Skip to content

Overview

ITS Stakeholder Groups and Their Cybersecurity Focus Areas

Each layer of the ITS cybersecurity model depends on the actions of specific stakeholder groups. The sections below outline the roles and responsibilities of standards developers, certificate authorities, infrastructure operators, OEMs, service providers, policy authorities, and deployers.

Roles and Responsibilities in the ITS Cybersecurity Ecosystem

Standards Development Organizations (SDOs): Organizations such as ISO, IEEE, and ETSI define the technical frameworks and specifications that guide secure communication, certificate formats, permissions models, and interoperability. Their work enables regional and global consistency while allowing for tailored implementation.

Certificate Management Authorities: PKI Providers of systems such as the SCMS and CCMS manage the lifecycle of digital certificates. Their responsibilities include issuing, renewing, and revoking credentials, maintaining CTL'S, and enforcing policy constraints.

Infrastructure Owners and Operators: Public agencies, departments of transportation, and infrastructure providers are responsible for securing roadside units, traffic controllers, and other field equipment. This includes enforcing hardware protections, managing software updates, and coordinating with certificate authorities to onboard or revoke devices as needed.

Original Equipment Manufacturers (OEMs): Vehicle manufacturers. These stakeholders must meet requirements defined in vehicle cybersecurity standards such as ISO/SAE 21434.

ITS Application Developers: Manufacturers of OBUs, RSUs, and related equipment, along with developers of ITS applications and services, are responsible for implementing core security functions and ensuring compliance with certificate policies and interoperability standards. These stakeholders must support secure key storage, enable local misbehaviour detection, validate permissions (e.g., PSIDs/SSPs), and ensure their applications operate within defined authorization scopes.

Cybersecurity Oversight and Policy Authorities: Governance authorities, including national cybersecurity agencies and regional coordinating groups, develop cybersecurity policies, perform audits, and establish incident response processes. These bodies help ensure that security implementations align with risk management goals and regulatory expectations.