Deep comment: Has the information security of the Internet of Vehicles achieved a closed loop?

[Car Home Deep Comment] At the 2020 Beijing Auto Show, car companies used 100 new cars and concept cars to demonstrate a firmer commitment to electrification and their push into intelligent networking. As one of the new trends in automobiles, networking naturally attracts a lot of attention. In contrast, a related topic, information security, which drew great concern and discussion when networking first began, seems to be slowly fading. After all, compared with other technologies, information security is intangible, so words related to information security are rarely found in the promotion of new cars.

If you really want to find relevant content, you have to look to the strategy conferences of some enterprises. For example, at this auto show, Nezha Automobile indicated that it would set up an intelligent safety joint laboratory with its partner * * * to conduct research and development in the fields of battery safety, information security of vehicle networking, autonomous driving and intelligent safety technology.

OTA is very popular, but is automobile information security a closed loop?

If you don't know how to judge the importance of information security in the automobile industry, one obvious but actually imperfect indicator is the popularity of OTA.

Among the new cars released at this year's Beijing Auto Show, OTA also appears frequently as a feature: Geely's production car Xingrui, expected to be officially released in the fourth quarter, Chery New Energy's pure electric SUV Ant, Volvo's XC40 Recharge, and Honda's concept car Honda SUV Concept ... Whether the brand is domestic or overseas, OTA appears on more and more occasions. Not to mention the new car-making forces: Tesla, their representative, pushes OTA very hard, and the newcomers who talk of matching or surpassing Tesla would be embarrassed to show up without OTA.

"Volvo XC40 New Energy"

Customers have needs, and suppliers naturally need to keep up. Huawei held the Smart Car Solution Ecological Forum the day before the Beijing Auto Show, and the Huawei Smart Car Cloud Service 2.0 released at the forum included an OTA function. Parts companies such as Bosch also exhibited OTA-related solutions.

Software and firmware can be updated online, so problems in the existing system can be fixed in time without relying on the recall process. The use of OTA shows that cars can at least deal with possible information security defects to some extent. As early as 2015-2016, when information security incidents occurred frequently, GM demonstrated this: through the OTA function, it fixed the vulnerability in the vehicle remote control App on mobile phones and blocked forged unlocking and remote control requests.

As it becomes more popular, OTA is gradually spreading from serving only the in-vehicle system to covering the whole vehicle. From iterative patch updates to comprehensive firmware upgrades, the content and scope of updates are constantly expanding. The new car-making forces are again representative here. Most of their production cars on the market support both SOTA and FOTA, and most have actually pushed some updates after launch, showing that the OTA function is not just for show.

The importance of OTA to information security can also be seen in some regulations and standards. In June this year, the World Forum for Harmonization of Vehicle Regulations (WP.29 for short) issued two regulations on information security and software upgrade, which clearly mentioned that vehicles must have OTA function to carry out safety-related updates and upgrades. According to the official statement of WP.29, these two regulations will come into effect in January 2021, and Europe, Japan and South Korea have clearly indicated that they will adopt them.

The popularity of OTA does not directly mean that information security is guaranteed. OTA is only an after-the-fact safeguard, a means of repairing information security defects that already exist. Maintenance alone cannot establish a complete information security system, not to mention that OTA data distribution itself carries the potential risk of being attacked. To achieve real information security, it is more critical to take active measures and build an information security system from the beginning of design.

Boiling beneath the surface

Judging the industry's attention to information security by hot events, it began around 2014 and 2015, peaked in 2016, lingered in 2017, and then fell off a cliff. But the fact is that information security has never stopped "torturing" the automobile industry since the world-famous Jeep hack in 2015. Moreover, the scope of this torture is still expanding, basically following the trajectory of car networking, which fully shows how unsafe networked cars are.

In fact, as the Internet of Vehicles spreads, more components are connected to it and more ports are exposed to the outside world, so the attack surface itself grows and the information security risk grows with it. This can also be seen from the information security incidents that have gradually come to light.

The earliest information security incidents were basically related to car Bluetooth keys and OBD devices. Then, with the popularity of smartphones, mobile vehicle remote control apps began to appear, and the scope of security vulnerabilities increased. Later, attention turned to intelligent in-vehicle systems and cloud services with networking functions ... It can be said that as vehicles became networked, the threshold for cyber attacks gradually fell and the methods became simpler and simpler. From the early need for hardware equipment to the later stage where a computer or mobile phone and a network connection are enough, the attack scope has also moved from the front end to the back end. Moreover, with the advancement of electrification and * * * enjoyment, networked charging piles and car-mounted * * * enjoyment apps also open new entry points for attacks on vehicle information security.

It is these events that have taught the automobile industry how to do information security well: from the most basic identity verification to independent information security gateways between systems; from a single safety measure for one component or function to an overall solution that is fully considered at design time and includes security-related testing and verification; from software solutions to hardware solutions, where, although still few, some car companies have begun to use hardware chips with information security functions in their vehicles. Interface security, communication process security, the establishment and division of security boundaries, and security detection, protection and upgrade have all improved in this process.

From the explosion of burning oil to the silence of an underwater volcano, this is just the automobile industry's usual "slow temper". There is often a big gap between the attention a hot event attracts and the final deployment.

Information security is a systematic project.

The limited early understanding of information security hindered its development in the automobile industry. In the early years of the Internet of Vehicles, the automobile industry was still a novice in information security, and many enterprises had no concept of information security at all. Only after three or four years of development did the automobile industry really begin research on information security.

In 2018, the Defective Product Management Center of the State Administration of Market Supervision selected a variety of vehicles for information security testing, and found that 63% of the networked vehicles had certain security risks. In the future, with the popularization of networking, especially once vehicle-road collaboration technology is put on the agenda, the reach of automobile-centered networking will be wider, and information security will become a necessity.

Information security is a systematic project. To achieve it, we must establish a complete security protection system across the whole life cycle, from design, development and manufacturing to after-sales, and form a closed loop of security design, test and verification, supervision and management, and update and maintenance. At present, both internationally and domestically, information security is being deployed and implemented through regulations and standards and through top-level design.

Internationally, as mentioned above, the two regulations that WP.29 will enforce next year can be regarded as an obvious signal. In addition, the International Organization for Standardization (ISO) and the American Society of Automotive Engineers (SAE) are jointly developing a standard for road vehicle information security engineering, ISO/SAE 21434. According to the official introduction, the standard will provide definitions from the perspective of the information security workflow, put forward a reference information security workflow framework, and establish a common standard that makes communication between all parties easier. This standard does not involve specific technologies or solutions related to information security.

Domestic legal systems and standards related to information security are gradually improving. In 2017, the Medium-and Long-Term Planning of Automobile Industry jointly issued by the Ministry of Industry and Information Technology, the National Development and Reform Commission and the Ministry of Science and Technology clearly stated that information security should be regarded as an important goal and task of smart cars. In February this year, the National Development and Reform Commission, together with the Network Information Office and other departments, issued the "Innovative Development Strategy for Smart Cars", which explicitly mentioned the need to build a network security system for smart cars. Among its key contents are formulating network security laws and regulations, building relevant standards for network security levels, and establishing a security management system and responsibility system. Organizations such as American National Automobile Standards Association are studying and formulating various technical standards related to automobile information security.

Summary

Unlike physical safety protection, the value of early investment in automobile information security is difficult to quantify. Security is not improved step by step by adding technologies, as with AEB; it is ensured by establishing a security protection system and continuous supervision that raise the cost of external attacks.

Therefore, information security is an offensive and defensive game. Once the basic information security process and risk management measures are in place, the subsequent threat statistics and risk assessment work are means of continuous defense. Within the industry, there is also a less visible game between different car companies. Just as safety performance is an important evaluation factor when consumers buy a car, information security protection ability is also an evaluation factor when hackers attack. The more obvious the weakness, the less prepared the enterprise is and the greater the risk it takes. (Text/Car Home commentator Kong Zhao)