Strengthening the management of information security vulnerabilities under the Technical Requirements for Information Security of Automobiles

Mondo Technology Updated on 2024-01-19

Requirements for vulnerability management in the mandatory standard

Security vulnerabilities are one of the core concerns of vehicle cyber security, and the "Technical Requirements for Information Security of Automobiles" (hereinafter referred to as the GB mandatory standard) sets out specific requirements for them, covering both the management process and the technology, in several chapters.

5.2 The automotive information security management system shall include the following:

Establish processes for monitoring, responding to and reporting cyber attacks, cyber threats and vulnerabilities against vehicles, with the following requirements:

It should include a vulnerability management mechanism and clarify the steps of vulnerability collection, analysis, reporting, disposal, release and reporting to the authorities;

A process for providing relevant data on cyber attacks and analysing it should be established, for example analysing and detecting cyber attacks, threats and vulnerabilities through vehicle data and vehicle logs;

A process should be established to ensure continuous monitoring of cyber attacks, cyber threats and vulnerabilities, and to ensure that a vehicle is included in the monitoring no later than the time of its registration;

Processes should be established to ensure that identified cyber attacks, cyber threats and vulnerabilities are responded to and addressed within the specified time frame;

A process should be established to assess whether the information security measures implemented remain effective in the event of the discovery of new cyber attacks, cyber threats, and vulnerabilities.

6.7 Vehicle manufacturers shall implement vehicle-specific measures to identify cyber attacks against the vehicle, giving the manufacturer the capability to monitor for vehicle-related cyber attacks, cyber threats and vulnerabilities, as well as the data forensic capability needed to analyse them.

7.1.1.1 External connection systems, such as systems with remote control functions and authorized third-party applications on the vehicle side, shall not have unaddressed security vulnerabilities of high risk or above that an authoritative vulnerability platform announced more than 6 months earlier.

7.3.12 The on-board software upgrade system shall not have unaddressed security vulnerabilities of high risk or above that an authoritative vulnerability platform announced more than 6 months earlier.

Among the above requirements:

5.2. It is required that the enterprise-level information security management system of the vehicle manufacturer should include the corresponding vulnerability management process;

6.7 requires that the vulnerability management process be implemented for the specific vehicle over its whole life cycle;

7.1.1.1 and 7.3.12 are the concrete technical requirements on vulnerabilities for external connection systems (remote control systems and third-party applications) and for the software upgrade system.

Vulnerability management process and implementation practice

Throughout the vehicle's lifecycle, the enterprise-level vulnerability management process includes the following activities:

1. Vulnerability information collection:

In the vulnerability collection process, the security activities that need to be completed include:

(1) Define the vulnerability monitoring sources

First of all, monitoring of information security vulnerabilities should be established; the sources of vulnerability information can be:

a) Input of project personnel during product development, including various test reports;

b) Vulnerability feedback email on the company's official website;

c) Feedback from partners or other companies;

d) Feedback from suppliers;

e) Customer feedback;

f) Release;

g) Databases of all kinds of public vulnerabilities;

(2) Define the trigger conditions for vulnerability monitoring

Enterprises need to screen the data from the monitoring sources against the actual assets of the vehicles they develop, and identify the items associated with the protected vehicles, such as:

a) Hardware, software, communication component modules;

b) Open source components used;

c) Self-developed software used;

d) Product names and company names of the suppliers used;

e) Product names and company names of customers, etc.

The collection of vulnerability information is a continuous process covering the entire life cycle of the vehicle. During development it relies mainly on testing (such as vulnerability scanning and penetration testing) to collect vulnerability information, while mass-produced vehicles are generally monitored for vulnerabilities through a VSOC (vehicle security operations center).

2. Vulnerability analysis

In the vulnerability analysis session, the main security activities include:

(1) Vulnerability relevance judgment:

The monitoring personnel make a relevance judgment on the vulnerability information collected by the monitoring systems (such as the VSOC and C**D platforms) to determine whether the vulnerability is relevant to the vehicle.

(2) Vulnerability classification and grading:

Because of the particularities of automobiles, the cost, timeliness and impact assessment of vulnerability fixes are more demanding and complex than for general IT systems, so the collected vulnerabilities need to be classified and graded. Classification helps determine the technical cause of the vulnerability, who is affected and similar information, while grading determines the likelihood of exploitation and the severity of the damage.

At present, a vulnerability classification and grading standard for automobiles is still being formulated. In general, grading can be approached from the following two aspects:

Attack feasibility analysis of the vulnerability using the CVSS method;

Impact rating based on the four SFOP dimensions (safety, financial, operational and privacy).

Finally, the risk level of the vulnerability is determined through a risk matrix.
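To make the grading concrete, the following is an added example (not code from the article or from any standard): it derives an attack-feasibility level from the CVSS v3.1 exploitability metrics (attack vector, attack complexity, privileges required, user interaction), takes the impact as the worst of the four SFOP ratings, and combines the two through a risk matrix. The CVSS metric weights are those of the CVSS v3.1 specification; the feasibility thresholds, the 0..3 SFOP rating scale, the risk matrix values and the sample vectors are assumptions chosen for illustration.

```python
"""Added example: CVSS-based attack feasibility + SFOP impact -> risk level.

Not from the original article. Feasibility thresholds and the risk matrix
are illustrative assumptions; replace them with your organisation's policy.
"""
from dataclasses import dataclass

# CVSS v3.1 exploitability metric weights (from the CVSS v3.1 specification).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
PR_SCOPE_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_SCOPE_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.split("/")
    if head != "CVSS:3.1":
        raise ValueError(f"unsupported CVSS vector: {vector}")
    parsed = dict(m.split(":", 1) for m in metrics)
    missing = {"AV", "AC", "PR", "UI", "S"} - parsed.keys()
    if missing:
        raise ValueError(f"vector {vector} lacks metrics {sorted(missing)}")
    return parsed


def exploitability(vector: str) -> float:
    """CVSS v3.1 exploitability sub-score (about 0.12 .. 3.89), rounded to 3 dp."""
    m = parse_vector(vector)
    # Privileges Required is weighted higher when the scope changes.
    pr = PR_SCOPE_CHANGED if m["S"] == "C" else PR_SCOPE_UNCHANGED
    return round(8.22 * AV[m["AV"]] * AC[m["AC"]] * pr[m["PR"]] * UI[m["UI"]], 3)


def feasibility_level(vector: str) -> str:
    """Map exploitability to a feasibility level (thresholds are assumptions)."""
    score = exploitability(vector)
    if score >= 2.5:
        return "high"
    if score >= 1.5:
        return "medium"
    if score >= 0.75:
        return "low"
    return "very low"


IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]


@dataclass
class SFOP:
    """Impact ratings 0..3 (negligible..severe) per SFOP dimension (assumed scale)."""
    safety: int
    financial: int
    operational: int
    privacy: int

    def level(self) -> str:
        ratings = (self.safety, self.financial, self.operational, self.privacy)
        if any(r not in range(4) for r in ratings):
            raise ValueError(f"SFOP ratings must be 0..3, got {ratings}")
        # The overall impact is the worst single dimension.
        return IMPACT_LEVELS[max(ratings)]


# Assumed risk matrix: rows = feasibility, columns = impact (negligible..severe),
# cells = risk level 1 (lowest) .. 5 (highest).
RISK_MATRIX = {
    "very low": [1, 1, 2, 2],
    "low":      [1, 2, 2, 3],
    "medium":   [1, 2, 3, 4],
    "high":     [1, 3, 4, 5],
}


def risk_level(vector: str, impact: SFOP) -> int:
    """Combine the feasibility level and the SFOP impact level through the matrix."""
    return RISK_MATRIX[feasibility_level(vector)][IMPACT_LEVELS.index(impact.level())]


if __name__ == "__main__":
    # Constructed sample: a remotely reachable, unauthenticated flaw in a
    # telematics service whose worst consequence is loss of vehicle control.
    vec = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    impact = SFOP(safety=3, financial=1, operational=2, privacy=0)
    print(exploitability(vec), feasibility_level(vec), impact.level(), risk_level(vec, impact))
```

Only the exploitability part of the CVSS vector is used here: the CVSS impact metrics (C/I/A) describe IT consequences, whereas the SFOP rating is what captures the vehicle-specific consequences (a safety impact of 3 dominates even if the privacy impact is 0), so the two inputs are kept separate and only joined in the matrix.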

3. Vulnerability information report:

Vulnerability information reporting refers to the process by which the company's security engineers, after monitoring and analysing a vulnerability, report it to the responsible information security officer or product owner. Enterprises need to establish a complete internal and external communication management and problem reporting mechanism at the project level, so that when a security vulnerability affecting vehicles is detected the responsible persons and management can be reached as soon as possible and the risk can be dealt with.

In practice, enterprises can adopt different reporting methods and reporting objects according to different vulnerability risk levels based on the classification and grading results of vulnerabilities.

4. Vulnerability disposal:

Vulnerability disposal refers to the process of dealing with identified vulnerabilities in products and components, and enterprises can formulate vulnerability handling policies in the system process, and comprehensively determine whether to deal with the vulnerability risk based on the attack feasibility rating results and vulnerability impact.

The vulnerability handling process mainly includes:

a) Vulnerability disposal decision: Determine whether the vulnerability is to be fixed; the outcome of the decision can be either to fix the vulnerability or to accept it;

b) Disposal plan design: Design a vulnerability disposal plan based on information such as the cause, location, and attack path of the vulnerability;

c) Evaluation of the disposal plan: Conduct a comprehensive analysis of the effectiveness, impact and rationality of the vulnerability disposal plan, referring to the TARA (threat analysis and risk assessment) method;

d) Development of disposal plan: The technical development process of the vulnerability repair plan, including the development of vulnerability patches, the adjustment of firewall policies, etc.;

e) Vulnerability remediation verification test: Through the test, determine the actual repair effect of the vulnerability.

5. Vulnerability release:

During the vulnerability release phase, the following security activities are mainly included:

(1) Vulnerability Notice:

For low- and medium-risk vulnerabilities that are to be fixed, a vulnerability notice shall be issued to the customer, informing them of the vulnerability assessment conclusion and the remediation plan.

The "vulnerability notice" shall include the cause of the vulnerability, its risk level, the affected scope, the remediation plan and the remediation schedule.

In general, organizations or researchers should not publish or disclose vulnerability information before the vulnerability has been remediated; undisclosed vulnerability information shall not be provided to enterprises or individuals other than the product vendor; and when security vulnerabilities in information products are published, preventive or remedial measures should be published at the same time.

(2) Vulnerability patch push:

For a high-risk or emergency vulnerability, once the verification test of the fix has been completed the upgrade package needs to be pushed to users through an over-the-air (OTA) or offline upgrade, to mitigate the security risk to the customer's vehicles.

If the vulnerability is low to medium risk, it can be upgraded along with subsequent software versions.

6. Vulnerability reporting:

According to the requirements of relevant laws and regulations in China, car companies should report to the C**D vulnerability database after confirming the vehicle vulnerability. This process is not described in detail here.

How to address high-risk vulnerabilities that have been public for more than 6 months

For clauses 7.1.1.1 and 7.3.12 of the GB mandatory standard, we recommend meeting them through the following activities:

1. During the development process, establish an SBOM (software bill of materials) of the vehicle's software;

2. Perform vulnerability scanning and penetration testing of the vehicle during the development process, finding and fixing all vulnerabilities where possible;

3. Because the development cycle of a vehicle is long, conduct a comprehensive vulnerability compliance scan of the vehicle 3-4 months before submitting it for inspection;

4. Deal with newly discovered vulnerabilities: fixing them, developing a remediation plan, or accepting them after re-evaluation are all acceptable forms of disposal.
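As an added example (not the article's code or any vendor's tool), the four activities above can be tied together in a script that takes an SBOM fragment, an advisory feed and the record of disposal decisions, and reports which findings of high risk or above would count as "announced more than 6 months earlier and not dealt with" on the planned inspection date. The inspection date is passed in as an ISO string, so a scan run 3-4 months ahead of submission can be evaluated against the date that matters. The component names, advisory IDs (deliberately not CVE IDs), scores and dates are constructed for illustration; using the CVSS base score as the "high-risk" criterion (7.0 and above, the CVSS "High" band) and comparing versions segment by segment are simplifying assumptions.

```python
"""Added example: SBOM-driven check for the 6-month rule of clauses 7.1.1.1 / 7.3.12.

Not from the original article. All components, advisories, scores and dates
below are constructed for illustration.
"""
import calendar
import re
from datetime import date

# CVSS v3 'High' band starts at 7.0; using the base score as the grading
# criterion is an assumption (the standard refers to the platform's rating).
HIGH_THRESHOLD = 7.0

# Constructed SBOM fragment for the on-board software upgrade system.
COMPONENTS = [
    {"name": "openssl", "version": "3.0.2", "purl": "pkg:generic/openssl@3.0.2"},
    {"name": "curl", "version": "8.5.0", "purl": "pkg:generic/curl@8.5.0"},
    {"name": "mqtt-client", "version": "1.4.0", "purl": "pkg:generic/mqtt-client@1.4.0"},
]

# Constructed advisory feed (IDs are fictional); 'purl' carries no version part.
ADVISORIES = [
    {"id": "ADV-2023-001", "purl": "pkg:generic/openssl", "fixed_in": "3.0.8",
     "cvss": 9.1, "published": "2023-02-07"},
    {"id": "ADV-2023-002", "purl": "pkg:generic/curl", "fixed_in": "8.4.0",
     "cvss": 7.5, "published": "2023-10-11"},
    {"id": "ADV-2023-003", "purl": "pkg:generic/mqtt-client", "fixed_in": "1.5.0",
     "cvss": 5.3, "published": "2023-03-01"},
    {"id": "ADV-2023-004", "purl": "pkg:generic/mqtt-client", "fixed_in": "1.4.1",
     "cvss": 8.8, "published": "2023-11-20"},
    {"id": "ADV-2023-005", "purl": "pkg:generic/mqtt-client", "fixed_in": "1.4.2",
     "cvss": 7.2, "published": "2023-06-15"},
]

# Disposal decisions already recorded (fix shipped, or accepted after re-evaluation).
HANDLED = {"ADV-2023-005": "accepted: affected feature compiled out, re-evaluated 2023-12-01"}


def shift_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def version_key(version: str) -> tuple:
    """Compare versions by the leading integer of each dot-separated segment
    (simplification: '1.1.1k' -> (1, 1, 1); this is not a full semver parser)."""
    key = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def check_components(components, advisories, handled, inspection_date: str) -> list:
    """Return one finding per (advisory, affected component) at or above HIGH_THRESHOLD.

    status: 'handled' (disposal decision recorded), 'overdue' (published 6 or more
    months before inspection_date and untreated) or 'pending' (untreated, within 6 months).
    """
    inspection = date.fromisoformat(inspection_date)
    cutoff = shift_months(inspection, -6)
    findings = []
    for adv in advisories:
        if adv["cvss"] < HIGH_THRESHOLD:
            continue  # medium/low: may ride along with a later software release
        published = date.fromisoformat(adv["published"])
        for comp in components:
            if comp["purl"].split("@", 1)[0] != adv["purl"]:
                continue
            if version_key(comp["version"]) >= version_key(adv["fixed_in"]):
                continue  # already at or past the fixed version
            if adv["id"] in handled:
                status = "handled"
            elif published <= cutoff:
                status = "overdue"
            else:
                status = "pending"
            findings.append({
                "id": adv["id"], "component": f'{comp["name"]}@{comp["version"]}',
                "cvss": adv["cvss"], "status": status,
                "deadline": shift_months(published, 6).isoformat(),
            })
    return findings


def compliant(findings) -> bool:
    """Clauses 7.1.1.1 / 7.3.12 are met when no finding is overdue."""
    return not any(f["status"] == "overdue" for f in findings)


if __name__ == "__main__":
    results = check_components(COMPONENTS, ADVISORIES, HANDLED, "2024-01-19")
    for f in results:
        print(f'{f["id"]:13} {f["component"]:18} CVSS {f["cvss"]:<4} {f["status"]:8} deadline {f["deadline"]}')
    print("compliant:", compliant(results))
```

Two details matter for the audit. An accepted vulnerability only leaves the "overdue" set because a disposal decision is on record (the HANDLED entry), which is the evidence an inspector will ask for; and the "pending" findings carry their deadline, so a scan run months before submission shows which items will become overdue by the inspection date if they are left untreated.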

More detailed explanations will follow in the next installment.
