Content uploaded by Ali Shoker
Author content
All content in this area was uploaded by Ali Shoker on May 20, 2021
Content may be subject to copyright.
A First Step Towards Holistic Trustworthy Platoons
Ali Shoker
VORTEX Co-Lab
Portugal
ali.shoker@vortex-colab.com
Peter Moertl
V2C2
Austria
peter.moertl@v2c2.at
Ramiro Robles
ISEP
Portugal
rasro@isep.ipp.pt
Abstract—Truck platooning is a form of convoy cooperative
driving of connected trucks assisted by a lead truck. The aim is
to reduce the fuel and driving costs, improve road safety, and
reduce CO2 emission. Being semi-autonomous, platoons must be
trustworthy in many perspectives. This paper presents a high-
level trustworthy requirements analysis on three key
perspectives: driver, communication, and security. In addition,
we observed that any trustworthy requirement analysis is
incomplete if perspectives are addressed independently.
Therefore, we propose a simple holistic methodology that
addresses the different perspectives as well as their
dependencies, and we exemplify the use of the methodology with
two use cases presented in the paper. However, we draw
attention to the importance of more research to drive a more
exhaustive and validated methodology
1
.
Keywords— trustworthiness, automotive, V2X, cybersecurity
I. INTRODUCTION
Truck platooning has got the attention of the automotive
industry driven by the fast evolution of software-based
vehicles and the Vehicle-to-Everything (V2X) wireless
communications. A platoon is a semi-autonomous convoy of
wirelessly connected trucks traveling in the same direction
and doing coordinated movements as a single system.
Typically, the first truck is actively driven by a human driver,
whereas the following ones are controlled by automation and
humans, i.e., performing various levels of supervisory tasks
depending on the ACEA platoon automation level [25].
Moreover, truck platooning has many benefits like reduced
fuel consumption—by creating an efficient airflow for the
trucks behind [1], improving transportation safety, and
reducing driving costs. Simulations have also shown the
advantages of platoons in urban environments [5].
Future trucks (and vehicles) are expected to have a substantial
software-base, sensing capabilities, as well as connectivity of
many forms (e.g., V2X, LTE, 5G, etc.). This makes them
smart things in the Internet of Things (IoT) ecosystem. Given
this, in addition to semi-automation, truck platoons have high
trustworthy requirements. The European Union (EU) gives
guidelines and requirements (see Fig.1(a)) for the
development of trustworthy smart things [18], including, not
only technical, but also individual, societal organizational,
and legal framework considerations. In contrast, Fig.1(b)
conveys the five trustworthiness pillars to be considered in a
smart system according to the definition adopted by the
ISO/EC 20924:2018 standard for trustworthiness of IoT
1
This research leading to these results was done within the InSecTT project
funded through the ECSEL Joint Undertaking (JU), supported by EU
Horizon 2020, under grant agreement No 876038. The document reflects
systems, and the Industrial Internet Consortium (IIC)
[12,13]: “property of deserving of trust or confidence within
the entire lifecycle of an Internet of Things implementation
to ensure information security, privacy, safety, reliability and
resiliency”. Unfortunately, the state of the art [2-8] has not
yet addressed this topic in a systematic way, considering the
dependencies that exist between the different platoon
perspectives, layers, and components.
(a) (b)
Fig. 1: The overlap and differences of trustworthiness pillars of the ISO/EC
20924:2018 and the EU regulations for Trustworthy AI.
This paper presents a high-level trustworthy platoon
requirements analysis from three key perspectives: drivers,
communications, and security. Our work—conducted within
the frame of the InSecTT project (https://www.insectt.eu/)—
is motivated by driving a comprehensive platoon
trustworthiness approach, given the several dependencies in
platoon trustworthy requirements. We concluded that any
trustworthiness requirements study will be incomplete if
there is no holistic view that considers the different pillars,
aspects, and components. Consequently, we proposed a first-
step holistic methodology for iterative requirements study.
We show how this methodology can be used with two cases
on platoons, and we present our observations and takeaways.
Although our work is preliminary, we believe the idea of
integrated trustworthiness is of considerable importance and
should not be overlooked by the community. This is
especially important when different researchers and
architects design and analyze systems independently. We
also think that this approach can be generalized to other
modern automotive applications beyond platooning.
Specifically, the ISO/IEC 20924:2018 standard does not yet
address all the areas that the EU guideline states. In particular,
transparency, diversity, human oversight, societal wellbeing
and accountability are not included. We appeal for more
only the author’s view and the Commission is not responsible for any use
that may be made of the information it contains
research to consider these aspects in platooning (and
automotive) trustworthiness analysis.
The rest of the paper is organized as follows. Section II gives
a short background on platoons. The following three sections
present the trustworthiness requirements analysis from the
three perspectives: drivers, communication, and security.
Section VI presents the preliminary methodology we
propose, followed by some conclusions in Section VII.
II. BACKGROUND ON PLATOONING
Platooning is a convoy-style coordination of connected
vehicles, mainly trucks, aimed at reduced costs (driving and
fuel) as well as safety. A platoon leader truck usually leads
the following trucks to a common destination—in one or
more trips, respecting the platoon application semantics,
protocols, and road safety regulations. The state-of-the-art
Ensemble platooning project [4] adopts the layered
architecture presented in Fig. 2. The typical use of each layer
is as follows: the (cloud) services and strategic layers are used
for logistic and non-frequent platoon planning (platoon
discovery, tracking, speed optimization, trajectory definition,
etc.). The tactical layer is where actual maneuvering
protocols run (e.g., join, leave, overtake, split). Part of the
platoon management can occur at this layer as well. The
operation layer is more concerned with the vehicle actuator
control (e.g., accelerating, braking, steering).
Platoon trucks usually have similar routes or destinations.
From a communication point of view, this makes traffic-flow
and network management (V2X) more efficient as vehicles
arranged in platoons can reduce processing complexity by
offloading functionalities to lead cars and/or edge/cloud
vehicular servers. One key enabler of platoons is the
coordination and reliable (real-time) exchange of information
between contiguous vehicles or between vehicles and
edge/cloud servers. Therefore, three communication patterns
can be identified in a vehicle platoon: Vehicle-to-Vehicle
(V2V), Vehicle-to-Infrastructure (V2I), and Vehicle-to-
Network (e.g., Internet). The former two patterns can be used
together to improve reliability at the tactical and operational
layers, while the latter is less critical being used at the
Services and Strategic layers.
Fig. 2: Platoon layers (Ensemble project [4]).
To describe the functionality requirements, we make use of a
model that combines the benefits of multiple other standards,
such as the ISO [19, 22], ITU [20], AIOTI [23], and IEEE
reference IoT architecture [21] standards. This functionality
model is depicted in its high-level view in Fig. 3, using four
main horizontal layers (device or DL, network or NL, service
or SL and application or AL). Each use case will organize
their specific functionalities in a functional stack model as the
one shown in Fig.3. For the platoon use case we address, the
figure shows a preliminary overview of the different
functionalities associated to all communications and
control/operation of different platoon scenarios.
Fig. 3: IoT-based platoon functional model.
III. DRIVER TRUSTWORTHINESS
Driver trustworthiness is here understood as “...the attitude
that an agent will help achieve an individual’s goals in a
situation characterized by uncertainty and vulnerability.”
[24]. Accordingly, trustworthiness are characteristics of a
system and its environment that help a human stakeholder to
form appropriate levels of trust.
In terms of truck platooning, we investigated those features
of a platooning system that may be necessary to achieve the
trust of truck drivers and therefore increase the likelihood of
sustained and acceptable platooning operations. Per-
categorization of truck platooning operations in [3], we
differentiate platooning operations at ACEA level 2 [25]
where the driver is still ready to intervene. (We leave level 3
where the driver of a trailing truck can rest for future work.)
These two types are presented in Fig. 4.
Fig. 4: Phases of two types platooning from a driver perspective. The green
boxes refer to level 2.
The general difference between these two types is not only on
the level of involved automation but also on the role of the
human driver. In the assisted driving, the automation is
restricted to specific applicability conditions and is supposed
to be continuously monitored by the human driver. Thereby,
the driver is challenged to monitor and supervise the
automated driving system while maintaining readiness to
intervene when needed. Such role of the human driver has
found to be a challenge in extensive research and therefore
stands against operational trustworthiness [10, 11]. Finally,
in Table 1, a high-level overview of the driver-based
trustworthiness requirements is given, based on a review
presented in [3]; whereas, level 3 is left as a future work.
Device layer
Massive MIMO
NOMA
V2x (5g, NB-IoT, WiMAX)
802.11p, G5
Beamforming Sensors
Vehicle control
SIC-RD
Network layer
Smart Routing Scheduling, adaptaion
Forwarding Anomaly detection
Network Security
Authentication
Service, security and Virtualization. layer
Smart Routing
Platoon servicesEncryption
Network Security V2x service resource orchestration
Cloud and application layer
Smart platoon Routing
Vehicular applicationsEDGE URLLC
Platoon operations control Traffic management
Safety control
Security, trustworthiness management
Cross-layer management
IV. COMMNUNICATION TRUSTWORTHINESS
In this section we present the trustworthy requirements from
a communication perspective. The requirements for
trustworthiness also consider a system-level network
perspective of platoon communications. The platoon
coordination and control system heavily depends on the
performance of the V2X communication technology. Any
issue in the links between the entities of the platooning
system is translated into a potential safety problem of the
whole system and therefore a perceived lack of
trustworthiness for the end users of the platoon.
A. Latency
The communications between the platoon elements need to
comply with certain levels of latency for different types of
platoon messaging. The latency bound for message
dissemination will determine the maximum or minimum
inter-vehicular distance, or speed limits, and the size of the
platoon under different traffic and channel conditions. In
general, V2V links can provide low latency for small size of
the platoon. Latency bounds are also needed to give enough
time for the truck driver to react given a road traffic event or
make a decision due to platoon splitting or reforming.
B. Outage
Signal outage is one of the main issues that platoon
communications will face. The loss of messages and their
retransmissions are key to design the system reliability and
latency bounds under different types of road and channel
conditions. A highly-reliable platooning system must ensure
some levels of outage probability to avoid communication
and coordination issues between the vehicles of the platoon
or between the platoon and the vehicular cloud servers.
Outage is translated into information availability and
integrity issues as trustworthiness metrics defined by the ISO
standard for trustworthiness IoT systems [19, 22].
C. Interference
Interference is a major issue in environments with multiple
platoons and co-channel users. In this aspect, V2I has the
advantage to provide city coverage with a centralized
interference management or control. On the other hand, V2V
technology is more prone to this type of impairment.
Solutions in both types of system exist and rely on different
control mechanisms, such as multiple antennas, orthogonal
signal waveform allocation, interference free scheduling,
successive interference cancellation, etc.
D. Multiple Antennas
Multiple antennas are perhaps the main improvement in the
new generation of wireless networks. Their importance stems
from their ability to increase capacity with limited bandwidth
expenditure. Multiple algorithms for beamforming, multiuser
detection and interference control can be used to ensure
signal quality over a range of different platooning scenarios.
Multiple antenna processing can also reduce jamming attacks
that can seriously affect the control of the platoons, but also
high-level vulnerabilities and other attacks such as Man-in-
the-Middle (MITM), spoofing and even Denial of Service
(DoS). Multiple antennas at the vehicles of the platoon
promise to efficiently counteract shadowing, fading, and
interference, while at the same time provide detection of
obstacles and challenging environments such as rain road
conditions, tunnel signal interference, etc.
E. LOS vs NLOS
Platoon communications must operate in a variety of channel
conditions, mainly Line and Non-Line of Sight (LOS/NLOS)
situations, which determine many of the properties of V2V
and V2I links. Modulation schemes such as OFDM and
CDMA can deal with some NLOS degrading scenarios [27].
The channel conditions highly determine the outcome of the
control communication of the platoon subsystem. The
platoon configuration and its vehicles can be modelled as a
connection matrix with NLOS and LOS indicators.
Therefore, particularly in platoon situations where no cellular
coverage is present, V2V-based communication must deal
with multiple links, some in LOS and others with NLOS
conditions depending on the configuration. This situation
may change with different platoon maneuvers, and therefore
the awareness of LOS and NLOS link status can be used also
as a detection mechanism of platoon spatial configuration
changes in case of platoon configuration detection alarms.
V. SECURITY TRUSTWORTHINESS REQUIREMENTS
Security is a key pillar of a trustworthy platoon being a semi-
autonomous intelligent system [12,13]. In general, a secure
platoon must satisfy the AIC triad requirements [13] in face
of (cyber)security threats. Truck platoons inherit the security
TABLE 1. ASSISTED SAFETY TRUSTWORTHINESS FROM A DRIVER PERSPECTIVE
threats and cyber-attacks of modern software-based
connected vehicles [15] due to their large attack surface and
connectivity (e.g., via V2X, 5G, Bluetooth, etc.) to the
surrounding smart ecosystem (vehicles, pedestrians,
infrastructure, etc.). These threats can compromise the
expected function of the platoon, and consequently leave
serious safety ramifications if the right countermeasures and
mitigations are not implemented.
Nevertheless, although considering security in trustworthy
V2X systems is not new [14,15], there are particular
considerations to secure platoon systems given the sticky and
group-based cooperation patterns. This paper only focuses on
filling this gap due to the size limits. (Interested readers can
refer to state of the art work of generic trustworthy V2X.) In
particular, we will present the security requirements in light
of the AIC triad model, while we refer to the STRIDE threat
model to discuss the possible (cyber)security threats [16].
A. Availability
A platoon is initiated by having at least two platoon-able
trucks identifiable via V2X Public Key Infrastructure
(PKI)—defined by IEEE 1609.2 [29] and ETSI TS 102 941
[30]—for safety and legal reasons. From there onward, new
trucks cannot join the platoon without having a platoon
identification (ID) that must be associated to one or more PKI
keys (e.g., the leader); otherwise, a malicious/compromised
truck can spoof the platoon ID and take control of the platoon.
Similarly, a following platoon can drive an elevation of
privilege attack by taking over the leader's role using a
platoon ID that is not-linked to any PKI certificate.
To reduce the cryptographic overhead (of authentication and
encryption), group-based crypto schemes are used to allow
for in-platoon message broadcast. Maintaining this scheme
requires to consider a centralized group-key generation and
revocation (a leaving truck can authenticate via the group key
until it is revoked). Nevertheless, this raises the classical
centralization issue as single point of failure prone to DoS
attacks, and thus calls for novel decentralized solutions at the
platoon management and security levels. As in other V2X
systems, platooning trucks are assumed to have a modern AI-
assisted Intrusion Detection System (IDS) and firewalls to
detect DoS attacks [28]. However, a trustworthy platoon must
at least detect a DoS attack to be able to fail-safe: dissolve
itself. An advanced AI-based IDS is also required to guard
against Sybil attacks [17]. A vehicle/truck is often supplied
with tens or hundreds of PKI keys that are used with some
key rotation scheme to obfuscate its identity and mitigate
traceability. In V2X applications, this makes the truck prone
to Sybil attacks; however, since platoon trucks expect
frequent messages from their counterparts in the platoon, a
malicious truck could drive an internal Sybil attack, e.g.,
against the leader, while the latter could not easily
differentiate between a Sybil attack or a legitimate message.
This requires an AI-assisted technique to differentiate
malicious from legitimate messaging patterns.
B. Integrity
Integrity requirement govern platoon software and data at rest
and in transit. Any firmware/software updates must be
secured, as in other V2X applications. However, the effect
here is on the platoon level since a malicious software (e.g.,
leader application) can violate the application semantics and
regulations, and thus drive the platoon to unexpected
situations. This requires secure wireless diagnostic and Over-
the-Air (OTA) updates that work together with the firewall
and IDS to protect the software and data from tampering
attacks and malwares. In the same vein, integrity measures
(e.g., signatures and hash digests) must be implemented in the
platoon message exchange protocols to prevent
compromising the entire platoon due to MITM attacks and in-
transport message tampering [16]. Future platoons with more
autonomy and decentralization will require additional
consideration to data integrity among platoon trucks and non-
repudiation.
C. Confidentiality
Confidentiality requirements specific to platooning span the
platoon specific data and communication pattern. Platoon
applications are expected to incur more information about the
truck manufacturers, suppliers, and cargo operators (e.g.,
speed and acceleration limits, wireless quality, cargo weight,
destinations, etc.). This may require encrypting the data and
communication channels to defend external eavesdroppers.
However, being a cooperative system, an in-platoon trusted-
but-curious model can be assumed, and thus truck
manufacturers and operators must consider this cooperative
model while defining their data disclosure level.
VI. A METHODOLOGY PROPOSAL
In this section, we present a preliminary methodology for
requirement definition of holistic trustworthy platoons. We
aim for an improved and validated methodology in future
work. The motivation is based on our observation from the
three aspects we presented that platoon trustworthy
requirements are incomplete if analyzed from independent
perspectives—likely by different analyst’s expertise. This
called for the need to address a holistic requirement analysis
by studying the dependencies of the involved perspectives,
layers, and components in a platoon system.
The methodology we propose is composed of two phases:
Definition and Iteration. We specify these phases in the
following, and we exemplify using two “instances” from the
requirements we defined in the previous sections.
A. Definition Phase
This phase starts by defining the dimensions to be considered
in the study, involving:
• Pill: the five trustworthiness pillars (e.g., Safety);
• Pers: the perspective in each pillars (e.g., driver);
• Sys: the system view of a platoon (e.g., tactical);
• Lay: the software layer (e.g., OSI stack layer).
Based on these dimensions, the general framework used to
define the trustworthiness requirement follows a conjunction
of instances of the form:
Pill(Pers.Sys.Lay).
To drive a comprehensive requirement analysis, different
levels of granularity can be addressed. A simple approach is
to pick each dimension, break it down into components,
exclude the non-considered ones (assumed trustworthy), and
then break down the component into sub-component. This
forms a tree-like structure where all non-excluded branches
are considered as instances to be analyzed.
B. Iteration Phase
In the Iteration phase, the analyst performs requirement
analysis in many iterative steps until all requirements are
covered at all dimensions defined in the Definition phase. We
propose in Fig. 5 a simple three-step iterative methodology,
based on the trustworthiness pillars, is followed per each
instance. The methodology starts with the functional
specification of the instance as a prerequisite. As shown in
Fig.5, each step defines the relevant requirement by
addressing the defined dimensions and considering the
requirements of the preceding step. In the case, at any step,
the trustworthy requirements cannot be satisfied, an Update
to the instance is made, e.g., modifying a technique or
functional requirements, adding a new component, etc., and
the iteration is repeated from step 1 until the requirements are
settled at all considered pillars. In Fig.5, safety and privacy
are chosen for step 1 being the most critical pillars pertinent
to the human or environment. As for step 2, in general,
reliability can be tackled before resilience since the latter is
considered a "backup" solution when reliability under normal
conditions is impossible. However, the dependency between
these two pillars may necessitate their joint consideration in
a solution. In step 3, the security analysis explicitly targets
reliability and resilience pillars (in step 2); further
investigation is required to ensure that the privacy and safety
are implicitly covered.
Fig. 5. Iterative methodology flowchart
C. Usage Examples
We demonstrate the methodology proposed in this paper by
giving two examples using the presented requirement
analysis in previous sections. We select the “Conduct of
Platooning” and “Emergency exiting and maneuvering”
presented in Table 1. Notice that the second case incurs
additional iterations since security requirements could not be
satisfied with the given communication requirements.
1) Dimension definition:
• Pill: Safety; Reliability; Security;
• Pers: driver; communication (comm);
• Sys: operational; tactical; strategic;
• Lay: OSI [1 to 7]; 0 means irrelevant; x means all.
2) Conduct of Platooning instance
Safety(driver.tactical.0) & Reliability(comm.tactical.1234)
& Security (comm.tactical.4567)
3) Emergency exiting and maneuvering instance
Safety(driver.tactical.0) & Reliability(comm.tactical.1234)
& Security (comm.tactical.4567)
D. Observations and Future Directions
The above methodology is a first step towards holistic
platoon trustworthy requirement analysis. It emphasizes the
need to address the dependencies across the different
dimensions and layers. We do not present an assessment to
the methodology, but we do provide some interesting
observations appealing for a more comprehensive and
systematic methodology in the future, together with a
convenient evaluation.
A key observation is the need to consider additional
trustworthiness pillars to ISO/IEC 20924:2018 (shown in Fig.
1) to bridge the gap between EU guidelines toward building
trustworthy AI [12, 18, 26]. Specifically, the role of the
human is not sufficiently addressed in current trustworthiness
considerations, both in terms of individual users and as
societal implications. As an example, the role of human
autonomy in platooning operations would prohibit systems
that require the human to monitor, for hours, a platooning
system in order to respond in split-seconds to a
disengagement. Such considerations are not visible from the
perspective of technical components and subcomponents and
therefore need to be taken into consideration of the planning
and designing process.
On the other hand, although the presented methodology
covers the dependencies across pillars for a single instance,
there is a need for more research to extend the methodology
to the transversal dependencies across different instances. We
also call for a more systematic approach for exhaustive and
rigorous trustworthy platoon analysis and evaluation. We
plan to address these open points in a future work.
VII. CONCLUSIONS
In this paper, we outlined three types of trustworthiness for
platooning operations that at first sight appear to be relatively
independent. In fact, these aspects of trustworthiness are
highly dependent on each other as they build on each other.
This drives towards a first-step methodology to consider
trustworthiness at a holistic platoon level. We present a
simple methodology in that direction. We consider extending
this into a more exhaustive approach with some validation.
Importantly, we draw the attention to this challenge, and in
particular, to bridge the gap between the ISO/IEC
20924:2018 and the EU guidelines of Trustworthy AI.
VIII. REFERENCES
[1] A. Fleury, M. Ackermann, F. Leonardi, and A. de Souza Mendes,
“Heavy-duty Truck Platooning: A Review,” presented at the 24th
ABCM International Congress of Mechanical Engineering, 2017, doi:
10.26678/ABCM.COBEM2017.COB17-0843.
[2] S. C. Calvert, G. Mecacci, D. D. Heikoop, and F. S. de Sio, “Full platoon
control in Truck Platooning: A Meaningful Human Control
perspective,” in 2018 21st International Conference on Intelligent
Transportation Systems (ITSC), Maui, HI, Nov. 2018, pp. 3320–3326,
doi: 10.1109/ITSC.2018.8570013.
[3] S.-M. Castritius, X.-Y. Lu, C. Bernhard, M. Liebherr, P. Schubert, and
H. Hecht, “Public acceptance of semi-automated truck platoon driving.
A comparison between Germany and California,” Transportation
Research Part F: Traffic Psychology and Behaviour, vol. 74, pp. 361–
374, Oct. 2020, doi: 10.1016/j.trf.2020.08.013.
[4] ENSEMBLE, “Functional Specification for white-label truck.” 2019,
Accessed: Mar. 15, 2021. [Online]. Available:
https://www.acea.be/uploads/publications/ACEA_Automated_Driving
_Roadmap.pdf.
[5] J. Axelsson, “Safety in Vehicle Platooning: A Systematic Literature
Review,” IEEE Transactions on Intelligent Transportation Systems, vol.
18, no. 5, pp. 1033–1045, May 2017, doi: 10.1109/TITS.2016.2598873.
[6] B. Zhang, E. S. Wilschut, D. M. C. Willemsen, T. Alkim, and M. H.
Martens, “The Effect of See-Through Truck on Driver Monitoring
Patterns and Responses to Critical Events in Truck Platooning,” in
Advances in Human Aspects of Transportation, vol. 597, N. A. Stanton,
Ed. Cham: Springer International Publishing, 2018, pp. 842–852.
[7] T. Robinson and E. Coelingh, “Operating Platoons On Public
Motorways: An Introduction To The SARTRE Platooning Programme,”
p. 11.
[8] US. Department of Transportation, “Cooperative Adaptive Cruise
Control: Human Factors Analysis.,” FHWA-HRT-13-045, p. 48, 2013.
[9] ACEA, “Automated Driving: Roadmap for the deployment fo
automated driving in the European Union,” 2019.
https://www.acea.be/uploads/publications/ACEA_Automated_Driving
_Roadmap.pdf (accessed Mar. 15, 2021).
[10] P. A. Hancock, “Some pitfalls in the promises of automated and
autonomous vehicles,” Ergonomics, pp. 1–17, Jan. 2019, doi:
10.1080/00140139.2018.1498136.
[11] M. R. Endsley, “From Here to Autonomy: Lessons Learned From
Human–Automation Research,” Human Factors: The Journal of the
Human Factors and Ergonomics Society, vol. 59, no. 1, pp. 5–27, Feb.
2017, doi: 10.1177/0018720816681350.
[12] ISO/IEC, “Internet of Things (IoT) - Vocabulary”, ISO/IEC
20924:2018 International Standard. Available:
https://webstore.iec.ch/publication/60582 (accessed Mar. 22, 2021).
[13] M. Buchheit, F. Hirsch, and S. Schrecker, “A Short Introduction into
Trustworthiness.” Industrial Internet Consortium (IIC) Journal of
Innovation. White paper. (accessed Mar. 22, 2021).
[14] Schmidt, Teresa, Ralf Philipsen, and Martina Ziefle. "From v2x to
control2trust." International Conference on Human Aspects of
Information Security, Privacy, and Trust. Springer, Cham, 2015.
[15] Ghosal, Amrita, and Mauro Conti. "Security issues and challenges in
V2X: A Survey." Computer Networks 169 (2020): 107093.
[16] Shostack, Adam. Threat modeling: Designing for security. John Wiley
& Sons, 2014.
[17] Douceur, John R. "The sybil attack." International workshop on peer-
to-peer systems. Springer, Berlin, Heidelberg, 20.
[18] High-Level Expert Group on Artificial Intelligence. "Ethics Guidelines
for Trustworthy AI", Brussels, 2019.
[19] ISO/IEC 29182, Information technology - Sensor networks: Sensor
Network Reference Architecture (SNRA)- Part 1 to 7
[20] ITU- Y.2060: Overview of the Internet of things (Reference
Architecture). Available online at https://www.itu.int/rec/T-REC-
Y.2060-201206-I.29.
[21] IEEE. “IEEE 2413-2019 IEEE Standard for an Architectural
Framework for the Internet of Things (IoT)” Available:
https://standards.ieee.org/standard/2413-2019.html, 2019.
[22] ISO/IEC 30141, Internet of Things (IoT) – Reference architecture
[23] Alliance for Internet of Things innovation http://www.aioti.eu/. Last
accessed April 2020
[24] Lee, John D., and Katrina A. See. "Trust in automation: Designing for
appropriate reliance." Human factors 46.1 (2004): 50-80.
[25] European Automobile Manufacturers’ Association (ACEA). "EU
Roadmap for Truck Platooning.", 2017. Available:
https://www.acea.be/publications/article/infographic-eu-roadmap-for-
truck-platooning
[26] ISO/IEC, “InternetInformation technology — Artificial intelligence —
Overview of trustworthiness in artificial intelligence”, ISO/IEC TR
24028:2020 International Standard. Available:
https://www.iso.org/standard/77608.html (accessed on May, 2021).
[27] Schulze, Henrik, and Christian Lüders. “Theory and applications of
OFDM and CDMA: Wideband wireless communications”. John Wiley
& Sons, 2005.
[28] El-Rewini, Zeinab, et al. "Cybersecurity challenges in vehicular
communications." Vehicular Communications 23 (2020): 100214.
[29] IEEE. “IEEE 1609.2-2016 - IEEE Standard for Wireless Access in
Vehicular Environments--Security Services for Applications and
Management Messages”. Available:
https://standards.ieee.org/standard/1609_2-2016.html (accessed on
May, 2021).
[30] ETSI. “ETSI TS 102 941 V1.4.1. Intelligent Transport Systems (ITS);
Security; Trust and Privacy Management”, Jan., 2021.