Cyber Security Defense of Critical Infrastructure
According to the Executive Yuan’s "Guidance on National Critical Infrastructure Security Defense," critical infrastructure in Taiwan is divided by feature type into the following eight fields: energy, water resources, telecommunications, transportation, banking and finance, emergency aid and hospitals, central and local governments, and high-tech parks. Critical infrastructure providers are also among the entities regulated by the Cyber Security Management Act.
Legal basis and means of designating critical infrastructure providers
The Cyber Security Management Act was implemented on January 1, 2019. The entities it manages include government agencies, critical infrastructure providers, government-owned enterprises, and government-endowed foundations. "Critical infrastructure providers" refers to those who maintain or provide critical infrastructure, either in whole or in part, as designated by the central authority in charge of relevant industry.
To assist in appointing critical infrastructure providers, the Administration (formerly the Executive Yuan’s Department of Cyber Security) created the Critical Infrastructure Provider Designated Procedures (hereinafter referred to as the Appointment Procedure), which is divided into four main steps: "identifying critical field," "identifying critical service," "identifying critical (information) infrastructure," and "approving critical infrastructure provider." The work in each step is assigned to the Executive Yuan, the central authority in charge of relevant industry, and critical infrastructure provider candidates according to their jurisdictions.
Joint national cyber security defense
In response to growing cyber security threats against Taiwan, the National Information and Communication Security Taskforce, Executive Yuan (NICST) connected the central authorities in charge of relevant industries for the eight major fields of critical infrastructure, expanding the joint national cyber security defense mechanisms and building the eight fields of major critical information infrastructure and the national-level Information Sharing and Analysis Center (ISAC), Computer Emergency Response Team (CERT), and Security Operation Center (SOC). A joint cyber security defense and collaboration network formed by an intelligence-driven government, the central authorities in charge of relevant industries, and critical infrastructure providers thus creates the joint national cyber security defense system, which defends cyber security and shares intelligence with the rest of the world.
Additionally, critical infrastructure field-level CERTs, ISACs, and SOCs are designated to provide practical construction guides for providers to reference when constructing and operating CERTs, ISACs, and SOCs in their fields. The scope of application of the guides may be adjusted according to each field’s features.
Suggestions for Critical Information Infrastructure Cyber Security Defense
To implement Critical Information Infrastructure Protection (CIIP), the Administration created the "Suggestions for Critical Information Infrastructure Cyber Security Defense" as a guideline for critical infrastructure field levels and critical infrastructure providers to use when setting cyber security standards in their fields. Each field level may follow these suggestions and adjust them according to the field’s features.
Obligations to report cyber security incidents and undergo audits
According to Chapter 3 of the "Regulations on the Notification and Response of Cyber Security Incident," specific non-government agencies, including critical infrastructure providers, should report cyber security incidents, as designated by the central authority in charge of relevant industry, within one hour of learning about them. For Level 1 and Level 2 cyber security incidents, the central authority in charge of relevant industry should complete a level review within eight hours, periodically summarize the verification result, basis, and other necessary information, and submit them to the competent authority (the Ministry of Digital Affairs) in the manner that authority specifies. For Level 3 and Level 4 cyber security incidents, the level review should be completed within two hours, and the results should be delivered to the Ministry of Digital Affairs within one hour. Additionally, according to Article 21 of the "Cyber Security Management Act," specific non-government agencies that do not report cyber security incidents to the central authority in charge of relevant industry upon learning about them, as required by Article 18, shall be subject to a fine between NT$300,000 and NT$5 million and be ordered to make improvements within a deadline; those that do not improve shall be subject to penalties per incident.
According to Article 16 of the "Cyber Security Management Act," the central authority in charge of relevant industry should audit how critical infrastructure providers under its jurisdiction implement their cyber security management plans; critical infrastructure providers whose plans are incomplete or need improvement should provide an improvement report to their central authority in charge of relevant industry. According to Article 3 of the "Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency," except in cases of force majeure, the Ministry of Digital Affairs shall select specific non-government agencies (including critical infrastructure providers) for audit every year and conduct in-person audits to inspect their cyber security management plan implementation.