Skip to content

Security Standards and Guidance Documents

This page identifies standards that support implementation of cybersecurity functions aligned with the ITS Security Architecture and ITS Cybersecurity Controls. Use this page to identify standards that support implementation of cybersecurity controls.

Secure Hardware and Physical Protection

Use these standards to select, evaluate, or require hardware that supports key storage, secure boot, tamper detection, and cryptographic processing. This supports trusted execution and resilience at the component level.

Standard Document Type Description Architectural Layer(s) Stakeholder Role(s)
IEEE 802.3 Standard Ethernet standard supporting wired communications among traffic infrastructure, including support for secure physical connections. Physical Layer Infrastructure Owners and Operators
IEEE 802.1X Standard Network access control protocol often used in Ethernet-based ITS backhaul networks to authenticate RSUs and field devices. Physical Layer Infrastructure Owners and Operators
SAE J3101 Standard Defines hardware security requirements for ground vehicles, including secure boot, key storage, and hardware protections against tampering. Physical Layer Vehicle Manufacturers and OEMs
ISO/IEC 19790:2025 Standard Requirements for cryptographic modules used to protect sensitive data, applicable to both software and hardware modules. Physical Layer Credential Management Authorities
NIST FIPS 140-3 Standard Federal standard for certifying cryptographic modules, used to evaluate tamper-resistant secure elements. Physical Layer Credential Management Authorities
Trusted Platform Module (TPM) / ISO/IEC 11889 Standard Guidance for secure boot and hardware-based trust anchors in automotive ECUs. Physical Layer Vehicle Manufacturers and OEMs
Protection Profile V2X Hardware Security Module Guidance Requirements for HSMs in V2X systems with secure key lifecycle and resistance to physical attacks. Physical Layer Credential Management Authorities
Vehicle C-ITS station profile Guidance Technical and operational requirements for C-ITS vehicle stations in Europe. Physical Layer Vehicle Manufacturers and OEMs
UNECE R155 Standard Regulation that mandates cybersecurity management systems for vehicle manufacturers, including hardware risk mitigation. Physical Layer Vehicle Manufacturers and OEMs

Network and Transport Security

Apply these standards to enforce confidentiality, integrity, and authentication of data in transit. They define secure sessions for V2X, center-to-field, and backend communications using IP and non-IP protocols.

Standard Document Type Description Architectural Layer Primary Role(s)
IEEE 1609.3 Standard Defines networking services for WAVE including IPv6 and WSM. Network Layer Infrastructure Owners and Operators
ISO 15118 Standard Secure protocols for EV charging with mutual authentication. Network Layer Application and Service Providers
TLS 1.3 (RFC 8446) Standard Modern cryptographic protocol for secure backend communications. Network Layer Infrastructure Owners and Operators
DTLS Standard Datagram version of TLS for UDP-based secure transport. Network Layer Application and Service Providers
ISO 21217 Standard ITS Station architecture defining network stack. Network Layer Application and Service Providers
ETSI TS 102 940 Standard Specifies high-level C-ITS security architecture. Network Layer Credential Management Authorities
ISO 21186-3 Standard Secure data exchange guidelines in C-ITS. Network Layer Application and Service Providers

Secure Access

Use these standards to control access across radio, wired, and management interfaces. They help ensure only authorized devices and users can connect to ITS infrastructure and services.

Standard Document Type Description Architectural Layer Primary Role(s)
IEEE 802.11p / IEEE 802.11-2016 Standard Specifies DSRC/WAVE radio communications at 5.9 GHz for vehicular networking. Access Layer Infrastructure Owners and Operators
3GPP LTE-V2X / NR-V2X Standard Specifies cellular V2X radio interfaces for sidelink communication. Access Layer Infrastructure Owners and Operators
IEEE 802.1X Standard Network access control protocol used in Ethernet-based ITS backhaul networks. Access Layer Infrastructure Owners and Operators
NTCIP / SNMPv3 (RFC 3410) Standard Management protocols with authentication and encryption for ITS field device communications. Access Layer Infrastructure Owners and Operators
Standard Document Type Description Architectural Layer Stakeholder Roles
IEEE 802.3 Standard Ethernet standard supporting wired communications among traffic infrastructure. Physical Layer Infrastructure Owner Operators, End Users and Deployers
IEEE Std. 1609.3 Standard Defines IPv6, WAVE short message protocol and service advertisement. Network and Transport Layer Infrastructure Owner Operators, Application and Service Providers
Vehicle C-ITS station profile Guidance Outlines technical and operational requirements for European vehicle ITS stations. Physical Layer Application and Service Providers
Protection Profile V2X Hardware Security Module Guidance Requirements for HSMs with secure key lifecycle and physical attack resistance. Physical Layer Credential Management Authorities, Application and Service Providers
SAE J2945/1 On-Board System Requirement for V2V Safety Communications Standard Security requirements for V2V including key provisioning and secure storage. Physical Layer Application and Service Providers

Authenticated Messaging and Data Exchange

These standards define how ITS messages are structured, signed, and validated. They enable cross-vendor and cross-jurisdiction interoperability and ensure message trustworthiness during exchange.

Standard Document Type Description Architectural Layer Primary Role(s)
SAE J2735 Standard Defines message formats like BSM, SPaT, MAP. Facilities Layer Application and Service Providers
SAE J2945/x series Standard Profiles for message behaviour and signing for V2X. Application Layer Application and Service Providers
ETSI EN 302 637-2 / -3 Standard Defines CAM and DENM message formats. Facilities Layer Application and Service Providers
ISO 16460 Standard Harmonized framework for V2X messages. Facilities Layer Standards Development Organizations
ETSI TS 102 894-2 Standard Common ITS data dictionary. Facilities Layer Application and Service Providers
ETSI TS 103 097 Standard European message authentication and trust validation. Facilities Layer Credential Management Authorities
ISO 19091 Standard Harmonized SPaT/MAP message format (internationalized SAE). Facilities Layer Application and Service Providers, End Users and Deployers
ISO/TR 21186-1 Standard Use cases and profiles for secure data exchange. Application Layer Application and Service Providers
ISO/TS 21184 / ISO/TS 21185 Standard Data and communication profiles for trusted ITS exchange. Facilities Layer Application and Service Providers, Credential Management Authorities
SAE J2945/4 Road Safety Applications Standard Security requirements for RSZW, LCW messages and digital signature enforcement. Application Layer Application and Service Providers
SAE J3161/1 Standard Security for LTE-V2X in light-duty and public safety vehicles. Application Layer Application and Service Providers, Infrastructure Owner Operators
SAE J3161/1B Standard Extends J3161/1 to non-light-duty vehicles and motorcycles. Application Layer Application and Service Providers
SAE J3161/1C Standard Covers school bus-specific V2V security and safety requirements. Application Layer Application and Service Providers
ISO 19091 Standard Harmonized SPaT/MAP message format (internationalized SAE) Facilities Layer Application and Service Providers, End Users and Deployers

Credential Management and Trust Establishment

Implement these standards to issue, validate, and revoke certificates and to manage permissions. They define how trust anchors and policies are enforced across ITS ecosystems and SCMS/CCMS deployments.

Standard Document Type Description Architectural Layer Primary Role(s)
IEEE 1609.2 Standard Defines secure message format and certificates. Management Layer Credential Management Authorities
IEEE 1609.2.1-2022 Standard Certificate lifecycle and permissions enforcement. Management Layer Credential Management Authorities
ETSI TS 102 941 Standard Trust and privacy management for C-ITS. Management Layer Credential Management Authorities
ETSI EN 319 411-1 Standard Trust service provider requirements for certs. Management Layer Cybersecurity Oversight and Policy Bodies
C-ITS Point of Contact Protocol Guidance CA cross-certification protocol in Europe. Management Layer Credential Management Authorities
ETSI TS 102 941 (Trust List Management) Standard CTL/CRL processes for European PKI trust frameworks. Management Layer Credential Management Authorities
ETSI TS 102 942 Standard Access control rules and cert-based enforcement. Management Layer Credential Management Authorities, Infrastructure Owner Operators
ETSI TS 102 943 Standard Encryption and confidentiality services. Management Layer Credential Management Authorities
ETSI TS 103 248 Standard Pseudonym management and privacy protection in C-ITS. Network and Transport Layer Credential Management Authorities, Application and Service Providers

Misbehaviour Detection and Revocation

Use these standards to structure misbehaviour reports, share them across SCMS entities, and apply adjudication processes. They support coordinated response to compromised or malicious actors in the ecosystem.

Standard Document Type Description Architectural Layer Primary Role(s)
SAE J3287 Standard Standard for V2X misbehaviour reports. Management Layer Credential Management Authorities
ETSI TS 102 941-2 Standard European misbehaviour reporting procedures. Management Layer Credential Management Authorities
ETSI TS 103 759 Standard Standardized misbehaviour message format. Management Layer Credential Management Authorities
SCMS ASN.1 Misbehaviour Reports Standard Misbehaviour report encoding for SCMS. Management Layer Credential Management Authorities
SCMS Misbehaviour Application Spec Standard SCMS adjudication and report format. Management Layer Credential Management Authorities
SCMS Manager: ASN.1 Specification for Misbehaviour Reports Standard Defines interoperable ASN.1 encoding for MBRs. Management Layer Credential Management Authorities, Infrastructure Owner Operators
SCMS Manager: Misbehaviour Report and Application Specification Standard MBR data format and adjudication rules. Management Layer Credential Management Authorities, Infrastructure Owner Operators
ETSI TR 103 460 Standard Survey of misbehaviour detection techniques. Management Layer Cybersecurity Oversight and Policy Bodies, Credential Management Authorities

Software Integrity and Update Security

Apply these standards to verify firmware and software authenticity, support secure updates, and monitor software state. They enable secure lifecycle management of fielded systems and components.

Standard Document Type Description Architectural Layer Primary Role(s)
ISO 24089 Standard Post-production update requirements. Application Layer Vehicle Manufacturers and OEMs
UNECE R156 Regulation Mandates secure update systems for vehicles. Application Layer Vehicle Manufacturers and OEMs
SAE J3101 Standard Hardware trust anchors and secure boot. Physical Layer Vehicle Manufacturers and OEMs
Trusted Platform Module (TPM) Standard Hardware-based trust and boot integrity. Physical Layer Vehicle Manufacturers and OEMs
ISO/IEC 19790:2025 Standard Cryptographic module security requirements. Physical Layer Application and Service Providers, Cybersecurity Oversight and Policy Bodies
ISO/TR 23786 Standard Security and risk methods for remote access to vehicle systems. Application Layer Infrastructure Owner Operators, Application and Service Providers

Incident Management and Operational Oversight

These standards guide incident coordination, event logging, and audit practices. Use them to establish oversight processes that detect, document, and respond to cybersecurity events across stakeholders.

Standard Document Type Description Architectural Layer Primary Role(s)
ISO 22320 Standard Incident management processes and protocols. Management Layer Infrastructure Owners and Operators
SAE J3061 / ISO/SAE 21434 Standard Cybersecurity lifecycle and incident response. Management Layer Vehicle Manufacturers and OEMs
NTCIP Secure Profiles (TLS, SSH) Guidance Secure management for center-to-field devices. Network Layer Infrastructure Owners and Operators