Analysis of Cybersecurity in Intelligent Connected Vehicles

Analysis of Cybersecurity in Intelligent Connected VehiclesAnalysis of Cybersecurity in Intelligent Connected VehiclesAnalysis of Cybersecurity in Intelligent Connected VehiclesAnalysis of Cybersecurity in Intelligent Connected VehiclesAnalysis of Cybersecurity in Intelligent Connected Vehicles

Scan to Subscribe to “China Information Security”

Postal code 2-786

Subscription hotline: 010-82341063

Written by | National Industrial Information Security Development Research Center Li Li Liu Dong Liu YangWith the deep integration of automobiles with artificial intelligence, information communication, electrical automation, and other technologies, intelligent connected vehicles have gradually developed into a new generation of mobile intelligent terminals, significantly promoting the innovation of transportation methods. As the process of automobile intelligence, connectivity, and electrification accelerates, new safety risks and challenges are increasingly prominent. How to ensure the network security and data security of intelligent connected vehicles has become a key issue for ensuring the healthy development of the industry.

1. Analysis of the Security Situation of Intelligent Connected Vehicles in China

(1) China Places High Importance on the Development of Intelligent Connected Vehicle Security

General Secretary Xi Jinping has repeatedly issued important instructions, emphasizing that there is no national security without cybersecurity. Under the guidance of Xi Jinping’s important thoughts on building a strong network and manufacturing power, China has successively introduced laws and regulations such as the “Cybersecurity Law”, “Data Security Law”, “Personal Information Protection Law”, and “Regulations on the Security Protection of Critical Information Infrastructure”, taking a series of measures to promote the establishment of a comprehensive governance system for national cybersecurity. As an important strategic direction for the transformation and upgrading of the automotive industry, the network security and data security of intelligent connected vehicles have received high attention from the Chinese government. National authorities have formulated and issued a series of policy documents to strengthen the safety management and protection capability construction of intelligent connected vehicles, promoting the safe and healthy development of the automotive industry. In July 2021, the Ministry of Industry and Information Technology issued the “Opinions on Strengthening the Access Management of Intelligent Connected Vehicle Manufacturing Enterprises and Products”, reinforcing enterprise responsibility and enhancing management of automotive data security and network security to ensure product quality and production consistency. In November 2023, the Ministry of Industry and Information Technology and four other departments issued a notice on conducting pilot work for the access and road testing of intelligent connected vehicles. For intelligent connected vehicles equipped with autonomous driving functions, the notice proposed requirements for the network security and data security assurance capabilities of automotive manufacturing enterprises, product network and data security requirements, and user network and data security assurance capability requirements. Through pilot work, it aims to guide intelligent connected vehicle manufacturers and users to strengthen capability construction, promote product functionality and performance improvement, and optimize the industrial ecosystem. For pilot enterprises or users that fail to fulfill security responsibilities and obligations, a suspension of the pilot and rectification will be required. In January 2024, the Ministry of Industry and Information Technology and five other departments issued a notice on conducting pilot applications for the “Vehicle-Road-Cloud Integration” initiative, clarifying that pilot cities should have provincial or municipal intelligent connected vehicle security monitoring capabilities and automotive network security and data security management capabilities, promoting the enhancement of urban security assurance capabilities and the large-scale demonstration application of the “Vehicle-Road-Cloud Integration” and exploration of new business models.(2) Rapid Development of the Industry Accompanied by Cybersecurity RisksIn recent years, the intelligent connected vehicle industry has developed rapidly, and the market size has significantly increased. According to statistics from the Ministry of Public Security in January 2024, the number of vehicles in China has reached 336 million, with 94 cities having more than 1 million vehicles. By the end of 2023, the number of new energy vehicles reached 20.41 million, accounting for 6.07% of the total number of vehicles. According to relevant data from the Ministry of Industry and Information Technology, in 2022, about 7 million new intelligent connected passenger vehicles equipped with combined driving assistance systems were sold, with a market penetration rate of 34.9%. In the first half of 2023, the market penetration rate increased to 42.4%, indicating that the intelligent connected vehicle industry has entered a high-speed development stage. At the same time, as the innovation process of automotive connectivity and intelligence accelerates, safety features have become increasingly complex, and new safety risks and challenges have become more prominent. The application scenarios of the Internet of Vehicles (IoV) have raised higher requirements for network security and data security assurance capabilities. Research shows that the IoV has the safety characteristics of “five dangers and one integration”, which are closely related to personal safety, have a wide range of risks, involve massive data circulation that is difficult to control, pose challenges for intelligent network supervision, and have risks that spread across multiple networks, directly impacting personal safety, traffic safety, public safety, and even national security. If intelligent connected vehicles are attacked and remotely controlled by criminals, it could endanger the life and property safety of passengers and others. If the production systems and office networks of enterprises are invaded, it could paralyze production lines and affect normal operations, thereby impacting the entire industrial chain.(3) Increasing Threats from Cybersecurity and Data Security Risk EventsCurrently, cybersecurity incidents in the automotive industry are frequent, making it a potential target for cyber attacks, with a complex and severe security situation. According to Upstream’s “2023 Global Automotive Cybersecurity Report”, in 2022, remote communication and application servers accounted for 35% of cybersecurity incidents in the automotive industry, while keyless remote entry systems accounted for 18%. Remote contactless attacks have become a major form of security threat. Research indicates that in 2023, there were 29 major publicly disclosed vulnerability incidents globally, including 11 vehicle-side vulnerabilities, 8 IoV platform vulnerabilities, and 7 data leakage or ransom incidents, highlighting significant dangers. In recent years, data security incidents in the automotive industry have continued to occur, negatively impacting industrial development and public opinion. For example, at the end of 2022, millions of user data from a domestic new force automotive company were leaked, with hackers demanding a ransom of millions of dollars. The leaked data involved personal identity information, emergency contact information, home addresses, and intimate relationship details of vehicle owners. If analyzed and exploited by criminals, it could endanger users’ personal property and even life safety. In February 2023, Toyota’s global supplier information management system was hacked, exposing the email accounts of over 14,000 suppliers and related confidential documents, allowing criminals to modify data through this backdoor to disrupt Toyota’s global operations or conduct targeted phishing attacks, posing a significant security threat.

2. Analysis of Typical Practices for Network and Data Security of Intelligent Connected Vehicles

In response to the new challenges posed by network and data security for intelligent connected vehicles, relevant authorities, research institutions, enterprises, and other parties in China are actively taking action and continuously carrying out relevant practices to steadily promote the establishment and improvement of the safety management mechanism for intelligent connected vehicles, deeply serving the personal safety needs of vehicle owners, and continuously strengthening the technical assurance capabilities for the safety of intelligent connected vehicles.

(1) Establishing Standards and Norms to Steer Safety DevelopmentChina is focusing on the overall situation of intelligent connected vehicle safety development, coordinating and systematically planning the standardization work for IoV safety, and actively leveraging standards to guide and regulate safety development. In February 2022, the Ministry of Industry and Information Technology released the “Guidelines for the Construction of a Standard System for IoV Network Security and Data Security”, which clarified over 100 standard tasks in six directions, including overall and basic commonality, terminal and facility network security, connected communication security, data security, application service security, and security assurance and support. According to the “IoV Security Standardization White Paper (2023)”, China has published 21 IoV security standards and developed 68 standards, making positive progress in the overall standardization work. Relying on standardization organizations such as the China Communications Standardization Association, the National Automotive Standardization Technical Committee, and the National Information Security Standardization Technical Committee, as well as research institutions like the National Industrial Information Security Development Research Center, automotive companies like Zhejiang Geely Automobile Research Institute Co., Ltd., and security companies like Zhengzhou Xinda Jiexin Information Technology Co., Ltd., along with universities like Beijing Institute of Technology, actively promote the formulation of international, national, and industry standards, steadily advancing the construction of the standard system and practical guidance. For example, the National Industrial Information Security Development Research Center is actively promoting the development of industry standards for IoV network and data security in cooperation with the China Communications Standardization Association. In terms of data security, standards such as the “Classification and Important Data Identification Rules for IoV Data”, “Personal Information Security Protection Requirements and Evaluation Methods for IoV”, “IoV Data Outbound Security Assessment Specifications”, and “Implementation Specifications for Data and Personal Information Desensitization in IoV” have been developed. In terms of network security, standards such as the “IoV Network Security Risk Classification and Grading Guide” and the “IoV Network Security Risk Assessment Specifications” have been established. In terms of security testing, standards such as the “Safety Protection and Testing Requirements for Removable Connected Devices in Vehicles” and the “Safety Technical Requirements and Testing Methods for IoV Facilities and Equipment” have been formulated. In terms of security management, standards like the “IoV Supply Chain Network Security Risk Management Guidelines” and the “IoV Network Security Capability Maturity Model” have been established.(2) Enhancing Owner Services to Secure Personal ProtectionIntelligent connected vehicles are closely related to the personal safety, property safety, data, and personal information security of vehicle owners and pedestrians. In the event of a large-scale automotive data leakage incident, it can easily trigger nationwide negative public opinion, impacting the orderly development of the intelligent connected vehicle industry. To enhance vehicle owners’ confidence in personal privacy and driving safety, provide reference guidance for the safe development of the automotive industry, and support decision-making for regulatory authorities, it is necessary to conduct safety research on existing intelligent connected vehicles in China and organize targeted safety service assurance work for vehicle owners. From 2022 to 2023, the National Industrial Information Security Development Research Center and other institutions conducted a survey on personal privacy and data security risks of existing vehicle owners through interviews, questionnaires, on-site testing, desk analysis, and expert consultations. This research aimed to understand the current state of network and data security of existing vehicles in China, uncover the personal privacy and data security protection needs of vehicle owners, and provide important references for the next steps in advancing safety services and protections for vehicle owners. A total of 1,272 questionnaires were distributed, covering 29 provinces (municipalities, regions), with 100 on-site interviews conducted and safety tests completed for 53 automotive brands and 128 vehicle models, leading to the following three conclusions: Firstly, personal vehicle owners are highly concerned about government management measures and security risk events, lacking trust and a sense of security regarding automotive data security protection capabilities. The survey indicates that, on one hand, 57.4% of vehicle owners frequently pay attention to news about the release and interpretation of automotive data security-related laws and regulations, and 82% often follow news about violations related to the unauthorized collection or leakage of personal sensitive information. Vehicle owners generally have a high level of attention to automotive data security management and risk events. On the other hand, 91.7% of vehicle owners are most concerned about unauthorized collection or leakage of personal information such as names, contact information, addresses, and ID card numbers. Additionally, 75.3% of vehicle owners have concerns about sharing personal sensitive information for the convenience of vehicle use, indicating significant worries about the current state of automotive data security protection. Secondly, most existing vehicles still have many issues regarding data collection, processing, and compliant use, and most personal vehicle owners lack awareness of automotive data security. The survey shows that 83.3% of vehicles did not prompt authorization requests or privacy clauses before collecting data, or the clauses lacked an option to refuse, or refusal resulted in the inability to use related service functions and permissions. Furthermore, 54.2% of vehicles did not inform users significantly about the types of personal information being processed (including vehicle location trajectories, driving habits, audio, video, images, and biometric features). Meanwhile, 66.7% of vehicle owners are unclear about the collection of personal sensitive information by automotive cameras, audio-video devices, ECU, and other processing units, and 70.3% lack understanding of the automotive network data security situation. Thirdly, automotive data security risks are prominent, with most vehicle owners encountering various types of security issues and lacking effective channels for complaints and problem resolution, resulting in a sharp contradiction between development and security. The survey shows that, on one hand, most existing intelligent connected vehicles have varying degrees of security vulnerabilities, such as 35% of vehicles having unreliable communication protocols with service platforms, 31% lacking verification mechanisms for in-vehicle communication, and 17% missing secure data storage mechanisms for vehicle-side data, which can lead to malicious theft or tampering of personal information and important data. On the other hand, many vehicle owners have experienced various security issues during driving, such as automatic reboots of the vehicle system, loss of cached data, and ineffective verification of Bluetooth connections, with only 42.1% of vehicle owners stating they had a complaint channel to timely report issues, significantly reducing their trust in intelligent connected vehicles.(3) Promoting Application Assurance to Upgrade the Engine of Industrial GrowthStrengthening the technical assurance capabilities for intelligent connected vehicle safety effectively enhances security protection capabilities, ensuring the stable development of the intelligent connected vehicle industry. It is essential to strengthen the deep integration of industry, academia, and research, developing safety solutions that align with business realities and promoting widespread application in the industry. In June 2021, the Ministry of Industry and Information Technology organized pilot work for IoV identity authentication and security trust, focusing on four directions: secure communication between vehicles and the cloud, vehicles and vehicles, vehicles and roads, and vehicles and devices. It selected organizations such as basic telecommunications enterprises, automotive manufacturers, electronic component companies, cybersecurity enterprises, as well as construction and operation units of advanced demonstration zones for cybersecurity innovation applications and national IoV pilot zones to carry out pilot work, accelerating the construction of IoV network security assurance capabilities and establishing an IoV identity authentication and security trust system, promoting the application of commercial cryptography, and ensuring the security of cellular IoV (C-V2X) communication. The Ministry of Industry and Information Technology and 14 other departments actively carried out pilot demonstration work for cybersecurity technology applications. In the 2023 pilot work, it clarified typical scenarios such as online upgrades (OTA), remote diagnostics and monitoring, autonomous driving, vehicle-road collaboration, and smart transportation, addressing the security needs for communication between vehicles, clouds, and devices. It focused on security certification and communication security assurance for intelligent driving systems, critical connected devices, network infrastructure, and IoV service platforms, conducting pilot demonstrations in areas such as lightweight protection for IoV security, security certification, threat monitoring, emergency response, and testing and evaluation, guiding the application of advanced cybersecurity technologies, and promoting the high-quality development of the cybersecurity industry in the fields of IoV and intelligent connected vehicles. In September 2023, the Ministry of Industry and Information Technology organized the selection of typical cases for data security in the industrial and information technology fields, focusing on the automotive data security protection direction, selecting integrated solutions for the anonymization of facial information outside the vehicle, in-vehicle data processing, and significant notification of personal information processing, to fully leverage the exemplary role of typical cases in the development of the data security industry and effectively enhance the data security assurance level in the automotive and industrial information technology fields.

3. Reflections and Suggestions

Based on the new development stage and seizing the opportunities for the transformation and development of the intelligent connected vehicle industry, it is necessary to be guided by laws and regulations, conduct in-depth research and analysis of industry development trends, strengthen the supply of technical services in the industry, drive innovation in industrial safety development, and improve the automotive safety assurance system for the benefit of the people and the industry, creating a new pattern of “ensuring development through safety and promoting development through safety”.

(1) Use Standardized Development as a Guideline to Accelerate the Improvement of Safety Top-Level DesignImprove the legal system related to network and data security for intelligent connected vehicles, formulate detailed documents such as risk assessment methods for network and data security in the IoV field, and ensure compliance and safety throughout the entire lifecycle of intelligent connected vehicle product development, testing, and road use, establishing a comprehensive safety supervision system. Accelerate the release of urgently needed standards for personal information protection in automobiles, supply chain security management, capability maturity models, roadside device testing, and cryptography applications, comprehensively covering hardware, software, communication, and data security, promoting standard dissemination and pilot applications, strengthening the construction of safety assessment and certification systems, and providing effective guidance for enterprises to enhance their security capabilities.(2) Drive Industry Empowerment by Strengthening the Supply of Technical Service TalentEncourage the industry to conduct joint research and tackle challenges, strengthen breakthroughs and innovations in intelligent connected vehicle safety technologies, and support enterprises in increasing investment in key security technologies and product research and development to deliver high-quality safety products and services to the industry. Establish a cooperation mechanism among industry, academia, and research, develop relevant disciplines and training courses on network and data security for intelligent connected vehicles based on actual employment needs of enterprises, and set up safety training bases to cultivate high-level talent on a large scale. Improve network and data security testing and evaluation services for intelligent connected vehicles and onboard devices, enhance the safety level of automotive supply chain products, and establish a network security management mechanism for the supply chain. Promote and share excellent cases, disseminate enterprises’ safety practice experiences, innovate service models, and empower high-quality development in the industry.(3) Serve the Public as the Foundation to Deepen Promotion, Education, and ResearchTargeting individual users, conduct in-depth inspections and research on network and data security for intelligent connected vehicles, categorizing based on automotive brands, vehicle usage, user habits, etc., to investigate the risk status of existing intelligent connected vehicles and assist in enhancing protective capabilities. Through safety inspections, comprehensively identify safety hazards in existing vehicles and guide users to take timely safety measures to protect their legal rights. Through research, understand user driving conditions and actual safety needs, educate users on automotive safety protection knowledge and methods, and enhance user safety awareness. Based on the results of inspections and research, provide decision-making support and basis for relevant authorities, promote the iteration and optimization of automotive products, and encourage automotive companies to strengthen safety performance design, committed to enhancing the sense of acquisition, happiness, and safety of the majority of automotive users.

(This article was published in the “China Information Security” magazine, 2024 Issue 2)

Share Cybersecurity Knowledge to Strengthen Cybersecurity Awareness

Welcome to Follow the Official Douyin Account of “China Information Security” Magazine

Analysis of Cybersecurity in Intelligent Connected Vehicles

“China Information Security” Magazine Strongly Recommends

“Enterprise Growth Plan”

Click the image below for details

Analysis of Cybersecurity in Intelligent Connected Vehicles

Leave a Comment