IoT Security Policy and

Regulation Initiatives

in ChinaFan Dongyang, Huawei

2

China Economy – Facilitating High-quality Growth

Going digital

E-commerce is on the rise – between 2006 and 2014,shipping leapt tenfold from 1 billion to 10 billion packages delivered. $14,3b sales Nov.11 2015 in Alibabaplatform, 60% increase from 2014

The new norm

Supply-side reform

ETSI IoT Security Workshop

GDP Growth Rate

3

The National Strategies

Internet + • Develop e-commerce, industry

networks, and online banking, and raise the profile of Internet companies on the world stage.

• Boosting growth by infusing mobile Internet, cloud computing, big data, and IoTinto manufacturing and others.

Manufacture 2025• Enhance industry base, quality

and brand, break through in main areas.

• Promoting green production, streamline industry structure, transformation to services and globalization

• Action Plan for Promoting Development of Big Data• Previous: Special Action Plan for M2M Development (2013-2015)

Platform, Application, Technology, Security, Mechanism

ETSI IoT Security Workshop

4

Cybersecurity

• Internet benefit for the country and people

• To proceed together with development

• Protection system for critical information infrastructure

• Core technologies• Innovation, harmonization, green,

open, and sharing

ETSI IoT Security Workshop

5

Industry and Ministries

• MIIT (Ministry of Industry and Information Technologies) – Telecom + other

about 20 industries

• CAC (Cyberspace Administration of China, Office of the Central Leading

Group for Cyberspace of CCCP) – Cybersecurity and Informationization

• NDRC (National Development and Reform Commission)

• MOST (Ministry of Science and Technology)

• SAC (Standardization Administration of China)

ETSI IoT Security Workshop

6

Industry Alliances

IIC China Team

Industry 4.0 Group

225

298

116 10 AII Members

Industry(225)ICT(29)University(8)Research(11)Security(6)Abroad(10)

Others• Strategy Alliance for M2M

Industry Technology Innovation

• M2M Standardization Group

• Smart City Standardization Group

ETSI IoT Security Workshop

7

Non-governmental Organizations for Policies

• Self-regulation of data flow

Industry

• IOT Cloud Service and Terminal

standards

• Industry 4.0 public policy

• Internet + Car + Traffic Summit

• Energy Internet – opportunities

and challenges

• How to protect information

security in the Big Data time

• Information security impact on

China economy

Digital Forum

• Security of social network

• Way of China Cybersecurity

legislation

• IT industry Cybersecurity best

practices

• Industry control system security

workshop

ETSI IoT Security Workshop

8

Available Law and Regulations• 2015 State Council - China Computer Information System Security Protection Regulation (first in 1994)

• 2007 MPS - Management Method for Information Security Protection for Classified Levels

• 2001 NPC Standing Committee – Resolution about Protection of Internet Security

• 2012 NPC Standing Committee – Resolution about Enhance Network Information Protection

• July 2015: National Security Law - ‘secure and controllable’ systems and data security in critical

infrastructure and key areas

• 2014 MIIT – Guidance on Enhance Telecom and Internet Security

• 2013 MIIT – Regulation about Telecom and Internet Personal Information Protection

• 2014 China Banking Regulatory Commission - Guidance for Applying Secure and Controllable Information

Technology to Enhance Banking Industry Cybersecurity and Informatization Development

ETSI IoT Security Workshop

9

Law and Regulations in the Pipe Line

CAC: Administrative Measures on Internet Information Services

CAC Rules on Security Protection for Critical Information Infrastructure

Cybersecurity Law - second read June 2016

• Cyber Sovereignty• Security of Product and Service• Security of Network Operation (Classified

Levels Protection, Critical Infrastructure)• Data Security (Category, Personal

Information)• Information Security

ETSI IoT Security Workshop

10

Standardization - CCSA

TC10 Ubiquitous Networks• Security Requirements for Ubiquitous Networks

• M2M Technical Specification (Release 1) - Security Solutions

• Baseline for classified protection of IOT perception

communication system

• Research on Physical layer security technology of Ubiquitous

Network Perceived Extension Layer

• Terminal embedded operating system security requirements of

the M2M

• Secure technology requirements for protocols of sensor layer of

M2M

• Research on the security of communication between vehicle and

Infrastructure

• Security Requirements Analysis for Smart City

TC8 Network and Information Security• Requirement for classified level security protection of

M2M information system

• Security framework and technical requirement for logistics

information service

• General requirement for M2M node authentication

TC11 Mobile Internet Application and Terminal• Research on information security problems and key

technologies of mobile internet vehicle

• Information security research for on-board intelligent terminal

ETSI IoT Security Workshop

11

Standardization – TC260 (IT Security)

• Framework for critical information infrastructure

network security

• Technical requirement for Industrial network

protocol

• General reference model and requirements for

M2M security

• Technical requirement for M2M data

transmission security

• Technical requirement for M2M sensor gateway

• Technical requirement for M2M sensor device

• Technical requirement for information security of

smart connected devices

• Industrial control system security

• Management requirements

• Audit guidance

• Classification guidance

• Classification system security design guidance

• Protection technical requirement and test method

• Specified firewall technical requirements

• Isolation and information exchange system security technical

requirement

• Vulnerability detection technical requirement and test method

• Supervision security technical requirement and test method

ETSI IoT Security Workshop

12

Standardization – Smart Manufacture

• Industrial control network security, and information security

• Security requirement for industrial automatic product

• Distributed Control System security protection, management, audit,

risk and vulnerability detection

• Security requirement for the programmable logic controller

• Network security specification of EPA(Ethernet for Plant Automation)

for industrial measurement and control system

• Secure and controllable information system – Electrical Power System

• Sensor network security: general technical specification, network

transmission security technical and test specification, etc.

Information SecuritySoftware, Device, Network, Data and security Protection

Information Security ManagementManagement and Supervision

ETSI IoT Security Workshop

13

Summary

ETSI IoT Security Workshop 13

• The regulations for IoT Security are yet to come

• Intentions are for critical infrastructure, classified levels of security

protection, information security and core technologies

14

Open, Transparent, Cooperative

Thank You