GB 44495-2024 Technical requirements for vehicle cybersecurity
1 Scope
This document specifies the requirements for the cybersecurity management system, the basic requirements for cybersecurity, the technical requirements for cybersecurity and the judgment on the same type, and describes the corresponding inspection and test methods.
This document is applicable to Categories M and N vehicles, as well as Category O vehicles equipped with at least one electronic control unit.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 40861 General technical requirements for vehicle cybersecurity
GB/T 44373 Intelligent and connected vehicle - Terms and definitions
GB/T 44464-2024 General requirements of vehicle data
GB 44496 General technical requirements for vehicle software update
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 40861, GB/T 44373, GB 44496 and the following apply.
3.1
vehicle cybersecurity
state in which a vehicle’s electronic and electrical systems, assembly and functions are protected so that its assets are free from threats
[Source: GB/T 40861-2021, 3.1]
3.2
cybersecurity management system; CSMS
risk-based system method
Note: It includes organizational processes, accountability, and governance to deal with risks associated with vehicle cyber threats and protect vehicles from cyber attacks.
[Source: GB/T 44373-2024, 3.11, modified]
3.3
risk
impact of uncertainty on vehicle cybersecurity
Note: The risk is expressed in terms of attack feasibility and impact.
3.4
risk assessment
process of discovering, identifying and describing risks, understanding the nature of risks and determining the level of risks, and comparing the results of risk analysis with risk criteria so as to determine whether the risks are acceptable
3.5
threat
potential cause of an unexpected incident that may lead to damage to a system, organization, or individual
3.6
vulnerability
weakness in the asset or mitigation measures that may be exploited by one or more threats
3.7
on-board software update system
software and hardware installed on the vehicle terminal and having the function of directly receiving, distributing and verifying the update packages from outside the vehicle to realize software update
[Source: GB 44496-2024, 3.12]
3.8
over-the-air update
software update that transmits the update package to the vehicle by wireless means rather than using a cable or other local connection modes
Note 1: "Over-the-air update" is also referred to as "remote update".
Note 2: "Local connection modes" generally refer to the physical connection modes through the on-board diagnostics (OBD) interface, universal serial bus (USB) interface, etc.
[Source: GB 44496-2024, 3.3]
3.9
offline update
software update other than over-the-air update
[Source: GB 44496-2024, 3.13]
3.10
sensitive personal information
personal information that, once leaked or illegally used, may lead to discrimination or serious harm to the personal and property safety of vehicle owners, drivers and passengers as well as persons outside the vehicle
Note: It includes information such as vehicle whereabouts, audios, videos, images and biometric features.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
CAN: Controller Area Network
ECU: Electronic Control Unit
HSM: Hardware Security Module
NFC: Near Field Communication
OBD: On-Board Diagnostics
RFID: Radio Frequency Identification
USB: Universal Serial Bus
VLAN: Virtual Local Area Network
VIN: Vehicle Identification Number
V2X: Vehicle to Everything
WLAN: Wireless Local Area Network
5 Requirements for cybersecurity management system
5.1 The vehicle manufacturer shall have in place a cybersecurity management system covering the full life cycle of vehicles.
Note: The full life cycle of vehicles covers the development stage, production stage and post-production stage of vehicles.
5.2 The cybersecurity management system shall include the following contents.
——Establish the process for managing vehicle cybersecurity within the enterprise.
——Establish the process for identifying, assessing, classifying and disposing of vehicle cybersecurity risks and verifying that the identified risks are disposed of, and ensure that the vehicle risk assessment is kept up-to-date.
——Establish the process for vehicle cybersecurity test.
——Establish the process for monitoring, response and vulnerability reporting with respect to cyber attacks, cyber threats and vulnerabilities of vehicles. The requirements are as follows:
include a vulnerability management mechanism that defines activities such as vulnerability collection, analysis and reporting, disposal, disclosure and reporting;
Contents of GB 44495-2024
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Requirements for cybersecurity management system
6 Basic requirements for cybersecurity
7 Technical requirements for cybersecurity
8 Inspection and test methods
9 Judgment on the same type
10 Implementation of this standard
Bibliography