As connectivity technologies evolve, individual components of the ITS ecosystem have become more connected and reliant on both public and private networks. The rapid increase and importance of data flowing through public networks presents increased security risks that must be addressed. Concerns about ITS cybersecurity and traffic management deployments are related to:
- Security and resiliency of current implementations;
- Integration of current technologies with legacy systems that may not have security or privacy as part of their design or installation and may or may not have been designed to be connected to public networks;
- Growing trend to integrate ITS deployments with other systems, among other technological advances.
It is important to note that these concerns are common to many industries that have been building and evolving tools, as cyberattacks have evolved and become increasingly sophisticated. Transportation agencies have many industry tools to establish cyber-resilient ITS, maintain ITS cybersecurity, mitigate cybersecurity risks, and respond to cybersecurity incidents.
This report presents the cybersecurity procurement language document for intelligent transportation systems (ITS) equipment. The purpose of this document is to provide cybersecurity language that can be inserted into procurement specifications for new ITS components. The document incorporates security principles to consider when designing and procuring ITS products and services (software updates/patches, systems, maintenance, vulnerability disclosure policies, breach notification, and initial device or system configurations) and provides example language to incorporate into procurement specifications.
ITS Architecture and Cybersecurity
ITS systems have been subject to security threats like any other IT system. For example, dynamic message signs could be subject to tampering and unauthorized use; traffic signal control systems must operate flawlessly and fail in a safe manner when errors do occur; and many ITS operations centers may be called on to play an important role in disaster response and recovery. ITS systems can contribute to a disaster response only if the ITS systems are robust and secure enough to operate reliably in crisis situations. Note from these examples that security is concerned not only with preventing unauthorized disclosure of sensitive information; comprehensive security also addresses a broad range of threats that can disrupt or alter system operation.
The National ITS Architecture Reference illustrates the overall connected and automated transportation environment, as well as individual applications, services, and systems and the connectivity and data exchanges among these individual elements. Known as the Architecture Reference for Cooperative and Intelligent Transportation (ARC-IT), the ITS architecture identifies general ITS security objectives, threats, and services that are implementation independent. It also includes a finer level of security objective assessment: all information flows have been assessed for their confidentiality, integrity, and availability objectives (consistent with Federal Information Processing Standards 199 [FIPS 199]). Assessment of the security objectives related to information flows allows the identification of security objectives for physical objects, resulting in the creation of device classes: groupings of device security classifications, organized to ease device manufacturing requirements as well as procurement requirements. In July 2021, the device classes page on the ARC-IT website was updated to include the results of a more detailed analysis conducted on the Vehicle to Infrastructure (V2I) environment that led to selection of specific security controls to be applied to Connected Vehicle Roadside Equipment (CVRSE), ITS Roadway Equipment (ITSRE), and Vehicle On-Board Equipment (OBE). The ITS architecture also represents areas of ITS that can be used to enhance surface transportation security. ARC-IT defines physical objects (subsystems and terminators), functions, and interfaces that cover aspects of eight ITS security areas that encompass emergency and disaster response, transit, freight, rail, infrastructure, wide-area alerts, hazardous materials, and traveler device security.
ITS Standards and Cybersecurity
ITS and Information and Communications Technology (ICT) standards are essential to facilitate safe, secure, and effective deployments, and to enable interoperability between mobile parts of the ITS ecosystem (i.e., smartphones, vehicles) and deployments in different jurisdictions. These standards define how devices in an ITS system exchange data and the types of data they exchange. Standards are a key factor in ensuring nationwide interoperability, providing common interfaces to which all ITS equipment vendors can build. This gives state, local, and tribal agencies confidence that the ITS equipment they procure will work with their existing system. Some ITS and ICT standards already provide robust cybersecurity solutions to protect these devices and the ITS standards community is moving forward with addressing cybersecurity concerns where gaps exist in those standards.
The ITS Standards Program supports developing products to enhance security of ITS deployments and making cybersecurity enhancements available to the transportation industry. Examples include:
- SAE J2945/5 Service Specific Permissions (SSP) and Security Guidelines for Connected Vehicle Applications. This document is issued by SAE International, previously known as the Society of Automotive Engineers. The document specifies a set of applications using message sets from the SAE J2735 data dictionary. It establishes a security-focused systems engineering process that can be used to develop Service Specific Permissions (SSPs) for connected vehicle application Provider Service Identifiers (PSIDs). The guidance in the document allows application developers to determine which fields and activities should be subject to SSP constraints and specifies a syntax and semantics for the SSPs for that application. It also addresses developing SSPs for scenarios not addressed in the original application specification; for example, arising from regional extensions, changes in application functionality, or future expansions of the base SAE J2735 standard.
- IEEE 1609.2-2016 - IEEE Standard for Wireless Access in Vehicular Environments – Security Services for Applications and Management Messages. The IEEE 1609.2-2016 standard defines the secure message formats and processing for use by Wireless Access in Vehicular Environments (WAVE) devices, including methods to secure WAVE management messages and methods to secure application messages. It also describes administrative functions necessary to support the core security functions. Two amendments to this standard (IEEE 1609.2a-2017 and IEEE 1609.2b-2019) are available from the same link and include corrections and clarifications for implementing IEEE 1609.2.
- Security Evolution for IEEE 1609.2.1 Standard for Wireless Access in Vehicular Environments (WAVE) – Certificate Management Interfaces for End-Entities. The IEEE 1609.2.1-2020 standard specifies certificate management protocols to support provisioning and management of digital certificates, as specified in IEEE 1609.2, to end entities. This document establishes standardized interfaces and protocols for interfacing with the Security Credential Management System (SCMS). These include protocols for requesting certificates, the format and structure of the certificate revocation lists (CRL) and how to download files such as the CRL. The standard is issued by the WAVE Security_P1609.2.1 – WAVE – Security Services Working Group of the VT/ITS Standards Committee of the IEEE Vehicular Technology Society.
Security Credential Management System (SCMS)
As connected vehicle applications exchange information among vehicles, roadway infrastructure, traffic management centers, and wireless mobile devices, a security system is needed to ensure that users can trust the validity of information received from other system users: indistinct users that they have never met and do not know personally. For this reason, the U.S. DOT partnered with the automotive industry and industry security experts through the Crash Avoidance Metrics Partnership (CAMP) to design and develop a state-of-the-art, over-the-air credential security system that ensures user confidence in one another and the system as a whole.
Transportation Security Credential Management System (SCMS)
The Security Credential Management System (SCMS) Proof of Concept (POC) message security solution was developed jointly by U.S. DOT and CAMP to provide secure V2V and V2I communications. It used a public key infrastructure (PKI)-based approach that employed highly innovative methods of encryption and certificate management to facilitate trusted communication. Authorized system participants used digital certificates issued by the SCMS POC to authenticate and validate the safety and mobility messages that form the foundation for connected vehicle technologies. To protect the privacy of vehicle owners, these certificates contained no personal or equipment identity information but served as system credentials so that other users in the system could trust the source of each message. The SCMS POC also played a key function in demonstrating that SCMS systems can protect the content of each message by identifying and removing misbehaving devices, while maintaining privacy.
The SCMS POC partnership project between U.S. DOT and CAMP ended in October 2018. Commercial SCMS providers are operating and providing certificates for a number of CV deployments throughout the U.S., removing the need to operate and maintain the POC system. Commercial SCMS providers are also participating in testing and plugfests to ensure interoperability between vendors.
Benefits of an SCMS
An SCMS provides several benefits:
- Ensures integrity – Users can trust that the message was not modified between sender and receiver.
- Ensures authenticity – Users can trust that the message originates from a trustworthy and legitimate source.
- Ensures privacy – Users can trust that the message appropriately protects their privacy.
- Helps achieve interoperability – Different vehicle makes and models can talk to each other and exchange trusted data without pre-existing agreements or altering vehicle designs.
SCMS FAQs
Why Do Connected Vehicles Need an SCMS?
Connected vehicle technology has the potential to transform the way Americans travel by using dedicated short-range communication (DSRC); long-term evolution cellular vehicle to everything (LTE-C-V2X); Global Positioning System (GPS); and other wireless technologies to share safety, mobility, and environmental information. An SCMS is a critical component of this connected vehicle environment. In contrast to other types of safety technologies currently found in the vehicle fleet, connected vehicle applications are cooperative, meaning that vehicles must exchange and analyze data in real time to realize the benefits of the system. This cooperative exchange of messages generates data that applications use to issue alerts and warnings to drivers about the driving situation around them. It also enables applications to determine mobility and environmental conditions. However, a cooperative system can work only when drivers can trust the alerts and warnings issued by their CV devices, which are based, at least in part, on information received from other CV devices.
An SCMS provides the mechanism for devices to exchange information in a trustworthy and privacy-protected manner using digital certificates.
How Does an SCMS Work?
An SCMS provides the security infrastructure to issue and manage the security certificates that form the basis of trust for V2V and V2I communication. Connected vehicle devices enroll in an SCMS, obtain security certificates from certificate authorities, and attach those certificates to their messages as part of a digital signature. The certificates prove the device is a trusted actor in the system while also maintaining privacy. Misbehavior detection and reporting allow the system to identify bad actors and revoke message privileges, when necessary.
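The issue, sign, verify and revoke flow described above, as an added Go example that is not part of the original page or any SCMS provider's code. It uses Ed25519 from the Go standard library as a stand-in signature scheme and a constructed certificate layout rather than the IEEE 1609.2 formats; the `Cert` type, `Issue`, `Verify`, and all sample values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert is a constructed stand-in for a pseudonym certificate (not the IEEE
// 1609.2 encoding): a key, a permission and an id, but no owner identity.
type Cert struct {
	ID    string            // opaque id, listed on the CRL when revoked
	PSID  uint32            // application the holder may sign messages for
	Pub   ed25519.PublicKey // device verification key
	CASig []byte            // CA signature over tbs()
}

func (c Cert) tbs() []byte { // the bytes the CA signs
	return append([]byte(fmt.Sprintf("%q|%d|", c.ID, c.PSID)), c.Pub...)
}

// Issue is the CA step: bind a device key to its permission.
func Issue(ca ed25519.PrivateKey, id string, psid uint32, pub ed25519.PublicKey) Cert {
	c := Cert{ID: id, PSID: psid, Pub: pub}
	c.CASig = ed25519.Sign(ca, c.tbs())
	return c
}

// Verify is the receiver step: "" means trusted, otherwise the rejection reason.
func Verify(caPub ed25519.PublicKey, crl map[string]bool, psid uint32, c Cert, msg, sig []byte) string {
	switch {
	case len(c.Pub) != ed25519.PublicKeySize || !ed25519.Verify(caPub, c.tbs(), c.CASig):
		return "certificate not issued by the trusted CA"
	case crl[c.ID]:
		return "certificate revoked"
	case c.PSID != psid:
		return "certificate lacks permission for this application"
	case !ed25519.Verify(c.Pub, msg, sig):
		return "message signature invalid"
	}
	return ""
}

func main() {
	caPub, caKey, _ := ed25519.GenerateKey(nil)
	devPub, devKey, _ := ed25519.GenerateKey(nil)
	cert := Issue(caKey, "cert-01", 32, devPub) // constructed id and PSID
	msg := []byte("constructed safety message")
	fmt.Printf("%q\n", Verify(caPub, map[string]bool{}, 32, cert, msg, ed25519.Sign(devKey, msg)))
}
```

The receiver needs only the CA public key and the current revocation list; nothing in the certificate identifies the vehicle or its owner.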
How Do You Enroll in an SCMS?
Currently, multiple SCMS providers are active and providing certificates to deployed CV devices. Deployment agencies are encouraged to work with both commercial SCMS providers and CV device vendors to find the best SCMS solution to fit their deployment.
SCMS Proof of Concept
An initial SCMS Proof of Concept (POC) system was developed jointly through U.S. DOT and CAMP. The key concepts, system architectures, and interfaces developed are still utilized by SCMS providers today and can be found in the Security Credential Management System (SCMS) Proof-of-Concept Implementation End-Entity (EE) Requirements and Specifications Supporting SCMS Software Release 1.2.1 document. Commercial providers continue to refine these requirements; new information is available at their sites.
Deployment Support
Related Fact Sheets
- Security Credential Management System Proof of Concept
- Connected Vehicle Pilot Deployment Program
- Connected Vehicles and Your Privacy
Related Research
- Architecture Reference for Cooperative and Intelligent Transportation (ARC-IT)
- Intelligent Transportation Systems (ITS) Standards Program
- Interoperability
- ITS CodeHub
Testing and Certification
Testing and certification are the means of assuring that products and systems comply with standards. Certification is the process of ensuring that system components, manufactured according to ITS interoperability requirements, perform as intended. Certification ensures that users can trust that the components will work with the system. The U.S. DOT worked with public and private sector partners to establish certification requirements and test procedures against which ITS equipment, applications, devices, and systems can demonstrate their compliance, including how they meet security requirements. The resulting test processes are available to the public, and industry stakeholders have expanded them to offer certification services in the marketplace.
Positioning, Navigation and Timing (PNT) / Global Positioning System
Positioning, Navigation, Timing (PNT), which includes Global Positioning System (GPS) and radio frequency spectrum management services, is critical to the safe operation of transportation infrastructure and involves cross-cutting technology that supports multimodal applications. Resilient PNT is important not only to support critical infrastructure in the transportation sector; it is also essential for national and economic security.
The following is a list of PNT and GPS resources:
- GPS.gov - Official U.S. government information about GPS and related topics
- Positioning, Navigation and Timing (PNT) & Spectrum Management, U.S. Department of Transportation
- Cybersecurity and Infrastructure Security Agency (CISA)
- Executive Order on Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services
- NISTIR 8323 - Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services
- Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services - Frequently Asked Questions
- NIST PNT Profile: A Quick Guide
Transportation Cybersecurity Glossary
Cybersecurity Glossary – The Transportation Cybersecurity Incident Response and Management Framework project developed a Glossary of established terminology that should be unified across the transportation and cybersecurity community to improve understanding and conversations about transportation cyber incident information sharing. The Glossary, which is contained within the project’s final report, is also available in a searchable format.