1、Overview-GB 44495-2024
GB 44495-2024 "automobile vehicle information security technical requirements" stipulates the automobile information security management system requirements, and external connection security, communication security, software security, data security, technical requirements and test methods, suitable for class M, class N and at least one electronic control unit (ECU) of class O vehicles, to improve the level of automotive products of information security protection technology, strengthen the industrial chain risk prevention and the ability to respond to network attacks, build a car information security protection baseline is of great significance.
Øtips
1. Class M: a motor vehicle with at least four wheels and used to carry passengers
2. Class N: a motor vehicle with at least four wheels and is used for cargo carrying
3. Class O: (with at least one ECU) trailer (including semi-trailer)
2、Important time node
Standard release: August 23,2024
Formal implementation: January 1,2026
E-time:
lFor the new application form of approval (VTA) models: starting from the date of implementation of the standard, that is, January 2026
lFor formally approved models: it will start from 25 months from the end of the implementation date of the standard, that is, January 2028
3、Standard basic framework
4、Automobile information safety management system requirements
GB 44495-2024 points out that the vehicle manufacturer should have the vehicle information security management system for the whole life cycle of the vehicle, stipulates that the vehicle product development process should follow the vehicle information safety management system, and at the same time, the vehicle manufacturer should put forward clear requirements for the organizational process, responsibility and governance measures for risk identification, management and assessment.
In the management of internal process of vehicle information security, enterprises need to establish the process of identifying, evaluating, classifying and disposing vehicle information security risks and verifying the disposal of identified risks, and ensure that vehicle risk assessment keeps the latest state; enterprises need to establish a process for vehicle information security testing, and monitoring, response and vulnerability reporting mechanism for vehicle cyber attacks, cyber threats and vulnerabilities. In addition, enterprises need to establish the process of managing the information security dependence between enterprises and parts suppliers and service suppliers according to the information security risks of different parts of vehicles, and control the external risks related to suppliers.
5、Information security and technical requirements
1)External connection security requirements
Due to the security considerations of the current complex network environment, with the rapid development of information technology, external wired and wireless connections have become common ways for attackers to invade, and security threats such as illegal outreach, data leakage and malware software infection have become increasingly severe. Therefore, GB 44495-2024 puts forward security requirements for external connections at the first point of technical requirements, aiming to prevent sensitive data leakage, illegal access and malicious attacks caused by entering the automobile system through the external connection channel, and ensure the continuity and stability of business. The main test objects are TBOX-cellular Ethernet interface, Wifi interface, key parts firmware, third-party applications, remote vehicle control APP, USB interface, CAN diagnostic interface, etc.
2)Communication security requirements
Communication network is an indispensable infrastructure in modern society, carrying the task of transmitting and exchanging massive data. In the process of driving, the vehicle also needs to interact with the external equipment through the communication network. In this process, communication security is particularly important, which is directly related to the confidentiality, integrity and availability of data in the transmission process. However, communication security is facing increasingly complex threats and challenges, hacker attacks, virus transmission, data leakage and other security incidents, which will not only bring huge economic losses to enterprises, but also may seriously threaten national security and social stability. Therefore, incorporating communication security into GB information security is an important measure to build an all-round and multi-level information security protection network, aiming to ensure the stable operation of the information system and the safe transmission of data. The main test objects are network communication protocol, WLAN, Bluetooth, V2X communication, radio frequency key, OBD port, etc.
3)Software upgrade security requirements
Software upgrades have become an important means of maintaining system performance, fixing security vulnerabilities, and improving the user experience. However, the software upgrade process itself is also accompanied by certain security risks. Improper upgrade operations may lead to system instability, data loss, and may even be exploited by malicious software, thus posing a serious threat to the overall security of the information system. Hackers and attackers often exploit vulnerabilities in software upgrades. They may disguise as legitimate upgrade packages, implant malicious code, or steal sensitive information during the upgrade. Therefore, ensuring the security of the software upgrade process is crucial to prevent external threats and protect the system from attacks. The main test objects are ECU with on-board software upgrade system, network communication protocol, upgrade package, upgrade log, etc
4)Data security requirements
With the deepening of automobile information degree, the security problems in the whole life cycle of data in production, storage, transmission, access, use and destruction have become increasingly prominent. Frequent security incidents such as cyber attacks, data leakage and misoperation of internal personnel have brought huge losses to individuals, enterprises and the country.
The safety of data in the car data is not only related to the protection of personal privacy, to ensure that the sensitive information of drivers and passengers is not leaked and abused, but also directly related to the driving safety, because the arbitrary modification of key parameters may lead to serious consequences. Therefore, by strengthening data security protection, it can not only provide users with reliable information security guarantee, but also ensure that the key parameters of vehicle driving are not arbitrarily modified. GB 44495-2024 Data security part of the main test objects are IVI, TBOX, gateway, ADAS domain controller and other key components in the car.
6、Influence and significance
GB 44495-2024 "Vehicle Information Security Technical Requirements" clearly stipulates the technical requirements of vehicles in the information security and the requirements of vehicle manufacturers in the information security management system, providing a clear goal and a standardized framework for vehicle manufacturers to carry out the construction of vehicle information security.
The release of this standard has far-reaching influence and significance on improving the information security level of the whole vehicles, promoting the technological upgrading and market competition of the intelligent and connected automobile industry, protecting the rights and interests of consumers and public safety, and promoting international cooperation and exchanges.
If you want to know more about GB 44495-2024 "Vehicle Information Security Technical Requirements", welcome to contact zhongle certification, we have a professional team, to provide you with detailed certification services.
Tel:13417442373 (Skype)
E-mail:finny.zhou@zhongletest.com
