CEN ISO/TS 17574:2009
Electronic fee collection - Guidelines for security protection profiles (ISO/TS 17574:2009)
ISO/TS 17574:2009 provides a guideline for the preparation and evaluation of security requirements specifications, referred to as Protection Profiles (PP) in the ISO/IEC 15408 series and in ISO/IEC TR 15446. A Protection Profile (PP) is a set of security requirements for a category of products or systems that meet specific needs. A typical example would be a PP for On-Board Equipment (OBE) to be used in an EFC system.
ISO/TS 17574:2009 should be read in conjunction with the underlying standards ISO/IEC 15408 and ISO/IEC TR 15446. Although a layman could read the first part of the document for an overview of how to prepare a Protection Profile for EFC equipment, the annexes, in particular A.4 and A.5, require that the reader be familiar with ISO/IEC 15408. The document uses an OBE with an integrated circuit card (ICC) as an example to describe both the structure of the PP and the proposed content.
German title (translated): Electronic fee collection - Guidelines for security profiles
French title (translated): Electronic toll collection - Guidelines concerning security protection profiles (ISO/TS 17574:2009)
Slovenian title (translated): Road transport and traffic telematics - Electronic fee collection (EFC) - Guidelines for EFC security protection profiles (ISO/TS 17574:2009)
Standards Content (Sample)
SLOVENIAN STANDARD
01 November 2009
Replaces: SIST-TS CEN ISO/TS 17574:2005
Road transport and traffic telematics - Electronic fee collection (EFC) - Guidelines for
EFC security protection profiles (ISO/TS 17574:2009)
German title (translated): Electronic fee collection - Guidelines for security profiles (ISO/TS 17574:2009)
French title (translated): Road transport and road telematics - Electronic toll systems - Guidelines concerning toll security protection profiles (ISO/TS 17574:2009)
This Slovenian standard is identical to: CEN ISO/TS 17574:2009
ICS:
03.220.20 Road transport
35.240.60 IT applications in transport and trade
© 2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
TECHNICAL SPECIFICATION
CEN ISO/TS 17574
September 2009
ICS 35.240.60; 03.220.20
Supersedes CEN ISO/TS 17574:2004
English Version
Electronic fee collection - Guidelines for security protection
profiles (ISO/TS 17574:2009)
French title (translated): Electronic toll collection - Guidelines concerning security protection profiles (ISO/TS 17574:2009)
German title (translated): Electronic fee collection - Guidelines for security profiles (ISO/TS 17574:2009)
This Technical Specification (CEN/TS) was approved by CEN on 14 September 2009 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their
comments, particularly on the question whether the CEN/TS can be converted into a European Standard.
CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available
promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS)
until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2009 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN ISO/TS 17574:2009: E
Contents
Foreword ..... 3
Foreword
This document (CEN ISO/TS 17574:2009) has been prepared by Technical Committee CEN/TC 278 "Road
transport and traffic telematics", the secretariat of which is held by NEN, in collaboration with Technical
Committee ISO/TC 204 "Intelligent transport systems".
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This document supersedes CEN ISO/TS 17574:2004.
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Cyprus, Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, Switzerland and the United Kingdom.
TECHNICAL SPECIFICATION ISO/TS 17574
Second edition
2009-09-15
Electronic fee collection — Guidelines
for security protection profiles
French title (translated): Electronic toll collection — Guidelines concerning security protection profiles
Reference number ISO/TS 17574:2009(E)
© ISO 2009
ISO/TS 17574:2009(E)
© ISO 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword ..... iv
Introduction ..... v
1 Scope ..... 1
2 Normative references ..... 5
3 Terms and definitions ..... 5
4 Abbreviations ..... 8
5 Outlines of Protection Profile ..... 9
5.1 Structure ..... 9
5.2 Context ..... 9
Annex A (informative) Procedures for preparing documents ..... 11
Annex B (informative) Example of threat analysis evaluation method ..... 43
Annex C (informative) Abstract from Definition of threats and security controls for the Charging Interface in Electronic Fee Collection ..... 46
Annex D (informative) Common Criteria Recognition Arrangement (CCRA) ..... 58
Bibliography ..... 60
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a
technical committee may decide to publish other types of document:
⎯ an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in
an ISO working group and is accepted for publication if it is approved by more than 50 % of the members
of the parent committee casting a vote;
⎯ an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical
committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting
a vote.
An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a
further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is
confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an
International Standard or be withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/TS 17574:2009 was prepared by the European Committee for Standardization (CEN) Technical
Committee CEN/TC 278 Road Transport and Traffic Telematics in collaboration with Technical Committee
ISO/TC 204, Intelligent transport systems, in accordance with the Agreement on technical cooperation
between ISO and CEN (Vienna Agreement).
This second edition cancels and replaces the first edition (ISO/TS 17574:2004) which has been technically
revised.
Introduction
Electronic Fee Collection (EFC) systems are exposed to several kinds of fraud, by users and operators but
also by people outside the system. These security threats have to be met by different types of security
measures, including security requirements specifications.
It is recommended that EFC operators or national organizations, e.g. highway authorities or transport
ministries, use the guideline provided by this Technical Specification to prepare their own EFC/PP, as security
requirements should be described from the standpoint of the operators and/or the operators' organizations.
It should be noted that this Technical Specification is of a more informative than normative nature and it
cannot be used without also using the ISO/IEC 15408 series. Most of the content of this Technical
Specification is an example, shown in Annex A, of how to prepare the security requirements for EFC
equipment, in this case a DSRC-based OBE with an IC card loaded with the crucial data needed for the EFC. The
example refers to a Japanese national EFC system and should only be regarded and used as an example.
After an EFC/PP is prepared, it can be internationally registered by the organization that prepared the EFC/PP
so that other operators or countries that want to develop their EFC system security services can refer to an
already registered EFC/PP.
This EFC-related standard on security service framework and EFC/PP is based on the ISO/IEC 15408 series.
ISO/IEC 15408 includes a set of requirements for the security functions and assurance of IT relevant products
and systems. Operators, organizations or authorities defining their own EFC/PP can use these requirements.
This will be similar to the different PPs registered by several financial institutions, e.g. for payment instruments
like IC-cards.
Products and systems developed in accordance with ISO/IEC 15408 can be publicly assured through
certification by government or designated private evaluation agencies.
TECHNICAL SPECIFICATION ISO/TS 17574:2009(E)
Electronic fee collection — Guidelines for security protection
profiles
1 Scope
This Technical Specification provides a guideline for the preparation and evaluation of security requirements
specifications, referred to as Protection Profiles (PP) in the ISO/IEC 15408 series and in ISO/IEC TR 15446.
A Protection Profile (PP) is a set of security requirements for a category of products or systems that
meet specific needs. A typical example would be a PP for On-Board Equipment (OBE) to be used in an EFC
system.
This Technical Specification should be read in conjunction with the underlying standards ISO/IEC 15408 and
ISO/IEC TR 15446. Although a layman could read the first part of the document to have an ove
...