Security for V2X Communications
ITS Canada Annual General Meeting, May 1-4, 2016
Brian Romansky, VP Strategic Technology
Your Connected Car Security Partner
TrustPoint: Security Leadership and Innovation
- Security consulting, security software toolkits, certificate authority
- Experts in security and cryptography
  - Leading experts in public-key policy and implementation
  - Team that developed the BlackBerry security model
  - Technical security experts for the US DOT V2X initiative
  - Experience implementing security for large-scale deployments for companies worldwide
- Excellence in solutions and products for connected car and IoT
  - Security toolkits and infrastructure components
  - Implements flawless, efficient security
  - Simplifies security implementation by removing complexity
V2X Technology
- Basic Safety Messages (BSMs):
  - Vehicle position and speed
  - Steering angle, throttle and brake status
  - Vehicle size and bumper height
  - Transmitted wirelessly 5 times per second
- Additional V2I capabilities
- Unique security requirements
The Promise of V2X Technology
- Potential for an 80% reduction in collisions
- Augment existing Advanced Driver Assistance Systems (ADAS) technology
- Improve interoperability between human drivers and autonomous vehicles
- 2015 US NHTSA revised report:
  - 24 million reported vehicle crashes
  - 33,000 fatalities
  - 3.9 million injuries
  - $836 billion in economic and societal costs
- Enable advanced infrastructure and emergency management solutions
Augment Advanced Driver Assistance Systems
V2V adds new capabilities:
- Extended range: more time to respond
- Predictive data: respond to steering, brake and throttle changes before they become visible
- Two-way communication: negotiate collision avoidance
- Communicate with roadside equipment
Example: Google Car / City Bus Crash
- The car had to change lanes to avoid construction.
- The algorithm did not account for the size and response time of the bus.
- The software assumed that the approaching vehicle would yield.
- Vehicle data plus two-way communication could have avoided this crash.
Security Requirements
Security:
- Need to validate that BSMs come from real cars
- Prevent attackers from creating fake messages to change traffic patterns or create a road hazard
vs.
Privacy:
- Can't make it easy to track personal cars
- Each BSM contains exact position information
- Data is sent unencrypted to enable fast response time, so any listener sees every position report
Security Credential Management System (SCMS)
Crucial requirements that must be met:
- Ensure authenticity and integrity of messages
- Minimize the opportunity for tracking personal vehicles
The system also mandates:
- Privacy for users: no PII can be collected
- Prevent tracking by insiders and outsiders
- Assume errors will happen and hackers will attack the system
- Detect and remove misbehaving systems
- Minimize over-the-air messaging bandwidth
Tricky result: create a high volume of anonymous, short-lived identities and still be able to revoke these identities when needed
Crash Avoidance Metrics Partnership (CAMP)
- CAMP is under contract with the US DOT to:
  - Design the Security Credential Management System (SCMS)
  - Develop a working prototype system
  - Support the US Connected Vehicle (CV) pilots in New York, Florida and Wyoming
- TrustPoint is a security technical advisor to the SCMS design program
Design for Security and Privacy
Security:
- Every message is digitally signed (but not encrypted)
- Linkage values allow for misbehavior detection and revocation
Privacy:
- No unique information about the car or the owner
- Certificate changes every 5 minutes
- Cycle through 20 certificates every week
- 20 new certificates per week per car with ~250M cars (US): 20 x 52 weeks x 250M = 260B certificates per year
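How linkage values reconcile the two slides above (anonymous, short-lived certificates that can still be revoked, and the "tricky result" on the SCMS slide), as an added example that is not code from the presentation, from CAMP or from the SCMS design documents. It is a simplified Python model, and everything in it beyond the 20-per-week, 5-minute, 250M-car figures on the slide is an assumption: two Linkage Authorities (LA1, LA2) each hold a per-vehicle seed and advance it once a week with a hash; a pre-linkage value is derived from the week's seed and the certificate index (the real design uses a block cipher keyed by the seed; SHA-256 stands in so the example runs on the standard library); the linkage value carried in a certificate is the XOR of the two pre-linkage values; and a CRL entry is the pair of seeds for the week of revocation, from which anyone can compute the linkage values for that week and all later weeks, but not earlier ones.

```python
# Added example (not from the presentation, CAMP or the SCMS design):
# a simplified model of SCMS linkage values and pseudonym-certificate revocation.
# Assumptions (see lead-in): two Linkage Authorities, weekly hash-chained seeds,
# SHA-256 in place of the block cipher, 9-byte linkage values, round-robin
# certificate rotation.  The seeds below are constructed test constants.
import hashlib

CERTS_PER_WEEK = 20      # pseudonym certificates per vehicle per week (from the slide)
CERT_LIFETIME_MIN = 5    # minutes a vehicle uses one certificate (from the slide)
LV_LEN = 9               # bytes per linkage value (assumed, matching SCMS' 9-byte values)


def advance_seed(la_id: bytes, seed: bytes) -> bytes:
    """One weekly step of the linkage-seed chain. One-way: later seeds reveal nothing about earlier ones."""
    return hashlib.sha256(la_id + seed).digest()


def seed_for_week(la_id: bytes, seed0: bytes, week: int) -> bytes:
    seed = seed0
    for _ in range(week):
        seed = advance_seed(la_id, seed)
    return seed


def prelinkage_value(la_id: bytes, seed_i: bytes, j: int) -> bytes:
    """Pre-linkage value for certificate j of the week whose seed is seed_i (hash stands in for a keyed cipher)."""
    return hashlib.sha256(la_id + seed_i + j.to_bytes(2, "big")).digest()[:LV_LEN]


def linkage_value(seed1_i: bytes, seed2_i: bytes, j: int) -> bytes:
    """Linkage value placed in certificate j: XOR of the two LAs' pre-linkage values, so neither LA alone can link."""
    p1 = prelinkage_value(b"LA1", seed1_i, j)
    p2 = prelinkage_value(b"LA2", seed2_i, j)
    return bytes(a ^ b for a, b in zip(p1, p2))


def vehicle_linkage_values(seed1_0: bytes, seed2_0: bytes, week: int) -> list:
    """The 20 linkage values (one per certificate) a vehicle carries in a given week."""
    s1 = seed_for_week(b"LA1", seed1_0, week)
    s2 = seed_for_week(b"LA2", seed2_0, week)
    return [linkage_value(s1, s2, j) for j in range(CERTS_PER_WEEK)]


def revocation_entry(seed1_0: bytes, seed2_0: bytes, from_week: int) -> tuple:
    """What the Misbehavior Authority publishes on the CRL once both LAs release the seeds for from_week."""
    return (from_week,
            seed_for_week(b"LA1", seed1_0, from_week),
            seed_for_week(b"LA2", seed2_0, from_week))


def is_revoked(lv: bytes, week: int, crl: list) -> bool:
    """Check a received certificate's linkage value against every CRL entry for the current week."""
    for from_week, s1, s2 in crl:
        if week < from_week:
            continue  # the chain only runs forward: certificates from earlier weeks stay unlinkable
        for _ in range(week - from_week):
            s1 = advance_seed(b"LA1", s1)
            s2 = advance_seed(b"LA2", s2)
        if lv in {linkage_value(s1, s2, j) for j in range(CERTS_PER_WEEK)}:
            return True
    return False


def cert_slot(minutes_into_week: int) -> int:
    """Which of the week's 20 certificates is in use; round-robin every 5 minutes is assumed (the slide does not say how the 20 are ordered)."""
    return (minutes_into_week // CERT_LIFETIME_MIN) % CERTS_PER_WEEK


def certs_per_year(fleet_size: int, per_week: int = CERTS_PER_WEEK) -> int:
    """Certificate volume the slide quotes: fleet x certificates per week x 52 weeks."""
    return fleet_size * per_week * 52


if __name__ == "__main__":
    car_a = (b"\x01" * 32, b"\x02" * 32)   # constructed seeds; real seeds come from the LAs
    car_b = (b"\x03" * 32, b"\x04" * 32)
    crl = [revocation_entry(*car_a, from_week=3)]   # car A reported for misbehavior in week 3
    print("car A, week 3, cert 7 revoked: ", is_revoked(vehicle_linkage_values(*car_a, 3)[7], 3, crl))
    print("car A, week 10, cert 0 revoked:", is_revoked(vehicle_linkage_values(*car_a, 10)[0], 10, crl))
    print("car A, week 2, cert 0 revoked: ", is_revoked(vehicle_linkage_values(*car_a, 2)[0], 2, crl))
    print("car B, week 5, cert 0 revoked: ", is_revoked(vehicle_linkage_values(*car_b, 5)[0], 5, crl))
    print("certificates per year, 250M cars:", f"{certs_per_year(250_000_000):,}")
```

Before any revocation an eavesdropper sees only 20 unrelated 9-byte values per vehicle per week, which is what keeps the certificates unlinkable; one CRL entry of two seeds then lets every receiver link all of that vehicle's certificates from the revocation week onward, which is what keeps the CRL small compared with listing 20 certificates per week per revoked vehicle. The split across two LAs is what stops an insider at either authority from linking certificates on its own.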
SCMS Architecture
(architecture diagram)
- Central SCMS Manager
- Distributed ICA Managers
ICA Manager Role
- Operate a secure Intermediate Certificate Authority
  - Back-end hardware and software
  - Policies and operating procedures
- Issue certificates to equipment
  - Vehicle On-Board Units (OBUs) or Road-Side Equipment (RSEs)
  - Define and issue special application certificates for locally defined use cases
- Participate in misbehavior detection and revocation
  - Submit misbehavior reports for equipment that is not functioning normally
  - Respond to central Misbehavior Authority (MA) requests
  - Manage Certificate Revocation Lists (CRLs) or equipment blacklists
Application Permissions and Roles
- Traffic Management:
  - Adaptive traffic light management and secure pre-emption
  - Emergency work zone warnings and lane closures
  - Road condition warnings and temporary speed restrictions
  - Speed harmonization
- Public Transportation:
  - Public vehicle lane or zone prioritization and signal priority
  - Intelligent bus stop
  - Platooning and speed harmonization
- Infrastructure Management:
  - Emergency vehicle lane and signal priority
  - Work zone warning
  - Temporary road hazard warning
SCMS Current Status
- Core design is complete
- Version 1.1 prototype is in testing; it will support the CV pilots and the Smart City program launching in ~12 months
- Version 2.0 design work is in progress; it will add critical details on misbehavior detection and CRL distribution
- Design is heavily influenced by vehicle manufacturers
  - CV Pilot plans are introducing new needs from municipal operators
  - More participation and early pilot test programs can bring balance to the design
- Initial deployments are uncovering unanticipated conditions
  - Mobile and temporary road signs (such as lane closure signs)
  - Procedures to authorize replacements for failed or outdated equipment
Recommendations for Government Agencies
- Track progress of CV Pilot deployments
  - US DOT website: http://www.its.dot.gov/pilots/
- Develop your own Concept of Operations
  - Develop a wish-list of custom applications and deployments
- Start planning for incremental deployments as standards mature
  - Engage with hardware and software vendors; discuss your needs
- Deploy and test technology early, and learn before making a major commitment
  - Participate in local trials