TRANSPORTATION RESEARCH BOARD SPECIAL REPORT 274
CYBERSECURITY
OF FREIGHT INFORMATION
SYSTEMS
A SCOPING STUDY
Committee on Freight Transportation Information Systems Security
Computer Science and Telecommunications Board
Transportation Research Board
TRANSPORTATION RESEARCH BOARD
Washington, D.C.
2003
www.TRB.org
Transportation Research Board Special Report 274
Subscriber Categories
VIII freight transportation (multimodal)
IX marine transportation
Transportation Research Board publications are available by ordering individual publications directly
from the TRB Business Office, through the Internet at www.TRB.org or national-academies.org/trb,
or by annual subscription through organizational or individual affiliation with TRB. Affiliates and
library subscribers are eligible for substantial discounts. For further information, contact the
Transportation Research Board Business Office, 500 Fifth Street, NW, Washington, DC 20001
(telephone 202-334-3213; fax 202-334-2519; or e-mail TRBsales@nas.edu).
Copyright 2003 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America.
NOTICE: The project that is the subject of this report was approved by the Governing Board of the
National Research Council, whose members are drawn from the councils of the National Academy of
Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the
committee responsible for the report were chosen for their special competencies and with regard for
appropriate balance.
This report has been reviewed by a group other than the authors according to the procedures
approved by a Report Review Committee consisting of members of the National Academy of Sciences,
the National Academy of Engineering, and the Institute of Medicine.
The study was sponsored by the Research and Special Programs Administration of the U.S.
Department of Transportation.
Library of Congress Cataloging-in-Publication Data
National Research Council (U.S.). Committee on Freight Transportation Information Systems Security.
Cybersecurity of freight information systems : a scoping study / Committee on Freight
Transportation Information Systems Security, Transportation Research Board of the National
Academies.
p. cm.—(Special report)
ISBN 0-309-08555-1
1. Telecommunication—Safety measures. 2. Freight and freightage—Security measures. I. Title.
II. Special report (National Research Council (U.S.). Transportation Research Board)
TK5103.2.N39 2003
388′.044′028558—dc22
2003056526
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of
distinguished scholars engaged in scientific and engineering research, dedicated to the
furtherance of science and technology and to their use for the general welfare. On the authority of
the charter granted to it by the Congress in 1863, the Academy has a mandate that requires
it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts
is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the
National Academy of Sciences, as a parallel organization of outstanding engineers. It is
autonomous in its administration and in the selection of its members, sharing with the
National Academy of Sciences the responsibility for advising the federal government. The
National Academy of Engineering also sponsors engineering programs aimed at meeting
national needs, encourages education and research, and recognizes the superior achievements
of engineers. Dr. William A. Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to
secure the services of eminent members of appropriate professions in the examination of
policy matters pertaining to the health of the public. The Institute acts under the responsibility
given to the National Academy of Sciences by its congressional charter to be an adviser to
the federal government and, on its own initiative, to identify issues of medical care, research,
and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916
to associate the broad community of science and technology with the Academy’s purposes of
furthering knowledge and advising the federal government. Functioning in accordance with
general policies determined by the Academy, the Council has become the principal operating
agency of both the National Academy of Sciences and the National Academy of
Engineering in providing services to the government, the public, and the scientific and
engineering communities. The Council is administered jointly by both the Academies and the
Institute of Medicine. Dr. Bruce M. Alberts and Dr. William A. Wulf are chair and vice chair,
respectively, of the National Research Council.
The Transportation Research Board is a division of the National Research Council, which
serves the National Academy of Sciences and the National Academy of Engineering. The
Board’s mission is to promote innovation and progress in transportation through research. In
an objective and interdisciplinary setting, the Board facilitates the sharing of information on
transportation practice and policy by researchers and practitioners; stimulates research and
offers research management services that promote technical excellence; provides expert advice
on transportation policy and programs; and disseminates research results broadly and
encourages their implementation. The Board’s varied activities annually engage more than 4,000
engineers, scientists, and other transportation researchers and practitioners from the public
and private sectors and academia, all of whom contribute their expertise in the public
interest. The program is supported by state transportation departments, federal agencies including
the component administrations of the U.S. Department of Transportation, and other
organizations and individuals interested in the development of transportation.
www.TRB.org
www.national-academies.org
TRANSPORTATION RESEARCH BOARD
2003 EXECUTIVE COMMITTEE*
Chair: Genevieve Giuliano, Director, Metrans Transportation Center, and
Professor, School of Policy, Planning, and Development, University of
Southern California, Los Angeles
Vice Chair: Michael S. Townes, President and CEO, Hampton Roads Transit,
Virginia
Executive Director: Robert E. Skinner, Jr., Transportation Research Board
Michael W. Behrens, Executive Director, Texas Department of Transportation,
Austin
Joseph H. Boardman, Commissioner, New York State Department of
Transportation, Albany
Sarah C. Campbell, President, TransManagement, Inc., Washington, D.C.
E. Dean Carlson, President, Carlson Associates, Topeka, Kansas (Past Chair,
2002)
Joanne F. Casey, President and CEO, Intermodal Association of North America,
Greenbelt, Maryland
James C. Codell III, Secretary, Kentucky Transportation Cabinet, Frankfort
John L. Craig, Director, Nebraska Department of Roads, Lincoln
Bernard S. Groseclose, Jr., President and CEO, South Carolina State Ports
Authority, Charleston
Susan Hanson, Landry University Professor of Geography, Graduate School of
Geography, Clark University, Worcester, Massachusetts
Lester A. Hoel, L.A. Lacy Distinguished Professor of Engineering, Department of
Civil Engineering, University of Virginia, Charlottesville (Past Chair, 1986)
Henry L. Hungerbeeler, Director, Missouri Department of Transportation,
Jefferson City
Adib K. Kanafani, Cahill Professor and Chairman, Department of Civil and
Environmental Engineering, University of California, Berkeley
Ronald F. Kirby, Director of Transportation Planning, Metropolitan Washington
Council of Governments, Washington, D.C.
Herbert S. Levinson, Principal, Herbert S. Levinson Transportation Consultant,
New Haven, Connecticut
Michael D. Meyer, Professor, School of Civil and Environmental Engineering,
Georgia Institute of Technology, Atlanta
Jeff P. Morales, Director of Transportation, California Department of
Transportation, Sacramento
Kam Movassaghi, Secretary, Louisiana Department of Transportation and
Development, Baton Rouge
Carol A. Murray, Commissioner, New Hampshire Department of Transportation,
Concord
David Plavin, President, Airports Council International, Washington, D.C.
John Rebensdorf, Vice President, Network and Service Planning, Union Pacific
Railroad Company, Omaha, Nebraska
*Membership as of August 2003.
Catherine L. Ross, Harry West Chair of Quality Growth and Regional
Development, College of Architecture, Georgia Institute of Technology, Atlanta
John M. Samuels, Senior Vice President, Operations Planning and Support,
Norfolk Southern Corporation, Norfolk, Virginia (Past Chair, 2001)
Paul P. Skoutelas, CEO, Port Authority of Allegheny County, Pittsburgh,
Pennsylvania
Martin Wachs, Director, Institute of Transportation Studies, University of
California, Berkeley (Past Chair, 2000)
Michael W. Wickham, Chairman and CEO, Roadway Express, Inc., Akron, Ohio
Marion C. Blakey, Administrator, Federal Aviation Administration, U.S.
Department of Transportation (ex officio)
Samuel G. Bonasso, Acting Administrator, Research and Special Programs
Administration, U.S. Department of Transportation (ex officio)
Rebecca M. Brewster, President and COO, American Transportation Research
Institute, Smyrna, Georgia (ex officio)
Thomas H. Collins (Adm., U.S. Coast Guard), Commandant, U.S. Coast Guard,
Washington, D.C. (ex officio)
Jennifer L. Dorn, Administrator, Federal Transit Administration, U.S.
Department of Transportation (ex officio)
Robert B. Flowers (Lt. Gen., U.S. Army), Chief of Engineers and Commander,
U.S. Army Corps of Engineers, Washington, D.C. (ex officio)
Harold K. Forsen, Foreign Secretary, National Academy of Engineering,
Washington, D.C. (ex officio)
Edward R. Hamberger, President and CEO, Association of American Railroads,
Washington, D.C. (ex officio)
John C. Horsley, Executive Director, American Association of State Highway
and Transportation Officials, Washington, D.C. (ex officio)
Michael P. Jackson, Deputy Secretary, U.S. Department of Transportation
(ex officio)
Roger L. King, Chief Technologist, Applications Division, National Aeronautics
and Space Administration, Washington, D.C. (ex officio)
Robert S. Kirk, Director, Office of Advanced Automotive Technologies, U.S.
Department of Energy (ex officio)
Rick Kowalewski, Acting Director, Bureau of Transportation Statistics, U.S.
Department of Transportation (ex officio)
William W. Millar, President, American Public Transportation Association,
Washington, D.C. (ex officio) (Past Chair, 1992)
Mary E. Peters, Administrator, Federal Highway Administration, U.S.
Department of Transportation (ex officio)
Suzanne Rudzinski, Director, Transportation and Regional Programs, U.S.
Environmental Protection Agency (ex officio)
Jeffrey W. Runge, Administrator, National Highway Traffic Safety
Administration, U.S. Department of Transportation (ex officio)
Allan Rutter, Administrator, Federal Railroad Administration, U.S. Department
of Transportation (ex officio)
Annette M. Sandberg, Administrator, Federal Motor Carrier Safety
Administration, U.S. Department of Transportation (ex officio)
William G. Schubert, Administrator, Maritime Administration, U.S. Department
of Transportation (ex officio)
COMPUTER SCIENCE AND
TELECOMMUNICATIONS BOARD
David D. Clark, Massachusetts Institute of Technology, Chair
Eric Benhamou, 3Com Corporation
David Borth, Motorola Labs
John M. Cioffi, Stanford University
Elaine Cohen, University of Utah
W. Bruce Croft, University of Massachusetts, Amherst
Thomas E. Darcie, University of Victoria
Joseph Farrell, University of California, Berkeley
Joan Feigenbaum, Yale University
Hector Garcia-Molina, Stanford University
Wendy Kellogg, IBM T.J. Watson Research Center
Butler W. Lampson, Microsoft Corporation
David Liddle, U.S. Venture Partners
Tom M. Mitchell, Carnegie Mellon University
David A. Patterson, University of California, Berkeley
Henry (Hank) Perritt, Chicago-Kent College of Law
Daniel Pike, GCI Cable and Entertainment
Eric Schmidt, Google Inc.
Fred B. Schneider, Cornell University
Burton Smith, Cray Inc.
Lee Sproull, New York University
William Stead, Vanderbilt University
Jeannette M. Wing, Microsoft Research; Carnegie Mellon University
(on leave)
Marjory S. Blumenthal, Director
COMMITTEE ON FREIGHT TRANSPORTATION
INFORMATION SYSTEMS SECURITY
Robert E. Gallamore, Chair, Director, Transportation Center, Northwestern
University
A. Ray Chamberlain, Vice Chair, Vice President, Parsons Brinckerhoff, Inc.
Frank J. Anstett, Manager, Infrastructure Security, Raytheon Company
Samuel H. Banks, Senior Vice President, U.S. Customs Modernization
Project, Sandler and Travis Trade Advisory Services
Richard A. Holmes, Jr., General Director, Security and Quality Assurance,
Union Pacific Railroad
Barry Horowitz, NAE, Professor, Department of Systems Engineering,
University of Virginia
John L. King, Professor and Dean, School of Information, University of
Michigan
Lars Kjaer, Vice President, World Shipping Council
Art Kosatka, Chief Executive Officer, TranSecure LLC
Steven J. Lambright, Vice President, Savi Technology
Daniel Murray, Director of Research, American Transportation Research
Institute
Frank M. Pittelli, President, Navius Technologies, LLC
Alan F. Spear, President, MRC Investigations (USA), Inc.
Karen Ryan Tobia, Manager, Technology Planning, Port Commerce
Department, Port Authority of New York and New Jersey
NATIONAL RESEARCH COUNCIL STAFF
Alan T. Crane, Study Director
Steven Woo, Program Officer
PREFACE
The merger of information system technology and transportation infrastructure
is transforming the freight transportation industry in a variety of ways. These
changes are producing new ways to organize companies’ supply chains as well as
military logistics. As the new freight information systems become more fully
integrated, they are expected to have great private and public benefits.
These systems, however, may be vulnerable to cyberattack. In accordance
with the national initiative to increase security of critical infrastructure, the U.S.
Department of Transportation (DOT) requested that the National Research
Council (NRC) review trends in the use of information technology in the freight
transportation industry and assess potential vulnerabilities to a cyberattack. In
response, NRC formed the Committee on Freight Transportation Information
Systems Security, under the Transportation Research Board (TRB) and the
Computer Science and Telecommunications Board, to conduct a scoping study
to develop an approach, study, or other process that DOT could use to address
the vulnerabilities of freight information systems.
Specifically, the committee was charged with recommending how to conduct
a study that would result in
1. A baseline description of the U.S. freight transportation communication and
information systems, including interconnectivity with international carriers,
government entities (U.S. and non-U.S.), customers, and other business partners;
2. A summary of ongoing and emerging efforts in such areas as electronic data
interchange, telecommunications and data transfer, trends in the use of the
Internet, business practices, customs, immigration and agriculture clearance
processes, electronic letters of credit, integrated logistics software, positive
train control, intelligent transportation systems, and all other information-
and communication-based processes and technology improvements that affect
transportation, shipping, and logistics;
3. A review of current industry practices addressing security (with emphasis on
information technology–related dimensions); and
4. An identification and summary of the potential vulnerabilities that may be
created by the interconnection/interface and possible integration of these new
systems.
One of the complexities of a project such as this is that developers and
operators of the relevant system will be reluctant to discuss or admit to specific
security weaknesses publicly. Thus the committee had to recommend a process that
would permit the problems to be identified and addressed.
The committee held its first meeting on November 25–26, 2002. The project,
from committee formation to final report, took 7 months. During that time the
committee met twice at NRC headquarters in Washington, D.C. In addition, its
members and staff held numerous telephone conferences to discuss their findings.
After the start of the study, the Department of Homeland Security (DHS),
which incorporates many of the relevant functions formerly performed by DOT,
was created. Hence the committee directs many of its recommendations and
comments to DHS as well as to DOT.
ACKNOWLEDGMENTS
This report has been reviewed in draft form by individuals selected for their
diverse technical expertise, in accordance with procedures approved by the
NRC’s Report Review Committee. The purpose of this independent review is
to provide candid and critical comments that will assist the institution in making
the published report as sound as possible and to ensure that the report meets
institutional standards for objectivity, evidence, and responsiveness to the study
charge. The review comments remain confidential to protect the integrity of the
deliberative process.
The reviewers of this report were Noel D. Matchett, Information Security,
Inc.; Steven B. Lipner, Microsoft Corporation; Peter Martin, Lakeville Motor
Express; and David Zanca, Federal Express. The committee is grateful for the
many constructive comments and suggestions the reviewers provided. The
reviewers were not, however, asked to endorse the findings and conclusions, nor
did they see the final draft before its release. Responsibility for the final content
of this report rests entirely with the authoring committee and NRC.
The review of this report was overseen by Lester A. Hoel, University of
Virginia, Charlottesville. He was appointed by NRC to ensure that an independent
examination of this report was carried out in accordance with institutional
procedures and that all review comments were carefully considered. Suzanne
Schneider, Associate Executive Director of TRB, managed the report review
process. The committee appreciates the speed and efficiency of this review.
This study was managed by Alan T. Crane under the direction of the committee
and the supervision of Stephen Godwin, Director of TRB’s Studies and
Information Services.
The report was written by the committee members and the NRC staff. The
committee also appreciates the vital contributions of Jocelyn Sands, Frances
E. Holland, and Amelia B. Mathis. Joedy W. Cambridge and Joseph A. Breen
provided valuable suggestions while the committee was being formed. This report
has been edited by Norman Solomon under the supervision of Nancy Ackerman,
Director of Publications.
Robert E. Gallamore, Chair
A. Ray Chamberlain, Vice-Chair
Committee on Freight Transportation Information Systems Security
ACRONYMS AND
GLOSSARY
ABI Automated Broker Interface.
ACE Automated Commercial Environment.
ACS Automated Commercial System.
AES U.S. Bureau of Customs and Border Protection’s Automated Export
System.
Airbill Receipt for carriage of air freight.
AMS U.S. Bureau of Customs and Border Protection’s Automated Manifest
System.
ANSI X12 Voluntary standards, maintained by the American National
Standards Institute (ANSI), defining the structure, format, and content of
business transactions conducted through electronic data interchange
(EDI). ANSI X12 is produced by the committee ASC X12, supported by
the Data Interchange Standards Association, Inc. (DISA).
APIS Advanced passenger information system.
ATIS Advanced traffic information system.
ATRI American Transportation Research Institute.
ATS Advance targeting system.
AVI Automatic vehicle identification.
BASSC Business Anti-Smuggling Security Coalition.
Bill of lading A statement of the nature and value of goods being transported,
especially by ship, along with the conditions applying to their transport.
Drawn up by the carrier, this document serves as a contract between the
owner of the goods and the carrier.
CAMIR Customs Automated Interface Requirements.
CHCP Cargo Handling Cooperative Program.
CRM Customer relationship management.
CSTB Computer Science and Telecommunications Board of the National
Academies.
CSI Container Security Initiative.
Cyberterrorism Terrorism related to computer and information systems.
DASD Direct-access storage device.
Denial-of-service (DOS) attack An attack on a computer network effected
by overloading the access points, so that further access is slowed or stopped
altogether.
DHS Department of Homeland Security.
DNS Domain name service.
DOT Department of Transportation.
Drayage Generally, carriage of freight, often by truck.
EA Enterprise architecture.
EDI Electronic data interchange.
ERP Enterprise resource planning.
ESCM Electronic supply chain manifest.
ExpressLink Proprietary system for interconnecting the corporate-level systems
of four regional trucking companies.
FAA Federal Aviation Administration.
FAST Free and Secure Trade.
FBI Federal Bureau of Investigation.
FHWA Federal Highway Administration.
Firewalls Hardware and software systems intended to isolate a local area network
from access.
FIRST Freight Information Real-Time System (for Port Authority of New
York and New Jersey).
Forwarder A company that ships cargo for hire.
Freight brokers A company that arranges or consolidates freight shipments.
Freight forwarder See “forwarder.”
GPS Global Positioning System.
Hazmat Hazardous material.
IBIS Interagency Border Information System.
INS Immigration and Naturalization Service.
ISAC Information Sharing and Analysis Center.
ISO International Standards Organization.
IT Information technology.
ITDS International Trade Data System.
ITS Intelligent transportation systems.
Jones Act The Merchant Marine Act of 1920 and related statutes, requiring
that vessels used to transport cargo and passengers between U.S. ports be
owned by U.S. citizens, built in U.S. shipyards, and manned by U.S.-citizen
crews.
Just-in-time (JIT) A business system of supplying to each process what is
needed at the time it is needed, and in the quantity needed, to minimize
production lead times and reduce inventory.
LIA Logistics Integration Agency.
Load bidding For carriers, the practice of negotiating for freight.
Merchant haulage Transport of cargo in shipping containers arranged by the
owner or possessor of the goods.
MTMC Military Traffic Management Command.
NHS National Highway System.
NOA Notice of arrival.
NRC National Research Council of the National Academies.
NVMC National Vessel Movement Center.
NVOCC Non–vessel operating common carrier.
OSC Operation Safe Commerce.
Positive train control The use of digital data communications, automatic
positioning systems, wayside interface units (to communicate with switches
and wayside detectors), onboard and control center computers, and other
advanced display, sensor, and control technologies to manage and control
railroad operations.
Red teaming Acting as an adversary for the unauthorized access to a physical
or computer system to expose the system’s vulnerabilities.
RFID Radio frequency identification.
R&D Research and development.
SCADA Supervisory control and data acquisition.
Sim-Tag Simulator for RFID tags.
SSTL Smart and Secure Trade Lanes.
TECS Treasury Enforcement Communications System.
Third-party logistics provider (3PL) Provider of logistics services for hire.
TRB Transportation Research Board of the National Academies.
TSA Transportation Security Administration.
TSWG Trucking Security and Anti-Terrorism Working Group.
TWIC Transportation worker identification card.
USDOT U.S. Department of Transportation.
VHF Very high frequency.
VPN Virtual private network.
Waybill Shipping document.
WCO World Customs Organization.
XML Extensible markup language.
CONTENTS
Executive Summary
1 The Evolving Freight Industry
  How Efficient Transportation Creates Economic Growth
  Differences Among Modes
2 Freight Information System Technologies
  Existing IT Applications
  IT Trends and Emerging Technologies
3 Planning a Full Study
  Assessing Security Issues
  Study Plan
Appendixes
A Information Management Systems in the International Liner Shipping Industry
B Security Initiatives and Programs with Cybersecurity Relevance
C Protecting International Trade Corridors: The Operation Safe Commerce Initiative
D U.S. Bureau of Customs and Border Protection Use of Information Technology
Study Committee Biographical Information