1、NEMA Standards PublicationNational Electrical Manufacturers AssociationNEMA TS 8-2018Cyber and Physical Security for Intelligent Transportation Systems (ITS)NEMA Standards Publication TS 8-2018 Cyber and Physical Security for Intelligent Transportation Systems (ITS) Published by: National Electrical
2、 Manufacturers Association 1300 North 17thStreet, Suite 900 Rosslyn, Virginia 22209 www.nema.org 2018 National Electrical Manufacturers Association. All rights including translation into other languages, reserved under the Universal Copyright Convention, the Berne Convention for the Protection of Li
3、terary and Artistic Works, and the International and Pan American Copyright Conventions. 2018 National Electrical Manufacturers Association NOTICE AND DISCLAIMER The information in this publication was considered technically sound by the consensus of persons engaged in the development and approval o
4、f the document at the time it was developed. Consensus does not necessarily mean that there is unanimous agreement among every person participating in the development of this document. The National Electrical Manufacturers Association (NEMA) standards and guideline publications, of which the documen
5、t contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest in the topic covered by this publication. While NEMA administers the process and establishes rules
6、to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications. NEMA disclaims liabilit
7、y for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. NEMA disclaims and makes no guaranty or warranty, expre
8、ss or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any of your particular purposes or needs. NEMA does not undertake to guarantee the performance of any individual manufacturer
9、or sellers products or services by virtue of this standard or guide. In publishing and making this document available, NEMA is not undertaking to render professional or other services for or on behalf of any person or entity, nor is NEMA undertaking to perform any duty owed by any person or entity t
10、o someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this public
11、ation may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication. NEMA has no power, nor does it undertake to police or enforce compliance with the contents of this document. NEMA does not certify, test, or inspect prod
12、ucts, designs, or installations for safety or health purposes. Any certification or other statement of compliance with any health or safetyrelated information in this document shall not be attributable to NEMA and is solely the responsibility of the certifier or maker of the statement. NEMA TS 8-201
13、8 Page i 2018 National Electrical Manufacturers Association CONTENTS Section 1 General 1 1.1 Summary 1 1.2 Scope 1 1.3 Background 2 1.4 References . 2 1.4.1 Normative References. 2 1.4.2 Other References 2 1.4.3 Contacts 3 1.4.4 Definitions, Acronyms, and Abbreviations. 3 Section 2 Concept of Operat
14、ions Normative . 5 2.1 Tutorial Informative . 5 2.2 Current Situation and Problem Statement Informative . 5 2.2.1 Problem Statement 5 2.3 Reference Physical Architecture Informative 11 2.4 Architectural Needs . 11 2.5 Features 11 2.6 Security User Needs 11 2.6.1 Physical SecurityUser Needs 11 2.6.2
15、Central Systems Physical Security . 12 2.6.3 Local Access Security User Needs 13 2.6.4 Communications SecurityUser Needs . 13 2.6.5 Central Systems SecurityUser Needs . 14 Section 3 Functional Requirements Normative . 17 3.1 Security . 17 3.1.1 Physical Security . 17 3.1.2 Local Access Security . 18
16、 3.1.3 Communications Security . 19 3.1.4 Central System Security 20 Section 4 Testing/Conformance Assessment and Certification 23 4.1 Manufacturers Certification . 23 4.2 Agency Certification Requirements 23 4.3 Detailed Requirements 23 4.3.1 Physical . 23 4.3.2 Local Access Security . 24 4.3.3 Com
17、munications Security . 24 4.3.4 Central System Security 24 TABLES Table 21 Physical Security Threats 6 Table 22 Local Access Security Threats . 6 Table 23 Communication Security Threats . 8 Table 24 Central System Security Threats . 9 NEMA TS 8-2018 Page ii 2018 National Electrical Manufacturers Ass
18、ociation Foreword This NEMA Standards Publication, TS 8-2018 Cyber and Physical Security for Intelligent Transportation Systems (ITS), was developed to meet the needs for security in the traffic control and ITS industries. In the preparation of NEMA TS 8-2018, input of users and other interested par
19、ties has been sought and evaluated. Inquiries, comments, and proposed or recommended revisions should be submitted to the concerned NEMA product subdivision by contacting: Senior Technical Director, Operations National Electrical Manufacturers Association 1300 North 17th Street, Suite 900 Rosslyn, V
20、irginia 22209 The NEMA 3TS Cybersecurity Working Group developed NEMA TS 8-2018 under the auspices of the NEMA Transportation Management Systems and Associated Control Devices Section (3TS), of which it is a part. The following companies and their representatives were members of the working group: A
21、daptive Micro Systems Michael Bolz, Steve Gattoni, Jeremy Pape Applied Information, Inc. Bryan Mulligan Daktronics Steve Bostrom Intelight Doug Crawford Parsons Russ Brookshire (Chair) Peek Traffic Ray Deer Siemens Industry Jonathan Grant, Dave Miller, Andrew Valdez Skyline Products James Barnhart,
22、Bill Bishop, Pat Cochran Ver-Mac Inc. Serge Beaudry 3TS Section approval of NEMA TS 8-2018 does not necessarily imply that all 3TS Section members voted for its approval or participated in its development. When NEMA TS 8-2018 was approved, the Transportation Management Systems and Associated Control
23、 Devices Section was composed of the following members: Adaptive Micro Systems, Inc. Applied Information, Inc. Daktronics, Inc. Eberle Design, Inc. Horizon Signal Technologies Intelight Inc. intelight- John Thomas, Inc. Miovision Technologies https:/ OMJC Signal, Inc. Parsons Corporation Pee
24、k Traffic Corporation SES America, Inc. Siemens Industry, Inc. Skyline Products, Inc. Ver-Mac Inc. www.ver- NEMA TS 8-2018 Page 1 2018 National Electrical Manufacturers Association Section 1 General 1.1 Summary NEMA TS 8, this standard, is designed to allow agencies and other transportation infr
25、astructure owners to implement security of the surface transportation electronic systems. The goal is to allow, using NEMA TS 8, security to be implemented on both existing legacy systems, as well as new and planned future systems. The security requirements proposed are designed to be practical to i
26、mplement, and not place an excessive burden on agencies and implementers of transportation systems. No security measures can ever be perfect and provide 100% security. The measures and requirements of NEMA TS 8 provide a reasonable balance between the security needs, and the reasonable needs to have
27、 transportation systems continue to function without requiring wholesale changes to the equipment, processes, and practices of the transportation community. 1.2 Scope NEMA TS 8 defines functional cybersecurity attributes along with minimum performance baselines that owners and operators of critical
28、infrastructure transportation systems can use for procurement purposes. NEMA TS 8 addresses the following products: a) Signal display and signal elements, e.g., signal heads, pedestrian displays, and dynamic message signs (DMS). b) Fixed, configurable and programmable traffic controllers and associa
29、ted cabinet devices, including traffic controllers, conflict monitors (e.g., MMU, CMU), ramp meters, and auxiliary devices. c) Communications interface devices and systems, e.g., National Transportation Communications for Intelligent Transportation System Protocol (NTCIP) interface units, and other
30、communication interface devices. d) Software and firmware modules, e.g., application system software, and Transportation Management Center (TMC) software. e) Mounting, protection, power supply, and fastening equipment, e.g., cabinets and enclosures. f) Computing assemblies for transportation managem
31、ent systems, e.g., incident monitoring and reporting stations and toll collection and management stations. g) Associated devices for transportation system management control devices, e.g., automatic vehicle location devices, weigh-in-motion systems, and detection devices such as loop detectors, traf
32、fic cameras, and ultrasonic sensors. The security of other elements of a complete Intelligent Transportation System (ITS), such as communications networks, is outside the scope of NEMA TS 8. NEMA TS 8 addresses the following areas of concern: physical security, local access security, communications
33、security (between field and central system), and central system security. For each of these areas, NEMA TS 8 identifies potential threat areas and the severity of their consequences, prevention and mitigation techniques that manufacturers can use to minimize their impacts, and methods to effectively
34、 rate security performance. Communication between individual components of a field system is outside the scope of NEMA TS 8, for example: NEMA TS 8-2018 Page 2 2018 National Electrical Manufacturers Association a) Communication between a signal head and a traffic controller; b) Communication between
35、 a sign controller and display boards, and c) Communication between a traffic controller and an MMU 1.3 Background In Executive Order 13636, Improving Critical Infrastructure Cybersecurity, President Obama ordered a consultative process to coordinate improvements to the cybersecurity of critical inf
36、rastructure sectors. Transportation systems were identified in Presidential Policy Directive/PPD-21 as one of the 16 critical infrastructure sectors, with both the Department of Homeland Security and the Department of Transportation being designated as the co-sector-specific agencies. Owners and ope
37、rators of transportation systems critical infrastructure have a responsibility to implement security as required by this Executive Order 13636 while still maintaining reliability of the systems themselves. Executive Order 13636 also directed the National Institute of Standards and Technology (NIST)
38、to develop a voluntary, risk-based, cybersecurity framework based on existing industry standards and best practices to help organizations manage cybersecurity risk. 1.4 References The following standards (normative references) contain provisions that, through reference in this text, constitute provi
39、sions of NEMA TS 8. Additional documents and standards (other references) are referenced that might provide a more complete understanding. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on NEMA TS 8 should apply t
40、he most recent editions of the standards indicated. 1.4.1 Normative References ISO/IEC 18033-3:2010 Information TechnologySecurity TechniquesEncryption AlgorithmsPart 3: Block Ciphers FIPS PUB 197 Specification for the Advanced Encryption Standard (AES) NEMA 250-2014 Enclosures for Electrical Equipm
41、ent (1,000 V Maximum) NTCIP 1103 v03 Transportation Management Protocols (TMP), AASHTO / ITE / NEMA, published December 2016 NTCIP 2103 v02 Point-to-Point Protocol over RS 2-32 Subnetwork, AASHTO / ITE / NEMA, published December 2008 NTCIP 8004 v02 Structure and Identification of Management Informat
42、ion (SMI), AASHTO / ITE / NEMA, published June 2010 RFC 1157 A Simple Network Management Protocol (SNMP) 1.4.2 Other References National ITS Architecture 7.1 National ITS Architecture 7.1, USDOT Executive Order 13636 Improving Critical Infrastructure Cybersecurity NEMA TS 8-2018 Page 3 2018 Nationa
43、l Electrical Manufacturers Association 1.4.3 Contacts 1.4.3.1 Internet Documents Obtain Request for Comment (RFC) electronic documents from several repositories on the internet, or by “anonymous” File Transfer Protocol (FTP) with several hosts. Browse or FTP to: www.rfc-editor.org www.rfc-editor.org
44、/repositories.html for FTP sites, read ftp:/ftp.isi.edu/in-notes/rfc-retrieval.txt 1.4.3.2 Executive Order For a copy of Executive Order 13636, see: www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf 1.4.3.3 National Electrical Manufacturers Association (NEMA) For information concerning NEMA, co
45、ntact: National Electrical Manufacturers Association 1300 North 17th Street, Suite 900 Rosslyn, VA 22209-3801 www.nema.org 1.4.3.4 National ITS Architecture The National ITS Architecture may be viewed online at: www.its.dot.gov/arch/index.htm 1.4.3.5 NTCIP Standards Copies of NTCIP standards may be
46、obtained from: NTCIP Coordinator National Electrical Manufacturers Association 1300 N.17th Street, Suite 900 Rosslyn, Virginia 22209-3801 www.ntcip.org ntcipnema.org 1.4.4 Definitions, Acronyms, and Abbreviations In NEMA TS 8, the following definitions apply. Electrical and electronic terms are used
47、 in accordance with their definitions in IEEE Std 100. Authentication: The act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. Authorization: The function of specifying access rights to resources related to information security and computer secu
48、rity in general and access control in particular. Central System: A system of servers and connected computers, typically installed as part of a traffic management center, which is used to monitor, control, configure, and process data of an intelligent transportation system, provide user access to these functions and interface with other central systems. NEMA TS 8-2018 Page 4 2018 National Electrical Manufacturers Association Challenge-Handshake Authentication Protocol (CHAP): An authentication method in which a representation of the users password,
