Standard No.:	JT/T 1417-2022
English Name:	Baseline for classified protection of cybersecurity of transportation
Chinese Name:	交通运输行业网络安全等级保护基本要求
Professional Classification:	JT    Professional Standard - Transport
Issued by:	Ministry of Transport
Issued on:	2022-06-09
Implemented on:	2022-9-9
Status:	valid
Language:	English
File Format:	PDF
Word Count:	36000 words
Price(USD):	1080.0
Delivery:	via email in 1 business day

Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative. This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents. Attention is drawn to the possibility that some of the parts of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights. This standard was proposed by and is under the jurisdiction of National Technical Committee on Transportation Information Communication and Navigation of Standardization Administration of China. Introduction The transportation is an important part of the entire national economy and one of the key industries to implement classified protection of cybersecurity for China, so that the competent department of the industry shall further strengthen the management and guidance of cybersecurity, standardize the development of related work, and effectively ensure the cybersecurity of the industry. Based on national standards such as GB 17859-1999 and GB/T 22239-2019, this document proposes the minimum protection requirements for targets of classified security with different security protection levels for transportation according to the technical development level of the transportation and cybersecurity protection requirements. In order to facilitate the use of this document, many clauses in GB/T 22239-2019 are referenced and their sources are indicated. In the texts of this document, those in bold represent requirements added or strengthened in higher level for national standards. Baseline for classified protection of cybersecurity of transportation 1 Scope This document specifies the general principles for classified protection of cybersecurity of transportation, as well as the security requirements for the targets of classified security of Level 1 to Level 4. This document is applicable to the planning design, security construction, supervision and management of cybersecurity of transportation. 2 Normative references The following documents contain provisions which, through reference in this text, constitute indispensable provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. GB/T 5271.8 Information technology - Vocabulary - Part 8: Databases GB 17859 Classified criteria for security protection of computer information system GB/T 20839 Intelligent transport systems - General terminology GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity JT/T 904 Classification guide for security classified protection of transportation information system 3 Terms and definitions For the purposes of this document, the terms and definitions given in GB/T 5271.8, GB 17859, GB/T 20839, GB/T 22239 and JT/T 904 as well as the following apply. 3.1 cyber security capabilities to prevent the network from attack, intrusion, interference, damage, illegal use and unexpected accident, enable the network to operate stably and reliably and ensure the integrity, confidentiality and availability of network data by taking necessary measures [Source: GB/T 22239-2019, 3.1]   3.2 cloud service provider provider of cloud computing service Note: The cloud service provider manages, operates and supports the infrastructure and software of cloud computing, and delivers the cloud computing resources through the Internet. [Source: GB/T 31167-2014, 3.3] 3.3 cloud service customer participant entering into business relationship with the cloud service provider by using cloud computing service [Source: GB/T 31167-2014, 3.4, modified] 3.4 baseline verification method for verifying the baseline configured based on minimum security requirements for network device, security device, host operating system, database management system and business application system 3.5 important data processing system important communication device and computing device for routing forward, access control, network switching, releasing for use and storage of data Note: Important communication device and computing device include but are not limited to boundary routers, boundary firewalls, core switches, application servers and database servers. 3.6 data security protection system system or tool for protecting data Note: The systems or tools include but are not limited to database firewalls, data leakage prevention, desensitization system, database encryption system and file encryption system. 4 Abbreviations For the purposes of this document, the following abbreviations apply. AP: Wireless Access Point CPU: Central Processing Unit DDoS: Distributed Denial of Service DNS: Domain Name System FTP: File Transfer Protocol HTTP: Hyper Text Transfer Protocol HTTPS: Hyper Text Transfer Protocol over Secure Socket Layer IP: Internet Protocol IT: Information Technology MAC: Message Authentication Code POP3: Post Office Protocol-Version 3 SMTP: Simple Mail Transfer Protocol SQL: Structured Query Language SSH: Secure Shell SSID: Service Set Identifier VPN: Virtual Private Network WEP: Wired Equivalent Privacy 5 General 5.1 Target of classified security and security protection level The target of classified security refers to the target in classified protection of cybersecurity and those systems, formed by computer or other information terminals as well as relevant devices, for collection, storage, transmission, exchange and processing of information according to certain rules and programs, mainly including basic information network, information system (including the system adopting mobile communication technology), cloud computing platform/system, big data application/platform/resource, Internet of Things (IoT), and industrial control system, etc. The targets of classified security for transportation are classified into five security protection levels from low to high according to their importance in national security, economic construction and society life as well as their harmfulness to national security, public interest as well as the legitimate rights and interests of citizen, legal person and other organizations once they are damaged. The security protection level for target of classified protection of cybersecurity of transportation shall be determined according to the requirements of JT/T 904. 5.2 Security protection ability The basic security protection ability for different levels of targets of classified security of the transportation shall meet those specified in 5.2 of GB/T 22239-2019. 5.3 General security requirements and special security requirements   Due to different business objectives, adopted technologies, and application scenarios, target of classified security will appear in different forms. Targets of classified security in different forms will face different threats, so their security protection requirements are also different. For implementing the general and individualized protection for different levels and different forms of targets of classified security, security requirements of targets of classified security are divided into general security requirements and special security requirements. The general security requirements are put forward in allusion to general protection; the target of classified security, regardless of its appearance form, shall realize general security requirements for corresponding level according to security protection level; the special security requirements are put forward in allusion to individualized protection and shall be realized selectively according to security protection level and the adopted specific technology or specific application scenario. [Source: GB/T 22239-2019, 5.3] The security requirements shall be selected in accordance with Annex A of GB/T 22239-2019. 6 Level 1 security requirements 6.1 General security requirements 6.1.1 Physical environment security 6.1.1.1 Physical access control Special personnel shall be designated or electronic access control system shall be set at the entrance/exit of machine room to control, identify and record the personnel entering the machine room. [Source: GB/T 22239-2019, 6.1.1.1] 6.1.1.2 Prevention of burglary and damage The network device, security device, server, storage device and other devices or main components shall be fixed and marked with obvious and indelible signs, which shall indicate asset number, person in charge of the device and other information. 6.1.1.3 Lightning protection Various cabinets, facilities, devices and the like shall be safely earthed via the earthing system. [Source: GB/T 22239-2019, 6.1.1.3] 6.1.1.4 Fire prevention Portable gas extinguisher shall be set in machine room. The fire extinguisher shall pass the annual inspection, operate normally within the validity period. 6.1.1.5 Waterproofing and dampproofing Measures shall be taken to prevent the penetration of rainwater through the window, roof and wall of the machine room. [Source: GB/T 22239-2019, 6.1.1.5] 6.1.1.6 Temperature and humidity control The necessary temperature and humidity regulating facilities shall be installed so that the temperature and humidity changes in the machine room are within the allowable range for device operation. [Source: GB/T 22239-2019, 6.1.1.6] 6.1.1.7 Power supply The voltage regulator and overvoltage protection device shall be configured on the power supply line of the machine room. [Source: GB/T 22239-2019, 6.1.1.7] 6.1.2 Communication network security 6.1.2.1 Communication transmission Check technology shall be adopted to ensure the integrity of data in communication process. [Source: GB/T 22239-2019, 6.1.2.1] 6.1.2.2 Trusted verification The trusted verification shall be carried out for the system boot program, system program and the like of the communication device based on the trusted root, and an alarm is given after the credibility is detected as being damaged. [Source: GB/T 22239-2019, 6.1.2.2] 6.1.3 Area boundary security 6.1.3.1 Boundary protection The boundary protection requirements shall include: a) ensuring that the access and data flow which cross over the boundary carry out communication via the controlled interface provided by boundary device; b) being able to restrict the behavior of unauthorized device from connecting to the internal network privately; measures such as IP/MAC address binding and disabling the idle port of the network access device should be taken to restrict the networking; c) being able to restrict the behavior of unauthorized connection of internal user to the external network; measures such as controlling the physical interface should be taken to restrict the behavior of connection of external network. 6.1.3.2 Access control The access control requirements shall include: a) setting access control rule at network boundary according to access control policy; the controlled interface will deny all the communication (except for the allowable communication) in default situation; b) deleting excessive or invalid access control rules, optimizing the access control list and ensuring to minimize the quantity of access control rules; c) inspecting the source address, destination address, source port, destination port and protocol, etc. to allow/deny the data package passing in and out. [Source: GB/T 22239-2019, 6.1.3.2] 6.1.3.3 Security audit Technical measures shall be taken to monitor and record network operating status and cybersecurity incidents for security audit, and keeping relevant network logs for at least six months. 6.1.3.4 Trusted verification The trusted verification shall be carried out for the system boot program, system program and the like of the boundary device based on the trusted root, and an alarm is given after the credibility is detected as being damaged. [Source: GB/T 22239-2019, 6.1.4.5] 6.1.4 Computing environment security 6.1.4.1 Network device 6.1.4.1.1 Identity authentication The identity authentication shall meet the following requirements: a) The identity of login user shall be identified and authenticated; the identity identification shall be unique and the identity authentication information shall be required of complexity and be replaced regularly. Specific requirements are as follows: 1) the static password shall not be less than 8 bits in length, including at least three types of such elements as uppercase English letters, lowercase English letters, numerals and special symbols; 2) the replacement cycle of user password shall not exceed one year; 3) the user needs to modify the initial default password when logging in for the first time, and shall not set a new password the same as the old one every time the password is modified; b) The login failure handling function shall be available, and related measures, such as configuring and enabling end session, limiting illegal login times to no more than five times and automatic logout in case of login connection timeout shall be configured. 6.1.4.1.2 Access control The access control requirements shall include: a) allocating account and authority for the login user; b) renaming or deleting default account and modifying the default password of the default account; c) deleting or disabling redundant and expired accounts timely to avoid shared accounts. [Source: GB/T 22239-2019, 6.1.4.2] 6.1.4.1.3 Intrusion prevention The intrusion prevention requirements shall include: a) following the minimum installation principle and only installing the necessary component and application program; b) disabling the unnecessary system service, default-sharing and high-risk ports. [Source: GB/T 22239-2019, 6.1.4.3] 6.1.4.1.4 Data backup and recovery The local data backup and recovery function shall be provided for important data. [Source: GB/T 22239-2019, 6.1.4.7] 6.1.4.2 Safety device 6.1.4.2.1 Identity authentication The identity authentication shall meet the following requirements: a) The identity of login user shall be identified and authenticated; the identity identification shall be unique and the identity authentication information shall be required of complexity and be replaced regularly. Specific requirements are as follows: 1) the static password shall not be less than 8 bits in length, including at least three types of such elements as uppercase English letters, lowercase English letters, numerals and special symbols; 2) the replacement cycle of user password shall not exceed one year; 3) the user needs to modify the initial default password when logging in for the first time, and shall not set a new password the same as the old one every time the password is modified; b) The login failure handling function shall be available, and related measures, such as configuring and enabling end session, limiting illegal login times to no more than five times and automatic logout in case of login connection timeout shall be taken. 6.1.4.2.2 Access control The access control requirements shall include: a) allocating account and authority for the login user; b) renaming or deleting default account and modifying the default password of the default account; c) deleting or disabling redundant and expired accounts timely to avoid shared accounts. [Source: GB/T 22239-2019, 6.1.4.2] 6.1.4.2.3 Intrusion prevention The intrusion prevention requirements shall include: a) following the minimum installation principle and only installing the necessary component and application program; b) disabling the unnecessary system service, default-sharing and high-risk ports. [Source: GB/T 22239-2019, 6.1.4.3] 6.1.4.2.4 Data backup and recovery The local data backup and recovery function shall be provided for important data. [Source: GB/T 22239-2019, 6.1.4.7] 6.1.4.3 Host operating system 6.1.4.3.1 Identity authentication The identity authentication shall meet the following requirements: a) The identity of login user shall be identified and authenticated; the identity identification shall be unique and the identity authentication information shall be required of complexity and be replaced regularly. Specific requirements are as follows: 1) the static password shall not be less than 8 bits in length, including at least three types of such elements as uppercase English letters, lowercase English letters, numerals and special symbols; 2) the replacement cycle of user password shall not exceed one year; 3) the user needs to modify the initial default password when logging in for the first time, and shall not set a new password the same as the old one every time the password is modified; b) The login failure handling function shall be available, and related measures, such as configuring and enabling end session, limiting illegal login times to no more than five times and automatic logout in case of login connection timeout shall be taken. 6.1.4.3.2 Access control The access control requirements shall include: a) allocating account and authority for the login user; b) renaming or deleting default account and modifying the default password of the default account; c) deleting or disabling redundant and expired accounts timely to avoid shared accounts. [Source: GB/T 22239-2019, 6.1.4.2] 6.1.4.3.3 Intrusion prevention The intrusion prevention requirements shall include: a) following the minimum installation principle and only installing the necessary component and application program; b) disabling the unnecessary system service, default-sharing and high-risk ports; c) being able to find possible known vulnerabilities and repairing them timely. 6.1.4.3.4 Malicious code prevention Anti-malicious code software shall be installed or software with corresponding function shall be configured, and anti-malicious code library shall be upgraded and updated once every three months. 6.1.4.3.5 Trusted verification The trusted verification shall be carried out for the system boot program, system program and the like of the computing device based on the trusted root, and an alarm is given after the credibility is detected as being damaged. [Source: GB/T 22239-2019, 6.1.4.5] 6.1.4.3.6 Data backup and recovery The local data backup and recovery function shall be provided for important data. [Source: GB/T 22239-2019, 6.1.4.7]

Foreword i Introduction ii 1 Scope 2 Normative references 3 Terms and definitions 4 Abbreviations 5 General 5.1 Target of classified security and security protection level 5.2 Security protection ability 5.3 General security requirements and special security requirements 6 Level 1 security requirements 6.1 General security requirements 6.2 Special security requirements for cloud computing 6.3 Special security requirements for mobile communication 6.4 Special security requirements for IoT 6.5 Special security requirements for industrial control system 6.6 Special security requirements for big data 7 Level 2 security requirements 7.1 General security requirements 7.2 Special security requirements for cloud computing 7.3 Special security requirements for mobile communication 7.4 Special security requirements for IoT 7.5 Special security requirements for industrial control system 7.6 Special security requirements for big data 8 Level 3 security requirements 8.1 General security requirements 8.2 Special security requirements for cloud computing 8.3 Special security requirements for mobile communication 8.4 Special security requirements for IoT 8.5 Special security requirements for industrial control system 8.6 Special security requirements for big data 9 Level 4 security requirements Bibliography