Securing ITS
ITS systems are subject to security threats like any other information technology system. This is true not only for systems that process personal or financial information (e.g., electronic toll collection systems), but also for many other types of ITS systems. Dynamic message signs are subject to tampering and unauthorized use, traffic signal control systems must operate flawlessly and fail in a safe manner when errors do occur, and many ITS operations centers may be called upon to play an important role in disaster response and recovery. ITS systems can only contribute to a disaster response if they are robust and secure enough to operate reliably in crisis situations. Note from these examples that security is not only concerned with preventing unauthorized disclosure of sensitive information. Comprehensive security also addresses a broad range of threats that can disrupt or alter system operation.
The ITS Architecture was enhanced in version 5.0 to include general security objectives, threats, and services that are implementation independent. Instead of the specific computer and communications systems that are considered in a traditional security analysis, these general security concepts were applied to the functions and information flows of the ITS Architecture.
With version 8.0, the Architecture integrated input from a series of other analyses, including FHWA's V2I cybersecurity tasks, the connected vehicle pilot projects in Tampa, Wyoming and New York City, and the outputs of Harmonization Task Groups 6 and 7. The result is a finer level of security objective assessment: all information flows have been assessed for their Confidentiality, Integrity and Availability objectives, and those assessments justified. These assessments and justifications are viewable on the information flow detail pages.
Assessment of the security objectives related to information flows allows us to derive security objectives for physical objects. This has resulted in the creation of device classes: groupings of device security classifications, organized to ease manufacture and procurement. Subsequent analysis of the V2I environment led to the selection of security controls that apply to Connected Vehicle Roadside Equipment, ITS Roadway Equipment, and all variations of Vehicle OBEs.
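The derivation described above, from per-flow assessments to per-object objectives to device classes, can be sketched as follows. This is an added example, not code from the ITS Architecture. It assumes a Low/Moderate/High rating scale and a high-water-mark rule (an object inherits the highest rating of any flow it sends or receives), neither of which this page spells out; the flow names, ratings and "Sample Center" object are constructed.

```python
from collections import defaultdict

# Assumed three-step rating scale; the page does not list the levels.
LEVELS = ("Low", "Moderate", "High")

# Constructed sample flows: (name, source, destination, C, I, A).
SAMPLE_FLOWS = [
    ("sample signal status", "ITS Roadway Equipment",
     "Connected Vehicle Roadside Equipment", "Low", "High", "Moderate"),
    ("sample intersection broadcast", "Connected Vehicle Roadside Equipment",
     "Vehicle OBE", "Low", "High", "Moderate"),
    ("sample device status", "ITS Roadway Equipment",
     "Sample Center", "Moderate", "Moderate", "Low"),
]

def derive_object_objectives(flows):
    """Assumed high-water-mark rule: each endpoint of a flow inherits the
    highest Confidentiality, Integrity and Availability rating it handles."""
    derived = {}
    for name, src, dst, *cia in flows:
        if len(cia) != 3 or any(r not in LEVELS for r in cia):
            # An unassessed or mistyped rating must not silently count as Low.
            raise ValueError(f"flow {name!r} has an invalid assessment: {cia}")
        ranks = [LEVELS.index(r) for r in cia]
        for obj in (src, dst):
            current = derived.get(obj, [0, 0, 0])
            derived[obj] = [max(a, b) for a, b in zip(current, ranks)]
    return {obj: tuple(LEVELS[r] for r in ranks)
            for obj, ranks in derived.items()}

def group_into_device_classes(objectives):
    """Group objects that share the same (C, I, A) objectives into one class."""
    classes = defaultdict(list)
    for obj, cia in objectives.items():
        classes[cia].append(obj)
    return {cia: sorted(objs) for cia, objs in classes.items()}

if __name__ == "__main__":
    objectives = derive_object_objectives(SAMPLE_FLOWS)
    for cia, objs in sorted(group_into_device_classes(objectives).items()):
        print(cia, objs)
```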
Cooperative-ITS (C-ITS) applications have particular security-related requirements due to the need to establish and maintain trust between disconnected entities with no prior relationship. While any communications system needs to provide a mechanism to allow communicating partners to trust each other, the environmental and performance characteristics of the system have an impact on what kinds of technologies might work. For C-ITS, a particular type of public-key infrastructure (PKI) has been developed to support the needs unique to the wireless vehicle environment.
This PKI may be applicable to other systems in C-ITS. In order to better understand the policies surrounding applicability of PKI and other security mechanisms, Harmonization Task Group 6 produced an analysis of the systems necessary to operate this PKI and how they might interact if there were more than one Cooperative ITS Credential Management System (CCMS). The HTG6-4 Functional Decomposition Analysis goes into detail about the issues surrounding the deployment of multiple CCMS.