Modern vehicles are cyber-physical systems equipped with a large number of embedded controllers and other computing devices, which are interconnected by networks internal to the vehicle, and some of these devices also have interfaces to external networks. These embedded controller devices and the firmware running on them are responsible for various functions of the vehicle, some of which are safety critical. This setup makes vehicles subject to cyberattacks, whereby malicious actors may try to interfere with the behavior of the vehicle by accessing its internal components via its aforementioned external interfaces. Hence, it became clear that the world must react to this new source of risk for road safety, and appropriate steps must be taken to protect vehicles against cyberattacks. Consequently, today, more than ten years after the first demonstrations of the feasibility of vehicle hacking, an abundance of research results, as well as key standards and important regulations, are available to govern the development and operation of vehicles that are resistant to cyberattacks. While legislation is somewhat behind, it will surely catch up. In this study, we attempt to give a critical overview of the relevant, very broad body of law, focusing on the liability for the necessary assessment of the security posture of the vehicles. The presented work was carried out within the MASPOV Project (KTI_KVIG_4-1_2021), which has been implemented with support provided by the Government of Hungary in the context of the Innovative Mobility Program of KTI.
In this second part of the work, we give an overview of the relevant Hungarian legislation in line with the international body of rules presented in the first part.
The Ministerial Decree 6/1990. KöHÉM on technical conditions for the placing on the market of road vehicles and keeping vehicles in operation (last amended in August 2021) contains the national process and detailed rules for the type-approval of road vehicles in Hungary. Annex 17 of the Regulation addresses cybersecurity only in two points, focusing on developers of autonomous vehicles, requiring the provision of appropriate built-in security protection for automated vehicle control and other vehicle systems against risks arising from unauthorized access, and the obligation to apply standards and technologies of the highest quality for the development of safety-critical vehicle systems. Annex 1 to the decree contains the list of UNECE Regulations to be applied in the national type-approval procedure, by reference to Regulation No. 661/2009/EC.[1] The standard should be amended and clarified because of the "soft", undefined legal concepts (such as "adequate" or "highest quality") contained in the provisions referred to in the context of cybersecurity. Beyond the clarification, the scope of these provisions, and therefore the whole decree should also be extended, since it is not only autonomous vehicles that have automated vehicle control and other vehicle systems, and it is not only unauthorized access that can be a problem (although unauthorized access indeed covers the largest proportion of attack surfaces, there are also other dangerous behaviours like sabotage). Extending the scope is also justified because, in addition to autonomous (and non-autonomous) vehicles for development, "traditional" mass-produced vehicles, even those already on the road, can be targets of cyber-attacks. 
While it is certainly a positive aspect of the decree that it refers to the relevant EU and UNECE regulations to ensure that the relevant requirements are enforced, it is less positive - although it is an opportunity to enforce cybersecurity requirements - that the decree authorizes the issuing of additional official prescriptions for certain types of vehicles, beyond those contained in the regulation, in the interests of road safety and environmental protection, if the requirements of the regulation do not apply to the vehicle type concerned.[2] However, this kind of legislation and legislative development by law-enforcers is highly questionable, violates the principle of separation of powers and could lead to legal uncertainty, which should be avoided.
The Ministerial Decree KöHÉM 5/1990. on the technical examination of road vehicles, which is related to the Decree 6/1990., lays down the procedures for the technical examination of vehicles before placing them on the market and for the mandatory periodic technical examinations, and also contains certain rules governing the issue of type certificates and the modification of vehicles. A vehicle may be sold for domestic use only on the basis of a type certificate or a registration certificate.[3] The type-approval certificate is issued subject to vehicle safety and environmental inspection, but where type-approval documents issued by an EU Member State authority are available, this is not necessary and the approval is recognized by the National Transportation Authority. As we have seen, cybersecurity conformity assessment is part of the type-approval process. However, it would also be worth considering the addition of a technical evaluation of the cybersecurity posture of the vehicle