OnBoard Security InSights

The country’s largest V2X implementation – Securing New York’s Connected Vehicle Pilot

Posted by Gene Carter on Jul 20, 2017 9:25:00 AM

In September 2016, the U.S. Department of Transportation (USDOT) awarded three Connected Vehicle (CV) Pilot Deployment Programs: New York City (NYC), Tampa and Wyoming. The CV Pilot Program will test and operationalize cutting-edge vehicle to vehicle (V2V) and vehicle to infrastructure (V2I) technologies, including in-vehicle wireless, mobile devices, and roadside equipment that have the potential to reduce accidents, save lives, improve productivity, enhance mobility, and lessen the environmental impact of city traffic. The NYC CV pilot will feature an estimated 8,000 vehicles outfitted with V2X equipment, including 5,850 taxis, 1,250 MTA vehicles, 400 UPS trucks, and 500 city vehicles. There will be approximately 350 roadside units installed at Manhattan and Brooklyn intersections and on FDR drive. Additionally, 100 vulnerable road user (pedestrians and bicyclists) devices will be deployed to study the effectiveness of V2X technology in reducing NYC's high rate (5 times the national average) of crash fatalities involving pedestrians.ConnectedVeh.png

The program will spur innovation among early developers of connected vehicle applications by allowing them to test new technologies in real-world situations. The pilot deployments will capture data from a range of sources and provide a cost-benefit analysis of connected vehicle concepts and technologies.

For the New York City CV Pilot Deployment, OnBoard Security was brought in on Day One to oversee all aspects of security planning, procurement, and deployment. First, we carried out a comprehensive security requirements analysis of all the applications to be deployed, starting with deriving confidentiality, integrity, and assurance (CIA) requirements for each individual information flow.

Based on this analysis, we recommended security requirements for each device in the system. We then recommended specific security mechanisms, including set-up and tear-down mechanisms, for each of the flows to achieve the required level of security. These recommendations formed a comprehensive framework for the CV Pilot security deployment, which has been followed closely by the deployment team. This comprehensive framework has established a de facto standard for the development of trusted Cooperative Intelligent Transport Systems (C-ITS).

Our involvement didn't end with the security framework; we are now helping the City of New York specify software and hardware requirements for procurement as well. We also developed a plan for over-the-air software updates and configuration management to keep the CV Pilot secure after initial deployment. On top of that, our team of security experts created a Data Privacy plan to protect any Personally Identifiable Information (PII) collected by the CV Pilot program.

Furthermore, we carried out a detailed analysis of the device-specific permissions requirements. Our subsequent recommendations led to the Service Specific Permissions specification for applications that will be used not just in NYC, but also in all other Pilot Deployment sites. Finally, we helped communicate and negotiate local communication requirements for the Security Credential Management Systems (SCMS) team so they would be able to create and distribute authorized messages via the network.

Although the CV Pilot Deployment is an ambitious program that is unprecedented in its breadth and scope, these broad range of technologies also open up a correspondingly broad attack surface. By designing security into the system from the start and adopting best-practices, the NY City CV Pilot Deployment will become a model for all future V2X deployments.

Topics: Automotive, Privacy, V2X, Embedded Security, Cyber Security, V2V, Connected Vehicles