The Heart of Smart Manufacturing: Building a Secure Future Together
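With the rapid development of the Internet of Things, cloud computing, big data and related technologies, and the accelerating convergence of next-generation information technology with traditional industry, industrial control systems increasingly adopt general-purpose protocols, hardware and software (moving to IP and IT) and connect to the Internet and other public networks in various ways. Threats such as viruses and Trojans are spreading to industrial control systems, and industrial control system information security is becoming an increasingly prominent problem and a major technical challenge for enterprises advancing smart manufacturing. In the PTRM model, information security is placed in the technology capability element as an independent capability sub-domain, as shown in Figure 1.
Today we continue with the standard for the information security capability sub-domain. GB/T 39116-2020 describes the maturity requirements for this sub-domain as shown in Table 1:
Sorting through the five maturity levels for information security capability yields three key activity characteristics: management mechanism, risk assessment, and technical measures. The maturity requirements at each level are essentially described and deepened around these three characteristics.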
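For level 1, item a states that the enterprise shall establish information security management specifications and enforce them effectively; item b states that the enterprise shall set up an information security coordination group. This differs from the level 1 requirements of the capability sub-domains discussed earlier, which call only for planning awareness and not for a concrete planning system, because information security problems exist from the moment an enterprise uses its first host and deploys its first system. Establishing information security management specifications and setting up an information security coordination group is therefore a baseline every enterprise must have. Here the information security management system includes general provisions, responsibilities, policies and principles, physical and environmental security, high-level network security management, high-level password protection, high-level virus protection, high-level vulnerability protection, efficient resource utilization management, incident response management, and classified systems (classified organizations), among others. An information security coordination group must also be set up to keep the management mechanism running.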
For level 2, the enterprise must, on top of level 1, carry out information security risk assessments on a regular basis, covering physical security, technical security, and management security. Physical security includes lightning protection, fire protection, theft protection, temperature and humidity control, and so on. Technical security includes industrial control network security, industrial control device security, industrial control host security, and so on. Management security usually involves institutional arrangements, rules, and processes. The assessment method should use the frequency with which threats appear and the severity of vulnerabilities to determine the likelihood of a security incident, and then use asset value and vulnerability severity to evaluate the potential loss caused by a security incident.
In an information security capability assessment and diagnosis, the assessor can focus on the following capabilities of the enterprise:
1) Whether industrial control systems have regular industrial antivirus software installed and undergo regular configuration audits;
2) Whether an inventory of system configurations is established for industrial control systems, and whether configuration audits are carried out regularly;
3) Whether significant configuration changes are planned before they are implemented, with impact analysis conducted beforehand, followed by strict testing and validation;
4) Whether close attention is paid to major OT vulnerabilities and the patches released for them.
For level 3:
a) Industrial control networks must have boundary protection capabilities at their perimeter.
b) Remote access to industrial control equipment must be managed securely.
During a smart manufacturing capability assessment and diagnosis, the assessor can focus on the following aspects of the enterprise:
1) Whether the development, test, and production environments of the industrial control system (ICS) are separated;
2) Whether firewalls or gateways separate the ICS network from the corporate network and the Internet;
3) Whether one-way data access controls are used as part of the secure design;
4) Whether time limits are set on device access, with locks added when necessary;
5) Whether VPN is used as the remote maintenance method, and whether log retention is kept up to date with regular auditing.
It can be predicted that, as smart manufacturing advances further, edge computing systems will increasingly be deployed in industrial systems, and enterprises' demand for this kind of information security will become more pronounced.
For levels 4 and 5:
a) The enterprise needs deep packet inspection functionality in its network defense tools.
b) All devices must be tested in an offline test environment before deployment.
c) Defensive measures must have an adaptive learning and self-improvement function.
The self-adaptive architecture divides continuous monitoring and analysis into prediction, prevention, organizational protection, detection, surveillance, response, and investigation.
For non-IT professionals, assessing this level requires knowledge of the underlying hardware and software technology, which may prove difficult. Remembering the key features associated with each level can serve as a reference guide during assessment and diagnosis.