China is making strides in vehicle cybersecurity with the release of a new standard, GB 44495-2024, which is set to raise the bar for protecting vehicles from cyber threats. This new regulation aligns with international guidelines such as UNECE R155 and ISO/SAE 21434 but introduces unique requirements tailored to the Chinese market. As the world moves towards connected and autonomous vehicles, these standards are critical to ensuring that vehicles remain secure throughout their lifecycle.
What Is GB 44495-2024 About?
GB 44495-2024 focuses on two main areas to enhance vehicle cybersecurity in China:
- Cybersecurity Management System (CSMS): This requirement ensures that companies have robust processes in place to manage cybersecurity risks across the entire vehicle lifecycle, from design to decommissioning.
- Technical Requirements for Vehicles: These are specific rules and tests designed to evaluate whether a vehicle meets the required cybersecurity standards. It includes a checklist of tests that manufacturers must perform to validate the security of their vehicles.
How GB 44495-2024 Aligns with UNECE R155 and ISO/SAE 21434
GB 44495-2024 is not just a national regulation; it aligns closely with global standards to ensure consistency.
- CSMS Requirements: Both UNECE R155 and ISO/SAE 21434 demand a strong cybersecurity management system. This involves creating processes and systems to manage cybersecurity risks throughout a vehicle’s lifecycle. The Chinese standard follows this principle but has its own set of criteria for companies operating in China.
- Risk Management: Just like ISO/SAE 21434, GB 44495-2024 emphasizes the importance of risk management. This involves continuous monitoring, risk assessments, and response measures to ensure that vehicles remain secure even as new threats emerge.
Key Differences from UNECE R155
Despite the alignment with international guidelines, GB 44495-2024 introduces some unique elements that differentiate it from UNECE R155.
CSMS Audit vs. Certification:
- GB 44495-2024: Companies need to pass a CSMS audit to prove compliance with the cybersecurity standards. However, unlike UNR155, this audit does not result in a certificate. This audit acts as a technical guideline and does not carry legal force unless incorporated into China’s Compulsory Certification (CCC) system. Additionally, there is no requirement for a three-year renewal or follow-up audits.
- UNR155: Requires companies to obtain a CSMS certificate, which must be renewed every three years. This process includes ongoing checks and follow-up audits to maintain certification.
Specific Testing Requirements:
- GB 44495-2024: Lists 27 specific cybersecurity tests that manufacturers must perform. These tests cover various aspects of vehicle cybersecurity, including external connections, communication systems, software updates, and data security. Each test comes with detailed instructions on how to comply.
- UNR155: Does not provide a detailed list of required tests, leaving it up to companies to determine how to meet the standard. This provides more flexibility but also requires companies to design their own testing protocols.
Rules for Extending Vehicle Approvals:
- GB 44495-2024: Introduces strict rules for extending cybersecurity approvals to other vehicle models. If there are differences between models, manufacturers must perform a risk assessment and possibly undergo additional testing before approval can be granted.
- UNR155: Offers more flexible guidelines for extending approvals, with fewer specific conditions for handling variations between models.
Implications for Manufacturers
The introduction of GB 44495-2024 will significantly impact automotive manufacturers, especially those targeting the massive and growing Chinese market. Vehicles in China will benefit from stronger protection against cyber threats, enhancing consumer safety as cybersecurity becomes crucial for connected vehicles. Manufacturers must comply with these new standards, which may require investing in new processes and technologies to maintain access to this critical market.
List of Tests
- Network Entry Protection: Prevent unauthorized access to vehicle networks.
- Remote Access Security: Shield against unauthorized remote access attempts.
- Data Transmission Encryption: Prevent unauthorized access to vehicle networks.
- Firmware Update Security: Secure the process of firmware updates.
- Malware Detection: Identify and mitigate malware threats.
- Data Storage Security: Protect sensitive data that is stored.
- Vehicle Network Isolation: Distinguish between critical and non-critical networks.
- Wireless Communication Security: Protect wireless communication protocols.
- Anomaly Detection: Identify unusual behavior within the system.
- System Redundancy: Ensure operational continuity through redundant systems.
- Cryptographic Key Management: Manage cryptographic keys securely.
- Physical Access Control: Restrict physical access to critical systems.
- Vehicle Immobilization: Prevent unauthorized immobilization of vehicles.
- End-of-Life Security: Maintain security throughout the vehicle’s lifecycle.
- External Connection Security: Safeguard USB, Wi-Fi, and Bluetooth interfaces.
- Authentication Mechanism: Implement strong user authentication processes.
- Data Integrity Check: Prevent unauthorized alterations to data.
- Software Integrity Check: Confirm the integrity of software remains intact.
- Incident Response: Establish effective responses to cybersecurity incidents.
- Access Control: Limit system access based on user roles.
- Inter-Module Communication Security: Secure communication within internal systems.
- Cybersecurity Logging: Maintain logs of cybersecurity events for auditing purposes.
- DoS Protection: Implement defenses against Denial of Service attacks.
- Security Patch Management: Apply security patches in a timely manner.
- Third-Party Component Security: Verify the security of third-party components.
- User Data Privacy Protection: Safeguard the privacy of user data.
- Supply Chain Security: Secure components throughout the supply chain.
Conclusion
GB 44495-2024 helps China close the gap in vehicle cybersecurity by aligning with international standards while adding market-specific requirements. As the automotive industry evolves, compliance with these new regulations will be crucial for manufacturers operating in China.
dissecto HydraVision simplifies this compliance process. Our intelligent security test environment allows manufacturers and suppliers to conduct cybersecurity tests on their products automatically and remotely. We continuously develop test cases for new threats reported by developers, dissecto Research, or third parties like Auto-ISAC. With dissecto HydraVision, you gain full control over all platform components, ensuring your vehicles are compliant and secure against emerging threats.
Do you have questions or need support?
We’re here to help! Reach out to us if you have any questions regarding dissecto HydraVision or our other services.