Economic Commission for Europe
Inland Transport Committee
World Forum for Harmonization of Vehicle Regulations
Proposal for a new UN Regulation on uniform provisions
concerning the approval of vehicles with regards to cyber
security and cyber security management system
Submitted by the Working Party on Automated/autonomous and
Connected Vehicles
*
The text reproduced below is a consolidated version of the draft UN Regulation on
Cyber Security and Cyber Security Management Systems. This informal version is meant
purely as a documentation tool. The authentic text submitted for adoption is contained in the
three documents ECE/TRANS/WP.29/2020/79, ECE/TRANS/WP.29/2020/94 and
ECE/TRANS/WP.29/2020/97.
* In accordance with the programme of work of the Inland Transport Committee for 2020 as outlined in
proposed programme budget for 2020 (A/74/6 (part V sect. 20) para 20.37), the World Forum will
develop, harmonize and update UN Regulations in order to enhance the performance of vehicles. The
present document is submitted in conformity with that mandate.
United Nations
ECE/TRANS/WP.29/2020/79 REVISED
Economic and Social Council
Distr.: General
2
3 June 2020
Original: English
ECE/TRANS/WP.29/2020/79 Revised
UN Regulation on uniform provisions concerning the
approval of vehicles with regard to cyber security and of
their cybersecurity management systems
Contents
1. Scope
2. Definitions
3. Application for approval
4. Markings
5. Approval
6. Certificate of Compliance for Cyber Security Management System
7. Specifications
8. Modification and extension of the vehicle type
9. Conformity of production
10. Penalties for non-conformity of production
11. Production definitively discontinued
12. Names and addresses of Technical Services responsible for conducting approval test, and of Type Approval Authorities
Annexes
1 Information document
2 Communication
3 Arrangement of approval mark
4 Model of Certificate of Compliance for CSMS
5 List of threats and corresponding mitigations
1. Scope
1.1. This Regulation applies to vehicles, with regard to cyber security, of the
Categories M and N.
This Regulation also applies to vehicles of Category O if fitted with at least
one electronic control unit.
1.2. This Regulation also applies to vehicles of the Categories L6 and L7 if equipped
with automated driving functionalities from level 3 onwards, as defined in the
reference document with definitions of Automated Driving under WP.29 and
the General Principles for developing a UN Regulation on automated vehicles
(ECE/TRANS/WP.29/1140).
1.3. This Regulation is without prejudice to other UN Regulations, regional or
national legislations governing the access by authorized parties to the vehicle,
its data, functions and resources, and conditions of such access. It is also
without prejudice to the application of national and regional legislation on
privacy and the protection of natural persons with regard to the processing of
their personal data.
1.4. This Regulation is without prejudice to other UN Regulations, national or
regional legislation governing the development and installation/system
integration of replacement parts and components, physical and digital, with
regards to cybersecurity.
2. Definitions
For the purpose of this Regulation the following definitions shall apply:
2.1. "Vehicle type" means vehicles which do not differ in at least the following
essential respects:
(a) The manufacturer’s designation of the vehicle type;
(b) Essential aspects of the electric/electronic architecture and external
interfaces with respect to cyber security.
2.2. "Cyber security" means the condition in which road vehicles and their
functions are protected from cyber threats to electrical or electronic
components.
2.3. "Cyber Security Management System (CSMS)" means a systematic risk-based
approach defining organisational processes, responsibilities and governance to
treat risk associated with cyber threats to vehicles and protect them from cyber-
attacks.
2.4. "System" means a set of components and/or sub-systems that implements a
function or functions.
2.5. "Development phase" means the period before a vehicle type is type approved.
2.6. "Production phase" refers to the duration of production of a vehicle type.
2.7. "Post-production phase" refers to the period in which a vehicle type is no
longer produced until the end-of-life of all vehicles under the vehicle type.
Vehicles incorporating a specific vehicle type will be operational during this
phase but will no longer be produced. The phase ends when there are no longer
any operational vehicles of a specific vehicle type.
2.8. "Mitigation" means a measure that is reducing risk.
2.9. "Risk" means the potential that a given threat will exploit vulnerabilities of a
vehicle and thereby cause harm to the organization or to an individual.
2.10. "Risk Assessment" means the overall process of finding, recognizing and
describing risks (risk identification), to comprehend the nature of risk and to
determine the level of risk (risk analysis), and of comparing the results of risk
analysis with risk criteria to determine whether the risk and/or its magnitude is
acceptable or tolerable (risk evaluation).
2.11. "Risk Management" means coordinated activities to direct and control an
organization with regard to risk.
2.12. "Threat" means a potential cause of an unwanted incident, which may result in
harm to a system, organization or individual.
2.13. "Vulnerability" means a weakness of an asset or mitigation that can be
exploited by one or more threats.
3. Application for approval
3.1. The application for approval of a vehicle type with regard to cyber security
shall be submitted by the vehicle manufacturer or by their duly accredited
representative.
3.2. It shall be accompanied by the undermentioned documents in triplicate, and by
the following particulars:
3.2.1. A description of the vehicle type with regard to the items specified in Annex 1
to this Regulation.
3.2.2. In cases where information is shown to be covered by intellectual property
rights or to constitute specific know-how of the manufacturer or of their
suppliers, the manufacturer or their suppliers shall make available sufficient
information to enable the checks referred to in this Regulation to be made
properly. Such information shall be treated on a confidential basis.
3.2.3. The Certificate of Compliance for CSMS according to paragraph 6 of this
Regulation.
3.3. Documentation shall be made available in two parts:
(a) The formal documentation package for the approval, containing the
material specified in Annex 1 which shall be supplied to the Approval
Authority or its Technical Service at the time of submission of the type
approval application. This documentation package shall be used by the
Approval Authority or its Technical Service as the basic reference for
the approval process. The Approval Authority or its Technical Service
shall ensure that this documentation package remains available for at
least 10 years counted from the time when production of the vehicle
type is definitively discontinued.
(b) Additional material relevant to the requirements of this regulation may
be retained by the manufacturer, but made open for inspection at the
time of type approval. The manufacturer shall ensure that any material
made open for inspection at the time of type approval remains available
for at least a period of 10 years counted from the time when production
of the vehicle type is definitively discontinued.
4. Marking
4.1. There shall be affixed, conspicuously and in a readily accessible place
specified on the approval form, to every vehicle conforming to a vehicle type
approved under this Regulation an international approval mark consisting of:
4.1.1. A circle surrounding the Letter "E" followed by the distinguishing number of
the country which has granted approval.
4.1.2. The number of this Regulation, followed by the letter "R", a dash and the
approval number to the right of the circle described in paragraph 4.1.1. above.
4.2. If the vehicle conforms to a vehicle type approved under one or more other
Regulations annexed to the Agreement in the country which has granted
approval under this Regulation, the symbol prescribed in paragraph 4.1.1.
above need not be repeated; in this case the Regulation and approval numbers
and the additional symbols of all the Regulations under which approval has
been granted in the country which has granted approval under this Regulation
shall be placed in vertical columns to the right of the symbol prescribed in
paragraph 4.1.1. above.
4.3. The approval mark shall be clearly legible and shall be indelible.
4.4. The approval mark shall be placed on or close to the vehicle data plate affixed
by the Manufacturer.
4.5. Annex 3 to this Regulation gives examples of the arrangements of the approval
mark.
5. Approval
5.1. Approval Authorities shall grant, as appropriate, type approval with regard to
cyber security, only to such vehicle types that satisfy the requirements of this
Regulation.
5.1.1. The Approval Authority or the Technical Service shall verify by means of
document checks that the vehicle manufacturer has taken the necessary
measures relevant for the vehicle type to:
(a) Collect and verify the information required under this Regulation
through the supply chain so as to demonstrate that supplier-related risks
are identified and are managed;
(b) Document risks assessment (conducted during development phase or
retrospectively), test results and mitigations applied to the vehicle type,
including design information supporting the risk assessment;
(c) Implement appropriate cyber security measures in the design of the
vehicle type;
(d) Detect and respond to possible cyber security attacks;
(e) Log data to support the detection of cyber-attacks and provide data
forensic capability to enable analysis of attempted or successful cyber-
attacks.
5.1.2. The Approval Authority or the Technical Service shall verify by testing of a
vehicle of the vehicle type that the vehicle manufacturer has implemented the
cyber security measures they have documented. Tests shall be performed by
the Approval Authority or the Technical Service itself or in collaboration with
the vehicle manufacturer by sampling. Sampling shall be focused but not
limited to risks that are assessed as high during the risk assessment.
5.1.3. The Approval Authority or Technical Service shall refuse to grant the type
approval with regard to cyber security where the vehicle manufacturer has not
fulfilled one or more of the requirements referred to in paragraph 7.3., notably:
(a) The vehicle manufacturer did not perform the exhaustive risk
assessment referred to in paragraph 7.3.3.; including where the
manufacturer did not consider all the risks related to threats referred to
in Annex 5, Part A;
(b) The vehicle manufacturer did not protect the vehicle type against risks
identified in the vehicle manufacturer’s risk assessment or
proportionate mitigations were not implemented as required by
paragraph 7.;