) GB/T Security procedure to establish industrial automation and control system for Industrial communications, network and system security GB/T Programmable Logic Controller(PLC) for network security of industrial automation and control system GB/T Distributed control system(dcs) for network security of industrial automation and control system GB/T Industrial control system information security GB/Z Power system management and its information exchange data and communications security Safety protection standards for power secondary system (compulsive) Security inspection specifications for power information system (compulsive) Evaluation indexes for power industry Information safety level (recommended) GB/T Part I design criteria for safety systemof nuclear power plant GB/T Applicable specifications for digital computer in safety system of nuclear power plant 16

17 Industrial control security technical standards (industrial) JB/T Security networks and system security for industrial process measurement and control (IEC/TR : 2008) Standards of mechanical industry JB/T Safety terms, concepts and models for industrial communications network and system(iec/ts : 2009) JB/T information security technology for industrial communications network, network and information system, industrial automation and control system(iec/tr :2009) Standard of nuclear industry HAD Computer-based software for important systemsecurity of nuclear power plant 17

18 Certification for industrial control security products Based on IT product information security certification, ISCCC and their joint lab have carried out the industrial control product testing certification, including industrial control firewall products, industrial control gatekeeper products, industrial control safety auditing products & etc. The related labs have carried out the verification tests for safety technical specifications of PLC, DCS and other equipments. 18

19 Certification case: industrial control firewall Network layer control Application layer protocol control (EAL2 level) Security operation, maintenance and management 抗拒绝服务攻击 Certification test on industrial control firewall 19

20 Certification case: industrial control firewall Deep packet inspection Carry out deep content detection for common industrial control protocols Support OPC and other industrial control protocols Support industrial control protocol filtering over protocol Anti-Denial of service attack High availability Packet filtering Certification test on industrial control firewall Network scanning protection Dynamic open port Support Bypass, multiple working modes, power redundancy, thermal discharge mode and dual-computer hotstandby. 20

21 Certification case: industrial control firewall Test items Traditional firewall Industrial control firewall 1 Packet filtering Filtering based on MAC address, IP address, port, protocol type, time & etc. Support industrial control protocol filtering over protocol 2 NAT Support SNAT DNAT Optional, deployed in the control layer, usually transparent 3 Policy routing Support related function of Policy routing None related requirements 4 Dynamic open port Support FTP and other protocols Requirements for supporting OPC and other industrial control protocols 5 Deep packet inspection For some common protocols (http, smtp & etc.) Carry out deep content detection for common industrial control protocols 6 High availability dual-computer hot-standby Bypass, working modes, power redundancy, thermal discharge mode 21 and dual-computer hot-standby.21

22 Thanks! Bu Ning China information security certification center/isccc 22