In order to participate in this service package, each physical object should meet or exceed the following security levels.
In order to participate in this service package, each information flow triple should meet or exceed the following security levels.
| Information Flow Security |
| Source |
Destination |
Information Flow |
Confidentiality |
Integrity |
Availability |
| Basis |
Basis |
Basis |
| Connected Vehicle Roadside Equipment |
ITS Roadway Equipment |
intersection status monitoring |
Moderate |
High |
Moderate |
| This data is intentionally transmitted to everyone via a While this information can be ascertained by examining signal states, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, the RSE could send incorrect data to the Roadway Equipment. Since the data contained herein directly affects human safety, the Roadway Equipment may react to tell the RSE it is in conflict, which in turn may result in the RSE modifying or disabling its outputs. DISC THEA: info needs to be accurate and should not be tampered so the ITS RE has correct SPaT info for all lanes to be able to detect conflicts and support failsafe operating mode. DISC: THEA believes this may be HIGH for ISIG. NYC also believes this to be HIGH for PED-SIG. |
A delay in reporting this may allow the RSE to distribute faulty information, but that information is contradicted by the signal state. Since there are multiple pathways for the information to be obtained, this is not ‘High.’ |
| Connected Vehicle Roadside Equipment |
ITS Roadway Equipment |
signal service request |
Moderate |
Moderate |
Low |
| info is not confidential and could be exposed with little harm to participants; however, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays |
requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Connected Vehicle Roadside Equipment |
ITS Roadway Equipment |
traffic situation data |
Moderate |
Moderate |
Moderate |
| Aggregated messages may have more privacy implications than individual ones, especially if an attacker can attack more than one RSE-to-TMC connection at once. |
This information is used to help with incident detection. It should be verified to ensure that it is not incorrectly influencing this. THEA: only limited adverse effect if raw/processed connected vehicle data is bad/compromised; could be LOW for ISIG |
This information is used as supplemental information. It should operate correctly if not every single message is received. THEA: only limited adverse effect if info is not timely/readily available, could be LOW for ISIG |
| Connected Vehicle Roadside Equipment |
Traffic Management Center |
intersection management application status |
Moderate |
Moderate |
Low |
| This information could be of interest to a malicious individual who is attempting to determine the best way to accomplish a crime. As such it would be best to not make it easily accessible. May be LOW in some cases. |
If this is compromised, it could send unnecessary maintenance workers, or worse report plausible data that is erroneous. From THEA: should be able to cope with some bad information on the status and record of alerts/warnings; aggregate info; however could cause appearance of excessive traffic violations or unnecessary maintenance caused if data is compromised (operational state, status, log); should not affect the application functionality |
Incident status information should be presented in timely fashion as large scale mobility and safety issues are related. There are other mechanisms for reporting this information however, thus MODERATE. From THEA: Only limited adverse effect if info is not timely/readily available |
| Connected Vehicle Roadside Equipment |
Traffic Management Center |
traffic situation data |
Moderate |
Moderate |
Low |
| Aggregated messages may have more privacy implications than individual ones, especially if an attacker can attack more than one RSE-to-TMC connection at once. |
only limited adverse effect if raw/processed connected vehicle data is bad/compromised; DISC: NYC believes this to be MODERATE: As investigation might be triggered if RF quality is reported as low, this data should be trusted. RES: Agree with NYC. |
only limited adverse effect if info is not timely/readily available. NYC: This data is purely for statistical purposes so low availability does not harm the [RSE RF Monitoring] application. |
| Connected Vehicle Roadside Equipment |
Vehicle |
intersection geometry |
Low |
High |
Moderate |
| Map data intended for general use by any C-ITS component that needs it. No information here includes PII or anything else that, if viewed by someone other than the participant, would lead to harm. |
Map data is used for a host of application purposes. This widespread use means that any corruption in the data has a widespread and far reaching effect. |
Occasional outages of this flow will delay updates and lead to a loss of accurate function of some applications. Depending on the application this could be HIGH. |
| Connected Vehicle Roadside Equipment |
Vehicle |
intersection status |
Not Applicable |
High |
Moderate |
| This data is intended for all vehicles in the immediate area of the sender. |
If this is compromised, the Vehicle OBE will receive messages that are inconsistent with what the traffic signals are displaying. This could lead to confusion and reduce the ability of the application to provide value. |
If this is down, the Vehicle OBE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. We assume that the Vehicle OBE will detect a lack of availability and choose not to send out-of-date information, so a failure of availability cannot have worse consequences than a failure of integrity which we have previously assessed at MEDIUM. |
| Connected Vehicle Roadside Equipment |
Vehicle |
vehicle situation data parameters |
Low |
Moderate |
Moderate |
| This isn't exactly a control flow, more like a 'suggestion flow', as the vehicle will always decide what to send. Probably no need for obfuscation. |
Info should be accurate and should not be tampered with so that the vehicle only discloses the correctly requested data |
Parameters should be timely and readily available, but would not have severe/catastrophic consequences if not |
| Driver |
Vehicle |
driver input |
Moderate |
High |
High |
| Data included in this flow may include origin and destination information, which should be protected from others' viewing as it may compromise the driver's privacy. |
Commands from the driver to the vehicle must be correct or the vehicle may behave in an unpredictable and possibly unsafe manner |
Commands must always be able to be given or the driver has no control. |
| ITS Roadway Equipment |
Connected Vehicle Roadside Equipment |
conflict monitor status |
Moderate |
High |
Moderate |
| Trains arriving should be visible, viewable and certainly not concealed. Reception of this information may indicate position or intended position of the recipient, which is slightly sensitive; thus LOW and not N/A is typically justified. However, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, it could send incorrect data to the RSE. Since the data contained herein directly affects human safety, the RSE may react to modify its outputs, at the least disabling related outputs. If compromised, the ITS RE may not be able to support failsafe operating mode in the event of a conflict between the ITS RE and RSE. May not be ‘High’ because the signal state is also present. From NYC: This flow tells the RSE that the traffic controller is in a failed state – typically flashing signals not timing. |
A delay in reporting this may allow the RSE to distribute faulty information, but that information is contradicted by the signal state. Since there are multiple pathways for the information to be obtained, this is not ‘High.’ |
| ITS Roadway Equipment |
Connected Vehicle Roadside Equipment |
intersection control status |
Moderate |
High |
Moderate |
| This data is intentionally transmitted to everyone via a While this information is broadcast and can also be determined via other visual indicators, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, the Roadway Equipment and Roadside Equipment will be sending messages that are inconsistent with each other, leading to confusion and possible accidents. |
If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. The RSE must detect a lack of availability and choose not to send out-of-date information, so a failure of availability could be interpreted as having the same value as Integrity. However, this data is semi-predictable and there are other indicators (such as the lights themselves) of the intersection status.
From NYC, who believe this should be HIGH for some applications: If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. The RSE must detect a lack of availability and choose not to send out-of-date information, so a failure of availability cannot have worse consequences than a failure of integrity which we have previously assessed at HIGH. |
| ITS Roadway Equipment |
Driver |
driver information |
Not Applicable |
High |
Moderate |
| This data is sent to all drivers and is also directly observable, by design. |
This is the primary signal trusted by the driver to decide whether to go through the intersection and what speed to go through the intersection at; if it’s wrong, accidents could happen. |
If the lights are out you have to get a policeman to direct traffic – expensive and inefficient and may cause a cascading effect due to lack of coordination with other intersections. |
| ITS Roadway Equipment |
MMV User |
crossing permission |
Not Applicable |
High |
Low |
| This data is intentionally transmitted to everyone via a broadcast. |
Although pedestrians have a responsibility to make sure the road is safe before they cross, they may react instinctively to incorrect information and be led to cross at unsafe times if they get incorrect information. Also, if the traffic signals are wrong and an accident happens, the pedestrian involved could sue, causing financial loss and other undesirable outcomes. |
It is easy to tell whether this information flow is available and pedestrians are used to using crosswalks that do not provide this service. |
| ITS Roadway Equipment |
Multi-Access Edge Computing |
conflict monitor status |
Moderate |
High |
Moderate |
| Trains arriving should be visible, viewable and certainly not concealed. Reception of this information may indicate position or intended position of the recipient, which is slightly sensitive; thus LOW and not N/A is typically justified. However, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, it could send incorrect data to the RSE. Since the data contained herein directly affects human safety, the RSE may react to modify its outputs, at the least disabling related outputs. If compromised, the ITS RE may not be able to support failsafe operating mode in the event of a conflict between the ITS RE and RSE. May not be ‘High’ because the signal state is also present. From NYC: This flow tells the RSE that the traffic controller is in a failed state – typically flashing signals not timing. |
A delay in reporting this may allow the RSE to distribute faulty information, but that information is contradicted by the signal state. Since there are multiple pathways for the information to be obtained, this is not ‘High.’ |
| ITS Roadway Equipment |
Multi-Access Edge Computing |
intersection control status |
Moderate |
High |
Moderate |
| This data is intentionally transmitted to everyone via a While this information is broadcast and can also be determined via other visual indicators, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, the Roadway Equipment and Roadside Equipment will be sending messages that are inconsistent with each other, leading to confusion and possible accidents. |
If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. The RSE must detect a lack of availability and choose not to send out-of-date information, so a failure of availability could be interpreted as having the same value as Integrity. However, this data is semi-predictable and there are other indicators (such as the lights themselves) of the intersection status.
From NYC, who believe this should be HIGH for some applications: If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. The RSE must detect a lack of availability and choose not to send out-of-date information, so a failure of availability cannot have worse consequences than a failure of integrity which we have previously assessed at HIGH. |
| ITS Roadway Equipment |
Other ITS Roadway Equipment |
right-of-way request coordination |
Moderate |
Moderate |
Moderate |
| Any control flow has some confidentiality requirement, as observation of the flow may enable an attacker to analyze and learn how to assume control. MODERATE for most flows as the potential damage is likely contained, though anything that could have a significant safety impact may be assigned HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. |
| ITS Roadway Equipment |
Other ITS Roadway Equipment |
signal control coordination |
Moderate |
Moderate |
Moderate |
| Any control flow has some confidentiality requirement, as observation of the flow may enable an attacker to analyze and learn how to assume control. MODERATE for most flows as the potential damage is likely contained, though anything that could have a significant safety impact may be assigned HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. |
| ITS Roadway Equipment |
Other ITS Roadway Equipment |
traffic detector coordination |
Moderate |
Moderate |
Low |
| Any control flow has some confidentiality requirement, as observation of the flow may enable an attacker to analyze and learn how to assume control. MODERATE for most flows as the potential damage is likely contained, though anything that could have a significant safety impact may be assigned HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. |
| ITS Roadway Equipment |
Pedestrian |
crossing permission |
Not Applicable |
High |
Low |
| This data is intentionally transmitted to everyone via a broadcast. |
Although pedestrians have a responsibility to make sure the road is safe before they cross, they may react instinctively to incorrect information and be led to cross at unsafe times if they get incorrect information. Also, if the traffic signals are wrong and an accident happens, the pedestrian involved could sue, causing financial loss and other undesirable outcomes. |
It is easy to tell whether this information flow is available and pedestrians are used to using crosswalks that do not provide this service. |
| ITS Roadway Equipment |
Traffic Management Center |
right-of-way request notification |
Low |
Moderate |
Moderate |
| This can be reasonably guessed based on observing the ITS RE’s environment. It is obvious when a bus approaches an intersection. |
Invalid messages could lead to an unauthorized user gaining signal priority at an intersection. This could also be used to delay traffic, which could lead to a financial impact on the community. However, the traffic signal will have controls in place to ensure that it does not display an illegal configuration (such as green in every direction). |
Even if all of the Right-of-way Requests are not passed along from an ITS RE, the intersection will still operate as normal. There are other existing methods to assist a right-of-way requesting vehicle safely traveling through an intersection, such as lights and sirens, which prevent this from being a HIGH. DISC: THEA and NYC believe this to be LOW: "not necessary for the app to work; can cope with not having immediately available data" |
| ITS Roadway Equipment |
Traffic Management Center |
signal control status |
Low |
High |
Moderate |
| The current conditions of an ITS RE are completely observable, by design. |
This influences the TMC response to a right-of-way request. It should be as accurate as the right-of-way requests themselves. For some applications (ISIG) this need only be moderate. Per THEA: info needs to be accurate and should not be tampered to enable effective monitoring and control by the TMC. DISC: THEA believes this to be MODERATE: "info needs to be accurate and should not be tampered to enable effective monitoring and control by the TMC; should be as accurate as the right of way request". NYC: TMC doesn’t play an active role in this application, i.e. even if the information contained in this flow were incorrect, it is unlikely to affect the outcome of this application one way or the other. On some applications NYC has this MODERATE though. RES: This value can obviously change a lot depending on the application context. |
The TMC will need the current status of the ITS RE in order to make an educated decision. If it is unavailable, the system is unable to operate. However, a few missed messages will not have a catastrophic impact. From NYC: TMC doesn’t play an active role in this application, i.e. even if it is unavailable, it is unlikely to affect the outcome of this application one way or the other. RES: This value can change a lot depending on the application context. |
| ITS Roadway Equipment |
Traffic Management Center |
signal fault data |
Low |
High |
Moderate |
| The current conditions of an ITS RE are completely observable, by design. |
Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. |
Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. |
| ITS Roadway Equipment |
Traffic Management Center |
traffic detector data |
Low |
Moderate |
Moderate |
| No impact if someone sees the data |
Some minimal guarantee of data integrity is necessary for all C-ITS flows. THEA believes this to be LOW. Only limited adverse effect if raw/processed traffic detector data is bad/compromised; DISC: WYO believes this to be HIGH |
Only limited adverse effect if info is not timely/readily available, however without this information it will be difficult to perform traffic management activities, thus MODERATE. If not used for management, may be LOW. |
| MMV User |
ITS Roadway Equipment |
crossing call |
Not Applicable |
High |
Low |
| The "Not Applicable" group includes information flows that do not actually carry information; for example, flows that represent the physical environment. |
Although pedestrians have a responsibility to make sure the road is safe before they cross, and should ensure that they are detected by pedestrian detection systems, they may not always be detected and be led to cross at unsafe times if the ITS RE obtains incorrect information. |
It is easy to tell whether this information flow is available and pedestrians are used to using crosswalks that do not provide this service. |
| Multi-Access Edge Computing |
ITS Roadway Equipment |
intersection status monitoring |
Moderate |
High |
Moderate |
| This data is intentionally transmitted to everyone via a While this information can be ascertained by examining signal states, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, the RSE could send incorrect data to the Roadway Equipment. Since the data contained herein directly affects human safety, the Roadway Equipment may react to tell the RSE it is in conflict, which in turn may result in the RSE modifying or disabling its outputs. DISC THEA: info needs to be accurate and should not be tampered so the ITS RE has correct SPaT info for all lanes to be able to detect conflicts and support failsafe operating mode. DISC: THEA believes this may be HIGH for ISIG. NYC also believes this to be HIGH for PED-SIG. |
A delay in reporting this may allow the RSE to distribute faulty information, but that information is contradicted by the signal state. Since there are multiple pathways for the information to be obtained, this is not ‘High.’ |
| Multi-Access Edge Computing |
ITS Roadway Equipment |
signal service request |
Moderate |
Moderate |
Low |
| info is not confidential and could be exposed with little harm to participants; however, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays |
requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Multi-Access Edge Computing |
ITS Roadway Equipment |
traffic situation data |
Moderate |
Moderate |
Moderate |
| Aggregated messages may have more privacy implications than individual ones, especially if an attacker can attack more than one RSE-to-TMC connection at once. |
This information is used to help with incident detection. It should be verified to ensure that it is not incorrectly influencing this. THEA: only limited adverse effect if raw/processed connected vehicle data is bad/compromised; could be LOW for ISIG |
This information is used as supplemental information. It should operate correctly if not every single message is received. THEA: only limited adverse effect if info is not timely/readily available, could be LOW for ISIG |
| Multi-Access Edge Computing |
Traffic Management Center |
intersection management application status |
Moderate |
Moderate |
Low |
| This information could be of interest to a malicious individual who is attempting to determine the best way to accomplish a crime. As such it would be best to not make it easily accessible. May be LOW in some cases. |
If this is compromised, it could send unnecessary maintenance workers, or worse report plausible data that is erroneous. From THEA: should be able to cope with some bad information on the status and record of alerts/warnings; aggregate info; however could cause appearance of excessive traffic violations or unnecessary maintenance caused if data is compromised (operational state, status, log); should not affect the application functionality |
Incident status information should be presented in timely fashion as large scale mobility and safety issues are related. There are other mechanisms for reporting this information however, thus MODERATE. From THEA: Only limited adverse effect if info is not timely/readily available |
| Multi-Access Edge Computing |
Traffic Management Center |
traffic situation data |
Moderate |
Moderate |
Moderate |
| Aggregated messages may have more privacy implications than individual ones, especially if an attacker can attack more than one RSE-to-TMC connection at once. |
This information is used to help with incident detection. It should be verified to ensure that it is not incorrectly influencing this. THEA: only limited adverse effect if raw/processed connected vehicle data is bad/compromised; could be LOW for ISIG |
This information is used as supplemental information. It should operate correctly if not every single message is received. THEA: only limited adverse effect if info is not timely/readily available, could be LOW for ISIG |
| Multi-Access Edge Computing |
Vehicle |
intersection geometry |
Low |
High |
Moderate |
| Map data intended for general use by any C-ITS component that needs it. No information here includes PII or anything else that, if viewed by someone other than the participant, would lead to harm. |
Map data is used for a host of application purposes. This widespread use means that any corruption in the data has a widespread and far reaching effect. |
Occasional outages of this flow will delay updates and lead to a loss of accurate function of some applications. Depending on the application this could be HIGH. |
| Multi-Access Edge Computing |
Vehicle |
intersection status |
Not Applicable |
High |
Moderate |
| This data is distributed using a variety of mechanisms, some of which are localized broadcast; it is desirable that all potential users get this information. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
| Multi-Access Edge Computing |
Vehicle |
vehicle situation data parameters |
Low |
Moderate |
Moderate |
| This isn't exactly a control flow, more like a 'suggestion flow', as the vehicle will always decide what to send. Probably no need for obfuscation. |
Info should be accurate and should not be tampered with so that the vehicle only discloses the correctly requested data |
Parameters should be timely and readily available, but would not have severe/catastrophic consequences if not |
| Other ITS Roadway Equipment |
ITS Roadway Equipment |
right-of-way request coordination |
Moderate |
Moderate |
Moderate |
| Any control flow has some confidentiality requirement, as observation of the flow may enable an attacker to analyze and learn how to assume control. MODERATE for most flows as the potential damage is likely contained, though anything that could have a significant safety impact may be assigned HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. |
| Other ITS Roadway Equipment |
ITS Roadway Equipment |
signal control coordination |
Moderate |
Moderate |
Moderate |
| Any control flow has some confidentiality requirement, as observation of the flow may enable an attacker to analyze and learn how to assume control. MODERATE for most flows as the potential damage is likely contained, though anything that could have a significant safety impact may be assigned HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. |
| Other ITS Roadway Equipment |
ITS Roadway Equipment |
traffic detector coordination |
Moderate |
Moderate |
Low |
| Any control flow has some confidentiality requirement, as observation of the flow may enable an attacker to analyze and learn how to assume control. MODERATE for most flows as the potential damage is likely contained, though anything that could have a significant safety impact may be assigned HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. |
Since this directly impacts device control, we consider it the same as a control flow. Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. |
| Pedestrian |
ITS Roadway Equipment |
crossing call |
Not Applicable |
High |
Low |
| The "Not Applicable" group includes information flows that do not actually carry information; for example, flows that represent the physical environment. |
Although pedestrians have a responsibility to make sure the road is safe before they cross, and should ensure that they are detected by pedestrian detection systems, they may not always be detected and be led to cross at unsafe times if the ITS RE obtains incorrect information. |
It is easy to tell whether this information flow is available and pedestrians are used to using crosswalks that do not provide this service. |
| Traffic Management Center |
Connected Vehicle Roadside Equipment |
intersection management application info |
Moderate |
High |
Low |
| Proprietary configuration data with warning parameters and thresholds. |
should be accurate and not be tampered with; could enable outside control of application |
This message is an indication of a potential hazard. If it isn’t received it increases the risk to other road users. If a vehicle is infringing on an intersection, it must report this. |
| Traffic Management Center |
ITS Roadway Equipment |
signal control commands |
Moderate |
High |
Moderate |
| Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: NYC believes this to be LOW: "The result of this will be directly observable." |
Invalid messages could lead to an unauthorized user gaining control of an intersection. This could also be used to bring traffic to a standstill, which could lead to a large financial impact on the community. DISC: NYC believes this to be MODERATE: The signal timing is critical to the intersection operation; incorrect signal timing can lead to significant congestion and unreliable operation; while unsafe operation is controlled by the cabinet monitoring system, attackers could “freeze” the signal or call a preemption. RES: This will vary depending on the application and implementation. |
These messages are important to help with preemption and signal priority applications. Without them, these applications may not work. However, if these signals are not received, the ITS RE will continue to function using its default configuration. The TMC should have an acknowledgement of the receipt of a message. DISC: NYC believes this to be LOW: TMC doesn’t play an active role in this application, i.e. even if it is unavailable, it is unlikely to affect the outcome of this application one way or the other.
RES: This will vary depending on the application and implementation. |
| Traffic Management Center |
ITS Roadway Equipment |
signal control device configuration |
Moderate |
High |
Moderate |
| Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: THEA believes this to be LOW: "encrypted, authenticated, proprietary; however will not cause harm if seen, traffic light information is visible." |
Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. From THEA: proprietary info that should not be tampered with; includes local controllers and system masters; tampering with configurations could cause delays along with major safety issues |
Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. From THEA: should be timely and readily available; however, should be able to function using a default configuration |
| Traffic Management Center |
ITS Roadway Equipment |
signal control plans |
Moderate |
High |
Moderate |
| Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: THEA believes this to be LOW: "encrypted, authenticated, proprietary; but the result is directly observable from traffic lights" |
Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. From THEA: proprietary info that should not be tampered with; tampering with these plans could cause delays along with major safety issues |
Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. From THEA: should be timely and readily available; coordinated with other systems; however, should be able to function using a default configuration |
| Traffic Management Center |
ITS Roadway Equipment |
signal system configuration |
Low |
High |
Moderate |
| encrypted, authenticated, proprietary; however, the result is directly observable from traffic lights |
proprietary info that should not be tampered with; data used to configure traffic signal systems; could cause significant delays and traffic issues if compromised |
should be readily available; configurations can be time |
| Traffic Management Center |
ITS Roadway Equipment |
traffic detector control |
Moderate |
Moderate |
Low |
| Control flows, even for seemingly innocent devices, should be kept confidential to minimize attack vectors. While an individual installation may not be particularly impacted by a cyberattack of its sensor network, another installation might be severely impacted, and different installations are likely to use similar methods, so compromising one leads to compromising all. DISC: THEA, WYO believe this to be LOW: encrypted, authenticated, proprietary; but should not cause severe damage if seen |
Control flows, even for seemingly innocent devices, should have MODERATE integrity at minimum, just to guarantee that intended control messages are received. Incorrect, corrupted, intercepted and modified control messages can or will result in target field devices not behaving according to operator intent. The severity of this depends on the type of device, which is why some devices are set MODERATE and some HIGH. From THEA: should be accurate and not be tampered with; could enable outside control of traffic sensors but should not cause severe harm, but could cause issues with traffic sensor data received and be detrimental to operations |
Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. From THEA: want updates but delayed information will not be severe; should be able to operate from a previous/default control/config. DISC: WYO believes this to be MODERATE |
| Traffic Management Center |
Multi-Access Edge Computing |
intersection management application info |
Moderate |
High |
Low |
| Proprietary configuration data with warning parameters and thresholds. |
should be accurate and not be tampered with; could enable outside control of application |
This message is an indication of a potential hazard. If it isn’t received it increases the risk to other road users. If a vehicle is infringing on an intersection, it must report this. |
| Traffic Management Center |
Traffic Operations Personnel |
traffic operator data |
Moderate |
Moderate |
Moderate |
| Backoffice operations flows should have minimal protection from casual viewing, as otherwise imposters could gain illicit control or information that should not be generally available. |
Information presented to backoffice system operators must be consistent or the operator may perform actions that are not appropriate to the real situation. |
The backoffice system operator should have access to system operation. If this interface is down then control is effectively lost, as without feedback from the system the operator has no way of knowing what is the correct action to take. |
| Traffic Management Center |
Transportation Information Center |
intersection status |
Not Applicable |
High |
Moderate |
| This data is distributed using a variety of mechanisms, some of which are localized broadcast; it is desirable that all potential users get this information. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
| Traffic Operations Personnel |
Traffic Management Center |
traffic operator input |
Moderate |
High |
High |
| Backoffice operations flows should have minimal protection from casual viewing, as otherwise imposters could gain illicit control or information that should not be generally available. |
Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system. |
Backoffice operations flows should generally be correct and available as these are the primary interface between operators and system. |
| Transportation Information Center |
Vehicle |
intersection geometry |
Low |
High |
Moderate |
| Map data intended for general use by any C-ITS component that needs it. No information here includes PII or anything else that, if viewed by someone other than the participant, would lead to harm. |
Map data is used for a host of application purposes. This widespread use means that any corruption in the data has a widespread and far reaching effect. |
Occasional outages of this flow will delay updates and lead to a loss of accurate function of some applications. Depending on the application this could be HIGH. |
| Transportation Information Center |
Vehicle |
intersection status |
Not Applicable |
High |
Moderate |
| This data is distributed using a variety of mechanisms, some of which are localized broadcast; it is desirable that all potential users get this information. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
| Transportation Information Center |
Vehicle |
vehicle situation data parameters |
Low |
Moderate |
Moderate |
| This isn't exactly a control flow, more like a 'suggestion flow', as the vehicle will always decide what to send. Probably no need for obfuscation. |
Info should be accurate and should not be tampered with so that the vehicle only discloses the correctly requested data |
Parameters should be timely and readily available, but would not have severe/catastrophic consequences if not |
| Vehicle |
Connected Vehicle Roadside Equipment |
vehicle location and motion for surveillance |
Not Applicable |
Moderate |
Moderate |
| This is directly observable data; DISC: WYO believes this to be MODERATE |
Incorrect information here could lead to the system not functioning properly. If they are unable to properly detect all vehicles crossing the border, it would lead to confusion. There are other factors, such as visual indicators, of vehicles crossing the border, which can be used to help mitigate contradicting information. DISC: THEA believes this should be HIGH: "BSM info needs to be accurate and should not be tampered with" WYO believes this to be HIGH |
This information must be available in a timely manner for the system to act upon it. The system can operate correctly if some messages are missed, but overall a majority of them should be received. WYO believes this to be LOW |
| Vehicle |
Connected Vehicle Roadside Equipment |
vehicle situation data |
Moderate |
Moderate |
Low |
| Might be able to link multiple snapshots together and compromise some element of driver/traveler privacy. |
Some minimal guarantee of data integrity is necessary for all C-ITS flows. DISC: THEA believes this to be LOW: data should be accurate and not tampered with but should be able to cope with some bad data in traffic/environmental condition monitoring; aggregate data |
data should be timely and readily available, but limited adverse effect; aggregate data |
| Vehicle |
Driver |
driver updates |
Not Applicable |
Moderate |
Moderate |
| This data is informing the driver about the safety of a nearby area. It should not contain anything sensitive, and does not matter if another person can observe it. |
This is the information that is presented to the driver. If they receive incorrect information, they may act in an unsafe manner. However, there are other indicators that would alert them to any hazards, such as an oncoming vehicle or crossing safety lights. |
If this information is not made available to the driver, then the system has not operated correctly. |
| Vehicle |
Multi-Access Edge Computing |
vehicle location and motion for surveillance |
Not Applicable |
Moderate |
Moderate |
| This is directly observable data; DISC: WYO believes this to be MODERATE |
Incorrect information here could lead to the system not functioning properly. If they are unable to properly detect all vehicles crossing the border, it would lead to confusion. There are other factors, such as visual indicators, of vehicles crossing the border, which can be used to help mitigate contradicting information. DISC: THEA believes this should be HIGH: "BSM info needs to be accurate and should not be tampered with" WYO believes this to be HIGH |
This information must be available in a timely manner for the system to act upon it. The system can operate correctly if some messages are missed, but overall a majority of them should be received. WYO believes this to be LOW |
| Vehicle |
Multi-Access Edge Computing |
vehicle situation data |
Moderate |
Moderate |
Low |
| Might be able to link multiple snapshots together and compromise some element of driver/traveler privacy. |
Event driven data can be used for various mobility monitoring applications, and as operational decisions may be made based on mobility conditions, this data's accuracy should be preserved or decisions may not align with real situations. |
While desirable, in most application contexts the provision of a single vehicle's data through this flow is not critical. |
| Vehicle |
Transportation Information Center |
vehicle situation data |
Moderate |
Moderate |
Low |
| Might be able to link multiple snapshots together and compromise some element of driver/traveler privacy. |
Event driven data can be used for various mobility monitoring applications, and as operational decisions may be made based on mobility conditions, this data's accuracy should be preserved or decisions may not align with real situations. |
While desirable, in most application contexts the provision of a single vehicle's data through this flow is not critical. |
| Vehicle Characteristics |
ITS Roadway Equipment |
vehicle characteristics |
|
|
|
|
|
|