1、 ETSI TR 102 893 V1.1.1 (2010-03)Technical Report Intelligent Transport Systems (ITS);Security;Threat, Vulnerability and Risk Analysis (TVRA)ETSI ETSI TR 102 893 V1.1.1 (2010-03)2Reference DTR/ITS-0050005 Keywords ITS, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.
2、: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made a
3、vailable in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept o
4、n a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you fin
5、d errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction
6、 in all media. European Telecommunications Standards Institute 2010. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Membe
7、rs and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 102 893 V1.1.1 (2010-03)3Contents
8、Intellectual Property Rights 6g3Foreword . 6g31 Scope 7g32 References 7g32.1 Normative references . 7g32.2 Informative references 7g33 Definitions and abbreviations . 8g33.1 Definitions 8g33.2 Abbreviations . 8g34 The TVRA Method 9g35 The ETSI Intelligent Transport System 10g35.1 ITS architecture 10
9、g35.2 The Basic Set of Applications (BSA) . 11g35.2.1 BSA use case descriptions 11g35.2.1.1 Stationary vehicle warning 12g35.2.1.2 Traffic condition warning . 12g35.2.1.3 Signal violation warning . 12g35.2.1.4 Road work warning . 12g35.2.1.5 Collision risk warning from RSU 12g35.2.1.6 Decentralized
10、floating car data 12g35.2.1.7 Regulatory/contextual speed limits . 12g35.2.1.8 Traffic information Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp
11、.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
12、 essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Intelligent Transport System (ITS). ETSI ETSI TR 102 893 V1.1.1 (2010-03)71 Scope The present document summarizes the results of a Threat, Vulnerability and Risk Analysis (TVRA) of 5
13、,9 GHz radio communications in an Intelligent Transport System (ITS). The analysis considers vehicle-to-vehicle and vehicle-to-roadside network infrastructure communications services in the ITS Basic Set of Applications (BSA) i.8 operating in a fully deployed ITS. The analysis in the present documen
14、t considers issues of privacy implicitly with confidentiality. It does not consider regulatory requirements for privacy The present document was prepared using the TVRA method described in TS 102 165-1 i.1. NOTE: Whilst the present document is a technical report it identifies requirements for future
15、 work. In all cases these requirements are considered indicative pending their ratification in formal ETSI Technical Specifications within the ETSI ITS Work Programme. 2 References References are either specific (identified by date of publication and/or edition number or version number) or non-speci
16、fic. For a specific reference, subsequent revisions do not apply. Non-specific reference may be made only to a complete document or a part thereof and only in the following cases: - if it is accepted that it will be possible to use all future changes of the referenced document for the purposes of th
17、e referring document; - for informative references. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guara
18、ntee their long term validity. 2.1 Normative references The following referenced documents are indispensable for the application of the present document. For dated references, only the edition cited applies. For non-specific references, the latest edition of the referenced document (including any am
19、endments) applies. Not applicable. 2.2 Informative references The following referenced documents are not essential to the use of the present document but they assist the user with regard to a particular subject area. For non-specific references, the latest version of the referenced document (includi
20、ng any amendments) applies. i.1 ETSI TS 102 165-1: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Methods and protocols; Part 1: Method and proforma for Threat, Risk, Vulnerability Analysis“. i.2 ETSI TS 102 637-1: “Intelligent Transport Systems (
21、ITS); Vehicular Communications; Basic Set of Applications; Part 1: Functional Requirements. ETSI ETSI TR 102 893 V1.1.1 (2010-03)8i.3 ETSI TS 102 637-2: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Applications; Part 2: Specification of Co-operative Awareness Basic Se
22、rvice“. i.4 ETSI TS 102 637-3: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic Set of Application; Part 3: Specification of Decentralized Environmental Notification Basic Service“. i.5 ETSI EN 302 665: “Intelligent Transport Systems (ITS); Communications Architecture“. i.6 ETSI
23、 TS 102 731: “Intelligent Transportation Systems (ITS); Security; Security Services and Architecture“. i.7 Brown, C. (Aalborg. 2007): “Vehicles as Sensors for Cooperative Systems“. Presentation on ITS in Europe i.8 ETSI TR 102 638: “Intelligent Transport Systems (ITS); Vehicular Communications; Basi
24、c Set of Applications; Definitions“. i.9 IEEE 802.11 IEEE Standard for Information technology-Telecommunications and information exchange between systems-Local and metropolitan area networks-Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specificat
25、ions“. i.10 ITU-T Recommendation X.509: “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks“. i.11 ETSI TS 102 637-4: “Intelligent Transport Systems (ITS); Vehicular Communications; Basic set of applications; Part 4: Operational Req
26、uirements.“. i.12 IETF RFC 4120: “The Kerberos Network Authentication Service (V5)“. NOTE: Available at http:/tools.ietf.org/html/rfc4120. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: beaconing: network layer ser
27、vice which retransmits requested information End user: functional agent directly representing the human user of the ITS or the ITS service provider geo-addressing: Network layer service that enables the addressing a specific geographic region. ITS use case: specific scenario in which ITS messages ar
28、e exchanged ITS user: any ITS application or functional agent sending, receiving or accessing ITS-related information ITS application: entity that defines and implements an ITS use case or a set of ITS use cases local dynamic map: dynamically maintained information on driving and environmental condi
29、tions in the vicinity of the ITS-S restricted local ITS station data: data to be shared only with authorized parties unrestricted local ITS station data: data that may be shared without requiring authorization from the recipient 3.2 Abbreviations For the purposes of the present document, the followi
30、ng abbreviations apply: AA Attribute Authority AC Attribute CertificateETSI ETSI TR 102 893 V1.1.1 (2010-03)9BSA Basic Set of Applications CAM Cooperative Awareness Message CCH Control CHannel CDMA Code Division Multiple Access DNM Decentralized environmental Notification Message FA Functional Asset
31、 GNSS Global Navigation Satellite System I2V Infrastructure to Vehicle ITS Intelligent Transport System ITS-G5A ITS radio signalling in the 5,875 GHz to 5,905 GHz frequency range ITS-S ITS Station LDM Local Dynamic Map OS Operating SystemOSI Open Systems Interconnection PKC Public Key Cryptography P
32、KI Public Keying Infrastructure PMI Privilege Management Infrastructure PMI Privilege Management Infrastructure RSU Road Side Unit SAML Security Assertion Markup Language SCH Service CHannel ToE Target of Evaluation TTP Trusted Third PartyTVRA Threat, Vulnerability and Risk Analysis UTC Universal Co
33、ordinated Time V2I Vehicle to Infrastructure V2V Vehicle to Vehicle VIN Vehicle Identification Number 4 The TVRA Method Without an understanding of the threats posed to a system it is impossible to select or devise appropriate measures to counter these threats. The ETSI Threat, Vulnerability and Ris
34、k Analysis (TVRA) i.1 is used to identify risks to a system by isolating the vulnerabilities of the system, assessing the likelihood of a malicious attack on that vulnerability and determining the impact that such an attack will have on the system. The TVRA method involves the following seven steps:
35、 1) Identify security objectives. 2) Identify security requirements. 3) Produce an inventory of system assets. 4) Classify system vulnerabilities and threats. 5) Quantify the likelihood and impact of attack. 6) Determine the risks involved. 7) Specify detailed security requirements (countermeasures)
36、. The present document summarizes the results from each of these steps in the analysis of the ETSI Intelligent Transport System (ITS) standards. ETSI ETSI TR 102 893 V1.1.1 (2010-03)10 5 The ETSI Intelligent Transport System 5.1 ITS architecture Intelligent Transport Systems comprise the following c
37、ommunicating entities (as shown in Figure 1): Vehicles Roadside units A network infrastructure Figure 1: Communicating ITS entities This simplified architecture can be represented in functional terms by the overlay shown in Figure 2. Figure 2: ITS functional entities For the purpose of the TVRA, ref
38、erence points are named and mapped to the ITS functional model as shown in Figure 3. The physical interface at reference point K may be implemented in a number of ways but, within the ITS functional model, the reference point itself represents the direct management relationship that an in-vehicle IT
39、S station may have with the ITS infrastructure for the purpose of maintaining security parameters such as cryptographic keys. ETSI ETSI TR 102 893 V1.1.1 (2010-03)11 Figure 3: ITS functional model with reference points The reference points indicated in Figure 3 are defined as follows: A describes th
40、e temporary relationship between two vehicles. B describes the temporary relationship between a vehicle and a roadside station. J describes the relationship between an ITS roadside station and the ITS network infrastructure. K describes the relationship between an ITS vehicle station and the ITS net
41、work infrastructure. For the purpose of this TVRA, the interfaces at A and B are assumed to use communications in the 5,9 GHz band. It is also assumed that the interface at K could be routed to the ITS infrastructure indirectly through a roadside station, also in the 5,9 GHz band. 5.2 The Basic Set
42、of Applications (BSA) The Basic Set of Applications (BSA) i.1 represents the mandatory set of services to be deployed in an ITS station. The BSA is described as a collection of traffic and transport use cases. For the purposes of the TVRA, these have been re-specified in clause 5.3 as a much smaller
43、 set of communications services. The use cases in the BSA and, thus, included in the TVRA are as follows: 1) Stationary vehicle warning - accident/vehicle problem. 2) Traffic condition warning (includes traffic jam ahead warning). 3) Signal violation warning (includes stop sign violation). 4) Road w
44、ork warning. 5) Collision Risk Warning from RSU. 6) Decentralized Floating Car Data - Precipitations/Road Adhesion/Visibility/Wind. 7) Regulatory/Contextual speed limits. 8) Traffic information or contextual, e.g. reduced limit due to rain. NOTE: Use cases 5.2.1.7 and 5.2.1.10 are the same. 5.2.1.8
45、Traffic information I2V, DNM, geo-addressed; V2V, CAM, in network layer beacons; I2V, CAM, in network layer beacons; V2I, CAM, in network layer beacons. The following major ITS communication services are defined regardless of originator or receiver type (vehicle or infrastructure): a periodic status
46、 update service (CAM); an event notification service (DNM); a local service announcement service; an internet-based service announcement service; a transparent communication service. NOTE: The transparent communication service is not specified in EN 302 665 i.5 and is not included in the scope of th
47、e present document. ETSI ETSI TR 102 893 V1.1.1 (2010-03)15 EN 302 665 i.5 describes a layered model for ITS communications as shown in Figure 4. Access TechnologyLayerApplication LayerFacilities LayerNetwork and Transport LayerApplicationTelematics / sensor dataDNM/CAM message constructionNetwork e
48、ntityApplicationLocal dynamic mapDNM/CAM message receiptNetwork entityTelematics / sensor dataFigure 4: ITS architectural model from EN 302 665 This model ascribes functional capabilities to the layers which would not be permitted in an OSI model. As an example, it would not normally be possible for
49、 application-specific message contents to be interpreted or modified by a lower layer in the stack. Such capabilities represent a significant security vulnerability to an ITS station in that the integrity of the higher layer message cannot be fully assured. Security can be improved by using the combined processing and protocol model shown in Figure 5 and, consequently, this is the one that is assumed in the TVRA. This shows the relationships between the ITS protocol stack, the ITS applications and the
