In order to participate in this service package, each physical object should meet or exceed the following security levels.
In order to participate in this service package, each information flow triple should meet or exceed the following security levels.
| Information Flow Security |
| Source |
Destination |
Information Flow |
Confidentiality |
Integrity |
Availability |
| Basis |
Basis |
Basis |
| Basic Vehicle |
Vehicle |
host vehicle status |
Low |
Moderate |
High |
| Unlikely that this includes any information that could be used against the originator. |
This can be MODERATE or HIGH, depending on the application: This is used later on to determine whether a vehicle is likely going to violate a red light or infringe a work zone. This needs to be correct in order for the application to work correctly. |
Since this monitors the health and safety of the vehicle and that information is eventually reported to the driver, it should be available at all times as it directly affects vehicle and operator safety. |
| Connected Vehicle Roadside Equipment |
ITS Roadway Equipment |
detected unequipped vehicles and VRUs |
Moderate |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. However, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| Connected Vehicle Roadside Equipment |
ITS Roadway Equipment |
personal location information |
Moderate |
Moderate |
Low |
| This is simply passing on received broadcast messages. It is intended to be received by everyone; however, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
We assume that this information is not able to cause the ITS RE to behave in extreme ways, e.g. to keep all the lights red forever because it thinks there’s a baby in the middle of the road. In other words, the ITS RE has maximum durations for the different phases of the cycle which it will not go beyond not matter what this information flow contains. Bad information can cause annoyances and disrupt traffic flow to a limited extent but will not have a large impact. NYC: location should be accurate and should not be tampered; however, we assume the info is not able to cause the ITS RE to behave in extreme ways (i.e., there should be maximum different cycle phases) |
If this is down, the ITS RE goes back to default behavior, which we assume is set sensibly. NYC: if down, the ITS RE should revert to default behavior which we assume is sensible |
| Connected Vehicle Roadside Equipment |
ITS Roadway Equipment |
signal service request |
Moderate |
Moderate |
Low |
| info is not confidential and could be exposed with little harm to participants; however, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays |
requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Connected Vehicle Roadside Equipment |
Micromobility Vehicle OBE |
personal crossing safety information |
Not Applicable |
Moderate |
Low |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
People will use this information to determine if they can cross, so incorrect information increases the risk of accidents. DISC: THEA believes this to be HIGH: "info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information" |
If this is down, the pedestrian still gets information from the RE and from the rest of the environment. DISC: NYC and THEA believe this to be MODERATE: info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information; however, overall I level is M, not H, because message is still just information and pedestrian needs to use their own awareness
A: needs to be readily available to give permission to cross, time remaining, etc. but cannot guarantee wireless communication; however, worst case is the pedestrian has to wait; also cannot guarantee wireless communication |
| Connected Vehicle Roadside Equipment |
Personal Information Device |
detected unequipped vehicles and VRUs |
Not Applicable |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| Connected Vehicle Roadside Equipment |
Personal Information Device |
intersection geometry |
Low |
High |
Moderate |
| Map data intended for general use by any C-ITS component than needs it. No information here includes PII or anything else that, if viewed by someone other than the participant, would lead to harm. |
Map data is used for a host of application purposes. This widespread use means that any corruption in the data has a widespread and far reaching effect. |
Occasional outages of this flow will delay updates and lead to a loss of accurate function of some applications. Depending on the application this could be HIGH. |
| Connected Vehicle Roadside Equipment |
Personal Information Device |
intersection safety warning |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
This message is broadcast as a warning, allowing infringing drivers to avoid a collision with a pedestrian and all other drivers to avoid the infringing driver. If this message is falsely broadcast it could cause drivers who think they may be infringing to break suddenly, increasing the chance of a collisions from behind. If it were constantly broadcast incorrectly, it may lead to drivers ignoring this notifications. All of these cases have an impact on safety. NYC believes some scenarios may only require MODERATE, but some do require HIGH. |
This message has a very short window in which it is valid. If it is not delivered until after the driver has passed the point of no return before entering the crosswalk, they will not gain any information from it, rendering the application useless. |
| Connected Vehicle Roadside Equipment |
Personal Information Device |
intersection status |
Not Applicable |
High |
Moderate |
| This data is intended for all vehicles in the immediate area of the sender. |
info needs to be accurate and should not be tampered so the vehicle OBE has correct SPaT info for all lanes; however the driver can still see the traffic signals. From NYC: This information will be used by the vehicle ASD to determine whether or not to issue a red light violation warning to the driver. False information could lead to the vehicle ASD not issuing a warning when in fact it should have. The vehicle operator is not using this information to decide whether or not to travel through the intersection. They will still have visual cues, such as traffic lights, indicating whether or not they can travel through the intersection. |
needs to be available so the vehicle OBE has correct SPaT info; identifies signal priority and preemption status and pedestrian crossing status information, etc. However availability cannot be guaranteed over a wireless medium. From NYC: Without this information, vehicle ASD may not properly issue a red light violation warning to the driver. The vehicle operator will still use the traffic |
| Connected Vehicle Roadside Equipment |
Personal Information Device |
personal crossing safety information |
Not Applicable |
Moderate |
Low |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
People will use this information to determine if they can cross, so incorrect information increases the risk of accidents. DISC: THEA believes this to be HIGH: "info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information" |
If this is down, the pedestrian still gets information from the RE and from the rest of the environment. DISC: NYC and THEA believe this to be MODERATE: info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information; however, overall I level is M, not H, because message is still just information and pedestrian needs to use their own awareness
A: needs to be readily available to give permission to cross, time remaining, etc. but cannot guarantee wireless communication; however, worst case is the pedestrian has to wait; also cannot guarantee wireless communication |
| Connected Vehicle Roadside Equipment |
Traffic Management Center |
intersection safety application status |
Moderate |
Moderate |
Low |
| This information could be of interest to a malicious individual who is attempting to determine the best way to accomplish a crime. As such it would be best to not make it easily accessible. DISC: THEA and NYC believe this may be LOW for some applications |
If this is compromised, it could send unnecessary maintenance workers, or cause the appearance of excessive traffic violations, leading to further unnecessary investigation. NYC: should be able to cope with some bad information on the status and record of alerts/warnings; aggregate info; however could cause appearance of excessive traffic violations or unnecessary maintenance caused if data is compromised |
A delay in reporting this may cause a delay in necessary maintenance, but (a) this is not time-critical and (b) there are other channels for reporting malfunctioning. Additionally, there is a message received notification, which means that RSE can ensure that all intersection safety issues are delivered. |
| Connected Vehicle Roadside Equipment |
Vehicle |
detected unequipped vehicles and VRUs |
Not Applicable |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| Connected Vehicle Roadside Equipment |
Vehicle |
intersection geometry |
Low |
High |
Moderate |
| Map data intended for general use by any C-ITS component than needs it. No information here includes PII or anything else that, if viewed by someone other than the participant, would lead to harm. |
Map data is used for a host of application purposes. This widespread use means that any corruption in the data has a widespread and far reaching effect. |
Occasional outages of this flow will delay updates and lead to a loss of accurate function of some applications. Depending on the application this could be HIGH. |
| Connected Vehicle Roadside Equipment |
Vehicle |
intersection safety warning |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
This message is broadcast as a warning, allowing infringing drivers to avoid a collision with a pedestrian and all other drivers to avoid the infringing driver. If this message is falsely broadcast it could cause drivers who think they may be infringing to break suddenly, increasing the chance of a collisions from behind. If it were constantly broadcast incorrectly, it may lead to drivers ignoring this notifications. All of these cases have an impact on safety. NYC believes some scenarios may only require MODERATE, but some do require HIGH. |
This message has a very short window in which it is valid. If it is not delivered until after the driver has passed the point of no return before entering the crosswalk, they will not gain any information from it, rendering the application useless. |
| Connected Vehicle Roadside Equipment |
Vehicle |
intersection status |
Not Applicable |
High |
Moderate |
| This data is intended for all vehicles in the immediate area of the sender. |
If this is compromised, the Vehicle OBE will receive messages that are inconsistent with what the traffic signals are displaying. This could lead to confusion and reduce the ability of the application to provide value. |
If this is down, the Vehicle OBE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. We assume that the Vehicle OBE will detect a lack of availability and choose not to send out-of-date information, so a failure of availability cannot have worse consequences than a failure of integrity which we have previously assessed at MEDIUM. |
| Connected Vehicle Roadside Equipment |
Vehicle |
proxied personal location |
Not Applicable |
Moderate |
Moderate |
| This information is intended for widespread local distribution; effectively broadcast to every mobile device in the area. |
Incorrect information could lead to a person not being properly located by a receiving vehicle, which could have catastrophic effects. |
This data is required for the system to operate properly. If this data is not available, the system cannot give accurate warning information. |
| Driver |
Vehicle |
driver input |
Moderate |
High |
High |
| Data included in this flow may include origin and destination information, which should be protected from other's viewing as it may compromise the driver's privacy. |
Commands from from the driver to the vehicle must be correct or the vehicle may behave in an unpredictable and possibly unsafe manner |
Commands must always be able to be given or the driver has no control. |
| ITS Roadway Equipment |
Connected Vehicle Roadside Equipment |
detected unequipped vehicles and VRUs |
Moderate |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. However, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| ITS Roadway Equipment |
Connected Vehicle Roadside Equipment |
intersection control status |
Moderate |
High |
Moderate |
| This data is intentionally transmitted to everyone via a While this information is broadcast and can also be determined via other visual indicators, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, the Roadway Equipment and Roadside Equipment will be sending messages that are inconsistent with each other, leading to confusion and possible accidents. |
If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. The RSE must detect a lack of availability and choose not to send out-of-date information, so a failure of availability could be interpreted as having the same value as Integrity. However, this data is semi-predictable and there are other indicators (such as the lights themselves) of the intersection status.
From NYC, who believe this should be HIGH for some applications: If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. The RSE must detect a lack of availability and choose not to send out-of-date information, so a failure of availability cannot have worse consequences than a failure of integrity which we have previously assessed at HIGH. |
| ITS Roadway Equipment |
Connected Vehicle Roadside Equipment |
intersection infringement detection |
Moderate |
High |
Moderate |
| This data is intentionally transmitted to everyone via a While this information is broadcast and can also be determined via other visual indicators, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
This message is an indication of a potential hazard and should not be easy to forge. False messages here may lead to confusion that causes a traffic accident. |
This message is an indication of a potential hazard. If it isn’t received it increases the risk to other road users. If a vehicle is infringing on an intersection, it must report this. |
| ITS Roadway Equipment |
Connected Vehicle Roadside Equipment |
mixed use crossing status |
Moderate |
High |
Moderate |
| This data can be ascertained by examining indicators, but all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, the ITS RE and RSE will be sending messages that are inconsistent with each other, leading to confusion and possible accidents and reducing the ability of the application to provide value. If this information is incorrect, it could lead to a collision between a vehicle and a pedestrian. |
If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having the RSE. We assume that the RSE will detect a lack of availability and choose not to send out-of-date information, so a failure of availability cannot have worse consequences than a failure of integrity which we have previously assessed at MEDIUM. |
| ITS Roadway Equipment |
Driver |
driver information |
Not Applicable |
High |
Moderate |
| This data is sent to all drivers and is also directly observable, by design. |
This is the primary signal trusted by the driver to decide whether to go through the intersection and what speed to go through the intersection at; if it’s wrong, accidents could happen. |
If the lights are out you have to get a policeman to direct traffic – expensive and inefficient and may cause a cascading effect due to lack of coordination with other intersections. |
| ITS Roadway Equipment |
MMV User |
crossing permission |
Not Applicable |
High |
Low |
| This data is intentionally transmitted to everyone via a broadcast. |
Although pedestrians have a responsibility to make sure the road is safe before they cross, they may react instinctively to incorrect information and be led to cross at unsafe times if they get incorrect information. Also, if the traffic signals are wrong and an accident happens, the pedestrian involved could sue, causing financial loss and other undesirable outcomes. |
It is easy to tell whether this information flow is available and pedestrians are used to using crosswalks that do not provide this service. |
| ITS Roadway Equipment |
Multi-Access Edge Computing |
detected unequipped vehicles and VRUs |
Moderate |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. However, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| ITS Roadway Equipment |
Multi-Access Edge Computing |
intersection control status |
Moderate |
High |
Moderate |
| This data is intentionally transmitted to everyone via a While this information is broadcast and can also be determined via other visual indicators, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, the Roadway Equipment and Roadside Equipment will be sending messages that are inconsistent with each other, leading to confusion and possible accidents. |
If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. The RSE must detect a lack of availability and choose not to send out-of-date information, so a failure of availability could be interpreted as having the same value as Integrity. However, this data is semi-predictable and there are other indicators (such as the lights themselves) of the intersection status.
From NYC, who believe this should be HIGH for some applications: If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having this application. The RSE must detect a lack of availability and choose not to send out-of-date information, so a failure of availability cannot have worse consequences than a failure of integrity which we have previously assessed at HIGH. |
| ITS Roadway Equipment |
Multi-Access Edge Computing |
intersection infringement detection |
Moderate |
High |
Moderate |
| This data is intentionally transmitted to everyone via a While this information is broadcast and can also be determined via other visual indicators, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
This message is an indication of a potential hazard and should not be easy to forge. False messages here may lead to confusion that causes a traffic accident. |
This message is an indication of a potential hazard. If it isn’t received it increases the risk to other road users. If a vehicle is infringing on an intersection, it must report this. |
| ITS Roadway Equipment |
Multi-Access Edge Computing |
mixed use crossing status |
Moderate |
High |
Moderate |
| This data can be ascertained by examining indicators, but all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
If this is compromised, the ITS RE and RSE will be sending messages that are inconsistent with each other, leading to confusion and possible accidents and reducing the ability of the application to provide value. If this information is incorrect, it could lead to a collision between a vehicle and a pedestrian. |
If this is down, the RSE doesn’t get the information it needs to stay in synch with the actual signal state, reducing or eliminating the value add from having the RSE. We assume that the RSE will detect a lack of availability and choose not to send out-of-date information, so a failure of availability cannot have worse consequences than a failure of integrity which we have previously assessed at MEDIUM. |
| ITS Roadway Equipment |
Pedestrian |
crossing permission |
Not Applicable |
High |
Low |
| This data is intentionally transmitted to everyone via a broadcast. |
Although pedestrians have a responsibility to make sure the road is safe before they cross, they may react instinctively to incorrect information and be led to cross at unsafe times if they get incorrect information. Also, if the traffic signals are wrong and an accident happens, the pedestrian involved could sue, causing financial loss and other undesirable outcomes. |
It is easy to tell whether this information flow is available and pedestrians are used to using crosswalks that do not provide this service. |
| ITS Roadway Equipment |
Traffic Management Center |
mixed use safety warning status |
Low |
Moderate |
Low |
| Unless otherwise determined by the supplier (for example, because this flow contains proprietary or security-sensitive information about the device). |
If this is compromised, the TMC might for example send maintenance teams to fix a traffic signal that isn’t broken, incurring unnecessary expense. |
A delay in reporting the state of the ITS RE may lead to a delay in providing necessary maintenance, but (a) this is not time-critical and (b) there are other channels for reporting malfunctioning ITS REs. |
| Micromobility Vehicle OBE |
Connected Vehicle Roadside Equipment |
personal location |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
An incorrect location message could lead to a false warning or lack of warning. A lack of warning can have obvious catastrophic consequences, while a false warning could lead to users ignoring warnings due to perceived inaccuracy. Given that this triple may apply to highly dynamic environments (such as work zones), its accuracy is paramount, and thus if sent, must have HIGH integrity. |
There are other visual indicators about the geofenced areas. PID users in dynamic environments (incident and work zones) should know when they are leaving a geofenced area. As long as they remain in the geofenced area, this information is not as necessary. Not all pedestrians will carry a personal information device, and the system should be able to operate without this information. |
| Micromobility Vehicle OBE |
Connected Vehicle Roadside Equipment |
personal signal service request |
Low |
Moderate |
Low |
| Info is not confidential and there is little to be gained by observing it. |
Requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays. |
Requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Micromobility Vehicle OBE |
MMV User |
personal updates |
Not Applicable |
Moderate |
Moderate |
| This data is informing the pedestrian about the safety of the intersections. It should not contain anything sensitive, and does not matter if another person can observe it. |
This is the information that is presented to the individual. If they receive incorrect information, they may act in an unsafe manner. However, there are other indicators that would alert them to any hazards, such as an oncoming vehicle or crossing safety lights. |
If this information is not made available to the pedestrian, then the system has not operated correctly. |
| Micromobility Vehicle OBE |
Multi-Access Edge Computing |
personal location |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
An incorrect location message could lead to a false warning or lack of warning. A lack of warning can have obvious catastrophic consequences, while a false warning could lead to users ignoring warnings due to perceived inaccuracy. Given that this triple may apply to highly dynamic environments (such as work zones), its accuracy is paramount, and thus if sent, must have HIGH integrity. |
There are other visual indicators about the geofenced areas. PID users in dynamic environments (incident and work zones) should know when they are leaving a geofenced area. As long as they remain in the geofenced area, this information is not as necessary. Not all pedestrians will carry a personal information device, and the system should be able to operate without this information. |
| Micromobility Vehicle OBE |
Multi-Access Edge Computing |
personal signal service request |
Low |
Moderate |
Low |
| Info is not confidential and there is little to be gained by observing it. |
Requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays. |
Requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Micromobility Vehicle OBE |
Transportation Information Center |
personal signal service request |
Low |
Moderate |
Low |
| Info is not confidential and there is little to be gained by observing it. |
Requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays. |
Requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Micromobility Vehicle OBE |
Vehicle |
personal location |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
An incorrect location message could lead to a false warning or lack of warning. A lack of warning can have obvious catastrophic consequences, while a false warning could lead to users ignoring warnings due to perceived inaccuracy. Given that this triple may apply to highly dynamic environments (such as work zones), its accuracy is paramount, and thus if sent, must have HIGH integrity. |
There are other visual indicators about the geofenced areas. PID users in dynamic environments (incident and work zones) should know when they are leaving a geofenced area. As long as they remain in the geofenced area, this information is not as necessary. Not all pedestrians will carry a personal information device, and the system should be able to operate without this information. |
| MMV User |
ITS Roadway Equipment |
crossing call |
Not Applicable |
High |
Low |
| The "Not Applicable" group includes information flows that do not actually carry information; for example, flows that represent the physical environment. |
Although pedestrians have a responsibility to make sure the road is safe before they cross, and should ensure that they are detected by pedestrian detection systems, they may not always be detected and be led to cross at unsafe times if the ITS RE obtains incorrect information. |
It is easy to tell whether this information flow is available and pedestrians are used to using crosswalks that do not provide this service. |
| MMV User |
Micromobility Vehicle OBE |
personal input |
Not Applicable |
Moderate |
Low |
| Personal input similar to pressing the button on a pedestrian call at a stop light, nothing that could not be otherwise observed. |
This data does have to be correct, so the signal receives the pedestrian call. Given that the pedestrian should still not enter the intersection without feedback, this could be considered LOW. |
There are generally other ways to accomplish this flow. Depending on the pedestrian this might be MODERATE, for example for pedestrians unable to easily access the call button. |
| Multi-Access Edge Computing |
ITS Roadway Equipment |
detected unequipped vehicles and VRUs |
Moderate |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. However, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| Multi-Access Edge Computing |
ITS Roadway Equipment |
personal location information |
Moderate |
Moderate |
Low |
| This is simply passing on received broadcast messages. It is intended to be received by everyone; however, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
We assume that this information is not able to cause the ITS RE to behave in extreme ways, e.g. to keep all the lights red forever because it thinks there’s a baby in the middle of the road. In other words, the ITS RE has maximum durations for the different phases of the cycle which it will not go beyond not matter what this information flow contains. Bad information can cause annoyances and disrupt traffic flow to a limited extent but will not have a large impact. NYC: location should be accurate and should not be tampered; however, we assume the info is not able to cause the ITS RE to behave in extreme ways (i.e., there should be maximum different cycle phases) |
If this is down, the ITS RE goes back to default behavior, which we assume is set sensibly. NYC: if down, the ITS RE should revert to default behavior which we assume is sensible |
| Multi-Access Edge Computing |
ITS Roadway Equipment |
signal service request |
Moderate |
Moderate |
Low |
| info is not confidential and could be exposed with little harm to participants; however, all communications between field infrastructure should be protected from viewing to prevent attackers from analyzing traffic and developing attack methods. |
requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays |
requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Multi-Access Edge Computing |
Micromobility Vehicle OBE |
personal crossing safety information |
Not Applicable |
Moderate |
Low |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
People will use this information to determine if they can cross, so incorrect information increases the risk of accidents. DISC: THEA believes this to be HIGH: "info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information" |
If this is down, the pedestrian still gets information from the RE and from the rest of the environment. DISC: NYC and THEA believe this to be MODERATE: info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information; however, overall I level is M, not H, because message is still just information and pedestrian needs to use their own awareness
A: needs to be readily available to give permission to cross, time remaining, etc. but cannot guarantee wireless communication; however, worst case is the pedestrian has to wait; also cannot guarantee wireless communication |
| Multi-Access Edge Computing |
Personal Information Device |
detected unequipped vehicles and VRUs |
Not Applicable |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| Multi-Access Edge Computing |
Personal Information Device |
intersection geometry |
Low |
High |
Moderate |
| Map data intended for general use by any C-ITS component than needs it. No information here includes PII or anything else that, if viewed by someone other than the participant, would lead to harm. |
Map data is used for a host of application purposes. This widespread use means that any corruption in the data has a widespread and far reaching effect. |
Occasional outages of this flow will delay updates and lead to a loss of accurate function of some applications. Depending on the application this could be HIGH. |
| Multi-Access Edge Computing |
Personal Information Device |
intersection safety warning |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
This message is broadcast as a warning, allowing infringing drivers to avoid a collision with a pedestrian and all other drivers to avoid the infringing driver. If this message is falsely broadcast it could cause drivers who think they may be infringing to break suddenly, increasing the chance of a collisions from behind. If it were constantly broadcast incorrectly, it may lead to drivers ignoring this notifications. All of these cases have an impact on safety. NYC believes some scenarios may only require MODERATE, but some do require HIGH. |
This message has a very short window in which it is valid. If it is not delivered until after the driver has passed the point of no return before entering the crosswalk, they will not gain any information from it, rendering the application useless. |
| Multi-Access Edge Computing |
Personal Information Device |
intersection status |
Not Applicable |
High |
Moderate |
| This data is distributed using a variety of mechanisms, some of which are localized broadcast; it is desireable that all potential users get this information. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
| Multi-Access Edge Computing |
Personal Information Device |
personal crossing safety information |
Not Applicable |
Moderate |
Low |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
People will use this information to determine if they can cross, so incorrect information increases the risk of accidents. DISC: THEA believes this to be HIGH: "info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information" |
If this is down, the pedestrian still gets information from the RE and from the rest of the environment. DISC: NYC and THEA believe this to be MODERATE: info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information; however, overall I level is M, not H, because message is still just information and pedestrian needs to use their own awareness
A: needs to be readily available to give permission to cross, time remaining, etc. but cannot guarantee wireless communication; however, worst case is the pedestrian has to wait; also cannot guarantee wireless communication |
| Multi-Access Edge Computing |
Traffic Management Center |
intersection safety application status |
Moderate |
Moderate |
Low |
| This information could be of interest to a malicious individual who is attempting to determine the best way to accomplish a crime. As such it would be best to not make it easily accessible. DISC: THEA and NYC believe this may be LOW for some applications |
If this is compromised, it could send unnecessary maintenance workers, or cause the appearance of excessive traffic violations, leading to further unnecessary investigation. NYC: should be able to cope with some bad information on the status and record of alerts/warnings; aggregate info; however could cause appearance of excessive traffic violations or unnecessary maintenance caused if data is compromised |
A delay in reporting this may cause a delay in necessary maintenance, but (a) this is not time-critical and (b) there are other channels for reporting malfunctioning. Additionally, there is a message received notification, which means that RSE can ensure that all intersection safety issues are delivered. |
| Multi-Access Edge Computing |
Vehicle |
detected unequipped vehicles and VRUs |
Not Applicable |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| Multi-Access Edge Computing |
Vehicle |
intersection geometry |
Low |
High |
Moderate |
| Map data intended for general use by any C-ITS component than needs it. No information here includes PII or anything else that, if viewed by someone other than the participant, would lead to harm. |
Map data is used for a host of application purposes. This widespread use means that any corruption in the data has a widespread and far reaching effect. |
Occasional outages of this flow will delay updates and lead to a loss of accurate function of some applications. Depending on the application this could be HIGH. |
| Multi-Access Edge Computing |
Vehicle |
intersection safety warning |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
This message is broadcast as a warning, allowing infringing drivers to avoid a collision with a pedestrian and all other drivers to avoid the infringing driver. If this message is falsely broadcast it could cause drivers who think they may be infringing to break suddenly, increasing the chance of a collisions from behind. If it were constantly broadcast incorrectly, it may lead to drivers ignoring this notifications. All of these cases have an impact on safety. NYC believes some scenarios may only require MODERATE, but some do require HIGH. |
This message has a very short window in which it is valid. If it is not delivered until after the driver has passed the point of no return before entering the crosswalk, they will not gain any information from it, rendering the application useless. |
| Multi-Access Edge Computing |
Vehicle |
intersection status |
Not Applicable |
High |
Moderate |
| This data is distributed using a variety of mechanisms, some of which are localized broadcast; it is desireable that all potential users get this information. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
| Multi-Access Edge Computing |
Vehicle |
proxied personal location |
Not Applicable |
Moderate |
Moderate |
| This information is intended for widespread local distribution; effectively broadcast to every mobile device in the area. |
Incorrect information could lead to a person not being properly located by a receiving vehicle, which could have catastrophic effects. |
This data is required for the system to operate properly. If this data is not available, the system cannot give accurate warning information. |
| Pedestrian |
ITS Roadway Equipment |
crossing call |
Not Applicable |
High |
Low |
| The "Not Applicable" group includes information flows that do not actually carry information; for example, flows that represent the physical environment. |
Although pedestrians have a responsibility to make sure the road is safe before they cross, and should ensure that they are detected by pedestrian detection systems, they may not always be detected and be led to cross at unsafe times if the ITS RE obtains incorrect information. |
It is easy to tell whether this information flow is available and pedestrians are used to using crosswalks that do not provide this service. |
| Pedestrian |
Personal Information Device |
personal input |
Not Applicable |
Moderate |
Low |
| Personal input similar to pressing the button on a pedestrian call at a stop light, nothing that could not be otherwise observed. |
This data does have to be correct, so the signal receives the pedestrian call. Given that the pedestrian should still not enter the intersection without feedback, this could be considered LOW. |
There are generally other ways to accomplish this flow. Depending on the pedestrian this might be MODERATE, for example for pedestrians unable to easily access the call button. |
| Personal Information Device |
Connected Vehicle Roadside Equipment |
personal location |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
An incorrect location message could lead to a false warning or lack of warning. A lack of warning can have obvious catastrophic consequences, while a false warning could lead to users ignoring warnings due to perceived inaccuracy. Given that this triple may apply to highly dynamic environments (such as work zones), its accuracy is paramount, and thus if sent, must have HIGH integrity. |
There are other visual indicators about the geofenced areas. PID users in dynamic environments (incident and work zones) should know when they are leaving a geofenced area. As long as they remain in the geofenced area, this information is not as necessary. Not all pedestrians will carry a personal information device, and the system should be able to operate without this information. |
| Personal Information Device |
Connected Vehicle Roadside Equipment |
personal signal service request |
Low |
Moderate |
Low |
| Info is not confidential and there is little to be gained by observing it. |
Requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays. |
Requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Personal Information Device |
Multi-Access Edge Computing |
personal location |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
An incorrect location message could lead to a false warning or lack of warning. A lack of warning can have obvious catastrophic consequences, while a false warning could lead to users ignoring warnings due to perceived inaccuracy. Given that this triple may apply to highly dynamic environments (such as work zones), its accuracy is paramount, and thus if sent, must have HIGH integrity. |
There are other visual indicators about the geofenced areas. PID users in dynamic environments (incident and work zones) should know when they are leaving a geofenced area. As long as they remain in the geofenced area, this information is not as necessary. Not all pedestrians will carry a personal information device, and the system should be able to operate without this information. |
| Personal Information Device |
Multi-Access Edge Computing |
personal signal service request |
Low |
Moderate |
Low |
| Info is not confidential and there is little to be gained by observing it. |
Requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays. |
Requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Personal Information Device |
Pedestrian |
personal updates |
Not Applicable |
Moderate |
Moderate |
| This data is informing the pedestrian about the safety of the intersections. It should not contain anything sensitive, and does not matter if another person can observe it. |
This is the information that is presented to the individual. If they receive incorrect information, they may act in an unsafe manner. However, there are other indicators that would alert them to any hazards, such as an oncoming vehicle or crossing safety lights. |
If this information is not made available to the pedestrian, then the system has not operated correctly. |
| Personal Information Device |
Transportation Information Center |
personal signal service request |
Low |
Moderate |
Low |
| Info is not confidential and there is little to be gained by observing it. |
Requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays. |
Requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Personal Information Device |
Vehicle |
personal location |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. THEA believes this to be 'LOW.' |
An incorrect location message could lead to a false warning or lack of warning. A lack of warning can have obvious catastrophic consequences, while a false warning could lead to users ignoring warnings due to perceived inaccuracy. Given that this triple may apply to highly dynamic environments (such as work zones), its accuracy is paramount, and thus if sent, must have HIGH integrity. |
This information should not be required to determine if a pedestrian is in an intersection. Not all pedestrians will carry a personal information device, and the system should be able to operate without this information. DISC: CCHANGED to Moderate from Low based on THEA justification: "location needs to be immediately available to enable warnings and messages from the PID to OBE but availability cannot be guaranteed over a wireless medium." |
| Traffic Management Center |
Connected Vehicle Roadside Equipment |
intersection safety application info |
Moderate |
Moderate |
Low |
| This information could be of interest to a malicious individual who is attempting to determine the best way to accomplish a crime. As such it would be best to not make it easily accessible. May be LOW in some cases. |
If this is compromised, it could send unnecessary maintenance workers, or worse report plausible data that is erroneous. From THEA: should be able to cope with some bad information on the status and record of alerts/warnings; aggregate info; however could cause appearance of excessive traffic violations or unnecessary maintenance caused if data is compromised (operational state, status, log); should not affect the application functionality |
Incident status information should be presented in timely fashion as large scale mobility and safety issues are related. There are other mechanisms for reporting this information however, thus MODERATE. From THEA: Only limited adverse effect of info is not timely/readily available |
| Traffic Management Center |
ITS Roadway Equipment |
mixed use safety warning control |
Moderate |
Moderate |
Low |
| Application configuration: The displays and warnings on the controlled device are not confidential, so messages containing possible displays and warnings or setting the conditions under which they are displayed should not be confidential.
O Device management: If this information flow includes device management as well as display and alert configuration, the device management may include proprietary information about the particular device being managed such as firmware details, memory size, processor limitations etc. The confidentiality requirement for the roadway equipment should be set by the supplier based on their understanding of the confidentiality requirements of the management messages. Note that the supplier can be assumed to provide devices that meet their own security requirements; however, the confidentiality requirements of this flow will also apply to the TMC. |
Fake instances of this information flow can cause drivers and pedestrians to get incorrect information. However, it would not be possible to put the traffic signal into an inconsistent. DISC: THEA and NYC believe this should be HIGH: proprietary info that should not be tampered with; equipment monitors and manages pedestrian crossings and provides visual displays and warnings |
Control flow availability is related to the criticality of being able to remotely control the device. For most devices, this is MODERATE. For purely passive devices with no incident relationship, this will be LOW. All devices should have default modes that enable them to operate without backhaul connectivity, so no device warrants a HIGH. Assuming that the traffic signal is configured reasonably well to start off with, the system should be robust if it goes an arbitrary amount of time without reconfiguration. |
| Traffic Management Center |
Multi-Access Edge Computing |
intersection safety application info |
Moderate |
Moderate |
Low |
| This information could be of interest to a malicious individual who is attempting to determine the best way to accomplish a crime. As such it would be best to not make it easily accessible. May be LOW in some cases. |
If this is compromised, it could send unnecessary maintenance workers, or worse report plausible data that is erroneous. From THEA: should be able to cope with some bad information on the status and record of alerts/warnings; aggregate info; however could cause appearance of excessive traffic violations or unnecessary maintenance caused if data is compromised (operational state, status, log); should not affect the application functionality |
Incident status information should be presented in timely fashion as large scale mobility and safety issues are related. There are other mechanisms for reporting this information however, thus MODERATE. From THEA: Only limited adverse effect of info is not timely/readily available |
| Transportation Information Center |
Micromobility Vehicle OBE |
personal crossing safety information |
Not Applicable |
Moderate |
Low |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
People will use this information to determine if they can cross, so incorrect information increases the risk of accidents. DISC: THEA believes this to be HIGH: "info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information" |
If this is down, the pedestrian still gets information from the RE and from the rest of the environment. DISC: NYC and THEA believe this to be MODERATE: info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information; however, overall I level is M, not H, because message is still just information and pedestrian needs to use their own awareness
A: needs to be readily available to give permission to cross, time remaining, etc. but cannot guarantee wireless communication; however, worst case is the pedestrian has to wait; also cannot guarantee wireless communication |
| Transportation Information Center |
Personal Information Device |
intersection status |
Not Applicable |
High |
Moderate |
| This data is distributed using a variety of mechanisms, some of which are localized broadcast; it is desireable that all potential users get this information. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
If this flow is not accurate or delivered in a timely fashion then a large variety of mobility and safety services that depend on it will not work properly. |
| Transportation Information Center |
Personal Information Device |
personal crossing safety information |
Not Applicable |
Moderate |
Low |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
People will use this information to determine if they can cross, so incorrect information increases the risk of accidents. DISC: THEA believes this to be HIGH: "info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information" |
If this is down, the pedestrian still gets information from the RE and from the rest of the environment. DISC: NYC and THEA believe this to be MODERATE: info needs to be accurate and should not be tampered with (used to warn pedestrians of infringement, etc.); higher because enables accessibility; pedestrians may not be able to see/hear the information; however, overall I level is M, not H, because message is still just information and pedestrian needs to use their own awareness
A: needs to be readily available to give permission to cross, time remaining, etc. but cannot guarantee wireless communication; however, worst case is the pedestrian has to wait; also cannot guarantee wireless communication |
| Transportation Information Center |
Traffic Management Center |
personal signal service request |
Low |
Moderate |
Low |
| Info is not confidential and there is little to be gained by observing it. |
Requests should be accurate and not tampered with, otherwise incorrect or malicious requests could be granted which could lead to delays. |
Requests should be timely and available immediately but availability cannot be guaranteed over a wireless medium; also worst case scenario is the vehicle or pedestrian has to wait for the appropriate signal |
| Vehicle |
Basic Vehicle |
driver update information |
Low |
Moderate |
Moderate |
| This information is all presented to the vehicle operator. Encrypting this information may make it harder to reverse engineer vehicle systems, and may defeat criminal tracking tools when the vehicle has already been compromised. Unless those scenarios are of concern to the operator or manufacturer, this can safely be set LOW. |
Any information presented to the operator of a vehicle should be both accurate and timely. By definition this includes safety information, but given that the driver has other means of learning about most threats, it seems difficult to justify HIGH. If HIGH is warranted, it should apply to both availability and integrity. |
Any information presented to the operator of a vehicle should be both accurate and timely. By definition this includes safety information, but given that the driver has other means of learning about most threats, it seems difficult to justify HIGH. If HIGH is warranted, it should apply to both availability and integrity. |
| Vehicle |
Basic Vehicle |
vehicle control |
Moderate |
High |
High |
| Internal vehicle flow that if reverse engineered could enable third party vehicle control. Largely a competitive question, could be set LOW if manufacturer and operator are not concerned with this type of compromise. |
Includes vehicle control commands, which must be timely and accurate to support safe vehicle operation. |
Includes vehicle control commands, which must be timely and accurate to support safe vehicle operation. |
| Vehicle |
Connected Vehicle Roadside Equipment |
detected unequipped vehicles and VRUs |
Not Applicable |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| Vehicle |
Connected Vehicle Roadside Equipment |
intersection infringement info |
Low |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
This message is an indication of a potential hazard and should not be easy to forge. False messages here may lead to confusion that causes a traffic accident. |
This message is an indication of a potential hazard. If it isn’t received it increases the risk to other road users. If a vehicle is infringing on an intersection, it must report this. |
| Vehicle |
Connected Vehicle Roadside Equipment |
vehicle location and motion |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. Much of its information content can also be determined via other visual indicators |
Incorrect information could lead to the system not operating properly. If the system does not properly know where the vehicle is, it cannot make an accurate decision about whether there is going to be a pedestrian in the crosswalk that the vehicle is approaching. This can have a safety impact.; DISC: NYC believes this to be MODERATE |
This data is required for the system to operate properly. If this data is not available, the system cannot give accurate warning information. |
| Vehicle |
Connected Vehicle Roadside Equipment |
vehicle path prediction |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to other vehicles operating in a cluster. |
Path prediction is intended for collision avoidance applications, which have high integrity requirements to avoid potentially catastrophic consequences. |
Path prediction is intended for collision avoidance applications, which ideally would have HIGH availability requirements, but given the constraints of the wireless medium are reduced to MODERATE. |
| Vehicle |
Driver |
driver updates |
Not Applicable |
Moderate |
Moderate |
| This data is informing the driver about the safety of a nearby area. It should not contain anything sensitive, and does not matter if another person can observe it. |
This is the information that is presented to the driver. If they receive incorrect information, they may act in an unsafe manner. However, there are other indicators that would alert them to any hazards, such as an oncoming vehicle or crossing safety lights. |
If this information is not made available to the driver, then the system has not operated correctly. |
| Vehicle |
Micromobility Vehicle OBE |
vehicle location and motion |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. Much of its information content can also be determined via other visual indicators |
Incorrect information could lead to the system not operating properly. If the system does not properly know where the vehicle is, it cannot make an accurate decision about whether there is going to be a pedestrian in the crosswalk that the vehicle is approaching. This can have a safety impact. |
This data is required for the system to operate properly. If this data is not available, the system cannot give accurate warning information. |
| Vehicle |
Multi-Access Edge Computing |
detected unequipped vehicles and VRUs |
Not Applicable |
High |
Moderate |
| This data is intended to be shared with all nearby vehicles, traffic control devices and vulnerable road users; it is essentially public. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. If manipulated or incorrect, a crash may occur; though vehicles able to use this data also have sensory capabilities, this flow will often contain data describing objects/vehicles/VRUs that are obscured and not observable by on-board sensors. |
This data may be used as input to vehicle situational awareness and thus trigger crash-avoidance actions. This data enable collision avoidance actions that are impractical without it, as vehicles able to use this data to sense-by-proxy other vehicles/VRUs/obstacles that are obscured by on-board sensors. Considered MODERATE and not HIGH only because the lack of availability reverts to existing operations and does not actively make safety worse. |
| Vehicle |
Multi-Access Edge Computing |
intersection infringement info |
Low |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. It can also be determined via other visual indicators. |
This message is an indication of a potential hazard and should not be easy to forge. False messages here may lead to confusion that causes a traffic accident. |
This message is an indication of a potential hazard. If it isn’t received it increases the risk to other road users. If a vehicle is infringing on an intersection, it must report this. |
| Vehicle |
Multi-Access Edge Computing |
vehicle location and motion |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. Much of its information content can also be determined via other visual indicators |
Incorrect information could lead to the system not operating properly. If the system does not properly know where the vehicle is, it cannot make an accurate decision about whether there is going to be a pedestrian in the crosswalk that the vehicle is approaching. This can have a safety impact. |
This data is required for the system to operate properly. If this data is not available, the system cannot give accurate warning information. |
| Vehicle |
Multi-Access Edge Computing |
vehicle path prediction |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to other vehicles operating in a cluster. |
Path prediction is intended for collision avoidance applications, which have high integrity requirements to avoid potentially catastrophic consequences. |
Path prediction is intended for collision avoidance applications, which ideally would have HIGH availability requirements, but given the constraints of the wireless medium are reduced to MODERATE. |
| Vehicle |
Personal Information Device |
vehicle location and motion |
Not Applicable |
High |
Moderate |
| This data is intentionally transmitted to everyone via a broadcast. Much of its information content can also be determined via other visual indicators |
Incorrect information could lead to the system not operating properly. If the system does not properly know where the vehicle is, it cannot make an accurate decision about whether there is going to be a pedestrian in the crosswalk that the vehicle is approaching. This can have a safety impact. |
This data is required for the system to operate properly. If this data is not available, the system cannot give accurate warning information. |
| Vulnerable Road Users |
ITS Roadway Equipment |
vulnerable road user presence |
|
|
|
|
|
|
| Vulnerable Road Users |
Vehicle |
vulnerable road user presence |
|
|
|
|
|
|
