It is not easy to navigate the regulations related to Intelligent Transport Systems in the European Union, especially when it comes to credential management and the related device requirements. There are many authoritative documents, standards and specifications related to the C-ITS Security Credential Management System (CCMS), and it is easy to get lost in the search for the applicable requirements. This blog post series intends to help readers understand the main security levels inside the ecosystem and provide guidance on the best way to reach interoperability in the EU. In this first part, we go through the European Certificate Trust List (ECTL) levels and provide the information needed to understand the basics of the ecosystem.
The most important European legislative document, which serves as a base for C-ITS across the EU, is DIRECTIVE 2010/40/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport (or, as most call it, the ITS Directive). This directive establishes the framework for V2X across the European Union. Several documents related to the ITS Directive describe the ecosystem’s detailed requirements.
One document that can help is the European Commission’s C-ITS Point of Contact (CPOC) Protocol in the EU C-ITS Security Credential Management System (EU CCMS), or, for short, the CPOC Protocol, which has recently been updated to Release 3.0. This specification describes the interface between the EU C-ITS Point of Contact and the Root Certification Authorities present in the ecosystem. Though it is aimed mainly at CA providers and the related entities, it also details the trust levels within the EU CCMS as well as the requirements related to these levels.
Another useful resource is the ANNEX to the Commission Delegated Regulation supplementing Directive 2010/40/EU of the European Parliament and of the Council with regard to the deployment and operational use of cooperative intelligent transport systems (C-ITS Certificate Policy or CP), which details the certificate issuance and usage in the CCMS. This document also contains applicable requirements on C-ITS Stations (i.e., ITS devices).
Finally, the Security Policy for Deployment and Operation of European Cooperative Intelligent Transport Systems (C-ITS) can be of help; it outlines the information security requirements for the participants, mainly for the C-ITS station operators.
It is worth noting that these policies are developed by the European Commission C-ITS security subgroup, with PKI experts from Microsec actively participating in their development.
The CPOC protocol differentiates between 3 trust levels, namely L0, L1 and L2. The Protocol defines these levels as follows:
In summary, L0 is intended for testing and pilot infrastructures, L1 serves as an intermediate between L0 and L2, and L2 is the operative production environment.
The protocol also provides a transition phase until the end of 2025 for product development and the necessary certification to reach L2 requirements. Until then, the Level 1 environment is supported as an intermediary. After that deadline, manufacturers of L1 devices shall either move the related products to L2 if they are fully conformant to the Certificate Policy, or else the products stay in L1 as legacy units.
The diagram below, from the CPOC Protocol, helps visualize the transition phase.
Figure 1: Overview and timeline of ECTL levels (source: CPOC Protocol v3.0)
A device manufacturer may wonder what steps are needed to achieve certification for the various levels. This can be difficult, as these requirements may vary widely. If this is the case, hang in there, as the next posts in this series will go through the steps for each targeted level from a device manufacturer's viewpoint, detailing each level’s to-do list for being added to the specified ECTL levels.
At the time of writing this article, there is only a working ECTL for L0. The ECTL for L1 is expected to come in 2024; in response to this absence, Microsec has set up its L1-ready hierarchy, which supports trusted and interoperable production-ready C-ITS developments as of today.
The Microsec L1-ready solution enables interoperability with several manufacturers, including Car2X-capable Volkswagen cars on the road (more than 1.5 million cars of 8 vehicle lines).
The conditions and requirements for using the Microsec Level1-ready V2X PKI service will be described in the next post of our series.
© 2024 Microsec Ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41