1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1373 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (03/2017) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Intelligent transportation system (ITS) security Secure soft
2、ware update capability for intelligent transportation system communication devices Recommendation ITU-T X.1373 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.3
3、00X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Networ
4、k security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160
5、X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 PKI
6、 related Recommendations X.1340X.1349 Internet of things (IoT) security X.1360X.1369 Intelligent transportation system (ITS) security X.1370X.1379 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.
7、1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing
8、 security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1373 (03/2017) i Recommendation ITU-T X.1373 Secure software upda
9、te capability for intelligent transportation system communication devices Summary As intelligent transportation system (ITS) technologies improve, it has become common for vehicles to communicate with other entities such as other vehicles, vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I)
10、 communications. Electric devices inside a vehicle such as electronic control units (ECUs), electronic toll collections (ETCs) and car navigation systems are becoming more sophisticated. As a result, software modules inside those electric devices need to be appropriately updated for the purpose of b
11、ug fixing, and for performance and security improvements to avoid accidents. In order to fulfil the above requirement, Recommendation ITU-T X.1373 provides secure software update procedures between a software update server and vehicles with appropriate security controls. This Recommendation can be p
12、ractically utilized by car manufacturers and ITS-related industries as a set of standard capabilities for best practices. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X.1373 2017-03-30 17 11.1002/1000/13197 Keywords Communication devices, denial of service attack, DoS, em
13、bedded system, hardware security module, HSM, intelligent transportation system, ITS, malware, privacy, risk analysis, vehicle-to-vehicle, V2V, vehicle-to-infrastructure, V2I, vehicle-to-X (vehicle/infrastructure) (V2X), wireless communications. * To access the Recommendation, type the URL http:/han
14、dle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1373 (03/2017) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of
15、telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing te
16、lecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by th
17、e procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both
18、a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when al
19、l of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RI
20、GHTSITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by IT
21、U members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may
22、not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2017 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.13
23、73 (03/2017) iii Table of Contents Page 1 Scope . 1 2 References . 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 2 4 Abbreviations and acronyms 2 5 Conventions 3 6 Basic model of remote software update 3 6.1 Modules of ITS environment for software update
24、. 3 6.2 Model of software update procedure 4 7 Specification of secure software update procedure 6 7.1 General message format with security functions 6 7.2 Protocol definition and data format 7 Appendix I Methodology on risk analysis 22 I.1 Methodology on risk analysis based on b-JASO TP15002 . 22 I
25、.2 Data verification using MAC algorithms . 29 Appendix II Threats, security requirements and security controls . 30 II.1 Definition of target of evaluation . 30 II.2 Identification of major threats 32 II.3 Security Requirements in TOE . 35 II.4 Security controls . 38 Bibliography. 40 Rec. ITU-T X.1
26、373 (03/2017) 1 Recommendation ITU-T X.1373 Secure software update capability for intelligent transportation system communication devices 1 Scope In the context of updates of software modules in the electric devices of vehicles in the intelligent transportation system (ITS) communication environment
27、, this Recommendation aims to provide a procedure of secure software updating for ITS communication devices for the application layer in order to prevent threats such as tampering of and malicious intrusion to communication devices in vehicles. This includes a basic model of software update, securit
28、y controls for software update and a specification of abstract data format of update software module. The procedure related to in-vehicle communication is the out of scope of this Recommendation. For reference, the procedure used in-vehicle in this Recommendation is informative. The procedure is int
29、ended to be applied to communication devices on ITS vehicles under vehicle-to-infrastructure (V2I) communication by means of the Internet and/or ITS dedicated networks. The procedure provides a technical guideline without compliance requirements and can be practically utilized by car manufactures an
30、d ITS-related industries as a set of secure procedures and security controls. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicat
31、ed were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Reco
32、mmendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.509 Recommendation ITU-T X.509 (2012) | ISO/IEC 9594-8:2014, Information technology Open Systems Interconnection The Directo
33、ry: Public-key and attribute certificate frameworks. ITU-T X.1521 Recommendation ITU-T X.1521 (2011), Common vulnerability scoring system. ISO/IEC 15408-1 ISO/IEC 15408:2009, Information technology Security techniques Evaluation criteria for IT security Part 1: Introduction and general model. ISO/IE
34、C 27000 ISO/IEC 27000:2014, Information technology Security techniques Information security management systems Overview and vocabulary. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following term defined elsewhere: 3.1.1 threat ISO/IEC 27000: Potential cause of an unwanted
35、incident, which may result in harm to a system or organization. 2 Rec. ITU-T X.1373 (03/2017) 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 risk score: A score that a risk analysis method calculates for each threat. 3.2.2 vehicle mobile gateway (VMG)
36、: A module which provides communication between electronic control units (ECUs) in the controller area network (CAN) (in-vehicle buses) and exterior intelligent transportation system (ITS) entities in the external network. 4 Abbreviations and acronyms This Recommendation uses the following abbreviat
37、ions and acronyms: CA Certification Authority CAN Controller Area Network CD Compact Disc CRSS CVSS based Risk Scoring System CVSS Common Vulnerability Scoring System DoS Denial of Service DVD Digital Versatile Disc ECU Electronic Control Unit ETC Electronic Toll Collection FT Fault Tree GPS Global
38、Positioning System GUID Global User ID HSM Hardware Security Module HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure ID Identifier IT Information Technology ITS Intelligent Transportation System LIN Local Interconnect Network MAC Message Authentication Code MOST Media Orient
39、ed Systems Transport OBD On-board diagnostics OEM Original Equipment Manufacturer PC Personal Computer RPM Revolutions per Minute RSS Risk Scoring System SD Secure Digital SHA Secure Hash Algorithm SSL Secure Socket Layer Rec. ITU-T X.1373 (03/2017) 3 TLS Transport Layer Security TOE Target of Evalu
40、ation TPM Trusted Platform Module TV Television UI User Interface URL Uniform Resource Locator USB Universal Serial Bus Usvr Update server V2I Vehicle-to-Infrastructure V2V Vehicle-to-Vehicle V2X Vehicle-to-X (vehicle/infrastructure) VMG Vehicle Mobile Gateway Wi-Fi Wireless-Fidelity XML Extended Ma
41、rk-up Language 5 Conventions None. 6 Basic model of remote software update For considerations of a practical security architecture, this clause introduces a basic model of conventional architecture of software update, where a definition of principal modules and typical software update processes are
42、provided. 6.1 Modules of ITS environment for software update Figure 1 provides a view of principal modules around a vehicle for a remote software update in the ITS communication environment. The principal modules are information devices, electronic control units (ECUs), and vehicle mobile gateway (V
43、MG) on a vehicle, update server (Usvr) and log database of car manufacturer and supplier. The procedure related to in-vehicle communication (e.g., between ECUs and vehicle mobile gateway) is out of the scope of this Recommendation. Modules used for in-vehicle communication (such as User Interface an
44、d ECUs) are described below in an informative manner. Figure 1 Principal modules around a vehicle 4 Rec. ITU-T X.1373 (03/2017) 6.1.1 User interface (informative) The user interface (UI) is generally an on-board or an aftermarket information device with display and input devices on a vehicle. Such a
45、n information device is directly connected to other devices on a vehicle (e.g., VMG or ECU (see clause 6.1.2) so that it can obtain and indicate various status information of the vehicle such as speed, revolutions per minute (RPM), fuel level, and so on. Particularly, in this Recommendation, a user
46、interface is used to notify car drivers of the necessity for updates. 6.1.2 Electronic control unit (ECU) (informative) ECU is a generic term for computers which control various kinds of devices in a vehicle. In the earliest years of ECU, its main functions were controls of ignition timing, injectio
47、n, idling adjustment and limiter of engine in order to improve fuel efficiency and reduce gas emissions. According to the computerization of the vehicle, ECU has expanded its applications to various kinds of functions such as power management, seat belt control, driving support, parking assist, skid
48、 control, automatic transmission, etc. In recent years, the number of ECUs within a vehicle increased from 50 to 100, and the importance of ECUs for safety control and communication is especially growing. However, since the development of ECU involves sophisticated software implementations, the rece
49、nt increase of ECUs in vehicles imposes a heavy burden on car manufacturers. 6.1.3 Vehicle mobile gateway A vehicle mobile gateway is a module assigned for facing to Update Server (in clause 6.1.4) in order for the vehicle to conduct software update. Software update process located in vehicle is out of the scope in this Recommendation. VMG can be a conceptual entity which is practically implemented with a set of multiple components. For example, the connection management entity (a.k.a