GB/T 40856-2021: Technical requirements and test methods for cybersecurity of on-board information interactive system
Status: Valid
This is an excerpt.

GB
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 43.020
CCS T 40

Technical Requirements and Test Methods for Cybersecurity of On-board Information Interactive System

Issued on: October 11, 2021
Implemented on: May 1, 2022
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.

Table of Contents

Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Technical Requirements
5.1 Security Requirements for Hardware
5.2 Security Requirements for Communication Protocols and Interfaces
5.3 Security Requirements for Operating System
5.4 Security Requirements for Application Software
5.5 Security Requirements for Data
6 Test Methods
6.1 Hardware Security Test
6.2 Security Test of Communication Protocols and Interfaces
6.3 Security Test of Operating System
6.4 Security Test of Application Software
6.5 Data Security Test
Appendix A (informative) Schematic Diagram of On-board Information Interactive System

1 Scope

This Standard specifies the technical requirements and test methods for the cybersecurity of hardware, communication protocols and interfaces, operating systems, application software and data of on-board information interactive system.
This Standard is applicable to the guidance of original equipment manufacturers, component suppliers and software suppliers in the implementation of the design, development, verification and production for the information security technology of on-board information interactive system.

2 Normative References

The contents of the following documents constitute indispensable clauses of this document through normative references in the text. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.

GB/T 25069 Information Security Technology - Glossary
GB/T 40861 General Technical Requirements for Vehicle Cybersecurity
GM/T 0005-2012 Randomness Test Specification

3 Terms and Definitions

What is defined in GB/T 25069 and GB/T 40861, and the following terms and definitions are applicable to this document.

3.1 On-board Information Interactive System
On-board information interactive system refers to a communication system installed on the vehicle and with at least one of the following functions.

3.2 External Communication
External communication refers to the wireless communication between the on-board information interactive system and outside the vehicle.

3.3 Internal Communication
Internal communication refers to the communication between the on-board information interactive system and the electrical and electronic systems in the vehicle.

3.4 User
User refers to the object that uses the resources of the on-board information interactive system.

3.5 User Data
User data refers to data generated by user, or data that serves the user.

4 Abbreviations

The following abbreviations are applicable to this document.

CAN: Controller Area Network
CAN-FD: Control Area Network-flexible Data
ECU: Electronic Control Unit
E-Call: Emergency Call
FTP: File Transfer Protocol
HTTP: Hypertext Transfer Protocol
ID: Identifier
JTAG: Joint Test Action Group
LE: Low Energy
LIN: Local Interconnect Network
TSP: Telematics Service Provider
UART: Universal Asynchronous Receiver / Transmitter
URL: Uniform Resource Locator
USB: Universal Serial Bus
WLAN: Wireless Local Area Networks
WPA: WLAN Protected Access

5 Technical Requirements

5.1 Security Requirements for Hardware

5.1.1 The chip used by the on-board information interactive system shall satisfy the following requirements.

5.1.2 In accordance with 6.1 c), perform the test. The processor, memory module, communication IC and other key chips and security chips used in the processing, storage and transmission of sensitive personal information used by the on-board information interactive system shall reduce the number of exposed pins.

5.1.3 In accordance with 6.1 d), perform the test. The number of exposed communication lines shall be reduced among the key chips used by the on-board information interactive system. For example, the on-board information interactive system using multi-layer circuit boards may adopt the mode of internal wiring to conceal the communication lines.

5.1.4 In accordance with 6.1 e), perform the test. The circuit boards and chips should not expose readable screen printings that are used to mark the port and pin functions.

5.2 Security Requirements for Communication Protocols and Interfaces

5.2.1 Security of external communication

5.2.3 Security of communication interface

5.2.3.1 Overall requirements
The communication interface of the on-board information interactive system shall satisfy the following requirements.

5.3 Security Requirements for Operating System

5.3.1 Security configuration of operating system
In terms of the security configuration of operating system, the on-board information interactive system shall satisfy the following requirements.

5.3.2 Secure invocation control capability

5.3.3 Secure startup of operating system
The on-board information interactive system shall satisfy the following requirements.
a) In accordance with 6.3.3 a), perform the test. The startup of the operating system shall start with a root of trust that cannot be modified;
b) In accordance with 6.3.3 b), perform the test. The on-board operating system can only be loaded after the operating system signature is verified in the trusted storage area, so as to prevent the loading of a tampered operating system;
c) Before executing other secure startup codes, in accordance with 6.3.3 c), perform the test; the integrity of the code shall be verified.

5.3.4 Update of operating system
The on-board information interactive system shall satisfy the following requirements.
a) In accordance with 6.3.4 a), perform the test. It shall have the anti-rollback verification function of the system mirror;
b) When the installation of the updated mirror image fails, in accordance with 6.3.4 b), perform the test. It shall restore to the version before the update or enter a secure status;

5.3.5 Isolation of operating system
In accordance with 6.3.5, perform the test. Except for necessary interfaces and data, such as functions like making calls and data like phone books and short messages, which can be shared, there shall be no communication between multi-operating systems with preset functions in parallel.

5.3.6 Security management of operating system
The on-board information interactive system shall satisfy the following requirements.

5.4 Security Requirements for Application Software

5.5 Security Requirements for Data

5.5.1 Data collection
The data collection of the on-board information interactive system shall satisfy the following requirements.

5.5.3 Data transmission
In accordance with 6.5.3, perform the test. The on-board information interactive system shall adopt management measures and technical means to protect the confidentiality, integrity and availability of the transmitted user data.

5.5.4 Data destruction
The data destruction of the on-board information interactive system shall satisfy the following requirements.

6 Test Methods

6.1 Hardware Security Test
In accordance with the following procedures, carry out the test.

6.2 Security Test of Communication Protocols and Interfaces

6.2.1 Security test of external communication protocol

6.2.1.1 Security test of communication connection
In accordance with the following procedures, carry out the test.

6.2.1.2 Security test of communication transmission
Utilize network data packet capture tools to capture data packets; analyze communication message data; check whether the data content transmitted between the on-board information interactive system and the platform server or the external terminal is encrypted.

6.2.1.3 Security test of communication termination response
In accordance with the following procedures, carry out the test.

6.2.1.4 Security test of telecommunication protocol

6.2.1.5 Security test of short-distance communication protocol

6.2.2 Security test of communication protocol in the vehicle
Utilize the method of capturing, analyzing and sending data in the network message in the vehicle to check when the on-board information interactive system has data interaction and transmits important data with other controller nodes in the vehicle through buses, for example, CAN or on-board Ethernet, whether it uses the security mechanism to ensure the integrity and availability of the transmitted data.

6.2.3 Security test of communication interfaces

6.3 Security Test of Operating System

6.3.1 Test of security configuration of operating system
In accordance with the following procedures, carry out the test.
a) Log in with a user account with the highest authority; after logging in with an ordinary account, attempt to raise the authority; check whether the system prohibits the highest authority user from directly logging in and restricts the ordinary user’s authority-raising operation;
b) View the list of accounts in the system; check whether there are useless accounts, or attempt to log in to the useless accounts to verify whether they can be logged in. By setting a weak password, check whether the system prompts a weak-security password. The account password includes at least Arabic numerals, uppercase and lowercase Latin letters, and a length of not less than 8 digits;
c) Utilize authorized identities or authorized processes to access files and

6.3.2 Test of secure invocation control capability

6.3.2.1 Security test of communication function control mechanism

6.3.2.2 Test of local sensitive function control mechanism

6.3.3 Test of secure startup of operating system
In accordance with the following procedures, carry out the test.
a) Obtain the access method and address of the trusted root storage area for the secure startup of the operating system; utilize the software debugging tool to write-in the data; repeatedly check whether the data can be written into the storage area;
b) Extract the operating system signature; utilize the software debugging tool to tamper with the signature; write the modified signature into the designated trusted area in the on-board terminal; check whether it can normally work;
c) Obtain the other secure startup codes of the system firmware of the operating system; utilize the software debugging tool to tamper with them; write the modified startup codes into the designated area in the on-board terminal; check whether it can normally work.

6.3.4 Security test of update of operating system
In accordance with the following procedures, carry out the test.
a) Replace the mirror image with an expired mirror image; check whether it cannot be successfully loaded;
b) For example, by manually cutting off the power supply when updating the mirror image, confirm when the installation of the updated mirror image fails, whether the previous version of the system before the installation is available or whether it enters a secure state;
c) Modify the updated mirror image; check whether the update process cannot be executed;
d) Utilize an unofficially credited updated mirror image to check whether the update process cannot be executed.

6.3.5 Test of isolation of operating system
Review the design documents; check whether the operating system isolation measures are adopted. In other words, except for the necessary interfaces and data that can be shared, such as calls, phone books and short messages, communication between different operating systems cannot be carried out.

6.3.6 Test of security management of operating system
In accordance with the following procedures, carry out the test.
a) For vehicle operating systems, introduce abnormal conditions, such as abnormal network connections and sudden increase in memory usage; check whether an alarm will be issued for the abnormal conditions;
b) For vehicle operating systems, review the documents; check whether the operating system has an audit function for important services and operations;
c) Open the log query interface; check whether the operating system has log records for important events;
d) Review the documents; check whether the operating system sets a strategy of uploading logs to the server;
e) By attempting to overwrite and delete the log storage area, check whether the log storage has security protection;
f) Utilize authorized identities to read or write-in logs; check whether the operation can be successful. Utilize unauthorized identities to read or access logs; check whether the operation cannot be successful;

6.4 Security Test of Application Software

6.4.1 Basic security test of application software
In accordance with the following procedures, carry out the test.
a) Attempt to download and install application software that does not use the official signature; check whether it cannot be normally downloaded and installed;
b) Utilize vulnerability scanning tools to perform vulnerability detection on the on-board terminal; detect whether there are high-risk security vulnerabilities announced by the authoritative vulnerability platform for 6 months and above. If there are high-risk vulnerabilities, then, check the technical documents of the high-risk vulnerability disposal scheme;
c) Analyze the data in the application software; check whether the application software collects or leaks personal sensitive information without authorization, and whether the unauthorized data is externally transmitted, or whether there are other malicious behaviors;
d) Adopt the methods of analysis and search; check whether the application software stores personal sensitive information in plain text;
e) Analyze the session content; verify whether the on-board information interactive system has a session security protection mechanism, for example, using a randomly generated session ID, etc.;
f) Adopt the method of brute force cracking; check whether the strategies of user password length and character type satisfy the requirements, or when a strong-complexity password is not used, check whether the user is prompted of risks;

6.4.3 Test of application software access control
In accordance with the following procedures, carry out the test.

6.4.4 Security test of application software operation
In accordance with the following procedures, carry out the test.

6.4.5 Security test of application software communication
In accordance with the following procedures, carry out the test.

6.4.6 Security test of application software log
In accordance with the following procedures, carry out the test.

6.5 Data Security Test

......

Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.
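
The update checks in 5.3.4 and 6.3.4 a) to d) can be exercised against a reference update verifier. The following is an added example, not part of the standard or of any vendor's code. The image format, the names `make_image`, `Updater` and `run_cases`, and the demo key are assumptions; HMAC-SHA256 stands in for the asymmetric signature a production updater would verify.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the asymmetric signature a
# production updater would verify against a key anchored in its root of trust.
OFFICIAL_KEY = b"constructed-official-signing-key"

def make_image(version, payload, key=OFFICIAL_KEY):
    # Hypothetical image format: signed header (version + payload hash), payload.
    header = json.dumps({"version": version,
                         "sha256": hashlib.sha256(payload).hexdigest()}).encode()
    return {"header": header, "payload": payload,
            "tag": hmac.new(key, header, hashlib.sha256).digest()}

class Updater:
    def __init__(self, version, payload):
        self.active = (version, payload)  # slot the system boots from
        self.min_version = version        # anti-rollback floor, only ever raised

    def check(self, image):
        expected = hmac.new(OFFICIAL_KEY, image["header"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, image["tag"]):
            return "rejected: signature"   # 6.3.4 d) image not officially signed
        meta = json.loads(image["header"])
        if hashlib.sha256(image["payload"]).hexdigest() != meta["sha256"]:
            return "rejected: integrity"   # 6.3.4 c) image modified after signing
        if meta["version"] < self.min_version:
            return "rejected: rollback"    # 6.3.4 a) expired (older) image
        return "ok"

    def install(self, image, power_cut=False):
        verdict = self.check(image)
        if verdict != "ok":
            return verdict
        staged = (json.loads(image["header"])["version"], image["payload"])
        if power_cut:  # simulated failure while writing the inactive slot
            return "failed: previous version kept"  # 6.3.4 b)
        self.active, self.min_version = staged, staged[0]
        return "installed"

def run_cases():
    dev = Updater(5, b"os-v5")  # constructed device state: running version 5
    tampered = dict(make_image(6, b"os-v6"), payload=b"os-v6-modified")
    results = {
        "a_old_image": dev.install(make_image(3, b"os-v3")),
        "b_power_cut": dev.install(make_image(6, b"os-v6"), power_cut=True),
        "c_modified": dev.install(tampered),
        "d_unofficial": dev.install(make_image(6, b"os-v6", key=b"other-key")),
    }
    results["active_after_failures"] = dev.active[0]
    results["valid_update"] = dev.install(make_image(6, b"os-v6"))
    results["replay_v5"] = dev.install(make_image(5, b"os-v5"))
    return results
```

The signature is checked before the header is parsed, so an unofficial image never reaches the version or hash logic, and the active slot is only replaced after every check and the write have succeeded.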