4-6 November | Sheraton Grand Doha, Qatar

Application of Common Criteria in Cooperative Intelligent Transportation Systems (L31a)

01 Nov 2023
10:45 am

Over recent years, the emphasis in intelligent vehicle research has turned to Cooperative Intelligent Transportation Systems (C-ITS), in which vehicles communicate with each other and/or with the infrastructure via C-ITS stations that are deployed either in the vehicles or in the environment. These new infrastructures open a window of opportunity for cybersecurity incidents, whose mitigation requires a holistic analysis of the systems, including the establishment of cybersecurity management systems for deployments, for managing software updates, and for maintaining granular control of the OEM's supply chain.
The security of systems and infrastructures relies on the security of products and their deployment. To provide reasonable assurance, some regulations are beginning to reference the use of security certification schemes for products and processes, in particular those that are being developed in the EU. An example is Directive 2010/40/EU for the deployment of C-ITS, where cybersecurity at the product level is managed by requiring SOG-IS ISO 15408 certifications for key components involved in V2X communications, such as C-ITS stations (both on-board and road-side). Accordingly, the functional requirements demanded of the C-ITS stations are defined via a set of protection profiles (PPs) to be developed under a C-Road task force. These PPs are still being discussed and developed.
However, the regulation does not leave this problem unresolved. It provides a temporary patch whereby the manufacturer can develop its own Security Target (ST) based on the expected security objectives for the product defined in the regulation, and it requires the use of functional requirements and assurance that cover these objectives, based on existing PPs developed in other working groups or schemes. Given this scenario, this talk addresses lessons learnt when applying the characteristics of CC evaluations in this field according to the regulation, by understanding the needs of the OEMs and Tiers-X of the supply chain in the automotive industry. How to deal with the ecosystem of OEMs and tier suppliers, what the security requirements and testing environment should be like, and which assurance should be required in the development life cycle of products in these complex supply chains are questions that do not have an easy answer and will be addressed in this interesting talk.