Electronic fee collection - Guidelines for security protection profiles (ISO/DIS 17574:2025)

ISO/TS 17574:2017 provides guidelines for preparation and evaluation of security requirements specifications, referred to as Protection Profiles (PP) in ISO/IEC 15408 (all parts) and in ISO/IEC TR 15446.
A Protection Profile (PP) is a set of security requirements for a category of products or systems that meet specific needs. A typical example would be a PP for On-Board Equipment (OBE) to be used in an EFC system. However, the guidelines in this document are superseded if a Protection Profile already exists for the subsystem in consideration.

General Information

Status: Not Published
Publication Date: 14-Feb-2027
Current Stage: 4060 - Closure of enquiry - Enquiry
Start Date: 10-Oct-2025
Completion Date: 10-Oct-2025

Relations

Draft
prEN ISO 17574:2025
English language
54 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-September-2025
Electronic fee collection - Guidelines for security protection profiles (ISO/DIS 17574:2025)
This Slovenian standard is identical to: prEN ISO 17574
ICS:
03.220.20 Road transport
35.240.60 IT applications in transport
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

DRAFT International Standard
ISO/DIS 17574
ISO/TC 204
Secretariat: ANSI
Voting begins on: 2025-07-18
Voting terminates on: 2025-10-10
Electronic fee collection — Guidelines for security protection profiles
ICS: 35.240.60; 03.220.20
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number
ISO/DIS 17574:2025(en)
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword .... iv
Introduction .... v
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 2
4 Abbreviated terms .... 2
5 EFC security architecture and protection profile processes .... 3
5.1 General .... 3
5.2 EFC security architecture .... 3
5.3 Protection profile preparatory steps .... 4
5.4 Relationship between actors .... 5
6 Outlines of Protection Profile .... 7
6.1 Structure .... 7
6.2 Context .... 8
Annex A (informative) Procedures for preparing documents .... 9
Annex B (informative) Example of threat analysis evaluation method .... 42
Annex C (informative) Relevant security standards in the context of the EFC .... 47
Annex D (informative) Common Criteria Recognition Arrangement (CCRA) .... 48
Bibliography .... 49

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent
rights identified during the development of the document will be in the Introduction and/or on the ISO list of
patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/TC 204, Intelligent transport systems.
This first edition cancels and replaces the third edition of ISO/TS 17574, which has been technically revised.
The main changes are as follows:
— Clause 3 has been updated and ISO 17573-2 has been made the primary source for terms and definitions;
— requirements have been updated to reflect the latest version of the ISO/IEC 15408 series.

Introduction
Electronic fee collection (EFC) systems are exposed to several kinds of fraud, by users and operators as well as
by people outside the system. These security threats have to be met by different types of security
measures, including specified security requirements.
It is recommended that EFC operators use the guidelines provided by this document to prepare their own
EFC protection profile (PP), as security requirements should be described from the operator's point of view.
It should be noted that the guidelines provided in this document are intended to be read in conjunction with
the underlying international standards ISO/IEC 15408 (all parts). Most of the content of this document is an
example shown in Annex A on how to prepare the security requirements for EFC equipment, in this case, a
DSRC-based OBE with an integrated circuit(s) card (ICC) loaded with crucial data needed for the EFC. The
example refers to a Japanese national EFC system and should only be regarded as an example.
After an EFC/PP is prepared, it can be internationally registered by the organization that prepared the EFC/
PP so that other operators or countries that want to develop their EFC system security services can refer to
an already registered EFC/PP.
This EFC-related document on security service framework and EFC/PP is based on ISO/IEC 15408 (all parts).
ISO/IEC 15408 (all parts) includes a set of requirements for the security functions and assurance of IT-
relevant products and systems. Operators, organizations or authorities defining their own EFC/PP can use
these requirements. This will be similar to the different PPs registered by several financial institutions, e.g.
for payment instruments like IC cards (ICCs).
Products and systems developed in accordance with ISO/IEC 15408 (all parts) can be publicly certified
by government or designated private evaluation agencies.

Electronic fee collection — Guidelines for security protection
profiles
1 Scope
This document provides guidelines for preparation and evaluation of security requirements specifications,
referred to as Protection Profiles (PP) in ISO/IEC 15408 (all parts) and in ISO/IEC TR 15446.
A Protection Profile (PP) is a set of security requirements for a category of products or systems that
meet specific needs. A typical example would be a PP for on-board equipment (OBE) to be used in an EFC
system. However, the guidelines in this document are superseded if a Protection Profile already exists for
the subsystem in consideration.
The target of evaluation (TOE) for EFC is limited to EFC specific roles and interfaces as shown in Figure 1.
Since the existing financial security standards and criteria are applicable to other external roles and
interfaces, they are assumed to be outside the scope of TOE for EFC.
Figure 1 — Scope of TOE for EFC
The security evaluation is performed by assessing the security-related properties of roles, entities and
interfaces defined in security targets (STs), as opposed to assessing complete processes which often are
distributed over more entities and interfaces than those covered by the TOE of this document.
NOTE Assessing security issues for complete processes is a complementary approach, which may well be
beneficial to apply when evaluating the security of a system.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 15408-1, Information security — cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 1: Introduction and general model
ISO/IEC 15408-2, Information security — cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 2: Security functional components
ISO/IEC 15408-3, Information security — cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 3: Security assurance components
ISO/IEC 15408-4, Information security — cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 4: Framework for the specification of evaluation methods and activities
ISO/IEC 15408-5, Information security — cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 5: Pre-defined packages of security requirements
ISO 17573-2:—1), Electronic fee collection — System architecture for vehicle related tolling — Part 2: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 17573-2:—2) apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
4 Abbreviated terms
CC common criteria
CCRA common criteria recognition arrangement
CN cellular networks
DSRC dedicated short-range communication
EAL evaluation assurance level
EFC electronic fee collection
GNSS global navigation satellite systems
HMI human-machine interface
I/F interface
ICC integrated circuit(s) card
IT information technology
OBE on-board equipment
PP protection profile
RSE roadside equipment
1) Stage at the time of publication: ISO/DIS 17573-2:2025
2) Stage at the time of publication: ISO/DIS 17573-2:2025

SAM secure application module
SFP security function policy
SFR security functional requirement
ST security target
TOE target of evaluation
TSF target of evaluation security functions
5 EFC security architecture and protection profile processes
5.1 General
This clause gives an overview of the context and use of this document in terms of the EFC security
architecture and protection profile processes.
This document is intended to be read in conjunction with the underlying standards ISO/IEC 15408 (all parts)
and ISO/IEC TR 15446. Although a reader unfamiliar with the standards could read the first part of the
document to have an overview on how to prepare a Protection Profile for EFC equipment, the annexes,
particularly A.4 and A.5, require that the reader be familiar with ISO/IEC 15408 (all parts). The document
uses an OBE with an integrated circuit(s) card (ICC) as an example to describe both the structure of the PP,
as well as the proposed content.
In Annex A, the guideline for preparing EFC/PP is described by using an OBE as an example of EFC products.
The communication link (between the OBE and the RSE) is based on DSRC.
Annex B gives an example of how a threat analysis can be done, while Annex C provides an overview of
the relevant security standards in the context of the EFC, which provides the background of EFC roles and
interfaces.
5.2 EFC security architecture
Figure 2 shows how this document fits in the overall picture of EFC security architecture. The shaded boxes
are the aspects mostly related to the preparation of PPs for EFC systems.

Figure 2 — Overall view of security architecture
5.3 Protection profile preparatory steps
The main purpose of a PP is to analyse the security environment of a subject and then to specify the
requirements meeting the threats that are the output of the security environment analysis. The subject
studied is called the target of evaluation (TOE). In this document, an OBE with an ICC is used as an example
of the TOE.
The preparatory work of EFC/PP consists of the steps shown in Figure 3, according to the contents described
in Clause 6.
Figure 3 — Process of preparing a Protection Profile for EFC equipment
A PP may be registered publicly by the entity preparing the PP to make it known and available to other
parties that may use the same PP for their own EFC systems.
5.4 Relationship between actors
A security target (ST) is a set of security requirements and specifications to be used as the basis
for evaluation of an identified TOE. While the PP could be looked upon as the EFC toll service providers’
requirements, the ST could be looked upon as the supplier's documentation of compliance with
and fulfilment of the PP for the TOE, e.g. an OBE.
Figure 4 shows a simplified picture and example of the relationships between toll service provider, the
EFC equipment supplier and an evaluator. For an international registry organization, i.e. Common Criteria
Recognition Arrangement (CCRA) and current registered PPs, refer to Annex D.

Figure 4 — Relationships between operators, suppliers and evaluators
The ST is similar to the PP, except that it contains additional implementation-specific information detailing
how the security requirements are realized in a particular product or system. Hence, the ST includes the
following parts not found in a PP:
— a TOE summary specification that presents the TOE-specific security functions and assurance measures;
— an optional PP part that explains PPs with which the ST is claimed to be conformant (if any);
— a rationale containing additional evidence establishing that the TOE summary specifications ensure
satisfaction of the implementation-independent requirements and that claims about PP conformance
are satisfied;
— actual security functions of EFC products will be designed based on this ST (see example in Figure 5).

Figure 5 — Example of design based on a PP
6 Outlines of Protection Profile
6.1 Structure
The content of a Protection Profile for a part or interface of an EFC system is shown in Figure 6, which shall
be in accordance with ISO/IEC 15408-1, clause 10 and annex B.
Figure 6 — Contents of a Protection Profile

6.2 Context
Guidelines for preparing PP are as follows:
a) Overview (see A.1)
b) Target of evaluation (TOE, see A.2)
The scope of the TOE shall be specified.
c) Conformance
The conformance claims of PPs shall be specified.
d) Security environment (see A.3)
Development, operation and control methods of the TOE are described to clarify the working/operation
requirements. Regarding these requirements, IT assets, for which the TOE must be protected, and the
security threats to which the TOE is exposed, shall be specified.
e) Security objectives (see A.4)
Security policies for threats to the TOE are determined. The policies are divided into technical, operational
and control policy.
Security objectives should be consistent with the operational aim or product purpose of the TOE.
Operational/control policy is defined as personnel and physical objectives applicable to the status, in which
the TOE is used or operated. The operational/control policy includes control and operational rules for
operators.
f) Security requirements (see A.5)
In accordance with the security objectives defined in A.4, concrete security requirements for security
threats stated in A.3 are specified. The security requirements consist of functional requirements (technical
requirements) and assurance requirements for security quality.
Functional requirements are provided, selecting necessary requirements from ISO/IEC 15408-2 and
determining parameters, which shall be in accordance with ISO/IEC 15408-2, from clause 6 to clause 18.
Regarding assurance requirements, the assurance requirements specified in ISO/IEC 15408-3 are adopted
by determining evaluation levels for assurance requirements, which shall be in accordance with
ISO/IEC 15408-3, from clause 5 to clause 15.
The evaluation method and activities are included in the security requirements, which shall be in accordance
with ISO/IEC 15408-4, clause 5 and 6.
The evaluation assurance levels are included in the security requirements, which shall be in accordance
with ISO/IEC 15408-5, clause 4.
g) Rationale of justification/effectiveness (see A.6)
The content of the PP is checked, as necessary, to confirm that it covers the security requirements for the TOE.
The checked items are as follows:
1) all security environments needed are covered;
2) security objectives should completely meet the security environments;
3) security requirements should implement security objectives.
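The three rationale checks in g) are a traceability check between the security environment (threats), the security objectives and the SFRs. The following is an added example, not part of ISO/DIS 17574, that applies those checks to a small constructed PP model; the threat list is drawn from the attacker example in A.4.1.4, while the objective identifiers, the SFR component names (taken from ISO/IEC 15408-2 families) and the mapping between them are assumptions made here for illustration.

```python
# Added example (not from ISO/DIS 17574): a traceability check for the three
# rationale items in 6.2 g). Threat descriptions follow the attacker example in
# A.4.1.4; objective identifiers and the SFR mapping are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    ident: str
    description: str


@dataclass(frozen=True)
class Objective:
    ident: str
    description: str
    counters: frozenset  # identifiers of the threats this objective addresses


@dataclass(frozen=True)
class Requirement:
    ident: str             # ISO/IEC 15408-2 component name, e.g. "FIA_UAU.2"
    implements: frozenset  # identifiers of the objectives this SFR implements


def check_rationale(threats, objectives, requirements):
    """Apply the three checks of 6.2 g) and return the gaps found.

    1) every threat (security environment item) is countered by an objective;
    2) every objective traces to a defined threat, and refers to no undefined one;
    3) every objective is implemented by at least one SFR, and every SFR
       traces to a defined objective.
    An empty list for every key means the rationale is complete.
    """
    threat_ids = {t.ident for t in threats}
    objective_ids = {o.ident for o in objectives}

    countered = set()
    for o in objectives:
        countered |= o.counters
    implemented = set()
    for r in requirements:
        implemented |= r.implements

    return {
        # check 1: security environment fully covered
        "uncovered_threats": sorted(threat_ids - countered),
        # check 2: objectives meet the security environment and nothing else
        "objectives_without_threat": sorted(
            o.ident for o in objectives if not (o.counters & threat_ids)),
        "unknown_threat_refs": sorted(countered - threat_ids),
        # check 3: requirements implement the objectives
        "unimplemented_objectives": sorted(objective_ids - implemented),
        "requirements_without_objective": sorted(
            r.ident for r in requirements if not (r.implements & objective_ids)),
        "unknown_objective_refs": sorted(implemented - objective_ids),
    }


def is_complete(findings):
    """True when none of the checks reported a gap."""
    return not any(findings.values())


# Constructed sample PP model (threats after the A.4.1.4 attacker example).
THREATS = (
    Threat("T.VEH_INFO_FORGE", "forgery of vehicle information stored on the OBE"),
    Threat("T.ICC_IF_FORGE", "forgery of interface data between OBE and ICC"),
    Threat("T.OBE_ANALYSIS", "forgery of the OBE after analysing it internally"),
    Threat("T.PERSONAL_INFO", "obtaining personal information held by the OBE"),
)

# Deliberately incomplete: no objective counters T.PERSONAL_INFO.
OBJECTIVES = (
    Objective("O.ICC_AUTH", "mutual authentication between OBE and ICC",
              frozenset({"T.ICC_IF_FORGE"})),
    Objective("O.DATA_INTEGRITY", "integrity of stored vehicle information",
              frozenset({"T.VEH_INFO_FORGE"})),
    Objective("O.TAMPER_RESIST", "resistance to physical analysis of the OBE",
              frozenset({"T.OBE_ANALYSIS"})),
)

REQUIREMENTS = (
    Requirement("FIA_UAU.2", frozenset({"O.ICC_AUTH"})),
    Requirement("FCS_COP.1", frozenset({"O.ICC_AUTH"})),
    Requirement("FDP_SDI.2", frozenset({"O.DATA_INTEGRITY"})),
    Requirement("FPT_PHP.3", frozenset({"O.TAMPER_RESIST"})),
)


def with_confidentiality_objective():
    """Return (objectives, requirements) extended so that T.PERSONAL_INFO is covered."""
    objectives = OBJECTIVES + (Objective(
        "O.CONFIDENTIALITY", "personal data readable only by authorised roles",
        frozenset({"T.PERSONAL_INFO"})),)
    requirements = REQUIREMENTS + (Requirement("FDP_ACC.1", frozenset({"O.CONFIDENTIALITY"})),)
    return objectives, requirements


if __name__ == "__main__":
    findings = check_rationale(THREATS, OBJECTIVES, REQUIREMENTS)
    for name, items in findings.items():
        if items:
            print(f"{name}: {', '.join(items)}")
    print("rationale complete" if is_complete(findings) else "rationale incomplete")
```

Run as a script, the first pass reports the uncovered threat; extending the model with `with_confidentiality_objective()` closes the gap and all three checks pass.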

Annex A
(informative)
Procedures for preparing documents
A.1 Overview
A.1.1 General
A general outline of the document for Protection Profile (PP) is described.
It should be noted that this clause is informative. Most of the content is an example of how to prepare the
security requirements for EFC equipment, in this case, an OBE with an ICC loaded with crucial data needed
for the electronic fee collection.
A.1.2 Identification information
Identification information for the document is as follows:
a) document title;
b) version/release number;
c) preparation date;
d) prepared by.
EXAMPLE Identification information:
1) document title: EFC OBE Security Protection Profile;
2) reference/version number: 1.0;
3) preparation date: 2002-10-20;
4) prepared by: ABC Association.
A.1.3 Target of evaluation (TOE) description
TOE is identified as follows:
a) product;
b) version/release number;
c) developer.
EXAMPLE TOE description:
1) product: EFC OBE;
2) version/release number: 1.0;
3) developer: ABC Co., Ltd.
A.1.4 In accordance with ISO/IEC 15408 (all parts)
The prepared “Protection Profile” in accordance with ISO/IEC 15408 (all parts) is stated explicitly.

The version and preparation data of referenced ISO/IEC 15408 (all parts) are also stated.
EXAMPLE ISO/IEC 15408 (all parts) conformance statement according to:
— ISO/IEC 15408-1 Fourth Edition
— ISO/IEC 15408-2 Fourth Edition
— ISO/IEC 15408-3 Fourth Edition
— ISO/IEC 15408-4 First Edition
— ISO/IEC 15408-5 First Edition
A.1.5 Outline of TOE
A.1.5.1 Type of TOE
EXAMPLE
1.4.1 Type of TOE
EFC OBE
A.1.5.2 TOE functional outline
For users of security “Protection Profile”, a type of device described in “Protection Profile” is described
explicitly to help them determine the application.
EXAMPLE
1.4.2 TOE functional outline (OBE for EFC system)
The functional outline is as follows.
a) EFC function:
1) mutual authentication with ICC;
2) transcription (caching) of ICC data to OBE;
3) encryption of radio communication with RSE;
4) assurance of message integrity;
5) mutual authentication with RSE;
6) storage of secured information (encryption key) used in OBE during EFC transaction.
b) Set-up function:
1) authentication of set-up card;
2) caching of vehicle information from ICC to OBE.
c) HMI function:
1) report of EFC billing results to users;
2) guidance of EFC lane.
A.1.5.3 Evaluation Assurance Level (EAL)
Evaluation Assurance Levels for objectives are selected. Each EAL defines a package consisting of assurance
components and determines the degree of assurance requirements on security systems. The justification for
the selected EAL is stated.
EXAMPLE
A.1.5.3 EFC OBE (EAL is 5)
OBE functions as equipment for e-Commerce in EFC transactions. The security systems of EFC OBE are vulnerable to
attack under the control of individual users. Therefore, a high assurance level (EAL) is required for EFC OBE.
A.2 Target of evaluation (TOE)
A.2.1 TOE objectives and methodology
A.2.1.1 TOE use objectives
The following example indicates objectives for TOE use and the type of environment in which it is used.
EXAMPLE EFC members (users) use the EFC system at tollgates by inserting the ICC with EFC member contract
information for settlement. Vehicle information such as an automobile inspection certification is stored in OBE
beforehand. For storing vehicle information, a personalization card for initialization is used. The OBE (TOE), which
reads/writes data to ICCs for set-ups/settlements and transmits/receives data to roadside equipment for toll collection
transactions, protects interface and internal data from external threats.
A.2.1.2 TOE use methodology
a) User preparations:
steps to be taken by user before use of TOE.
b) Operator’s preparation:
necessary hardware/software and control systems are described when operator operates TOE.
c) Operational procedures:
procedures for operation and maintenance are described.
d) Use procedures:
procedures for users are described.
e) Limitations of use:
limitations of use such as time zones and geographical zones are described.
EXAMPLE
a) User’s preparations:
Users request an operator to install an OBE and set up vehicle information such as automobile inspection certification
to OBE. In addition, users receive the ICC with EFC member contract information.
b) Operator preparations:
Operators issue set-up information in response to user’s requests.
c) Operation procedures:
When a user is passing through tollgates, the toll is billed to the ICCs for settlement with EFC member contract
information, which is inserted in the installed OBE with vehicle information. When a legitimate ICC for settlement
is inserted in the OBE with correct vehicle information, the toll fee is calculated in the communication zone of RSE at
tollgates.
For a change or update of EFC member contract information, such as vehicle information, set-up cards and ICC are
updated (re-issued/re-registered).
d) Use procedures:
A user uses the ICCs with EFC member contract information at tollgates within the EFC system according to the EFC
member contract or OBE manuals.
e) Limitations of use:
In general, OBE is available at any time of day, as long as EFC lanes are open at tollgates.
A.2.2 TOE functions
A.2.2.1 Functions provided by TOE
Functions, which are provided by the TOE, are described. All functions for data transactions, which shall be
protected, are listed.
EXAMPLE
a) EFC transactions:
1) EFC communication control function;
2) non-secure data record function;
3) HMI input/output control function;
4) ICC insert status detect function;
5) OBE self-check function.
b) Security module:
1) data storage or protection function;
2) user access control function;
3) authentication function (DSRC, ICC);
4) encryption/decryption function;
5) ICC interface function;
6) EFC transaction interface function;
7) set-up card read function.
A.2.2.2 Functions not provided by TOE
When the TOE function is a part of the functions of an entire system, the scope of the TOE in the whole
system should be shown as in Figure A.1 which shows an example where the OBE is the scope of the TOE. For
reference, Figure A.2 showing the overall security policy scope should be included.

Figure A.1 — Example where the TOE is shown in its context
Figure A.2 — Overall security policy scope
A.2.2.3 Missing functions
When functions, which usually should be provided by the TOE in this section, are not included in the TOE,
the function contents and reasoning for exclusion should be described.

A.2.3 TOE structure
A.2.3.1 Hardware structure
The structure with related hardware units on TOE operation is described. The scope of TOE in the structure
should be shown as in the example in Figure A.3. Also, the overall EFC system model of the EFC Security
Framework should be shown as in Figure A.4.
EXAMPLE
Figure A.3 — Example of TOE hardware structure

Figure A.4 — EFC system model of the EFC Security Framework
A.2.3.2 Software structure
The structure with related software in the operation of the TOE is described. In the structure, the scope of
the TOE in the structure should be stated. Especially, when the operation of the TOE depends on operating
system (OS) and data control programs, the distribution of functions should be described.
A.2.3.3 Rationale
It should be verified that the described items are consistent.
a) Absence of inconsistent provision items.
b) Absence of undefined or unclear sections of provided contents in this subclause.

A.3 Conformance
A.3.1 Conformance claim and conformance statement of TOE
A.3.1.1 General
Regarding conformance related to the PP, two kinds of relationship are defined. One is the relationship
between the PP and the underlying common criteria (CC); the other is the relationship between an ST (or another
PP) and this PP. For these relationships, both a conformance claim and a conformance statement are to be described.
A.3.1.2 Conformance claim
Conformance claim is related to the relationship between the PP and the based CC.
a) The edition of the relevant parts of the CC is stated.
If all security functional requirements (SFRs) are based only upon the functional requirements in ISO/IEC 15408-2
and -3, “conformant” is selected; otherwise, “extended” is selected.
EXAMPLE conforms with ISO/IEC 15408
b) Conformance to CC Part 2 is defined.
EXAMPLE “CC Part 2 conformant and extended”
c) Conformance to CC Part 3 is defined.
EXAMPLE “CC Part 3 conformant and extended”
d) Conformance claim rationale
Reason and logical basis of the choice of conformance claim is to be described.
A.3.1.3 Conformance statements
The conformance statement describes the way other PPs or STs shall conform to the PP. The conformance
statement shall be one of the following three types of conformance:
— Demonstrable,
— Strict,
— Exact.
EXAMPLE Conformance manner is “Strict”.
A.4 Security environment
A.4.1.1 General
Security requirements to determine security objectives for the TOE operation are provided.
A.4.1.2 Operational environments
The methodology of the use of the TOE such as the operational environment, operational time, operational
site, use procedure and location of use is described.
a) Operational procedures
Regarding the operational procedures of the TOE, the operation of an integrated EFC system including the
related vehicles and ICC for payment are described.
b) Operational time
The operational time zone of the TOE is described.
EXAMPLE The operational time is any time that EFC vehicles use on EFC toll roads.
c) Operational sites
Operational sites of the TOE are described.
d) Operational overview
The procedures from the purchase (obtain) to the disposal of the TOE by users are described including
installation of the TOE, set-up of the TOE and operation at toll roads.
EXAMPLE 1 Users purchase EFC OBE at OBE dealers (car dealers, car shops). An OBE is installed in a vehicle. In
addition, the on-board information needed for the EFC operation such as vehicle information is stored as on-board
information.
EXAMPLE 2 After an EFC member contract is established, users get an ICC, which is issued by credit card companies.
EXAMPLE 3 Users will be able to use the EFC system by inserting an ICC in an OBE installed in a vehicle. The
vehicles, which can use EFC systems, are called EFC vehicles.
EXAMPLE 4 Users use toll roads with the ICC inserted in an OBE in an EFC vehicle and pass through the tollgates
without stopping.
Users can voluntarily dispose of unnecessary OBE.
e) Use sites
Sites, where users can use TOE, are described.
EXAMPLE Toll roads, along which EFC RSE are installed.
f) Limits and requirements in use such as available numbers of TOE are described.
EXAMPLE 1 The number of OBE installed per vehicle is limited to one.
EXAMPLE 2 OBE is fixed (built-in) in a vehicle.
EXAMPLE 3 OBE can be used any time of day as long as EFC lanes are open for operation.
A.4.1.3 Physical control
Physical control related to the operation of the TOE is described.
a) Installation sites and control
Installation sites and physical control of the TOE are described.
EXAMPLE 1 OBE is fixed (built-in) in a vehicle.
b) User unit
For use of the TOE, the physical control requirements of ICC for payments, which users possess, are described.
EXAMPLE 2 Users are responsible for their ICC.

A.4.1.4 Personnel requirements
The personnel requirements for the responsibility and confidence of the TOE operations are described. In
addition, the requirements for potential uses, motivations, methods and expertise of attacks are provided.
a) TOE-related agents
The following items regarding the manufacturers, operators and users of TOE are stated.
1) Type
2) Role
3) Authorization
4) Reliance
5) Risk of illicit use
6) Expertise
7) Trail
EXAMPLE 1 Personnel requirements:
Type: Manufacturer of OBE.
Role: Manufacturing and shipping based on standard specification of EFC OBE.
Authorization: None.
Reliance: No responsibility for security control.
Risk of illicit use: There is a risk of illicit use, since responsibility for security control is absent.
Expertise: No security expertise is required.
Trail: A negative-list check is performed when EFC vehicles pass through tollgates.
b) Attackers
The following items are described for the illicit users against whom the TOE takes countermeasures.
1) Type
2) Purpose of illicit use
3) Motivation
4) Means
5) Expertise
EXAMPLE 2 Attackers:
Type: Illicit third party among EFC users.
Purpose of illicit use: Forgery and manipulation of OBE data, obtaining personal information; forgery and illicit
modification of the OBE medium.
Motivation: To reduce toll fees, or to avoid toll fee claims, by illicit use of information; sale of forged OBE.

Means: Forgery of vehicle information in the OBE. Forgery of interface data between OBE and ICC to counterfeit
someone's card. Forgery of EFC OBE after analysing the OBE internally.
Expertise: Understanding of the internal transaction, gained by analysing the EFC OBE internally.
A.4.1.5 Connectivity/operational environments
The connectivity and operational environment of the TOE are described. Only the structure described in this
subclause shall be the TOE.
a) Connectivity
The transactions with the RSE at tollgates and with the ICC that are needed for operation of the TOE are described.
EXAMPLE
— The OBE exchanges information with the RSE at tollgates via radio communication (5,8 GHz).
— The OBE reads ICC data (card number, EFC member contract information) before the vehicle passes through a tollgate.
When the vehicle passes through a tollgate, the OBE sends the applicable ICC internal data to the RSE so that billing
and transaction record data can be transmitted.
b) Operational requirements
The hardware/software requirements (central processing unit, processing speed, required memory, input/
output devices) needed for operation of the TOE are described.
A.4.1.6 Rationale
It is verified that the described items are consistent:
a) absence of inconsistent items;
b) absence of undefined or unclear parts in the contents provided in this subclause.
A.4.2 Security threats
A.4.2.1 Determination of target resources for protection
a) Selection of target resources for protection
The target resources to be protected by the TOE are determined. Resources whose falsification, alteration or loss
would negatively impact the services of the TOE are targeted for protection. For each determined target resource,
its lifecycle (generation, transaction, storage and disposal) is clearly described. If there are indirect resources
involved in a TOE transaction, those indirect resources are determined as well.
EXAMPLE 1
1) Target protection resources to be protected by the TOE:
— EFC member contract information: ICC internal data (i.e. ICC number);
— vehicle information: OBE internal data such as vehicle classification codes;
— tollgate information: exit/enter information, barrier information and transaction record information;
— information stated above, transmitted by radio communication through OBE between roadside units at
tollgates and ICC;
— toll information: storage in ICC such as billing information.

2) Lifecycle of the target resources for protection:
— OBE installation in a vehicle;
— transcription of vehicle information into OBE;
— OBE operation at toll roads;
— OBE disposal.
b) Evaluation of target resources for protection
The values of the determined target resources for protection are evaluated. The evaluation uses three levels:
Level 1: the security problem affects the entire system of the TOE, e.g. the system may malfunction or go
down.
Level 2: the security problem drastically compromises the value of the system of the TOE, e.g. the social
responsibility of the system is impaired, but restoration of the system is attainable.
Level 3: the security problem hinders the operation of the TOE, e.g. operation of the system is temporarily
interrupted, with serious impact on users.
EXAMPLE 2
Evaluation of target resources for protection:
Level 1: None (no target resource for protection whose compromise would impact the system to the extent of destroying the EFC system);
Level 2: EFC member contract information;
Level 3: Vehicle information, tollgate information, toll information.
A.4.2.2 Identification of security threats
Potential threats are identified for each level of the determined target resources for protection. A concrete
analysis of the target resources is performed in terms of who (what), where, when, how (counterfeiting,
tapping, destruction), means (available resources, interfaces, expertise), threats (falsification, exposure,
service interruption) and reasons.
a) Who (what):
who (what) generates the threat is stated.
b) Target resource:
the target resource of the threat (billing data, personal information) is stated.
c) Contents of threats:
the major threats are as follows:
1) lack of confidentiality;
2) lack of protection;
3) lack of availability;
4) lack of responsibility;
5) lack of integrity;
6) lack of reliability.
d) Means:
the means by which the attack is carried out are stated.
e) Methodology:
the methodology of the attack is stated.
f) Motivation:
the motivation of the attack is stated.
g) Opportunity:
the opportunity for the attack is stated.
h) Weak points:
the security weaknesses exploited are stated.
The threat analysis shall be conducted at each stage of the TOE's lifecycle, shown in Figure A.5.
Figure A.5 — TOE’s lifecycle
The threat analysis for the lifecycle of the target data for protection at stage 3 of the TOE (i.e. "OBE in
operation") is shown in Table A.1.
Table A.1 — Threat analysis for OBE at stage 3 (OBE in operation) — Example
Information for protection      | Who                 | Where          | When                           | Methodology, means                              | Threats                                                 | Why
--------------------------------|---------------------|----------------|--------------------------------|-------------------------------------------------|---------------------------------------------------------|---------------------------
EFC member contract information | Illicit third party | OBE            | While inserting ICC            | Forge ICC or I/F data to falsify someone's card | Forgery and altering of ICC internal data               | Avoid toll fee claim
Vehicle information             | Illicit third party | OBE            | Anytime/while passing tollgates | Forgery of vehicle codes of OBE                | Forgery and manipulation of OBE internal data           | Reduce toll fee
Tollgate information            | Illicit third party | Tollgate lanes | Communication                  | Tapping of radio communication data             | Eavesdropping of radio communication                    | Obtain personal information
Toll fee information (billing)  | Illicit third party | Tollgate lanes | Communication                  | Replay the eavesdropped data                    | Communication data manipulation; replay attack          | Reduce or avoid toll fee
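The replay and communication-data-manipulation threats in the last two rows of Table A.1, together with the OBE to RSE exchange of A.4.1.5, rendered as an added Python example. This is illustrative code written for this page, not code from the standard or from any EFC product. The weak form sends the billing record in clear, unbound to the lane passage; the hardened form answers a per-passage RSE challenge with an HMAC over the record. That countermeasure, the shared key, the ICC number and the vehicle class code are all assumptions constructed for the illustration; this document does not specify the mechanism.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values for this illustration (not taken from the standard).
OBE_KEY = b"constructed-demo-key-not-for-real-use"  # assumed key shared by OBE and operator back end
ICC_NUMBER = "4000123412341234"   # EFC member contract information read from the ICC
VEHICLE_CLASS = "3"               # vehicle classification code held in the OBE


def naive_record(icc_number: str, vehicle_class: str) -> dict:
    """Weak form of the exchange: the OBE sends the billing data in clear, unbound to the passage."""
    return {"icc": icc_number, "class": vehicle_class}


def naive_rse_accepts(record: dict) -> bool:
    """An RSE that only checks field presence cannot tell a replay or an altered record apart."""
    return {"icc", "class"} <= set(record)


def transaction_mac(key: bytes, nonce: str, icc_number: str, vehicle_class: str) -> str:
    """HMAC-SHA256 over the RSE challenge and the two protected fields (assumed construction)."""
    msg = json.dumps([nonce, icc_number, vehicle_class], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def obe_response(key: bytes, nonce: str, icc_number: str, vehicle_class: str) -> dict:
    """OBE side of the hardened exchange: answer the RSE challenge with an authenticated record."""
    return {"nonce": nonce, "icc": icc_number, "class": vehicle_class,
            "mac": transaction_mac(key, nonce, icc_number, vehicle_class)}


class HardenedRSE:
    """RSE side: one fresh challenge per lane passage, consumed on first valid use."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding: set[str] = set()   # challenges issued but not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.outstanding.add(nonce)
        return nonce

    def accepts(self, record: dict) -> bool:
        nonce = record.get("nonce")
        if nonce not in self.outstanding:
            return False                      # unknown or already used challenge: replay
        expected = transaction_mac(self.key, nonce, record.get("icc", ""), record.get("class", ""))
        if not hmac.compare_digest(expected, str(record.get("mac", ""))):
            return False                      # field altered on the air interface, or MAC forged without the key
        self.outstanding.discard(nonce)       # consume the challenge: the record cannot be accepted twice
        return True


def run_naive() -> dict:
    """Eavesdropper captures the clear record, replays it, and re-sends it with a cheaper class code."""
    captured = naive_record(ICC_NUMBER, VEHICLE_CLASS)
    return {"genuine": naive_rse_accepts(captured),
            "replayed": naive_rse_accepts(dict(captured)),
            "altered": naive_rse_accepts({**captured, "class": "1"})}


def run_hardened() -> dict:
    """The same attacker moves against the challenge-response exchange."""
    rse = HardenedRSE(OBE_KEY)
    genuine = obe_response(OBE_KEY, rse.challenge(), ICC_NUMBER, VEHICLE_CLASS)
    accepted = rse.accepts(genuine)
    replayed = rse.accepts(dict(genuine))                  # captured at passage 1, replayed later
    fresh = obe_response(OBE_KEY, rse.challenge(), ICC_NUMBER, VEHICLE_CLASS)
    altered = rse.accepts({**fresh, "class": "1"})         # class code changed in transit
    forged = rse.accepts({"nonce": rse.challenge(), "icc": ICC_NUMBER, "class": "1", "mac": "0" * 64})
    return {"genuine": accepted, "replayed": replayed, "altered": altered, "forged_without_key": forged}


if __name__ == "__main__":
    print("naive   :", run_naive())
    print("hardened:", run_hardened())
```

The naive RSE accepts all three records, which is exactly the "replay the eavesdropped data" and "communication data manipulation" rows of Table A.1. The hardened RSE accepts only the genuine answer to its own outstanding challenge; the replay fails because the challenge was consumed, the altered and forged records fail the MAC check. Note that the key in the OBE is itself a target resource in this model: an attacker who extracts it by analysing the OBE internally (the expertise listed in A.4.1.4) can forge valid records, which is why key storage belongs in the physical-control and connectivity descriptions of the PP.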
A.4.2.3 Rationale
It is verified that the described items are consistent:
a) absence of inconsistent items;
b) absence of undefined or unclear parts in the contents provided in this subclause.
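The rationale checks of A.4.2.3 (no inconsistent items, no undefined cells), applied mechanically to the asset list of A.4.2.1 and the rows of Table A.1. This is an added Python example written for this page, not tooling from the standard; the data structures and the check rules are assumptions chosen for the illustration, and the asset names, levels and rows are transcribed from the examples on this page.

```python
from dataclasses import dataclass, fields

LEVELS = {1, 2, 3}                      # evaluation levels of A.4.2.1 b)
STAGE_IN_SCOPE = "OBE in operation"     # stage 3 of Figure A.5, the stage Table A.1 analyses


@dataclass(frozen=True)
class Asset:
    name: str       # target resource for protection
    level: int      # evaluation level assigned in A.4.2.1 b)


@dataclass(frozen=True)
class ThreatRow:
    stage: str      # lifecycle stage the row covers
    asset: str      # "Information for protection" column
    who: str
    where: str
    when: str
    means: str      # "Methodology, means" column
    threat: str
    why: str


# Example 2 of A.4.2.1 b) and the rows of Table A.1, transcribed from the page.
ASSETS = [
    Asset("EFC member contract information", 2),
    Asset("Vehicle information", 3),
    Asset("Tollgate information", 3),
    Asset("Toll fee information", 3),
]
THREATS = [
    ThreatRow(STAGE_IN_SCOPE, "EFC member contract information", "Illicit third party", "OBE",
              "While inserting ICC", "Forge ICC or I/F data to falsify someone's card",
              "Forgery and altering of ICC internal data", "Avoid toll fee claim"),
    ThreatRow(STAGE_IN_SCOPE, "Vehicle information", "Illicit third party", "OBE",
              "Anytime/while passing tollgates", "Forgery of vehicle codes of OBE",
              "Forgery and manipulation of OBE internal data", "Reduce toll fee"),
    ThreatRow(STAGE_IN_SCOPE, "Tollgate information", "Illicit third party", "Tollgate lanes",
              "Communication", "Tapping of radio communication data",
              "Eavesdropping of radio communication", "Obtain personal information"),
    ThreatRow(STAGE_IN_SCOPE, "Toll fee information", "Illicit third party", "Tollgate lanes",
              "Communication", "Replay the eavesdropped data",
              "Communication data manipulation; replay attack", "Reduce or avoid toll fee"),
]


def check_rationale(assets, threats, stages=(STAGE_IN_SCOPE,)) -> list[str]:
    """Return the list of findings; an empty list means the table passes the A.4.2.3 checks."""
    findings = []
    names = [a.name for a in assets]
    if len(set(names)) != len(names):
        findings.append("asset list contains duplicate names")
    for a in assets:
        if a.level not in LEVELS:
            findings.append(f"asset '{a.name}': evaluation level {a.level} is not defined")
    for i, row in enumerate(threats, 1):
        for f in fields(row):                       # rule b): no undefined cell
            if not str(getattr(row, f.name)).strip():
                findings.append(f"row {i}: column '{f.name}' is undefined")
        if row.asset not in names:                  # rule a): threat against an undetermined resource
            findings.append(f"row {i}: '{row.asset}' is not a determined target resource")
        if row.stage not in stages:
            findings.append(f"row {i}: stage '{row.stage}' is outside the analysed lifecycle stages")
    for a in assets:                                # every resource analysed at every in-scope stage
        for s in stages:
            if not any(r.asset == a.name and r.stage == s for r in threats):
                findings.append(f"asset '{a.name}': no threat analysed at stage '{s}'")
    return findings


if __name__ == "__main__":
    for line in check_rationale(ASSETS, THREATS) or ["consistent"]:
        print(line)
```

Passing all four lifecycle stages of A.4.2.1 as `stages` instead of only stage 3 makes the same function report the stages that Table A.1 does not cover, which is the check a reviewer would run before accepting that the analysis "shall be conducted at each stage".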

A.4.3 Security policy of operational entity
A.4.3.1 General
The security items for the operational entities of the TOE are provided in accordance with their rules and policies.
The names of the documents describing the concrete rules are stated.
A.4.3.2 Identification of security policies of operational entities
a) Use policy of target resource for protection
Use policy (to whom, what capability, when, where) of target resource for protecti
...
