1.1 General scope

This Technical Specification specifies transactions and data for Compliance Checking – Secure Monitoring. The scope of this technical specification consists of:

The concept and involved processes for Secure Monitoring.
The definition of new transactions and data.
The use of the OBE compliance checking transaction as specified in CEN ISO/TS 12813:2009, for the purpose of Compliance Checking – Secure Monitoring.
The use of back end transactions as specified in EN ISO 12855:2012, for the purpose of Compliance Checking – Secure Monitoring. This includes definitions for the use of optional elements and reserved attributes.
A specification of technical and organisational security measures involved in Secure Monitoring, on top of measures provided for in the EFC Security Framework.
The interrelations between different options in the OBE, TSP and TC domain and their high level impacts. Outside the scope of this Technical Specification are:
Information exchange between OBE and TR.
Choices related to compliance checking policies e.g. which options are used, whether undetected/unexpected observations are applied, whether fixed, transportable and/or mobile compliance checking are deployed, locations and intensity of checking of itinerary freezing and checking of toll declaration.
Details of procedures and criteria for assessing the validity or plausibility of Itinerary Records.
Choices concerning the storage location of itinerary records, and data retention policy.
Recommendations for a single specific implementation due to different applicable privacy laws. Instead, a set of options is provided.

1.2 Relation to CEN/TS 16439

Secure Monitoring can be regarded as a set of specific measures addressing a number of serious threats identified in the EFC Security Framework, namely:

Threats assigned to the User agent:

Manipulating the system to not register road usage.
Manipulating the system to register the wrong (lower) road usage.
Manipulating the system to lose road usage data.

Threats assigned to Toll Service Provider agent:

Modifying usage data reported from the OBE.
Suppressing reporting of road use.
Faulty interpretation of usage data.
Wrongly configuring the front end.

NOTE The Technical Specification EFC Security Framework (CEN/TS 16439:2013) analyses the general requirements of the stakeholders and provides a comprehensive threat analysis for an interoperable EFC scheme. A number of identified threats may result in less revenue of the toll charger, incorrect charging and billing and not meeting required service levels between Toll Service Provider and Toll Charger. The EFC Security Framework further specifies requirements to counter the identified threats. Some of these requirements can be fulfilled by implementing basic security measures that are specified in the same document, but more specific security measures are left to other standards and specifications or to local choices.

Secure Monitoring makes use of basic cryptographic security measures and procedures provided for in the EFC Security Framework as far as possible. The relation between the EFC Security Framework and the Secure Monitoring technical specifications is illustrated in Figure 2.

Based on the threat analysis that has been carried out in the EFC Security Framework, Figure 2 specifies which attacks Secure Monitoring addresses.

1.3 Relation to other standards

This Technical Specification complies with the allocation of roles and responsibilities as specified in ISO 17573:2010 Electronic fee collection – Systems architecture for vehicle related tolling.

This Technical Specification defines transactions in the interfaces between the TSP Front end and the Toll Charger’s road side equipment (RSE) as well as between the Toll Service Providers and the Toll Chargers back end. As these interfaces are also covered by CEN ISO/TS 12813:2009 (Compliance Checking Communication) and EN ISO 12855:2012 (Information Exchange between service provision and Toll Charging), SM_CC reuses these standards by specifying which options to choose and by defining the content of data fields. Extensions and additions are only specified in cases where it is not possible to specify the SM_CC with the tools available in these standards. The relation between this Technical Specification, the interfaces between TC and TSP and the aforementioned standards is illustrated in Figure 3 below.

PDF Catalog

PDF Pages	PDF Title
7	Foreword
8	0 Introduction 0.1 Overview 0.2 Processes
9	Figure 1 — The sub-processes of Compliance Checking (UML use case diagram)
10	0.3 Options
11	Table 1 — Different types of Secure Monitoring
13	0.4 Privacy aspects
14	1 Scope 1.1 General scope 1.2 Relation to CEN/TS 16439
15	Figure 2 — Relation between the EFC Security Framework, Secure Monitoring – Compliance Checking and Secure Monitoring – Trusted Recorder
16	1.3 Relation to other standards Figure 3 — Relation between Secure Monitoring – Compliance Checking, Compliance Checking Communication (CEN ISO/TS 12813:2009) and Information Exchange between service provision and Toll Chargers (EN ISO 12855:2012) 2 Normative references
17	3 Terms and definitions
19	4 Abbreviations
20	5 Processes 5.1 Introduction and overview
21	Figure 4 — The main stakeholders and processes of Secure Monitoring (UML use case diagram) 5.2 Processes needed for different types of Secure Monitoring
22	Table 2 — Processes to be implemented by the TSP Table 3 — Processes to be implemented by the TC
23	5.3 Itinerary Freezing 5.3.1 Introduction Figure 5 — The sub-processes of Itinerary Freezing (UML use case diagram) 5.3.2 Generate Itinerary
25	5.3.3 Real-time freezing Figure 6 — The sub-processes of Itinerary Freezing in Real-Time (UML use case diagram)
26	5.3.4 Freezing per declaration Figure 7 — The sub-processes of Itinerary Freezing per Declaration (UML use case diagram)
27	5.4 Checking of Itinerary Freezing 5.4.1 Introduction Figure 8 — The sub processes of Checking Itinerary Freezing (UML use case diagram) 5.4.2 Observing a vehicle
28	5.4.3 Retrieving Proof of Itinerary Freezing (PIF) Figure 9 — The sub processes of Retrieving Proof of Itinerary Freezing (UML use case diagram)
29	5.4.4 Checking PIF against Observation 5.5 Checking of Toll Declaration 5.5.1 Introduction Figure 10 — The sub processes of Checking of Toll Declaration (UML use case diagram) 5.5.2 Retrieve Itinerary Data
30	5.5.3 Check Itinerary Consistency 5.5.4 Checking Toll Declaration against Itinerary
31	5.6 Claiming incorrectness 5.7 Providing EFC Context Data 5.8 Key Management 5.8.1 Introduction 5.8.2 Requirements
32	Table 4 — overview of keys in the SM_CC context 6 Transactions 6.1 Introduction
33	Figure 11 — Overview of relations between procedures and supporting transactions
34	Table 5 — Rules for transactions for the information exchanges between Toll Chargers’ and Toll Service Providers’ Back Ends 6.2 Description of Itinerary Data 6.2.1 Introduction
35	Figure 12 — The information objects of ItineraryBatchRtf (UML class diagram)
36	Figure 13 — The information objects of ItineraryBatchFpd (UML class diagram) 6.2.2 Itinerary Batch
37	6.2.3 Itinerary Record Data Elements 6.2.3.1 Introduction 6.2.3.2 Common Data Elements for all Itinerary Records 6.2.3.3 Common data elements for Itinerary Records frozen in real-time
38	Table 6 — Data elements used for input for the calculation of the authenticator data element 6.2.3.4 Common data elements for Context Independent Itinerary Records
39	6.2.3.5 Common data elements for Context Dependent Itinerary Records – Detected Charge Object 6.2.3.6 Common data elements for Context Dependent Itinerary Records – Number of detected Events 6.3 Retrieving PIF in real-time (DSRC Transaction) 6.3.1 Introduction
40	6.3.2 Transactional Model Figure 14 — The messages of Checking of Itinerary Freezing in real-time synchronous transaction (UML sequence diagram) 6.3.3 Syntax and Semantics
41	Table 7 — CCC-ContextMark structure for SM_CC Table 8 — SM_CC Attributes
42	6.3.4 Security 6.4 Toll Declaration 6.4.1 Introduction 6.4.2 Transactional Model Figure 15 — Typical exchange of messages in the Toll Declaration asynchronous transaction, initiated by TSP (UML sequence diagram)
43	6.4.3 Syntax and semantics Figure 16 — The information objects of TollDeclarationADU (UML class diagram)
44	6.4.4 Itinerary Sequence Figure 17 — The information objects of ItinerarySequenceFpD and ItinerarySequenceRtf (UML class diagram)
45	Figure 18 — Overview of how the TollDeclarationADU, the itinerary sequence structures and the itinerary batch structures are connected by hashes and authenticators (UML class diagram)
46	6.4.5 Security 6.5 Back End Data Checking 6.5.1 Introduction
47	6.5.2 Transactional model Figure 19 — Typical exchange of messages in the Checking of Toll Declaration asynchronous transaction, initiated by TC (UML sequence diagram)
48	6.5.3 Checks of the Itinerary
49	6.5.4 Syntax and semantics Figure 20 — The information objects of RetrieveItineraryCheckADU (UML class diagram). Generalization (hollow arrow) used to represent the ASN.1 construct CHOICE (observation or tollDomainCounter)
51	Figure 21 — The information objects of ItineraryCheckADU (UML class diagram)
52	Table 9 — Present data fields in an instance of ItineraryCheckingADU 6.5.5 Security 6.6 Claiming incorrectness 6.6.1 Introduction
53	6.6.2 Transactional model Figure 22 — Exchange of messages in the Claiming Incorrectness asynchronous transaction (UML sequence diagram)
54	6.6.3 Syntax and semantics Figure 23 — The information objects of SmccClaimADU (UML class diagram) 6.6.4 Security
55	6.7 Providing EFC Context Data 6.7.1 Introduction 6.7.2 Transactional Model Figure 24 — Typical exchange of messages in the Originating and Providing EFC Context Data (initiated by TC) asynchronous transaction (UML sequence diagram) 6.7.3 Syntax and semantics
56	Figure 25 — The information objects of EfcContextDataSmccADU (UML class diagram)
57	6.7.4 Security 7 Security 7.1 Security functions and elements 7.1.1 Hash functions 7.1.2 MAC 7.1.3 Digital signatures 7.1.4 Public Keys, Certificates and CRL
58	7.2 Key Management 7.2.1 Key Exchange between Stakeholders 7.2.2 Key generation and certification
59	7.3 Trusted Recorder and SM_CC Verification SAM characteristics 7.3.1 Introduction 7.3.2 Trusted Recorder
60	7.3.3 SM_CC Verification SAM
61	Annex A (normative) Data type specification
69	Annex B (normative) Protocol Implementation Conformance Statement B.1 Guidance for completing the PICS proforma B.1.1 Purposes and structure B.1.2 Abbreviations and conventions
71	B.1.3 Instructions for completing the PICS proforma B.2 Identification of the implementation B.2.1 General B.2.2 Date of the statement B.2.3 Implementation Under Test (IUT) identification B.2.4 System Under Test (SUT) identification
72	B.2.5 Product supplier B.2.6 Applicant (if different from product supplier) B.2.7 PICS contact person
73	B.3 Identification of the protocol B.4 Global statement of conformance B.5 Roles Table B.1 — Roles B.6 Types of Secure Monitoring
74	Table B.2 — Types of Secure Monitoring B.7 Capabilities and conditions Table B.3 — Capabilities and conditions
75	B.8 Processes Table B.4 — Processes
76	Annex C (informative) Example transactions Table C.1 — Example SM_CC transaction with CIIR read-out
77	Table C.2 — Example combined CCC and SM_CC transaction
79	Table C.3 — Example optimised combined CCC and SM_CC transaction
80	Annex D (informative) Addressed threats (in CEN/TS 16439) D.1 Introduction D.2 Threats where Secure Monitoring can provide Security Measures Table D.1 — EFC Security Framework threats where Secure Monitoring can provide Security Measures
82	D.3 Related Requirements Table D.2 — EFC Security Framework Requirements related to Secure Monitoring relevant threats
83	D.4 Related Security Measures Table D.3 — EFC Security Framework Security Measures related to Secure Monitoring relevant requirements
86	Annex E (informative) Essentials of the SM_CC concept E.1 Introduction E.2 The SM_CC concept – FAQs
88	E.3 SM_CC options E.3.1 SM_CC_1
89	Figure E.1 — Illustration of the concept of itinerary freezing in real-time
90	Figure E.2 — Illustration of the concept of checking of itinerary freezing in real-time
92	Figure E.3 — Illustration of the concept of checking of toll declaration E.3.2 SM_CC_2
93	Figure E.4 — Illustration of the concept of itinerary freezing in real-time using a TR with trusted time source
94	Figure E.5 — Illustration of the concept of delayed checking of itinerary freezing using a TR with trusted time source
95	E.3.3 SM_CC_3a Figure E.6 — Illustration of the concept of freezing per declaration
97	Figure E.7 — Illustration of the concept of checking of itinerary freezing in case of itinerary freezing per declaration E.3.4 SM_CC_3b
98	E.4 Managing multiple toll domains E.4.1 Overlapping toll domains Figure E.8 — Illustration of neighbouring and overlapping toll domains
100	E.4.2 The ‘catch-all’ toll domain counter
101	Annex F (informative) Use of this Technical Specification for the EETS F.1 General F.2 Overall relationship between European standardization and the EETS F.3 European standardization work supporting the EETS
102	F.4 Correspondence between this technical specification and the EETS Table F.1 — Technical requirements of SM_CC in relation to 2009/750/EC
103	Bibliography

Published By	Publication Date	Number of Pages
BSI	2014	106


PDF Format	Searchable	Printable	Preview Now

Status	Withdrawn
Title	Electronic fee collection. Secure monitoring for autonomous toll system – Compliance checking
Publisher	BSI
Committee	EPL/278
Pages	106
Publication Date	2014-11-30
Withdrawn Date	2020-04-15
Replaced By	PD CEN/TS 16702-1:2020
ISBN	978 0 580 84810 0
Standard Number	PD CEN/TS 16702-1:2014
Identical National Standard Of	CEN/TS 16702-1:2014
Descriptors	Traffic control, Transportation, Data transmission, Addresses (data processing), Road transport, Application layer (OSI), Electronic equipment and components, Syntax, Data processing, Traffic, Character strings, Interfaces (data processing), Information exchange, Data transmission methods, Computer applications, Data handling, Toll systems, Messages
ICS Codes	35.240.60 - IT applications in transport

BSI PD CEN/TS 16702-1:2014

PDF Catalog

Related products

BSI PD CEN/TR 16968:2016

BSI PD CEN/TS 16702-2:2015