IoT Security Policy and Regulation Initiatives in China
Fan Dongyang, Huawei
China Economy – Facilitating High-quality Growth
Going digital
E-commerce is on the rise – between 2006 and 2014, shipping leapt tenfold from 1 billion to 10 billion packages delivered. $14,3b sales Nov. 11 2015 on the Alibaba platform, 60% increase from 2014
The new norm
Supply-side reform
ETSI IoT Security Workshop
GDP Growth Rate
The National Strategies
Internet +
• Develop e-commerce, industry networks, and online banking, and raise the profile of Internet companies on the world stage.
• Boosting growth by infusing mobile Internet, cloud computing, big data, and IoT into manufacturing and others.
Manufacture 2025
• Enhance industry base, quality and brand, break through in main areas.
• Promoting green production, streamline industry structure, transformation to services and globalization
• Action Plan for Promoting Development of Big Data
• Previous: Special Action Plan for M2M Development (2013-2015)
Platform, Application, Technology, Security, Mechanism
Cybersecurity
• Internet benefit for the country and people
• To proceed together with development
• Protection system for critical information infrastructure
• Core technologies
• Innovation, harmonization, green, open, and sharing
Industry and Ministries
• MIIT (Ministry of Industry and Information Technologies) – Telecom + other about 20 industries
• CAC (Cyberspace Administration of China, Office of the Central Leading Group for Cyberspace of CCCP) – Cybersecurity and Informatization
• NDRC (National Development and Reform Commission)
• MOST (Ministry of Science and Technology)
• SAC (Standardization Administration of China)
Industry Alliances
IIC China Team
Industry 4.0 Group
[Chart values: 225, 298, 116, 10]
AII Members: Industry (225), ICT (29), University (8), Research (11), Security (6), Abroad (10)
Others
• Strategy Alliance for M2M Industry Technology Innovation
• M2M Standardization Group
• Smart City Standardization Group
Non-governmental Organizations for Policies
• Self-regulation of data flow
Industry
• IOT Cloud Service and Terminal standards
• Industry 4.0 public policy
• Internet + Car + Traffic Summit
• Energy Internet – opportunities and challenges
• How to protect information security in the Big Data time
• Information security impact on China economy
Digital Forum
• Security of social network
• Way of China Cybersecurity legislation
• IT industry Cybersecurity best practices
• Industry control system security workshop
Available Law and Regulations
• 2015 State Council - China Computer Information System Security Protection Regulation (first in 1994)
• 2007 MPS - Management Method for Information Security Protection for Classified Levels
• 2001 NPC Standing Committee – Resolution about Protection of Internet Security
• 2012 NPC Standing Committee – Resolution about Enhance Network Information Protection
• July 2015: National Security Law - ‘secure and controllable’ systems and data security in critical infrastructure and key areas
• 2014 MIIT – Guidance on Enhance Telecom and Internet Security
• 2013 MIIT – Regulation about Telecom and Internet Personal Information Protection
• 2014 China Banking Regulatory Commission - Guidance for Applying Secure and Controllable Information Technology to Enhance Banking Industry Cybersecurity and Informatization Development
Law and Regulations in the Pipeline
CAC: Administrative Measures on Internet Information Services
CAC Rules on Security Protection for Critical Information Infrastructure
Cybersecurity Law - second reading June 2016
• Cyber Sovereignty
• Security of Product and Service
• Security of Network Operation (Classified Levels Protection, Critical Infrastructure)
• Data Security (Category, Personal Information)
• Information Security
Standardization - CCSA
TC10 Ubiquitous Networks
• Security Requirements for Ubiquitous Networks
• M2M Technical Specification (Release 1) - Security Solutions
• Baseline for classified protection of IOT perception communication system
• Research on Physical layer security technology of Ubiquitous Network Perceived Extension Layer
• Terminal embedded operating system security requirements of the M2M
• Secure technology requirements for protocols of sensor layer of M2M
• Research on the security of communication between vehicle and Infrastructure
• Security Requirements Analysis for Smart City
TC8 Network and Information Security
• Requirement for classified level security protection of M2M information system
• Security framework and technical requirement for logistics information service
• General requirement for M2M node authentication
TC11 Mobile Internet Application and Terminal
• Research on information security problems and key technologies of mobile internet vehicle
• Information security research for on-board intelligent terminal
Standardization – TC260 (IT Security)
• Framework for critical information infrastructure network security
• Technical requirement for Industrial network protocol
• General reference model and requirements for M2M security
• Technical requirement for M2M data transmission security
• Technical requirement for M2M sensor gateway
• Technical requirement for M2M sensor device
• Technical requirement for information security of smart connected devices
• Industrial control system security
• Management requirements
• Audit guidance
• Classification guidance
• Classification system security design guidance
• Protection technical requirement and test method
• Specified firewall technical requirements
• Isolation and information exchange system security technical requirement
• Vulnerability detection technical requirement and test method
• Supervision security technical requirement and test method
Standardization – Smart Manufacture
• Industrial control network security, and information security
• Security requirement for industrial automatic product
• Distributed Control System security protection, management, audit, risk and vulnerability detection
• Security requirement for the programmable logic controller
• Network security specification of EPA (Ethernet for Plant Automation) for industrial measurement and control system
• Secure and controllable information system – Electrical Power System
• Sensor network security: general technical specification, network transmission security technical and test specification, etc.
Information Security
Software, Device, Network, Data and security Protection
Information Security Management
Management and Supervision
Summary
• The regulations for IoT Security are yet to come
• Intentions are for critical infrastructure, classified levels of security protection, information security and core technologies
Open, Transparent, Cooperative
Thank You