The Ministry of Industry and Information Technology (“MIIT”) published the Administrative Measures for the Assessment of the Information Security Defence Capabilities of Industrial Control Systems (the “Measures”) on 11 August 2017.

An industrial control system (“ICS”) is the integration of personnel, hardware, software, and platforms involved in the different parts of industrial control. It includes (but is not limited to) industrial production control system (e.g. programmable logic controller (PLC), distributed control system (DCS), supervisory control and data acquisition (SCADA)), industrial control process safety protection system (e.g. emergency shutdown device (ESD), safety instrumented system (SIS)), industrial production scheduling and management information system (e.g. manufacturing execution system (MES), enterprise resource planning (ERP)), and industrial service application system (e.g. cloud platform, big data platform). 

An assessment on the information security defence capabilities of an ICS can either be ordered by the MIIT or applied by the operator. All assessments shall be conducted in accordance with the specification, requirements and procedures provided in the Measures and its appendix. The Measures do not specify whether the assessments on an ICS are part of the various security assessments and examinations mentioned in the PRC Cybersecurity Law. Further guidance or explanation might be published in the future. 

Please click here to read the full text of the Measures.