Automotive Cybersecurity: ISO/SAE 21434 Explained (Part 2)


Clauses 12 to 14 - Post-development phase

Clause 12 (Production), Clause 13 (Operations and maintenance) and Clause 14 (End of cybersecurity support and decommissioning) are collectively called the post-development phase. These three clauses are relatively short, so they are covered together here.

1. Clause 12 - Production



The production control plan covers:

a) the sequence of steps for applying the post-development cybersecurity requirements;

b) the production tools and equipment;

c) the cybersecurity controls that prevent unauthorized alteration during production; and

d) the methods used to confirm that the post-development cybersecurity requirements are met.


2. Clause 13 - Operations and maintenance



The cybersecurity incident response plan includes:

a) remedial actions;

b) a communication plan (drawing up the communication plan can involve internal stakeholders such as marketing or public relations, the product development team, legal, customer relations, quality management and purchasing);

c) assigned responsibilities for the remedial actions; the assignment can take into account:

  • expertise on the affected items or components, including legacy items and components;
  • organizational knowledge (e.g. business processes, communication, purchasing, legal); and/or
  • decision-making authority;

d) a procedure for recording new cybersecurity information related to the cybersecurity incident, such as:

  • the affected components;
  • related incidents and vulnerabilities;
  • forensic data, such as data logs or crash sensor data; and/or
  • end-user complaints;

e) a method for determining progress;

f) criteria for closing the cybersecurity incident response; and

g) the actions taken for closure.




3. Clause 14 - End of cybersecurity support and decommissioning








Clause 15 - TARA methods

1. Overview

Threat analysis and risk assessment (TARA) identifies the cybersecurity assets of a vehicle or system, analyses the threats they face, weighs attack feasibility against the damage an attack could cause, identifies the risks the vehicle or system is exposed to and assigns each a risk level. The result is the basis for security-by-design development and for prioritising vulnerability fixes.



  • Asset identification
  • Threat scenario identification
  • Impact rating
  • Attack path analysis
  • Attack feasibility rating
  • Risk value determination
  • Risk treatment decision


Item definition


  1. Item boundary: draw the system in an architecture diagram and put a box around the item; describe in words what is inside the box, what is outside it and what the interfaces are.

  2. Functions: the functions and use cases of the object under analysis and the activities it performs; these can be vehicle-level activities or activities anywhere in the lifecycle.

  3. Preliminary architecture: the components and the data flows between them.



  1. Constraints: functional, technical and regulatory constraints.

  2. Assumptions: they keep the report focused on the attacks that are actually possible and the protections that actually matter; anything that need not be analysed is scoped out by stating it as an assumption.


Cybersecurity claim: a statement about a risk that the organization commits to (for example, that a retained risk is acceptable under stated assumptions) and that then has to be monitored.

2. Asset identification


Assets can be divided into physical assets and data assets (ECU firmware, communication data, user privacy data, security algorithms and keys, etc.). Identifying the cybersecurity properties of each asset gives a list of assets with cybersecurity properties, from which the potential damage scenarios (DS) can be derived.


| Letter | Threat | Cybersecurity property | Description | Typical controls |
|---|---|---|---|---|
| S | Spoofing | Authenticity | The attacker impersonates a user or system by forging an identity. | Authentication |
| T | Tampering | Integrity | Integrity ensures that data (e.g. a message or stored data) has not been altered in any way. | Digital signatures |
| R | Repudiation | Non-repudiation | The attacker denies having performed an action. | Logging, digital certificates |
| I | Information disclosure | Confidentiality | Confidentiality ensures that only authorized entities can read data, so unauthorized entities are prevented from eavesdropping on, for example, restricted information. | Encryption |
| D | Denial of service | Availability | The attacker makes a system or service unavailable. | Backup, redundancy |
| E | Elevation of privilege | Authorization | Authorization ensures that a given entity, function or data can only be used by the users or entities permitted to use it; the attacker obtains access beyond their permissions. | Access control, privilege management |


  1. Assets with cybersecurity properties

  2. The potential damage scenarios (DS) derived from them

Damage scenario = the damage that can result when cybersecurity property Y of asset X is compromised

A damage scenario is described by:

  1. the unintended behaviour,

  2. the conditions under which it occurs, and

  3. the asset and cybersecurity property involved.

3. Threat scenario identification


Threat scenario = the way in which cybersecurity property Y of asset X is compromised

4. Impact rating

The impact of a damage scenario is rated in four categories: Safety, Financial, Operational and Privacy (S, F, O, P). Each category is rated on four levels: Severe, Major, Moderate and Negligible.

| Impact level | Safety | Financial | Operational | Privacy |
|---|---|---|---|---|
| Severe | S3: life-threatening injuries (survival uncertain) or fatal injuries | The financial damage leads to catastrophic consequences that the affected road user might not overcome. | The operational damage leads to the loss or impairment of a core vehicle function. Example 1: the vehicle does not work, or a core function behaves unexpectedly, such as entering limp-home mode or driving autonomously to an unintended location. | The privacy damage leads to significant or even irreversible impact on the road user. The information about the road user is highly sensitive and easy to link to a PII principal. |
| Major | S2: severe and life-threatening injuries (survival probable) | The financial damage leads to substantial consequences that the affected road user is able to overcome. | The operational damage leads to the loss or impairment of an important vehicle function. Example 2: serious annoyance of the driver. | The privacy damage leads to serious impact on the road user. The information about the road user is a) highly sensitive and difficult to link to a PII principal, or b) sensitive and easy to link to a PII principal. |
| Moderate | S1: light and moderate injuries | The financial damage leads to inconvenient consequences that the affected road user is able to overcome with limited resources. | The operational damage leads to partial degradation of a vehicle function. Example 3: user satisfaction is negatively affected. | The privacy damage leads to inconvenient consequences for the road user. The information about the road user is a) sensitive but difficult to link to a PII principal, or b) not sensitive but easy to link to a PII principal. |
| Negligible | S0: no injuries | The financial damage leads to no effect, negligible consequences, or consequences that are irrelevant to the road user. | The operational damage leads to no impairment or a non-perceivable impairment of a vehicle function. | The privacy damage leads to no effect, negligible consequences, or consequences that are irrelevant to the road user. The information about the road user is not sensitive and difficult to link to a PII principal. |

5. Attack path analysis


Top-down approach: starts from the threat scenarios and deduces the attack paths that could realise them (for example with attack trees). It suits a newly developed product, where much of the detailed input information is not yet available.

Bottom-up approach: starts from what is already known about the components and the attack patterns against them. For example, when a vulnerability inside the item is already known, its exploitation can be traced step by step up to the threat scenario at the root node of the tree.

6. Attack feasibility rating

The attack potential method rates how easy each attack path is to realise on four levels: High, Medium, Low and Very Low. It considers five parameters:

  1. Elapsed time: the time needed, given the state of expert knowledge, to identify the vulnerability and to develop and successfully apply the exploit.

  2. Specialist expertise: the attacker's capabilities in terms of skills and experience (layman; proficient; expert; multiple experts).

  3. Knowledge of the item or component: the information about the item or component that the attacker needs (public, e.g. enough can be learned from a website; restricted; confidential; strictly confidential).

  4. Window of opportunity: the access conditions that must hold for the attack to succeed (when the attack can be carried out).

  5. Equipment: the tools the attacker needs to discover the vulnerability or execute the attack (standard; specialized; bespoke; multiple bespoke).

Elapsed time. This parameter includes the time to identify a vulnerability and to develop and (successfully) apply an exploit, so the rating is based on the state of expert knowledge at the time of rating.

| Level | Description |
|---|---|
| ≤1 day | Identifying the vulnerability and developing and applying the exploit takes a very short time. |
| ≤1 week | A relatively short time, up to a week. |
| ≤1 month | A moderate time, up to a month. |
| ≤6 months | A long time, up to half a year. |
| >6 months | A particularly long time, more than half a year. |

Specialist expertise. This parameter relates to the capabilities of the attacker in terms of skill and experience.

| Level | Description |
|---|---|
| Layman | Unknowledgeable compared to experts or proficient persons, with no particular expertise. For example, someone who can only follow the simple instructions that come with available tools to mount a simple attack, and cannot make progress alone if the instructions or tools do not work as expected. |
| Proficient | Has general knowledge of the security field and is involved in the business, for example a workshop professional. Knows simple and popular attacks and can mount them with available tools, improvising where needed, e.g. odometer tuning or installing counterfeit parts. |
| Expert | Familiar with the underlying algorithms, protocols, hardware, structures, security behaviour, security principles and concepts, the techniques and tools for defining new attacks, cryptography, and the classical attack methods for the product or system type. |
| Multiple experts | Different fields of expertise are required at expert level for distinct steps of the attack. |

Knowledge of the item or component. This parameter relates to the amount of information about the item or component that the attacker has to acquire.

| Level | Description |
|---|---|
| Public | Available from the product homepage, the Internet, or information not restricted by a confidentiality agreement. |
| Restricted | Distributed only within the developer organisation, under NDA for the parts shared with partners; e.g. documents exchanged between OEMs and suppliers (requirements, design specifications). |
| Confidential | Distributed only among specific teams or members within the developer organisation; e.g. source code. |
| Strictly confidential | Known only to a few members, strictly controlled by core technical and managerial staff, with controlled and audited access; e.g. internal documentation of customer-specific calibrations or memory layouts, root keys, signing keys. |

Window of opportunity. This parameter relates to the access conditions (type and time) needed to perform the attack successfully. It combines access type (logical or physical) with access duration (unlimited or limited). Depending on the attack, it can include discovering possible targets, gaining access to a target, getting the exploit to work on the target, the time needed to carry out the attack, remaining undiscovered, and circumventing detection and cybersecurity controls.

| Level | Description |
|---|---|
| Unlimited | High availability via a public or untrusted network with no time limitation (the target is always accessible): logical or remote access without physical presence and without time limits, or unlimited physical access to the target. Examples: wireless or Internet access such as V2X or cellular interfaces. |
| Easy | High availability but limited time: logical or remote access without physical presence, or limited physical access. Examples: entering an unlocked vehicle, accessing an exposed physical interface, or a remote attack that requires the vehicle to be stationary. |
| Moderate | Low availability of the target: limited physical and/or logical access. Physical access to the vehicle interior or exterior without any special tool (e.g. opening the hood to reach wiring). |
| Difficult | Very low availability of the target: physical access requiring complex disassembly of vehicle parts to reach the internals. In the limit, no practical attack window exists, because the required access time is too long or too many targets would have to be reached. |

Equipment. This parameter relates to the tools the attacker needs to discover the vulnerability and/or execute the attack.

| Level | Description |
|---|---|
| Standard | Readily available to the attacker for identifying the vulnerability or mounting the attack; may be part of the target itself (e.g. a debugger in the operating system) or easy to obtain (an Internet download, a protocol analyser, a simple attack script). Examples: simple OBD diagnostic tools, common IT equipment such as a laptop. |
| Specialized | Not readily available to the attacker, but obtainable without undue effort and relatively simple to operate: e.g. power-analysis tools, a network of hundreds of computers, or attack scripts and programs that take substantial development; in automotive terms, in-vehicle communication devices or expensive vehicle diagnostic tools. If different steps of the attack need different specialised equipment, the combination can be rated as bespoke. |
| Bespoke | Not readily available to the public and must be specially produced (e.g. very sophisticated software), or equipment so specialised or expensive that its distribution is strictly controlled. |
| Multiple bespoke | Several pieces of bespoke equipment must be built and combined to carry out the attack. |


7. Risk value determination

The risk value of a threat scenario is determined from the impact rating of its damage scenario and the attack feasibility rating of the threat scenario, usually by looking both up in a risk matrix.

8. Risk treatment decision


1. Avoid the risk, e.g. by removing the risk source (the affected function or interface);


2. Reduce the risk, by deriving cybersecurity goals and a cybersecurity concept;


3. Share the risk, e.g. by buying insurance or contractually transferring it to a supplier;


4. Retain the risk, documented by a cybersecurity claim about the risk.
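The steps in sections 6 to 8 are mechanical once the parameters are rated, so here is an added worked example (not code from the article or from the standard) that scores two attack paths of one constructed threat scenario, derives the threat scenario's feasibility, looks up the risk value and maps it to a treatment option. The numeric weights, the feasibility bands and the risk matrix are assumptions: they are quoted from my own reading of the informative annexes of ISO/SAE 21434:2021 (Annex G for attack potential, Annex H for the example risk matrix), and the treatment thresholds are a hypothetical organisational policy. The names `AttackPath`, `assess_brake_scenario` and the sample threat scenario are invented for the example.

```python
"""Worked TARA scoring for one threat scenario: attack potential ->
attack feasibility rating -> risk value -> risk treatment option.

Assumptions (not taken from the article): the numeric weights and bands are
as I read them in the informative annexes of ISO/SAE 21434:2021 (Table G.4 /
G.5 for attack potential, Table H.8 for the example risk matrix). Check them
against your own copy of the standard before using this in a real TARA."""
from __future__ import annotations

from dataclasses import dataclass

# Attack potential weights per parameter (assumed Table G.4 values).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4,
                "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7,
             "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7,
             "multiple bespoke": 9}

FEASIBILITY_ORDER = {"Very low": 0, "Low": 1, "Medium": 2, "High": 3}
IMPACT_ORDER = {"Negligible": 0, "Moderate": 1, "Major": 2, "Severe": 3}

# Example risk matrix (assumed Table H.8): impact level x feasibility -> risk value 1..5.
RISK_MATRIX = {
    "Negligible": {"Very low": 1, "Low": 1, "Medium": 1, "High": 1},
    "Moderate":   {"Very low": 1, "Low": 2, "Medium": 2, "High": 3},
    "Major":      {"Very low": 1, "Low": 2, "Medium": 3, "High": 4},
    "Severe":     {"Very low": 2, "Low": 3, "Medium": 4, "High": 5},
}


@dataclass(frozen=True)
class AttackPath:
    """One attack path of a threat scenario, rated on the five parameters."""
    name: str
    elapsed_time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def attack_potential(self) -> int:
        # Sum of the five parameter values; a KeyError flags a misspelt level.
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE[self.knowledge] + WINDOW[self.window]
                + EQUIPMENT[self.equipment])


def feasibility_rating(potential: int) -> str:
    """Map a summed attack potential to a feasibility rating (assumed Table G.5 bands)."""
    if potential <= 13:
        return "High"
    if potential <= 19:
        return "Medium"
    if potential <= 24:
        return "Low"
    return "Very low"


def scenario_feasibility(paths: list[AttackPath]) -> str:
    """A threat scenario is rated as feasible as its most feasible attack path."""
    return max((feasibility_rating(p.attack_potential()) for p in paths),
               key=FEASIBILITY_ORDER.__getitem__)


def risk_value(impacts: dict[str, str], feasibility: str) -> int:
    """Risk value from the worst S/F/O/P impact of the damage scenario and the
    feasibility rating of the threat scenario."""
    worst = max(impacts.values(), key=IMPACT_ORDER.__getitem__)
    return RISK_MATRIX[worst][feasibility]


def treatment_option(risk: int) -> str:
    """Hypothetical organisational policy; the standard leaves thresholds to the organisation."""
    if risk >= 4:
        return "reduce (derive cybersecurity goals) or avoid"
    if risk >= 2:
        return "reduce or share"
    return "retain (record a cybersecurity claim)"


# Constructed example: threat scenario "spoofed brake-request message on the
# chassis CAN (loss of authenticity of the brake command)" with two attack paths.
REMOTE_PATH = AttackPath("remote via cellular interface of the telematics unit",
                         "<=6 months", "multiple experts", "confidential",
                         "unlimited", "specialized")
OBD_PATH = AttackPath("message injection on the OBD-II connector",
                      "<=1 week", "proficient", "public", "moderate", "standard")
BRAKE_IMPACTS = {"Safety": "Severe", "Financial": "Major",
                 "Operational": "Severe", "Privacy": "Negligible"}


def assess_brake_scenario() -> dict[str, object]:
    feas = scenario_feasibility([REMOTE_PATH, OBD_PATH])
    risk = risk_value(BRAKE_IMPACTS, feas)
    return {"feasibility": feas, "risk": risk, "treatment": treatment_option(risk)}


if __name__ == "__main__":
    for path in (REMOTE_PATH, OBD_PATH):
        ap = path.attack_potential()
        print(f"{path.name}: attack potential {ap} -> {feasibility_rating(ap)}")
    print(assess_brake_scenario())
```

The remote path sums to 36 (Very low feasibility) while the OBD path sums to 8 (High), so the threat scenario is rated High and, combined with a Severe safety impact, lands at risk value 5. This is the practical lesson of rating per path: a TARA that only considers the remote route understates the risk, because the scenario is as feasible as its cheapest path. Using the dictionaries for the parameter levels also means a misspelt level raises a KeyError instead of silently scoring zero.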






Difference between a cybersecurity goal, a cybersecurity concept and a cybersecurity specification

  1. Cybersecurity properties: confidentiality, integrity, availability (C.I.A.)

  2. Cybersecurity goal, for example: protect the confidentiality of personal data

  3. Cybersecurity concept, for example: personal data must be encrypted

  4. Cybersecurity specification, for example: personal data is encrypted with AES-128



Suppliers: TARA at the function (component) level


