1.1 EFC specific scope
ISO 17573 defines the roles and functions as well as the internal and external entities of the EFC system environment. Based on the system architecture defined in ISO 17573, the security framework describes a set of requirements and security measures for stakeholders to implement and operate their part of an EFC system as required for a trustworthy environment according to its basic information security policy. In general, the overall scope is an information security framework for all organisational and technical entities and, in detail, for the interfaces between them.
Figure 3 below illustrates the abstract EFC system model used to analyse the threats and to define the security requirements and security measures of this Technical Specification. This Technical Specification is based on the assumption of an OBE which is dedicated to EFC purposes only; it neither considers value added services based on the EFC OBE, nor more generic OBE platforms (called in-vehicle ITS Stations) used to host the EFC application.
Figure 3 — EFC system model of the EFC Security Framework
The scope of this security framework comprises the following:
— general information security objectives of the stakeholders;
— threat analysis;
— definition of a trust model;
— security requirements;
— security measures – countermeasures;
— security specifications for interface implementation;
— key management;
— security policies;
— privacy-enabled implementations.
The following is outside the scope of this Technical Specification:
— entities and interfaces of the interoperability management role;
— the technical trust relation of the model between TSP and User;
— a complete specification and description of all necessary security measures to all identified threats;
— concrete implementation specifications for implementation of security for EFC system, e.g. European electronic toll service (EETS);
— detailed specifications required for privacy-friendly EFC implementations.
NOTE Security issues associated with an EFC application running on an ITS station will be covered in a CEN Technical Report on "Guidelines for EFC-applications based on in vehicle ITS Stations" that is being developed at the time of publication of this document.
The detailed scope of the bullet points and the clause with the corresponding content is given below:
To derive actual security requirements and define implementations, it is crucial to gain a common understanding of the possible different perspectives and objectives of such stakeholders of a toll charging environment.
The threat analysis is the basis and motivation for all the security requirements resulting in this framework. The results from two complementary approaches are combined in one common set of requirements. The first approach considers a number of threat scenarios from the perspective of various attackers. The second approach looks in depth at threats against the various identified assets (tangible and intangible entities).
The trust model comprises all basic assumptions and principles for establishing trust between the stakeholders. The trust model forms the basis for the implementation of cryptographic procedures to ensure confidentiality, integrity, authenticity and partly non-repudiation of exchanged data.
Based on the threat analysis, security requirements are defined (e.g. for organisational and technical entities, interfaces, information etc.) from which a system operator can draw its own applicable set according to its actual security policy. No concrete implementation specifications are given, as they depend strongly on the actual context of the toll charging environment and the relations between the stakeholders. A basic risk analysis of the interfaces shown in Figure 4 introduces the minimum set of security requirements for the protection of these interfaces.
Figure 4 — Scope of EFC security framework for secure communication
A set of security measures, mainly for the data protocol layer of the interfaces according to Figure 4, is defined based on the requirements, both to support actual EFC system implementations and as a basis for the security specifications for interoperable interface implementation.
To support the future implementation of (interoperable) toll charging environments, this specification provides precise implementation specifications for the interfaces, e.g. the detailed definition of message authenticators. These specifications represent an add-on for security to the corresponding standards. Figure 4 shows the relevant interfaces and the corresponding standards which need to be enhanced by proper security provisions.
The toll charging environment uses cryptographic elements (keys, certificates, revocation lists etc.) to support security services like confidentiality, authenticity, integrity and non-repudiation. This part of the specification covers the initial setup of key exchange between stakeholders and several operational procedures like key renewal, certificate revocation etc.
Annex B defines the implementation conformance statement proforma to be used by an equipment supplier, a system implementation or an actor of a role declaring its conformity to this Technical Specification.
As an aid for using this Technical Specification to build up a secure system, some examples are provided of what security policies could look like for a concrete interoperability framework (including the European electronic toll service).
Respecting privacy is crucial for the implementation of every toll charging environment. However, different Toll Chargers may have different requirements on the level of privacy. This Technical Specification supports implementations with respect to privacy, but does not mandate one specific implementation. Therefore, it summarises the general requirements and conditions in relation to data privacy.