NHTSA recently released the 2022 update of its Cybersecurity Best Practices for the Safety of Modern Vehicles. The first edition (available at www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf) was published in 2016. The 2022 edition takes into account new industry standards and research, and the standardization of cybersecurity practice across the automotive industry, notably UNECE WP.29 R155 and ISO/SAE 21434. It also incorporates what the industry has learned over the past six years from research and from real-world incidents, together with the expert comments submitted on the 2016 edition and on the 2021 draft. The new best practices fall into two parts: general cybersecurity best practices, and technical cybersecurity best practices.
The publication of NHTSA's best practices for modern vehicle cybersecurity shows that government agencies understand and attend to the importance of protecting vehicles as they become more exposed to attack. Although the guidelines are currently non-binding, they are meant to reflect the industry's growing attention to, and sense of urgency about, mitigating cybersecurity risk.
The 2022 edition is organized as follows:
1. Purpose of This Document
2. Scope
3. Background
4. General Cybersecurity Best Practices
4.1 Leadership Priority on Product Cybersecurity
4.2 Vehicle Development Process With Explicit Cybersecurity Considerations
4.2.1 Process
4.2.2 Risk Assessment
4.2.3 Sensor Vulnerability Risks
4.2.4 Removal or Mitigation of Safety-Critical Risks
4.2.5 Protections
4.2.6 Inventory and Management of Hardware and Software Assets on Vehicles
4.2.7 Cybersecurity Testing and Vulnerability Identification
4.2.8 Monitoring, Containment, Remediation
4.2.9 Data, Documentation, Information Sharing
4.2.10 Continuous Risk Monitoring and Assessment
4.2.11 Industry Best Practices
4.3 Information Sharing
4.4 Security Vulnerability Reporting Program
4.5 Organizational Incident Response Process
4.6 Self-Auditing
4.6.1 Process Management Documentation
4.6.2 Review and Audit
5. Education
6. Aftermarket/User-Owned Devices
6.1 Vehicle Manufacturers
6.2 Aftermarket Device Manufacturers
7. Serviceability
8. Technical Vehicle Cybersecurity Best Practices
8.1 Developer/Debugging Access in Production Devices
8.2 Cryptographic Techniques and Credentials
8.3 Vehicle Diagnostic Functionality
8.4 Diagnostic Tools
8.5 Vehicle Internal Communications
8.6 Event Logs
8.7 Wireless Paths Into Vehicles
8.7.1 Wireless Interfaces
8.7.2 Segmentation and Isolation Techniques in Vehicle Architecture Design
8.7.3 Network Ports, Protocols, and Services
8.7.4 Communication to Back-End Servers
8.7.5 Capability to Alter Routing Rules
8.8 Software Updates/Modifications
8.9 Over-the-Air Software Updates
Appendix
Terms and Descriptions
The 45 general vehicle cybersecurity best practices
[G.1] The automotive industry should follow the National Institute of Standards and Technology's (NIST's) documented Cybersecurity Framework, which is structured around the five principal functions, "Identify, Protect, Detect, Respond, and Recover," to build a comprehensive and systematic approach to developing layered cybersecurity protections for vehicles.
[G.2] Companies developing or integrating vehicle electronic systems or software should prioritize vehicle cybersecurity and demonstrate executive management commitment and accountability by:
[a] Allocating dedicated resources within the organization focused on researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities;
[b] Facilitating seamless and direct communication channels through organizational ranks related to product cybersecurity matters; and
[c] Enabling an independent voice for vehicle cybersecurity-related considerations within the vehicle safety design process.
[G.3] The automotive industry should follow a robust product development process based on a systems-engineering approach with the goal of designing systems free of unreasonable safety risks, including those from potential cybersecurity threats and vulnerabilities.
[G.4] This process should include a cybersecurity risk assessment step that is appropriate and reflects mitigation of risk for the full lifecycle of the vehicle.
[G.5] Safety of vehicle occupants and other road users should be of primary consideration when assessing risks.
[G.6] Manufacturers should consider the risks associated with sensor vulnerabilities and potential sensor signal manipulation efforts such as GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, and excitation of machine learning false positives.
[G.7] Any unreasonable risk to safety-critical systems should be removed or mitigated to acceptable levels through design, and any functionality that presents an unavoidable and unnecessary risk should be eliminated where possible.
[G.8] For remaining functionality and underlying risks, layers of protection that are appropriate for the assessed risks should be designed and implemented.
[G.9] Clear cybersecurity expectations should be specified and communicated to the suppliers that support the intended protections.
[G.10] Suppliers and vehicle manufacturers should maintain a database of their operational hardware and software components used in each automotive ECU, each assembled vehicle, and a history log of version updates applied over the vehicle's lifetime.
[G.11] Manufacturers should track sufficient details related to software components, such that when a newly identified vulnerability is identified related to an open source or off-the-shelf software, manufacturers can quickly identify what ECUs and specific vehicles would be affected by it.
[G.12] Manufacturers should evaluate all commercial off-the-shelf and open-source software components used in vehicle ECUs against known vulnerabilities.
[G.13] Manufacturers should also pursue product cybersecurity testing, including using penetration tests, as part of the development process.
[G.14] Test stages should employ qualified testers who have not been part of the development team, and who are highly incentivized to identify vulnerabilities.
[G.15] A vulnerability analysis should be generated for each known vulnerability assessed or new vulnerability identified during cybersecurity testing. The disposition of the vulnerability and the rationale for how the vulnerability is managed should also be documented.
[G.16] In addition to design protections, the automotive industry should establish rapid vehicle cybersecurity incident detection and remediation capabilities.
[G.17] Such capabilities should be able to mitigate safety risks to vehicle occupants and surrounding road users when a cyberattack is detected and transition the vehicle to a minimal risk condition, as appropriate for the identified risk.
[G.18] Manufacturers should collect information on potential attacks, and this information should be analyzed and shared with industry through the Auto-ISAC and other sharing mechanisms.
[G.19] Manufacturers should fully document any actions, design choices, analyses, supporting evidence, and changes related to its management of vehicle cybersecurity.
[G.20] All related work products should be traceable within a robust document version control system.
[G.21] Companies should use a systematic and ongoing process to periodically reevaluate risks and make appropriate updates to processes and designs due to changes in the vehicle cybersecurity landscape, as appropriate.
[G.22] Best practices for secure software development should be followed, for example as outlined in NIST publications and ISO/SAE 21434.
[G.23] Manufacturers should actively participate in automotive industry-specific best practices and standards development activities through recognized standards development organizations and Auto-ISAC.
[G.24] As future risks emerge, industry should collaborate to expediently develop mitigation measures and best practices to address new risks.
[G.25] Members of the extended automotive industry (including, but not limited to, vehicle manufacturers, automotive equipment suppliers, software developers, communication services providers, aftermarket system suppliers, and fleet managers) are strongly encouraged to:
[a] Join Auto-ISAC;
[b] Share timely information concerning cybersecurity issues, including vulnerabilities, and intelligence information with Auto-ISAC.
[G.26] Members of Auto-ISAC are strongly encouraged to collaborate in expeditiously exploring containment options and countermeasures to reported vulnerabilities, regardless of an impact on their own systems.
[G.27] Automotive industry members should create their own vulnerability reporting policies and mechanisms.
[G.28] Members of the automotive industry should develop a product cybersecurity incident response process. This process should include:
[a] A documented incident response plan;
[b] Clearly identified roles and responsibilities within the organization;
[c] Clearly identified communication channels and contacts outside the organization; and
[d] Procedures for keeping this information, [G.28[a]-[c]], up to date.
[G.29] Organizations should develop metrics to periodically assess the effectiveness of their response process.
[G.30] Organizations should document the details of each identified and reported vulnerability, exploit, or incident applicable to their products.
[G.31] The nature of the vulnerability and the rationale for how the vulnerability is managed should be documented.
[G.32] Commensurate to assessed risks, organizations should have a plan for addressing newly identified vulnerabilities on consumer-owned vehicles in the field, inventories of vehicles built but not yet distributed to dealers, vehicles delivered to dealerships but not yet sold to consumers, as well as future products and vehicles.
[G.33] Any incidents should also be reported to CISA/United States Computer Emergency Readiness Team (US-CERT) in accordance with the US-CERT Federal Incident Notification Guidelines.
[G.34] Industry members should periodically conduct and participate in organized, cyber incident response exercises.
[G.35] The automotive industry should document the details related to their vehicle cybersecurity risk management process to facilitate auditing and accountability.
[G.36] Further, such documents should be retained through the expected lifespan of the associated product.
[G.37] Documents should follow a robust version control protocol, and should be revised regularly as new information, data, and research results become available.
[G.38] The automotive industry should establish procedures for internal review of its management and documentation of cybersecurity-related activities.
[G.39] The automotive industry should consider carrying out organizational and product cybersecurity audits annually.
[G.40] Vehicle manufacturers, suppliers, universities, and other stakeholders should work together to help support educational efforts targeted at workforce development in the field of automotive cybersecurity.
[G.41] The automotive industry should consider the risks that could be presented by user-owned or aftermarket devices when connected with vehicle systems and provide reasonable protections.
[G.42] Any connection to a third-party device should be authenticated and provided with appropriate limited access.
[G.43] Aftermarket device manufacturers should employ strong cybersecurity protections on their products.
[G.44] The automotive industry should consider the serviceability of vehicle components and systems by individuals and third parties.
[G.45] The automotive industry should provide strong vehicle cybersecurity protections that do not unduly restrict access by alternative third-party repair services authorized by the vehicle owner.
The 25 technical vehicle cybersecurity best practices
[T.1] Developer-level access should be limited or eliminated if there is no foreseeable operational reason for the continued access to an ECU for deployed units.
[T.2] If continued developer-level access is necessary, any developer-level debugging interfaces should be appropriately protected to limit access to authorized privileged users.
[T.3] Cryptographic techniques should be current and non-obsolescent for the intended application.
[T.4] Cryptographic credentials that provide an authorized, elevated level of access to vehicle computing platforms should be protected from unauthorized disclosure or modification.
[T.5] Any credential obtained from a single vehicle's computing platform should not provide access to other vehicles.
[T.6] Diagnostic features should be limited, as much as possible, to a specific mode of vehicle operation which accomplishes the intended purpose of the associated feature.
[T.7] Diagnostic operations should be designed to eliminate or minimize potentially dangerous ramifications if they were misused or abused outside of their intended purposes.
[T.8] The use of global symmetric keys and ad-hoc cryptographic techniques for diagnostic access should be minimized.
[T.9] Vehicle and diagnostic tool manufacturers should control tools' access to vehicle systems that can perform diagnostic operations and reprogramming by providing for appropriate authentication and access control.
[T.10] When possible, critical safety signals should be transported in a manner inaccessible through external vehicle interfaces.
[T.11] Employ best practices for communication of critical information over shared and possibly insecure channels. Limit the possibility of replay, integrity compromise, and spoofing. Physical and logical access should also be highly restricted.
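The three threats T.11 names (replay, integrity compromise, spoofing) are exactly what a SecOC-style authenticated frame addresses. The example below is added here and is not from the NHTSA document: it attaches a truncated MAC over (CAN ID, freshness counter, payload) to a critical signal and shows a receiver rejecting a verbatim replay, a payload edit, and a frame forged without the key, while genuine traffic continues. The link key, CAN ID and payloads are constructed; the assumption is a symmetric key shared by the sender and receiver of this one signal and provisioned per vehicle.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption for this example: a symmetric key shared by the sender and
# receiver of this one signal, provisioned per vehicle at end-of-line.
LINK_KEY = hashlib.sha256(b"constructed per-link key").digest()
MAC_LEN = 4   # bytes of MAC carried in the frame (truncated, as CAN payload space forces)


@dataclass(frozen=True)
class Frame:
    can_id: int
    counter: int    # freshness value transmitted with the frame
    payload: bytes  # the critical signal, e.g. a torque request
    mac: bytes      # truncated MAC over (can_id, counter, payload)


def compute_mac(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    msg = can_id.to_bytes(4, "big") + counter.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def send(self, payload: bytes) -> Frame:
        self.counter += 1   # strictly increasing; in a real ECU it must survive resets
        return Frame(self.can_id, self.counter, payload,
                     compute_mac(self.key, self.can_id, self.counter, payload))


class Receiver:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last_counter = key, can_id, 0
        self.rejected = []   # (counter, reason): material for the event log (T.12)

    def accept(self, f: Frame) -> bool:
        if f.can_id != self.can_id:
            reason = "unexpected id"
        elif f.counter <= self.last_counter:
            reason = "replay"   # stale or repeated freshness value
        elif not hmac.compare_digest(compute_mac(self.key, f.can_id, f.counter, f.payload), f.mac):
            reason = "bad mac"  # spoofed or tampered frame
        else:
            self.last_counter = f.counter
            return True
        self.rejected.append((f.counter, reason))
        return False


def run_scenario() -> tuple:
    """Genuine frame, verbatim replay, tampered payload, forged frame, next genuine frame."""
    tx, rx = Sender(LINK_KEY, 0x0C0), Receiver(LINK_KEY, 0x0C0)
    genuine = tx.send(b"\x00\x64\x00\x00")                 # constructed torque request
    results = [rx.accept(genuine)]
    results.append(rx.accept(genuine))                      # attacker replays the captured frame
    tampered = Frame(genuine.can_id, genuine.counter + 1,   # attacker bumps counter, edits payload, reuses MAC
                     b"\x03\xe8\x00\x00", genuine.mac)
    results.append(rx.accept(tampered))
    forged = Frame(0x0C0, genuine.counter + 2, b"\x03\xe8\x00\x00",
                   compute_mac(b"attacker guess", 0x0C0, genuine.counter + 2, b"\x03\xe8\x00\x00"))
    results.append(rx.accept(forged))                       # attacker has no key
    results.append(rx.accept(tx.send(b"\x00\xc8\x00\x00")))  # legitimate traffic continues
    return results, rx.rejected


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats a practitioner would add: a 4-byte MAC and 4-byte counter are illustrative, and production profiles trade bus space for truncated freshness plus a synchronization scheme; and the freshness state on both sides has to be stored in non-volatile memory or resynchronized, otherwise a reset lets old frames back in. None of this replaces T.10: keeping the signal off externally reachable segments in the first place is the primary control.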
[T.12] A log of events sufficient to reveal the nature of a cybersecurity attack or successful breach and support event reconstruction should be created and maintained.
[T.13] Such logs that can be aggregated across vehicles should be periodically reviewed to assess potential trends of cyberattacks.
[T.14] Manufacturers should treat all networks and systems external to a vehicle's wireless interfaces as untrusted and use appropriate techniques to mitigate potential threats.
[T.15] Network segmentation and isolation techniques should be used to limit connections between wireless-connected ECUs and low-level vehicle control systems, particularly those controlling safety critical functions, such as braking, steering, propulsion, and power management.
[T.16] Gateways with strong boundary controls, such as strict whitelist-based filtering of message flows between different network segments, should be used to secure interfaces between networks.
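The "strict whitelist-based filtering" of T.16 means default deny: a frame crosses from one segment to another only if a rule names its source segment, its CAN ID and the destination segments, and everything else is dropped and counted. The example below is added here and is not from the NHTSA document; segment names, IDs and frames are constructed (real IDs are OEM-specific). It shows a telematics frame reaching the body segment only because a rule exists for that one ID and length, while a spoofed engine-speed frame from the infotainment segment and a brake command from telematics are dropped.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allowlist entry: frames with `can_id` and exactly `dlc` payload bytes
    arriving from segment `src` may be forwarded to the segments in `dst`."""
    src: str
    can_id: int
    dlc: int
    dst: frozenset


class Gateway:
    """Default-deny central gateway: no matching rule, no forwarding."""

    def __init__(self, rules):
        self._table = {(r.src, r.can_id): r for r in rules}
        self.dropped = Counter()   # (src, id, reason) counts: material for the event log (T.12)

    def route(self, src: str, can_id: int, payload: bytes) -> list:
        rule = self._table.get((src, can_id))
        if rule is None:
            self.dropped[(src, hex(can_id), "no rule")] += 1
            return []
        if len(payload) != rule.dlc:
            self.dropped[(src, hex(can_id), "bad length")] += 1
            return []
        return sorted(rule.dst)


def build_gateway() -> Gateway:
    # Constructed segments and IDs. Note the direction: powertrain data flows out to
    # the infotainment segment, but nothing is allowed from infotainment into powertrain.
    return Gateway([
        Rule("powertrain", 0x0C0, 8, frozenset({"infotainment"})),   # engine speed to the cluster
        Rule("chassis",    0x1A0, 8, frozenset({"infotainment"})),   # wheel speeds to the cluster
        Rule("telematics", 0x3A0, 2, frozenset({"body"})),           # remote lock/unlock request
    ])


def run_scenario() -> dict:
    gw = build_gateway()
    return {
        "rpm_to_cluster": gw.route("powertrain", 0x0C0, bytes(8)),            # allowed
        "remote_lock": gw.route("telematics", 0x3A0, b"\x01\x00"),            # allowed
        "spoofed_rpm_from_ivi": gw.route("infotainment", 0x0C0, bytes(8)),   # right ID, wrong segment
        "brake_cmd_from_telematics": gw.route("telematics", 0x2F0, bytes(8)), # no rule at all
        "oversized_lock_request": gw.route("telematics", 0x3A0, bytes(8)),   # right ID, wrong length
        "dropped": dict(gw.dropped),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

A production gateway also rate-limits per ID, checks signal ranges where the payload layout is known, and treats the drop counters as security events rather than bus noise, since a burst of "no rule" drops from the telematics segment is the signature of exactly the attack T.14 and T.15 are about.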
[T.17] Eliminating unnecessary internet protocol services from production vehicles;
[T.18] Limiting the use of network services on vehicle ECUs to essential functionality only; and
[T.19] Appropriately protecting services over such ports to limit use to authorized parties.
[T.20] Manufacturers should use appropriate encryption and authentication methods in any operational communication between external servers and the vehicle.
[T.21] Manufacturers should plan for and create processes that could allow for quickly propagating and applying changes in network routing rules to a single vehicle, subsets of vehicles, or all vehicles connected to the network.
[T.22] Automotive manufacturers should employ state-of-the-art techniques for limiting the ability to modify firmware to authorized and appropriately authenticated parties.
[T.23] Manufacturers should employ measures to limit firmware version rollback attacks.
[T.24] Maintain the integrity of OTA updates, update servers, the transmission mechanism, and the updating process in general.
[T.25] Take into account, when designing security measures, the risks associated with compromised servers, insider threats, men-in-the-middle attacks, and protocol vulnerabilities.
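T.22 through T.25 describe the checks an ECU's update client has to run before it installs anything. The example below is added here and is not from the NHTSA document: a manifest binds the target ECU, a version number and the SHA-256 of the image, and is authenticated end to end; the client verifies the authentication tag first, then the target ECU, then that the version is above its anti-rollback floor, then the image hash. Because the Python standard library has no public-key signatures, the tag here is an HMAC under a constructed key standing in for the OEM's signature; a real client verifies a public-key signature (for example Ed25519 or RSA-PSS) with a public key fixed in the ECU, so that a compromised update server (T.25) holds no key that could forge a manifest. ECU names, versions and images are constructed.

```python
import hashlib
import hmac
import json

# Assumption for this example: an HMAC under this constructed key stands in for
# the OEM's digital signature over the manifest. In a real system the private
# key is offline and the ECU holds only the public key.
SIGNING_KEY = hashlib.sha256(b"constructed OEM signing key").digest()


def _canonical(body: dict) -> bytes:
    """Stable encoding so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(ecu: str, version: int, image: bytes, key: bytes = SIGNING_KEY) -> dict:
    """Release tooling side: bind target ECU, version and image hash, then authenticate."""
    body = {"ecu": ecu, "version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class UpdateClient:
    def __init__(self, ecu: str, installed_version: int, verify_key: bytes):
        self.ecu = ecu
        self.installed_version = installed_version
        self.rollback_floor = installed_version   # only ever moves forward (T.23)
        self._key = verify_key

    def verify(self, manifest: dict, image: bytes) -> tuple:
        body = dict(manifest)
        tag = body.pop("tag", None)
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if tag is None or not hmac.compare_digest(expected, tag):
            return False, "manifest authentication failed"        # forged or altered manifest
        if body.get("ecu") != self.ecu:
            return False, "manifest targets a different ECU"
        if body.get("version", 0) <= self.rollback_floor:
            return False, "rollback: version not above anti-rollback floor"
        if hashlib.sha256(image).hexdigest() != body.get("sha256"):
            return False, "image hash does not match manifest"   # swapped or corrupted image
        return True, "ok"

    def install(self, manifest: dict, image: bytes) -> tuple:
        ok, reason = self.verify(manifest, image)
        if ok:
            self.installed_version = manifest["version"]
            self.rollback_floor = manifest["version"]
        return ok, reason


def run_scenario() -> tuple:
    client = UpdateClient("BCM", 3, SIGNING_KEY)
    img4 = b"firmware v4 (constructed)"
    img2 = b"firmware v2 (constructed)"
    results = {
        "upgrade": client.install(make_manifest("BCM", 4, img4), img4),
        # a genuinely released, correctly authenticated older version: still refused
        "rollback": client.install(make_manifest("BCM", 2, img2), img2),
        # valid manifest for v5, but the image delivered is not the one it names
        "swapped_image": client.install(make_manifest("BCM", 5, img4), b"tampered image"),
        # attacker who controls the server but not the signing key
        "forged_manifest": client.install(make_manifest("BCM", 6, img4, key=b"attacker"), img4),
        # correctly authenticated manifest for another ECU type
        "wrong_ecu": client.install(make_manifest("ECM", 9, img4), img4),
    }
    return results, client.installed_version


if __name__ == "__main__":
    res, ver = run_scenario()
    for k, v in res.items():
        print(k, v)
    print("installed version:", ver)
```

Two things the model leaves out that matter in practice: the anti-rollback floor must be stored where a downgrade cannot erase it (OTP fuses or an HSM-protected counter), and the hash check must be repeated by the bootloader over the image actually in flash, not only by the update client over the download, otherwise the window between verification and write (T.24's "updating process in general") stays open.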
END
Originally published by the WeChat public account 汽车信息安全 (Automotive Information Security): 谈谈新版NHTSA车辆网络安全最佳实践 (On the new edition of the NHTSA Vehicle Cybersecurity Best Practices).