美國交通部國家公路交通安全管理局近日發(fā)布了《現(xiàn)代車輛安全的網絡安全最佳實踐》，這是其2016年版的更新。該文件描述了NHTSA對汽車行業(yè)的指導，以改善車輛網絡安全以確保安全。

一、背景信息

    NHTSA最近發(fā)布了最新的《車輛網絡安全最佳實踐》2022更新版。而NHTSA最佳實踐的第一版（可訪問www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf獲取）最初于2016年發(fā)布，22年新版本充分考慮了新的行業(yè)標準和研究內容，以及整個汽車行業(yè)網絡安全實踐的標準化，如UNECE WP.29 R155和 ISO 21434，并納入了根據過去6年通過研究行業(yè)從真實的事件中獲得的知識以及專家們提交的關于2016年和2021年草案的意見，新版本最佳實踐可以概述分為兩部分，首先是通用網絡安全最佳實踐，第二部分是網絡安全技術最佳實踐。

    NHTSA現(xiàn)代汽車網絡安全最佳實踐的發(fā)布表明，政府機構理解并關注保護車輛安全的重要性，因為它們變得更容易受到黑客攻擊。雖然這些準則目前不具有強制約束力，但其目的是反映出業(yè)界對減輕網絡安全風險的日益關注和緊迫感。

二、目錄概覽

1.Purpose of This document 本文件編寫目的

2.Scope 范圍

3.Background 背景

4.General Cybersecurity Best Practices 一般網絡安全最佳實踐

4.1 Leadership Priority on Product Cybersecurity 領導層對產品網絡安全的重視

4.2 Vehicle Development Process With Explicit Cybersecurity Considerations 具有明確網絡安全考慮的車輛開發(fā)流程

4.2.1 Process 流程

4.2.2 Risk Assessment 風險評估

4.2.3 Sensor Vulnerability Risks 傳感器的脆弱性風險

4.2.4 Removal or Mitigation of Safety-Critical Risks 消除或減輕安全關鍵性的風險

4.2.5 Protections 保護措施

4.2.6 Inventory and Management of Hardware and Software Assets on Vehicles 車輛上硬件和軟件資產的清點和管理

4.2.7 Cybersecurity Testing and Vulnerability Identification 網絡安全測試和弱點識別

4.2.8 Monitoring, Containment, Remediation 監(jiān)測、遏制、補救

4.2.9 Data, documentation, Information Sharing 數據、文件、信息共享

4.2.10 Continuous Risk Monitoring and Assessment 持續(xù)的風險監(jiān)測和評估

4.2.11 Industry Best Practices 行業(yè)最佳實踐

4.3 Information Sharing 信息共享

4.4 Security Vulnerability Reporting Program 安全漏洞報告計劃

4.5 Organizational Incident Response Process 組織事件響應程序

4.6 Self-Auditing 自我審計

4.6.1 Process Management documentation 流程管理文件

4.6.2 Review and Audit 審查和審計

5. Education 教育

6. Aftermarket/User-Owned Devices 售后市場/用戶擁有的設備

6.1 Vehicle Manufacturers 車輛制造商

6.2 Aftermarket Device Manufacturers 售后市場設備制造商

7. Serviceability 可維修性

8. Technical Vehicle Cybersecurity Best Practices 技術性車輛網絡安全最佳實踐

8.1 Developer/Debugging Access in Production Devices 生產設備中的開發(fā)人員/調試訪問

8.2 Cryptographic Techniques and Credentials 加密技術和憑證

8.3 Vehicle Diagnostic Functionality 車輛診斷功能

8.4 Diagnostic Tools 診斷工具

8.5 Vehicle Internal Communications 車輛內部通信

8.6 Event Logs 事件日志

8.7 Wireless Paths Into Vehicles 進入車輛的無線途徑

8.7.1 Wireless Interfaces  無線接口

8.7.2 Segmentation and Isolation Techniques in Vehicle Architecture Design 車輛結構設計中的分割和隔離技術

8.7.3 Network Ports, Protocols, and Services網絡端口、協(xié)議和服務

8.7.4 Communication to Back-End Servers與后端服務器的通信

8.7.5 Capability to Alter Routing Rules改變路由規(guī)則的能力

8.8 Software Updates/Modifications軟件更新/修改

8.9 Over-the-Air Software Updates OTA軟件更新

Appendix 附錄

Terms and Descriptions 術語和說明

三、最佳實踐內容概覽

45條通用的車輛網絡安全最佳實踐

[G.1] The automotive industry should follow the National Institute of Standards and Technology’s (NIST’s) documented Cybersecurity framework, which is structured around the five principal functions, “Identify, Protect, Detect, Respond, and Recover,” to build a comprehensive and systematic approach to developing layered cybersecurity protections for vehicles.

汽車行業(yè)應該遵循 (NIST）美國國家標準與技術協(xié)會記錄的網絡安全框架。這個框架構建圍繞5個主要功能“識別、保護、監(jiān)測、反饋、恢復”構建，從而建立了一個全面且系統(tǒng)的方法來開發(fā)針對汽車的分層網絡安全保護。

[G.2] Companies developing or integrating vehicle electronic systems or software should prioritize vehicle cybersecurity and demonstrate executive management commitment and accountability by:

開發(fā)或者集成車輛電子系統(tǒng)或者軟件的公司，應該將網絡安全置于首要位置，并且通過以下的方式證明執(zhí)行管理層的承諾和責任。

[a] Allocating dedicated resources within the organization focused on researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities;

在組織內分配指定的資源去關注研究，調查，實施，測試，驗證產品的網絡安全和弱點。

[b] Facilitating seamless and direct communication channels through organizational ranks related to product cybersecurity matters; and

通過與產品網絡安全事項相關的組織排名，促進不間斷且直接的交流渠道，以及。

[c] Enabling an independent voice for vehicle cybersecurity-related considerations within the vehicle safety design process.

在車輛安全設計過程中，應該使得網絡安全相關的考慮成為一個獨立的意見。

[G.3] The automotive industry should follow a robust product development process based on a systems-engineering approach with the goal of designing systems free of unreasonable safety risks, including those from potential cybersecurity threats and vulnerabilities.

汽車行業(yè)應該遵循基于系統(tǒng)工程方法的強有力的產品開發(fā)流程，致力于設計完全合理的無安全風險的系統(tǒng)，包括那些潛在的網絡安全威脅和漏洞。

[G.4] This process should include a cybersecurity risk assessment step that is appropriate and reflects mitigation of risk for the full lifecycle of the vehicle.

開發(fā)流程應該包括合適的網絡安全風險評估的步驟，這個步驟能夠反映出整車生命周期的風險緩解。

[G.5] Safety of vehicle occupants and other road users should be of primary consideration when assessing risks.

當評估風險的時候，也應該首先考慮車輛乘員和其他道路使用的安全。

[G.6] Manufacturers should consider the risks associated with sensor vulnerabilities and potential sensor signal manipulation efforts such as GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, and excitation of machine learning false positives.

OEM應該考慮涉及傳感器弱點和潛在的傳感器信號操縱力的風險，比如GPS欺騙，道路標注的修改，激光雷達/普通雷達的干擾和欺騙，攝像頭致盲以及機器學習誤報的激發(fā)。

[G.7] Any unreasonable risk to safety-critical systems should be removed or mitigated to acceptable levels through design, and any functionality that presents an unavoidable and unnecessary risk should be eliminated where possible.

任何針對安全關鍵系統(tǒng)的不合理風險都應該被移除或者通過設計緩解到可以接受的水平。只要條件允許，應盡可能消除存在不可避免和不必要風險的任何功能。

[G.8] For remaining functionality and underlying risks, layers of protection that are appropriate for the assessed risks should be designed and implemented.

對于剩余功能和潛在風險，應該設計和實施合適的進行過評估風險的保護層。

[G.9] Clear cybersecurity expectations should be specified and communicated to the suppliers that support the intended protections.

應該規(guī)定清晰的網絡安全期望，并且將該期望傳達給提供主動保護支持的供應商。

[G.10] Suppliers and vehicle manufacturers should maintain a database of their operational hardware and software components used in each automotive ECU, each assembled vehicle, and a history log of version updates applied over the vehicle’s lifetime.

供應商和OEM應該維護一個軟件物料清單（SBOM），涵蓋每一個電子控制單元中運行的硬件和軟件的零部件，每一輛整車，以及跨越全生命周期的版本升級的歷史記錄。

[G.11] Manufacturers should track sufficient details related to software components, such that when a newly identified vulnerability is identified related to an open source or off-the-shelf software, manufacturers can quickly identify what ECUs and specific vehicles would be affected by it.

OEM應該追蹤到足夠的與軟件零件相關的細節(jié)，比如當一個新識別出來的缺陷被認為是一個開放資源或者流行軟件，制造商能夠快速地識別出影響到了哪些電子控制單元和車輛。

[G.12] Manufacturers should evaluate all commercial off-the-shelf and open-source software components used in vehicle ECUs against known vulnerabilities.

評估用在汽車電子控制單元中的所有的商業(yè)流行軟件和開源軟件來抵御已知的缺陷。

[G.13] Manufacturers should also pursue product cybersecurity testing, including using penetration tests, as part of the development process.

進行產品網絡安全測試，比如使用滲透測試作為開發(fā)流程的一部分。

[G.14] Test stages should employ qualified testers who have not been part of the development team, and who are highly incentivized to identify vulnerabilities.

測試環(huán)節(jié)應該使用非開發(fā)組成員的有資格的測試人員，并且充分發(fā)揮該測試員能力識別網絡安全弱點。

[G.15] A vulnerability analysis should be generated for each known vulnerability assessed or new vulnerability identified during cybersecurity testing. The disposition of the vulnerability and the rationale for the how the vulnerability is managed should also be documented.

對于每一個評估的已知軟件或者在網絡網絡安全測試中識別出的新的弱點，應該生成一份軟件分析報告，并且應該記錄下弱點的處置以及如何管理弱點的基本方法。

[G.16] In addition to design protections, the automotive industry should establish rapid vehicle cybersecurity incident detection and remediation capabilities.

除了設計保護外，汽車行業(yè)應該具有快速的汽車網絡安全事件監(jiān)測和補救的能力。

[G.17] Such capabilities should be able to mitigate safety risks to vehicle occupants and surrounding road users when a cyberattack is detected and transition the vehicle to a minimal risk condition, as appropriate for the identified risk.

當檢測到網絡攻擊時，此類能力應能夠緩解車輛乘員和周圍道路使用者的安全風險，并將車輛轉換至最低風險狀態(tài)，視識別的風險而定。

[G.18] Manufacturers should collect information on potential attacks, and this information should be analyzed and shared with industry through the Auto-ISAC and other sharing mechanisms.

OEM應該收集潛在攻擊的信息，并且分析這些信息以及通過其他信息交換機構與行業(yè)進行分享。

[G.19] Manufacturers should fully document any actions, design choices, analyses, supporting evidence, and changes related to its management of vehicle cybersecurity.

OEM應該完全記錄所有的關于汽車網絡安全管理的行為，如設計選擇，分析，支持證據及變更。

[G.20] All related work products should be traceable within a robust document version control system.

所有相關的工作產出應在一個穩(wěn)健的文件版本控制系統(tǒng)中確?？勺匪?。

[G.21] Companies should use a systematic and ongoing process to periodically reevaluate risks and make appropriate updates to processes and designs due to changes in the vehicle cybersecurity landscape, as appropriate.

在合適的情況下，公司應該使用成體系的，持續(xù)的流程來周期性重新評估風險，并依據汽車網絡安全環(huán)境的變化對于流程和設計作出適當的更新。

[G.22] Best practices for secure software development should be followed, for example as outlined in NIST publications and ISO/SAE 21434.

應該遵循安全軟件開發(fā)的最佳實踐，比如，NIST美國國家標準與技術協(xié)會的公開發(fā)布物和ISO 21434描述的內容。

[G.23] Manufacturers should actively participate in automotive industry-specific best practices and standards development activities through recognized standards development organizations and Auto-ISAC.

制造商應該通過權威的標準制定機構及汽車安全信息共享和分析中心主動地參加汽車行業(yè)指定的最佳實踐和標準開發(fā)的活動。

[G.24] As future risks emerge; industry should collaborate to expediently develop mitigation measures and best practices to address new risks.

隨著未來風險的出現(xiàn)，行業(yè)內部應通力合作，以便于開發(fā)出緩解的措施和最佳實踐以應對新的風險。

[G.25] Members of the extended automotive industry (including, but not limited to, vehicle manufacturers, automotive equipment suppliers, software developers, communication services providers, aftermarket system suppliers, and fleet managers) are strongly encouraged to:

大力鼓勵擴展汽車行業(yè)的成員（包括但不限于車輛制造商、汽車設備供應商、軟件開發(fā)商、通信服務提供商、售后市場系統(tǒng)供應商和車隊管理者）：

[a] Join Auto-ISAC;

加入汽車信息共享和分析中心；

[b] Share timely information concerning cybersecurity issues, including vulnerabilities, and intelligence information with Auto-ISAC.

及時地與美國汽車信息分享和分析中心分享包括漏洞在內的有關網絡安全問題信息和情報信息。

[G.26] Members of Auto-ISAC are strongly encouraged to collaborate in expeditiously exploring containment options and countermeasures to reported vulnerabilities, regardless of an impact on their own systems.

不論對這些成員自己的系統(tǒng)有什么影響，鼓勵汽車信息共享和分析中心的成員合作以便快速地探索出應對報告漏洞抑制選項和應對措施。

[G.27] Automotive industry members should create their own vulnerability reporting policies and mechanisms.

汽車行業(yè)成員應該建立自己的漏洞報告策略和機制。

[G.28] Members of the automotive industry should develop a product cybersecurity incident response process. This process should include:

汽車行業(yè)的所有成員應該擁有一個產品網絡安全事件響應流程。這個流程包括：

[a] A documented incident response plan;

有文檔記錄的事件響應計劃；

[b] Clearly identified roles and responsibilities within the organization;

組織內有清晰識別的角色和職責；

[c] Clearly identified communication channels and contacts outside the organization; and

組織外有清晰識別的交流渠道和聯(lián)系方式；以及

[d] Procedures for keeping this information, [G.28[a]-[c]], up to date.

保持[G.28[a]-[c]]持續(xù)更新狀態(tài)的流程。

[G.29] Organizations should develop metrics to periodically assess the effectiveness of their response process.

組織應該開發(fā)出能夠定期評估它們響應流程有效性的矩陣。

[G.30] Organizations should document the details of each identified and reported vulnerability, exploit, or incident applicable to their products.

組織應記錄適用于其產品的每個已識別和報告的漏洞、利用或事件的詳細信息。

[G.31] The nature of the vulnerability and the rationale for how the vulnerability is managed should be documented.

應該記錄漏洞的屬性和如何管理漏洞的基本原理。

[G.32] Commensurate to assessed risks, organizations should have a plan for addressing newly identified vulnerabilities on consumer-owned vehicles in the field, inventories of vehicles built but not yet distributed to dealers, vehicles delivered to dealerships but not yet sold to consumers, as well as future products and vehicles.

與評估的風險相適應，組織應制定計劃，以解決現(xiàn)場消費者擁有的車輛、已制造但尚未分銷給經銷商的車輛庫存、已交付給經銷商但尚未銷售給消費者的車輛以及未來產品和車輛的新發(fā)現(xiàn)的漏洞。

[G.33] Any incidents should also be reported to CISA/United States Computer Emergency Readiness Team (US-CERT) in accordance with the US-CERT Federal Incident Notification Guidelines.

任何事故也應根據CERT聯(lián)邦事故通知指南報告給CISA/計算機應急準備小組（CERT）。

[G.34] Industry members should periodically conduct and participate in organized, cyber incident response exercises.

行業(yè)成員應該定期進行和參與有組織的網絡安全事件演練。

[G.35] The automotive industry should document the details related to their vehicle cybersecurity risk management process to facilitate auditing and accountability.

汽車行業(yè)應該記錄于汽車網絡安全風險管理過程相關的細節(jié)，以便應對審核和問責。

[G.36] Further, such documents should be retained through the expected lifespan of the associated product.

此外，這類文件應該在相關產品的預期生命周期中妥善保存。

[G.37] documents should follow a robust version control protocol, and should be revised regularly as new information, data, and research results become available.

文檔應該遵循一個強有力的版本控制計劃，也應該隨著新的信息，數據，研究成果落地進行定期升級。

[G.38] The automotive industry should establish procedures for internal review of its management and documentation of cybersecurity-related activities.

汽車行業(yè)應該建立網絡安全相關活動的管理和文檔內部評估的流程。

[G.39] The automotive industry should consider carrying out organizational and product cybersecurity audits annually.

汽車行業(yè)應考慮每年進行組織和產品網絡安全審計。

[G.40] Vehicle manufacturers, suppliers, universities, and other stakeholders should work together to help support educational efforts targeted at workforce development in the field of automotive cybersecurity.

OEM，供應商，大學，和其他利益相關者應該一起合作來幫助支持針對在汽車網絡安全領域中從業(yè)者的教育工作。

[G.41] The automotive industry should consider the risks that could be presented by user-owned or aftermarket devices when connected with vehicle systems and provide reasonable protections.

汽車行業(yè)應該考慮到用戶手里或者售后設備在連接車輛系統(tǒng)的風險并提供合理的保護。

[G.42] Any connection to a third-party device should be authenticated and provided with appropriate limited access.

應該經過授權才能連接所有的第三方設備，并提供合適的有限的訪問權限。

[G.43] Aftermarket device manufacturers should employ strong cybersecurity protections on their products.

售后設備制造商應該在它們的產品使用強有力的網絡安全保護措施。

[G.44] The automotive industry should consider the serviceability of vehicle components and systems by individuals and third parties.

業(yè)內應考慮車輛部件和系統(tǒng)的可維修性，以便于個人和第三方使用。

[G.45] The automotive industry should provide strong vehicle cybersecurity protections that do not unduly restrict access by alternative third-party repair services authorized by the vehicle owner.

業(yè)內應該提供強有力的汽車網絡安全保護，不過度限制汽車所有者授權的替代第三方維修服務的訪問權限。

25個車輛網絡安全技術最佳實踐

[T.1] Developer-level access should be limited or eliminated if there is no foreseeable operational reason for the continued access to an ECU for deployed units.

如果沒有因為對正在使用單元的電子控制單元的持續(xù)訪問權限的預期操作，那么應該限制或者消除開發(fā)者級別的訪問權限

[T.2] If continued developer-level access is necessary, any developer-level debugging interfaces should be appropriately protected to limit access to authorized privileged users.

如果持續(xù)的開發(fā)者級別的訪問權限是必要的，應該通過限制對授權優(yōu)先使用者訪問權限的限制，來正確地保護開發(fā)者級別的調試接口。

[T.3] Cryptographic techniques should be current and non-obsolescent for the intended application.

對于預期應用，應該使用最新且不過時的加密技術。

[T.4] Cryptographic credentials that provide an authorized, elevated level of access to vehicle computing platforms should be protected from unauthorized disclosure or modification.

應保護提供對車輛計算平臺的授權的、提高的訪問級別的加密憑證，以防止未經授權的披露或修改。

[T.5] Any credential obtained from a single vehicle’s computing platform should not provide access to other vehicles.

從某一汽車計算平臺獲得的任何憑證應該不能訪問其他車輛。

[T.6] Diagnostic features should be limited, as much as possible, to a specific mode of vehicle operation which accomplishes the intended purpose of the associated feature.

盡可能將診斷功能限制在滿足相關功能的預期目的汽車運行指定模式。

[T.7] Diagnostic operations should be designed to eliminate or minimize potentially dangerous ramifications if they were misused or abused outside of their intended purposes.

如果診斷功能在預期目的之外被錯誤使用或者隨意亂用，那么應該將診斷操作設計為可以消除或者最小化危險的且復雜很難預料的結果。

[T.8] The use of global symmetric keys and ad-hoc cryptographic techniques for diagnostic access should be minimized.

應該將針對診斷功能的全球對稱密匙和點對點加密技術的使用降到最小范圍。

[T.9] Vehicle and diagnostic tool manufacturers should control tools’ access to vehicle systems that can perform diagnostic operations and reprogramming by providing for appropriate authentication and access control.

整車和診斷工具制造商應該控制進入汽車系統(tǒng)工具的訪問權限，通過合理的授權和訪問權限的控制來進行診斷操作和重新編程。

[T.10] When possible, critical safety signals should be transported in a manner inaccessible through external vehicle interfaces.

如果可能的話，關鍵的安全信號應該通過外部汽車接口無法訪問的方式進行傳輸。

[T.11] Employ best practices for communication of critical information over shared and possibly insecure channels. Limit the possibility of replay, integrity compromise, and spoofing. Physical and logical access should also be highly restricted.

采用最佳實踐，通過共享和可能不安全的渠道交流關鍵信息。限制重放、完整性損害和欺騙的可能性。物理和邏輯訪問也應受到嚴格限制。

[T.12] A log of events sufficient to reveal the nature of a cybersecurity attack or successful breach and support event reconstruction should be created and maintained.

應該創(chuàng)建和維護能夠充分揭露網路安全攻擊或者成功入侵特性的事件日志，并能夠支持事件重建。

[T.13] Such logs that can be aggregated across vehicles should be periodically reviewed to assess potential trends of cyberattacks.

應該定期總結評價涉及到整個車輛的總體日志，來評價網絡攻擊的潛在趨勢。

[T.14] Manufacturers should treat all networks and systems external to a vehicle’s wireless interfaces as untrusted and use appropriate techniques to mitigate potential threats.

OEM應該將所有連接車輛無線接口的外部所有網絡和系統(tǒng)視為不可信的，并且應該使用合適的技術來緩解潛在的威脅。

[T.15] Network segmentation and isolation techniques should be used to limit connections between wireless-connected ECUs and low-level vehicle control systems, particularly those controlling safety critical functions, such as braking, steering, propulsion, and power management.

應使用網絡分段和隔離技術來限制無線連接ECU和低級別車輛控制系統(tǒng)之間的連接，特別是控制安全關鍵功能的系統(tǒng)，如制動、轉向、驅動和電源管理。

[T.16] Gateways with strong boundary controls, such as strict whitelist-based filtering of message flows between different network segments, should be used to secure interfaces between networks.

應該使用帶有強力邊界控制的網關來確保網絡之間的接口安全，比如基于嚴格白名單制度的不同網絡分割體的信息流的過濾機制。

[T.17] Eliminating unnecessary internet protocol services from production vehicles;

關閉量產車不必要的網絡協(xié)議服務。

[T.18] Limiting the use of network services on vehicle ECUs to essential functionality only; and

限制只針對關鍵功能塊的汽車電子控制單元的網絡服務的使用。

[T.19] Appropriately protecting services over such ports to limit use to authorized parties.

正確地報告這些接口之間的服務，來限制授權團體的使用。

[T.20] Manufacturers should use appropriate encryption and authentication methods in any operational communication between external servers and the vehicle.

針對車輛與外部服務商之間的任何運行通訊，OEM應該使用合適的加密技術和授權方法。

[T.21] Manufacturers should plan for and create processes that could allow for quickly propagating and applying changes in network routing rules to a single vehicle, subsets of vehicles, or all vehicles connected to the network.

OEM應該計劃并創(chuàng)建一個可以快速傳播和應用網絡路由規(guī)則的變更，網絡路由規(guī)則是針對單車，車輛的子系統(tǒng)，或者所有連接到網絡里的車輛。

[T.22] Automotive manufacturers should employ state-of-the-art techniques for limiting the ability to modify firmware to authorized and appropriately authenticated parties.

OEM應該應用最先進的針對授權和合適的授權機構，限制其更改硬件系統(tǒng)能力的技術。

[T.23] Manufacturers should employ measures to limit firmware version rollback attacks.

OEM應該采取措施來限制固件版本回滾攻擊。

[T.24] Maintain the integrity of OTA updates, update servers, the transmission mechanism, and the updating process in general.

總體上維護遠程升級，升級服務器，傳遞機構和升級過程的完整性。

[T.25] Take into account, when designing security measures, the risks associated with compromised servers, insider threats, men-in-the-middle attacks, and protocol vulnerabilities.

在設計安全措施時，應考慮到與受損服務器、內部威脅、中間人攻擊和協(xié)議漏洞相關的風險。