Defines transactions and data for Compliance Checking - Secure Monitoring.

1.1 General scope

This Technical Specification specifies transactions and data for Compliance Checking - Secure Monitoring. The scope of this technical specification consists of:

• The concept and involved processes for Secure Monitoring.

• The definition of new transactions and data.

• The use of the OBE compliance checking transaction as specified in CEN ISO/TS 12813:2009, for the purpose of Compliance Checking - Secure Monitoring.

• The use of back end transactions as specified in EN ISO 12855:2012, for the purpose of Compliance Checking – Secure Monitoring. This includes definitions for the use of optional elements and reserved attributes.

• A specification of technical and organisational security measures involved in Secure Monitoring, on top of measures provided for in the EFC Security Framework.

• The interrelations between different options in the OBE, TSP and TC domain and their high level impacts. Outside the scope of this Technical Specification are:

• Information exchange between OBE and TR.

• Choices related to compliance checking policies e.g. which options are used, whether undetected/unexpected observations are applied, whether fixed, transportable and/or mobile compliance checking are deployed, locations and intensity of checking of itinerary freezing and checking of toll declaration.

• Details of procedures and criteria for assessing the validity or plausibility of Itinerary Records.

• Choices concerning the storage location of itinerary records, and data retention policy.

• Recommendations for a single specific implementation due to different applicable privacy laws. Instead, a set of options is provided.

1.2 Relation to CEN/TS 16439

Secure Monitoring can be regarded as a set of specific measures addressing a number of serious threats identified in the EFC Security Framework, namely:

Threats assigned to the User agent:

• Manipulating the system to not register road usage.

• Manipulating the system to register the wrong (lower) road usage.

• Manipulating the system to lose road usage data.

Threats assigned to Toll Service Provider agent:

• Modifying usage data reported from the OBE.

• Suppressing reporting of road use.

• Faulty interpretation of usage data.

• Wrongly configuring the front end.

NOTE The Technical Specification EFC Security Framework (CEN/TS 16439:2013) analyses the general requirements of the stakeholders and provides a comprehensive threat analysis for an interoperable EFC scheme. A number of identified threats may result in less revenue of the toll charger, incorrect charging and billing and not meeting required service levels between Toll Service Provider and Toll Charger. The EFC Security Framework further specifies requirements to counter the identified threats. Some of these requirements can be fulfilled by implementing basic security measures that are specified in the same document, but more specific security measures are left to other standards and specifications or to local choices.

Secure Monitoring makes use of basic cryptographic security measures and procedures provided for in the EFC Security Framework as far as possible. The relation between the EFC Security Framework and the Secure Monitoring technical specifications is illustrated in Figure 2.

Based on the threat analysis that has been carried out in the EFC Security Framework, Figure 2 specifies which attacks Secure Monitoring addresses.

1.3 Relation to other standards

This Technical Specification complies with the allocation of roles and responsibilities as specified in ISO 17573:2010 Electronic fee collection – Systems architecture for vehicle related tolling.

This Technical Specification defines transactions in the interfaces between the TSP Front end and the Toll Charger\'s road side equipment (RSE) as well as between the Toll Service Providers and the Toll Chargers back end. As these interfaces are also covered by CEN ISO/TS 12813:2009 (Compliance Checking Communication) and EN ISO 12855:2012 (Information Exchange between service provision and Toll Charging), SM_CC reuses these standards by specifying which options to choose and by defining the content of data fields. Extensions and additions are only specified in cases where it is not possible to specify the SM_CC with the tools available in these standards. The relation between this Technical Specification, the interfaces between TC and TSP and the aforementioned standards is illustrated in Figure 3 below.