CEN ISO/TS 17574:2004
Road transport and traffic telematics - Electronic Fee Collection (EFC) - Guidelines for EFC security protection profiles
This document gives guidelines for the preparation and evaluation of security requirements specifications, referred to as Protection Profiles (PP) in ISO/IEC 15408 (Evaluation criteria for IT security) and ISO/IEC PDTR 15446 (Guide for the production of protection profiles and security targets). A Protection Profile (PP) is a set of security requirements for a category of products or systems that meets specific needs. A typical example would be a PP for OBEs used in an EFC system; in that case the PP is an implementation-independent set of security requirements for the OBEs that meets the operators' and users' security needs.
The document uses an OBE with an integrated circuit card (ICC) as an example, describing both the structure of the PP and its proposed content.
Figure 1 shows how this document fits into the overall picture of EFC security architecture. The shaded boxes are the aspects most closely related to the preparation of PPs for EFC systems.
German title (translated): Road transport and traffic telematics - Electronic fee collection - Security framework conditions
French title (translated): Road transport and road telematics - Electronic toll systems - Guidelines concerning toll security protection profiles
Slovenian title (translated): Road transport and traffic telematics - Electronic Fee Collection (EFC) - Guidelines for EFC security protection profiles
Standards Content (Sample)
SLOVENIAN STANDARD
1 April 2005
Road transport and traffic telematics - Electronic Fee Collection (EFC) - Guidelines for EFC security protection profiles
This Slovenian standard is identical to: CEN ISO/TS 17574:2004
ICS: 35.240.60 IT applications in transport and trade
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
TECHNICAL SPECIFICATION
CEN ISO/TS 17574
November 2004
ICS 35.240.60
English version
Road transport and traffic telematics - Electronic Fee Collection (EFC) - Guidelines for EFC security protection profiles
This Technical Specification (CEN/TS) was approved by CEN on 30 October 2003 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the CEN/TS can be converted into a European Standard.
CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available
promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS)
until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,
Slovenia, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
Management Centre: rue de Stassart, 36 B-1050 Brussels
© 2004 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN ISO/TS 17574:2004: E
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Outlines of Protection Profile
5.1 Structure
Annex A (informative) Procedures of Preparing Documents
A.1 Introduction
Annex B (informative) Example of Threat Analysis Evaluation Method
B.1 Identification of threats
Annex C (informative) Abstract from "Definition of threats and security controls for the Charging Interface in Electronic Fee Collection"
C.1 Introduction
Annex D (informative) Common Criteria Recognition Arrangement (CCRA)
D.1 Overview
Bibliography
Foreword
This document was prepared by Technical Committee CEN/TC 278, “Road Transport and Traffic Telematics” in
collaboration with ISO/TC 204 “Transport information and control systems”.
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to announce this Technical Specification: Austria, Belgium, Cyprus, Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and
United Kingdom.
Introduction
Electronic Fee Collection systems are exposed to several kinds of fraud, committed by users, by operators and by
people outside the system. These security threats have to be met by different types of security measures, including
security requirements specifications. This document provides a guideline for the preparation and evaluation of security
requirements specifications, referred to as Protection Profiles (PP) in ISO/IEC 15408 Information technology -
Security techniques - Evaluation criteria for IT security and ISO/IEC PDTR 15446 Guide for the production of
protection profiles and security targets. A Protection Profile (PP) is a set of security requirements for a
category of products or systems that meets specific needs. A typical example would be a PP for On-Board
Equipment (OBEs) to be used in an EFC system.
This document should be read in conjunction with the underlying standards ISO/IEC 15408 and ISO/IEC
PDTR 15446. Although a layman can read the first part of the document to get an overview of how to prepare a
Protection Profile for EFC equipment, the Annexes, and more particularly Clauses A.4 and A.5, require that the
reader is familiar with ISO/IEC 15408.
It is recommended that Electronic Fee Collection (EFC) operators or national organisations, e.g. highway
authorities or transport ministries, use this guideline to prepare their own EFC/PP, since security requirements should
be described from the standpoint of the operators and/or operator organisations.
It should be noted that this standard is more informative than normative in nature and cannot be used without
also using ISO/IEC 15408. Most of the content of the standard is the example in Annex A of how to
prepare the security requirements for EFC equipment, in this case an OBE with an IC-card loaded with the crucial data
needed for EFC. The example refers to a Japanese national EFC system and should be regarded and
used only as an example. Clauses 1 to 5 are normative while Annexes A to D are informative.
After an EFC/PP has been prepared, it can be registered internationally by the organisation that prepared it, so
that other operators or countries wanting to develop the security services of their EFC system can refer to an already
registered EFC/PP.
This EFC-related standard on the security service framework and EFC/PP is based on ISO/IEC 15408, Evaluation
criteria for information technology (IT) security. ISO/IEC 15408 includes a set of requirements for the security
functions and assurance of IT-relevant products and systems. Operators, organisations or authorities defining their
own EFC/PP can use these requirements. This is similar to the different PPs registered by several financial
institutions, e.g. for payment instruments such as IC-cards.
Products and systems developed in accordance with ISO/IEC 15408 can be publicly certified by
government or designated private evaluation bodies.
1 Scope
This document gives guidelines for the preparation and evaluation of security requirements specifications, referred
to as Protection Profiles (PP) in ISO/IEC 15408 (Evaluation criteria for IT security) and ISO/IEC PDTR 15446 (Guide
for the production of protection profiles and security targets). A Protection Profile (PP) is a set of security
requirements for a category of products or systems that meets specific needs. A typical example would be a PP
for OBEs used in an EFC system; in that case the PP is an implementation-independent set of
security requirements for the OBEs that meets the operators' and users' security needs.
The document uses an OBE with an integrated circuit card (ICC) as an example, describing both the structure of
the PP and its proposed content.
Figure 1 shows how this document fits into the overall picture of EFC security architecture. The shaded boxes are the
aspects most closely related to the preparation of PPs for EFC systems.
Figure 1 — Overall view of security architecture
The main purpose of a PP is to analyse the security environment of a subject and then to specify the requirements
that counter the threats identified by that security environment analysis. The subject studied is called the Target
of Evaluation (TOE). In this document, an OBE with an ICC is used as an example of the TOE.
The preparatory work of EFC/PP consists of the steps shown in Figure 2 (items 1 to 6):
Figure 2 — The process of preparing a Protection Profile for EFC equipment
A PP can be registered publicly by the entity preparing the PP in order to make it known and available to other
parties that can use the same PP for their own EFC systems.
A Security Target (ST) is a set of security requirements and specifications used as the basis for the
evaluation of an identified TOE. While the PP can be looked upon as the EFC operator's requirements, the ST can be
looked upon as the supplier's documentation of how the TOE, e.g. an OBE, complies with and fulfils the PP.
Figure 3 shows a simplified picture and example of the relationships between the EFC operator, the EFC
equipment supplier and an evaluator. For the international registry organisation, i.e. the Common Criteria Recognition
Arrangement (CCRA), and the currently registered PPs, see Annex D.
Figure 3 — Relationships between operators, suppliers and evaluators
The ST is similar to the PP, except that it contains additional implementation-specific information detailing how the
security requirements are realised in a particular product or system. Hence, the ST includes the following parts not
found in a PP:
— a TOE summary specification that presents the TOE-specific security functions and assurance measures;
— an optional PP claims portion that identifies the PPs the ST is claimed to conform to (if any);
— finally, the rationale contains additional evidence establishing that the TOE summary specification ensures
satisfaction of the implementation-independent requirements, and that the claims about PP conformance are
satisfied.
The actual security functions of EFC products are designed based on this ST; see the example in Figure 4.
Figure 4 — Example on design based on a PP
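The rationale sections described above (the objectives rationale that maps threats to security objectives, and the requirements rationale that maps objectives to functional requirements) are the parts of a PP or ST an evaluator checks for completeness. The following is an added example, not text or code from CEN ISO/TS 17574 or its Annex A: it models a PP fragment for an OBE with an ICC as two mappings and checks that every threat is countered, every objective is implemented, and nothing is left undefined or unjustified. The threat and objective identifiers and their wording are constructed for illustration; the component names (FIA_UAU.2, FCS_COP.1, FDP_SDI.2, FPT_RPL.1, FPT_PHP.3) are real ISO/IEC 15408 Part 2 components, but their selection for an EFC OBE is an assumption of this example.

```python
"""Traceability check for a Common Criteria style Protection Profile.

Added example (not part of CEN ISO/TS 17574). The PP content below is a
constructed fragment for an OBE with an ICC, not the Annex A example.
"""
from dataclasses import dataclass


@dataclass
class ProtectionProfile:
    """Minimal model of the PP sections needed for the rationale."""
    threats: dict      # T.* identifier -> description
    objectives: dict   # O.* identifier -> description
    sfrs: dict         # CC Part 2 component -> what it is used for here
    counters: dict     # O.* -> set of T.* it counters (objectives rationale)
    implements: dict   # SFR -> set of O.* it satisfies (requirements rationale)


def check_rationale(pp):
    """Return findings keyed by problem type; {} means the traceability is complete.

    Mirrors what a PP/ST evaluator checks: each threat has at least one
    objective, each objective has at least one SFR, and no objective or SFR
    exists without a justification or refers to an undefined identifier.
    """
    countered = set()
    for ts in pp.counters.values():
        countered |= set(ts)
    satisfied = set()
    for objs in pp.implements.values():
        satisfied |= set(objs)

    checks = {
        "uncovered_threats": set(pp.threats) - countered,
        "undefined_threats": countered - set(pp.threats),
        "unjustified_objectives": {o for o in pp.objectives if not pp.counters.get(o)},
        "undefined_objectives": (set(pp.counters) | satisfied) - set(pp.objectives),
        "unsatisfied_objectives": set(pp.objectives) - satisfied,
        "unjustified_sfrs": {s for s in pp.sfrs if not pp.implements.get(s)},
        "undefined_sfrs": set(pp.implements) - set(pp.sfrs),
    }
    return {name: sorted(ids) for name, ids in checks.items() if ids}


def build_obe_pp():
    """Constructed PP fragment for an OBE with an ICC (assumed content)."""
    threats = {
        "T.Masquerade": "A dishonest party's device impersonates a legitimate OBE/ICC on the DSRC link.",
        "T.Modify_Data": "Fee-relevant data in the ICC or in transit is altered to reduce the charge.",
        "T.Replay": "A recorded DSRC exchange is replayed to obtain a free passage.",
        "T.Physical": "The OBE/ICC is opened to extract keys or alter stored data.",
    }
    objectives = {
        "O.Auth": "The OBE/ICC authenticates itself to the RSE before charging data is accepted.",
        "O.Integrity": "Charging data is integrity protected in storage and on the DSRC link.",
        "O.Freshness": "Each charging transaction is bound to a fresh RSE challenge.",
        "O.Tamper": "Physical tampering with the ICC is resisted and leaves evidence.",
    }
    sfrs = {
        "FIA_UAU.2": "User authentication before any action (OBE/ICC towards RSE).",
        "FCS_COP.1": "Cryptographic operation: MAC over transaction data.",
        "FDP_SDI.2": "Stored data integrity monitoring of fee data in the ICC.",
        "FPT_RPL.1": "Replay detection on DSRC transactions.",
        "FPT_PHP.3": "Resistance to physical attack on the ICC.",
    }
    counters = {
        "O.Auth": {"T.Masquerade"},
        "O.Integrity": {"T.Modify_Data"},
        "O.Freshness": {"T.Replay"},
        "O.Tamper": {"T.Physical", "T.Modify_Data"},
    }
    implements = {
        "FIA_UAU.2": {"O.Auth"},
        "FCS_COP.1": {"O.Auth", "O.Integrity"},
        "FDP_SDI.2": {"O.Integrity"},
        "FPT_RPL.1": {"O.Freshness"},
        "FPT_PHP.3": {"O.Tamper"},
    }
    return ProtectionProfile(threats, objectives, sfrs, counters, implements)


def drop_replay_objective(pp):
    """Copy of pp with O.Freshness removed from the objectives rationale, to show a gap."""
    counters = {o: set(t) for o, t in pp.counters.items() if o != "O.Freshness"}
    return ProtectionProfile(pp.threats, pp.objectives, pp.sfrs, counters, pp.implements)


if __name__ == "__main__":
    good = build_obe_pp()
    print("complete PP:", check_rationale(good))
    print("PP with a gap:", check_rationale(drop_replay_objective(good)))
```

Running the module prints an empty findings dict for the complete fragment and, for the copy with the O.Freshness mapping removed, reports T.Replay as an uncovered threat and O.Freshness as an unjustified objective. The same two-level mapping extends naturally to an ST, where a third level (SFR to TOE security function) is added and checked the same way.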
The TOE for EFC is limited to the EFC-specific entities and interfaces, such as those for Users, Service Providers and the
communication link (DSRC or CN) between Users and Service Providers, which are essential to EFC systems and
are shown shaded in Figure 5. Since existing financial security standards and criteria apply to the other
entities and interfaces, those are assumed to be outside the scope of the TOE for EFC.
The security evaluation is performed by assessing the security-related properties of the entities and interfaces defined
in STs, as opposed to assessing complete processes, which are often distributed over more entities and interfaces
than those covered by the TOE of this document.
NOTE Assessing security issues for complete processes is a complementary approach, which may well be beneficial to apply
when evaluating the security of a system.
In Annex A, the guideline for preparing EFC/PP is described by using an OBE as an example of EFC products. The
crucial communication link in this Annex (between the OBE and the RSE) is based on DSRC.
Figure 5 — Scope of TOE for EFC
Figure 6 below shows the entities involved in the charging interface, i.e. the User, the Service Provider, and a
Dishonest Party, the latter trying to gain by tampering with entities or communication.
Figure 6 — Entities involved in the Charging Interface of EFC