Overview

ITS Stakeholder Groups and Their Cybersecurity Focus Areas

Each layer of the ITS cybersecurity model depends on the actions of specific stakeholder groups. The sections below outline the roles and responsibilities of standards developers, certificate authorities, infrastructure operators, OEMs, service providers, policy authorities, and deployers.

Roles and Responsibilities in the ITS Cybersecurity Ecosystem

Standards Development Organizations (SDOs): SDOs author the standards that enable the various components within an ITS to operate safely and effectively. Types of standards applicable to ITS include information models, application profiles, interfaces, functional safety, human factors, and many more. SDOs should work to ensure that cybersecurity and resilience are considered when developing any standard. Cybersecurity-specific standards also exist; they detail how to invoke various security services, including secure messaging, privilege management, trust management, misbehaviour detection, and more.

Cybersecurity Oversight and Policy Authorities: Executive-level stakeholders play an important role in establishing governance frameworks, ensuring that an ITS complies with applicable laws and regulations, and quantifying and prioritizing risk-based decisions.

Infrastructure Owner Operators (IOOs): IOOs are responsible for deploying, configuring, and maintaining ITS equipment. To accomplish this, an IOO should define and enforce lifecycle procedures for the onboarding, monitoring, management, and decommissioning of any electronic equipment that operates within an ITS. IOOs must also have processes in place for post-market operation of ITS equipment, for example, processes for certificate enrolment, security configuration management, audit collection and storage, and incident management.

Original Equipment Manufacturers (OEMs): The OEM role has evolved recently to encompass more responsibilities. OEMs may now offer services that include telematics, software update, and data management. OEMs are responsible for manufacturing secure vehicles (e.g., in accordance with ISO/SAE 21434) and deploying trusted services.

ITS Manufacturers and Application Developers: ITS vendors should design and deliver ITS devices using a secure development methodology that protects the supply chain and the development environment, and that results in products that meet minimum baseline cybersecurity requirements. This could include, for example, secure boot, tamper detection, and certificate validation. ITS vendors are responsible for obtaining testing and certification for devices that will be provisioned with PKI certificates, to demonstrate that devices are secured according to any given PKI provider's enrolment requirements.

Certificate Management Authorities: Certificate management authorities design, develop and operate PKI systems, such as CCMS and SCMS. They are responsible for ensuring that these systems comply with published certificate policy and practices, and that they successfully pass audits on a routine basis.