01 Security Overview
With the continuous improvement of intelligence, automobiles are gradually evolving from traditional means of transportation to intelligent terminals on roads, and core components have also risen from engines, gearboxes, and chassis to chips, software, and data. According to research by relevant institutions, the current penetration rate of new cars equipped with intelligent network connection functions in the global market is about 45%, and it is expected to reach about 60% by 2025, and China is expected to exceed 75%. International Data Corporation IDC predicts that the scale of China's intelligent networked automobile industry will exceed US$200 billion in 2035. This means that in the next few years, China's intelligent networked car market will usher in a blowout. On the one hand, it is the rapidly developing intelligent networked car market, and on the other hand, intelligence brings convenience to travel. At the same time, because intelligent networked vehicles bring together camera devices, radar sensors, mobile communication technologies, GPS navigation systems, etc. Equipment, to a considerable extent, has security risks such as remote control, data theft, and information deception, and even endangers personal safety and national security.
In 2021, the "Data Security Protection Law of the People's Republic of China" and "Personal Information Protection Law of the People's Republic of China" were promulgated and implemented successively, forming the pillars of the legal level of data security protection. On October 1, 2021, the "Several Regulations on Automobile Data Security Management (Trial Implementation)" (hereinafter referred to as the "Regulations") was officially implemented, regulating and restricting the processing activities related to automobile data. Relying on this, relevant national standards and industry standards have been incorporated into the standard system, and "GB/T 41871-2022 Safety Requirements for Information Security Technology Vehicle Data Processing" has been released and will be implemented on May 1, 2023. The telecommunications network and the Internet industry are simultaneously developing relevant industry standards for data security in the Internet of Vehicles. The state has clarified compliance requirements for vehicle data. As the Internet of Vehicles data that contains a large amount of vehicle data, it is the top priority of vehicle data security management.
02 Analysis of Vehicle-Road-Cloud Collaborative Architecture
Intelligence and networking are typical features of the new vehicle-road-cloud fusion system. The integration of traditional vehicles and C-V2X technology will connect intelligent networked vehicles to a unified "new six centers", specifically: sensing center, map center, decision-making center, control center, service center and security center. The perception center is responsible for information collection, status monitoring, and collaborative fusion perception of driving vehicles; the map center provides high-precision positioning, route planning, and dynamic traffic information for vehicles; the decision-making center is responsible for collaboration and group decision-making in single-vehicle, multi-vehicle, local or global scenarios and planning; the control center realizes intelligent driving and intelligent transportation services in the vehicle-road-cloud collaboration scenario based on (perception center) perception information, (map center) high-precision positioning and real-time traffic information, (decision center) decision-making and planning strategies, and improves The comprehensive performance of vehicle driving and traffic operation ensures safe driving when the vehicle fails or is in a harsh environment; the on-board visualization platform is connected to the service center to enjoy personalized automatic driving and traffic information services; the safety center is responsible for the management of intelligent networked vehicles. Terminal security, networking security, system security, data and interface security, etc.
03Data security risk analysis
(1) Scope
1) Personal privacy level. Internet-connected vehicle data contains a large amount of private information of passengers, such as vehicle trajectory data, call data, in-vehicle camera image data, etc. The leakage of these data will lead to personal privacy security risks. Since the connected car has a remote control function, once the control data is intercepted and tampered with, it will directly affect the safety of the driver. In 2019, Tencent Keen Lab pointed out in a test report on Tesla's Autopilot system that when interference information is deployed on the road surface, the system may cause vehicles to make wrong judgments on lane lines when passing by, thus causing the vehicle to drive in the opposite direction. driveway, causing uncontrollable accidents.
2) Public governance level. With the gradual integration of ICVs and the Internet of Vehicles, the data interaction of ICVs will be further deepened, and the data governance of ICVs has increasingly become an important part of public governance. For example, if a vehicle sends false information to the Internet of Vehicles system, it will cause large-scale traffic jams and bring great social security risks.
3) National security level. The first is the risk of national geographic information leakage. Intelligent networked vehicles will continue to collect latitude and longitude data during vehicle driving. When these data are collected to a certain level, they will have map surveying and mapping capabilities. Once leaked, it will pose a potential threat to national security. threaten. The second is the risk of image leakage of important parts of the core. Intelligent networked vehicles are equipped with 360-degree cameras, which will make the security and confidentiality work of secret-related places, troops and other units more difficult and difficult to prevent. The third is the operation risk of special vehicles. Vehicles used for military, law enforcement, emergency rescue, confidential, VIP pick-up, etc. may be remotely controlled or monitored.
(2) Technology application
1) Centralization of the Internet of Vehicles data cloud. Centralized data processing activities in the cloud is an important feature of the Internet of Vehicles, and a large amount of data is easily targeted by hackers. In recent years, the social impact caused by attacks or theft of cloud data has been enormous, especially after the data has been stolen and traded on the dark web, burying deeper hidden dangers for the society. This also means that the data security of the Internet of Vehicles needs to be examined from a stricter perspective.
2) The data processing of the Internet of Vehicles is complicated. Internet of Vehicles data processing is a means to maximize the value of data. Different roles need access to data. More and more data processing technologies are applied to data processing activities. The more people who have access to data, the richer the role, and the higher the threat to data security. The new data processing technology further expands the data exposure surface, and the new exposure surface is very likely to become a new data security risk point. In the context of the Internet of Vehicles, data security risks need to be changed from single-point risk and single-line risk control to multi-faceted risk and multi-line top-level risk control.
3) The data security compliance requirements of the Internet of Vehicles are clarified. Whether it is national laws and regulations, rules and regulations, or standard guidelines, the compliance requirements for data security in the Internet of Vehicles are becoming more and more specific, which faces compliance issues for data organizations involved in the Internet of Vehicles. Internet of Vehicles data involves both important data and extensive personal information. Important data and personal information are the focus of automobile data regulation. Once the important data and personal information are violated, the organization processing the data will face the risk of punishment stipulated by laws and administrative regulations, and even bear criminal responsibility.
04Challenges to data security
1) The data mobility of the Internet of Vehicles is strong. The Internet of Vehicles service scenario is complex and has multiple functions, involving "multi-terminal and multi-platform", including vehicle-side sensors, road-side infrastructure, OEM data platforms, public transportation platforms, and national regulatory platforms. The multi-dimensional data interaction between vehicles, vehicles and roads, and vehicles and clouds expands the scope of data interaction. In addition, the mobile nature of vehicles results in highly dynamic data, which requires real-time transmission, processing and high-frequency interaction between the vehicle end, road end, and cloud, and the overall data flow is greatly enhanced. From a horizontal perspective, in the entire Internet of Vehicles industry chain, there is also data flow between upstream and downstream industries, such as automobile production, insurance, maintenance and other industries, there will inevitably be data sharing and exchange. The strong mobility of data is one of the main challenges faced by the data security management of the Internet of Vehicles.
2) The data complexity of the Internet of Vehicles is high. The Internet of Vehicles involves a wide variety of data. On the vehicle side, it includes basic vehicle data such as license plate, model, and size, as well as environmental data, driving data, operation data, and location track data collected and processed during actual driving; on the car enterprise side, Including vehicle research and development and product related data, user data, operation and maintenance data, supply chain and various functional data, etc.; on the public transportation platform side, including real-time traffic conditions, road emergencies, traffic control, road construction, extreme weather and accident releases data etc. Different types of data have different sensitivities, and hierarchical and classified security management measures are required to achieve data security and overall maximum utility. In addition, the data format is complex and diverse, and data from different sources often have different formats. This non-standardization also brings difficulties to the analysis and processing behavior of data security. Therefore, the high complexity of data is one of the main challenges for data security in the Internet of Vehicles.
3) The safe sharing of IoV data encounters many difficulties. The Internet of Vehicles data integrates massive data from users, vehicles, roads, and comprehensive transportation systems. It involves many data types and large scales, and involves many data processing subjects, such as users, intelligent networked vehicles, OEMs, and Internet of Vehicles. Service cloud platform, data supervision department, etc. Facing the security management requirements of the Internet of Vehicles data, the security sharing of Internet of Vehicles data faces the lack of classification of Internet of Vehicles data for diversified subjects, the lack of a trusted execution environment at the vehicle end, the loopholes in the host software and hardware systems on which the data depends, and the lack of data security in the Internet of Vehicles data. During the life cycle, there is a lack of systematic security management technology to ensure data security and other major challenges.
05Data classification and classification and security impact
(1) Data types of intelligent connected vehicles in normative documents
(2) Data types of self-driving cars in the industry
(3) Main data composition and security impact analysis of intelligent network connection
(4) Intelligent Network Data Classification
06 Relevant standards for data security of intelligent network connection
1) GB/T41871-2022 Information Security Technology Automotive Data Processing Safety Requirements
2) GB/T40855-2021 Electric vehicle remote service and management system information security technical requirements and test methods
3) GB/T40856-2021 Information Security Technical Requirements and Test Methods for Vehicle Information Interaction System
4) GB/T40857-2021 Automotive Gateway Information Security Technical Requirements and Test Methods
5) GB/T40861-2021 Technical Requirements for Automotive Information Security Leakage
6) YD/T3746-2020 Personal Information Protection Requirements for Internet of Vehicles Information Service Users
7) VD/T3751-2020 Technical Requirements for Data Security of Internet of Vehicles Information Service
8) GB/T electric vehicle charging system information security technical requirements and test methods
9) GB/T Automotive Diagnostic Interface Information Security Technical Requirements and Test Methods (Under Approval)
10) General Technical Requirements for GB Automotive Software Upgrade (Draft)
11) GB Automotive Information Security Technical Requirements (Draft for Comment)
12) GB/T General Requirements for Intelligent Connected Vehicle Data (under development)
13) GB/T Intelligent Connected Vehicle Automatic Driving Data Recording System (Draft for Comment)
14) GB/T Automotive Information Security Emergency Response Management Guidelines (under development)
15) GB/T technical requirements and test methods for in-vehicle information interaction system based on LTE-V2X direct connection communication (under development)
16) GB/T Automobile Digital Certificate Application Technical Specification (pre-research)
17) Technical requirements for GBT automotive commercial encryption application (pre-research)
18) YD/T Internet of Vehicles Information Service Data Security Protection Capability Assessment Specification (under development)
19) Research on standardization requirements for data compliance of intelligent connected vehicles (requirements research or to be formulated)
20) Intelligent networked vehicle data security sharing reference architecture (needs research or to be formulated)
21) YD/T Internet of Vehicles data cross-border flow security management requirements (demand research or to be formulated)
22) YD/T Internet of Vehicles reform according to the cross-border mobility security assessment specification (needs research or to be formulated)
23) ....
07 Simplified framework for intelligent network data security construction
The core of intelligent network data security construction is to reduce the system attack surface and defend against various known and unknown network attacks. However, at this time, the attack surface is no longer limited to the terminal, but the entire "cloud-edge-end system ". In this case, an effective security defense is usually a systematic defense in depth. Basic defense technologies such as encryption authentication and isolation can build the first line of defense and provide basic defense for the Internet of Vehicles; firewalls, intrusion detection and other defense technologies based on prior features and feature detection can block the traffic of various known attacks Configure corresponding defense rules and strategies based on characteristics such as behavior, content, etc., implement specific precise defense, and build a third line of defense; a defense technology that can quickly, extensively and efficiently respond to unknown threats, and build the second defense of the Internet of Vehicles The first line of defense, and enable it to work closely with the third line of defense and generate a stimulating effect, forming a very good systematic defense effect.
