
IoT Security Policy and Regulation Initiatives in China
Fan Dongyang, Huawei
China Economy – Facilitating High-quality Growth

Going digital
The new norm

GDP Growth Rate

E-commerce is on the rise – between 2006 and 2014, shipping leapt tenfold from 1 billion to 10 billion packages
Supply-side reform delivered.
$14,3b sales Nov. 11 2015 in Alibaba platform, 60% increase from 2014

ETSI IoT Security Workshop


The National Strategies

Internet +
• Develop e-commerce, industry networks, and online banking, and raise the profile of Internet companies on the world stage.
• Boosting growth by infusing mobile Internet, cloud computing, big data, and IoT into manufacturing and others.

Manufacture 2025
• Enhance industry base, quality and brand, break through in main areas.
• Promoting green production, streamline industry structure, transformation to services and globalization

Platform, Application, Technology, Security, Mechanism


• Action Plan for Promoting Development of Big Data
• Previous: Special Action Plan for M2M Development (2013-2015)
Cybersecurity

• Internet benefit for the country and people
• To proceed together with development
• Protection system for critical information infrastructure
• Core technologies
• Innovation, harmonization, green, open, and sharing

Industry and Ministries

• MIIT (Ministry of Industry and Information Technologies) – Telecom + other about 20 industries
• CAC (Cyberspace Administration of China, Office of the Central Leading Group for Cyberspace of CCCP) – Cybersecurity and Informatization
• NDRC (National Development and Reform Commission)
• MOST (Ministry of Science and Technology)
• SAC (Standardization Administration of China)

Industry Alliances

IIC China
Industry 4.0 Group Team

AII Members: Industry (225), ICT (29), University (8), Research (11), Security (6), Abroad (10)

Others
• Strategy Alliance for M2M Industry Technology Innovation
• M2M Standardization Group
• Smart City Standardization Group

Non-governmental Organizations for Policies

• Self-regulation of data flow Industry
• IOT Cloud Service and Terminal standards
• How to protect information security in the Big Data time
• Information security impact on China economy
• Industry 4.0 public policy
• Internet + Car + Traffic Summit
• Energy Internet – opportunities and challenges
Digital Forum
• Security of social network
• Way of China Cybersecurity legislation
• IT industry Cybersecurity best practices
• Industry control system security workshop

Available Law and Regulations
• 2015 State Council - China Computer Information System Security Protection Regulation (first in 1994)

• 2007 MPS - Management Method for Information Security Protection for Classified Levels

• 2001 NPC Standing Committee – Resolution about Protection of Internet Security

• 2012 NPC Standing Committee – Resolution about Enhance Network Information Protection

• July 2015: National Security Law - 'secure and controllable' systems and data security in critical infrastructure and key areas

• 2014 MIIT – Guidance on Enhance Telecom and Internet Security

• 2013 MIIT – Regulation about Telecom and Internet Personal Information Protection

• 2014 China Banking Regulatory Commission - Guidance for Applying Secure and Controllable Information Technology to Enhance Banking Industry Cybersecurity and Informatization Development

Law and Regulations in the Pipeline

CAC: Administrative Measures on Internet Information Services


CAC Rules on Security Protection for Critical Information Infrastructure
Cybersecurity Law - second read June 2016

• Cyber Sovereignty
• Security of Product and Service
• Security of Network Operation (Classified Levels Protection, Critical Infrastructure)
• Data Security (Category, Personal Information)
• Information Security
Standardization - CCSA
TC10 Ubiquitous Networks
• Security Requirements for Ubiquitous Networks
• M2M Technical Specification (Release 1) - Security Solutions
• Baseline for classified protection of IOT perception communication system
• Research on Physical layer security technology of Ubiquitous Network Perceived Extension Layer
• Terminal embedded operating system security requirements of the M2M
• Secure technology requirements for protocols of sensor layer of M2M
• Research on the security of communication between vehicle and Infrastructure
• Security Requirements Analysis for Smart City

TC8 Network and Information Security
• Requirement for classified level security protection of M2M information system
• Security framework and technical requirement for logistics information service
• General requirement for M2M node authentication

TC11 Mobile Internet Application and Terminal
• Research on information security problems and key technologies of mobile internet vehicle
• Information security research for on-board intelligent terminal

Standardization – TC260 (IT Security)

• Framework for critical information infrastructure network security
• Technical requirement for Industrial network protocol
• General reference model and requirements for M2M security
• Technical requirement for M2M data transmission security
• Technical requirement for M2M sensor gateway
• Technical requirement for M2M sensor device
• Technical requirement for information security of smart connected devices

• Industrial control system security
• Management requirements
• Audit guidance
• Classification guidance
• Classification system security design guidance
• Protection technical requirement and test method
• Specified firewall technical requirements
• Isolation and information exchange system security technical requirement
• Vulnerability detection technical requirement and test method
• Supervision security technical requirement and test method
Standardization – Smart Manufacture
Information Security Information Security Management
Software, Device, Network, Data and
Management and Supervision
security Protection

• Industrial control network security, and information security
• Security requirement for industrial automatic product
• Distributed Control System security protection, management, audit, risk and vulnerability detection
• Security requirement for the programmable logic controller
• Network security specification of EPA (Ethernet for Plant Automation) for industrial measurement and control system
• Secure and controllable information system – Electrical Power System
• Sensor network security: general technical specification, network transmission security technical and test specification, etc.

Summary
• The regulations for IoT Security are yet to come
• Intentions are for critical infrastructure, classified levels of security protection, information security and core technologies

Thank You
Open, Transparent, Cooperative
