Tools and Resources

ITS systems have been subject to security threats like any other IT system. For example, dynamic message signs could be subject to tampering and unauthorized use; traffic signal control systems must operate flawlessly and fail in a safe manner when errors do occur; and many ITS operations centers may be called on to play an important role in disaster response and recovery. ITS systems can contribute to a disaster response only if the ITS systems are robust and secure enough to operate reliably in crisis situations. Note from these examples that security is concerned not only with preventing unauthorized disclosure of sensitive information, comprehensive security also addresses a broad range of threats that can disrupt or alter system operation.

The National ITS Architecture Reference illustrates the overall connected and automated transportation environment, as well as individual applications, services, and systems and the connectivity and data exchanges among these individual elements. Known as the Architecture Reference for Cooperative and Intelligent Transportation (ARC-IT), the ITS architecture identifies general ITS security objectives, threats, and services that are implementation independent. It also includes a finer level of security objective assessment: all information flows have been assessed for their confidentiality, integrity, and availability objectives (consistent with Federal Information Processing Standards 199 [ FIPS 199 ] ). Assessment of the security objectives related to information flows allows the identification of security objectives for physical objects, resulting in the creation of device classes : groupings of device security classifications, organized to ease device manufacturing requirements as well as procurement requirements. In July 2021 the device classes page on the ARC-IT website was updated to include the results of a more detailed analysis conducted on the Vehicle to Infrastructure (V2I) environment that led to selection of specific security controls to be applied to Connected Vehicle Roadside Equipment (CVRSE), ITS Roadway Equipment (ITSRE), and Vehicle On-Board Equipment (OBE). The ITS architecture also represents areas of ITS that can be used to enhance surface transportation security. ARC-IT defines physical objects (subsystems and terminators), functions, and interfaces that cover aspects of eight ITS security areas that encompass emergency and disaster response, transit, freight, rail, infrastructure, wide-area alerts, hazardous materials, and traveler device security.

ITS and Information and Communications Technology (ICT) standards are essential to facilitate safe, secure, and effective deployments. These standards define how devices in an ITS system exchange data and the types of data they exchange. They are a key factor in ensuring nationwide interoperability, providing common interfaces to which all ITS equipment vendors can build. This gives state, local, and tribal agencies confidence that the ITS equipment they procure will work with their existing system. Some ITS and ICT standards already provide robust cybersecurity solutions to protect these devices and the ITS standards community in addressing cybersecurity concerns where gaps exist in those standards.

The ITS Standards Program supports developing products to enhance security of ITS deployments and making cybersecurity enhancements available to the transportation industry. Examples include:

• ITS and Information and Communications Technology (ICT) standards are essential to facilitate safe, secure, and effective deployments, and to enable interoperability between mobile parts of the ITS ecosystem (i.e., smartphones, vehicles) and deployments in different jurisdictions. These standards define how devices in an ITS system exchange data and the types of data they exchange. Standards are a key factor in ensuring nationwide interoperability, providing common interfaces to which all ITS equipment vendors can build. This gives state, local, and tribal agencies confidence that the ITS equipment they procure will work with their existing system. Some ITS and ICT standards already provide robust cybersecurity solutions to protect these devices and the ITS standards community is moving forward with addressing cybersecurity concerns where gaps exist in those standards.
• Infrastructure Standards System Security Assessment . This activity is currently being conducted by the Institute for Transportation Engineers (ITE) in cooperation with the American Association of State Highway Transportation Officials (AASHTO) and National Electrical Manufacturers Associations (NEMA), supported by U.S. DOT ITS JPO. The purpose is to assess the current security guidance contained in the National Transportation Communications for ITS Protocol (NTCIP) family of standards and identify a roadmap for addressing security across these standards. This includes a detailed analysis of the changes required to move from Simple Network Management Protocol (SNMP) version1 to SNMP version3. Other resources and mechanisms for securing NTCIP communications will also be investigated. These include the government reporting organizations United States Computer Emergency Readiness Team (US-CERT) and Industrial Control Systems Computer Emergency Response Team (ICS-CERT), implemented by various commercial-off-the-shelf (COTS) software. The final deliverable of the project is a migration plan for using SNMP version 3 in NTCIP standards, along with the other mechanisms identified.
• SAE J2945/5 Service Specific Permissions (SSP) and Security Guidelines for Connected Vehicle Applications . This document is issued by SAE International, previously known as the Society of Automotive Engineers. The document specifies a set of applications using message sets from the SAE J2735 data dictionary. It establishes a security-focused systems engineering process that can be used to develop Service Specific Permissions (SSPs) for connected vehicle application Provider Service Identifiers (PSIDs). The guidance in the document allows application developers to determine which fields and activities should be subject to SSP constraints and specifies a syntax and semantics for the SSPs for that application. It also addresses developing SSPs for scenarios not addressed in the original application specification; for example, arising from regional extensions, changes in application functionality, or future expansions of the base SAE J2735 standard.
• IEEE 1609.2-2016 - IEEE Standard for Wireless Access in Vehicular Environments – Security Services for Applications and Management Messages . The IEEE 1609.2-2016 standard defines the secure message formats and processing for use by Wireless Access in Vehicular Environments (WAVE) devices, including methods to secure WAVE management messages and methods to secure application messages. It also describes administrative functions necessary to support the core security functions. Two amendments to this standard (IEEE 1609.2a-2017 and IEEE 1609.2b-2019) are available from the same link and include corrections and clarifications for implementing IEEE 1609.2.
• Security Evolution for IEEE 1609 2.1 Standard for Wireless Access in Vehicular Environments (WAVE) – Certificate Management Interfaces for End-Entities . The IEEE 1609.2.1-2020 standard specifies certificate management protocols to support provisioning and management of digital certificates, as specified in IEEE 1609.2, to end entities. This document establishes standardized interfaces and protocols for interfacing with the Security Credential Management System (SCMS). These include protocols for requesting certificates, the format and structure of the certificate revocation lists (CRL) and how to download files such as the CRL. The standard is issued by the WAVE Security_P1609.2.1 – WAVE – Security Services Working Group of the VT/ITS Standards Committee of the IEEE Vehicular Technology Society.

As connected vehicle applications exchange information among vehicles, roadway infrastructure, traffic management centers, and wireless mobile devices, a security system is needed to ensure that users can trust the validity of information received from other system users—indistinct users that they have never met and do not know personally. For this reason, the U.S. DOT partnered with the automotive industry and industry security experts through the Crash Avoidance Metrics Partnership (CAMP) to design and develop a state-of-the-art, over‑the-air credential security system that ensures user confidence in one another and the system as a whole.

Transportation Security Credential Management System (SCMS)

The Security Credential Management System (SCMS) Proof of Concept (POC) message security solution was developed jointly by U.S. DOT and CAMP to provide secure V2V and V2I communications. It used a public key infrastructure (PKI)-based approach that employed highly innovative methods of encryption and certificate management to facilitate trusted communication. Authorized system participants used digital certificates issued by the SCMS POC to authenticate and validate the safety and mobility messages that form the foundation for connected vehicle technologies. To protect the privacy of vehicle owners, these certificates contained no personal or equipment identity information but serve as system credentials so that other users in the system can trust the source of each message. The SCMS POC also played a key function in demonstrating that SCMS systems can protect the content of each message by identifying and removing misbehaving devices, while maintaining privacy.

The SCMS POC partnership project between U.S. DOT and CAMP ended in October 2018. Commercial SCMS providers are operating and providing certificates for a number of CV deployments throughout the U.S., removing the need to operate and maintain the POC system. Commercial SCMS providers are also participating in testing and plugfests to ensure interoperability between vendors.

Benefits of an SCMS

An SCMS provides several benefits:

• Ensures integrity – Users can trust that the message was not modified between sender and receiver.
• Ensures authenticity – Users can trust that the message originates from a trustworthy and legitimate source.
• Ensures privacy – Users can trust that the message appropriately protects their privacy.
• Helps achieve interoperability – Different vehicle makes and models can talk to each other and exchange trusted data without pre-existing agreements or altering vehicle designs.

SCMS FAQs

Why Do Connected Vehicles Need an SCMS?
Connected vehicle technology has the potential to transform the way Americans travel by using dedicated short-range communication (DSRC); long-term evolution cellular vehicle to everything (LTE-C-V2X); Global Positioning System (GPS); and other wireless technologies to share safety, mobility, and environmental information. An SCMS is a critical component of this connected vehicle environment. In contrast to other types of safety technologies currently found in the vehicle fleet, connected vehicle applications are cooperative—meaning that vehicles must exchange and analyze data in real time to realize the benefits of the system. This cooperative exchange of messages generates data that applications use to issue alerts and warnings to drivers about the driving situation around them. It also enables applications to determine mobility and environmental conditions. However, a cooperative system can work only when drivers can trust the alerts and warnings issued by their CV devices, which are based, at least in part, on information received from other CV devices.

An SCMS provides the mechanism for devices to exchange information in a trustworthy and privacy-protected manner using digital certificates.

How Does an SCMS Work?
An SCMS provides the security infrastructure to issue and manage the security certificates that form the basis of trust for V2V and V2I communication. Connected vehicle devices enroll in an SCMS, obtain security certificates from certificate authorities, and attach those certificates to their messages as part of a digital signature. The certificates prove the device is a trusted actor in the system while also maintaining privacy. Misbehavior detection and reporting allow the system to identify bad actors and revoke message privileges, when necessary.

How Do You Enroll in an SCMS?
Currently, multiple SCMS providers are active and providing certificates to deployed CV devices. Deployment agencies are encouraged to work with both commercial SCMS providers and CV device vendors to find the best SCMS solution to fit their deployment.

SCMS Proof of Concept

An initial SCMS Proof of Concept (POC) system was developed jointly through U.S. DOT and the CAMP. The key concepts, system architectures, and interfaces developed are still utilized by SCMS providers today and can be found in the Security Credential Management System (SCMS) Proof-of–Concept Implementation End-Entity (EE) Requirements and Specifications Supporting SCMS Software Release 1.2.1 document. Commercial providers continue to refine these requirements; new information is available at their sites.

View the HTML version of the SCMS EE Requirements and Specifications Supporting SCMS Software Release 1.2.1.

Related Fact Sheets

• Security Credential Management System Proof of Concept
• Connected Vehicle Pilot Deployment Program
• Connected Vehicles and Your Privacy

Related Research

• Architecture Reference for Cooperative and Intelligent Transportation (ARC-IT)
• Intelligent Transportation Systems (ITS) Standards Program
• Interoperability
• ITS CodeHub

Testing and certification are the means of assuring that products and systems comply with standards. Certification is the process of ensuring that system components, manufactured according to ITS interoperability requirements, perform as intended. Certification ensures that users can trust that the components will work with the system. The U.S. DOT worked with public and private sector partners to establish certification requirements and test procedures against which ITS equipment, applications, devices, and systems can demonstrate their compliance, including how they meet security requirements. The resulting test processes are available to the public, and industry stakeholders have expanded them to offer certification services in the marketplace.

Positioning, Navigation, Timing (PNT)—which includes Global Positioning System (GPS) and radio frequency spectrum management services—are critical to the safe operation of transportation infrastructure and involve cross-cutting technology that supports multimodal applications. Resilient PNT is important not only to support critical infrastructure in the transportation sector, it is also essential for national and economic security.

The following is a list of PNT and GPS resources:

• GPS.gov - Official U.S. government information about GPS and related topics
• Positioning, Navigation and Timing (PNT) & Spectrum Management , U.S. Department of Transportation
• Cybersecurity and Infrastructure Security Agency (CISA)
• Executive Order on Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services
• NISTIR 8323 - Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services
• Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services - Frequently Asked Questions
• NIST PNT Profile: A Quick Guide

Cybersecurity Glossary – The Transportation Cybersecurity Incident Response and Management Framework project developed a Glossary of established terminology that should be unified across the transportation and cybersecurity community to improve understanding and conversations about transportation cyber incident information sharing. The Glossary, which is contained within the project’s final report is also available in a searchable format.