Modern vehicles are cyber-physical systems equipped with a large number of embedded controllers and other computing devices, which are interconnected with networks internal to the vehicle, and some of these devices also have interfaces to external networks. These embedded controller devices and the firmware running on them are responsible for various functions of the vehicle, some of which are safety critical. This setup makes vehicles subject to cyberattacks, whereby malicious actors may try to interfere with the behavior of the vehicle by accessing its internal components via its aforementioned external interfaces. Hence, it became clear that the world must react to this new source of risk for road safety, and appropriate steps must be taken to protect vehicles against cyberattacks. Consequently, today, more than ten years after the first demonstrations of the feasibility of vehicle hacking, an abundance of research results, as well as key standards and important regulations are available to govern the development and operation of vehicles that are resistant to cyberattacks. While legislation is somewhat behind, it will surely catch up. In this study, we attempt to give a critical overview on the relevant - very broad - body of law, focusing on the liability for the necessary assessment of the security posture of the vehicles. The presented work was carried out within the MASPOV Project (KTI_KVIG_4-1_2021), which has been implemented with support provided by the Government of Hungary in the context of the Innovative Mobility Program of KTI.
A mai modern járművek kiber-fizikai rendszerek, amelyek nagyszámú, a járművön belüli hálózatokkal összekapcsolt és adott esetben külső hálózatokhoz interfésszel rendelkező beágyazott vezérlővel és egyéb számítógépes rendszerrel vannak felszerelve. Ezek a beágyazott vezérlőeszközök és a rajtuk futó förmverek a jármű különböző - egyes esetekben biztonsági szempontból kritikus - funkcióinak ellátásáért felelnek. Ez az alaphelyzet a járművek kibertámadásoknak való kitettségét eredményezi, amelyek során a támadók megpróbálhatnak beavatkozni a jármű viselkedésébe azáltal, hogy a belső rendszerekhez a fent említett külső interfészeken keresztül férnek hozzá. Az egyértelmű, hogy a világnak reagálnia kell a közúti közlekedés biztonságát fenyegető új kockázatforrás megjelenésére és meg kell tenni a megfelelő lépéseket a járművek kibertámadások elleni védelme érdekében. Következésképpen ma, több mint tíz évvel azután, hogy először demonstrálták a járműinformatikai rendszerek feltörhetőségét, számos kutatási eredmény, valamint kulcsfontosságú szabvány és előírás áll rendelkezésre a kibertámadásokkal szemben ellenálló járművek fejlesztésének és üzemeltetésének szabályozására. Bár a jogalkotás némi lemaradásban van, biztosan fel fog zárkózni. Ebben a tanulmányban - a járművek biztonság-értékeléséért fennálló felelősségre összpontosítva - megkísérlünk kritikai áttekintést adni a vonatkozó igen széles joganyagról. Jelen tanulmány a MASPOV projekt (KTI_KVIG_4-1_2021) keretében készült, amely Magyarország Kormányának támogatásával, a KTI Innovatív Mobilitási Programjának keretében valósult meg.
The present first part of the work focuses on the relevant international body of law, providing an overview of the UN and EU governing legislation.
The UNECE, the largest actor in the field of automotive safety and security establishes regulations, technical regulations and rules that contain provisions for vehicles, their systems, parts and equipment. These include requirements, specifications, and procedures to follow, to ensure the conformity of production and the mutual recognition of the type-approvals by the contracting parties.[1] The main goal of the regulatory frameworks developed by the UNECE is to help the proliferation of innovative technologies while improving safety, decreasing environmental pollution and energy consumption. These regulations also help to improve the cross-border trade of vehicles, by giving the frame for the reciprocal acceptance of approvals of vehicle systems, parts and equipment (although unfortunately, these frameworks do not allow for the recognition of complete vehicle approvals).[2] Application of the regulations are not directly binding (it is not obligatory for the contracting parties to sign any of the regulations), but if an UNECE member decides to apply a regulation, the adoption becomes mandatory.[3]
The two most relevant regulations regarding our topic, the UN Regulation No. 155 (Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system) and the UN Regulation No. 156 (Uniform provisions concerning the approval of vehicles with regards to software update and software updates management system). In a nutshell: UN Regulation No. 155. focuses on cyber security (the condition in which road vehicles and their functions are protected from cyber threats to electrical or electronic components)[4], and gives a baseline for setting up a Cyber Security Management System (a systematic risk-based approach defining organizational processes, responsibilities and governance to treat risk associated with cyber threats to vehicles and protect them from cyber-attacks)[5]. The outlined CSMS is based on a holistic approach in the sense that the regulation tries to minimalize risks from all possible attack surfaces by defining the framework for prevention, detection, and response (correction) at the level of the organization (including the infrastructure and the supply chain as well) and the individual vehicle systems.
We focus our research on one of the most fundamental group of security measures that ensures the security compliance of individual (road) vehicles[6] (a common control measure for "traditional" information systems), vulnerability assessment and penetration testing.[7] Penetration testing and vulnerability assessment in the case of traditional, office IT environments, mobile applications and also cyber-physical or hybrid environments, is a vital element of prevention. Even the most sophisticated IT or OT (ICS/SCADA) system, IT, OT or vehicular network, applications with carefully selected and implemented measures and controls can have security gaps, undetected vulnerabilities or unmanaged risks. Moreover, even these systems, networks and/or applications are susceptible to carelessness and lack of updates, resulting in weakened security during their operational life. Therefore, it is recommended to carry out regular and independent cybersecurity checks to assure the adequacy of controls and the protection provided by security measures.[8] In the case of a vehicle, the scope of this cybersecurity assessment can be the embedded, in-car (CAN, Ethernet, LIN, etc.) networks, systems; the ECU-s, microcontrollers; the telemetry applications; and
A Jogkódex-előfizetéséhez tartozó felhasználónévvel és jelszóval is be tud jelentkezni.
Az ORAC Kiadó előfizetéses folyóiratainak „valós idejű” (a nyomtatott lapszámok megjelenésével egyidejű) eléréséhez kérjen ajánlatot a Szakcikk Adatbázis Plusz-ra!
Visszaugrás
