ITS Manufacturers and Application Developers

This stakeholder category includes manufacturers of OBUs, RSUs, TMCs, traffic applications, and any other software or service that supports an ITS. Application developers and manufacturers have a responsibility to develop devices that are secured against common attacks. A useful source for cataloguing common attacks and techniques that can be used to infiltrate ITS networks is the MITRE Industrial Control System (ICS) ATT&CK framework. Although it is tailored to ICS, many of the attacks it describes can be mounted against ITS devices and networks as well.

Cybersecurity Processes and Considerations for ITS Manufacturers and Application Developers

ITS manufacturers and application developers should consider multiple aspects that can reduce the risk of cybersecurity exploitation for their customers.

  1. Establish and document secure product development practices for the product line. This includes performing static and dynamic security tests, in addition to tests such as fuzzing. A comprehensive software/hardware quality control program should also be put in place to quickly identify and resolve bugs that could otherwise lead to vulnerabilities in the product.
  2. Work to harden the product against common attacks. There are numerous security capabilities that should be considered for any given product, for example secure boot load, comprehensive audit data collection settings, encrypted hard drive settings, secure remote management settings, authentication settings, privilege management settings, and more. See Device Security Policy Recommendations for detailed configuration setting recommendations.
  3. Establish a vulnerability management program that allows customers and security researchers to provide feedback on potential vulnerabilities identified for the product. Establish a process to triage these inputs, ranking each to identify those that require priority patching. Establish a routine cadence with customers to deploy new patches, and work to deploy patches that address security vulnerabilities in a timely manner.
  4. Provide customers with configuration guidance to ensure that products are set up and operated in a secure manner, given their operational context. Programs like the U.S. Federal Highway Administration (FHWA)'s ITS Secure Prototype provide an electronic security configuration guide that app developers and manufacturers can tailor to their product lines.
  5. Establish a supply chain security program, in accordance with ISO/SAE 21434, to ensure that tiered suppliers have implemented the appropriate cybersecurity controls to mitigate risks that may be introduced into your product.
  6. Consider data privacy concerns by performing a privacy impact assessment (PIA) and implementing necessary measures to mitigate privacy risk to your customers. This includes anonymity concerns.
  7. Publish lifecycle and end-of-support dates and details to ensure that customers understand end-of-support impacts, and establish transition plans accordingly.
  8. Establish and implement sound cryptographic key management approaches for product security. This includes ensuring that cryptographic keys are generated directly on the product, that appropriate cryptographic libraries are used, and that all secure messaging aligns with relevant standards.