Policy and Organizational Challenges for Vehicular Communications Security

Transcription

1 Policy and Organizational Challenges for Vehicular Communications Security Secure Vehicular Communications Workshop. EPFL, Emilio Davila Gonzalez EC DG INFSO.G4

2 Contents The Framework: Trust and Security in electronic communications EC research activities on Trust and Security The special case of vehicular communications The ecall case 1 st Workshop in-vehicle telematics and cooperative systems Privacy and data protection esecurity Working Group Research activities Security in VC, EPFL, , 2

3 The Framework Information Society (r)evolution has caused massive amounts of personal data generated, processed, exchanged and stored i2010 Initiative identifies security (trust and privacy) as one of the main challenges posed by digital convergence Personalised, dynamic open services need trust and security PETs can allow deployment of services while respecting personal privacy User centric - empowerment approach, data protection and proportionality are key issues Security in VC, EPFL, , 3

4 Relevant EC regulation Directive 95/46/EC: Protection of individuals with regard to the processing of personal data and on the free movement of such data. Directive 2002/58/EC: The processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) COM(2006) 251: A strategy for a Secure Information Society Dialogue, partnership and empowerment COM(2007) 96: Radio Frequency Identification (RFID) in Europe: steps towards a policy framework COM(2007) 228: Promoting Data Protection by Privacy Enhancing Technologies (PETs) Security in VC, EPFL, , 4

5 Contents The Framework: Trust and Security in electronic communications EC research activities on Trust and Security The special case of vehicular communications The ecall case 1 st Workshop in-vehicle telematics and cooperative systems Privacy and data protection esecurity Working Group Research activities Security in VC, EPFL, , 5

6 ICT WP , Objective 1.4: Secure, dependable & trusted infrastructures 90 M Car/Railway Mobile Office/Factory DVC PC TV Personal Information STB Game Machine Audio SIM SD MMC Map Information SD MMC Intranet Information Enabling Technologies Web Technologies Crypto, trusted computing, secure software (virtual environments, collaborative communities ) Digital contents IC Card Public expectation E-Tower SD MMC DVD Telephone Security in VC, EPFL, , 6 Home Coordination Outdoor Actions Street/Shop

7 ICT Objective 1.4: Secure, dependable & trusted infrastructures 90 M Network infrastructures Identity management, Service privacy, trust policies infrastructures 4 Projects 11 m 2 Projects 1 Project 5.8 m 9.4 m Enabling Technologies Crypto, trusted 3 computing, Projects secure software 4 Projects 20.5 m 18 m Enabling technologies for trustworthy infrastructures Biometrics, trusted computing, cryptography, secure SW 6 Projects: 22 m Coordination Actions Research roadmaps, metrics and benchmarks, Security in VC, EPFL, , 7 Coordination Actions international cooperation, coordination activities 4 Projects: 3.3 m

8 7 th EU Research Framework Programme ( ) Secure, dependable & trusted infrastructures Type of projects 90 M Coordination Actions STREPs NoEs IP projects PICOS privacy PRIMELIFE TURBINE biometry MOBIO ACTIBIO INTERSECTION network WOMBAT PRISM SWIFT AWISSENET GEMOM FORWARD ECRYPT II networking & coordination THINK TRUST INCO-TRUST TAS3 AMBER CONSEQUENCE MASTER services SecureSCM AVANTSSAR trusted computing TECOM CACE SHIELDS secure implementation

9 Security in network infrastructures: 4 projects, 11 m EC funding Main R&D project priorities An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION) A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet) A message-oriented MW platform for increasing resilience of information systems (GEMOM) Data gathering and analysis for understanding and preventing cyber Security in VC, EPFL, , 9 threats (WOMBAT)

10 Security enabling Technologies 6 projects, 22 m EC funding Main R&D project priorities Trusted Computing IP TECOMT trusted embedded systems: HW platforms with integrated trust components Cryptography NoE ecrypt II Multi-modal Biometrics multi-biometric authentication (based on face and voice) for mobile devices (MOBIO) activity related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO) Secure SW implementation providing SW developers with the means to prevent occurrences of known vulnerabilities Security in VC, EPFL, when , building 10 software (SHIELDS) A toolbox for cryptographic software engineering (CACE)

11 Contents The Framework: Trust and Security in electronic communications EC research activities on Trust and Security The special case of vehicular communications The ecall case 1 st Workshop in-vehicle telematics and cooperative systems Privacy and data protection esecurity Working Group Research activities Security in VC, EPFL, , 11

12 ecall: Data Protection issues (1) Legitimate processing of MSD: Solution: Unambiguous consent -7(a) => Possibility of easy deactivation Adequate processing by data controllers: Publicly appointed organisations to act as PSAPs Adequate storage periods Security of the communications and of data stored IVS, MNOs, PSAPs Security in VC, EPFL, , 12

13 ecall: Data Protection issues (2) Citizen Trust Fair, adequate and not excessive processing No secondary use of information MSD => Minimum information for effective handling of the emergency call System not permanently tracked User awareness Security in VC, EPFL, , 13

14 ecall: Data Protection issues (3) Service providers (contract) Specific rules for FSD: Service providers should respect the data protection and privacy regulation: Clear definition of the use of data Proportionality Transparency Freely given consent Security in VC, EPFL, , 14

15 1 st Workshop in-vehicle telematics and cooperative systems Privacy and data protection Privacy may be a barrier for the deployment of services Objective: bring together ITS & DPO experts to discuss common guidelines for the design of applications in this area 1 st WS: 13/02/ participants, including 8 DPO Security in VC, EPFL, , 15

16 1 st WS: Conclusions Privacy/data protection issues should be integrated from the early design. Liaison with Data Protection Authorities to clarify concepts/provide guidelines Data protection/limits depend on the type of applications Use the personal data for the sole purpose is collected. Anonymous data can be used for other purposes PETs are important tools to allow services deployment while improving privacy protection Inspire public confidence: user awareness about protection of their privacy is a plus Transparency and right of choice to the user Cost effectiveness should be taken into consideration Security in VC, EPFL, , 16

17 1 st WS: Way forward: Next steps Continue collaboration with art. 29 WP Creation of a CIRCA repository for exchanging of information esafety Forum to elaborate code of practice in collaboration with art. 29 WP (ITF) Security and Data protection by better design Security in VC, EPFL, , 17

18 esecurity Working Group (1) Objectives Two focus: Data protection Intrusion avoidance Support the reliability of esafety Protection of esafety functions Prevention of critical road safety effects which result from electronic vehicle systems Preventing of misuse or malpractice, including privacy infringement Establishment of new R&D fields Providing of recommendations, code of practice, standardisation Security in VC, EPFL, , 18

19 esecurity Working Group (2) Topics Protection against unauthorised mobile remote access and wired access on networked vehicles including the full electronic system and its components and data against manipulation and subsequent misuse (e.g. wired & tele- data / software transfer) Protection of electronic motor vehicle components against eassaults (e.g. viruses, trojans, spy-ware, spam, etc.) and of digital data stored in the motor vehicle and road infrastructure against unauthorised access and manipulation Protection of motor vehicles, fleets and road infrastructure by securing telematics and cooperative system applications Establishment of the legal requirement catalogue on necessities in MS and European legislation, certification, and inspection procedures next to the esecurity Standards survey Security in VC, EPFL, , 19

20 Research Activities in the ICT for mobility: The Potential of Co-operative Systems The potential benefits include: increased road network capacity reduced congestion and pollution shorter and more predictable journey times improved traffic safety for all road users lower vehicle operating costs more efficient logistics improved management and control of the road network (both urban and inter-urban) increased efficiency of the public transport systems better and more efficient response to hazards, incidents and accidents Car-to-Infrastructure Communication Security in VC, EPFL, , 20 Car-to-Car Communication

21 The EU Approach Actions: Not only RTD Co-operative Systems will enhance the support available to drivers and other road users RTD Coordination & support Policy Research & Development Wider Adoption Best Use Right Regulatory Environment Projects: GST CVIS Safespot Coopers Security in VC, EPFL, , 21 COMeSafety Sevecom Spectrum policy (CEPT) esafety WG on communications esafety WG on Security esafety WG on Service oriented architectures

22 Trust & Security on in-vehicle telematics: GST Goal: open and standardised framework architecture enabling end-to-end in-vehicle telematics services GST functionalities include service deployment, service provisioning, access to vehicle and handling of nomadic devices GST has developed and implemented telematics certification, security and payment services GST architecture and functionality has been tested with three services (Rescue/eCall, Safety Channel, Enhanced FCD) on six test sites GST results are already used by CVIS Security in VC, EPFL, , 22

23 Security in VC, EPFL, , 23 FP6 VC Projects: Collaboration and Synergies

24 On-going projects FP6: SEVECOM Mission: define a consistent and futureproof solution to the problem of V2V/V2I security Focus: Threats, such as bogus information, denial of service or identity cheating. Requirements: authentication, availability, and privacy. Operational Properties: network scale, privacy, cost and trust. Coordinator: Coordinator: TRIALOG TRIALOG Total costs: ± K Total costs: ± K EC contribution: K EC contribution: K Start date: 1/02/2006 Start date: 1/02/2006 Duration: 36 months Duration: 36 months Security in VC, EPFL, , 24 Research Topics: gspecify an architecture and security mechanisms iwhich provide the right level of protection. iwhich address issues such as liability versus privacy gfully addressed topics ikey and identity management, isecure communication protocols (including secure routing), itamper proof device and decision on crypto-system, iprivacy. ginvestigated topics iintrusion Detection, idata consistency, isecure positioning, isecure user interface.

25 FP7 New projects: PRECIOSA Mission: demonstrate that co-operative systems can comply with privacy regulations using an example application endowed with PET for location data Coordinator: Coordinator: TRIALOG TRIALOG Total costs: ± 2,465 K Total costs: ± 2,465 K EC contribution: 1,667 K EC contribution: 1,667 K Start date: 1/03/2008 Start date: 1/03/2008 Duration: 24 months Duration: 24 months Security in VC, EPFL, , 25 Under Negotiation Objectives: Picture: C2C consortium g Define an approach for evaluation of co-operative systems in terms of: icommunication privacy idata storage privacy g Define a privacy aware architecture for co-operative systems, involving: isuitable trust models and ontologies iv2v and V2I privacy verifiable architecture, including: iprotection iinfringement detection iauditing g Define and validate guidelines for privacy aware co-operative systems g Investigate specific challenges for privacy

26 FP7 New projects: EVITA Mission: avoid un-authorised manipulation of on-board systems to prevent intrusion into the in-vehicular systems and transmission of corrupted data outside Coordinator: Coordinator: Fraunhofer Fraunhofer (SIT) (SIT) Total costs: ± 6,000 K Total costs: ± 6,000 K EC contribution: 3,857 K EC contribution: 3,857 K Start date:??/??/2008 Start date:??/??/2008 Duration: 36 months Duration: 36 months Objective: g Develop open standard secure architecture and protocol specification Methodology: The project will: g g g g g Under Negotiation Identify idustrial use cases (assembly, field maintenance) Compile scenarios of possible threats Define of overall security requirements Compile secure trust model Specify, verify, validate and demonstrate a secure on-board architecture and protocol. Security in VC, EPFL, , 26

27 Thank you for your attention! Security in VC, EPFL, , 27