Recently, China has published the “Security Assessment Measures for Outbound Data Transfers,” a crucial regulation on outbound data flows. This regulation contains strong national security considerations and produces independent and direct legal effects compared with other assessment systems in China’s laws. However, there is a possibility that conflict arises between these measures and the international commitments made by China due to the ambiguity in how "critical data" is defined, the excessive emphasis placed on self-risk assessment, and the arbitrary extension of procedures. Particularly, with China's current application to join the CPTPP, the restrictive measures of its cross-border data flow may appear to violate the obligation of CPTPP, but may be justified through CPTPP’s exception clauses. In light of this, it is necessary for China to adopt a more modest approach to balancing data security with the effort made to promote the flow of cross-border data.
KINAC (Korea Institute of Nuclear Non-proliferation and Control) is entrusted with the NSSC (Nuclear Safety And Security Commission) to conduct threat assessments for nuclear facilities. As part of the threat assessment, DBT (Design Basis Threat) must be established every three years, and a threat assessment report must be developed for DBT establishment. This paper suggests a method for collecting and analyzing cyber threat information for the development of a cyber security threat assessment report. Recently, cyber threats not only in the IT (Information Technology) field but also in the ICS (Industrial Control System) field are rapidly increasing. As cyber threats increase, threat information including related attack techniques is also increasing. Although KINAC is conducting a threat assessment on cyber security at nuclear facilities, it cannot collect and analyze all cyber threat information. Therefore, it is necessary to determine a reliable source of threat information for threat assessment, and establish a strategy for collecting and analyzing threat information for DBT establishment. The first method for collecting and analyzing threat information is to first collect threat information on industrial fields with high similarity to nuclear facilities. Most of the disclosed cyber threat information is in the IT field, and most of this information is not suitable for closed-network nuclear facilities. Therefore, it is necessary to first collect and analyze threat information on facilities that use networks similar to nuclear facilities such as energy and financial sector. The second method is to analyze the attack technique for the collected threat information. The biggest factor in DBT reset is whether there is a new threat and how much it has increased compared to the existing threat. Therefore, it is necessary to analyze which attack technique was used in the collected threat information, and as part of the analysis, a cyber attack analysis model such as a kill chain can be used. The last method is to collect and manage the disclosed vulnerability information. In order to manage vulnerabilities, it is necessary to analyze what assets are in the nuclear facility first. By matching the reported vulnerability with the CDA (Critical Digital Asset) in the facility, it is possible to analyze whether the CDA can be affected by a cyber attack.As cyber threats continue to increase, it is necessary to analyze threat cases of similar facilities, attack techniques using attack models, and vulnerability analysis through asset identification in order to develop a threat assessments report.
The purpose of this study is, by recognizing that recently, as crimes using information and various adverse-effect phenomena such as hacking and virus occur frequently with rapid development of information network such as Internet in every field of industry, the range of security is widening to the field of industrial areas for preventing the leaking of industrial technology and protecting that technology as well as information security only limited to IT area, and by establishing common concept about industrial security through education on the industrial security at the point of increasing importance of industrial security, to prepare the base of comprehensive risk management system for protecting company's assets (physical factor, technical factor and managerial factor) safely from the random threats or attacks inside and outside the company through assessment of important assets of the company, evaluation of threats and weak points, and risk assessment by building industrial security management system in order to protect company's information assets and resources which are connected to the existence of the company safely from the threats or attacks from inside or outside the company and to spread stable business activities.