Security Analysis Methodology

All information flows were analyzed for their Confidentiality, Integrity and Availability (C-I-A) requirements as per FIPS-199. This analysis considered the information contained in the information flow, but also the application or service package context of the information flow. Then, for each physical object in each service package, overall C-I-A requirements were derived by as follows:

• The Confidentiality requirement is the maximum confidentiality requirement on any incoming or outgoing information flow.
• The Integrity requirement is the maximum of:
  • The integrity requirement on any outgoing information flow.
  • The confidentiality requirement on any incoming information flow. This reflects the fact that there is no good putting confidentiality requirements on a flow without a similar guarantee that the flow is going to the right recipient.
• The Availability requirement is the maximum availability requirement on any outgoing information flow.

There are two exceptions to this process:

• This aggregation only takes into account network data flows, i.e. information flows of digital data that go across an open networked interface. In other words, it excludes:
  • Non-digital (human) flows such as traffic signal lights, alerts within the vehicle, etc.
  • Non-networked flows such as flows across an in-vehicle network (IVN): in these cases the supplier may conceivably achieve the information flow's requirements by how the component devices are installed and physically connected rather than by digital protection.
• Some physical flows are proxied. In other words, the application involves a logical information flow between two objects which passes over multiple physical interfaces. There are two types of proxied flow:
  • An outgoing flow with elevated integrity requirements where the intermediate physical object does not modify the incoming message. In this case the intermediate physical object's integrity requirements are not affected by the integrity requirements on the flow.
  • Any flow with elevated confidentiality requirements where the intermediate physical object does not read the message. In this case the intermediate physical object's confidentiality requirements are not affected by the confidentiality requirements on the flow.

All other flows are used in the aggregation. In some cases there is more than one plausible level for the security requirements on an information flow. In this case, we indicate the level we think is most likely to be correct in the default case and, when doing the aggregation, we have used that most plausible level.

FIPS 199 defines LOW, MEDIUM and HIGH requirements as follows. (The text is unchanged but reformatted from the original in FIPS 199):

• The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
• The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
• The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

We provide our own amplification below:

• Confidentiality:
  • The confidentiality requirements are HIGH for flows that contain information which if revealed would cause a substantial risk to business operations, national security, or personal life and limb.
  • The confidentiality requirements are MODERATE for flows that contain information such as:
    • personal identifiable information that the owner has a reasonable desire not be disclosed
    • sensitive business information that would allow a competitor to gain some advantage
    • personal financial information that could lead to personal financial loss
  • The confidentiality requirements are LOW for flows which are intended to be received by any nearby device. These flows can typically be broadcast.
• Integrity: generally MODERATE. The integrity requirements come from a consideration of the consequences of a false message being accepted by a receiver. Note that a false message being accepted can lead either to false positives or to false negatives, i.e. either to an action not being taken that should be, or to an action being taken that should not be. The integrity analysis needs to consider both possibilities.
  • If a false message could directly affect safety, mobility, and security, or cause severe financial damage, the integrity requirements are HIGH.
  • If a false message can increase physical risk without directly causing physical harm, the integrity requirements are MODERATE. The integrity requirements are also MODERATE if the message contains information that cannot be obtained or verified by other means: for example, with the intersection status information flow, a receiver can gain assurance about the current signal state by observing traffic behavior, but only the intersection status message gives information about future signal state; therefore the integrity requirement for intersection status will in general be MODERATE except if the receiver is not expected to make any use of the future signal state information.
  • The integrity requirements are LOW if the receiver does not directly make use of the message, if the message contents are aggregated with many other messages such that the resulting information need only be true "on average", or if the information in the message can be trivially confirmed by use of information from other sources with higher integrity.
• Availability:
  • The requirement for availability is essentially the answer to the question "what level of availability is necessary for this application to be safe and overall beneficial to use?". A LOW availability requirement indicates that the information flow is useful even if it is unavailable much of the time. A MODERATE availability requirement indicates that in order to be useful the information flow must be available a significant amount of the time. A HIGH availability requirement indicates that unless the information is available almost all the time there will be significant safety consequences.
  • One consideration regarding availability is what we call availability status information. Consider the case where a user is approaching a traffic signal and is used to getting an alert if the signal is about to turn red. In this case, if the intersection status message is not received, the driver (who has developed a dependency on / trust in the system) may assume that the signal is still green and drive through, causing an accident. However, if the system alerts the driver that no message was received and so the driver pays more attention to the visual signal, then the accidents can be avoided. This illustrates that even if the message itself is not available, information about its availability may be useful. Given that the majority of information flows in the system occur over a wireless medium where availability cannot be guaranteed, our definitions of LOW and MODERATE availability requirements are: in the case of LOW requirements, there is no requirement that a receiver has availability status information; in the case of MODERATE requirements, availability status information is necessary for the safe operation of the application.
  • The availability requirements are HIGH where failure to receive a message could have an adverse effect on safety, or severe financial damage. Both of these impacts are to be considered relative to the baseline of no deployment of the application, rather than relative to the baseline of 100% successful deployment of the application. NOTE: Many information flows in the ITS Architecture occur over a wireless medium where availability cannot be guaranteed; these information flows by definition cannot meet HIGH availability requirements, and so any application for which the availability requirements are HIGH must provide a different medium to support those information flows.
  • The availability requirements are MODERATE if the receiver can operate successfully if all receivers receive some messages and most receivers receive most messages, and if availability status information is necessary for the safe operation of the application.
  • The availability requirements are LOW if the system can operate successfully if some receivers receive no messages and most receivers receive some messages, and if there is no requirement that a receiver has availability status information. LOW also requires that the information is not acted upon immediately, and not used for real time decision making.