SIST-TS CEN ISO/TS 17574:2005

SLOVENSKI STANDARD
SIST-TS CEN ISO/TS 17574:2005
01-april-2005
&HVWQDWUDQVSRUWQDLQSURPHWQDWHOHPDWLND(OHNWURQVNRSRELUDQMHSULVWRMELQ
()&±6PHUQLFH]D]DãþLWRYDUQRVWQLKSURILORY()&
Road transport and traffic telematics - Electronic Fee Collection (EFC) - Guidelines for
EFC security protection profiles
Straßentransport- und Verkehrstelematik - Elektronische Gebührenerhebung -
Sicherheitsrahmenbedingungen
Transports routiers et télématique routiere - Systemes de péage électronique - Lignes
directrices concernant les profils de protection de la sécurité des péages
Ta slovenski standard je istoveten z: CEN ISO/TS 17574:2004
ICS:
35.240.60 Uporabniške rešitve IT v IT applications in transport
transportu in trgovini and trade
SIST-TS CEN ISO/TS 17574:2005 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TS CEN ISO/TS 17574:2005

---------------------- Page: 2 ----------------------

SIST-TS CEN ISO/TS 17574:2005
TECHNICAL SPECIFICATION
CEN ISO/TS 17574
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
November 2004
ICS 35.240.60
English version
Road transport and traffic telematics - Electronic Fee Collection
(EFC) - Guidelines for EFC security protection profiles
Transports routiers et télématique routière - Systèmes de
péage électronique - Lignes directrices concernant les
profils de protection de la sécurité des péages
This Technical Specification (CEN/TS) was approved by CEN on 30 October 2003 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the CEN/TS can be converted into a European Standard.
CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available
promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS)
until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,
Slovenia, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2004 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN ISO/TS 17574:2004: E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)
Contents page
Foreword.3
Introduction .4
1 Scope .5
2 Normative references.10
3 Terms and definitions .11
4 Abbreviations.14
5 Outlines of Protection Profile.16
5.1 Structure.16
Annex A (informative) Procedures of Preparing Documents.18
A.1 Introduction .18
Annex B (informative) Example of Threat Analysis Evaluation Method .50
B.1 Identification of threats .50
Annex C (informative) Abstract from “Definition of threats and security controls for the
Charging Interface in Electronic Fee Collection”.53
C.1 Introduction .53
Annex D (informative) Common Criteria Recognition Arrangement (CCRA).65
D.1 Overview .65
Bibliography .69

2

---------------------- Page: 4 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

Foreword
This document was prepared by Technical Committee CEN/TC 278, “Road Transport and Traffic Telematics” in
collaboration with ISO/TC 204 “Transport information and control systems”.
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to announce this Technical Specification : Austria, Belgium, Cyprus, Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and
United Kingdom.

3

---------------------- Page: 5 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)
Introduction
Electronic Fee Collection systems are subject to several ways of fraud both by users and operators but also from
people outside the system. These security threats have to be met by different types of security measures including
security requirements specifications. This document provides a guideline for preparation and evaluation of security
requirements specifications, referred to as Protection Profiles (PP) in ISO/IEC 15408 Information technology -
Security techniques - Evaluation criteria for IT security and ISO/IEC PDTR 15446 Guide for the production of
protection profiles and security target. By a Protection Profile (PP) is meant a set of security requirements for a
category of products or systems that meet specific needs. A typical example would be a PP for On-Board
Equipment (OBEs) to be used in an EFC system.
This document should be read in conjunction with the underlying standards ISO/IEC 15408 and ISO/IEC
PDTR 15446. Although a layman can read the first part of the document to have an overview on how to prepare a
Protection Profile for EFC equipment, the Annexes, and more particularly Clauses A.4 and A.5, require that the
reader is familiar with the ISO/IEC 15408.
It is recommended that Electronic Fee Collection (EFC) operators or national organisations, e.g. Highway
authorities or Transport Ministries, use this guideline to prepare their own EFC/PP, as security requirements should
be described from the standpoint of the operators and/or operators organisations.
It should be noted that this standard is of a more informative than normative nature and it can not be used without
also using the ISO/IEC 15408. Most of the content of the standard is an example shown in Annex A on how to
prepare the security requirements for EFC equipment, in this case an OBE with an IC-card loaded with crucial data
needed for the EFC. The example refers to a Japanese national EFC system and should only be regarded and
used as an example. The Clauses 1 to 5 are normative while Annexes A to D are informative.
After an EFC/PP is prepared, it can be internationally registered by the organisation that prepared the EFC/PP so
that other operators or countries that want to develop their EFC system security services, can refer to an already
registered EFC/PPs.
This EFC related standard on security service framework and EFC/PP is based on the ISO/IEC 15408, Evaluation
criteria for information technology (IT) security. ISO/IEC 15408 includes a set of requirements for the security
functions and assurance of IT relevant products and systems. Operators, organisations or authorities defining their
own EFC/PP can use these requirements. This will be similar to the different PPs registered by several financial
institutions, e.g. for payment instruments like IC-cards.
The products and systems, which were developed in accordance with ISO/IEC 15408, can be publicly assured by
the authentication of the government or designated private evaluation agencies.
4

---------------------- Page: 6 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

1 Scope
This document gives guidelines for the preparation and evaluation of security requirements specifications, referred
to as Protection Profiles (PP) in ISO/IEC 15408 Evaluation criteria for IT security and ISO/IEC PDTR 15446 Guide
for the production of protection profiles and security target. By a Protection Profile (PP) is meant a set of security
requirements for a category of products or systems which meet specific needs. A typical example would be a PP
for OBEs to be used in an EFC system and in this case the PP would be an implementation-independent set of
security requirements for the OBEs meeting the operators and users needs for security.
The document uses an OBE with an integrated circuit(s) card (ICC) as an example describing both the structure of
the PP as well as the proposed content.
Figure 1 shows how this document fits in the overall picture of EFC security architecture. The shaded boxes are the
aspects mostly related to the preparation of PPs for EFC systems.


Figure 1 — Overall view of security architecture

The main purpose of a PP is to analyse the security environment of a subject and then to specify the requirements
meeting the threats being the output of the security environment analysis. The subject studied is called the Target
of Evaluation (TOE). In this document, an OBE with an ICC is used as an example of the TOE.
The preparatory work of EFC/PP consists of the steps shown in Figure 2 (items 1 to 6):
5

---------------------- Page: 7 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

Figure 2 — The process of preparing a Protection Profile for EFC equipment

A PP can be registered publicly by the entity preparing the PP in order to make it known and available to other
parties that can use the same PP for their own EFC systems.
By a Security Target (ST) is meant a set of security requirements and specifications to be used as the basis for
evaluation of an identified TOE. While the PP can be looked upon as the EFC operator requirements the ST can be
looked upon as the documentation of a supplier as for the compliance with and fulfilment of the PP for the TOE,
e.g. an OBE.
Figure 3 shows a simplified picture and example of the relationships between the EFC operator, the EFC
equipment supplier and an evaluator. As for international registry organisation, i.e. Common Criteria Recognition
Arrangement (CCRA) and current registered PPs, reference is made to Annex D.
6

---------------------- Page: 8 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)


Figure 3 — Relationships between operators, suppliers and evaluators
The ST is similar to the PP, except that it contains additional implementation-specific information detailing how the
security requirements are realised in a particular product or system. Hence, the ST includes the following parts not
found in a PP:
— a TOE summary specification that presents the TOE-specific security functions and assurance measures;
— an optional PP claims portion that explains PPs the ST is claimed to be conformant with (if any);
— finally the rational contains additional evidence establishing that the TOE summary specifications ensures
satisfaction of the implementation-independent requirements, and that claims about PP conformance are
satisfied.
Actual security functions of EFC products will be designed based on this ST, see example in Figure 4.
7

---------------------- Page: 9 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)


Figure 4 — Example on design based on a PP
TOE for EFC is limited to EFC specific entities and interfaces such as for Users, Service Providers and
communication link (DSRC or CN) between Users and Service Providers, which are essential to EFC systems and
are shown shadowed in Figure 5. Since the existing financial security standards and criteria are applicable to other
entities and interfaces, they are assumed to be outside the scope of TOE for EFC.
The security evaluation is performed by assessing the security related properties of entities and interfaces defined
in STs, as opposed to assessing complete processes which often are distributed over more entities and interfaces
than those covered by the TOE of this document.
NOTE Assessing security issues for complete processes is a complimentary approach, which may well be beneficial to apply
when evaluating the security of a system.
In Annex A, the guideline for preparing EFC/PP is described by using an OBE as an example of EFC products. The
crucial communication link in this Annex (between the OBE and the RSE) is based on DSRC.
8

---------------------- Page: 10 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)


Figure 5 — Scope of TOE for EFC

Figure 6 below shows the entities involved in the charging interface, i.e. the User, the Service Provider, and a
Dishonest Party, the latter trying to gain from tampering segments or communication.

Figure 6 — Entities involved in the Charging Interface of EFC
9

---------------------- Page: 11 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references,
only the edition cited applies. For undated references, the latest edition of the referenced document (including any
amendments) applies.
ISO/IEC 15408-1:1999, Information technology - Security techniques - Evaluation criteria for IT security –
Part 1: Introduction and general model
ISO/IEC 15408-2:1999, Information technology - Security techniques - Evaluation criteria for IT security –
Part 2: Security functional requirements
ISO/IEC 15408-3:1999, Information technology - Security techniques - Evaluation criteria for IT security –
Part 3: Security assurance requirements

10

---------------------- Page: 12 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
assurance requirement
security requirements to assure confidence in the implementation of functional requirements
3.2
audit
recognising errors such as illicit systems and/or illicit access. In addition, recording and analysing information
related to security relevant activities and events in order to attain proper security control in accordance with security
policy
3.3
availability
dependability with respect to readiness for usage. A measure of correct service delivery based on the alternation of
correct and incorrect service
3.4
Central Communication Unit
part of the Central Equipment serving as a mobile communication interface to the OBU
3.5
Central Equipment
system components at fixed centralised locations
NOTE Central equipment is not the same as Central system. Central equipment is used in the GNSS/CN based EFC system.
3.6
certification
action by a third party, demonstrating that adequate confidence is provided that a duly identified product, process
or service is in conformity with a specific standard or other normative document
3.7
Clearing Operator
the entity that collects and possibly aggregates transactions from one or more Transport Service Providers for
delivery to the Issuer(s). The Clearing Operator can also handle the Apportionment between the Transport Service
Providers. In the financial world this operator is equivalent to an Acquirer
3.8
Collection Agent
the entity responsible for selling, reloading or delivering the Payment Means to the User and collecting the payment
from the User on behalf of the Issuer. The Collection Agent can also collect user related application specific data
from the User. The Collection Agent is also referred to as Retailer
3.9
confidentiality
prevention of information leakage to non-authenticated individuals, parties and/or processes
3.10
Evaluation Assurance Level (EAL)
assurance levels to evaluate securities for products and systems
3.11
functional requirement
security requirements to determine the security functions, which are required for systems and/or products
11

---------------------- Page: 13 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)
3.12
issuer
the entity responsible for the payment system and responsible for issuing the Payment Means to the User
3.13
integrity
the property that information (data) has not been altered or destroyed in an unauthorised manner
3.14
Key Management (Encryption Key Control)
the generation, distribution, storage, application and deletion of encryption keys
3.15
On-Board Equipment (OBE)
equipment located within the vehicle and supporting the information exchange with the Road Side Unit or the
Central Communication Unit. It is composed of the On-Board Unit and other sub-units whose presence have to be
considered optional for the exception of a Transaction
3.16
On-Board Unit (OBU)
minimum component of an On-Board Equipment, whose functionality always includes at least the support of the
DSRC interface or/and the Central Communication Unit and the protection of the data stored in the OBU
3.17
operator
generic term for the entities: Issuer, Clearing Operator, Collection Agent and Service Provider
3.18
Personalisation card (Set-up card)
an IC card to transcribe individual data such as vehicle information into an On-Board unit
3.19
privacy
the right of individuals to control or influence what information related to them can be collected and stored and by
whom and to whom that information may be disclosed
3.20
protection
the act of protecting, or the state of being protected; preservation from loss, theft, damage or unauthorised access
3.21
rationale (verification)
a process determining that a product of each phase of the system life cycle development process fulfils all the
requirements specified in the previous phase
3.22
reliability
An attribute of any system that consistently produces the same results, preferably meeting or exceeding its
specifications
3.23
responsibility
the state of being responsible, accountable, or answerable, as for an entity, function, system, security service or
obligation
3.24
Road Side Equipment (RSE)
equipment located at a fixed position along the road transport network, for the purpose of communication and data
exchanges with the On-Board Equipment of passing vehicles
12

---------------------- Page: 14 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

3.25
Secure Application Module (SAM)
a module intended to contain algorithm(s), related keys, security procedures and information to protect an
application in such a way that unauthorised access is not possible. This can be achieved through physically,
electrically and logically protection of the module
3.26
Security Policy
a set of rules that regulate how to cope with security threats or what degree of security levels should be kept
3.27
Security Threat
a potential action or manner to violate security systems
3.28
Security Target (ST)
a set of security requirements and specifications to be used as the basis for evaluation of an identified TOE
3.29
Service Provider
the person, company, authority or abstract entity offering a transport service to the User for which the user has to
pay a fee (the fee will in some cases be zero, e.g. emergency vehicles)
3.30
Target Of Evaluation (TOE)
information security product or system for the subject of security evaluation
3.31
User
the entity that uses services provided by the Service Provider according to the terms of the Contract expressed by
the Payment Means. The User receives and reloads the electronic Payment Means through the Collection Agent
3.32
validity
the quality or state of being valid; having legal force
13

---------------------- Page: 15 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)
4 Abbreviations
4.1
CC
Common Criteria
4.2
CCRA
Common Criteria Recognition Arrangement
4.3
CN
Cellular Networks
4.4
DSRC
Dedicated Short Range Communication
4.5
EAL
Evaluation Assurance Level
4.6
EFC
Electronic Fee Collection
4.7
GNSS
Global Navigation Satellite Systems
4.8
HMI
Human Machine Interface
4.9
I/F
Interface
4.10
ICC
Integrated Circuit(s) Card
4.11
IT
Information Technology
4.12
OBE
On-Board Equipment
4.13
OBU
On-Board Unit
4.14
PP
Protection Profile
14

---------------------- Page: 16 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

4.15
RSE
Road Side Equipment
4.16
SAM
Secure Application Module
4.17
SFP
Security Function Policy
4.18
SOF
Strength of Function
4.19
ST
Security Target
4.20
TOE
Target of Evaluation
4.21
TSF
TOE Security Functions
15

---------------------- Page: 17 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)
5 Outlines of Protection Profile
5.1 Structure
The content of a Protection Profile for a part or interface of an EFC system is shown in Figure 7.

Figure 7 — Content of a Protection Profile

5.2 Context
Guidelines for preparing PP are shown as follows:
a) Introduction (see Clause A.1)
b) Target of Evaluation (TOE, see Clause A.2)
The scope of the TOE shall be specified.
c) Security Environments (see Clause A.3)
Development, operation and control methods of TOE is described to clarify the working/operation
requirements. Regarding these requirements, IT assets, which TOE protects and security threats, to which
TOE is exposed, are specified.
d) Security Objectives (see Clause A.4)
Security policies for threats to TOE are determined. The policies are divided into technical policy and
operational/control policy.
Security objectives should be consistent with the operational aim or product purpose of the TOE.
Operational/control policy is defined as personnel and physical objectives in the status that TOE is used or
operated. The operational/control policy includes control and operational rules for operators.
16

---------------------- Page: 18 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

e) Security Requirements (see Clause A.5)
In accordance with the security objectives defined in Clause A.4, concrete security requirements for security
threats stated in Clause A.3 are specified. The security requirements consist of functional requirements
(technical requirements) and assurance requirements for security quality.
Functional requirements are provided selecting necessary requirements from ISO/IEC 15408-2 and
determining parameters.
Regarding assurance requirements, assurance requirements designated in ISO/IEC 15408-3 are adopted by
determining evaluation levels (EAL) for assurance requirements, which are provided in ISO/IEC 15408.
f) Rationale of justification/effectiveness (see Clause A.6)
The contents of PP are checked when necessary and cover security requirements for TOE. The checked
items are shown as follows:
1) All security environments needed are covered;
2) Security objectives should completely meet the security environments;
3) Security requirements should implement security objectives.
17

---------------------- Page: 19 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)
Annex A
(informative)

Procedures of Preparing Documents
A.1 Introduction
A.1.1 General
General outline of the document for Protection Profile (PP) is described.
It should be noted that this chapter is informative nature. Most of the content is an example on how to prepare the
security requirements for EFC equipment; in this case an OBE with a smart card loaded with crucial data needed
for the Electronic Fee Collection.
NOTE The examples should only be regarded and used as an example.
A.1.2 Identification Information
Identification Information for the document is as follow:
a) Document title;
b) Version/Release number;
c) Preparation date;
d) Prepared by.

EXAMPLE Identification information
a) Document title: EFC On-Board Unit Security Protection Profile
b) Reference / Version number: 1.0
c) Preparation date 2002-10-20
d) Prepared by: ABC Association.

A.1.3 Target Of Evaluation (TOE) Description
TOE is identified as follows:
a) Product;
b) Version/Release number;
c) Developer.

EXAMPLE TOE description
a) Product EFC On-Board unit
b) Version/Release number 1.0
c) Developer ABC Co., Ltd.
18

---------------------- Page: 20 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

A.1.4 Accordance with ISO/IEC 15408
The prepared “Protection Profile” in accordance with ISO/IEC 15408 is stated explicitly.
The version and preparation data of referenced ISO/IEC15408 are stated as well.
EXAMPLE
ISO/IEC 15408 conformance statement according to:
 ISO/IEC 15408-1:1999;
 ISO/IEC 15408-2:1999;
 ISO/IEC 15408-3:1999.
A.1.5 Outline of TOE
The following is provided as TOE in this document.
A.1.5.1 Classification of TOE
EXAMPLE
A.1.5.1 Classification of TOE
EFC on-board units
A.1.5.2 TOE functional outline
For users of security “Protection Profile”, types of devises described in “Protection Profile” are described explicitly
to help them determine the application.
EXAMPLE
A.1.5.2 TOE functional outline (OBU for EFC system)
The functional outline is as follows:
a) EFC function:
1) Mutual authentication with IC card;
2) Transcription(caching) of IC card data to OBU(On board unit);
3) Encryption of radio communication with RSE;
4) Assurance of message integrity;
5) Mutual authentication with RSE;
6) Storage of secured information (encryption key) used in OBU during EFC transaction;
b) Set-up function:
1) Authentication of set-up card;
2) Caching of vehicle information from IC card to OBU;
c) HMI function:
1) Report of EFC billing results to users;
2) Guidance of EFC lane.
A.1.5.3 Evaluation assurance level (EAL)
Evaluation assurance levels (EAL) for objectives are selected. Each EAL defines a package consisting of
assurance components and determines the degree of assurance requirements on security systems. The
justification for the selected EAL is stated.
19

---------------------- Page: 21 ----------------------

SIST-TS CEN ISO/TS 17574:2005
CEN ISO/TS 17574:2004 (E)

EXAMPLE
A.1.5.3 EFC OBU (EAL is 5)
OBU functions as equipment for e-Commerce in EFC transactions. The security systems of EFC OBU are vulnerable to attack
under the control of individual users. Therefore, a high assurance level (EAL) will be required for EFC OBU.
A.2 Target of Evaluation (TOE)
A.2.1 TOE objectives and methodology
A.2.1.1 TOE use objectives
The following indicates objectives for TOE use and the type of environment in which it is used.
EXAMPLE EFC members (users) use the EFC system at tollgates by inserting the IC card with EFC member contract
information for settlement. Vehicle information such as automobile inspection certification is stored in OBU beforehand. For
storing vehicle information, a Personalisation card for initialisation is used. The OBU (TOE), which read/write data to IC cards for
set-ups/settlement and transmit/receive data to roadside equipment for toll collection transactions, protects interface and internal
data from external threats.
A.2.1.2 TOE use methodology
a) User preparations
Steps to be taken by users before use of TOE
b) Operators preparation
Necessary hardware/software and control systems are described when operators operate TOE
c) Operational procedures
Procedures for operation and maintenance are described.
d) Use procedures
Procedures for users are described.
e) Limitations of use
Limitations of use such as time zones and geographical zones are described.

EXAMPLE
a) User preparations
Users request an operator to install an OBU and set-up vehicle informa
...