ETSI TR 102 893-2017 Intelligent Transport Systems (ITS) Security Threat Vulnerability and Risk Analysis (TVRA) (V1 2 1)《智能运输系统(ITS) 安全 威胁、脆弱性和风险分析(TVRA)(V1 2 1)》.pdf

1、 ETSI TR 102 893 V1.2.1 (2017-03) Intelligent Transport Systems (ITS); Security; Threat, Vulnerability and Risk Analysis (TVRA) TECHNICAL REPORT ETSI ETSI TR 102 893 V1.2.1 (2017-03) 2 Reference RTR/ITS-0050018 Keywords authentication, authorization, confidentiality, security ETSI 650 Route des Luci

2、oles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standa

3、rds-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents

4、 between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. In

5、formation on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyrig

6、ht Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The co

7、pyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI

8、 registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 102 893 V1.2.1 (2017-03) 3 Contents Intellectual Property Rights 6g3Foreword . 6g3Modal verbs terminology 6g31 Scope 7g32

9、 References 7g32.1 Normative references . 7g32.2 Informative references 7g33 Definitions and abbreviations . 8g33.1 Definitions 8g33.2 Abbreviations . 8g34 The TVRA Method 9g35 The ETSI Intelligent Transport System 10g35.1 ITS architecture 10g35.1.1 General 10g35.1.2 Summary of ITS applications . 11

10、g36 ITS Security Objectives 14g36.1 Confidentiality 14g36.2 Integrity 14g36.3 Availability . 15g36.4 Accountability 15g36.5 Authenticity 15g37 ITS Functional Security classes . 15g37.1 Confidentiality 15g37.2 Integrity 16g37.3 Availability . 17g37.4 Accountability 17g37.5 Authenticity 17g38 ITS Targ

11、et of Evaluation (ToE) . 18g38.1 General . 18g38.2 Assumptions on the ToE 19g38.3 Assumptions on the ToE environment . 19g39 ITS system assets . 20g39.1 ITS station functional models . 20g39.2 Functional assets 21g39.2.1 ITS-S (Vehicle) . 21g39.2.1.0 General 21g39.2.1.1 Protocol Control 22g39.2.1.1.

12、1 General description 22g39.2.1.1.2 Vehicle to ITS infrastructure . 22g39.2.1.1.3 Vehicle to vehicle 22g39.2.1.2 Service Control . 22g39.2.1.3 ITS Applications . 22g39.2.1.4 Sensor Monitor 23g39.2.1.5 Vehicle System Control 23g39.2.2 ITS-S (Roadside) 24g39.2.2.0 General 24g39.2.2.1 Protocol Control

13、24g39.2.2.1.1 General description 24g39.2.2.1.2 RSU to vehicle . 24g39.2.2.1.3 RSU to ITS network 24g39.2.2.2 Service Control . 24g39.2.2.3 ITS Applications . 25g3ETSI ETSI TR 102 893 V1.2.1 (2017-03) 4 9.2.2.4 Sensor Monitor 25g39.2.2.5 Display Control . 26g39.3 Data assets 26g39.3.1 ITS-S (Vehicle

14、) . 26g39.3.1.1 Local Dynamic Map 26g39.3.1.2 Local Vehicle Information 27g39.3.1.3 Service Profile . 27g39.3.2 ITS-S (Roadside) 27g39.3.2.1 Local Dynamic Map (LDM) . 27g39.3.2.2 Local Station Information . 28g39.3.2.3 Service Profile . 28g310 ITS threat analysis 28g310.1 Attack interfaces and threa

15、t agents . 28g310.1.1 Attack interfaces and threat agents for ITS-S (Vehicle) ToE . 28g310.1.2 Attack interfaces and threat agents for ITS-S (Roadside) ToE . 29g310.2 Vulnerabilities and threats 30g310.2.1 Threats to all ITS stations . 30g310.2.2 Availability . 30g310.2.2.1 General threats to availa

16、bility . 30g310.2.3 Integrity 31g310.2.3.1 General threats to integrity 31g310.2.4 Authenticity 31g310.2.4.1 General threats to authenticity. 31g310.2.5 Confidentiality 32g310.2.5.1 General threats to confidentiality 32g310.2.6 General threats to accountability 32g310.2.7 Vulnerabilities and threats

17、 33g310.2.7.1 Determining system vulnerabilities . 33g310.2.7.2 Threats and vulnerabilities within an ITS-S (Vehicle) 34g310.2.7.3 Threats and vulnerabilities within an ITS-S (Roadside) . 41g310.3 Security risks in an ITS system 46g310.3.0 Introduction. 46g310.3.1 Risks in an ITS-S (Vehicle) 47g310.

18、3.2 Risks in an ITS-S (Roadside) 48g311 Countermeasures 49g311.1 List of Countermeasures . 49g311.2 Evaluation of Countermeasures 50g311.3 Countermeasure Analysis . 51g311.3.1 Reduce frequency of beaconing and other repeated messages . 51g311.3.2 Add source identification (IP address equivalent) in

19、V2V messages . 51g311.3.3 Limit message traffic to V2I/I2V when infrastructure is available and implement message flow control and station registration 52g311.3.4 Implement frequency agility within the 5,9 GHz band . 53g311.3.5 Implement ITS G5A as a CDMA/spread-spectrum system 53g311.3.6 Integrate

20、3rdGeneration mobile technology into ITS G5A communications 54g311.3.7 Digitally sign each message using a Kerberos/PKI-like token system . 55g311.3.7.0 General 55g311.3.7.1 Kerberos-like solution . 55g311.3.7.1.1 General requirements . 55g311.3.7.1.2 Countermeasure analysis . 56g311.3.7.2 PKI-like

21、solution . 56g311.3.7.2.1 General requirements . 56g311.3.7.2.2 Countermeasure analysis . 57g311.3.8 Include a non-cryptographic checksum of the message in each message sent 57g311.3.9 Remove requirements for message relay in the ITS BSA . 58g311.3.10 Include an authoritative identity in each messag

22、e and authenticate it 58g311.3.11 Use broadcast time (Universal Coordinated Time - UTC - or GNSS) to timestamp all messages . 59g311.3.12 Include a sequence number in each new message 60g311.3.13 Use INS or existing dead-reckoning methods (with regular - but possibly infrequent - GNSS corrections) t

23、o provide positional data 61g311.3.14 Implement differential monitoring on the GNSS system to identify unusual changes in position . 61g3ETSI ETSI TR 102 893 V1.2.1 (2017-03) 5 11.3.15 Encrypt the transmission of personal and private data 62g311.3.16 Implement a Privilege Management Infrastructure (

24、PMI) 63g311.3.17 Software authenticity and integrity are certified before it is installed 64g311.3.18 Use a pseudonym that cannot be linked to the true identity of either the user or the users vehicle . 64g311.3.19 Maintain an audit log of the type and content of each message sent to and from an ITS

25、-S 65g311.3.20 Perform plausibility tests on incoming messages . 66g311.3.21 Provide remote deactivation of misbehaving ITS-S (Vehicle) . 67g311.3.22 Use hardware-based identity and protection of software on an ITS-S 67g311.4 Countermeasure Set 68g311.4.0 Introduction. 68g311.4.1 ITS Countermeasure

26、Set . 69g311.4.1.1 Countermeasures to Denial of Service (DoS) and availability threats 69g311.4.1.2 Countermeasures to integrity threats . 71g311.4.1.3 Countermeasures to confidentiality and privacy threats 71g311.4.1.4 Countermeasures to non-repudiation and accountability threats . 72g311.4.2 Resid

27、ual risk . 72g3Annex A: Cost - Benefit analysis of the selected countermeasures 73g3Annex B: GeoNetworking Risk Assessment 77g3B.1 Introduction 77g3B.2 GeoNetworking Model . 77g3B.3 Packet Structure 78g3B.4 Target of Evaluation . 78g3B.4.1 General . 78g3B.4.2 Assumptions . 78g3B.4.3 Assets . 79g3B.4

28、.3.1 Data Assets . 79g3B.4.4 GeoNetworking Threat Analysis 79g3B.4.4.1 General Assumptions 79g3B.4.4.2 Attacks 79g3B.4.4.2.1 General 79g3B.4.4.2.2 Availability 79g3B.4.4.2.3 Integrity . 79g3B.4.4.2.4 Confidentiality 80g3B.4.4.2.5 Privacy 80g3B.4.4.3 Security Risks of GeoNetworking 80g3B.4.5 Counterm

29、easures 81g3B.4.5.1 General 81g3B.4.5.2 Security Design Premise . 81g3B.4.5.3 List of Countermeasures . 81g3B.4.5.3.1 Overview . 81g3B.4.5.3.2 C1: Consistency check, incoming plausibility check and global misbehavior detection 82g3B.4.5.3.3 C2: Restrict maximum range and maximum number of hops a pac

30、ket is routed 83g3B.4.5.3.4 C3: Restrict frequency to send messages 84g3B.4.5.3.5 C4: Verify (forwarding ITS-S) packet payload on demand 84g3B.4.5.3.6 C5: Optionally encrypt packet payload in an end-to-end manner . 85g3B.4.5.3.7 C6: Always sign (original sender and forwarding ITS-S) common header an

31、d verify (forwarding and final receiver ITS-S) common header on demand 85g3B.4.5.4 Further Countermeasures 86g3B.4.6 Incentive Schemes 86g3B.4.7 Security Performance . 87g3B.4.7.1 General 87g3B.4.7.2 Confidentiality (Countermeasure C5) . 87g3B.4.7.3 Integrity (Countermeasures C4 and C6) . 87g3B.4.7.

32、4 Confidentiality + Integrity (Countermeasures C4, C5 and C6) 87g3History 88g3ETSI ETSI TR 102 893 V1.2.1 (2017-03) 6 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if an

33、y, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available o

34、n the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or m

35、ay be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Intelligent Transport Systems (ITS). Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “ca

36、nnot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TR 102 893 V1.2.1 (2017-03) 7 1 Scope The present document summ

37、arizes the results of a Threat, Vulnerability and Risk Analysis (TVRA) of 5,9 GHz radio communications in an Intelligent Transport System (ITS). The analysis considers vehicle-to-vehicle and vehicle-to-roadside network infrastructure communications services in the ITS Basic Set of Applications (BSA)

38、 i.3 operating in a fully deployed ITS. The present document was prepared using the TVRA method described in ETSI TS 102 165-1 i.1. NOTE: Whilst the present document is a technical report it identifies requirements for future work. In all cases these requirements are considered indicative pending th

39、eir ratification in formal ETSI Technical Specifications within the ETSI ITS Work Programme. 2 References 2.1 Normative references Normative references are not applicable in the present document. 2.2 Informative references References are either specific (identified by date of publication and/or edit

40、ion number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publicat

41、ion, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI TS 102 165-1: “Telecommunications and Internet converged Services and Prot

42、ocols for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis“. i.2 ETSI TS 102 731: “Intelligent Transport Systems (ITS); Security; Security Services and Architecture“. i.3 ETSI TR 102 638: “Intelligent Transport Systems (ITS); V

43、ehicular Communications; Basic Set of Applications; Definitions“. i.4 IEEE 802.11TM: “IEEE Standard for Information Technology - Telecommunications and Information Exchange Between Systems - Local and Metropolitan Area Networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (M

44、AC) and Physical Layer (PHY) Specifications“. i.5 Recommendation ITU-T X.509: “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks“. i.6 IETF RFC 4120: “The Kerberos Network Authentication Service (V5)“. NOTE: Available at http:/tool

45、s.ietf.org/html/rfc4120. i.7 ETSI TS 102 636-4-1: “Intelligent Transport System (ITS); Vehicular communications; GeoNetworking; Part 4: Geographical addressing and forwarding for point-to-point and point-to-multipoint communications; Sub-part 1: Media-Independent Functionality“. i.8 ETSI TS 102 940:

46、 “Intelligent Transport Systems (ITS); Security; ITS communications security architecture and security management“. ETSI ETSI TR 102 893 V1.2.1 (2017-03) 8 i.9 ETSI TR 102 863: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Applications; Local Dynamic Map (LDM); Rationa

47、le for and guidance on standardization“. i.10 ETSI EN 302 636-4-1: “Intelligent Transport Systems (ITS); Vehicular Communications; GeoNetworking; Part 4: Geographical addressing and forwarding for point-to-point and point-to-multipoint communications; Sub-part 1: Media-Independent Functionality“. i.

48、11 Risk analysis study of ITS communication architecture, R Moalla, H Labiod, B Lonc, N Simoni, IEEE Network of the Future conference, 2012. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: beaconing: network layer s

49、ervice which retransmits requested information end user: functional agent directly representing the human user of the ITS or the ITS service provider geo-addressing: network layer service that enables the addressing a specific geographic region ITS application: entity that defines and implements an ITS use case or a set of ITS use cases ITS use case: specific scenario in which ITS messages are exchanged ITS user: any ITS application or functional agent sending, receiving or accessing ITS-related information local dynamic map: dynamically maintained