
automobile enterprises

Release time: 2024-02-29  Author: site editor

With the rapid advance of the "new four modernizations" in the automotive industry, information systems and information assets have become an important strategic resource for modern automobile companies and an important means of competing in the market. The importance of information security has risen to a new strategic height, and an information security management system is an important foundation for the rapid development of the automotive industry. The automobile industry has a long chain, involves many links, and faces strongly differentiated consumer demand; it is an important starting point for the new round of industrial revolution and an important force in realizing "demand-side reform". At the same time, the data security problems that are gradually being exposed harm not only consumers but also car companies and the industry as a whole, and may even seriously restrict the evolution of traditional cars into smart cars.

In the past two or three years, China has paid more and more attention to information security, from the introduction of the Cybersecurity Law and the Personal Information Protection Law to the proposal of the General Data Protection Regulation and the "Industrial Control System Information Security Action Plan"; the relevant standards have been upgraded and supplemented accordingly. GB/T 22080-2016/ISO/IEC 27001:2013 "Information technology - Security techniques - Information security management systems - Requirements" sets out requirements for establishing, implementing, maintaining and continually improving an information security management system. Its structural framework is consistent with ISO 9001:2015 "Quality management systems - Requirements" and gives specific requirements in the areas of organizational context, leadership, planning, support, operation, performance evaluation and improvement. The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process.

1. Understanding the organizational context of the information security management system

The organization shall identify the parties relevant to the information security management system, identify the information security requirements of these parties, and determine the scope of the information security management system. Automotive companies should study and follow the state of international information security standards and regulations, such as the EU General Data Protection Regulation, which is known for its penalties, and the publications of the National Institute of Standards and Technology (NIST). For Chinese car companies that are actively expanding overseas, these are external issues that affect their ability to achieve the intended outcomes of the information security management system; only by complying with the relevant regulations and standards can they help Chinese cars go global.

2. Implementing leadership of the information security management system

"Attending to both management and technology" is the main principle for strengthening information security in China. The top management of the automobile enterprise should establish and document an information security management system policy applicable to the enterprise, and the policy should be understood throughout the organization. Top management should assign responsibilities and authorities, authorize representatives to report the performance of the information security management system to top management, and then implement the information security system in an all-round way. All departments are required to cooperate closely and actively carry out awareness and implementation training through system specifications, so that daily execution management is strengthened and becomes an effective way to confirm the enterprise's level of information security capability.

3. Planning the information security management system

(I) Establishing relevant criteria

The organization shall define and apply an information security risk assessment process, and establish and maintain information security risk criteria, including risk acceptance criteria and criteria for performing information security risk assessments.

(II) Identifying sources of risk

1. Main sources of business risk

The main sources of business risk for automobile enterprises are as follows:

- The company's classified data is leaked. This may be due to employee violations or improper operation, or to external intrusion; whether cooperating third parties have fulfilled their obligations to protect classified data also deserves attention.
- Automobile production is interrupted by a security incident, for example the industrial control environment being infected with viruses, intrusion by external personnel, or malicious shutdown of equipment.
- Security compliance issues hinder business progress. This mainly includes failing to meet industry information security standards and therefore being unable to bring products to market, or violating laws and regulations on cross-border data transfer and personal privacy protection and facing heavy penalties.
- There are security vulnerabilities in the company's research and development process or products. These cover not only products already on the market but also vulnerabilities introduced through the supply chain and the information systems in operation.

2. Sources of risk for intelligent connected vehicles

The sources of risk for intelligent connected vehicles fall mainly into three levels:

(1) System security

On one hand there is software system security. As the proportion of software in automobiles gradually increases, software security faces greater risks and challenges; for example, when the vehicle manufacturer makes the software installation package (APK) available for download, it becomes exposed to attackers. On the other hand there is hardware system security. For automatic driving and cruise control systems, forged obstacles can interfere with the judgment of millimeter-wave radar, forcing the vehicle to stop or disrupting its progress, and ultrasonic equipment can be used to emit waves with the same period and frequency as the car's own sensors to interfere with it; once attacked, there is a risk of vehicle safety accidents.

(2) Key security

Vehicles usually use data encryption to protect data privacy, and once the key is leaked, the security of the encrypted data is gone. For example, the car key's signal can be recorded at a distance from the car while the door is opened once; after analysis and decoding, the error is kept within a reasonable range by calculation, so that the door can be opened an unlimited number of times. An attacker can also obtain control information through plug-in debugging, analyze it in reverse to recover the control process, and then use a script to control the car through the Bluetooth key.

(3) Architecture security

The relatively closed network environment inside the car also has gaps that can be attacked, and its ability to defend against external attacks is weak: for example the on-board diagnostics (OBD) interface, the Media Oriented Systems Transport (MOST) bus, the controller area network (CAN) bus, the local interconnect network (LIN) bus, and the tire pressure monitoring system. Because the CAN bus uses a plaintext communication mechanism, anyone who gains deep control of the CAN network can control the related electronic control units (ECUs) and cause danger.
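The plaintext CAN problem above is usually mitigated by adding a message authentication code and a freshness counter to each frame, so that a receiving ECU rejects forged, tampered or replayed frames. The following is an added illustration of that idea, not code from the article or from any vehicle platform; it is a simplified scheme in the spirit of AUTOSAR SecOC (truncated HMAC plus an 8-bit truncated counter), and the key, CAN identifier and payloads are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Hypothetical shared key provisioned into the sending and receiving ECUs
# (constructed sample value; a real vehicle would use per-ECU keys from key management).
ECU_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CAN_ID = 0x3A1      # constructed sample identifier, e.g. a brake-request message
MAC_BYTES = 4       # truncated MAC carried in the frame (classic CAN has 8 data bytes)

@dataclass
class SecuredFrame:
    can_id: int
    payload: bytes   # 3 bytes of application data
    freshness: int   # low 8 bits of the sender's monotonic counter
    mac: bytes       # MAC_BYTES-byte truncated HMAC

def compute_mac(key: bytes, can_id: int, payload: bytes, full_counter: int) -> bytes:
    # The MAC binds the CAN ID, the data and the full (untruncated) counter, so a
    # captured frame cannot be replayed later or moved to another identifier.
    msg = can_id.to_bytes(4, "big") + payload + full_counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_BYTES]

class Sender:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def send(self, can_id: int, payload: bytes) -> SecuredFrame:
        self.counter += 1
        mac = compute_mac(self.key, can_id, payload, self.counter)
        return SecuredFrame(can_id, payload, self.counter & 0xFF, mac)

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0
    def accept(self, frame: SecuredFrame) -> bool:
        # Reconstruct the full counter: the next value above last_counter whose low
        # byte matches the truncated freshness field (tolerates up to 255 lost frames).
        candidate = (self.last_counter & ~0xFF) + frame.freshness
        if candidate <= self.last_counter:
            candidate += 0x100
        expected = compute_mac(self.key, frame.can_id, frame.payload, candidate)
        if not hmac.compare_digest(expected, frame.mac):
            return False   # forged, tampered, moved to another ID, or replayed
        self.last_counter = candidate   # advance only after successful verification
        return True
```

A frame that verifies advances the receiver's counter, so the same frame presented a second time fails the check even though its MAC is genuine.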

(III) Analyzing and evaluating information security risk

Information security risk assessment is the process of analyzing the asset value, potential threats, weak points and existing protective measures of an information system, with reference to risk assessment standards and management norms, in order to determine the probability of security incidents and the possible losses and to propose risk management measures. Applied to the IT field, risk assessment becomes information security risk assessment. Analytical methods and tools are used to analyze the potential consequences should a risk materialize, analyze the likelihood of it actually occurring, and determine the risk level; the results of the risk analysis are then compared with the criteria previously established by the enterprise, and the risks are ranked for treatment.

(IV) Documenting the information security risk assessment process

Automotive companies should retain documented information about the information security risk assessment process. Only with a correct and comprehensive understanding of a risk can a correct and reasonable judgment be made on how to control it, such as what resources to mobilize, what price to pay, and what measures to take to control or transfer it. In addition, information security must be built on the enterprise's actual circumstances if risks are to be avoided effectively. Risks always exist objectively; how to avoid them requires specific analysis of each specific problem.

(V) Establishing information security objectives

Automobile enterprises should establish appropriate information security objectives, analyze the implementation of policy objectives through management review, and output suggestions for improvement of information security management system.

4. Supporting the information security management system

The organization shall determine and provide the resources needed to establish, implement, maintain and continually improve the information security management system. Resource management should cover the requirements for human resources, infrastructure, and monitoring and measurement resources.

1. Competence. Enterprises should determine the competence requirements for positions that affect information security performance and ensure that personnel become competent through experience or training.

2. Awareness. All employees should understand the enterprise's information security policy and develop information security management awareness through education and training. This can include written security policies, formal information security training, employees signing agreements to abide by the organization's security policies and procedures, business confidentiality agreements signed by employees, use of various media to publicize security issues within the company (regular publications, the company homepage, audio and video recordings, online training, etc.), enforcement of security regulations, encouraging employees to report suspicious events, and periodic audits.

3. Communication. Communication methods should be implemented concretely, so that the division of labor is clear and responsibilities are in place. The information to be communicated should be clear, easy to understand and appropriate to the cognitive level of its recipients. Communication methods include the most common ones, e-mail, instant messaging and meetings, as well as kanban boards, group discussions, special meetings, employee opinion surveys and their results, suggestion boxes, risk warnings, websites and circulated information.

4. Documented information. Automobile companies can determine the documented information they need according to the size of the organization and its activities, processes and product types, and the complexity of their interactions, so as to ensure that it is available and suitable at the required place and time, while also identifying and controlling the external documented information they require.

5. Operation of the information security management system

The organization's information security management system is shaped by the organization's needs and objectives, its security requirements, the processes, scale and structure it adopts, and changes over time. More importantly, the information security management system is part of the organization's processes and overall management structure, and information security needs to be considered in the design of processes, information systems and controls. In other words, the information security management system should be combined with the needs of the organization to demonstrate its ability to control information security and to provide trust to the organization and its interested parties.

6. Performance evaluation and improvement of the information security management system

After the information security management system documents have been prepared, they should be reviewed and approved according to the requirements of document control, and the currently effective system documents issued to the various departments. Records should be kept during system operation, internal audits and management reviews conducted regularly, corrective and preventive measures taken for non-conformities or potential non-conformities, and the information security management system continually improved.

Examining the current development trend of the automobile industry makes the necessity of information security work essentially clear, and studying and following the current state of international information security standards and regulations is the only way forward for Chinese automobile enterprises. Against the background of vehicle networking, the importance of information security is beyond doubt. Establishing an information security management system can help automobile enterprises standardize internal information security behavior, properly protect the information assets that support the whole automobile life cycle, improve their ability to manage and control information security risks, and strengthen the organization's ability to withstand catastrophic events.

Source: China Certification and Accreditation Magazine, Issue 6, 2022