GB/T 40857-2021 PDF in English
Standard ID: GB/T 40857-2021
Contents [version]: English
Name of Chinese Standard: Technical requirements and test methods for cybersecurity of vehicle gateway
Status: Valid
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 43.020
CCS T 40
Technical requirements and test methods for cyber
security of vehicle gateway
ISSUED ON: OCTOBER 11, 2021
IMPLEMENTED ON: MAY 01, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Vehicle gateway network topology
5.1 CAN gateway
5.2 Ethernet gateway
5.3 Hybrid gateway
6 Technical requirements
6.1 Hardware cyber security requirements
6.2 Communication cyber security requirements
6.3 Firmware cyber security requirements
6.4 Data cyber security requirements
7 Test methods
7.1 Hardware cyber security test
7.2 Communication cyber security test
7.3 Firmware cyber security test
7.4 Data cyber security test
Annex A (informative) Example of vehicle gateway topology
Annex B (informative) Examples of typical attacks
Bibliography
Technical requirements and test methods for cyber
security of vehicle gateway
1 Scope
This Standard specifies cyber security technical requirements and test methods
for the hardware, communication, firmware and data of vehicle gateway products.
This Standard is applicable to the design and implementation of cyber security
of vehicle gateway products. It is also applicable to product testing, evaluation
and management.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 25069, Information security technology - Glossary
GB/T 37935-2019, Information security technology - Trusted computing
specification - Trusted software base
GB/T 40861, General technical requirements for vehicle cybersecurity
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB/T
25069, GB/T 37935-2019 and GB/T 40861, as well as the following, apply.
3.1 vehicle gateway
an electronic control unit of which the main function is to safely and reliably
forward and transmit data between multiple networks in the vehicle
NOTE 1: Through isolation between different networks and conversion between
different communication protocols, the vehicle gateway allows information to be
exchanged among the functional domains that share communication data.
NOTE 2: The vehicle gateway is also called central gateway.
The typical Ethernet gateway topology is shown in Figure A.2.
5.3 Hybrid gateway
In part of the new generation of in-vehicle network structure, some ECUs and
domain controllers communicate through Ethernet, while the other part of ECUs
and domain controllers still communicate through traditional communication
protocols (for example: CAN, CAN-FD, LIN, MOST).
The vehicle gateway in this kind of structure has both Ethernet interface and
traditional communication protocol interface, which can be called hybrid
gateway.
The typical hybrid gateway topology is shown in Figure A.3.
Annex B lists some typical attacks against vehicle gateways and in-vehicle
network communications.
6 Technical requirements
6.1 Hardware cyber security requirements
6.1.1 Test according to 7.1a). The gateway shall not have backdoors or hidden
interfaces.
6.1.2 Test according to 7.1b). The debugging interface of the gateway shall be
disabled or protected by security access control.
6.2 Communication cyber security requirements
6.2.1 CAN gateway communication cyber security requirements
6.2.1.1 Access control
The gateway shall establish a communication matrix between the CAN networks
and an access control strategy based on the CAN data frame identifier (CANID).
When tested according to 7.2.1a), the data frame sent by the source port shall
be detected at the destination port specified in the list. When tested
according to 7.2.1b), data frames that do not meet the definition shall be
discarded or logged.
6.2.1.2 Denial of service attack detection
The gateway shall perform CAN bus DoS attack detection on the CAN channel
of the vehicle's external communication interface (for example: the channel
connected to the OBD-II port and the channel connected to the vehicle
information interaction system).
The gateway shall have a DoS attack detection function based on the CAN bus
interface load. It shall have a DoS attack detection function based on one or
more CANID data frame periods.
Test according to 7.2.1c) and d). When the gateway detects a DoS attack on
one or more CAN channels, it shall meet the following requirements:
a) The communication function and pre-set performance of the gateway's CAN
channels that are not under attack shall not be affected;
b) The gateway discards or logs the detected attack data frames.
6.2.1.3 Data frame health detection
The gateway shall check each data frame against the signal definition in the
communication matrix. The checks include the DLC field and signal value
validity. Test according to 7.2.1e) and f). Discard or log data frames that do
not meet the definition of the communication matrix.
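The checks in 6.2.1.1 and 6.2.1.3 can be expressed as one routing decision per
frame. The Python sketch below is an added example, not part of the standard;
the channel names, CANIDs, signal layout and log format are constructed for
illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    dests: frozenset   # channels the frame may be forwarded to
    dlc: int           # expected data length code (= byte count for classical CAN)
    signals: tuple     # (byte offset, byte length, min, max), big-endian raw values

# Constructed communication matrix: (source channel, CANID) -> rule.
MATRIX = {
    ("powertrain", 0x0C4): Rule(frozenset({"chassis", "body"}), 8, ((0, 2, 0, 8000),)),
    ("body", 0x3A0): Rule(frozenset({"infotainment"}), 2, ((0, 1, 0, 3),)),
}

def route(src, can_id, data, log):
    """Return the destination channels for a frame; an empty set means the
    frame was dropped and the reason appended to log."""
    def drop(reason):
        log.append({"src": src, "can_id": hex(can_id), "reason": reason})
        return frozenset()

    rule = MATRIX.get((src, can_id))
    if rule is None:                        # 6.2.1.1: CANID not allowed from this port
        return drop("not in matrix")
    if len(data) != rule.dlc:               # 6.2.1.3: DLC check
        return drop("dlc mismatch")
    for off, size, lo, hi in rule.signals:  # 6.2.1.3: signal value validity
        value = int.from_bytes(data[off:off + size], "big")
        if not lo <= value <= hi:
            return drop("signal out of range")
    return rule.dests

# Constructed frames: (source channel, CANID, payload).
SAMPLE = [
    ("powertrain", 0x0C4, bytes.fromhex("0bb8000000000000")),    # valid, raw value 3000
    ("infotainment", 0x0C4, bytes.fromhex("0bb8000000000000")),  # right CANID, wrong port
    ("body", 0x3A0, b"\x01"),                                    # one byte instead of two
    ("body", 0x3A0, b"\x07\x00"),                                # raw value 7 exceeds 3
]

def replay(frames):
    """Route every frame and return (decisions, log)."""
    log = []
    return [route(s, i, d, log) for s, i, d in frames], log
```

Keying the matrix on the source channel as well as the CANID is what makes the
second sample frame fail: the identifier is valid, but not from that port.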
6.2.1.4 Data frame anomaly detection
The gateway shall have a data frame anomaly detection function, that is, a
mechanism for checking and recording the sending and receiving relationship
between data frames. Test according to 7.2.1g). Discard or log the abnormal
data frames.
Example:
When the gateway detects that the transmission frequency of a data frame
within a certain period of time deviates significantly from the predefined
frequency, or that the signal values of the same data frame at adjacent times
conflict or jump abnormally, it discards or logs the data frames.
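The two DoS indicators named in 6.2.1.2 (bus load and frame period) and the
frequency deviation in the example above can be computed per channel from a
frame trace. The Python sketch below is an added example, not part of the
standard; the bit rate, thresholds, periods and traces are assumptions
constructed for illustration.

```python
from collections import defaultdict

BITRATE = 500_000        # bit/s, assumed channel speed
LOAD_LIMIT = 0.80        # assumed threshold; 7.2.1c) floods above 80 % bus load
PERIODS_US = {0x0C4: 10_000, 0x3A0: 100_000}   # constructed matrix periods (microseconds)
TOLERANCE = 0.5          # assumed: flag gaps shorter than 50 % of the period

def frame_bits(dlc):
    """Bits for an 11-bit-ID data frame plus interframe space, ignoring
    stuff bits, so the computed load is a lower bound."""
    return 47 + 8 * dlc

def bus_load(frames, window_us):
    """Fraction of the window occupied by the frames (timestamp, CANID, DLC)."""
    bits = sum(frame_bits(dlc) for _, _, dlc in frames)
    return bits / (BITRATE * window_us / 1_000_000)

def period_violations(frames):
    """Count, per CANID, frames that arrive faster than the matrix period allows."""
    last, bad = {}, defaultdict(int)
    for ts, can_id, _ in sorted(frames):
        period = PERIODS_US.get(can_id)
        if period and can_id in last and ts - last[can_id] < period * TOLERANCE:
            bad[can_id] += 1
        last[can_id] = ts
    return dict(bad)

def analyse(frames, window_us):
    """Evaluate both indicators for one channel over one window."""
    load = bus_load(frames, window_us)
    return {"load": load, "dos_by_load": load > LOAD_LIMIT,
            "dos_by_period": period_violations(frames)}

def periodic(can_id, dlc, period_us, window_us):
    """Constructed trace: one frame every period_us microseconds."""
    return [(t, can_id, dlc) for t in range(0, window_us, period_us)]

WINDOW = 1_000_000   # 1 s observation window
NORMAL = periodic(0x0C4, 8, 10_000, WINDOW) + periodic(0x3A0, 2, 100_000, WINDOW)
FLOOD = NORMAL + periodic(0x0C4, 8, 250, WINDOW)   # matrix-conformant CANID, sent too often
```

Running the analysis separately for each channel keeps a finding on one channel
from affecting the handling of the others, which is what requirement a) of
6.2.1.2 asks for.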
6.2.1.5 UDS session detection
The gateway shall check whether the CAN channel that initiated the UDS session
is normal. Test according to 7.2.1h). Intercept or log sessions initiated by
abnormal channels.
NOTE: The normal channel usually includes the channel connected to the OBD-II port and
the channel connected to the in-vehicle information interaction system.
6.2.2 Ethernet gateway communication cyber security requirements
6.2.2.1 Network domain
The gateway shall support network division. Test according to 7.2.2a). Discard
packets that do not conform to the network domain.
The gateway shall have a secure startup function, which can protect the root
of trust used for secure startup through a root-of-trust entity. Test
according to 7.3a), b), c). The root of trust, Bootloader program and system
firmware of the gateway shall not be tampered with, or the gateway cannot start
normally after they have been tampered with.
6.3.2 Security log
If the gateway has a security log function, it meets the following requirements:
a) Test according to 7.3d), e), f). When the gateway detects various events
such as communication that does not meet the requirements of 6.2,
software configuration changes in the gateway, and failure to verify the
integrity of the gateway software, relevant information shall be recorded;
b) Test according to 7.3g). The security log of the gateway shall include at
least the time (absolute time or relative time) of the event that triggered
the log, the type of event, and the unique identification code of the vehicle;
c) Test according to 7.3h). The gateway shall securely store the security log.
Prevent damage to log records under non-physical sabotage attacks. At
the same time prevent unauthorized addition, access, modification and
deletion. Security log records can be stored in the gateway, other ECUs,
or cloud servers;
d) Test according to 7.3i). The security log of the gateway shall not contain
any form of personal information.
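One way to meet items b) to d) is a fixed record schema combined with a keyed
hash chain over the entries. The Python sketch below is an added example, not
part of the standard; the schema, the key handling and the sample events are
assumptions, and the vehicle identifier is a placeholder.

```python
import hashlib
import hmac
import json

REQUIRED = ("time", "event", "vehicle_id")   # fields listed in 6.3.2 b)
ALLOWED = set(REQUIRED) | {"detail"}         # assumed schema: no free-form fields
KEY = b"constructed-demo-key"                # assumption: a real key sits in the security module

def _tag(prev, record):
    """HMAC over the previous tag and the canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(KEY, prev + body, hashlib.sha256).hexdigest()

def append(log, record):
    """Append a record after checking it against the schema."""
    missing = [f for f in REQUIRED if f not in record]
    extra = sorted(set(record) - ALLOWED)
    if missing or extra:
        raise ValueError(f"missing={missing} unexpected={extra}")
    prev = log[-1]["tag"].encode() if log else b"start"
    log.append({"record": record, "tag": _tag(prev, record)})

def verify(log):
    """Index of the first entry whose tag fails, or -1 if the chain is intact."""
    prev = b"start"
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(prev, entry["record"])):
            return i
        prev = entry["tag"].encode()
    return -1

def sample_log():
    """Constructed events; time is relative (ms since startup)."""
    log = []
    for t, event, detail in [(1200, "can_acl_drop", "0xc4 from infotainment"),
                             (1950, "config_change", "access control list"),
                             (2310, "integrity_fail", "system firmware")]:
        append(log, {"time": t, "event": event,
                     "vehicle_id": "VEHICLE-ID-PLACEHOLDER", "detail": detail})
    return log
```

The chain exposes modified or removed entries in the middle of the log, but not
truncation at the tail; for that, the latest tag or an entry counter has to be
kept where the log writer cannot rewrite it.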
6.3.3 Security breach
Test according to 7.3j). The gateway shall not contain unaddressed security
vulnerabilities rated high-risk or above that were announced by the
authoritative vulnerability platform 6 months ago.
NOTE: Disposal includes eliminating the vulnerabilities, formulating mitigation
measures and so on.
6.4 Data cyber security requirements
The important safety parameters in the gateway shall be stored and processed
in a safe manner. Prevent unauthorized access, modification, deletion and
retrieval. Test according to 7.4. The security zone or security module in the
gateway cannot be cracked, read, or written without authorization. This can be
achieved through the use of security zones, security modules, or equivalent
security technologies that provide appropriate authorization procedures.
7 Test methods
7.1 Hardware cyber security test
The gateway hardware cyber security test is carried out in sequence according
to the following procedures and requirements:
a) Disassemble the shell of the equipment under test. Take out the PCB
board. Check whether the PCB board hardware has a back door or hidden
interface;
b) Check whether there are debugging interfaces such as JTAG, USB, UART,
SPI exposed on the PCB board. If it exists, use the test tool to try to obtain
debugging permission.
7.2 Communication cyber security test
7.2.1 CAN gateway communication cyber security test
The CAN gateway communication cyber security test is carried out in sequence
according to the following procedures and requirements.
a) Set the access control strategy specified in 6.2.1.1 (if the access control
strategy of the tested sample cannot be modified through the software
configuration, the sample sender will provide a list of preset access control
strategies). The detection device sends data frames that comply with the
policy to the source port specified in the list. Detect the received data
frame at the destination port specified in the list.
b) Set the access control strategy specified in 6.2.1.1 (if the access control
strategy of the tested sample cannot be modified through the software
configuration, the sample sender will provide a list of preset access control
strategies). The detection device sends data frames that do not comply
with the policy to the source port specified in the list. Detect the received
data frame at the destination port specified in the list, and collect sample
logs.
c) The sender confirms that the gateway is connected to the CAN channel of
the vehicle's external communication interface. The detection device
sends a flood attack data frame conforming to the communication matrix
with a bus load rate greater than 80% on this channel. Detect the received
data frame at the designated destination port and collect sample logs. If
there are multiple channels of this type, they are tested separately in turn.
d) The sender confirms that the gateway is connected to the CAN channel of
the vehicle's external communication interface. The detection equipment
packets at the destination port specified in the list;
c) Set the access control strategy specified in 6.2.2.2 (if the access control
strategy of the tested sample cannot be modified through the software
configuration, the sample sender will provide a list of preset access control
strategies). The detection device sends data packets that do not comply
with the policy to the source port specified in the list. Detect and receive
data packets at the destination port specified in the list, and collect sample
logs;
d) The detection device sends a flood attack packet that conforms to the
network domain policy and access control policy to the gateway. Attack
type can be ICMP flood attack and UDP flood attack. Detect and receive
data packets at the destination port and collect sample logs;
e) Based on the TCP protocol, construct multiple data packets or data packet
sequences that do not meet the protocol standards to form a test set. The
detection device sends the test set to the gateway. Detect and receive
data packets at the destination port, and collect sample logs.
7.2.3 Cyber security test for hybrid gateway communication
For the hybrid gateway, the cyber security test for CAN communication and
Ethernet communication shall be carried out according to 7.2.1 and 7.2.2
respectively.
7.3 Firmware cyber security test
The cyber security test of the gateway system is carried out in sequence
according to the following procedures and requirements.
a) Anti-tampering test of root of trust for secure startup of gateway:
1) Obtain the access method and address of the root of trust storage area
for secure startup of the gateway;
2) Testers use software debugging tools to write data. Repeat multiple
times to verify whether data can be written to the storage area.
b) Verification test of secure startup Bootloader program of gateway:
1) Extract the Bootloader program with which the gateway runs normally;
2) Use software debugging tools to modify the signature information of the
Bootloader program;
3) Write the modified Bootloader program to the designated area in the
gateway;
4) Monitor whether the gateway loads Bootloader and system firmware
normally.
c) Verification test of secure startup system firmware of gateway:
1) Obtain the system firmware for the normal operation of the gateway;
2) Use software debugging tools to modify the signature information of the
system firmware program;
3) Write the damaged system firmware to the designated area in the
gateway;
4) Monitor whether the gateway is working properly.
d) If the tested gateway has a security log recording function, perform the
tests in 7.2 in turn and check the logs generated by the tested sample.
e) If the tested gateway has a security log recording function, try to change
the cyber security settings of the tested sample (such as modifying the
access control list). Check the generated log.
f) If the tested gateway has a security log recording function, try to change
the key configuration of the system (such as routing table) for the tested
sample. Check the generated log.
g) If the tested gateway has a security log recording function, check whether
the log contains the time of the event triggering the log, the type of event,
and the unique identification code of the vehicle.
h) If the tested gateway has a security log recording function, try to access,
modify or delete the recorded security log through the test tool.
i) If the tested gateway has a security log recording function, check whether
the log contains personal information.
j) Use vulnerability scanning tools to perform vulnerability detection on the
gateway. Detect whether there are high-risk security vulnerabilities that
have been released by the authoritative vulnerability platform for 6 months
or more. If there is a high-risk vulnerability, check the technical documents
of the high-risk vulnerability disposal plan.
7.4 Data cyber security test
The gateway data cyber security test is carried out in sequence according to
the following procedures and requirements:
a) Testers try to crack the authorized access control of the gateway security
Annex B
(informative)
Examples of typical attacks
B.1 Ping of death
An attack that sends malformed or otherwise malicious ping packets to a
computer, also known as the ping of death. For example, the attacker
deliberately sends IP packets larger than 65536 bits to the target, so that
the target cannot process them or the system even crashes.
B.2 ICMP flood attack
A simple denial-of-service attack, also known as a ping flood attack. The
attacker uses "echo request" (ping) packets to flood the target.
B.3 UDP flood attack
A denial-of-service attack that uses UDP protocol (a session-less,
connectionless transport layer protocol).
B.4 TCP SYN attack
A denial-of-service attack. The attacker sends a series of SYN requests to the
target system in an attempt to consume enough server resources to make the
system unresponsive to legitimate traffic.
B.5 Teardrop attack
One of the fields in the IP packet header is the fragment offset. This field
indicates the starting position or offset of the fragmented data packet in the
original unfragmented data packet.
A teardrop attack uses IP packets whose fragment offset values have been
maliciously modified. As a result, the target cannot reassemble the IP data
packets normally, and the system may even crash.
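A receiver can reject the fragment patterns described in B.1 and B.5 before
reassembly by validating offsets and total size. The Python sketch below is an
added example, not part of the standard; the function name, finding labels and
fragment sets are constructed, and the size limit used is the 16-bit IPv4
Total Length field.

```python
MAX_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit byte count

def check_fragments(frags, header_len=20):
    """Validate the fragments collected for one datagram before reassembly.

    frags: (fragment_offset, payload_len, more_fragments) tuples, with the
    offset in 8-byte units as carried in the IPv4 header.
    Returns a set of findings; an empty set means nothing suspicious."""
    findings = set()
    covered = 0                               # highest payload byte seen so far
    for off, length, more in sorted(frags):
        start = off * 8
        if start < covered:                   # B.5: offset points into data already held
            findings.add("overlap")
        if more and length % 8:               # only the last fragment may be unaligned
            findings.add("unaligned")
        covered = max(covered, start + length)
    if header_len + covered > MAX_DATAGRAM:   # B.1: reassembled size exceeds the limit
        findings.add("oversize")
    return findings

# Constructed fragment sets: (offset in 8-byte units, payload bytes, MF flag).
FRAG_NORMAL = [(0, 1480, True), (185, 1480, True), (370, 1040, False)]
FRAG_OVERLAP = [(0, 1480, True), (100, 1480, False)]
FRAG_OVERSIZE = [(0, 1480, True), (8189, 100, False)]
```

Tracking the highest byte covered so far, rather than comparing only adjacent
fragments, also catches a short fragment placed inside a longer earlier one.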
B.6 ARP spoofing attack
In this kind of spoofing attack, the attacker sends deceptive Address
Resolution Protocol (ARP) packets to the local network. The purpose is to
associate the MAC address of the attacker with the IP address of another host
or network device, thereby causing other nodes on the network to send any
traffic intended for that IP address to the attacker.
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.