logo
stripes
logo
stripes

Risk Management (GB/T 44495)

This page outlines a practical, non-normative risk management approach aligned with GB/T 44495 and consistent with ISO/SAE 21434 and UNECE R155. It focuses on lifecycle coverage, supplier integration, and traceable evidence suitable for China-market vehicle types and variants.

Objectives

  • Identify assets, threats, and vulnerabilities relevant to the vehicle and services.
  • Evaluate feasibility and impact to prioritize risks.
  • Select proportionate treatments and verify their effectiveness.
  • Maintain end-to-end traceability and keep risks updated from field feedback.

Process (At a Glance)

  1. Context & Scope – define item boundaries, interfaces, dependencies, and CN variants.
  2. Asset Identification – ECUs, networks, credentials, data, tooling, backends, and service tools.
  3. Threats & Vulnerabilities – curate catalogs (in-vehicle, telematics, V2X, diagnostics, supply chain).
  4. Risk Evaluation – feasibility (time/skills/opportunity/equipment) × impact (safety, regulatory, operations, privacy).
  5. Treatments – preventive, detective, corrective; defense-in-depth with measurable acceptance criteria.
  6. Requirements & Design – derive and allocate security requirements; plan V&V proportionate to risk.
  7. Verification & Validation – reviews, analysis, testing (incl. fuzz/pentest for high-risk areas).
  8. Operational Feedback – monitoring, vulnerability intake, incidents → periodic re-assessment.

TARA Elements (ISO/SAE 21434-style)

  • Assets & attack paths – telematics, OTA agent, infotainment, BLE/Wi-Fi, V2X, OBD, service tools, backend APIs.
  • Threat scenarios – spoofing, tampering, elevation, data breach, DoS, supply-chain insertion.
  • Vulnerabilities – design flaws, weak crypto/config, unsafe parsers, build/pipeline gaps.
  • Impact categories – safety, regulatory/compliance, operational continuity, privacy/reputation.
  • Feasibility factors – expertise, knowledge of item, window of opportunity, equipment, time.
  • Risk rating & decision – treatment vs. acceptance with documented rationale and monitors.

Treatment Strategy

  • Preventive – secure boot, isolation/partitioning, authenticated comms, rate-limit, hardening baselines.
  • Detective – logging/IDS, anomaly detection, integrity monitors (vehicle + backend).
  • Corrective – secure updates/rollback (align with GB/T 44496 / ISO 24089); service tool procedures.
  • Assurance – test depth tied to risk (static/dynamic, fuzzing of parsers, pentest, fault-injection where justified).
  • Defense-in-depth – layered controls across ECUs, networks, apps, cloud interfaces, and tools.

Supplier & External Interfaces

  • Flow down security requirements, acceptance criteria, and evidence packaging (tests, SBOM).
  • Run risk-based assessments/audits; track CAPA and re-test triggers.
  • Define responsibility splits for monitoring, vuln handling, incident response, and updates.
  • Control keys/credentials and service tool access; record custody and revocation paths.

Traceability & Evidence

Keep bidirectional links so auditors can follow the chain:

  • Threat scenario ⇄ asset ⇄ requirement ⇄ design control ⇄ test case ⇄ result ⇄ operational control.
  • Stable IDs, change history, and coverage metrics (e.g., % of high risks with implemented & verified controls).
  • China-market applicability tags (variants, regions, services) and bilingual labels where needed.

Operational Feedback

  • Vulnerability intake (researchers, suppliers, internal testing) with triage SLAs.
  • Monitoring & PSIRT linkage; severity classes and escalation defined.
  • Re-assessment cadence for significant incidents, new threat intel, or major changes.
  • Update alignment – corrective actions executed via GB/T 44496 (campaign dossiers, validation, records).

Practical Do / Don’t

Do

  • Use a single, versioned TARA method; train teams and suppliers on it.
  • Quantify risk acceptance criteria; require documented approvals and review dates.
  • Tie test depth to risk (e.g., fuzz high-risk parsers; pentest external interfaces).
  • Tag artifacts for China applicability; keep bilingual indexes for audits.
  • Integrate PSIRT outcomes into periodic re-assessments and design updates.

Don’t

  • Retrofit controls late without revisiting TARA and requirements.
  • Accept residual risk without monitoring hooks and re-review dates.
  • Rely on certificates alone—ask for targeted supplier evidence.
  • Mix dev/test findings with type-approval evidence repositories.

KPIs & Review

  • Risk aging (time open), % high risks treated/verified, defect discovery pre- vs post-release.
  • Supplier risk closure time, % deliveries meeting acceptance first-time.
  • Incident MTTA/MTTR, re-assessment throughput after incidents or updates.

Typical Outputs / Evidence

  • Approved TARA method & templates; competence/training records.
  • TARAs per item/type with decisions, residual risks, and acceptance records.
  • Requirements & traceability matrices; V&V plans and reports tied to risk.
  • Supplier assessments and exchanged evidence packages (incl. SBOMs).
  • Operational monitoring KPIs, vulnerability/incident records, re-assessment logs.
  • China-specific evidence index (stable IDs, applicability, translation pointers).
Disclaimer: This page summarizes risk management practices relevant to GB/T 44495. For authoritative requirements, consult the official standard and applicable guidance.