Road vehicles Cybersecurity system evaluation method

With the continuous improvement of automobile intelligence and networking, automobile cybersecurity has gradually become a focus of attention for enterprises and research institutions. Both domestically and internationally, many organizations and institutions are paying close attention to the cybersecurity of the Internet of Vehicles. ISO 21434, the road vehicle network security project, is an international automotive network security standard that covers the entire life cycle of automotive products (from design to retirement) and is currently in development. From the perspective of the ISO 21434 cybersecurity system requirements, this paper proposes a cybersecurity system evaluation method for automobile companies, in order to evaluate whether, or to what extent, each automobile company meets the cybersecurity requirements of the ISO 21434 standard.


Introduction
With the interconnection and intelligence of cars, cars are no longer isolated but are increasingly integrated into the Internet. At the same time, cars have gradually become potential network attack targets [1][2], and the network security of cars has become the basis of vehicle security, attracting more and more attention [3][4][5][6]. The automobile industry has explored extensively how to achieve automobile network security and has achieved many results. In order to reduce cost and improve quality, it is imperative to standardize the existing results.
In the process of formulating standards [7][8][9], China has referred to the standardization work of countries with mature automobile industries, such as the United States and Japan, as well as the progress of more authoritative organizations and societies such as ISO/TC22 and SAE. From an international perspective, SAE J3061 is the first to be mentioned in terms of norms and standards for the entire life cycle of enterprises, organizations and products. SAE J3061 provides a process framework and guidance for vehicle network security that takes into account the entire life cycle of the vehicle, from concept to production, operation, maintenance and scrap. SAE J3061 is designed to help businesses identify and assess cybersecurity threats, and to bring cybersecurity into the entire vehicle development process. The main contents of SAE J3061 are:
• Defines the complete lifecycle process framework. Enterprises can tailor and use this framework to bring network security into the vehicle development process, covering concept to production, operation, maintenance and scrap
• Provides guidelines
• Provides vehicle network security related tools and methodologies
Based on SAE J3061, ISO 21434 is a standard for the entire life cycle of a vehicle. The standard is being developed and is scheduled for release in 2020. ISO 21434 mainly guarantees the development of automotive cybersecurity engineering from four aspects: risk assessment management, product

Introduction of ISO 21434
ISO 21434 [11] specifies requirements for the concept, development, production, operation, maintenance, and disposal of engineering-related cybersecurity risk management for road vehicle electrical and electronic systems and their components and interfaces.
The standard defines a framework that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risks. This standard applies to electrical and electronic systems for mass production road vehicles, including components and interfaces developed or modified after the date of publication of this standard.
The main elements of ISO 21434 include:
➢ Terms and definitions relating to cybersecurity
➢ Enterprise level cybersecurity management
➢ Project level cybersecurity management
➢ Continuous improvement of cybersecurity management
➢ Risk assessment of cybersecurity management
➢ Cybersecurity related product concept development
➢ Cybersecurity related product system development
➢ Cybersecurity management operation and maintenance requirements
➢ Cybersecurity management after the design stage (production, operation and maintenance, decommissioning, scrapping, etc.)
It is through these dimensions that the standard ensures the development of the automotive cybersecurity engineering design and process system. However, the standard does not say how to evaluate the cybersecurity best practices that automobile companies carry out according to the standard. In this paper, from the perspective of the best practice requirements mentioned in the standard, test and evaluation methods are proposed to determine whether, or to what extent, automobile companies have implemented the best practices of automobile cybersecurity in accordance with the standard.

System evaluation method
ISO 21434 puts forward corresponding requirements for cybersecurity management content in each chapter. The requirements are numbered in the form RQ-xx-yy, where xx represents the chapter and yy represents the entry within that chapter. For each requirement item, this paper proposes a cybersecurity evaluation method. Generally, there are 5 evaluation items per requirement, and each item is worth one point. There are 36 requirement items in total and 180 points in total. An automobile company with a final score of 126 points or more (126 included) can be evaluated as meeting the cybersecurity requirements of the ISO 21434 standard.

Table 1. The corresponding relationship between the evaluation method and ID requirements
ID requirements / Evaluation method

RQ-05-01
The organization shall define a cybersecurity policy
1. The organization has a clear policy on network security, which is formally publicized and implemented by all staff;
2. Confirmation of road vehicle network security risks;
3. The commitment of the top management to manage the corresponding risks;
4. The policy should include the attitude the organization will take after a cybersecurity incident;
5. Changes to the policy should record the time, version and other information.

The organization shall establish and maintain rules and procedures at the organizational level to support the implementation of the requirements of this international standard and the implementation of the corresponding activities
1. The specific steps of the rules and procedures of the organization are recorded in the electronic system;
2. There are clear measures to deal with those who do not follow the rules and procedures of the organization;
3. Rules and procedures shall be reviewed and revised as the company develops;
4. There should be clear guidance documents for the complex technical procedures involved in the rules and procedures;
5. The organization's rules and procedures require the approval of the relevant leaders before they can take effect.
RQ-05-03
The organization shall assign and communicate responsibilities for achieving and maintaining network security, and grant the appropriate permissions
1. Organize a special cybersecurity department to take charge of cybersecurity matters;
2. The cybersecurity department is independent of any other department of the organization;
3. The cybersecurity department has the authority to obtain the information resources it needs;
4. The organization shall publicize the status of its cybersecurity department internally;
5. The organization shall ensure the execution of the cybersecurity team in its work.

RQ-05-04
The organization should provide the resources needed to address cybersecurity issues
1. The organization shall purchase system equipment required for network security;
2. The organization shall provide the necessary funds for network security;
3. The cybersecurity department shall have a special cybersecurity incident management team;
4. The organization should make good public relations for the cybersecurity team;
5. Organizations should have a cybersecurity red team.

RQ-05-05
The organization shall identify areas of expertise related to or interacting with cybersecurity and establish and maintain channels of communication between these areas of expertise in order to a) determine whether to integrate network security into existing processes and how to do so; b) coordinate the exchange of relevant information.
1. The organization shall identify areas of expertise related to cybersecurity, including information technology security, functional security, data protection and privacy protection;
2. Regularly communicate with the cybersecurity department in relevant professional fields (information technology security, functional security, data protection and privacy protection);
3. The cybersecurity department tries to integrate cybersecurity into the existing professional processes;
4. Relevant information includes threat scenarios and hazard information, network security objectives and functional security objectives, or where there may be conflicts between network security requirements and functional security requirements;
5. Coordination includes the identification of shared cybersecurity services and reuse of cybersecurity policies and tools across professional domains.

RQ-05-06
The organization should define risk values (1 to 5) in a risk matrix
1. The organization shall conduct its own qualitative risk assessment;
2. The organization shall identify its significant assets;
3. Organizations can define appropriate risk matrices according to their specific needs and purposes;
4. Determine the priority of risk disposal;
5. Determine how to handle the risk.

RQ-05-07
The organization shall establish and maintain a network security culture
1. People in charge of cybersecurity projects set an example that others can trust and follow.
2. Procedures are in place to ensure that network security decisions are traceable.
3. Give top priority to network security and functional security when making design and development decisions.
4. The reward system supports and encourages effective results in cybersecurity, while punishing those who harm cybersecurity in order to take shortcuts.
5. Positive attitude towards network security, such as:
- can discover and solve network security problems in the early stage of the product life cycle (network security is designed);
- the organization is ready to respond quickly to vulnerabilities and cybersecurity incidents that occur during user use.

RQ-05-08
The organization shall ensure that the personnel involved in network security within the organization have the corresponding capabilities and awareness to perform their duties
1. Personnel involved in network security are familiar with the organization's network security rules and procedures, including network security risk management;
2. The personnel involved in network security are familiar with the rules and procedures of the organization in the professional fields related to network security, such as functional security and privacy protection;
3. Personnel involved in network security are familiar with methods, tools and guidelines related to network security;
4. Personnel involved in network security are familiar with known attack means and network security controls;
5. Network security personnel are familiar with the general handling of emergency security incidents.

RQ-05-09
The organization shall establish and maintain a continuous improvement process
1. Learn from historical network security business experience, including experience gained from on-site monitoring and internal and external information observation;
2. Learn from the information of similar products in the industry;
3. Get the improvement items that need to be implemented in the network security activities of the follow-up projects;
4. Communicate lessons learned to appropriate personnel;
5. Make the handling of its cybersecurity-related issues more and more efficient.

1. The cybersecurity audit may be included in or integrated with other audits that meet the quality management system standards
2. The person performing the audit may be from within or outside the organization
3. To ensure that the organization's processes are always applicable to network security, audits can be performed periodically
4. Auditors or departments should be independent of the rest of the organization
5. Auditors have access to the resources they need.

RQ-05-12
The organization should define the environmental conditions, taking into account the internal and external aspects of the organization, what sharing is necessary and allowed, and what is prohibited
1. List of shared network security information types;
2. Approval process for sharing;
3. Information editing and desensitization requirements;
4. Rules for the traceability of shared information;
5. Types of counseling and communication allowed.

RQ-05-13
The organization shall establish and maintain a quality management system in accordance with international standards or equivalent standards to support network security projects
1. Change management;
2. Document management;
3. Configuration management;
4. Demand management;
5. Incident management.

RQ-05-14
The network security configuration information of the mass production product shall remain available until the product is terminated for maintenance
1. Bill of materials
2. Binary code
3. A network security management system for the manufacturing process shall be developed
4. Change management
5. Configuration management

RQ-05-15
Tools that can affect related items, systems, and components should be managed
1. Use the tool correctly according to the user's manual with erratum;
2. Protect against unexpected use and operation;
3. Access control for tool users;
4. Verify the tool;
5. Apply the principle of least privilege.
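The scoring rule from the System evaluation method section (36 requirements, five one-point checks each, 180 points, pass at 126 inclusive) can be applied mechanically to an assessor's worksheet. The following Python is an added example, not code from the paper; the worksheet layout, the function name `score_assessment` and the rejection of malformed, duplicate or over-long rows are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Figures stated in the paper's scoring rule.
CHECKS_PER_REQUIREMENT = 5
TOTAL_REQUIREMENTS = 36
MAX_SCORE = CHECKS_PER_REQUIREMENT * TOTAL_REQUIREMENTS  # 180
PASS_THRESHOLD = 126  # inclusive

REQ_ID = re.compile(r"RQ-(\d{2})-(\d{2})")  # RQ-<chapter>-<entry>


def score_assessment(records):
    """Score (requirement_id, [check results]) rows from an assessor's worksheet.

    Assumed layout, not defined by the paper. Only a check recorded as exactly
    True earns its point; malformed IDs, duplicate rows and rows with more than
    five checks are rejected and reported so they cannot inflate the total.
    """
    scored, errors = {}, []
    for raw_id, checks in records:
        req_id = raw_id.strip().upper()  # the paper writes rq-xx-yy and RQ-05-01
        if not REQ_ID.fullmatch(req_id):
            errors.append(f"{raw_id!r}: not of the form RQ-xx-yy")
        elif req_id in scored:
            errors.append(f"{req_id}: duplicate row ignored")
        elif len(checks) > CHECKS_PER_REQUIREMENT:
            errors.append(f"{req_id}: more than {CHECKS_PER_REQUIREMENT} checks")
        else:
            scored[req_id] = sum(1 for c in checks if c is True)

    per_chapter = defaultdict(int)
    for req_id, points in scored.items():
        per_chapter[req_id[3:5]] += points  # chapter digits of RQ-xx-yy
    total = sum(scored.values())
    return {
        "total": total,
        "max": MAX_SCORE,
        "passed": total >= PASS_THRESHOLD and len(scored) <= TOTAL_REQUIREMENTS,
        "unassessed": max(0, TOTAL_REQUIREMENTS - len(scored)),
        "per_chapter": dict(per_chapter),
        "errors": errors,
    }


if __name__ == "__main__":
    # Constructed worksheet: two requirement IDs from Table 1, results invented.
    demo = [("RQ-05-01", [True, True, True, False, True]),
            ("rq-05-03", [True, True, False, False, False]),
            ("RQ-05-01", [True] * 5)]  # duplicate row, rejected
    print(score_assessment(demo))
```

Requirements that were never assessed contribute zero points and are counted under `unassessed`, so a partial worksheet cannot reach the threshold by omission.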