National Energy Administration: Release of the "Measures for the Management of Classified Cybersecurity Protection in the Power Industry"

To thoroughly implement the important thoughts of General Secretary Xi Jinping on building a strong cyber nation, standardize the management of classified cybersecurity protection in the power industry, and improve the cybersecurity assurance capabilities and level of the power industry, the National Energy Administration has revised the "Measures for the Management of Information Security Classified Protection in the Power Industry" (Guo Neng Anquan [2014] No. 318). The revised "Measures for the Management of Classified Cybersecurity Protection in the Power Industry" is hereby issued.

Chapter I: General Provisions

Article 1: These Measures are formulated in accordance with laws, regulations, and normative documents such as the "Cybersecurity Law of the People's Republic of China," the "Cryptography Law of the People's Republic of China," the "Regulations on the Protection of Computer Information System Security," the "Regulations on the Security Protection of Critical Information Infrastructure," and the "Measures for the Management of Information Security Classified Protection," in order to standardize the management of classified cybersecurity protection in the power industry, improve the cybersecurity assurance capabilities and level of the power industry, and safeguard national security, social stability, and public interests.

Article 2: Power enterprises that construct, operate, maintain, and use networks (excluding nuclear safety) within the territory of the People's Republic of China and carry out classified cybersecurity protection work shall apply these Measures. The term "network" as used in these Measures refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures, including power monitoring systems, management information systems, and communication network facilities. These Measures do not apply to networks involving state secrets. Networks involving state secrets shall be managed in accordance with the management regulations and technical standards for the graded protection of secret-related information systems issued by the state secrecy department, taking into account the actual situation of the network.

Article 3: The National Energy Administration shall, in accordance with national policies, regulations, and technical standards for classified cybersecurity protection, and in light of the actual conditions of the industry, organize the formulation of management norms and technical standards applicable to the power industry for classified cybersecurity protection, and provide guidance and supervision for the implementation of classified cybersecurity protection work in the power industry. The dispatched agencies of the National Energy Administration shall, as authorized by the National Energy Administration, supervise and manage the implementation of classified cybersecurity protection work by power enterprises within their respective jurisdictions. Power enterprises shall fulfill the obligations and responsibilities of classified cybersecurity protection in accordance with relevant national and power industry laws, regulations, and normative documents.

Chapter II: Classification and Protection

Article 4: Based on the importance of power industry networks to national security, economic construction, and social life, as well as the degree of harm to national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons, and other organizations once they are destroyed, lose functionality, or have their data tampered with, leaked, lost, or damaged, power industry networks are divided into five security protection levels:

Level 1: After being damaged, it will cause general damage to the legitimate rights and interests of relevant citizens, legal persons, and other organizations, but does not endanger national security, social order, or public interests.
Level 2: After being damaged, it will cause serious or particularly serious damage to the legitimate rights and interests of relevant citizens, legal persons, and other organizations, or endanger social order and public interests, but does not endanger national security.
Level 3: After being damaged, it will cause serious harm to social order and public interests, or endanger national security.
Level 4: After being damaged, it will cause particularly serious harm to social order and public interests, or cause serious harm to national security.
Level 5: After being damaged, it will cause particularly serious harm to national security.

Article 5: The classified cybersecurity protection of the power industry adheres to the principles of protection by classification, highlighting key points, active defense, and comprehensive prevention.

Chapter III: Implementation and Management of Classified Protection

Article 6: The National Energy Administration shall, in accordance with national standards and specifications such as "Information Security Technology - Guidelines for Classified Cybersecurity Protection" (GB/T 22240) and in light of the characteristics of power industry networks, formulate guidelines for the classification of cybersecurity protection in the power industry to guide the classification work for classified cybersecurity protection in the power industry.

Article 7: Power enterprises shall, during the network planning and design stage, determine the classification object (network) and its security protection level in accordance with national standards and specifications such as "Information Security Technology - Guidelines for Classified Cybersecurity Protection" (GB/T 22240) and the power industry's guidelines for the classification of cybersecurity protection, and apply for changes to its security protection level in a timely manner when major changes occur in network functions, service scope, service objects, and processed data. For networks intended to be classified as Level 2 or above, power enterprises shall organize cybersecurity experts to conduct classification reviews. Among them, networks intended to be classified as Level 4 or above shall also be reviewed by national classified cybersecurity protection experts organized uniformly by the National Energy Administration.

Article 8: Member enterprises of the National Electric Power Safety Production Committee shall summarize the classification results and expert review opinions for networks intended to be classified as Level 2 or above at the group headquarters level and report them to the National Energy Administration for review. Power enterprises within each region (province) shall summarize the classification results for networks intended to be classified as Level 2 or above within their own unit and report them to the dispatched agencies of the National Energy Administration for review.

Article 9: When power enterprises go through the review procedures for the classification of cybersecurity protection, they shall submit the "Review Form for Classified Cybersecurity Protection in the Power Industry" (see the appendix for details), including the classification report and expert review opinions for each classification object. The National Energy Administration or its dispatched agencies shall provide review feedback within 30 days from the date of receiving the review materials.

Article 10: After receiving the review opinions from the National Energy Administration or its dispatched agencies, power enterprises shall, in accordance with relevant regulations, file records with the public security organs and report the classification and filing results to the National Energy Administration or its dispatched agencies according to the classification review authority specified in Article 8.

Article 11: Power enterprises shall purchase and use network products and services that comply with national laws, regulations, and relevant standards and norms and meet the requirements of classified cybersecurity protection. For power monitoring systems, equipment and facilities such as power-specific lateral one-way security isolation devices, power-specific longitudinal encryption authentication devices, or encryption authentication gateways shall be purchased and used in accordance with the relevant requirements for the security protection of power monitoring systems; during equipment selection and configuration, it is prohibited to select systems and equipment that have been notified by the National Energy Administration to have vulnerabilities and risks, and systems and equipment already in operation shall be rectified in a timely manner, and operation management and security protection shall be strengthened. The purchase of network products and services that affect or may affect national security shall pass security review in accordance with national cybersecurity regulations.

Article 12: In the process of network planning, construction, and operation, power enterprises shall follow the principles of synchronous planning, synchronous construction, and synchronous use, and in accordance with the security protection level requirements of the network, construct cybersecurity equipment and facilities, formulate and implement security management systems, and improve the cybersecurity protection system.

Article 13: After the network is built, power enterprises shall, in accordance with relevant national and industry standards or specifications, regularly conduct classified cybersecurity protection assessments on the status of cybersecurity protection. Level 2 networks shall undergo a classified protection assessment every two years, and Level 3 and above networks shall undergo an assessment every year. Newly built Level 3 and above networks shall be put into operation after passing the classified protection assessment. The classified cybersecurity protection assessment work for power monitoring systems shall be coordinated with the security protection assessment of power monitoring systems, the cybersecurity detection and assessment of critical information infrastructure, and the security assessment of commercial cryptography applications to avoid duplicate assessments. Power enterprises shall regularly conduct self-inspections on the cybersecurity status and the implementation of security protection systems and measures. Level 2 power monitoring systems shall undergo self-inspection at least once every two years, and Level 3 and above networks shall undergo self-inspection at least once a year. Power enterprises shall formulate rectification plans for security risks and hidden dangers found in self-inspections and classified protection assessments, and carry out security construction and rectification. Power enterprises shall require the classified cybersecurity protection assessment agency (hereinafter referred to as the assessment agency) to organize experts to review the classified protection assessment reports for Level 3 and above networks, and submit expert review opinions along with the assessment report.

Article 14: Power enterprises shall, in accordance with the classification review authority specified in Article 8, report the work situation of classified cybersecurity protection to the National Energy Administration or its dispatched agencies annually, including the classification and filing, assessment, security construction and rectification, and self-inspection of classified cybersecurity protection.

Article 15: The National Energy Administration and its dispatched agencies shall, in conjunction with cybersecurity inspections of critical information infrastructure, regularly organize spot checks on power enterprises operating Level 3 and above networks. When conducting cybersecurity inspections, coordination, cooperation, and information communication shall be strengthened to avoid unnecessary inspections and cross-duplicate inspections. The main inspection items include:

(1) The implementation of classified cybersecurity protection classification work, including classification review, review, filing, and adjustment of classification according to changes in cybersecurity requirements;
(2) The implementation of cybersecurity management systems and measures by power enterprises;
(3) The self-inspection of the cybersecurity status by power enterprises;
(4) The implementation of classified cybersecurity protection assessment work;
(5) The use of cybersecurity products;
(6) The construction and rectification of cybersecurity;
(7) The compliance of filing materials with the power enterprise and its network;
(8) Other matters that should be supervised and inspected.

Article 16: Power enterprises shall accept the security supervision, inspection, and guidance of the National Energy Administration and its dispatched agencies, and provide the following information materials and data files related to classified cybersecurity protection truthfully as needed:

(1) Changes in the filing matters of classified cybersecurity protection;
(2) Changes in cybersecurity organization, personnel, and job responsibilities;
(3) Changes in cybersecurity management systems and measures;
(4) Network operation status records;
(5) Self-inspection records of the cybersecurity status by power enterprises;
(6) Classified cybersecurity protection assessment reports issued by assessment agencies;
(7) Changes in the use of cybersecurity products;
(8) Cybersecurity incident emergency plans, and reports on the results of cybersecurity incident emergency response;
(9) Network data disaster recovery backup situation;
(10) Reports on the results of cybersecurity construction and rectification;
(11) Other materials that need to be provided.

Article 17: For problems found in cybersecurity inspections, power enterprises shall organize rectification in accordance with the management norms and technical standards for classified cybersecurity protection. If necessary, the National Energy Administration and its dispatched agencies may conduct spot checks on the rectification.

Article 18: When power enterprises select assessment agencies to conduct classified cybersecurity protection assessments, the following requirements shall be followed:

(1) The assessment agency shall obtain the "Service Certification Certificate for Classified Cybersecurity Assessment and Detection Evaluation Institutions" (hereinafter referred to as the assessment agency service certification certificate) issued by a certification body approved by the National Certification and Accreditation Administration;
(2) Agencies engaged in classified cybersecurity protection assessment for power monitoring systems shall be familiar with the cybersecurity management and technical protection requirements of power monitoring systems and possess corresponding service capabilities and experience. Agencies engaged in Level 2 network assessment for power monitoring systems shall have experience in providing classified protection assessment or risk assessment services for more than 30 sets of industrial control systems within the past 2 years; agencies engaged in Level 3 network assessment for power monitoring systems shall have experience in providing classified protection assessment or security protection assessment services for more than 50 sets of power monitoring systems within the past 3 years; agencies engaged in Level 4 and above network assessment for power monitoring systems shall have experience in providing classified protection assessment or security protection assessment services for more than 90 sets of power monitoring systems within the past 5 years;
(3) For networks that are critical information infrastructure of the power industry, when selecting assessment agencies, their security and trustworthiness shall be ensured, and if necessary, materials such as no-criminal-record certificates may be required from the assessment agency and its principal responsible persons and technical backbone;
(4) It is not allowed to entrust assessment agencies that have been notified by the National Energy Administration for bad behaviors as stipulated in these Measures within the past 3 years, or whose assessment agency service certification certificate has been cancelled or suspended by the certification body, or that have been notified by the national competent department for classified cybersecurity protection work or industry associations to suspend classified protection assessment business and are in the rectification period;
(5) Power enterprises shall take measures such as signing confidentiality agreements, conducting security and confidentiality training, and on-site supervision to strengthen the security and confidentiality management of assessment agencies, assessment personnel, and the assessment process to avoid the disclosure of secrets.

Article 19: The National Energy Administration and its dispatched agencies may, while conducting cybersecurity inspection work on power enterprises, simultaneously supervise and inspect the assessment work carried out by assessment agencies.

Article 20: The National Energy Administration encourages power enterprises to carry out the construction of assessment agencies and apply for assessment agency service certification in accordance with national requirements, and supports power enterprises in participating in the formulation of technical standards for classified cybersecurity protection in the power industry.

Chapter IV: Cryptography Management for Classified Cybersecurity Protection

Article 21: Where power enterprises use cryptography for classified protection, they shall comply with relevant laws and regulations such as the "Cryptography Law of the People's Republic of China" and the technical standards for classified cybersecurity protection cryptography formulated by the national cryptography management department.

Article 22: The deployment, use, and management of cryptography in the classified cybersecurity protection of power enterprises shall strictly execute the relevant provisions of national cryptography management. When using cryptography technology for the construction and rectification of classified cybersecurity protection, commercial cryptography products and services that have passed the testing and certification of commercial cryptography testing and certification institutions shall be adopted. Those involving the import of commercial cryptography shall also comply with the relevant national requirements for the import license of commercial cryptography.

Article 23: Power enterprises shall carry out security assessments of commercial cryptography applications in accordance with relevant laws and regulations.

Article 24: Cryptography management departments at all levels shall inspect and conduct security assessments of the deployment, use, and management of cryptography in classified cybersecurity protection work, and relevant power enterprises shall actively cooperate. For problems found in inspections and security assessments, rectification shall be carried out in a timely manner as required.

Chapter V: Legal Liability

Article 25: If a power enterprise violates relevant national regulations and the provisions of these Measures, the National Energy Administration or its dispatched agencies shall order it to make corrections within a time limit according to their respective duties; if it fails to make corrections within the time limit, a warning shall be given, and the situation shall be reported to its superior department, suggesting that the directly responsible person in charge and other directly responsible persons be dealt with; if serious harm is caused, the public security organs and cryptography management departments shall deal with it in accordance with relevant laws and regulations.

Article 26: If relevant departments and their staff members neglect their duties, abuse their powers, or engage in malpractice for personal gain in performing their supervision and management duties, they shall be given administrative sanctions according to law; if a crime is constituted, criminal responsibility shall be investigated according to law.

Article 27: If an assessment agency violates relevant laws, regulations, and normative document requirements and commits any of the following bad behaviors, the National Energy Administration may propose suggestions such as ordering rectification within a time limit or cancelling or suspending the use of the assessment agency service certification certificate to relevant national departments, certification bodies, and industry associations, and notify power enterprises of the relevant risk information:

(1) Providing non-objective and unfair classified protection assessment services, issuing false assessment reports or reports that do not conform to the actual situation, affecting the quality and effect of the classified protection assessment;
(2) Disclosing, selling, or illegally providing to others state secrets, work secrets, trade secrets, important data, personal information, and privacy learned during the service, or illegally using or publishing and disclosing without authorization data information, system vulnerabilities, malicious code, network intrusion attacks, and other cybersecurity information collected and mastered during the service;
(3) Causing cybersecurity incidents attributable to the assessment agency's employees;
(4) Assessment agency employees participating in cybersecurity competitions and other activities organized overseas without reporting to the public security organs;
(5) Other actions that endanger or may endanger power production safety or cybersecurity.

Chapter VI: Supplementary Provisions

Article 28: These Measures shall come into effect from the date of issuance and shall be valid for 5 years. The "Measures for the Management of Information Security Classified Protection in the Power Industry" (Guo Neng Anquan [2014] No. 318) shall be repealed simultaneously.
