ETSI TR 102 893 V1.2.1 (2017-03)
Intelligent Transport Systems (ITS); Security; Threat, Vulnerability and Risk Analysis (TVRA)
RTR/ITS-0050018
Standards Content (Sample)
TECHNICAL REPORT
Reference: RTR/ITS-0050018
Keywords: authentication, authorization, confidentiality, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) No. 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2017.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 The TVRA Method
5 The ETSI Intelligent Transport System
5.1 ITS architecture
5.1.1 General
5.1.2 Summary of ITS applications
6 ITS Security Objectives
6.1 Confidentiality
6.2 Integrity
6.3 Availability
6.4 Accountability
6.5 Authenticity
7 ITS Functional Security classes
7.1 Confidentiality
7.2 Integrity
7.3 Availability
7.4 Accountability
7.5 Authenticity
8 ITS Target of Evaluation (ToE)
8.1 General
8.2 Assumptions on the ToE
8.3 Assumptions on the ToE environment
9 ITS system assets
9.1 ITS station functional models
9.2 Functional assets
9.2.1 ITS-S (Vehicle)
9.2.1.0 General
9.2.1.1 Protocol Control
9.2.1.1.1 General description
9.2.1.1.2 Vehicle to ITS infrastructure
9.2.1.1.3 Vehicle to vehicle
9.2.1.2 Service Control
9.2.1.3 ITS Applications
9.2.1.4 Sensor Monitor
9.2.1.5 Vehicle System Control
9.2.2 ITS-S (Roadside)
9.2.2.0 General
9.2.2.1 Protocol Control
9.2.2.1.1 General description
9.2.2.1.2 RSU to vehicle
9.2.2.1.3 RSU to ITS network
9.2.2.2 Service Control
9.2.2.3 ITS Applications
9.2.2.4 Sensor Monitor
9.2.2.5 Display Control
9.3 Data assets
9.3.1 ITS-S (Vehicle)
9.3.1.1 Local Dynamic Map
9.3.1.2 Local Vehicle Information
9.3.1.3 Service Profile
9.3.2 ITS-S (Roadside)
9.3.2.1 Local Dynamic Map (LDM)
9.3.2.2 Local Station Information
9.3.2.3 Service Profile
10 ITS threat analysis
10.1 Attack interfaces and threat agents
10.1.1 Attack interfaces and threat agents for ITS-S (Vehicle) ToE
10.1.2 Attack interfaces and threat agents for ITS-S (Roadside) ToE
10.2 Vulnerabilities and threats
10.2.1 Threats to all ITS stations
10.2.2 Availability
10.2.2.1 General threats to availability
10.2.3 Integrity
10.2.3.1 General threats to integrity
10.2.4 Authenticity
10.2.4.1 General threats to authenticity
10.2.5 Confidentiality
10.2.5.1 General threats to confidentiality
10.2.6 General threats to accountability
10.2.7 Vulnerabilities and threats
10.2.7.1 Determining system vulnerabilities
10.2.7.2 Threats and vulnerabilities within an ITS-S (Vehicle)
10.2.7.3 Threats and vulnerabilities within an ITS-S (Roadside)
10.3 Security risks in an ITS system
10.3.0 Introduction
10.3.1 Risks in an ITS-S (Vehicle)
10.3.2 Risks in an ITS-S (Roadside)
11 Countermeasures
11.1 List of Countermeasures
11.2 Evaluation of Countermeasures
11.3 Countermeasure Analysis
11.3.1 Reduce frequency of beaconing and other repeated messages
11.3.2 Add source identification (IP address equivalent) in V2V messages
11.3.3 Limit message traffic to V2I/I2V when infrastructure is available and implement message flow control and station registration
11.3.4 Implement frequency agility within the 5,9 GHz band
11.3.5 Implement ITS G5A as a CDMA/spread-spectrum system
11.3.6 Integrate 3rd Generation mobile technology into ITS G5A communications
11.3.7 Digitally sign each message using a Kerberos/PKI-like token system
11.3.7.0 General
11.3.7.1 Kerberos-like solution
11.3.7.1.1 General requirements
11.3.7.1.2 Countermeasure analysis
11.3.7.2 PKI-like solution
11.3.7.2.1 General requirements
11.3.7.2.2 Countermeasure analysis
11.3.8 Include a non-cryptographic checksum of the message in each message sent
11.3.9 Remove requirements for message relay in the ITS BSA
11.3.10 Include an authoritative identity in each message and authenticate it
11.3.11 Use broadcast time (Universal Coordinated Time - UTC - or GNSS) to timestamp all messages
11.3.12 Include a sequence number in each new message
11.3.13 Use INS or existing dead-reckoning methods (with regular - but possibly infrequent - GNSS corrections) to provide positional data
11.3.14 Implement differential monitoring on the GNSS system to identify unusual changes in position
11.3.15 Encrypt the transmission of personal and private data
11.3.16 Implement a Privilege Management Infrastructure (PMI)
11.3.17 Software authenticity and integrity are certified before it is installed
11.3.18 Use a pseudonym that cannot be linked to the true identity of either the user or the user's vehicle
11.3.19 Maintain an audit log of the type and content of each message sent to and from an ITS-S
11.3.20 Perform plausibility tests on incoming messages
11.3.21 Provide remote deactivation of misbehaving ITS-S (Vehicle)
11.3.22 Use hardware-based identity and protection of software on an ITS-S
11.4 Countermeasure Set
11.4.0 Introduction
11.4.1 ITS Countermeasure Set
11.4.1.1 Countermeasures to Denial of Service (DoS) and availability threats
11.4.1.2 Countermeasures to integrity threats
11.4.1.3 Countermeasures to confidentiality and privacy threats
11.4.1.4 Countermeasures to non-repudiation and accountability threats
11.4.2 Residual risk
Annex A: Cost - Benefit analysis of the selected countermeasures
Annex B: GeoNetworking Risk Assessment
B.1 Introduction
B.2 GeoNetworking Model
B.3 Packet Structure
B.4 Target of Evaluation
B.4.1 General
B.4.2 Assumptions
B.4.3 Assets
B.4.3.1 Data Assets
B.4.4 GeoNetworking Threat Analysis
B.4.4.1 General Assumptions
B.4.4.2 Attacks
B.4.4.2.1 General
B.4.4.2.2 Availability
B.4.4.2.3 Integrity
B.4.4.2.4 Confidentiality
B.4.4.2.5 Privacy
B.4.4.3 Security Risks of GeoNetworking
B.4.5 Countermeasures
B.4.5.1 General
B.4.5.2 Security Design Premise
B.4.5.3 List of Countermeasures
B.4.5.3.1 Overview
B.4.5.3.2 C1: Consistency check, incoming plausibility check and global misbehavior detection
B.4.5.3.3 C2: Restrict maximum range and maximum number of hops a packet is routed
B.4.5.3.4 C3: Restrict frequency to send messages
B.4.5.3.5 C4: Verify (forwarding ITS-S) packet payload on demand
B.4.5.3.6 C5: Optionally encrypt packet payload in an end-to-end manner
B.4.5.3.7 C6: Always sign (original sender and forwarding ITS-S) common header and verify (forwarding and final receiver ITS-S) common header on demand
B.4.5.4 Further Countermeasures
B.4.6 Incentive Schemes
B.4.7 Security Performance
B.4.7.1 General
B.4.7.2 Confidentiality (Countermeasure C5)
B.4.7.3 Integrity (Countermeasures C4 and C6)
B.4.7.4 Confidentiality + Integrity (Countermeasures C4, C5 and C6)
History
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Intelligent Transport Systems (ITS).
Modal verbs terminology
In the present document "should"
...