
A Look at the New NHTSA Vehicle Cybersecurity Best Practices

2022-11-11 18:58:24 · Source: 汽車信息安全 (Automotive Information Security) · Author: 青驥
 

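The National Highway Traffic Safety Administration (NHTSA) of the U.S. Department of Transportation recently released "Cybersecurity Best Practices for the Safety of Modern Vehicles," an update to its 2016 edition. The document describes NHTSA's guidance to the automotive industry for improving vehicle cybersecurity in order to ensure safety.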

I. Background

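NHTSA recently released the 2022 update of its vehicle cybersecurity best practices. The first edition (available at www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf) was originally published in 2016. The 2022 edition takes into account new industry standards and research, as well as the standardization of cybersecurity practice across the automotive industry, such as UNECE WP.29 R155 and ISO 21434. It also incorporates knowledge gained over the past six years from research into real-world incidents in the industry, together with the comments experts submitted on the 2016 and 2021 drafts. The new best practices fall into two parts: first, general cybersecurity best practices; second, technical cybersecurity best practices.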

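The release of NHTSA's cybersecurity best practices for modern vehicles shows that government agencies understand and care about the importance of protecting vehicle security as vehicles become more susceptible to hacking. Although these guidelines are currently not binding, they are intended to reflect the industry's growing concern and sense of urgency about mitigating cybersecurity risks.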


II. Table of Contents Overview

1. Purpose of This Document

2. Scope

3. Background

4. General Cybersecurity Best Practices

4.1 Leadership Priority on Product Cybersecurity

4.2 Vehicle Development Process With Explicit Cybersecurity Considerations

4.2.1 Process

4.2.2 Risk Assessment

4.2.3 Sensor Vulnerability Risks

4.2.4 Removal or Mitigation of Safety-Critical Risks

4.2.5 Protections

4.2.6 Inventory and Management of Hardware and Software Assets on Vehicles

4.2.7 Cybersecurity Testing and Vulnerability Identification

4.2.8 Monitoring, Containment, Remediation

4.2.9 Data, Documentation, Information Sharing

4.2.10 Continuous Risk Monitoring and Assessment

4.2.11 Industry Best Practices

4.3 Information Sharing

4.4 Security Vulnerability Reporting Program

4.5 Organizational Incident Response Process

4.6 Self-Auditing

4.6.1 Process Management Documentation

4.6.2 Review and Audit

5. Education

6. Aftermarket/User-Owned Devices

6.1 Vehicle Manufacturers

6.2 Aftermarket Device Manufacturers

7. Serviceability

8. Technical Vehicle Cybersecurity Best Practices

8.1 Developer/Debugging Access in Production Devices

8.2 Cryptographic Techniques and Credentials

8.3 Vehicle Diagnostic Functionality

8.4 Diagnostic Tools

8.5 Vehicle Internal Communications

8.6 Event Logs

8.7 Wireless Paths Into Vehicles

8.7.1 Wireless Interfaces

8.7.2 Segmentation and Isolation Techniques in Vehicle Architecture Design

8.7.3 Network Ports, Protocols, and Services

8.7.4 Communication to Back-End Servers

8.7.5 Capability to Alter Routing Rules

8.8 Software Updates/Modifications

8.9 Over-the-Air Software Updates

Appendix

Terms and Descriptions


III. Overview of the Best Practices

45 General Vehicle Cybersecurity Best Practices

[G.1] The automotive industry should follow the National Institute of Standards and Technology’s (NIST’s) documented Cybersecurity framework, which is structured around the five principal functions, “Identify, Protect, Detect, Respond, and Recover,” to build a comprehensive and systematic approach to developing layered cybersecurity protections for vehicles.

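The automotive industry should follow the cybersecurity framework documented by the U.S. National Institute of Standards and Technology (NIST). The framework is built around five main functions, "Identify, Protect, Detect, Respond, and Recover," and so establishes a comprehensive and systematic approach to developing layered cybersecurity protections for vehicles.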

[G.2] Companies developing or integrating vehicle electronic systems or software should prioritize vehicle cybersecurity and demonstrate executive management commitment and accountability by:

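Companies that develop or integrate vehicle electronic systems or software should make cybersecurity a top priority and demonstrate executive management's commitment and accountability in the following ways: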

[a] Allocating dedicated resources within the organization focused on researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities;

Allocating dedicated resources within the organization to researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities;

[b] Facilitating seamless and direct communication channels through organizational ranks related to product cybersecurity matters; and

Facilitating uninterrupted, direct communication channels across organizational ranks on product cybersecurity matters; and

[c] Enabling an independent voice for vehicle cybersecurity-related considerations within the vehicle safety design process.

Making cybersecurity-related considerations an independent voice within the vehicle safety design process.

[G.3] The automotive industry should follow a robust product development process based on a systems-engineering approach with the goal of designing systems free of unreasonable safety risks, including those from potential cybersecurity threats and vulnerabilities.

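The automotive industry should follow a robust product development process based on a systems-engineering approach, aiming to design systems free of unreasonable safety risks, including those arising from potential cybersecurity threats and vulnerabilities.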

[G.4] This process should include a cybersecurity risk assessment step that is appropriate and reflects mitigation of risk for the full lifecycle of the vehicle.

The development process should include an appropriate cybersecurity risk assessment step that reflects risk mitigation over the vehicle's full lifecycle.

[G.5] Safety of vehicle occupants and other road users should be of primary consideration when assessing risks.

When assessing risks, the safety of vehicle occupants and other road users should be considered first.

[G.6] Manufacturers should consider the risks associated with sensor vulnerabilities and potential sensor signal manipulation efforts such as GPS spoofing, road sign modification, Lidar/Radar jamming and spoofing, camera blinding, and excitation of machine learning false positives.

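OEMs should consider the risks associated with sensor vulnerabilities and potential attempts to manipulate sensor signals, such as GPS spoofing, road sign modification, lidar/radar jamming and spoofing, camera blinding, and the triggering of machine-learning false positives.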

[G.7] Any unreasonable risk to safety-critical systems should be removed or mitigated to acceptable levels through design, and any functionality that presents an unavoidable and unnecessary risk should be eliminated where possible.

Any unreasonable risk to safety-critical systems should be removed or mitigated by design to an acceptable level. Wherever possible, any functionality that presents an unavoidable and unnecessary risk should be eliminated.

[G.8] For remaining functionality and underlying risks, layers of protection that are appropriate for the assessed risks should be designed and implemented.

For the remaining functionality and underlying risks, layers of protection appropriate to the assessed risks should be designed and implemented.

[G.9] Clear cybersecurity expectations should be specified and communicated to the suppliers that support the intended protections.

Clear cybersecurity expectations should be specified and communicated to the suppliers that support the intended protections.

[G.10] Suppliers and vehicle manufacturers should maintain a database of their operational hardware and software components used in each automotive ECU, each assembled vehicle, and a history log of version updates applied over the vehicle’s lifetime.

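Suppliers and OEMs should maintain a software bill of materials (SBOM) covering the hardware and software components operating in each electronic control unit and each assembled vehicle, together with a history of the version updates applied over the full lifecycle.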

[G.11] Manufacturers should track sufficient details related to software components, such that when a newly identified vulnerability is identified related to an open source or off-the-shelf software, manufacturers can quickly identify what ECUs and specific vehicles would be affected by it.

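OEMs should track enough detail about software components that, when a newly identified vulnerability relates to open-source or off-the-shelf software, the manufacturer can quickly identify which electronic control units and vehicles are affected.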

[G.12] Manufacturers should evaluate all commercial off-the-shelf and open-source software components used in vehicle ECUs against known vulnerabilities.

Evaluate all commercial off-the-shelf and open-source software used in vehicle electronic control units against known vulnerabilities.

[G.13] Manufacturers should also pursue product cybersecurity testing, including using penetration tests, as part of the development process.

Carry out product cybersecurity testing, for example using penetration tests, as part of the development process.

[G.14] Test stages should employ qualified testers who have not been part of the development team, and who are highly incentivized to identify vulnerabilities.

Test stages should use qualified testers who are not members of the development team and should make full use of their ability to identify cybersecurity vulnerabilities.

[G.15] A vulnerability analysis should be generated for each known vulnerability assessed or new vulnerability identified during cybersecurity testing. The disposition of the vulnerability and the rationale for how the vulnerability is managed should also be documented.

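A vulnerability analysis report should be produced for each known vulnerability assessed and each new vulnerability identified during cybersecurity testing, and the disposition of the vulnerability and the rationale for how it is managed should be recorded.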

[G.16] In addition to design protections, the automotive industry should establish rapid vehicle cybersecurity incident detection and remediation capabilities.

Beyond design protections, the automotive industry should have rapid capabilities for detecting and remediating vehicle cybersecurity incidents.

[G.17] Such capabilities should be able to mitigate safety risks to vehicle occupants and surrounding road users when a cyberattack is detected and transition the vehicle to a minimal risk condition, as appropriate for the identified risk.

When a cyberattack is detected, such capabilities should be able to mitigate safety risks to vehicle occupants and surrounding road users and transition the vehicle to a minimal risk condition, as appropriate for the identified risk.

[G.18] Manufacturers should collect information on potential attacks, and this information should be analyzed and shared with industry through the Auto-ISAC and other sharing mechanisms.

OEMs should collect information on potential attacks, analyze it, and share it with the industry through other information-sharing organizations.

[G.19] Manufacturers should fully document any actions, design choices, analyses, supporting evidence, and changes related to its management of vehicle cybersecurity.

OEMs should fully document all actions related to their management of vehicle cybersecurity, such as design choices, analyses, supporting evidence, and changes.

[G.20] All related work products should be traceable within a robust document version control system.

All related work products should be traceable within a robust document version control system.

[G.21] Companies should use a systematic and ongoing process to periodically reevaluate risks and make appropriate updates to processes and designs due to changes in the vehicle cybersecurity landscape, as appropriate.

Where appropriate, companies should use a systematic, ongoing process to periodically reevaluate risks and update processes and designs as the vehicle cybersecurity landscape changes.

[G.22] Best practices for secure software development should be followed, for example as outlined in NIST publications and ISO/SAE 21434.

Best practices for secure software development should be followed, for example those described in NIST publications and ISO 21434.

[G.23] Manufacturers should actively participate in automotive industry-specific best practices and standards development activities through recognized standards development organizations and Auto-ISAC.

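Manufacturers should actively take part in automotive industry-specific best practice and standards development activities through recognized standards development organizations and the Automotive Information Sharing and Analysis Center (Auto-ISAC).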

[G.24] As future risks emerge, industry should collaborate to expediently develop mitigation measures and best practices to address new risks.

As future risks emerge, the industry should work together to develop mitigation measures and best practices that address the new risks.

[G.25] Members of the extended automotive industry (including, but not limited to, vehicle manufacturers, automotive equipment suppliers, software developers, communication services providers, aftermarket system suppliers, and fleet managers) are strongly encouraged to:

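Members of the extended automotive industry (including, but not limited to, vehicle manufacturers, automotive equipment suppliers, software developers, communication service providers, aftermarket system suppliers, and fleet managers) are strongly encouraged to: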

[a] Join Auto-ISAC;

Join Auto-ISAC;

[b] Share timely information concerning cybersecurity issues, including vulnerabilities, and intelligence information with Auto-ISAC.

Share timely information on cybersecurity issues, including vulnerabilities, and intelligence with Auto-ISAC.

[G.26] Members of Auto-ISAC are strongly encouraged to collaborate in expeditiously exploring containment options and countermeasures to reported vulnerabilities, regardless of an impact on their own systems.

Regardless of the impact on their own systems, Auto-ISAC members are encouraged to collaborate in quickly exploring containment options and countermeasures for reported vulnerabilities.

[G.27] Automotive industry members should create their own vulnerability reporting policies and mechanisms.

Automotive industry members should establish their own vulnerability reporting policies and mechanisms.

[G.28] Members of the automotive industry should develop a product cybersecurity incident response process. This process should include:

All members of the automotive industry should have a product cybersecurity incident response process. This process includes:

[a] A documented incident response plan;

A documented incident response plan;

[b] Clearly identified roles and responsibilities within the organization;

Clearly identified roles and responsibilities within the organization;

[c] Clearly identified communication channels and contacts outside the organization; and

Clearly identified communication channels and contacts outside the organization; and

[d] Procedures for keeping this information, [G.28[a]-[c]], up to date.

Procedures for keeping [G.28[a]-[c]] up to date.

[G.29] Organizations should develop metrics to periodically assess the effectiveness of their response process.

Organizations should develop metrics that allow them to periodically assess the effectiveness of their response process.

[G.30] Organizations should document the details of each identified and reported vulnerability, exploit, or incident applicable to their products.

Organizations should record the details of every identified and reported vulnerability, exploit, or incident applicable to their products.

[G.31] The nature of the vulnerability and the rationale for how the vulnerability is managed should be documented.

The nature of the vulnerability and the rationale for how it is managed should be recorded.

[G.32] Commensurate to assessed risks, organizations should have a plan for addressing newly identified vulnerabilities on consumer-owned vehicles in the field, inventories of vehicles built but not yet distributed to dealers, vehicles delivered to dealerships but not yet sold to consumers, as well as future products and vehicles.

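In proportion to the assessed risks, organizations should plan how to address newly discovered vulnerabilities in consumer-owned vehicles in the field, inventories of vehicles built but not yet distributed to dealers, vehicles delivered to dealers but not yet sold to consumers, and future products and vehicles.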

[G.33] Any incidents should also be reported to CISA/United States Computer Emergency Readiness Team (US-CERT) in accordance with the US-CERT Federal Incident Notification Guidelines.

Any incident should also be reported to CISA/Computer Emergency Readiness Team (CERT) in accordance with the CERT Federal Incident Notification Guidelines.

[G.34] Industry members should periodically conduct and participate in organized, cyber incident response exercises.

Industry members should periodically conduct and take part in organized cybersecurity incident exercises.

[G.35] The automotive industry should document the details related to their vehicle cybersecurity risk management process to facilitate auditing and accountability.

The automotive industry should record the details of its vehicle cybersecurity risk management process to support auditing and accountability.

[G.36] Further, such documents should be retained through the expected lifespan of the associated product.

Furthermore, such documents should be retained for the expected lifespan of the associated product.

[G.37] Documents should follow a robust version control protocol, and should be revised regularly as new information, data, and research results become available.

Documents should follow a robust version control scheme and be revised regularly as new information, data, and research results become available.

[G.38] The automotive industry should establish procedures for internal review of its management and documentation of cybersecurity-related activities.

The automotive industry should establish procedures for internally reviewing its management and documentation of cybersecurity-related activities.

[G.39] The automotive industry should consider carrying out organizational and product cybersecurity audits annually.

The automotive industry should consider conducting organizational and product cybersecurity audits every year.

[G.40] Vehicle manufacturers, suppliers, universities, and other stakeholders should work together to help support educational efforts targeted at workforce development in the field of automotive cybersecurity.

OEMs, suppliers, universities, and other stakeholders should work together to support education for practitioners in the field of automotive cybersecurity.

[G.41] The automotive industry should consider the risks that could be presented by user-owned or aftermarket devices when connected with vehicle systems and provide reasonable protections.

The automotive industry should consider the risks posed by user-owned or aftermarket devices when they connect to vehicle systems and provide reasonable protections.

[G.42] Any connection to a third-party device should be authenticated and provided with appropriate limited access.

Every connection to a third-party device should be authenticated and given appropriately limited access.

[G.43] Aftermarket device manufacturers should employ strong cybersecurity protections on their products.

Aftermarket device manufacturers should use strong cybersecurity protections in their products.

[G.44] The automotive industry should consider the serviceability of vehicle components and systems by individuals and third parties.

The industry should consider the serviceability of vehicle components and systems so that individuals and third parties can work on them.

[G.45] The automotive industry should provide strong vehicle cybersecurity protections that do not unduly restrict access by alternative third-party repair services authorized by the vehicle owner.

The industry should provide strong vehicle cybersecurity protections without unduly restricting access by alternative third-party repair services authorized by the vehicle owner.
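The inventory lookup that [G.10] and [G.11] call for, as an added example that is not from NHTSA or the article's author: a Python sketch that replays a version-update history log and lists the ECUs and vehicles still running a vulnerable component. The record layout, the VINs, the ECU names and the component names `libexample-tls` and `example-rtos` are constructed for illustration.

```python
from dataclasses import dataclass


def parse_version(text):
    """'1.10.0' -> (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class InstallRecord:
    date: str        # ISO 8601 date, so string order equals time order
    vin: str
    ecu: str
    component: str
    version: str


# Constructed sample log: factory installs plus later updates, deliberately
# out of order. All VINs, ECU names and component names are made up.
HISTORY = [
    InstallRecord("2022-06-15", "VIN-0001", "telematics", "libexample-tls", "1.4.1"),
    InstallRecord("2021-03-01", "VIN-0001", "telematics", "libexample-tls", "1.2.0"),
    InstallRecord("2021-03-01", "VIN-0001", "gateway", "example-rtos", "5.0.2"),
    InstallRecord("2021-04-10", "VIN-0002", "telematics", "libexample-tls", "1.2.0"),
    InstallRecord("2021-05-20", "VIN-0003", "infotainment", "libexample-tls", "1.3.5"),
    InstallRecord("2022-01-09", "VIN-0003", "infotainment", "libexample-tls", "1.10.0"),
    InstallRecord("2021-07-02", "VIN-0004", "infotainment", "libexample-tls", "1.3.5"),
]


def current_inventory(history):
    """Replay the update log in date order; the last record per slot wins."""
    state = {}
    for rec in sorted(history, key=lambda r: r.date):
        state[(rec.vin, rec.ecu, rec.component)] = parse_version(rec.version)
    return state


def affected(history, component, first_vulnerable, first_fixed):
    """(vin, ecu, version) for every ECU currently running a vulnerable build.

    The vulnerable range is first_vulnerable <= version < first_fixed.
    """
    low, high = parse_version(first_vulnerable), parse_version(first_fixed)
    hits = []
    for (vin, ecu, comp), version in current_inventory(history).items():
        if comp == component and low <= version < high:
            hits.append((vin, ecu, ".".join(map(str, version))))
    return sorted(hits)


def ever_exposed(history, component, first_vulnerable, first_fixed):
    """VINs that ran a vulnerable build at any point, for incident scoping."""
    low, high = parse_version(first_vulnerable), parse_version(first_fixed)
    return sorted({r.vin for r in history
                   if r.component == component
                   and low <= parse_version(r.version) < high})


if __name__ == "__main__":
    print(affected(HISTORY, "libexample-tls", "1.1.0", "1.4.0"))
    print(ever_exposed(HISTORY, "libexample-tls", "1.1.0", "1.4.0"))
```

Keeping the full history rather than only the latest version is what lets the same data answer both "what must be patched now" and "which vehicles were exposed before they were updated".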


25 Technical Vehicle Cybersecurity Best Practices

[T.1] Developer-level access should be limited or eliminated if there is no foreseeable operational reason for the continued access to an ECU for deployed units.

If there is no foreseeable operational reason for continued access to the ECU of a deployed unit, developer-level access should be limited or eliminated.

[T.2] If continued developer-level access is necessary, any developer-level debugging interfaces should be appropriately protected to limit access to authorized privileged users.

If continued developer-level access is necessary, developer-level debugging interfaces should be properly protected by limiting access to authorized privileged users.

[T.3] Cryptographic techniques should be current and non-obsolescent for the intended application.

Cryptographic techniques should be current and not obsolete for the intended application.

[T.4] Cryptographic credentials that provide an authorized, elevated level of access to vehicle computing platforms should be protected from unauthorized disclosure or modification.

Cryptographic credentials that provide authorized, elevated access to vehicle computing platforms should be protected against unauthorized disclosure or modification.

[T.5] Any credential obtained from a single vehicle’s computing platform should not provide access to other vehicles.

No credential obtained from one vehicle's computing platform should give access to other vehicles.

[T.6] Diagnostic features should be limited, as much as possible, to a specific mode of vehicle operation which accomplishes the intended purpose of the associated feature.

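As far as possible, diagnostic features should be limited to a specific mode of vehicle operation that fulfils the intended purpose of the associated feature.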

[T.7] Diagnostic operations should be designed to eliminate or minimize potentially dangerous ramifications if they were misused or abused outside of their intended purposes.

Diagnostic operations should be designed so that dangerous, hard-to-foresee consequences are eliminated or minimized if diagnostic features are misused or abused outside their intended purpose.

[T.8] The use of global symmetric keys and ad-hoc cryptographic techniques for diagnostic access should be minimized.

The use of global symmetric keys and ad-hoc cryptographic techniques for diagnostic access should be kept to a minimum.

[T.9] Vehicle and diagnostic tool manufacturers should control tools’ access to vehicle systems that can perform diagnostic operations and reprogramming by providing for appropriate authentication and access control.

Vehicle and diagnostic tool manufacturers should control tools' access to vehicle systems, using appropriate authentication and access control for diagnostic operations and reprogramming.

[T.10] When possible, critical safety signals should be transported in a manner inaccessible through external vehicle interfaces.

Where possible, critical safety signals should be transported in a way that cannot be reached through external vehicle interfaces.

[T.11] Employ best practices for communication of critical information over shared and possibly insecure channels. Limit the possibility of replay, integrity compromise, and spoofing. Physical and logical access should also be highly restricted.

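Use best practices when communicating critical information over shared and possibly insecure channels. Limit the possibility of replay, integrity compromise, and spoofing. Physical and logical access should also be strictly restricted.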

[T.12] A log of events sufficient to reveal the nature of a cybersecurity attack or successful breach and support event reconstruction should be created and maintained.

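An event log sufficient to reveal the nature of a cybersecurity attack or successful breach should be created and maintained, and it should support event reconstruction.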

[T.13] Such logs that can be aggregated across vehicles should be periodically reviewed to assess potential trends of cyberattacks.

Logs aggregated across vehicles should be reviewed periodically to assess potential trends in cyberattacks.

[T.14] Manufacturers should treat all networks and systems external to a vehicle’s wireless interfaces as untrusted and use appropriate techniques to mitigate potential threats.

OEMs should treat all networks and systems external to the vehicle's wireless interfaces as untrusted and use appropriate techniques to mitigate potential threats.

[T.15] Network segmentation and isolation techniques should be used to limit connections between wireless-connected ECUs and low-level vehicle control systems, particularly those controlling safety critical functions, such as braking, steering, propulsion, and power management.

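Network segmentation and isolation techniques should be used to limit connections between wirelessly connected ECUs and low-level vehicle control systems, especially systems that control safety-critical functions such as braking, steering, propulsion, and power management.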

[T.16] Gateways with strong boundary controls, such as strict whitelist-based filtering of message flows between different network segments, should be used to secure interfaces between networks.

Gateways with strong boundary controls, such as strict whitelist-based filtering of message flows between network segments, should be used to secure the interfaces between networks.

[T.17] Eliminating unnecessary internet protocol services from production vehicles;

Disable unnecessary internet protocol services on production vehicles.

[T.18] Limiting the use of network services on vehicle ECUs to essential functionality only; and

Limit the use of network services on vehicle electronic control units to essential functionality only.

[T.19] Appropriately protecting services over such ports to limit use to authorized parties.

Properly protect services over these ports to limit use to authorized parties.

[T.20] Manufacturers should use appropriate encryption and authentication methods in any operational communication between external servers and the vehicle.

OEMs should use appropriate encryption and authentication methods for any operational communication between the vehicle and external servers.

[T.21] Manufacturers should plan for and create processes that could allow for quickly propagating and applying changes in network routing rules to a single vehicle, subsets of vehicles, or all vehicles connected to the network.

OEMs should plan and create processes that can quickly propagate and apply changes to network routing rules, whether for a single vehicle, a subset of vehicles, or all vehicles connected to the network.

[T.22] Automotive manufacturers should employ state-of-the-art techniques for limiting the ability to modify firmware to authorized and appropriately authenticated parties.

OEMs should apply state-of-the-art techniques that limit the ability to modify firmware to authorized and properly authenticated parties.

[T.23] Manufacturers should employ measures to limit firmware version rollback attacks.

OEMs should take measures to limit firmware version rollback attacks.

[T.24] Maintain the integrity of OTA updates, update servers, the transmission mechanism, and the updating process in general.

Maintain the integrity of over-the-air updates, update servers, the transmission mechanism, and the update process as a whole.

[T.25] Take into account, when designing security measures, the risks associated with compromised servers, insider threats, men-in-the-middle attacks, and protocol vulnerabilities.

When designing security measures, take into account the risks associated with compromised servers, insider threats, man-in-the-middle attacks, and protocol vulnerabilities.
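One way to meet [T.5] and [T.11] together, shown as an added example that is not from NHTSA or the article's author: each frame carries a freshness counter and a truncated HMAC under a per-vehicle key, so replayed, altered or foreign-keyed frames are rejected. The frame layout, the tag length, the key-derivation label and all names are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HQ")   # assumed layout: 16-bit message ID, 64-bit counter
MAC_LEN = 8                     # truncated tag length in bytes (assumption)


def derive_vehicle_key(master_key: bytes, vin: str) -> bytes:
    """Diversify a back-end master key per vehicle.

    A key extracted from one vehicle is useless on any other, and the master
    key itself never has to be stored in a vehicle.
    """
    return hmac.new(master_key, b"vehicle-key|" + vin.encode(), hashlib.sha256).digest()


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


def protect(key: bytes, msg_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header | payload | truncated MAC over header and payload."""
    header = HEADER.pack(msg_id, counter)
    return header + payload + _tag(key, header, payload)


class Receiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        # Highest counter accepted per message ID. A real ECU would have to
        # persist this across power cycles, or replay works after a reboot.
        self.last_counter = {}

    def accept(self, frame: bytes):
        """Return the payload, or None if the frame must be dropped."""
        if len(frame) < HEADER.size + MAC_LEN:
            return None
        header = frame[:HEADER.size]
        payload = frame[HEADER.size:-MAC_LEN]
        tag = frame[-MAC_LEN:]
        # Check integrity and origin first, in constant time.
        if not hmac.compare_digest(tag, _tag(self.key, header, payload)):
            return None
        msg_id, counter = HEADER.unpack(header)
        # Then freshness: anything not strictly newer is a replay.
        if counter <= self.last_counter.get(msg_id, -1):
            return None
        self.last_counter[msg_id] = counter
        return payload


if __name__ == "__main__":
    master = bytes(range(32))                      # constructed demo key
    key_a = derive_vehicle_key(master, "VIN-A")    # constructed VINs
    rx = Receiver(key_a)
    frame = protect(key_a, 0x120, 1, b"\x10\x20")
    print(rx.accept(frame))   # accepted
    print(rx.accept(frame))   # replay, dropped
```

The counter is covered by the MAC, so an attacker cannot make an old frame look fresh by rewriting the header.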
