
GB/T 40857-2021 PDF in English




GB/T 40857-2021
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 43.020
CCS T 40

Technical requirements and test methods for cyber security of vehicle gateway

ISSUED ON: OCTOBER 11, 2021
IMPLEMENTED ON: MAY 01, 2022
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.

Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Vehicle gateway network topology
5.1 CAN gateway
5.2 Ethernet gateway
5.3 Hybrid gateway
6 Technical requirements
6.1 Hardware cyber security requirements
6.2 Communication cyber security requirements
6.3 Firmware cyber security requirements
6.4 Data cyber security requirements
7 Test methods
7.1 Hardware cyber security test
7.2 Communication cyber security test
7.3 Firmware cyber security test
7.4 Data cyber security test
Annex A (informative) Example of vehicle gateway topology
Annex B (informative) Examples of typical attacks
Bibliography

Technical requirements and test methods for cyber security of vehicle gateway

1 Scope
This Standard specifies cyber security technical requirements and test methods for the hardware, communication, firmware and data of vehicle gateway products. This Standard is applicable to the design and implementation of cyber security for vehicle gateway products. It is also applicable to product testing, evaluation and management.

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069, Information security technology - Glossary
GB/T 37935-2019, Information security technology - Trusted computing specification - Trusted software base
GB/T 40861, General technical requirements for vehicle cybersecurity

3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB/T 25069, GB/T 37935-2019 and GB/T 40861, as well as the following, apply.
3.1 vehicle gateway
An electronic control unit whose main function is to safely and reliably forward and transmit data between multiple networks in the vehicle.
NOTE 1: The vehicle gateway provides the isolation between different networks and the conversion between different communication protocols. Information can be exchanged among the functional domains that share communication data.
NOTE 2: The vehicle gateway is also called the central gateway.

The typical Ethernet gateway topology is shown in Figure A.2.
5.3 Hybrid gateway
In part of the new generation of in-vehicle network structures, some ECUs and domain controllers communicate through Ethernet, while the other ECUs and domain controllers still communicate through traditional communication protocols (for example: CAN, CAN-FD, LIN, MOST). The vehicle gateway in this kind of structure has both an Ethernet interface and traditional communication protocol interfaces, and can be called a hybrid gateway. The typical hybrid gateway topology is shown in Figure A.3. Annex B lists some typical attacks against vehicle gateways and in-vehicle network communications.

6 Technical requirements
6.1 Hardware cyber security requirements
6.1.1 Test according to 7.1 a). The gateway shall not have backdoors or hidden interfaces.
6.1.2 Test according to 7.1 b). The debugging interface of the gateway shall be disabled or protected by security access control.
6.2 Communication cyber security requirements
6.2.1 CAN gateway communication cyber security requirements
6.2.1.1 Access control
The gateway shall establish a communication matrix between each pair of CAN networks and establish an access control strategy based on the CAN data frame identifier (CANID). After testing according to 7.2.1 a), the data frames sent to the source port shall be detected at the destination port specified in the list. After testing according to 7.2.1 b), data frames that do not meet the definition shall be discarded or logged.
6.2.1.2 Denial of service attack detection
The gateway shall perform CAN bus DoS attack detection on the CAN channels of the vehicle's external communication interfaces (for example: the channel connected to the OBD-II port and the channel connected to the vehicle information interaction system). The gateway shall have a DoS attack detection function based on the CAN bus interface load, and a DoS attack detection function based on the data frame period of one or more CANIDs. Test according to 7.2.1 c) and d). When the gateway detects a DoS attack on one or more CAN channels, it shall meet the following requirements:
a) The communication function and pre-set performance of the CAN channels of the gateway that are not under attack shall not be affected;
b) The gateway discards or logs the detected attack data frames.
6.2.1.3 Data frame health detection
The gateway shall check data frames according to the signal definitions in the communication matrix. The checked content includes the DLC field and signal value validity. Test according to 7.2.1 e) and f). Discard or log data frames that do not meet the definition of the communication matrix.
6.2.1.4 Data frame anomaly detection
The gateway shall have a data frame anomaly detection function, that is, a mechanism for checking and recording the sending and receiving relationship between data frames. Test according to 7.2.1 g). Discard or log the abnormal data frames.
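As an added illustration of clauses 6.2.1.1 to 6.2.1.4 (and of the frames a 7.2.1 a) to g) test bench sends), the following Python model is not part of GB/T 40857-2021 or of any vendor's gateway software. The communication matrix, channel names, CAN IDs, periods, the 500 kbit/s bit rate, the 80% load threshold and all timestamps are constructed assumptions; the point is to show the four checks as separate decisions that each end in "forward" or "discard and log".

```python
"""
Added example for GB/T 40857-2021 clauses 6.2.1.1 to 6.2.1.4: a minimal model of a
CAN gateway's forwarding checks, driven by constructed frames of the kind the
7.2.1 a) to g) tests send. Not the standard's or any vendor's code; every CAN ID,
channel name, period, threshold and timestamp below is an assumption.
"""
from collections import deque
from dataclasses import dataclass

BITRATE = 500_000   # assumed CAN bit rate (bit/s), used to turn frame bits into bus load
EXTERNAL = {"OBD"}  # channels facing the vehicle's external interfaces (6.2.1.2)

# Constructed communication matrix: CAN ID -> allowed source/destination channels,
# expected DLC, nominal period (None = event driven) and signal definitions.
# A signal is (byte offset, byte length, min, max, max jump between consecutive frames).
MATRIX = {
    0x100: {"src": "PT", "dst": {"BODY"}, "dlc": 8, "period": 0.010,
            "signals": {"speed_kph": (0, 2, 0, 300, 50)}},
    0x7DF: {"src": "OBD", "dst": {"PT"}, "dlc": 8, "period": None, "signals": {}},
}

@dataclass
class Frame:
    can_id: int
    dlc: int
    data: bytes
    t: float   # receive time in seconds (constructed)
    src: str   # channel the frame arrived on

class Gateway:
    def __init__(self, load_threshold=0.8, window=1.0):
        self.load_threshold, self.window = load_threshold, window
        self.log = []                        # (t, event, src, can_id, detail): the "discard or log" record
        self._win, self._win_bits = {}, {}   # per channel: frames inside the load window, their bit total
        self._last_t, self._last_sig = {}, {}

    def _drop(self, frame, event, detail=""):
        self.log.append((frame.t, event, frame.src, frame.can_id, detail))
        return set()

    def _bus_load(self, frame):
        """Sliding-window bus load on the receiving channel (classic CAN frame bits, no stuffing)."""
        q = self._win.setdefault(frame.src, deque())
        bits = 47 + 8 * frame.dlc
        q.append((frame.t, bits))
        self._win_bits[frame.src] = self._win_bits.get(frame.src, 0) + bits
        while frame.t - q[0][0] > self.window:
            self._win_bits[frame.src] -= q.popleft()[1]
        return self._win_bits[frame.src] / (BITRATE * self.window)

    def forward(self, frame):
        """Return the destination channels for frame, or an empty set if it was dropped and logged."""
        # 6.2.1.2: load-based DoS detection, only on external-facing channels
        if frame.src in EXTERNAL and self._bus_load(frame) > self.load_threshold:
            return self._drop(frame, "dos_bus_load")
        # 6.2.1.1: CAN ID plus source-port access control
        rule = MATRIX.get(frame.can_id)
        if rule is None or rule["src"] != frame.src:
            return self._drop(frame, "acl_violation")
        # 6.2.1.3: DLC must match the matrix and the payload actually carried
        if frame.dlc != rule["dlc"] or len(frame.data) != frame.dlc:
            return self._drop(frame, "bad_dlc")
        # 6.2.1.2 / 6.2.1.4: a periodic ID arriving far faster than its period
        key = (frame.src, frame.can_id)
        last = self._last_t.get(key)
        self._last_t[key] = frame.t
        if rule["period"] is not None and last is not None and frame.t - last < 0.5 * rule["period"]:
            return self._drop(frame, "period_violation")
        # 6.2.1.3 / 6.2.1.4: signal range and jump between adjacent frames
        for name, (off, ln, lo, hi, max_jump) in rule["signals"].items():
            val = int.from_bytes(frame.data[off:off + ln], "big")
            if not lo <= val <= hi:
                return self._drop(frame, "signal_out_of_range", name)
            prev = self._last_sig.get(key + (name,))
            if prev is not None and abs(val - prev) > max_jump:
                return self._drop(frame, "signal_jump", name)   # last accepted value stays the reference
            self._last_sig[key + (name,)] = val
        return set(rule["dst"])

def demo():
    """Constructed test sequence in the spirit of 7.2.1 a) to g); returns what was forwarded."""
    gw, out = Gateway(), {}

    def speed(kph):                       # 0x100 payload: 16-bit speed, six padding bytes
        return kph.to_bytes(2, "big") + bytes(6)

    out["ok"] = gw.forward(Frame(0x100, 8, speed(100), 0.000, "PT"))          # compliant frame
    out["acl"] = gw.forward(Frame(0x100, 8, speed(100), 0.010, "OBD"))        # right ID, wrong source port
    out["dlc"] = gw.forward(Frame(0x100, 4, speed(100)[:4], 0.010, "PT"))     # DLC mismatch
    out["jump"] = gw.forward(Frame(0x100, 8, speed(250), 0.010, "PT"))        # 100 -> 250 kph in one frame
    out["period"] = gw.forward(Frame(0x100, 8, speed(110), 0.011, "PT"))      # 1 ms after a 10 ms frame
    flood = [gw.forward(Frame(0x7DF, 8, bytes(8), 1.0 + i * 0.00025, "OBD")) for i in range(4000)]
    out["flood_dropped"] = sum(1 for r in flood if not r)                     # once load passes 80%
    out["after_flood"] = gw.forward(Frame(0x100, 8, speed(110), 2.5, "PT"))   # other channel unaffected
    out["events"] = [entry[1] for entry in gw.log]
    return out

if __name__ == "__main__":
    print(demo())
```

The flood of matrix-compliant 0x7DF frames is forwarded until the measured load on the OBD channel crosses the threshold, after which the surplus is dropped and logged, while the powertrain channel keeps forwarding its speed frame, which is the behaviour 6.2.1.2 a) and b) ask for. The load estimate ignores bit stuffing and extended IDs; a real gateway would read the controller's error and load counters instead of reconstructing them from timestamps.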
Example: When the gateway detects that the transmission frequency of a data frame within a certain period of time is far from the predefined frequency, or that the signal value content of the same data frame at adjacent times conflicts or jumps abnormally, it discards or logs the data frames.
6.2.1.5 UDS session detection
The gateway shall check whether the CAN channel from which a UDS session is initiated is a normal one. Test according to 7.2.1 h). Intercept or log sessions initiated from abnormal channels.
NOTE: The normal channels usually include the channel connected to the OBD-II port and the channel connected to the in-vehicle information interaction system.
6.2.2 Ethernet gateway communication cyber security requirements
6.2.2.1 Network domain
The gateway shall support network division. Test according to 7.2.2 a). Discard packets that do not conform to the network domain.

The gateway shall have a secure boot function, which protects the root of trust used for secure boot by means of a root-of-trust entity. Test according to 7.3 a), b) and c). The root of trust, Bootloader program and system firmware of the gateway shall not be tamperable, or the gateway shall not start normally after being tampered with.
6.3.2 Security log
If the gateway has a security log function, it shall meet the following requirements:
a) Test according to 7.3 d), e) and f). When the gateway detects events such as communication that does not meet the requirements of 6.2, software configuration changes in the gateway, and failure to verify the integrity of the gateway software, the relevant information shall be recorded;
b) Test according to 7.3 g). The security log of the gateway shall include at least the time (absolute or relative) of the event that triggered the log entry, the type of event, and the unique identification code of the vehicle;
c) Test according to 7.3 h). The gateway shall store the security log securely. Prevent damage to log records under non-physical sabotage attacks.
At the same time, prevent unauthorized addition, access, modification and deletion. Security log records can be stored in the gateway, in other ECUs, or on cloud servers;
d) Test according to 7.3 i). The security log of the gateway shall not contain any form of personal information.
6.3.3 Security breach
Test according to 7.3 j). The gateway shall not have any unaddressed high-risk or higher security vulnerabilities that were announced by an authoritative vulnerability platform 6 months ago or earlier.
NOTE: Disposal includes eliminating the vulnerability, formulating mitigation measures, and so on.
6.4 Data cyber security requirements
The important security parameters in the gateway shall be stored and processed in a secure manner, preventing unauthorized access, modification, deletion and retrieval. Test according to 7.4. The security zone or security module in the gateway shall not be crackable, readable or writable without authorization. This can be achieved through the use of security zones, security modules, or equivalent security technologies that provide appropriate authorization procedures.

7 Test methods
7.1 Hardware cyber security test
The gateway hardware cyber security test is carried out in sequence according to the following procedures and requirements:
a) Disassemble the shell of the equipment under test and take out the PCB. Check whether the PCB hardware has a backdoor or hidden interface;
b) Check whether debugging interfaces such as JTAG, USB, UART or SPI are exposed on the PCB. If any exist, use the test tool to try to obtain debugging permission.
7.2 Communication cyber security test
7.2.1 CAN gateway communication cyber security test
The CAN gateway communication cyber security test is carried out in sequence according to the following procedures and requirements:
a) Set the access control strategy specified in 6.2.1.1 (if the access control strategy of the tested sample cannot be modified through software configuration, the party submitting the sample shall provide a list of the preset access control strategies). The detection device sends data frames that comply with the policy to the source port specified in the list. Detect the received data frames at the destination port specified in the list.
b) Set the access control strategy specified in 6.2.1.1 (if the access control strategy of the tested sample cannot be modified through software configuration, the party submitting the sample shall provide a list of the preset access control strategies). The detection device sends data frames that do not comply with the policy to the source port specified in the list. Detect the received data frames at the destination port specified in the list, and collect the sample logs.
c) The party submitting the sample confirms which CAN channel of the gateway is connected to the vehicle's external communication interface. The detection device sends flood-attack data frames conforming to the communication matrix on this channel with a bus load rate greater than 80%. Detect the received data frames at the designated destination port and collect the sample logs. If there are multiple channels of this type, test them separately in turn.
d) The party submitting the sample confirms which CAN channel of the gateway is connected to the vehicle's external communication interface. The detection equipment ...... packets at the destination port specified in the list;
c) Set the access control strategy specified in 6.2.2.2 (if the access control strategy of the tested sample cannot be modified through software configuration, the party submitting the sample shall provide a list of the preset access control strategies). The detection device sends data packets that do not comply with the policy to the source port specified in the list.
Detect and receive the data packets at the destination port specified in the list, and collect the sample logs;
d) The detection device sends flood-attack packets that conform to the network domain policy and the access control policy to the gateway. The attack type can be an ICMP flood attack or a UDP flood attack. Detect and receive the data packets at the destination port and collect the sample logs;
e) Based on the TCP protocol, construct multiple data packets or packet sequences that do not meet the protocol standard to form a test set. The detection device sends the test set to the gateway. Detect and receive the data packets at the destination port, and collect the sample logs.
7.2.3 Cyber security test for hybrid gateway communication
For a hybrid gateway, the cyber security tests for CAN communication and Ethernet communication shall be carried out according to 7.2.1 and 7.2.2 respectively.
7.3 Firmware cyber security test
The cyber security test of the gateway system is carried out in sequence according to the following procedures and requirements:
a) Anti-tampering test of the root of trust for secure boot of the gateway:
1) Obtain the access method and address of the storage area of the root of trust for secure boot of the gateway;
2) Testers use software debugging tools to write data to it. Repeat multiple times to verify whether data can be written to the storage area.
b) Verification test of the secure boot Bootloader program of the gateway:
1) Extract the Bootloader program with which the gateway runs normally;
2) Use software debugging tools to modify the signature information of the Bootloader program;
3) Write the modified Bootloader program to the designated area in the gateway;
4) Monitor whether the gateway loads the Bootloader and system firmware normally.
c) Verification test of the secure boot system firmware of the gateway:
1) Obtain the system firmware with which the gateway operates normally;
2) Use software debugging tools to modify the signature information of the system firmware;
3) Write the damaged system firmware to the designated area in the gateway;
4) Monitor whether the gateway works properly.
d) If the tested gateway has a security log recording function, execute 7.2 and check the logs generated by the tested sample in turn.
e) If the tested gateway has a security log recording function, try to change the cyber security settings of the tested sample (such as modifying the access control list). Check the generated log.
f) If the tested gateway has a security log recording function, try to change key system configuration of the tested sample (such as the routing table). Check the generated log.
g) If the tested gateway has a security log recording function, check whether the log contains the time of the event that triggered the log entry, the type of event, and the unique identification code of the vehicle.
h) If the tested gateway has a security log recording function, try to access, modify or delete the recorded security log through the test tool.
i) If the tested gateway has a security log recording function, check whether the log contains personal information.
j) Use vulnerability scanning tools to perform vulnerability detection on the gateway. Detect whether there are high-risk security vulnerabilities that were released by an authoritative vulnerability platform 6 months ago or more. If there is a high-risk vulnerability, check the technical documents of the disposal plan for that vulnerability.
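The log requirements of 6.3.2 and the checks in 7.3 d) to i) translate into three design decisions: a fixed record schema (time, event type, vehicle identification code, and nothing free-form that could carry personal data), tamper evidence for in-place edits and deletions, and an anchor kept outside the log so that removal of the newest records is also visible. The following Python sketch is an added example, not the standard's or any vendor's implementation; the HMAC key, the VIN string, the event names, the permitted detail keys and the timestamps are constructed assumptions.

```python
"""
Added example for GB/T 40857-2021 clause 6.3.2 and tests 7.3 d) to i): a tamper-evident
security log with a fixed, personal-data-free schema. Not part of the standard or of any
vendor's software; key, VIN, event names and timestamps are constructed.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict

LOG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; a real key lives in the 6.4 security zone
VIN = "EXAMPLEVIN0000001"                                   # constructed vehicle identification code

ALLOWED_EVENTS = {"acl_violation", "dos_bus_load", "config_change", "integrity_failure"}
ALLOWED_DETAIL_KEYS = {"src", "id", "dlc", "component"}     # fixed schema: no free text, no personal data

@dataclass
class Record:
    seq: int
    t: float      # event time: epoch seconds, or uptime when no trusted absolute clock exists
    event: str
    vin: str
    detail: str
    mac: str      # HMAC-SHA256 over this record plus the previous record's mac (chain link)

class SecurityLog:
    def __init__(self, key, vin):
        self._key, self._vin = key, vin
        self.records = []

    def _mac(self, seq, t, event, detail, prev_mac):
        msg = json.dumps([seq, t, event, self._vin, detail, prev_mac], separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, event, detail, t=None):
        """Add an event; rejects unknown event types and any detail field outside the schema."""
        if event not in ALLOWED_EVENTS:
            raise ValueError(f"unknown event type: {event}")
        extra = set(detail) - ALLOWED_DETAIL_KEYS
        if extra:
            raise ValueError(f"fields not permitted in the security log: {sorted(extra)}")
        t = time.monotonic() if t is None else t
        seq = len(self.records)
        detail_str = " ".join(f"{k}={detail[k]}" for k in sorted(detail))
        prev = self.records[-1].mac if self.records else ""
        rec = Record(seq, t, event, self._vin, detail_str, self._mac(seq, t, event, detail_str, prev))
        self.records.append(rec)
        return rec

    def last_mac(self):
        """Value to anchor outside the log (security zone, another ECU, or cloud)."""
        return self.records[-1].mac if self.records else ""

    def verify(self, anchor=None):
        """Recompute the chain; with an anchor, also detect removal of the newest records."""
        prev = ""
        for i, r in enumerate(self.records):
            if r.seq != i or r.vin != self._vin:
                return False
            if not hmac.compare_digest(self._mac(r.seq, r.t, r.event, r.detail, prev), r.mac):
                return False
            prev = r.mac
        return anchor is None or hmac.compare_digest(prev, anchor)

    def export(self):
        return [asdict(r) for r in self.records]

def demo():
    """Constructed walk-through of the 7.3 g), h) and i) checks; returns the outcomes."""
    log = SecurityLog(LOG_KEY, VIN)
    log.append("acl_violation", {"src": "OBD", "id": "0x100"}, t=12.5)
    log.append("config_change", {"component": "acl"}, t=13.0)
    log.append("integrity_failure", {"component": "bootloader"}, t=14.0)
    anchor = log.last_mac()
    out = {"intact": log.verify(anchor), "fields": sorted(log.export()[0])}
    log.records[1].event = "dos_bus_load"          # 7.3 h): in-place modification of a stored record
    out["edited"] = log.verify(anchor)
    log.records[1].event = "config_change"
    newest = log.records.pop()                     # 7.3 h): deletion of the newest record
    out["truncated_no_anchor"] = log.verify()      # chain alone cannot see this
    out["truncated_with_anchor"] = log.verify(anchor)
    log.records.append(newest)
    try:                                           # 7.3 i): a personal-data field is refused at write time
        log.append("acl_violation", {"src": "OBD", "driver_phone": "000-0000"}, t=15.0)
        out["pii_rejected"] = False
    except ValueError:
        out["pii_rejected"] = True
    out["count"] = len(log.records)
    return out

if __name__ == "__main__":
    print(demo())
```

Each record carries the three fields 7.3 g) looks for (time, event type, vehicle identification code) and nothing else that is not in the fixed key list, which is how 7.3 i) is met by construction rather than by filtering. The chain detects edits and gaps, but a log that is simply cut after record n still verifies; the standard's allowance for storing log records in other ECUs or on cloud servers is what makes the external anchor practical.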
7.4 Data cyber security test
The gateway data cyber security test is carried out in sequence according to the following procedures and requirements:
a) Testers try to crack the authorized access control of the gateway security ......

Annex B (informative) Examples of typical attacks
B.1 Ping of death
An attack by sending malformed or otherwise malicious ping protocol packets to a computer, also known as the ping of death. For example, the attacker deliberately sends IP packets larger than 65536 bits to the attacked party, causing it to be unable to process them or even causing the system to crash.
B.2 ICMP flood attack
A simple denial-of-service attack, also known as a ping flood attack. The attacker uses "echo request" (ping) packets to swamp the attacked party.
B.3 UDP flood attack
A denial-of-service attack that uses the UDP protocol (a session-less, connectionless transport layer protocol).
B.4 TCP SYN attack
A denial-of-service attack. The attacker sends a series of SYN requests to the target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
B.5 Teardrop attack
One of the fields in the IP packet header is the fragment offset. This field indicates the starting position, or offset, of the fragment within the original unfragmented packet. A teardrop attack uses IP packets whose fragment offset values have been maliciously modified. As a result, the attacked party cannot reassemble the IP packets normally, and the system may even crash.
B.6 ARP spoofing attack
In this kind of spoofing attack, the attacker sends deceptive Address Resolution Protocol (ARP) packets to the local network. The purpose is to associate the attacker's MAC address with the IP address of another host or network device, so that other nodes on the network send any traffic intended for that IP address to the attacker.
......
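On the Ethernet side, the Annex B patterns that an Ethernet gateway can catch before forwarding (B.1, B.2, B.3 and B.5; the 7.2.2 d) floods and 7.2.2 e) non-conforming packets) come down to header sanity, fragment bookkeeping and per-source rate limits. The following Python inspector is an added example, not the standard's or any product's code; the packet builder, the 10.0.0.x addresses, the 100-packets-per-second limit and the timestamps are constructed assumptions, and the fragment tracking is deliberately minimal (no reassembly timers).

```python
"""
Added example for the Annex B attack patterns of GB/T 40857-2021 (B.1 ping of death,
B.2/B.3 ICMP and UDP floods, B.5 teardrop) as inbound IPv4 checks an Ethernet gateway
could apply before forwarding. Not the standard's or any vendor's code; packets,
addresses, rate limit and timestamps are constructed.
"""
import struct
from collections import deque

MAX_IP_LEN = 65535     # RFC 791: largest total length a reassembled datagram may have
IPV4_HDR = "!BBHHHBBH4s4s"

def parse_ipv4(pkt):
    """Parse the fixed IPv4 header; return a dict, or None when the header is malformed."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, _dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl or total_len > len(pkt):
        return None
    return {"id": ident, "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "proto": proto, "src": src, "payload_len": total_len - ihl}

def build_ipv4(src, ident, offset, mf, proto, payload):
    """Constructed test packets only: offset must be a multiple of 8, checksum left zero."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                       src, b"\x0a\x00\x00\x01") + payload

class Inspector:
    def __init__(self, rate_limit=100, window=1.0):
        self.rate_limit, self.window = rate_limit, window
        self.frags = {}    # (src, id, proto) -> list of (start, end) byte ranges seen so far
        self.rates = {}    # (src, proto) -> arrival times inside the window
        self.log = []      # (reason, src): the "discard and log" record

    def _drop(self, reason, hdr):
        self.log.append((reason, hdr["src"] if hdr else None))
        return False

    def inspect(self, pkt, t):
        """Return True to forward the packet, False when it is dropped and logged."""
        hdr = parse_ipv4(pkt)
        if hdr is None:
            return self._drop("malformed_header", hdr)
        start, end = hdr["offset"], hdr["offset"] + hdr["payload_len"]
        if end > MAX_IP_LEN:                               # B.1: fragment would reassemble past 65535 bytes
            return self._drop("oversize_datagram", hdr)
        if hdr["mf"] or start:                             # part of a fragmented datagram
            key = (hdr["src"], hdr["id"], hdr["proto"])
            seen = self.frags.setdefault(key, [])
            if any(s < end and start < e for s, e in seen):   # B.5: offsets that overlap earlier data
                del self.frags[key]
                return self._drop("overlapping_fragment", hdr)
            seen.append((start, end))
            if not hdr["mf"]:
                del self.frags[key]                        # last fragment seen; release state (no timers here)
        if hdr["proto"] in (1, 17):                        # B.2 ICMP / B.3 UDP: per-source sliding-window limit
            q = self.rates.setdefault((hdr["src"], hdr["proto"]), deque())
            q.append(t)
            while t - q[0] > self.window:
                q.popleft()
            if len(q) > self.rate_limit:
                return self._drop("flood", hdr)
        return True

def demo():
    """Constructed traffic mix; returns the forward/drop decisions per case."""
    insp, a, out = Inspector(rate_limit=100), b"\x0a\x00\x00\x50", {}
    out["normal"] = insp.inspect(build_ipv4(a, 1, 0, False, 6, b"x" * 40), 0.0)            # plain TCP
    out["frag1"] = insp.inspect(build_ipv4(a, 2, 0, True, 17, b"x" * 1480), 0.1)            # first fragment
    out["frag_overlap"] = insp.inspect(build_ipv4(a, 2, 1000, False, 17, b"x" * 600), 0.2)  # teardrop overlap
    out["benign_frag"] = (insp.inspect(build_ipv4(a, 3, 0, True, 17, b"x" * 1480), 0.3) and
                          insp.inspect(build_ipv4(a, 3, 1480, False, 17, b"x" * 20), 0.4))
    out["ping_of_death"] = insp.inspect(build_ipv4(a, 4, 65528, False, 1, b"x" * 16), 0.5)  # ends at 65544
    echo = b"\x08\x00" + bytes(6)                                                             # ICMP echo request stub
    flood = [insp.inspect(build_ipv4(a, 5, 0, False, 1, echo), 1.0 + i * 0.001) for i in range(150)]
    out["flood_dropped"] = sum(1 for r in flood if not r)
    out["malformed"] = insp.inspect(b"\x45\x00", 2.0)
    out["reasons"] = sorted({reason for reason, _ in insp.log})
    return out

if __name__ == "__main__":
    print(demo())
```

The overlap test is the generic form of the B.5 check: a fragment whose byte range intersects one already received for the same (source, identification, protocol) is refused, whatever the exact offset manipulation. A production gateway would additionally age out fragment state, bound the number of tracked datagrams per source, and validate the IPv4 checksum and the transport header that 7.2.2 e) targets.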
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.