China’s New Vehicle Cybersecurity Standard: GB 44495-2024

China is making strides in vehicle cybersecurity with the release of a new standard, GB 44495-2024, which is set to raise the bar for protecting vehicles from cyber threats. This new regulation aligns with international guidelines such as UNECE R155 and ISO/SAE 21434 but introduces unique requirements tailored to the Chinese market. As the world moves towards connected and autonomous vehicles, these standards are critical to ensuring that vehicles remain secure throughout their lifecycle.

What Is GB 44495-2024 About?

GB 44495-2024 focuses on two main areas to enhance vehicle cybersecurity in China:

  • Cybersecurity Management System (CSMS): This requirement ensures that companies have robust processes in place to manage cybersecurity risks across the entire vehicle lifecycle, from design to decommissioning.
  • Technical Requirements for Vehicles: These are specific rules and tests designed to evaluate whether a vehicle meets the required cybersecurity standards. They include a checklist of tests that manufacturers must perform to validate the security of their vehicles.

How GB 44495-2024 Aligns with UNECE R155 and ISO/SAE 21434

GB 44495-2024 is not just a national regulation; it aligns closely with global standards to ensure consistency.

  1. CSMS Requirements: Both UNECE R155 and ISO/SAE 21434 demand a strong cybersecurity management system. This involves creating processes and systems to manage cybersecurity risks throughout a vehicle’s lifecycle. The Chinese standard follows this principle but has its own set of criteria for companies operating in China.
  2. Risk Management: Just like ISO/SAE 21434, GB 44495-2024 emphasizes the importance of risk management. This involves continuous monitoring, risk assessments, and response measures to ensure that vehicles remain secure even as new threats emerge.

Key Differences from UNECE R155

Despite the alignment with international guidelines, GB 44495-2024 introduces some unique elements that differentiate it from UNECE R155.

CSMS Audit vs. Certification:

  • GB 44495-2024: Companies need to pass a CSMS audit to prove compliance with the cybersecurity standards. However, unlike UNR155, this audit does not result in a certificate. This audit acts as a technical guideline and does not carry legal force unless incorporated into China’s Compulsory Certification (CCC) system. Additionally, there is no requirement for a three-year renewal or follow-up audits.
  • UNR155: Requires companies to obtain a CSMS certificate, which must be renewed every three years. This process includes ongoing checks and follow-up audits to maintain certification.

Specific Testing Requirements:

  • GB 44495-2024: Lists 27 specific cybersecurity tests that manufacturers must perform. These tests cover various aspects of vehicle cybersecurity, including external connections, communication systems, software updates, and data security. Each test comes with detailed instructions on how to comply.
  • UNR155: Does not provide a detailed list of required tests, leaving it up to companies to determine how to meet the standard. This provides more flexibility but also requires companies to design their own testing protocols.

Rules for Extending Vehicle Approvals:

  • GB 44495-2024: Introduces strict rules for extending cybersecurity approvals to other vehicle models. If there are differences between models, manufacturers must perform a risk assessment and possibly undergo additional testing before approval can be granted.
  • UNR155: Offers more flexible guidelines for extending approvals, with fewer specific conditions for handling variations between models.

Implications for Manufacturers

The introduction of GB 44495-2024 will significantly impact automotive manufacturers, especially those targeting the massive and growing Chinese market. Vehicles in China will benefit from stronger protection against cyber threats, enhancing consumer safety as cybersecurity becomes crucial for connected vehicles. Manufacturers must comply with these new standards, which may require investing in new processes and technologies to maintain access to this critical market.

Conclusion

GB 44495-2024 helps China close the gap in vehicle cybersecurity by aligning with international standards while adding market-specific requirements. As the automotive industry evolves, compliance with these new regulations will be crucial for manufacturers operating in China.

dissecto HydraVision simplifies this compliance process. Our intelligent security test environment allows manufacturers and suppliers to conduct cybersecurity tests on their products automatically and remotely. We continuously develop test cases for new threats reported by developers, dissecto Research, or third parties like Auto-ISAC. With dissecto HydraVision, you gain full control over all platform components, ensuring your vehicles are compliant and secure against emerging threats.

Do you have questions or need support?

We’re here to help! Reach out to us if you have any questions regarding dissecto HydraVision or our other services:

+ 49 941 4629 7370

contact-us@dissec.to