IoT Security Policy and Regulation Initiatives in China
Fan Dongyang, Huawei

China Economy Facilitating High-quality Growth
- The new norm
- Going digital
- GDP Growth Rate
- Supply-side reform
- E-commerce is on the rise: between 2006 and 2014, shipping leapt tenfold from 1 billion to 10 billion packages delivered.
- $14.3b sales on Nov. 11, 2015 on the Alibaba platform, a 60% increase from 2014

The National Strategies
Internet +
- Develop e-commerce, industry networks, and online banking, and raise the profile of Internet companies on the world stage.
- Boosting growth by infusing mobile Internet, cloud computing, big data, and IoT into manufacturing and others.
Manufacture 2025
- Enhance industry base, quality and brand, break through in main areas.
- Promoting green production, streamline industry structure, transformation to services and globalization
Platform, Application, Technology, Security, Mechanism
Action Plan for Promoting Development of Big Data
Previous: Special Action Plan for M2M Development (2013-2015)

Cybersecurity
- Internet benefit for the country and people
- To proceed together with development
- Protection system for critical information infrastructure
- Core technologies
- Innovation, harmonization, green, open, and sharing

Industry and Ministries
- MIIT (Ministry of Industry and Information Technologies): Telecom + about 20 other industries
- CAC (Cyberspace Administration of China, Office of the Central Leading Group for Cyberspace of CCCP): Cybersecurity and Informatization
- NDRC (National Development and Reform Commission)
- MOST (Ministry of Science and Technology)
- SAC (Standardization Administration of China)

Industry Alliances
- Industry 4.0 Group
- IIC China Team
- Others
- Strategy Alliance for M2M Industry Technology Innovation
- M2M Standardization Group
- Smart City Standardization Group
AII Members: Industry (225), ICT (29), University (8), Research (11), Security (6), Abroad (10)

Non-governmental Organizations for Policies
- Self-regulation of data flow
- Industry IOT Cloud Service and Terminal standards
- Industry 4.0 public policy
- Internet + Car + Traffic Summit
- Energy Internet opportunities and challenges
- How to protect information security in the Big Data time
- Information security impact on China economy
- Digital Forum
- Security of social network
- Way of China Cybersecurity legislation
- IT industry Cybersecurity best practices
- Industry control system security workshop

Available Law and Regulations
- 2015 State Council - China Computer Information System Security Protection Regulation (first in 1994)
- 2007 MPS - Management Method for Information Security Protection for Classified Levels
- 2001 NPC Standing Committee Resolution about Protection of Internet Security
- 2012 NPC Standing Committee Resolution about Enhance Network Information Protection
- July 2015: National Security Law - secure and controllable systems and data security in critical infrastructure and key areas
- 2014 MIIT Guidance on Enhance Telecom and Internet Security
- 2013 MIIT Regulation about Telecom and Internet Personal Information Protection
- 2014 China Banking Regulatory Commission - Guidance for Applying Secure and Controllable Information Technology to Enhance Banking Industry Cybersecurity and Informatization Development

Law and Regulations in the Pipeline
- CAC: Administrative Measures on Internet Information Services
- CAC Rules on Security Protection for Critical Information Infrastructure
- Cybersecurity Law - second reading June 2016
  - Cyber Sovereignty
  - Security of Product and Service
  - Security of Network Operation (Classified Levels Protection, Critical Infrastructure)
  - Data Security (Category, Personal Information)
  - Information Security

Standardization - CCSA
TC10 Ubiquitous Networks
- Security Requirements for Ubiquitous Networks
- M2M Technical Specification (Release 1) - Security Solutions
- Baseline for classified protection of IOT perception communication system
- Research on Physical layer security technology of Ubiquitous Network Perceived Extension Layer
- Terminal embedded operating system security requirements of the M2M
- Secure technology requirements for protocols of sensor layer of M2M
- Research on the security of communication between vehicle and Infrastructure
TC8 Network and Information Security
- Requirement for classified level security protection of M2M information system
- Security framework and technical requirement for logistics information service
- General requirement for M2M node authentication
TC11 Mobile Internet Application and Terminal
- Research on information security problems and key technologies of mobile internet vehicle
- Information security research for on-board intelligent terminal
- Security Requirements Analysis for Smart City

Standardization TC260 (IT Security)
- Framework for critical information infrastructure network security
- Technical requirement for Industrial network protocol
- General reference model and requirements for M2M security
- Technical requirement for M2M data transmission security
- Technical requirement for M2M sensor gateway
- Technical requirement for M2M sensor device
- Technical requirement for information security of smart connected devices
Industrial control system security
- Management requirements
- Audit guidance
- Classification guidance
- Classification system security design guidance
- Protection technical requirement and test method
- Specified firewall technical requirements
- Isolation and information exchange system security technical requirement
- Vulnerability detection technical requirement and test method
- Supervision security technical requirement and test method

Standardization
Smart Manufacture Information Security
- Software, Device, Network, Data and security Protection
- Information Security Management
- Management and Supervision
- Industrial control network security, and information security
- Security requirement for industrial automatic product
- Distributed Control System security protection, management, audit, risk and vulnerability detection
- Security requirement for the programmable logic controller
- Network security specification of EPA (Ethernet for Plant Automation) for industrial measurement and control system
- Secure and controllable information system
- Electrical Power System
- Sensor network security: general technical specification, network transmission security technical and test specification, etc.

Summary
- The regulations for IoT Security are yet to come
- Intentions are for critical infrastructure, classified levels of security protection, information security and core technologies

Thank You
Open, Transparent, Cooperative