On 7 March 2022, MIIT issued the Development Guidelines on the Standards System for Internet of Vehicles Cybersecurity and Data Security (hereinafter referred to as the Guidelines), which outline the key areas as well as the structure of standards formulation in the field of cybersecurity and data security of Internet of Vehicles (IOV). A detailed list of standards, either released or yet to be released, is attached, clearly reflecting the standards structure outlined by the document.

Specifically, the standards system outlined in the Guidelines is structured around six aspects: (i) general requirements and generic standards, (ii) cybersecurity of IOV terminals and facilities, (iii) security of network communication, (iv) data security, (v) security of application services, and (vi) safety safeguards and support.

Combined with the perspectives and information from CAICT’s White Paper on Internet of Vehicles 2021, the following is a summary of the key points of particular interest for vehicle manufacturers and IOV app developers.

For a vehicle manufacturer, the risks that threaten cybersecurity and data security come mainly from:

  1. Network safety of the components of the vehicle. Attackers often take advantage of system vulnerabilities of networked devices to carry out attacks, and then interfere with the functions of vehicle components. To ensure the network safety of the onboard equipment, the Guidelines indicate that a series of standards of network security of the onboard equipment shall be formulated, including the Technical Requirements for Network Security Protection of Automotive Electronic Control Units, and the Technical Requirements for Network Security of Automotive Safety Chip.
  2. Communication safety of the vehicles. Attackers usually exploit defects in identity authentication or data encryption to launch attacks, resulting in security risks such as forgery, tampering, and theft. In this regard, the Guidelines outline a series of standards that are expected to be formulated and completed in the near future, covering onboard network safety, inspection requirements for network facilities and system security, security of network communication, and data security.
  3. Security of IOV service platforms. When vehicles are connected to relevant Internet platforms to obtain services, they face security threats from those information service platforms. Attackers can launch remote denial-of-service, brute force cracking, and malicious script injection attacks. To avoid those risks, the Guidelines urge the formulation of the Technical Requirements for Security of Interaction between IOV Service Platforms and Vehicle Terminals.

For IOV app developers, the risks mainly exist in the back-end connection between the onboard app and the third-party app service system, which may face security threats such as network attacks, communication protocol cracking, code decompilation, and theft of users’ data. If the third-party app is involved in vehicle control, there may even be the risk of remote malicious control of the vehicle. In order to reduce those risks, the Guidelines especially propose the formulation of the Technical and Testing Requirements for Security of IOV apps.