Break the shackles of car networking information security risks

Since the launch of the Internet of Vehicles concept in 2010, a large number of startups related to Internet of Vehicles have emerged, and many well-known companies have also made high-profile deployments in the field of Internet of Vehicles. However, the development of the Internet of Vehicles in the past 10 years has not been smooth sailing. Discussions on the safety of Internet of Vehicles products are endless. In particular, related information security risks have become a high threshold for the Internet of Vehicles industry and have attracted great attention.

In what areas are the information security risks of the Internet of Vehicles mainly reflected? What are the main car networking information security technical standards that automakers need to meet? How to use a third-party testing and certification body to meet the challenge of access to the Internet of Vehicles information security compliance? With these questions in mind, this magazine interviewed Huang Qingquan, an expert in information security and business development manager of TÜV SÜD’s Greater China Transportation Service Department.

A variety of factors cause information security risks for the Internet of Vehicles

“The risk of automobile network security is getting higher and higher, especially the prominent problem of Internet of Vehicles information security, which is caused by a variety of factors.” Huang Qingquan told our reporter.

On the one hand, with the continuous development of connected technology, the Internet of Vehicles has more and more external interfaces, and more and more vulnerabilities are exposed across the entire connected ecosystem, such as car driving safety issues. On the other hand, changes in certain automotive business models have increased the value of attacking vehicles, which may lead to more attacks. For example, an automobile manufacturer launched a software upgrade package for heating rear seats in winter. This is an emerging business model, and “hackers” may benefit from attacking it, so the information security risk rises accordingly.

Huang Qingquan said that nodes with external communication interfaces such as T-BOX, IVI, and GWM are all vulnerable to attacks. For example, during the charging process, if the charging pile is hacked, the charging state of the car may be forged or deceived, thereby causing a safety hazard during the charging process of the car. One of the reasons why a large car screen is most vulnerable to attention and attacks is that it is relatively close to the areas usually covered by traditional “hackers” and is easily subject to cross-border tracking. In addition, the development of autonomous driving has also brought about an increase in external interaction or perception portals, and cameras, sensors, etc. may all be used.

It can be seen that in the intelligent connected car environment, if the vehicle network security is weak or the protection is not good enough, the launch of software services at this time will often cause a greater negative impact on the enterprise. Therefore, ensuring the security of automobile networks and information is something that automobile companies must invest resources to do.

Information Security Technical Standards: From a Hundred Flowers to the Same Goal by Different Routes

At present, many network information security standards have emerged around the world. For example, the SP-800 series standards issued by the National Institute of Standards and Technology (NIST) and a series of information security technical standards launched by the National Information Security Standardization Technical Committee can serve as references in the field of Internet of Vehicles information security.

“However, in the automotive field, network and information security are still relatively new topics. There are not many technical standards that are compulsory for the Internet of Vehicles.” According to Huang Qingquan, UNECE R155, the network security regulation for intelligent networked vehicles issued by the United Nations Economic Commission for Europe, is the most influential reference standard.

The UNECE R155 information security regulations came into effect on January 22, 2021. They are applicable to Class M, Class N, and Class O vehicles equipped with at least one electronic control unit, and to Class L6 and L7 vehicles with autonomous driving functions above L3. They currently have strong guiding significance in the automotive industry.

Huang Qingquan explained that the regulations are mainly divided into two parts: Cyber Security Management System certification (hereinafter referred to as “CSMS certification”) and vehicle type approval. The CSMS certification mainly examines whether the OEM (original equipment manufacturer) has established a network security system covering the entire life cycle of the automobile, so that corresponding process measures exist throughout that life cycle. Vehicle type approval ensures that the vehicle information security architecture and protection scheme developed by the OEM meet the basic requirements during review and certification.

Generally speaking, many authoritative organizations in the industry are formulating automotive information security regulations and standards. This is bound to be a process of gradual maturity and continuous improvement with the Internet of Vehicles industry, and subsequent more specific technical standards will be followed.

Huang Qingquan is optimistic about the current situation of a hundred flowers blooming. He believes that some framework standards recognized in the industry will tend to be relatively consistent in the future, but there will still be differences in the standards involving specific scenarios and more details, and the standards need to be continuously updated.

So, how should the current automobile manufacturers and parts suppliers adapt to the diverse and changeable network and information security environment? In Huang Qingquan’s view, Internet of Vehicles companies need to at least pay attention to the network information security process system and best practices in the industry.

“Network security is a relative concept. You may be safe one minute, and you won’t be safe the next. So there is no fixed routine to define that you must be safe if you do it, and then it must be unsafe if you do it. It is different from the conventional automobile testing and certification thinking. Therefore, the current network security testing and certification work in the Internet of Vehicles industry mainly considers the evaluation of the process system and the product testing and certification based on best practices and analytical methodologies.” Huang Qingquan further explained that the process system takes into account the characteristics of network security and, based on a reasonable process, can monitor the dynamic security risks of vehicles in time and give timely guidance on what countermeasures to take.

In this process, TÜV SÜD acts as a third-party testing and certification organization. On the one hand, it assists automobile companies in building a compliant cyber security process system based on framework laws and regulations. On the other hand, it continuously updates its knowledge system in response to the dynamic characteristics of network security, participates in or tracks the formulation of the latest regulations and standards, and applies best practices to product testing and certification.

High standards to avoid Internet of Vehicles information security risks

In 2020, some self-driving cars will start testing on the road, and many people look at the new things in this smart era with a curious mind. As the final manifestation of the Internet of Vehicles, it will take time for autonomous driving to truly land and realize commercial use. From concept proposal to product development, from production stage to mass production operation and maintenance stage, the Internet of Vehicles industry needs to build an overall process system, organizational structure, and network security management system. At present, the formulation of test standards is particularly urgent.

As a testing and certification technical service organization that has been deeply involved in the automotive industry for more than 100 years, TÜV SÜD has always followed the requirements of international vehicle regulations and is committed to helping automakers solve the difficulties and pain points in network and information security certification. At present, TÜV SÜD experts are deeply involved in the formulation of the latest automotive network security standards (ISO/SAE 21434) and automotive software upgrade standards (ISO 24089).

Huang Qingquan has a very clear understanding of the role of third-party testing and certification agencies in promoting the development of the Internet of Vehicles. “This mainly includes two aspects, one is the front end and the other is the end.” He explained that at the front end, TÜV SÜD participates in the formulation of a number of standards and regulations, which can support the Internet of Vehicles industry. At the end, TÜV SÜD has conducted testing, evaluation and certification of specific products and process systems to ensure that the certified Internet of Vehicles related products comply with standards and regulations, and promote the healthy development of the entire industry.

It can also be said that TÜV SÜD will first help Internet of Vehicles related products meet the basic requirements of the security baseline through testing and certification, and promote the improvement of the network and information security level of the Internet of Vehicles ecosystem. Then, for some important parts and components, it will perform testing and certification above the security baseline framework requirements according to the needs of the market and the supply chain, thereby guiding the development of the Internet of Vehicles industry to a higher level.

In recent years, TÜV SÜD has also devoted itself to a number of international research and development projects related to autonomous driving and to cross-field autonomous driving cooperation projects. For example, TÜV SÜD joined the autonomous driving legislation research project (PEGASUS) initiated by the German Federal Government, jointly developed the “TÜV Algorithm” and the openGENESIS collaboration platform with the German Research Center for Artificial Intelligence (DFKI), and participated in Singapore’s CETRAN project for the formulation of automated driving test standards in complex urban traffic environments, as well as in the United Nations’ internal coordination of regulatory requirements.

While participating in the formulation of standards and regulations related to vehicle networking and information security at home and abroad, TÜV SÜD also continuously updates its internal vehicle network security knowledge system, and provides special training on vehicle network and information security for vehicle companies. Not long ago, TÜV SÜD and the National Intelligent Connected Vehicle Innovation Center jointly organized the first course in the “Intelligent Connected Future” series, a special training on the interpretation of automotive information security standards and regulations. The training systematically sorted out and interpreted the status quo and development trends of current domestic and foreign vehicle information security standards and regulations, as well as threat analysis and risk assessment methods and practices.

Undoubtedly, the new business format represented by the Internet of Vehicles is changing the inherent development path of the global automotive industry and shaping a new pattern of intelligent connected vehicles, and vehicle network and information security risks will accumulate. Third-party testing and certification organizations represented by TÜV SÜD will serve as important participants in the Internet of Vehicles industry and help automakers break the shackles of information security risks.