Cooperative intelligent transport systems (C-ITS) -- Guidelines on the usage of standards

This document provides guidelines on security applicable in Intelligent Transport Systems (ITS) related to communications and data access. In particular, this document provides analyses and best practice content for secure ITS connectivity using ISO/TS 21177. This document analyses and identifies issues related to application security, access control, device security and PKI for a secure ITS ecosystem.

Systèmes de transport intelligents coopératifs (C-ITS) - Lignes directrices pour l'utilisation des normes

General Information

Status: Published
Publication Date: 05-Feb-2021
Current Stage: 5060 - Close of voting Proof returned by Secretariat
Start Date: 31-Dec-2020
Completion Date: 31-Dec-2020

Buy Standard

Technical report: ISO/TR 21186-3:2021 - Cooperative intelligent transport systems (C-ITS) -- Guidelines on the usage of standards (English language, 125 pages)
Draft: ISO/PRF TR 21186-3 - Cooperative intelligent transport systems (C-ITS) -- Guidelines on the usage of standards (English language, 125 pages)

Standards Content (sample)

TECHNICAL REPORT ISO/TR 21186-3
First edition 2021-02

Cooperative intelligent transport systems (C-ITS) — Guidelines on the usage of standards —
Part 3: Security

Systèmes de transport intelligents coopératifs (C-ITS) - Lignes directrices pour l'utilisation des normes — Partie 3: Sécurité

Reference number ISO/TR 21186-3:2021(E)
© ISO 2021

COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Security in C-ITS
5.1 General
5.2 Security design process for C-ITS applications
5.3 Communications security mechanisms in C-ITS
5.4 Source authentication and access control mechanisms
5.5 Certificate authorities and certification processes
5.6 Introduction to the rest of this document
6 Security analysis and controls for an IDX device
6.1 Background
6.2 IDX device concept
6.2.1 General
6.2.2 System architecture and device
6.2.3 Threat modelling data scenarios and examples
6.2.4 Assumed device functions and activities
6.3 Device assets
6.4 Threats
6.4.1 General
6.4.2 Threat modelling process
6.4.3 Threat categories and actor motivations
6.4.4 Scenario comparison of threats
6.5 Security objectives
6.5.1 Summary and comparison by scenario
6.5.2 Analysis
6.6 SFR and rationales
6.7 Comparison to other common criteria PPs
6.7.1 General
6.7.2 Summary and analysis of gaps
6.7.3 Gap analysis with Car2Car HSM PP
6.7.4 Gap analysis against V-ITS base PP
6.7.5 Gap analysis against V-ITS Comms Module PP
7 ISO/TS 21177 access control implementation guidance
7.1 General
7.2 High level architecture and access scenario
7.3 Application protocol architecture and ISO/TS 21177 integration
7.3.1 General
7.3.2 Example protocol architecture
7.3.3 Protocol integration strategy
7.4 Access control policy structure
7.5 Access control approach
7.6 Access control use cases and sequence diagrams
7.6.1 General
7.6.2 Define an access policy
7.6.3 Load an access control policy
7.6.4 Configure TLS
7.6.5 Start a secure TLS session
7.6.6 Secure access-controlled resource discovery
7.6.7 Server controls access to UGP service based on role
8 C-ITS CP security requirements gaps and needs
8.1 General
8.2 Overview of European C-ITS CP
8.3 PKI threat categories and mitigations
8.4 European C-ITS CP changes to support new C-ITS applications
8.4.1 General
8.4.2 CP Section 1.6.1
8.4.3 CP Section 1.6.2
8.4.4 CP Section 6.1.5.2
8.4.5 CP Section 4.1.2.4
Annex A (informative) Scenario threats
Annex B (informative) Scenario security objectives to security functional requirements mapping
Annex C (informative) Informative proposal for improvements of TS 21177:2019: CRL request
Annex D (informative) Informative proposal for complements to TS 21177:2019: Ownership and access policy
Annex E (informative) Informative proposal for improvements of TS 21177:2019: Errata, additional rationale material, and session persistence across certificate expiry
Bibliography
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 204, Intelligent transport systems, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC 278, Intelligent transport systems, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).

A list of all parts in the ISO 21186 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

This document provides informative material of interest to implementers deploying secure systems to carry out ITS applications. ITS stations are rapidly maturing with regards to specification, use and security conformance standards. In support of the ITS station ecosystem new standards have been developed, such as ISO/TS 21177, which provide a framework for device-to-device secure sessions and resource access authorization. Common criteria protection profiles have been developed and adopted for use in distinctive European ITS service domains, such as automotive V2X safety services, as well as a narrow set of infrastructure messaging based services.

NOTE ITS services are provided by means of ITS applications.

Given the diversity of anticipated ITS services and potential data sensitivities, this document was constructed to provide ITS stakeholders with a holistic analysis and indication of possible extensions to the ITS station security ecosystem.

This document includes the following sections:

1) An overview of security considerations for application specification and deployment in ITS. This overview also provides a detailed rationale for the following sections.

2) A use-case driven threat model based roughly on common criteria processes in establishment of threats, security objectives and SFR relative to three genericized ITS station data sensitivity and access control scenarios. Each scenario can be used by security practitioners as a starting point to baseline ITS station platform protection profiles of varying application types and data sensitivities. The genericized protection profile security requirements are then compared to several existing (or under development) protection profiles established for automotive use cases to determine possible gaps in security controls that should be addressed when tailoring subsequent security targets or related protection profiles.

3) An implementation example of the development of an access control policy implementation for an ISO/TS 21177 conformant ITS station unit. The example access control policy is application-specific and depends on many factors, including the type of ITS station unit on which the access control policy is used. Consequently, this access control policy implementation example is not suitable for being copy-pasted to the context of other ITS applications. Rather, the process described in this example can be considered as a suitable template for a process aimed at creating an access control policy for any ITS application running in an ISO/TS 21177 conformant unit.

4) Inputs for the development of a CP governing the issuance of certificates for ITS station units. A CP is necessary for the deployment of a system to ensure consistent behaviour of different CAs (or, more generally, credential issuance actors) within the system. This consistent behaviour enables receiving devices to trust all received messages to the appropriate level, knowing that those devices have been through the same certificate-issuing process no matter where the certificates were obtained. In early 2019, the European Commission published a CP for use for "Day 1" ITS applications, to be enforced by a top-level root of trust implemented in an entity called the TLM. This document concludes with a set of high-level gaps and potential mitigations for ITS PKI participants and implementers.

5) A description of additional functionality that extends the functionality of ISO/TS 21177. This material is written in a manner which will enable it to be inserted into a future revision of ISO/TS 21177.

These five areas of content significantly ease the process of deploying new ITS applications securely.

This document forms part of the ISO 21186 series on "Guidelines on the usage of standards," which comprises the following parts:

1) Standardization landscape and releases;
2) Hybrid communications;
3) Security (this document).
1 Scope

This document provides guidelines on security applicable in Intelligent Transport Systems (ITS) related to communications and data access.

In particular, this document provides analyses and best practice content for secure ITS connectivity using ISO/TS 21177.

This document analyses and identifies issues related to application security, access control, device security and PKI for a secure ITS ecosystem.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management — Overview and vocabulary

ISO/IEC 27032, Information technology — Security techniques — Guidelines for cybersecurity

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and ISO/IEC 27032 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
attack vector

extensible program-code-template for creating objects, providing initial values for state (member variables) and implementations of behaviour (member functions or methods) in object-oriented programming

4 Symbols and abbreviated terms
AA authorization authority
ACL access control list
APDU application protocol data unit
API application programming interface
CA certificate authority
CAM cooperative awareness message
CP certificate policy
CPS certification practice statement
C-ITS cooperative intelligent transportation systems
COER canonical octet encoding rules
CPOC certification point of contact
CRL certificate revocation list
CTL certificate trust list
DEK data encryption key
DoS denial-of-service
EA enrolment authority
ECDSA elliptic curve digital signature algorithm
ECIES elliptic curve integrated encryption scheme
ECTL European certificate trust list
ECU electronic control unit
HSM hardware security module
IDX ITS data exchange
IVN in-vehicle network
ITS intelligent transport systems
ITS-AID ITS application object identifier
ITS-S ITS station
ITS-SU ITS station unit
IVIM infrastructure to vehicle information message
KEK key encryption key
MAPEM MAP extended message
ND nomadic device
NIST National Institute for Standards and Technology
OCSP online certificate status protocol
OEM original equipment manufacturer
PAKE password authenticated key exchanges
PDU protocol data unit
PII personally identifiable information
PKI public key infrastructure
PP protection profile
RSU roadside unit
SCMS security credentials management system
SCN sensor and control network
SDEE secure data exchange entity
SFR security functional requirements
SPaT signal phase and timing
SPaTEM SPaT extended message
SPDU secured protocol data unit
SPII sensitive or personally identifiable information
SREM signal request extended message
SSEM signal request status extended message
SSP service specific permission
TLM trust list manager
TOE target of evaluation
TSF TOE security functions
TVRA threat, vulnerability and risk analysis
UGP unified gateway protocol
V-ITS vehicle intelligent transport systems
VMS variable message sign
5 Security in C-ITS

5.1 General

This subclause provides an overview of security in C-ITS and a rationale for the material in the rest of the document.

Systems have functional goals, and also have security goals which support these functional goals. The details of security goals depend on context, but high-level security goals are always the same:

— Provide assurance that parties within the system receive the right information necessary for achieving their functional goals.

— Provide assurance that parties who are not authorized to receive information do not receive that information.

Systems use security controls to achieve their security goals. A security control is a specific mechanism implemented as part of a strategy to achieve the security goal. (For ease of discussion, this document also uses the concept of a security service. A security service is an identifier of the kind of action which needs to be performed in order to achieve a security goal, while a control is concrete and implementable.)

There are many different kinds of security controls, including the following:

— Communications security controls, which provide assurance that communications between two trusted parties meet the security goals of the system, i.e. that if two parties are legitimate, then there can be a data exchange between them in which each party is assured that the data came from the other party, is of known quality, and is not revealed in the course of the communications to unapproved parties.

— Platform security controls, which provide assurance that a device that is trustworthy at one point can remain trustworthy.

— Data processing security controls, which provide assurance that data is appropriately handled before or after it is communicated.

— Access control security controls, which provide assurance that activities within the system are carried out only by parties that have authorization to carry them out.

— Organizational and process security controls, which provide assurance that the other security controls in the system are implemented properly.

5.2 Security design process for C-ITS applications

A number of security design process approaches have been proposed for ITS applications. ETSI has specified a TVRA process and applied it to the ETSI Day 1 ITS services[23][24]. The output of this TVRA process is a recommendation for specific security mechanisms. An alternative approach is outlined in ISO/IEC 15408-1, ISO/IEC 15408-2 and ISO/IEC 27001, which form the basis for the common criteria approach to security certification. A third approach is given in Federal Information Processing Standards (FIPS) 199[31], published by the NIST in the USA. Finally, SAE J2945/5[26] specifies an approach to deriving SSPs, a mechanism used to enable fine-grained access control statements to be made with IEEE 1609.2 certificates. As part of this process, it outlines an overall approach to deriving security requirements for a connected vehicle application.

All of these approaches use a systems engineering approach with three stages of the design: use case and concept of operations, requirements, and detailed design. Each stage can be considered more detailed than the previous one.

All of these approaches have a similar overall structure:

— Firstly, the ITS application is detailed to a level where information flows are specified allowing the ITS application to achieve its functional goals.

— Then, a security analysis is performed to identify the security requirements on the information flows and on the parties and to derive from the requirements on the flows the corresponding requirements on the parties that interact with each other in the ITS application.

— The security analysis can reveal that the application design needs to be changed, either to directly address identified security issues, or because the security analysis has uncovered additional use cases or features of the application which need to be incorporated into the main design.

— The analysis/design update process iterates until the design is stable at the current level of detail. At that point, the design can be moved forwards to the next, more detailed, level of detail and the security analysis is performed and iterated on that next level of detail until the third and final level of detail is reached.

— The output is a full specification of the application, including the security controls.

Security controls to be specified include communications security controls, implementation security controls, organizational security controls, policy security controls, and others. Details of how controls are to be derived are given in the referenced methodologies ([23],[10],[31],[26]).

Clause 5 focuses on the communications security controls and supporting security controls necessary for enabling communications security:

— An overview of communications security mechanisms in the C-ITS context is provided in 5.3.

— An overview of the role of CAs and certification processes is provided in 5.5.

— A rationale for the additional detailed technical material included in this document is provided in C.1.

Although interface standards typically focus on communi
...

TECHNICAL ISO/TR
REPORT 21186-3
First edition
Cooperative intelligent transport
systems (C-ITS) — Guidelines on the
usage of standards —
Part 3:
Security
PROOF/ÉPREUVE
Reference number
ISO/TR 21186-3:2020(E)
ISO 2020
Contents

Foreword v
Introduction vi
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Symbols and abbreviated terms 2
5 Security in C-ITS 4
5.1 General 4
5.2 Security design process for C-ITS applications 4
5.3 Communications security mechanisms in C-ITS 5
5.4 Source authentication and access control mechanisms 7
5.5 Certificate authorities and certification processes 10
5.6 Introduction to the rest of this document 11
6 Security analysis and controls for an IDX device 12
6.1 Background 12
6.2 IDX device concept 12
6.2.1 General 12
6.2.2 System architecture and device 14
6.2.3 Threat modelling data scenarios and examples 16
6.2.4 Assumed device functions and activities 19
6.3 Device assets 22
6.4 Threats 24
6.4.1 General 24
6.4.2 Threat modelling process 25
6.4.3 Threat categories and actor motivations 25
6.4.4 Scenario comparison of threats 27
6.5 Security objectives 29
6.5.1 Summary and comparison by scenario 29
6.5.2 Analysis 31
6.6 SFR and rationales 32
6.7 Comparison to other common criteria PPs 39
6.7.1 General 39
6.7.2 Summary and analysis of gaps 39
6.7.3 Gap analysis with Car2Car HSM PP 39
6.7.4 Gap analysis against V-ITS base PP 41
6.7.5 Gap analysis against V-ITS Comms Module PP 45
7 ISO/TS 21177 access control implementation guidance 45
7.1 General 45
7.2 High level architecture and access scenario 46
7.3 Application protocol architecture and ISO/TS 21177 integration 47
7.3.1 General 47
7.3.2 Example protocol architecture 47
7.3.3 Protocol integration strategy 49
7.4 Access control policy structure 50
7.5 Access control approach 51
7.6 Access control use cases and sequence diagrams 54
7.6.1 General 54
7.6.2 Define an access policy 54
7.6.3 Load an access control policy 58
7.6.4 Configure TLS 62
7.6.5 Start a secure TLS session 64
7.6.6 Secure access-controlled resource discovery 67
7.6.7 Server controls access to UGP service based on role 73
8 C-ITS CP security requirements gaps and needs 77
8.1 General 77
8.2 Overview of European C-ITS CP 78
8.3 PKI threat categories and mitigations 79
8.4 European C-ITS CP changes to support new C-ITS applications 90
8.4.1 General 90
8.4.2 CP Section 1.6.1 90
8.4.3 CP Section 1.6.2 91
8.4.4 CP Section 6.1.5.2 91
8.4.5 CP Section 4.1.2.4 92
Annex A (informative) Scenario threats 93
Annex B (informative) Scenario security objectives to security functional requirements mapping 107
Annex C (informative) Informative proposal for improvements of TS 21177:2019: CRL request 109
Annex D (informative) Informative proposal for complements to TS 21177:2019: Ownership and access policy 116
Annex E (informative) Informative proposal for improvements of TS 21177:2019: Errata, additional rationale material, and session persistence across certificate expiry 120
Bibliography 124

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 204, Intelligent transport systems, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC 278, Intelligent transport systems, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).

A list of all parts in the ISO 21186 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

This document provides informative material of interest to implementers deploying secure systems to carry out ITS applications. ITS stations are rapidly maturing with regards to specification, use and security conformance standards. In support of the ITS station ecosystem new standards have been developed, such as ISO/TS 21177, which provide a framework for device-to-device secure sessions and resource access authorization. Common criteria protection profiles have been developed and adopted for use in distinctive European ITS service domains, such as automotive V2X safety services, as well as a narrow set of infrastructure messaging based services.

NOTE ITS services are provided by means of ITS applications.

Given the diversity of anticipated ITS services and potential data sensitivities, this document was constructed to provide ITS stakeholders with a holistic analysis and indication of possible extensions to the ITS station security ecosystem.

This document includes the following sections:

1) An overview of security considerations for application specification and deployment in ITS. This overview also provides a detailed rationale for the following sections.

2) A use-case driven threat model based roughly on common criteria processes in establishment of threats, security objectives and SFR relative to three genericized ITS station data sensitivity and access control scenarios. Each scenario can be used by security practitioners as a starting point to baseline ITS station platform protection profiles of varying application types and data sensitivities. The genericized protection profile security requirements are then compared to several existing (or under development) protection profiles established for automotive use cases to determine possible gaps in security controls that should be addressed when tailoring subsequent security targets or related protection profiles.

3) An implementation example of the development of an access control policy implementation for an ISO/TS 21177 conformant ITS station unit. The example access control policy is application-specific and depends on many factors, including the type of ITS station unit on which the access control policy is used. Consequently, this access control policy implementation example is not suitable for being copy-pasted to the context of other ITS applications. Rather, the process described in this example can be considered as a suitable template for a process aimed at creating an access control policy for any ITS application running in an ISO/TS 21177 conformant unit.

4) Inputs for the development of a CP governing the issuance of certificates for ITS station units. A CP is necessary for the deployment of a system to ensure consistent behaviour of different CAs (or, more generally, credential issuance actors) within the system. This consistent behaviour enables receiving devices to trust all received messages to the appropriate level, knowing that those devices have been through the same certificate-issuing process no matter where the certificates were obtained. In early 2019, the European Commission published a CP for use for "Day 1" ITS applications, to be enforced by a top-level root of trust implemented in an entity called the TLM. This document concludes with a set of high-level gaps and potential mitigations for ITS PKI participants and implementers.

5) A description of additional functionality that extends the functionality of ISO/TS 21177. This material is written in a manner which will enable it to be inserted into a future revision of ISO/TS 21177.

These five areas of content significantly ease the process of deploying new ITS applications securely.

This document forms part of the ISO 21186 series on "Guidelines on the usage of standards," which is comprised of the following Parts:

1) Standardization landscape and releases;
2) Hybrid communications;
3) Security (this document).
Cooperative intelligent transport systems (C-ITS) —
Guidelines on the usage of standards —
Part 3:
Security
1 Scope

This document provides guidelines on security applicable in Intelligent Transport Systems (ITS) related to communications and data access.

In particular, this document provides analyses and best practice content for secure ITS connectivity using ISO/TS 21177.

This document analyses and identifies issues related to application security, access control, device security and PKI for a secure ITS ecosystem.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management — Overview and vocabulary

ISO/IEC 27032, Information technology — Security techniques — Guidelines for cybersecurity

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and ISO/IEC 27032 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
attack vector
extensible program-code-template for creating objects, providing initial values for state (member variables) and implementations of behaviour (member functions or methods) in object-oriented programming
4 Symbols and abbreviated terms
AA authorization authority
ACL access control list
APDU application protocol data unit
API application programming interface
CA certificate authority
CAM cooperative awareness message
CP certificate policy
CPS certification practice statement
C-ITS cooperative intelligent transportation systems
COER canonical octet encoding rules
CPOC certification point of contact
CRL certificate revocation list
CTL certificate trust list
DEK data encryption key
DoS denial-of-service
EA enrolment authority
ECDSA elliptic curve digital signature algorithm
ECIES elliptic curve integrated encryption scheme
ECTL European certificate trust list
ECU electronic control unit
HSM hardware security module
IDX ITS data exchange
IVN in-vehicle network
ITS intelligent transport systems
ITS-AID ITS application object identifier
ITS-S ITS station
ITS-SU ITS station unit
IVIM infrastructure to vehicle information message
KEK key encryption key
MAPEM MAP extended message
ND nomadic device
NIST National Institute for Standards and Technology
OCSP online certificate status protocol
OEM original equipment manufacturer
PAKE password authenticated key exchanges
PDU protocol data unit
PII personally identifiable information
PKI public key infrastructure
PP protection profile
RSU roadside unit
SCMS security credentials management system
SCN sensor and control network
SDEE secure data exchange entity
SFR security functional requirements
SPaT signal phase and timing
SPaTEM SPaT extended message
SPDU secured protocol data unit
SPII sensitive or personally identifiable information
SREM signal request extended message
SSEM signal request status extended message
SSP service specific permission
TLM trust list manager
TOE target of evaluation
TSF TOE security functions
TVRA threat, vulnerability and risk analysis
UGP unified gateway protocol
V-ITS vehicle intelligent transport systems
VMS variable message sign
5 Security in C-ITS
5.1 General

This subclause provides an overview of security in C-ITS and a rationale for the material in the rest of the document.

Systems have functional goals, and also have security goals which support these functional goals. The details of security goals depend on context, but high-level security goals are always the same:

— Provide assurance that parties within the system receive the right information necessary for achieving their functional goals.

— Provide assurance that parties who are not authorized to receive information do not receive that information.

Systems use security controls to achieve their security goals. A security control is a specific mechanism implemented as part of a strategy to achieve the security goal. (For ease of discussion, this document also uses the concept of a security service. A security service is an identifier of the kind of action which needs to be performed in order to achieve a security goal, while a control is concrete and implementable.)

There are many different kinds of security controls, including the following:

— Communications security controls, which provide assurance that communications between two trusted parties meet the security goals of the system, i.e. that if two parties are legitimate, then there can be a data exchange between them in which each party is assured that the data came from the other party, is of known quality, and is not revealed in the course of the communications to unapproved parties.

— Platform security controls, which provide assurance that a device that is trustworthy at one point can remain trustworthy.

— Data processing security controls, which provide assurance that data is appropriately handled before or after it is communicated.

— Access control security controls, which provide assurance that activities within the system are carried out only by parties that have authorization to carry them out.

— Organizational and process security controls, which provide assurance that the other security controls in the system are implemented properly.
5.2 Security design process for C-ITS applications

A number of security design process approaches have been proposed for ITS applications. ETSI has specified a TVRA process [23] and applied it to the ETSI Day 1 ITS services [24]. The output of this TVRA process is a recommendation for specific security mechanisms. An alternative approach is outlined in ISO/IEC 15408-1, ISO/IEC 15408-2 and ISO/IEC 27001, which form the basis for the common criteria approach to security certification. A third approach is given in Federal Information Processing Standards (FIPS) 199 [31], published by the NIST in the USA. Finally, SAE J2945/5 [26] specifies an approach to deriving SSPs, a mechanism used to enable fine-grained access control statements to be made with IEEE 1609.2 certificates. As part of this process, it outlines an overall approach to deriving security requirements for a connected vehicle application.

All of these approaches use a systems engineering approach with three stages of the design: use case and concept of operations, requirements, and detailed design. Each stage can be considered more detailed than the previous one.

All of these approaches have a similar overall structure:

— Firstly, the ITS application is detailed to a level where information flows are specified allowing the ITS application to achieve its functional goals.

— Then, a security analysis is performed to identify the security requirements on the information flows and on the parties and to derive from the requirements on the flows the corresponding requirements on the parties that interact with each other in the ITS application.

— The security analysis can reveal that the application design needs to be changed, either to directly address identified security issues, or because the security analysis has uncovered additional use cases or features of the application which need to be incorporated into the main design.

— The analysis/design update process iterates until the design is stable at the current level of detail. At that point, the design can be moved forwards to the next, more detailed, level of detail and the security analysis is performed and iterated on that next level of detail until the third and final level of detail is reached.

— The output is a full specification of the application, including the security controls.

Security controls to be specified include communications security controls, implementation security controls, organizational security controls, policy security controls, and others. Details of how controls are to be derived are given in the referenced methodologies ([23],[10],[31],[26]).

Clause 5 focuses on the communications security controls and supporting security controls necessary for enabling communications security:

— An overview of communications security mechanisms in the C-ITS context is provided in 5.3.

— An overview of the role of CAs and certification processes is provided in 5.5.

— A rationale for the additional detailed technical material included in this document is provided in C.1.

Although interface standards typically focus on
...
