Connected vehicle technologies and applications have significant security requirements, not only for the applications themselves, but also as potential access points that could enable attackers to get inside an agency’s broader network and operations. Safety-critical messaging between vehicles and infrastructure (and vice versa) needs to be trusted as being from a valid source and not spoofed by a hacker or malevolent agency. These cybersecurity requirements and technologies exceed the experience levels of most current DOT and local agency staff responsible for intelligent transportation equipment, and are more complex than most existing security schemes for commonly used services, such as online banking. Agencies need to understand the implications of these technologies for the design of their communications networks, networking equipment configuration, field device security, and operations best practices. AV technologies have similar vulnerabilities to hacking that could result in liability and public safety exposure for public agency owner/operators. While a proof of concept for the Security Credential Management System (SCMS) has been demonstrated in the Safety Pilot and will be further evaluated in the DOT CV pilot deployment programs, the ultimate scalability of the security approach(es) will still need to be determined as the market penetration levels increase dramatically. The role of AASHTO and state and local agencies in the development of security standards and certification for AV/CV operation in a locality needs to be clearly identified.
The objective of the research was to develop a primer on cybersecurity and related privacy issues in state DOT and local agency environments, based on experience gained in other domains where security and privacy issues are currently being managed (such as financial services). The report will focus initially on recommendations for best practices on a general level and then describe techniques that will support the agency in planning for the security environment and practices necessary for safety-critical CV applications, including the SCMS. The primer will provide recommendations for best practices and explore the development of standard requirements and of testing and certification protocols that address agencies' liability and their burden of protecting public safety when CV/AV technologies are in widespread deployment.