ETSI TR 102 893 V1.1.1 (2010-03)
Intelligent Transport Systems (ITS); Security; Threat, Vulnerability and Risk Analysis (TVRA)
DTR/ITS-0050005
Technical Report
Reference: DTR/ITS-0050005
Keywords: ITS, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In
case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2010.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for
the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights
Foreword
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 The TVRA Method
5 The ETSI Intelligent Transport System
5.1 ITS architecture
5.2 The Basic Set of Applications (BSA)
5.2.1 BSA use case descriptions
5.2.1.1 Stationary vehicle warning
5.2.1.2 Traffic condition warning
5.2.1.3 Signal violation warning
5.2.1.4 Road work warning
5.2.1.5 Collision risk warning from RSU
5.2.1.6 Decentralized floating car data
5.2.1.7 Regulatory/contextual speed limits
5.2.1.8 Traffic information & recommended itinerary
5.2.1.9 Limited access warning, detour notification
5.2.1.10 In-vehicle signage
5.2.1.11 Emergency vehicle warning
5.2.1.12 Slow vehicle warning
5.2.1.13 Motorcycle warning
5.2.1.14 Emergency electronic brake lights
5.2.1.15 Wrong way driving warning
5.2.1.16 Traffic light optimal speed advisory
5.2.1.17 Point of Interest notification
5.2.1.18 Automatic access control and parking management
5.2.1.19 Local electronic commerce
5.2.1.20 Enhanced route guidance and navigation
5.2.1.21 Media downloading
5.2.1.22 Insurance and financial services
5.2.1.23 Fleet management
5.2.1.24 Automatic access control/parking access
5.2.1.25 Vehicle software/data provisioning and update
5.2.1.26 Personal data synchronization
5.3 ITS communication services
5.3.1 Cooperative Awareness Message (CAM) service
5.3.1.1 General description
5.3.1.2 Outgoing information
5.3.1.3 Incoming information
5.3.1.4 Local Dynamic Map (LDM)
5.3.1.5 Information elements within CAM
5.3.1.6 Procedure for outgoing messages
5.3.1.7 Procedure for incoming messages
5.3.2 Decentralized environmental Notification Message (DNM) service
5.3.2.1 General description
5.3.2.2 Outgoing information
5.3.2.3 Incoming information
5.3.2.4 LDM
5.3.2.5 Information elements within DNM messages
5.3.2.6 Procedure for outgoing messages
5.3.2.7 Procedure for incoming messages
5.3.3 Local service advertisement service
5.3.3.1 General description
5.3.4 Internet-based service advertisement service
5.3.4.1 General description
6 ITS Security Objectives
6.1 Confidentiality
6.2 Integrity
6.3 Availability
6.4 Accountability
6.5 Authenticity
7 ITS Functional Security requirements
7.1 Confidentiality
7.2 Integrity
7.3 Availability
7.4 Accountability
7.5 Authenticity
8 ITS Target of Evaluation (ToE)
8.1 Assumptions on the ToE
8.2 Assumptions on the ToE environment
9 ITS system assets
9.1 ITS station functional models
9.2 Functional assets
9.2.1 ITS-S (Vehicle)
9.2.1.1 Protocol Control
9.2.1.1.1 General description
9.2.1.1.2 Vehicle to ITS infrastructure
9.2.1.1.3 Vehicle to vehicle
9.2.1.2 Service Control
9.2.1.3 ITS Applications
9.2.1.4 Sensor Monitor
9.2.1.5 Vehicle System Control
9.2.2 ITS-S (Roadside)
9.2.2.1 Protocol Control
9.2.2.1.1 General description
9.2.2.1.2 RSU to vehicle
9.2.2.1.3 RSU to ITS network
9.2.2.2 Service Control
9.2.2.3 ITS Applications
9.2.2.4 Sensor Monitor
9.2.2.5 Display Control
9.3 Data assets
9.3.1 ITS-S (Vehicle)
9.3.1.1 Local Dynamic Map
9.3.1.2 Local Vehicle Information
9.3.1.3 Service Profile
9.3.2 ITS-S (Roadside)
9.3.2.1 Local Dynamic Map (LDM)
9.3.2.2 Local Station Information
9.3.2.3 Service Profile
10 ITS threat analysis
10.1 Attack interfaces and threat agents
10.1.1 Attack interfaces and threat agents for ITS-S (Vehicle) ToE
10.1.2 Attack interfaces and threat agents for ITS-S (Roadside) ToE
10.2 Vulnerabilities and threats
10.2.1 Threats to all ITS stations
10.2.2 Availability
10.2.2.1 General threats to availability
10.2.3 Integrity
10.2.3.1 General threats to integrity
10.2.4 Authenticity
10.2.4.1 General threats to authenticity
10.2.5 Confidentiality
10.2.5.1 General threats to confidentiality
10.2.6 General threats to accountability
10.2.7 Vulnerabilities and threats
10.2.7.1 Determining system vulnerabilities
10.2.7.2 Threats and vulnerabilities within an ITS-S (Vehicle)
10.2.7.3 Threats and vulnerabilities within an ITS-S (Roadside)
10.3 Security risks in an ITS system
10.3.1 Risks in an ITS-S (Vehicle)
10.3.2 Risks in an ITS-S (Roadside)
11 Countermeasures
11.1 List of Countermeasures
11.2 Evaluation of Countermeasures
11.3 Countermeasure Analysis
11.3.1 Reduce frequency of beaconing and other repeated messages
11.3.2 Add source identification (IP address equivalent) in V2V messages
11.3.3 Limit message traffic to V2I/I2V when infrastructure is available and implement message flow control and station registration
11.3.4 Implement frequency agility within the 5,9 GHz band
11.3.5 Implement ITS G5A as a CDMA/spread-spectrum system
11.3.6 Integrate 3rd Generation mobile technology into ITS G5A communications
11.3.7 Digitally sign each message using a Kerberos/PKI-like token system
11.3.7.1 Kerberos-like solution
11.3.7.1.1 General requirements
11.3.7.1.2 Countermeasure analysis
11.3.7.2 PKI-like solution
11.3.7.2.1 General requirements
11.3.7.2.2 Countermeasure analysis
11.3.8 Include a non-cryptographic checksum of the message in each message sent
11.3.9 Remove requirements for message relay in the ITS BSA
11.3.10 Include an authoritative identity in each message and authenticate it
11.3.11 Use broadcast time (Universal Coordinated Time - UTC - or GNSS) to timestamp all messages
11.3.12 Include a sequence number in each new message
11.3.13 Use INS or existing dead-reckoning methods (with regular - but possibly infrequent - GNSS corrections) to provide positional data
11.3.14 Implement differential monitoring on the GNSS system to identify unusual changes in position
11.3.15 Encrypt the transmission of personal and private data
11.3.16 Implement a Privilege Management Infrastructure (PMI)
11.3.17 Software authenticity and integrity are certified before it is installed
11.3.18 Use a pseudonym that cannot be linked to the true identity of either the user or the user's vehicle
11.3.19 Maintain an audit log of the type and content of each message sent to and from an ITS-S
11.3.20 Perform plausibility tests on incoming messages
11.3.21 Provide remote deactivation of misbehaving ITS-S (Vehicle)
11.3.22 Use hardware-based identity and protection of software on an ITS-S
11.4 Countermeasure Set
11.4.1 ITS Countermeasure Set
11.4.1.1 Countermeasures to Denial of Service (DoS) and availability threats
11.4.1.2 Countermeasures to integrity threats
11.4.1.3 Countermeasures to confidentiality and privacy threats
11.4.1.4 Countermeasures to non-repudiation and accountability threats
11.4.2 Residual risk
Annex A: Cost - Benefit analysis of the selected countermeasures
History
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining
to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in
ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect
of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server
(http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can
be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server)
which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Intelligent Transport System (ITS).
...