[IEEE 2012 The 11th Annual Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net) - Ayia Napa, Cyprus (2012.06.19-2012.06.22)] 2012 The 11th Annual Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net) - How to secure ITS applications?
How to Secure ITS Applications?
Rim MOALLA*#, Brigitte LONC*, Houda LABIOD#, Noemie SIMONI#
# Department of Computer Science and Networks, Institut telecom; Telecom ParisTech, Paris, FRANCE
email@example.com
* DIESE Sce 65608, RENAULT, 1 avenue du Golf, F-78288 Guyancourt, FRANCE
Rim.firstname.lastname@example.org
Abstract: Intelligent Transportation Systems (ITS) based on vehicular communication enable cooperative applications to improve road safety and traffic efficiency. Security remains a major challenge because it has a great impact on implementation and deployment of ITS applications. In this paper, based on recent standardization activities, we give an overview of ITS applications and we detail a classification of road safety applications. Then, we investigate the security issues of cooperative ITS applications and we present their security profiles. Taking into account the communication architecture of an ITS Station, we advance a new application-oriented security approach.
Keywords: V2X communications; ITS applications; security requirements; ITS architecture; ETSI; IEEE 1609.2
I. INTRODUCTION
Intelligent transportation systems (ITS) have recently been attracting attention from industry and research communities as they promise to be a solution for enhancing road safety. ITS, as shown in Fig. 1, are cooperative systems involving three types of entities or stations: vehicles, Road Side Units (RSUs) and central servers. They support three types of V2X communications: vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) wireless communications, and infrastructure-to-infrastructure (I2I) communications. In addition to wireless technologies already deployed like 3G, the ITS G5 (5.9 GHz frequency band) is used for Wireless Access in Vehicular Environments (WAVE).
Fig. 1 Intelligent Transportation System
ITS offer diverse applications for drivers and passengers. ITS applications, which are generally critical applications that may affect human life, have specific requirements and challenges such as real-time constraints, high network availability and accuracy of information. In fact, the main purpose of ITS applications is to assist the driver at the right time with the right information. Moreover, almost all ITS applications require personal data such as location data. For these reasons, ITS applications must be secured, and the major question is how to secure them. Securing ITS applications is a complex task because it involves securing various elements including data, communication links, communication protocols, servers, etc.
This work aims to give an up-to-date overview of ITS applications, their characteristics and their security requirements. We focus in this paper on the most recent work and information presented in ETSI and IEEE standards related to the ITS applications domain.
We introduce, in section II, a classification and basic characteristics of ITS applications. In section III, we explain their security requirements and challenges. In section IV, we present an overview of future ITS architecture and we advance our application security approach. The final section V concludes this article and gives an outlook for future activities.
II. ITS APPLICATIONS
Within the first defined classification, vehicular applications were classified into either ITS applications or non-ITS applications. ITS applications present the primary vision of vehicular applications and aim to minimize accidents and improve traffic conditions by providing drivers with useful information. Non-ITS applications are driver- and passenger-oriented applications, which include Internet connections and multimedia services. They also include commercial and comfort applications.
More recently, ETSI TC ITS standards have classified vehicular applications, renamed ITS cooperative applications, into three classes: Road Safety, Traffic Efficiency, and other applications (e.g. comfort and business applications).
2012 Vehicular Communications and Applications Workshop
978-14577-0900-5/12/$26.00 2012 IEEE 113
Fig. 2 ITS applications classifications: (a) classic classification, (b) ETSI classification
A. Road Safety
Road Safety applications, presented in Fig. 3, are primarily defined to decrease the number of road accidents. We classify these applications in two classes: Driver Assistance Applications, whose purpose is to inform and assist the driver to avoid road dangers or accidents, and Actions on Vehicle Applications, which aim to provide necessary information to vehicle systems to avoid accidents or reduce their damage. In Driver Assistance Applications, the driver is continuously informed of road hazards and is solely responsible for evaluating the relevance of received data and then taking, if necessary, adequate actions like changing lane or braking. Generally, these applications generate sound and light alarms/information in the range of 2 to 30 seconds before collision in order to instruct the driver to take an immediate action. Unlike Driver Assistance Applications, decisions and actions in Actions on Vehicle Applications are automatically initiated by vehicle systems a few seconds (between 1s and 3s) before a highly probable event like a crash. Actions on Vehicle Applications are the most sophisticated Road Safety applications and require a high level of security and safety of vehicle systems to be operational.
European and American ITS-related standards and most of the projects carried out in this domain focus on Driver Assistance Applications, defined by OEMs as primarily Road Safety applications. These applications will be the first deployed cooperative Road Safety applications. In the Driver Assistance Applications class, three applications are being standardized by ETSI: Cooperative Awareness Applications (CAA), Longitudinal Collision Risk Warning (LCRW) and Intersection Collision Risk Warning (ICRW). CAA consists of increasing the vigilance of the driver by providing relevant information when another vehicle or RSU detects and reports a road hazard. CAA is involved in the range of 5 to 30 seconds before a probable collision. However, LCRW and ICRW are activated in the range of 3 to 5 seconds before a collision and aim at avoiding collision by sending an alert to the driver requiring an immediate action. Driver Assistance Applications use two main types of safety messages: Cooperative Awareness Message (CAM) and Decentralized Environmental Notification Message (DENM). These messages are exchanged between vehicles and RSUs. CAM messages are constantly broadcast at variable frequencies between 1Hz and 10Hz, whereas DENM messages are event messages broadcast when an event is detected.
Fig. 3 Road Safety applications
Fig. 4 CAM Message
Fig. 5 DENM Message
Multiple use cases related to Driver Assistance applications are presented in ,  such as emergency electronic brake light, stationary vehicle warning, signal violation warning, etc. In fact, a use case represents the utilization of an application in a particular situation with a specific purpose. On the road, multiple situations and scenarios can occur. In order to cover most scenarios of possible road collisions, different use cases related to each application class are defined. For example, wrong way driving warning is a use case of the LCRW application and consists of sending a DENM message to warn vehicles when a vehicle is detected driving the wrong way, which may cause a longitudinal collision.
B. Traffic Efficiency
Traffic efficiency applications aim to improve traffic flow management, traffic assistance and cooperative navigation. Regulatory / contextual speed limits notification and Traffic information and recommended itinerary are two examples of these applications.
C. Other applications
These are essentially business and mobility applications. Typical examples of business applications are community services, which include insurance and financial services. Point of interest notification is an example of mobility applications.
Traffic efficiency and other applications are based on different V2X messages like: Service Announcement Message (SAM), which is a control message sent by an RSU to announce provided services like Internet access to vehicles, and Electric Vehicle Charging Spot Notification (EVCSN).
[Figure residue, Figs. 4 and 5: CAM Message and DENM Message, each shown with an ITS PDU HEADER]
ITS enable diverse cooperative applications with different communication characteristics and requirements. For example, some ITS applications generate periodic messages, other applications generate only event messages and others generate both types of messages. In addition, a number of ITS applications, like road safety applications, need time-critical communications, while other applications have no time constraints. Different applications and use cases give rise to different security requirements. The security requirements covering the various fields of applications and use cases therefore need to be identified. This will allow the identification of a potential optimized security solution with the best technologies to integrate in future intelligent transportation systems.
III. SECURITY REQUIREMENTS AND CHALLENGES
In the following, we present a number of basic ITS security requirements. These security requirements and security challenges should be considered during the definition of security architecture and protocols.
Availability: ITS applications, particularly safety applications, require high availability of the system.
Authentication and Authorization: Authentication ensures that entities involved in communication are correctly identified and authentic. Entity authorization is necessary for applications that need definition of the rights that an entity (vehicle or infrastructure) has.
Integrity: Integrity is a key security requirement for ITS applications, especially Road Safety applications. It ensures that exchanged information is not altered between sender and receiver.
Confidentiality: Some ITS applications require that the content of a message is accessible only by the sender and the receiver.
Non-repudiation: it may be crucial in some cases (e.g. wrong information that causes an accident) not only to identify a sender but also to get proof of the originator of the message (for accountability).
Privacy: privacy is a major security requirement as ITS applications exchange personal data, in particular location data, over wireless communications. The design of an ITS security solution must take into consideration measures to ensure protection of personal data and privacy. ITS applications must comply with European Directives relevant to the protection of privacy and data protection: the Directive 95/46/EC on data protection.
Plausibility: plausibility checks are used to validate the correctness of the data and can be performed on the received message information. For example, the state claimed in messages sent by vehicles must reflect their actual physical state.
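The plausibility requirement above, worked as a receiver-side check on a stream of CAM-like messages (an added example, not code from the paper or from any ETSI specification). The `Cam` fields, the speed bound and the tolerance are assumptions; the 1 Hz to 10 Hz rate window is the CAM frequency range given in section II.

```python
import math
from collections import namedtuple

# The 1 Hz to 10 Hz CAM rate is from the text; the other thresholds are assumed.
MIN_DT_S, MAX_DT_S = 0.1, 1.0   # message spacing at 10 Hz and at 1 Hz
MAX_SPEED_MPS = 70.0            # assumed bound on a claimed speed (~250 km/h)
TOLERANCE_MPS = 5.0             # assumed slack for positioning/sensor noise

# Hypothetical, simplified CAM fields: t in s, lat/lon in degrees, speed in m/s.
Cam = namedtuple("Cam", "station_id t lat lon speed")

def distance_m(a, b):
    """Equirectangular distance; accurate for the short hops between CAMs."""
    x = math.radians(b.lon - a.lon) * math.cos(math.radians((a.lat + b.lat) / 2))
    y = math.radians(b.lat - a.lat)
    return 6_371_000.0 * math.hypot(x, y)

def check_cam(prev, cur):
    """Return plausibility violations for cur; prev is None for a new sender."""
    issues = []
    if not 0.0 <= cur.speed <= MAX_SPEED_MPS:
        issues.append("speed_out_of_range")
    if prev is None:
        return issues
    dt = cur.t - prev.t
    if dt <= 0:                                  # replayed or reordered message
        return issues + ["non_monotonic_time"]
    if not MIN_DT_S <= dt <= MAX_DT_S:
        issues.append("rate_outside_1_to_10_hz")
    implied = distance_m(prev, cur) / dt         # speed implied by the positions
    if abs(implied - (prev.speed + cur.speed) / 2) > TOLERANCE_MPS:
        issues.append("position_speed_mismatch")
    return issues

def check_stream(cams):
    """Check messages per sender; map message index -> violations found."""
    last, report = {}, {}
    for i, cam in enumerate(cams):
        issues = check_cam(last.get(cam.station_id), cam)
        if issues:
            report[i] = issues
        last[cam.station_id] = cam               # compare with latest, flagged or not
    return report

SAMPLE = [  # constructed messages, not captured traffic
    Cam(1, 0.0, 48.00000, 2.0, 20.0), Cam(1, 0.5, 48.00009, 2.0, 20.0),
    Cam(1, 1.0, 48.00500, 2.0, 20.0),                          # ~546 m in 0.5 s
    Cam(2, 1.0, 48.1, 2.1, 0.0), Cam(2, 4.0, 48.1, 2.1, 0.0),  # 3 s of silence
    Cam(3, 2.0, 48.2, 2.2, 95.0)]                              # speed over bound
```

A rate violation can also come from packet loss, so a receiver would weigh it together with the other checks rather than reject on it alone.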
In addition to security requirements, ITS have specific security challenges, presented below and related to the vehicular environment.
Large scale and heterogeneous system: a large number of vehicles and road infrastructures will be communicating. Different manufacturers and carmakers will use different implementations.
High mobility: vehicles move at high velocity, which changes the reception area of vehicles (the topology of the system). ITS are highly dynamic environments.
Critical time constraints: A critical feature of ITS is their time sensitivity. It is a very challenging task for an application to send, process and receive messages on time. Security mechanisms should be optimized to meet critical time constraints.
Very low tolerance for errors: as decisions in ITS, based on received information, may affect human life, ITS need right and correct information. Therefore, ITS applications have a very low tolerance for errors.
A huge number of ITS applications: ITS applications have different characteristics and may have different security requirements. The challenge is to define security requirements for each application rather than applying the same security services to all ITS applications.
Trade-off authentication versus privacy: privacy of drivers is a basic right that must be protected. So, identity and personal data must not be disclosed. On the other hand, system entities should be authenticated and authorized to access services/data.
Table I lists, for different classes of ITS applications, the needed security requirements.
IV. SECURITY ON FUTURE ITS ARCHITECTURES
The design of an efficient communication architecture in an ITS station is very critical in order to be able to propose a powerful and complete security solution adapted not only to ITS applications but also to ITS communication architecture.
Many organizations such as C2C-CC, projects like COMeSafety and standardization institutions like ISO-CALM, IEEE and ETSI have defined several ITS communication architectures. Focusing on ETSI architecture, we give in the following section an overview of the defined architecture.
A. ETSI based ITS communication architecture
The European ITS communication architecture is described in ETSI standard EN 302 665. The communication architecture, shown in Fig. 6, consists of four layers: access, networking/transport, facilities and applications. This architecture also contains two cross layers, one for security and the other for management, which distinguishes it from the traditional OSI layered model. We briefly present the different layers of this communication architecture.
Access layer: aims to interface with both wired and wireless communication technologies that are available in an ITS station. ETSI ITS G5 is an access technology used for Safety applications and represents the European profile of IEEE 802.11p.
Networking & transport layer: provides data transport between source and destination ITS stations. It is composed of two parts: ITS specific network and transport protocols and IP-based network and transport protocols.
Fig. 6 Communication architecture of an ETSI ITS station 
Facilities layer: acts as a middleware and is composed of three function blocks: application support, information support, and communication functions support. These blocks provide support, such as message generation and environment information, to all ITS applications.
Application layer: implements and executes one or more ITS applications presented in section II.
Management cross layer: concerns transversal management of horizontal...