GB 44495-2024: Technical requirements for vehicle cybersecurity
Status: Valid
GB
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 43.020
CCS T 40
Technical requirements for vehicle cybersecurity
Issued on: AUGUST 23, 2024
Implemented on: JANUARY 01, 2026
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.

Table of Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Requirements for vehicle cybersecurity management system
6 Basic requirements for cybersecurity
7 Technical requirements for cybersecurity
8 Inspection and test methods
9 Same type determination
10 Implementation of standards
Bibliography

1 Scope

This document specifies the requirements for vehicle cybersecurity management system, basic requirements for cybersecurity, technical requirements for cybersecurity and same type identification, and describes the corresponding inspection and test methods. This document applies to category M and category N vehicles, as well as category O vehicles that are equipped with at least one electronic control unit.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the version corresponding to that date is applicable to this document; for undated references, the latest version (including all amendments) is applicable to this document.

GB/T 40861, General technical requirements for vehicle cybersecurity
GB/T 44373, Intelligent and connected vehicle - Terms and definitions
GB/T 44464-2024, General requirements of vehicle data
GB 44496, General technical requirements for software update of vehicles

3 Terms and definitions

Terms and definitions given in GB/T 40861, GB/T 44373 and GB 44496, as well as the following, are applicable to this document.

3.1 vehicle cybersecurity
The state where the vehicle's electrical and electronic systems, components and functions are protected from asset threats.
[Source: GB/T 40861-2021, 3.1]

3.2 cybersecurity management system; CSMS
System approach based on risk.
Note: Including organizational processes, responsibilities and governance to address risks associated with vehicle cyber threats and to protect vehicles from cyber-attacks.
[Source: GB/T 44373-2024, 3.11, modified]

3.3 risk
Impact of vehicle cybersecurity uncertainty.
Note: Risk is expressed in terms of attack feasibility and impact.

3.4 risk assessment
The process of discovering, identifying and describing risks, understanding the nature of risks and determining the level of risks, and comparing the results of risk analysis with risk criteria to determine whether the risks are acceptable.

3.5 threat
Potential causes of unexpected events that may result in harm to systems, organizations, or individuals.

4 Abbreviated terms

For the purposes of this document, the following abbreviated terms apply.

CAN: Controller Area Network
ECU: Electronic Control Unit
HSM: Hardware Security Module
NFC: Near Field Communication
OBD: On-Board Diagnostics
RFID: Radio Frequency Identification
USB: Universal Serial Bus
VLAN: Virtual Local Area Network
VIN: Vehicle Identification Number
V2X: Vehicle to Everything
WLAN: Wireless Local Area Networks

5 Requirements for vehicle cybersecurity management system

5.1 Vehicle manufacturers shall have a cybersecurity management system for the entire vehicle life cycle.
Note: The entire vehicle life cycle includes the vehicle development phase, production phase and post-production phase.

5.2 The vehicle cybersecurity management system shall include the following contents.
-- Establish a process for vehicle cybersecurity management inside the enterprise.
-- Establish a process for identifying, assessing, classifying, and handling vehicle cybersecurity risks and verifying that identified risks are handled, and ensure that vehicle risk assessments are kept up to date.

6 Basic requirements for cybersecurity

6.1 The vehicle product development process shall comply with the requirements for vehicle cybersecurity management system.

6.2 The vehicle manufacturer shall identify and manage risks associated with vehicles and suppliers.

6.3 The vehicle manufacturer shall identify the key elements of the vehicle, conduct risk assessments on the vehicle, and manage the identified risks.
Note 1: The scope of risk assessment includes the various elements of the vehicle and their interactions, and further considers the interactions with external systems.
Note 2: Key elements include, but are not limited to, elements that contribute to vehicle security, environmental protection or theft prevention, as well as system components that provide connectivity or parts of the vehicle architecture that are critical to cybersecurity.

6.4 The vehicle manufacturer shall take measures based on the requirements of Chapter 7 to protect the vehicle from the risks identified in the risk assessment. If the measures are not relevant to the identified risks, the vehicle manufacturer shall explain their irrelevance. If the measures are not sufficient to address the identified risks, the vehicle manufacturer shall implement other measures and explain the rationality of the measures used.

6.5 If there is a dedicated environment, the vehicle manufacturer shall take measures to protect the dedicated environment used by the vehicle to store and execute post-installed software, services, applications or data.
Note: Such as sandbox dedicated environment, etc.

6.6 The vehicle manufacturer shall verify the effectiveness of the cybersecurity measures implemented through testing.

6.7 The vehicle manufacturer shall implement appropriate measures for the vehicle to ensure the following capabilities.
-- Ability to identify vehicle cyber-attacks;
-- Monitoring and data forensics capabilities for vehicle-related cyber-attacks, cyber threats and vulnerabilities.

6.8 The vehicle manufacturer shall use public, published, and effective cryptographic algorithms and select appropriate parameters and options based on different cryptographic algorithms and service scenarios.

6.9 The vehicle manufacturer shall meet one of the following requirements for cryptographic modules.
-- Adopt cryptographic modules that comply with international, national or industry standards;
-- For the cryptographic modules not adopting international, national or industry standards, explain the rationality.

7 Technical requirements for cybersecurity

7.1 Security requirements for external connections

7.1.1 General security requirements

7.1.1.1 Vehicle-side systems with remote control functions, authorized third-party applications and other external connection systems shall not have high-risk or higher security vulnerabilities that have been announced by the authoritative vulnerability platforms of the automotive industry for 6 months and have not been handled.
Note 1: Authoritative vulnerability platforms of the automotive industry refer to NVDB-CAVD, a vulnerability database specifically for Internet of Vehicles, and other vulnerability platforms approved by government authorities.
Note 2: Handling includes methods such as eliminating loopholes and formulating mitigation measures.

7.1.1.2 Vehicles shall turn off network ports that are not essential for service operations.

7.1.2 Security requirements for remote controls

7.1.2.1 The authenticity and integrity of remote-control commands shall be verified.

7.1.2.2 Access control shall be set for remote control commands to disable unauthorized remote-control commands.

7.1.2.3 A security log function shall be available to record remote control commands. The content of the security log shall at least include the time of the remote-control command, the sender, the remote-control object, the operation results, etc. The relevant security log shall be retained for no less than 6 months.

7.1.2.4 The integrity of the vehicle-side system with remote control function shall be verified.

7.1.3 Security requirements for third party applications

7.1.3.1 The authenticity and integrity of authorized third-party applications shall be verified.
Note: Third-party applications refer to applications provided by entities – other than vehicle manufacturers and their suppliers – who supply services to users, including third-party entertainment applications.

7.1.3.2 Prompts shall be given before the installation of unauthorized third-party applications, and access control shall be performed on installed unauthorized third-party applications to restrict such applications from directly accessing system resources, personal information, etc.

7.1.4 Security requirements for external interfaces

7.1.4.1 Access control protection shall be implemented on the vehicle's external interfaces to prohibit unauthorized access.
Note: External interfaces include USB interface, diagnostic interface, and other directly accessible physical interfaces.

7.1.4.2 Access control shall be implemented on files in devices connected to the vehicle's USB interface and SD card interface, allowing only reading and writing of files in specified formats or installation and execution of application software with specified signatures.

7.1.4.3 The vehicle shall handle the virus risks in the devices connected to the USB interface.

7.1.4.4 When sending write operation commands for key configuration and calibration parameters to the vehicle through the diagnostic interface, the vehicle shall adopt security strategies such as identity authentication or access control.

7.2 Communication security requirements

7.2.1 When a vehicle communicates with the vehicle manufacturer’s cloud platform, the authenticity of the identity of the communication partner shall be verified.

7.2.2 When vehicles conduct V2X direct communications with other vehicles, road side units, mobile terminals, etc., the validity and legality of the certificates shall be verified.

7.2.3 Vehicles shall use integrity protection mechanisms to protect external wireless communication channels other than RFID and NFC.

7.2.4 The vehicle shall have an access control mechanism for data operation commands from the vehicle's external communication channels.
Note: Data operation commands from the vehicle's external communication channels include code injection, data manipulation, data overwriting, data erasing and data writing commands.
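As an added illustration of clauses 7.1.2.1 to 7.1.2.3 (it is not part of GB 44495-2024 or of this excerpt), the following Python example shows a vehicle-side gate that verifies, authorizes and logs remote-control commands. The standard does not prescribe a mechanism: HMAC-SHA256 with per-sender keys, the JSON field names, the 30-second freshness window, the 184-day retention value and the names `RemoteCommandGate` and `make_command` are all assumptions.

```python
import hashlib
import hmac
import json

# Assumptions, not taken from GB 44495-2024: HMAC-SHA256 with a per-sender
# key, a JSON command body, a 30 s freshness window, 184-day log retention.
MAX_SKEW_S = 30
RETENTION_S = 184 * 86400  # covers "no less than 6 months" (7.1.2.3)


def make_command(key, sender, target, command, ts, nonce):
    """Sender side: serialize a command and tag the exact bytes sent."""
    body = json.dumps({"sender": sender, "object": target, "command": command,
                       "ts": ts, "nonce": nonce}).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


class RemoteCommandGate:
    """Vehicle side: verify, authorize and log every remote-control command."""

    def __init__(self, keys, permissions):
        self.keys = keys                # sender id -> shared key (bytes)
        self.permissions = permissions  # sender id -> set of allowed commands
        self.seen = set()               # (sender, nonce) pairs already accepted
        self.security_log = []

    def _log(self, now, sender, target, command, result):
        # Minimum fields of 7.1.2.3: time, sender, object, operation result.
        self.security_log.append({"time": now, "sender": sender,
                                  "object": target, "command": command,
                                  "result": result})
        return result

    def handle(self, body: bytes, tag: bytes, now: float) -> str:
        try:
            msg = json.loads(body)
            sender, target = msg["sender"], msg["object"]
            command, nonce, ts = msg["command"], msg["nonce"], float(msg["ts"])
            if not all(isinstance(v, str) for v in (sender, target, command, nonce)):
                raise TypeError("identifier fields must be strings")
        except (ValueError, KeyError, TypeError, OverflowError):
            return self._log(now, None, None, None, "rejected:malformed")
        key = self.keys.get(sender)
        expected = hmac.new(key or b"", body, hashlib.sha256).digest()
        # 7.1.2.1: authenticity and integrity, compared in constant time.
        if key is None or not hmac.compare_digest(expected, tag):
            return self._log(now, sender, target, command, "rejected:bad_tag")
        # A valid tag does not prove freshness: reject stale or repeated commands.
        if not abs(now - ts) <= MAX_SKEW_S or (sender, nonce) in self.seen:
            return self._log(now, sender, target, command, "rejected:replay")
        self.seen.add((sender, nonce))
        # 7.1.2.2: the sender must be authorized for this specific command.
        if command not in self.permissions.get(sender, set()):
            return self._log(now, sender, target, command, "rejected:unauthorized")
        return self._log(now, sender, target, command, "executed")

    def prune_log(self, now):
        """Drop only entries older than the retention period."""
        self.security_log = [e for e in self.security_log
                             if now - e["time"] <= RETENTION_S]
```

Rejected commands are logged as well as executed ones, so the log also supports the attack-identification and forensics capabilities that 6.7 asks for.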

8 Inspection and test methods

8.1 General

Inspection and test methods include vehicle cybersecurity management system inspection, basic requirements inspection and technical requirements testing.
-- Inspect the documents related to the vehicle manufacturer's cybersecurity capabilities to confirm that the vehicle manufacturer meets the requirements of Chapter 5;
-- Check the cybersecurity-related documents during the vehicle development and production process to confirm that the test vehicle meets the requirements of Chapter 6;
-- Based on the risks identified for the vehicle and the relevance of the measures to be taken in Chapter 7 regarding the vehicle technical requirements, confirm the test scope of the vehicle cybersecurity technical requirements in accordance with 8.3, and conduct tests based on the test scope to confirm that the vehicle meets the requirements of Chapter 7.
Note: The test scope includes the applicable clauses of Chapter 7 and the vehicle to be tested, the test objects corresponding to each applicable clause, etc.

8.2 Inspection of basic requirements for cybersecurity

8.2.1 Inspection requirements

8.2.1.1 Vehicle manufacturers shall have documents to describe the cybersecurity status of the vehicle during development and production, including submitted documents and retained documents for future reference.

8.2.1.2 The submitted documents shall be in Chinese and shall contain at least the following.
-- Summary document demonstrating that the vehicle meets the requirements of Chapter 6;
-- A list of documents to be retained for future reference that specifies the document version information.

8.2.1.3 The vehicle manufacturer shall retain vehicle cybersecurity-related process documents locally in a secure manner for reference, and shall prevent the retained documents from being tampered with, after completing the inspection.

8.2.1.4 The vehicle manufacturer shall make a self-declaration on the consistency and traceability of the documents submitted and retained for reference with the vehicle.

8.2.2 Inspection methods

8.2.2.1 Inspect the documents submitted by the vehicle manufacturer and confirm the inspection plan, including the inspection scope, inspection method, inspection schedule, and the list of necessary supporting documents for on-site inspection.

8.2.2.2 Based on the inspection plan confirmed in 8.2.2.1, inspect the cybersecurity-related process documents retained for reference on-site at the vehicle manufacturer, and confirm whether the vehicle meets the requirements of Chapter 6.

8.3 Test of technical requirements for cybersecurity

8.3.1 Test conditions

8.3.1.1 Test environment requirements

For tests involving wireless short-range communications, the vehicle shall be tested in a test environment without signal interference.

8.3.1.2 Test status requirements

The test samples include the whole vehicle and the parts involved in the test scope determined in 8.1. The following requirements shall be met.
-- The test sample can operate normally;
-- The vehicle cybersecurity related functions are turned on;
-- During the test, if the test vehicle speed is greater than 0 km/h or the test vehicle may start unexpectedly, place the test vehicle on a complete vehicle rotating hub test bench or in a road environment that ensures safe operation of the test vehicle.

8.3.1.3 Test input requirements

The vehicle manufacturer shall provide the necessary test input to support the completion of the test based on the test scope determined in 8.1.

8.3.2 External connection security test

8.3.2.1 General security test

8.3.2.1.1 System vulnerability security test

The tester shall use vulnerability scanning tools to scan the vehicle's external connection system for vulnerabilities, and compare the test results with the list of high-risk and above security vulnerabilities published by the authoritative vulnerability platform of the automotive industry 6 months ago and the vehicle external connection system vulnerability treatment plan provided by the vehicle manufacturer to determine whether the vehicle meets the requirements of 7.1.1.1.

8.3.2.1.2 Non-service essential network port security test

The tester shall network the test vehicle with the scanning test equipment based on the vehicle service port list provided by the vehicle manufacturer through communication channels such as WLAN, vehicle Ethernet, and cellular networks, use the scanning test equipment to test the ports opened by the vehicle, and compare the vehicle open port list obtained from the test with the vehicle service port list to determine whether the vehicle meets the requirements of 7.1.1.2.

8.3.2.2 Remote control security test

8.3.2.2.1 Authenticity and integrity verification security test

The tester shall carry out the test in the following order to determine whether the vehicle meets the requirements of 7.1.2.1.
a) Log in to the vehicle remote control program account and test whether normal remote vehicle control commands can be triggered;
b) Forge, tamper with and send remote vehicle control commands, and check whether the commands can be forged or tampered with, and whether the vehicle executes the commands.

8.3.2.2.2 Remote control command authority control security test

The tester shall construct and send remote control commands that exceed the authority based on the vehicle remote control command application scenarios and usage permission files provided by the vehicle manufacturer to determine whether the vehicle meets the requirements of 7.1.2.2.
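The comparison steps of 8.3.2.1.1 and 8.3.2.1.2 can be automated once the scan has been run; the Python example below is an added illustration, not part of the standard or of this excerpt. The severity labels, the data layout, the function names and every identifier, date and port in the sample data are constructed assumptions.

```python
import calendar
from datetime import date

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumed labels


def months_before(d: date, months: int) -> date:
    """Calendar-month subtraction, clamping the day (e.g. Aug 31 -> Feb 28)."""
    year, month0 = divmod(d.year * 12 + d.month - 1 - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def overdue_vulnerabilities(scan_ids, platform_list, handled_ids, test_date):
    """8.3.2.1.1: scanner hits that are high-risk or above, were announced at
    least 6 months before the test, and are absent from the treatment plan."""
    cutoff = months_before(test_date, 6)
    overdue = []
    for vid in sorted(set(scan_ids)):
        entry = platform_list.get(vid)
        if entry is None:
            continue  # not announced on the platform, outside 7.1.1.1
        if (SEVERITY_RANK[entry["severity"]] >= SEVERITY_RANK["high"]
                and entry["published"] <= cutoff and vid not in handled_ids):
            overdue.append(vid)
    return overdue


def unexpected_open_ports(open_ports, service_ports):
    """8.3.2.1.2: per channel, ports found open that are not declared."""
    findings = {}
    for channel, found in open_ports.items():
        extra = sorted(set(found) - set(service_ports.get(channel, ())))
        if extra:
            findings[channel] = extra
    return findings


# Constructed sample data: identifiers, dates and ports are illustrative only.
PLATFORM_LIST = {
    "EXAMPLE-0001": {"severity": "high", "published": date(2025, 5, 10)},
    "EXAMPLE-0002": {"severity": "critical", "published": date(2025, 12, 1)},
    "EXAMPLE-0003": {"severity": "high", "published": date(2025, 3, 2)},
    "EXAMPLE-0004": {"severity": "medium", "published": date(2024, 1, 1)},
}
SCAN_IDS = ["EXAMPLE-0001", "EXAMPLE-0002", "EXAMPLE-0003",
            "EXAMPLE-0004", "EXAMPLE-0999"]
HANDLED_IDS = {"EXAMPLE-0003"}  # covered by the manufacturer's treatment plan
OPEN_PORTS = {"wlan": [("tcp", 443), ("tcp", 5555)],
              "ethernet": [("tcp", 13400)], "cellular": []}
SERVICE_PORTS = {"wlan": [("tcp", 443)], "ethernet": [("tcp", 13400)]}


def evaluate(test_date):
    """Verdicts for 7.1.1.1 and 7.1.1.2 plus the findings behind them."""
    vulns = overdue_vulnerabilities(SCAN_IDS, PLATFORM_LIST, HANDLED_IDS, test_date)
    ports = unexpected_open_ports(OPEN_PORTS, SERVICE_PORTS)
    return {"7.1.1.1": not vulns, "7.1.1.2": not ports,
            "overdue": vulns, "unexpected_ports": ports}
```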

9 Same type determination

9.1 Direct criteria for same-type-identification of cybersecurity

If the following requirements are met, they are considered to be of the same type.
-- The cybersecurity management system is effective;
-- The vehicles have the same electrical and electronic architecture and cybersecurity measures;
-- The hardware model and software version number of the vehicle central gateway (except those that do not affect cybersecurity) are the same;
-- The vehicle's on-board software upgrade system hardware model and software version number (except those that do not affect cybersecurity) are the same;
-- The hardware models and software version numbers (except those that do not affect cybersecurity) of the vehicle's components with cellular mobile communication system functions are the same;
-- The protocol type, protocol version, interface type, and number of interfaces used in the vehicle wireless communication method are the same or reduced;
Note: Wireless communication methods include WLAN, Bluetooth, NFC, cellular communication, V2X, etc.
-- The types and number of vehicle external interfaces remain the same or are reduced;
-- The IP address or domain name of the vehicle manufacturer's cloud platform that is directly connected to the vehicle and generates data interaction is the same.

9.2 Criteria for same-type-identification after cybersecurity test verification

If the vehicle model is changed in accordance with 9.1, it is only necessary to conduct additional tests on the technical requirements related to the changed parameters when the following provisions are met, and the extension can be obtained after approval.
-- The vehicle cybersecurity management system is effective;
-- The vehicles have the same electrical and electronic architecture and cybersecurity measures;
-- The types of protocols and interfaces used in vehicle wireless communication methods are the same or reduced;
-- The types of vehicle external interfaces are the same or reduced.
......

Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.
