ISO/TR 21186-3:2021

TECHNICAL ISO/TR
REPORT 21186-3
First edition
Cooperative intelligent transport
systems (C-ITS) — Guidelines on the
usage of standards —
Part 3:
Security
PROOF/ÉPREUVE
Reference number
ISO/TR 21186-3:2020(E)
©
ISO 2020

---------------------- Page: 1 ----------------------
ISO/TR 21186-3:2020(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/TR 21186-3:2020(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 2
5 Security in C-ITS . 4
5.1 General . 4
5.2 Security design process for C-ITS applications . 4
5.3 Communications security mechanisms in C-ITS . 5
5.4 Source authentication and access control mechanisms . 7
5.5 Certificate authorities and certification processes .10
5.6 Introduction to the rest of this document .11
6 Security analysis and controls for an IDX device .12
6.1 Background .12
6.2 IDX device concept .12
6.2.1 General.12
6.2.2 System architecture and device .14
6.2.3 Threat modelling data scenarios and examples .16
6.2.4 Assumed device functions and activities .19
6.3 Device assets .22
6.4 Threats .24
6.4.1 General.24
6.4.2 Threat modelling process.25
6.4.3 Threat categories and actor motivations .25
6.4.4 Scenario comparison of threats .27
6.5 Security objectives .29
6.5.1 Summary and comparison by scenario .29
6.5.2 Analysis .31
6.6 SFR and rationales .32
6.7 Comparison to other common criteria PPs .39
6.7.1 General.39
6.7.2 Summary and analysis of gaps .39
6.7.3 Gap analysis with Car2Car HSM PP .39
6.7.4 Gap analysis against V-ITS base PP .41
6.7.5 Gap analysis against V-ITS Comms Module PP .45
7 ISO/TS 21177 access control implementation guidance .45
7.1 General .45
7.2 High level architecture and access scenario .46
7.3 Application protocol architecture and ISO/TS 21177 integration .47
7.3.1 General.47
7.3.2 Example protocol architecture .47
7.3.3 Protocol integration strategy .49
7.4 Access control policy structure .50
7.5 Access control approach .51
7.6 Access control use cases and sequence diagrams .54
7.6.1 General.54
7.6.2 Define an access policy .54
7.6.3 Load an access control policy .58
7.6.4 Configure TLS .62
7.6.5 Start a secure TLS session .64
7.6.6 Secure access-controlled resource discovery .67
© ISO 2020 – All rights reserved PROOF/ÉPREUVE iii

---------------------- Page: 3 ----------------------
ISO/TR 21186-3:2020(E)

7.6.7 Server controls access to UGP service based on role .73
8 C-ITS CP security requirements gaps and needs .77
8.1 General .77
8.2 Overview of European C-ITS CP .78
8.3 PKI threat categories and mitigations .79
8.4 European C-ITS CP changes to support news C-ITS applications .90
8.4.1 General.90
8.4.2 CP Section 1.6.1 .90
8.4.3 CP Section 1.6.2 .91
8.4.4 CP Section 6.1.5.2 .91
8.4.5 CP Section 4.1.2.4 .92
Annex A (informative) Scenario threats .93
Annex B (informative) Scenario security objectives to security functional requirements
mapping .107
Annex C (informative) Informative proposal for improvements of TS 21177:2019: CRL request 109
Annex D (informative) Informative proposal for complements to TS 21177:2019:
Ownership and access policy .116
Annex E (informative) Informative proposal for improvements of TS 21177:2019: Errata,
additional rationale material, and session persistence across certificate expiry.120
Bibliography .124
iv PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/TR 21186-3:2020(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC 204, Intelligent transport systems, in
collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC
278, Intelligent transport systems, in accordance with the Agreement on technical cooperation between
ISO and CEN (Vienna Agreement).
A list of all parts in the ISO 21186 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO 2020 – All rights reserved PROOF/ÉPREUVE v

---------------------- Page: 5 ----------------------
ISO/TR 21186-3:2020(E)

Introduction
This document provides informative material of interest to implementers deploying secure systems
to carry out ITS applications. ITS stations are rapidly maturing with regards to specification, use and
security conformance standards. In support of the ITS station ecosystem new standards have been
developed, such as ISO/TS 21177, which provide a framework for device-to-device secure sessions and
resource access authorization. Common criteria protection profiles have been developed and adopted
for use in distinctive European ITS service domains, such as automotive V2X safety services, as well as
a narrow set of infrastructure messaging based services.
NOTE ITS services are provided by means of ITS applications.
Given the diversity of anticipated ITS services and potential data sensitivities, this document was
constructed to provide ITS stakeholders with a holistic analysis and indication of possible extensions to
the ITS station security ecosystem.
This document includes the following sections:
1) An overview of security considerations for application specification and deployment in ITS. This
overview also provides a detailed rationale for the following sections.
2) A use-case driven threat model based roughly on common criteria processes in establishment of
threats, security objectives and SFR relative to three genericized ITS station data sensitivity and
access control scenarios. Each scenario can be used by security practitioners as a starting point to
baseline ITS station platform protection profiles of varying application types and data sensitivities.
The genericized protection profile security requirements are then compared to several existing (or
under development) protection profiles established for automotive use cases to determine possible
gaps in security controls that should be addressed when tailoring subsequent security targets or
related protection profiles.
3) An implementation example of the development of an access control policy implementation for an
ISO/TS 21177 conformant ITS station unit. The example access control policy is application-specific
and depends on many factors, including the type of ITS station unit on which the access control
policy is used. Consequently, this access control policy implementation example is not suitable for
being copy-pasted to the context of other ITS applications. Rather, the process described in this
example can be considered as a suitable template for a process aimed at creating an access control
policy for any ITS application running in an ISO/TS 21177 conformant unit.
4) Inputs for the development of a CP governing the issuance of certificates for ITS station units. A
CP is necessary for the deployment of a system to ensure consistent behaviour of different CAs (or,
more generally, credential issuance actors) within the system. This consistent behaviour enables
receiving devices to trust all received messages to the appropriate level, knowing that those
devices have been through the same certificate-issuing process no matter where the certificates
were obtained. In early 2019, the European Commission published a CP for use for "Day 1"
ITS applications, to be enforced by a top-level root of trust implemented in an entity called the
TLM. This document concludes with a set of high-level gaps and potential mitigations for ITS PKI
participants and implementers.
5) A description of additional functionality that extends the functionality of ISO/TS 21177. This
material is written in a manner which will enable it to be inserted into a future revision of
ISO/TS 21177.
These five areas of content significantly ease the process of deploying new ITS applications securely.
This document is forms part of the ISO 21186 series on "Guidelines on the usage of standards," which is
comprised of the following Parts:
1) Standardization landscape and releases;
2) Hybrid communications;
vi PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/TR 21186-3:2020(E)

3) Security (this document).
© ISO 2020 – All rights reserved PROOF/ÉPREUVE vii

---------------------- Page: 7 ----------------------
TECHNICAL REPORT ISO/TR 21186-3:2020(E)
Cooperative intelligent transport systems (C-ITS) —
Guidelines on the usage of standards —
Part 3:
Security
1 Scope
This document provides guidelines on security applicable in Intelligent Transport Systems (ITS) related
to communications and data access.
In particular, this document provides analyses and best practice content for secure ITS connectivity
using ISO/TS 21177.
This document analyses and identifies issues related to application security, access control, device
security and PKI for a secure ITS ecosystem.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management —
Overview and vocabulary
ISO/IEC 27032, Information technology — Security techniques — Guidelines for cybersecurity
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and ISO/IEC 27032
and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
attack vector
extensible program-code-template for creating objects, providing initial values for state (member
variables) and implementations of behaviour (member functions or methods) in object-oriented
programming
© ISO 2020 – All rights reserved PROOF/ÉPREUVE 1

---------------------- Page: 8 ----------------------
ISO/TR 21186-3:2020(E)

4 Symbols and abbreviated terms
AA authorization authority
ACL access control list
APDU application protocol data unit
API application programming interface
CA certificate authority
CAM cooperative awareness message
CP certificate policy
CPS certification practice statement
C-ITS cooperative intelligent transportation systems
COER canonical octet encoding rules
CPOC certification point of contact
CRL certificate revocation list
CTL certificate trust list
DEK data encryption key
DoS denial-of-service
EA enrolment authority
ECDSA elliptic curve digital signature algorithm
ECIES elliptic curve integrated encryption scheme
ECTL European certificate trust list
ECU electronic control unit
HSM hardware security module
IDX ITS data exchange
IVN in-vehicle network
ITS intelligent transport systems
ITS-AID ITS application object identifier
ITS-S ITS station
ITS-SU ITS station unit
IVIM infrastructure to vehicle information message
KEK key encryption key
MAPEM MAP extended massage
2 PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/TR 21186-3:2020(E)

ND nomadic device
NIST National Institute for Standards and Technology
OCSP online certificate status protocol
OEM original equipment manufacturer
PAKE password authenticated key exchanges
PDU protocol data unit
PII personally identifiable information
PKI public key infrastructure
PP protection profile
RSU roadside unit
SCMS security credentials management system
SCN sensor and control network
SDEE secure data exchange entity
SFR security functional requirements
SPaT signal phase and timing
SPaTEM SPaT extended message
SPDU secured protocol data unit
SPII sensitive or personally identifiable information
SREM signal request extended message
SSEM signal request status extended message
SSP service specific permission
TLM trust list manager
TOE target of evaluation
TSF TOE security functions
TVRA threat, vulnerability and risk analysis
UGP unified gateway protocol
V-ITS vehicle intelligent transport systems
VMS variable message sign
© ISO 2020 – All rights reserved PROOF/ÉPREUVE 3

---------------------- Page: 10 ----------------------
ISO/TR 21186-3:2020(E)

5 Security in C-ITS
5.1 General
This subclause provides an overview of security in C-ITS and a rationale for the material in the rest of
the document.
Systems have functional goals, and also have security goals which support these functional goals. The
details of security goals depend on context, but high-level security goals are always the same:
— Provide assurance that parties within the system receive the right information necessary for
acheiving their functional goals.
— Provide assurance that parties who are not authorized to receive information do not receive that
information.
Systems use security controls to achieve their security goals. A security control is a specific mechanism
implemented as part of a strategy to achieve the security goal. (For ease of discussion, this document
also uses the concept of a security service. A security service is an identifier of the kind of action which
needs to be performed in order to achieve a security goal, while a control is concrete and implementable).
There are many different kinds of security controls, including the following:
— Communications security controls, which provide assurance that communications between two
trusted parties meet the security goals of the system, i.e. that if two parties are legitimate, then
there can be a data exchange between them in which each party is assured that the data came from
the other party, is of known quality, and is not revealed in the course of the communications to
unapproved parties.
— Platform security controls, which provide assurance that a device that is trustworthy at one point
can remain trustworthy.
— Data processing security controls, which provide assurance that data is appropriately handled
before or after it is communicated.
— Access control security controls, which provide assurance that activities within the system are
carried out only by parties that have authorization to carry them out.
— Organizational and process security controls, which provide assurance that the other security
controls in the system are implemented properly.
5.2 Security design process for C-ITS applications
A number of security design process approaches have been proposed for ITS applications. ETSI has
[23] [24]
specified a TVRA process and applied it to the ETSI Day 1 ITS services . The output of this TVRA
process is a recommendation for specific security mechanisms. An alternative approach is outlined in
ISO/IEC 15408-1, ISO/IEC 15408-2 and ISO/IEC 27001, which form the basis for the common criteria
approach to security certification. A third approach is given in Federal Information Processing
[31] [26]
Standards (FIPS) 199 , published by the NIST in the USA. Finally, SAE J2945/5 specifies an
approach to deriving SSPs, a mechanism used to enable fine-grained access control statements to be
made with IEEE 1609.2 certificates. As part of this process, it outlines an overall approach to deriving
security requirements for a connected vehicle application.
All of these approaches use a systems engineering approach with three stages of the design: use case
and concept of operations, requirements, and detailed design. Each stage can be considered more
detailed than the previous one.
All of these approaches have a similar overall structure:
— Firstly, the ITS application is detailed to a level where information flows are specified allowing the
ITS application to achieve its functional goals.
4 PROOF/ÉPREUVE © ISO 2020 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/TR 21186-3:2020(E)

— Then, a security analysis is performed to identify the security requirements on the information
flows and on the parties and to derive from the requirements on the flows the corresponding
requirements on the parties that interact with each other in the ITS application.
— The security analysis can reveal that the application design needs to be changed, either to directly
address identified security issues, or because the security analysis has uncovered additional use
cases or features of the application which need to be incorporated into the main design.
— The analysis/design update process iterates until the design is stable at the current level of detail.
At that point, the design can be moved forwards to the next, more detailed, level of detail and the
security analysis is performed and iterated on that next level of detail until the third and final level
of detail is reached.
— The output is a full specification of the application, including the security controls.
Security controls to be specified include communications security controls, implementation security
controls, organizational security controls, policy security controls, and others. Details of how controls
are to be derived are given in the referenced methodologies ([23],[10],[31],[26]).
Clause 5 focuses on the communications security controls and supporting security controls necessary
for enabling communications security:
— An overview of communications security mechanisms in the C-ITS context is provided in 5.3.
— An overview of the role of CAs and certification processes is provided in 5.5.
— A rationale for the additional detailed technical material included in this document is provided in C.1.
Although interface standards typically focus on
...