标准摘要
[中文适用范围]: 本推荐实践为车辆网络安全提供指导,基于并扩展了行业、政府和会议论文中正在实施或报告的现有实践。这些最佳实践旨在灵活、实用,并能适应车辆行业及其他网络物理车辆系统(如商用和军用车辆、卡车、公交车)的进一步应用。其他专有的网络安全开发流程和标准可能已建立以支持特定制造商的开发流程,可能未在本文件中全面体现,但本文件中的信息可能有助于完善现有的内部流程、方法等。 本推荐实践建立了一套与网络物理车辆系统相关的高级网络安全指导原则。这包括: • 定义一个完整的生命周期流程框架,可在各组织的开发流程中定制和使用,将网络安全纳入网络物理车辆系统,从概念阶段到生产、运营、服务和退役。 • 提供在设计、验证和确认网络物理车辆系统时使用的一些常见现有工具和方法的信息。 • 为车辆系统网络安全提供基本指导原则。 • 为车辆网络安全的进一步标准开发活动奠定基础。 附录提供了额外的信息,可用于帮助改进功能设计的网络安全。附录中列出的许多信息是可用的,但一些专家可能不知道所有可用信息。因此,附录概述了一些信息,为进一步在网络物理车辆系统中构建网络安全提供指导。概述的目的是鼓励研究,帮助改进设计,并确定应用公司内部网络安全流程的方法和工具。 附录A-C - 描述了一些威胁分析和风险评估、威胁建模和漏洞分析(如攻击树)的技术及其使用时机。 附录D-I - 提供车辆行业可用信息的意识。 附录D - 概述了可能在设计阶段考虑的源自NIST SP 800-53的样本网络安全和隐私控制。 附录E - 提供了一些可用漏洞数据库和漏洞分类方案的参考。 附录F - 描述了车辆级别的考虑,包括电气架构的一些良好设计实践。 附录G - 列出了车辆行业可能感兴趣的当前网络安全标准和指南。 附录H - 概述了自2004年以来的车辆网络安全相关研究项目。 附录I - 描述了车辆行业可能感兴趣的一些现有安全测试工具。 请参阅定义部分以了解整个文档中使用的术语。 [外文原描述]: This recommended practice provides guidance on vehicle Cybersecurity and was created based off of, and expanded on from, existing practices which are being implemented or reported in industry, government and conference papers. The best practices are intended to be flexible, pragmatic, and adaptable in their further application to the vehicle industry as well as to other cyber-physical vehicle systems (e.g., commercial and military vehicles, trucks, busses). Other proprietary Cybersecurity development processes and StandardDetails may have been established to support a specific manufacturer’s development processes, and may not be comprehensively represented in this document, however, information contained in this document may help refine existing in-house processes, methods, etc.This recommended practice establishes a set of high-level guiding principles for Cybersecurity as it relates to cyber-physical vehicle systems . This includes:Defining a complete lifecycle process framework that can be tailored and utilized within each organization’s development processes to incorporate Cybersecurity into cyber-physical vehicle systems from concept phase through production, operation, service, and decommissioning.Providing information on some common existing tools and methods used when designing, verifying and validating cyber-physical vehicle systems.Providing basic guiding principles on Cybersecurity for vehicle systems.Providing the foundation for further StandardDetails development activities in vehicle Cybersecurity.The appendices provide additional information to be aware of and may be used in helping improve Cybersecurity of feature designs. Much of the information identified in the appendices is available but some experts may not be aware of all of the available information. Therefore, the appendices provide an overview of some of this information to provide further guidance on building Cybersecurity into cyber-physical vehicle systems. The objective of the overviews is to encourage research to help improve designs and identify methods and tools for applying a company’s internal Cybersecurity process.Appendices A - C - Describe some techniques for Threat Analysis and Risk Assessment, Threat Modeling and Vulnerability Analysis (e.g., Attack Trees) and when to use them.Appendices D - I - Provide awareness of information that is available to the Vehicle Industry.Appendix D - Provides an overview of sample Cybersecurity and privacy controls derived from NIST SP 800-53 that may be considered in design phases.Appendix E - Provides references to some available vulnerability databases and vulnerability classification schemes.Appendix F - Describes vehicle-level considerations, including some good design practices for electrical architecture.Appendix G -Lists current Cybersecurity StandardDetails and guidelines of potential interest to the vehicle industry.Appendix H - Provides an overview of vehicle Cybersecurity-related research projects starting from 2004.Appendix I - Describes some existing security test tools of potential interest to the vehicle industry.Refer to the definitions section to understand the terminology used throughout the document.Cross Reference:
英文名称Cybersecurity Guidebook for Cyber-Physical Vehicle Systems