Due to the development of intelligence and networking, the electrical architecture of automobiles is constantly changing, and software defining automobiles is gradually becoming possible. Currently, a car contains hundreds of millions of lines of code, and it is expected to reach 300 million lines by 2030. According to statistics, there are errors in every 1800 lines of code, of which 80% are security vulnerabilities. So automotive information security is the fourth major security issue for automobiles after active safety, passive safety, and functional safety.

　　Xu Siliang | Director of Qi'anxin Internet of Vehicles Security Laboratory

　　Due to the development of intelligence and networking, the electrical architecture of automobiles is constantly changing, and software defining automobiles is gradually becoming possible. Currently, a car contains hundreds of millions of lines of code, and it is expected to reach 300 million lines by 2030. According to statistics, there are errors in every 1800 lines of code, of which 80% are security vulnerabilities. So automotive information security is the fourth major security issue for automobiles after active safety, passive safety, and functional safety.

　　In response to information security, Qi'anxin has built an intelligent connected vehicle trusted protection system. Through the security protection of the vehicle and roadside, it can timely detect security risks, eliminate potential security incidents, and provide risk management measures through overall security protection and multi-level linkage.

　　Xu Siliang, director of the Internet of Vehicles Security Laboratory, stated that the application of information security governance in the financial field is already in a mature stage, and relevant governance of the Internet of Vehicles can be used for reference. First, manage and then govern, sort out business and identify important assets; Secondly, make up for the shortcomings and strengthen the foundation, and do a good job in basic safety protection; Three system governance, classification and grading of vehicle networking data; Fourth, carry out system planning and architecture development; Fifth, orderly construction, hierarchical control and protection, and scenario based scheme construction.

　　The following is a summary of the speech content:

　　The automotive industry is the pearl of modern industry, and intelligent connected vehicles are the product of the deep integration of the automotive industry and the digital industry, driving the development of industries such as information communication, the Internet of Things, big data, and artificial intelligence. Intelligent connected vehicles have become an advanced manufacturing new development highland for building a digital and technological powerhouse.

　　The car ownership is continuously increasing at a rate of nearly 20 million units per year. Compared to gasoline powered vehicles, new energy and electric vehicles have a quieter space. Nowadays, many manufacturers are developing a third space, which is to use intelligent connected vehicles as large mobile spaces to seamlessly connect the entire home road office digital services. Extend new digital scenes beyond traffic attributes.

　　Due to the rapid development of intelligent connected vehicles, the development of the intelligent connected vehicle industry has risen to the level of national strategic deployment. The country has also introduced relevant development strategies and released the "Intelligent Vehicle Innovation and Development Strategy" in 2020. It is expected that by 2025, the technical innovation, industrial ecology, infrastructure, regulatory standards, product supervision, and network security system of China's standard intelligent vehicles will be basically formed.

　　Intelligent connected vehicles are facing network security risks

　　Based on the development trend of intelligent connected vehicles, it has mainly had an impact on three aspects.

　　Firstly, software defines cars. The automotive telecommunications architecture is in a period of transformation, with software complexity increasing from distributed ECUs to domain integration, as well as centralized architectures with central clusters. It is expected to reach 300 million lines of code by 2030. For the information security industry, there is a bug every 1800 rows, of which 80% are security vulnerabilities. Especially with the rapid development in the future, more open source libraries or software, as well as supply chain software, will be introduced, which will lead to more security risks for automotive software.

　　Secondly, networking is irreversible. It is estimated that 20 million new ICVs will be built in 2025, with a cumulative market penetration rate of more than 100 million, and a market penetration rate of more than 75%.

　　Thirdly, unmanned driving is developing rapidly. The L4/L5 level features will be mass-produced around 2025, with a penetration rate expected to reach 5%. By 2040, all new cars will be equipped with autonomous driving functions.

　　From the development and trend of intelligence and networking, automotive information security is the fourth major security issue in automobiles after active safety, passive safety, and functional safety.

　　Image source: Guest speech materials

　　The security threats of intelligent connected vehicles involve a wide range of aspects. From the perspective of the supply chain, they can be divided into supply chain security risks, namely internal security threats, and eight supply security risks, namely external security threats, involving four levels: vehicle, network, road, cloud, and so on.

　　In intelligent connected vehicles, many related components are affected by data security risks. From the collection of data on the Mechanical floor of the vehicle end to the cloud layer, the whole process of circulation is very complex, and the risks of the Internet of Vehicles are: the integration of the Internet of Vehicles and big data technology is prone to excessive data collection and abuse. In order to improve the user experience, the OEMs may collect some sensitive data, including the owner's real name, facial features and other identity information, resulting in data abuse; The long industrial chain and direct communication methods increase the risk of data theft and tampering, and the security protection objects in each link are complex and diverse. However, lax access control, improper data storage, or network attacks in any link may lead to malicious theft of user data; The highly integrated global industrial chain of the Internet of Vehicles (IoV) poses security risks to cross-border data flow. The automotive industry is a highly globalized industry, and there are also many imported components. How to ensure compliant cross-border data flow is also a security risk that needs to be paid attention to.

　　In terms of policies and regulations, various countries have successively introduced privacy laws related to data, such as the California Consumer Privacy Act in the United States, the GDPR in the European Union, and the "Privacy Protection Principles for Automotive Data and Services" proposed by the International Manufacturers Association, which also emphasize regulations on data flow. China has also introduced relevant laws and regulations, and the laws and regulations of the automotive industry are based on three major laws: the Personal Information Protection Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Cybersecurity Law of the People's Republic of China. The automotive industry has completed the implementation and implementation of data security in response to the three upper level laws. Including the "Several Regulations on Automotive Data Security Management (Trial)" launched in 2021, many standards related to data security are based on the implementation and dismantling of this regulation, and gradually formed a domestic data security guarantee system for the Internet of Vehicles.

　　Image source: Guest speech materials

　　Both the components and the entire vehicle must undergo safety testing and evaluation before leaving the factory, and any safety issues should be promptly repaired.

　　Exploration and Practice of Intelligent Connected Vehicle Network Security

　　Qi'anxin's exploration of intelligent connected vehicle safety has formed an overall architecture system for intelligent connected vehicle safety.

　　Image source: Guest speech materials

　　Starting from the Internet of Vehicles security standard system, we provide VSOC Internet of Vehicles Security Operation Center, Internet of Vehicles Security Compliance Testing Platform, Internet of Vehicles Security Empowerment Platform, and Vehicle Road Collaborative Security Protection System for the entire enterprise and institution.

　　Qi'anxin has also built an intelligent connected vehicle trusted protection system network topology, which embeds probes for security awareness from the vehicle end. There are also security protection devices on the access switch of the vehicle road collaboration, which can sense the asset situation under the intersection switch. The firmware in the asset can be compared by extracting fingerprints to identify whether the asset is forged. If the device is tampered with by humans, it can be detected in a timely manner. It is possible to timely identify safety risks, eliminate potential safety incidents, and provide risk management measures while meeting policy and regulatory requirements.

　　The intelligent connected vehicle trusted protection system built by Qi'anxin can provide terminals for hybrid networks; Having a rich device fingerprint library and protocol parsing library, it can parse the entire vehicle road collaboration related protocols, including IT related protocols and V2X related protocols; Accurately perceive the access of counterfeit devices through machine learning modeling; Rich access compliance inspection schemes, isolating anomalies and real-time blocking; Bypass deployment does not change the network, increase fault points, or affect business; Support centralized management and decentralized zoning management mode.

　　Image source: Guest speech materials

　　Qi'anxin and enterprises and institutions have also established an automobile safety protection and monitoring platform, which completes abnormal threat assessment through multi-layer processing of collection layer, data layer, service layer, and business layer.

　　Due to the fact that data security is already relatively complete in other industries, especially in the financial industry, it is necessary to sort out how to build an intelligent connected vehicle data security management system based on this. It can be divided into three major stages. The first stage is to first manage and then treat, and to supplement and solidify the foundation; The second is system governance and system planning; The third is orderly construction and continuous operation.

　　In the first stage, we will first sort out the business, identify important assets, and then make up for the shortcomings and strengthen the foundation. We will do a good job in basic security protection. Data security and information security are inseparable, and without a good foundation in information security, let alone data security. For example, data leakage may be due to insufficient information security construction, and doing more products on this is futile. Therefore, it is necessary to do a good job in basic security protection.

　　In the second stage, system governance will be carried out, with the classification of vehicle networking data, followed by system planning, setting goals, management systems, technical systems, operational systems, etc.

　　In the third stage, orderly construction will be completed, with graded control and protection, as well as scenario based scheme construction. Finally, continuous operation will be achieved through experts, processes, and platforms.

　　Qi'anxin provides ground preparation security protection for the vehicle road collaboration demonstration area through the vehicle road collaboration comprehensive security protection system. In the vehicle road collaboration scenario, Qi'anxin's vehicle network edge trusted protection system achieves security management functions such as discovery and identification of vehicle network devices, access perception and user identification, unified access control of multiple types of devices, counterfeit detection and disposal, security compliance inspection, status monitoring, IP address management and usage monitoring.

　　Image source: Guest speech materials

　　Qi'anxin's vision is to create smart cars, smart roads, and safe car networking.

　　(The above content is from Xu Siliang, Director of Qi'anxin Vehicle Internet Security Laboratory, who delivered a keynote speech on "Building an Intelligent Connected Vehicle Deep Security Protection System with One Vehicle, One Road, One Data" at the 2nd China Automotive Information Security and Data Security Conference on April 20-21, 2023.)