WG Security 2024-08-28 #83
emiltin
announced in
Working Groups
Participants
Christophe, Toni, David, Stefan, Emil
New Working Group
This is a new working group, approved by the steering group. From the activity plan:
Regulation
New EU cyber security directive NIS2: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
We should understand how this affects RSMP and roadside communication in general.
The NIS2 directive is implemented by national laws. National road authorities have probably thought about how this affects road equipment?
Security Expertise
We don't currently have security experts in the working group. How do we get the needed expertise into the group?
Top-level risk and security review
What are the risks that we need to consider? What are the important security aspects that we need to deal with?
Current Situation
The current RSMP core spec does not use encryption. Instead we have optional requirements that the equipment can run RSMP through an encrypted channel using TLS version 1.3.
Another option is to run communication through a VPN channel.
Certificates
TLS requires certificates, and these need to be updated regularly on both equipment and supervisors. Updating certificates on equipment has historically been challenging for road authorities.
An example of a system that handles management of TLS certificates is Nerves (embedded Elixir) and Nerves Hub:
https://nerves-project.org/
End-to-end encryption
Using TLS does not really provide end-to-end encryption in situations where the message has to pass through several servers, and is decrypted and re-encrypted along the way.
French ideas for end-to-end encryption
French partners are working on a concept for end-to-end encryption that is not based on TLS, but instead on passwords.
Responsibilities
What are road authorities vs. manufacturers responsible for?
Update Strategies
Road authorities have traditionally used a model where software on equipment is rarely updated.
This probably needs to change, so that security patches and certificates can be installed remotely, regularly?
Next steps
Contact national road authorities and ask how NIS2 will affect how we operate road equipment.
C-ITS includes a lot of security considerations. Let's get in touch with people who can tell us more about this. STA was part of NordicWay3, perhaps they have expertise?
Invite relevant people to the WG, including French partners currently working on end-to-end encryption in RSMP.