As discussed in previous chapters, the freight transportation industry’s information systems may be vulnerable to cyberattacks. The consequences of a cyber-attack could be serious, both economically and physically. Further study is needed to identify specific vulnerabilities and risks and develop possible strategies to address those vulnerabilities while minimizing the costs of doing so. Such studies are warranted for the following reasons:
Information technology (IT) is becoming increasingly central to freight transportation.
With all IT come cybersecurity issues that should be carefully considered, in particular in the post–September 11 environment.
Addressing cybersecurity issues presents the same conundrum as other security issues: a trade-off between risk reduction and the costs of implementation.
No mechanism exists for determining analytically how far to go in reducing vulnerability or which steps should have the highest priorities.
Not enough is yet known about cybersecurity as related to freight IT or the impact of potential measures to enhance security.
Therefore, the committee concludes that a need exists for a comprehensive study to assess the current challenges in cybersecurity in freight transportation information systems and to identify possible strategies to mitigate identified vulnerabilities. Such strategies must account for the company composition and structure in each mode, the operations the companies perform, and the information systems they use. They must be based on an analysis of security gaps, the
Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 39
3 PLANNING A FULL STUDY As discussed in previous chapters, the freight transportation industry’s informa- tion systems may be vulnerable to cyberattacks. The consequences of a cyber- attack could be serious, both economically and physically. Further study is needed to identify speciﬁc vulnerabilities and risks and develop possible strategies to address those vulnerabilities while minimizing the costs of doing so. Such studies are warranted for the following reasons: • Information technology (IT) is becoming increasingly central to freight transportation. • With all IT come cybersecurity issues that should be carefully considered, in particular in the post–September 11 environment. • Addressing cybersecurity issues presents the same conundrum as other secu- rity issues: a trade-off between risk reduction and the costs of implementation. • No mechanism exists for determining analytically how far to go in reducing vulnerability or which steps should have the highest priorities. • Not enough is yet known about cybersecurity as related to freight IT or the impact of potential measures to enhance security. Therefore, the committee concludes that a need exists for a comprehensive study to assess the current challenges in cybersecurity in freight transportation information systems and to identify possible strategies to mitigate identiﬁed vul- nerabilities. Such strategies must account for the company composition and structure in each mode, the operations the companies perform, and the infor- mation systems they use. They must be based on an analysis of security gaps, the 39
OCR for page 39
40 CYBERSECURITY OF FREIGHT INFORMATION SYSTEMS: A SCOPING STUDY advantages and disadvantages of current and emerging technology and processes that could be implemented to enhance cybersecurity, and the ability of trans- port companies to implement them. The analysis that would permit such strate- gies to be developed has not been conducted. The committee discusses some elements of the required analysis below. ASSESSING SECURITY ISSUES It is generally understood that achieving cybersecurity requires a two-step risk assessment. First, an analysis must be performed to identify overall system vul- nerabilities, the threats that might exploit those vulnerabilities, and the con- sequences if the threats were indeed carried out. Figure 3-1 illustrates the interrelationship of these factors. Second, a risk management analysis must be conducted to evaluate possible measures to enhance cybersecurity, their costs, and their benefits. As discussed in Chapter 2, the nature of the coordinated information system that serves the nation’s freight transportation system makes this risk analysis extraordinarily difﬁcult compared with other computer secu- rity assessments. Nonetheless, this analysis of the overall interconnected sys- tem, as well as the individual subsystems, could be an important factor in reducing vulnerability to terrorist attacks. Actions to mitigate threats should depend on the speciﬁc threats considered plausible, the natures of the systems involved, and their owners. For example, a broad denial-of-service attack on the Bureau of Customs and Border Protection’s Automated Manifest System could shut down this necessary interaction point for all international shipments into the United States (see Appendix D). Vulnerabilities Threats Consequences FIGURE 3-1 Factors involved in cybersecurity assessments.
OCR for page 39
PLANNING A FULL STUDY 41 Without this system, international transportation activities could grind to a halt, with signiﬁcant economic consequences for U.S. manufacturers and businesses and, ultimately, the U.S. economy. The U.S. government is responsible for coun- tering such threats. Alternatively, a disabling attack on the dispatch system of a large carrier could bring that operation to a halt (and, correspondingly, all trans- portation activities linked to it). When potential targets are individually owned and operated systems, the design and implementation of the solution move to the companies that own these systems. Diversity characterizes the freight transportation sector. Achieving informa- tion system security demands a certain continuity of system design, implementa- tion, and security procedures that does not readily permit the ﬂexibility that might be desirable in accommodating such a diverse range of participants. As a result, careful identiﬁcation of possible measures is required. The choice of measures to counter cyberterrorism must consider economic as well as security issues. Ignoring cost could have serious economic consequences, handing terrorists one of their stated objectives. It is difﬁcult to estimate economic impacts across a broad sector such as freight transportation. Nonetheless, it must be recognized that this sector operates on tight proﬁt margins. Implementation of cybersecurity measures is unlikely to be optimal unless economic beneﬁts accom- pany the security solutions. Figure 3-2 provides a visualization of the overlap between measures to improve security and measures to improve economic perfor- mance; some security initiatives may improve economic performance, and others may not. Prioritization of possible measures for a diverse consortium of partici- pants must be sensitive to this point as a speciﬁc aspect of the risk management analysis. Another example of the tension between the diversity of the community and the continuity required for cybersecurity concerns evaluation of cybersecurity capabilities. Important questions must be addressed, including who would perform the monitoring role, how it would be accomplished (for example, whether pene- tration tests would be conducted), how frequently evaluations would occur, and how they would be reported. In view of these points, the process of evaluating possible measures and even- tually selecting some for implementation must be an integrated effort that is based on a risk prioritization methodology and a cost–beneﬁt methodology that are shared and understood by all affected members of the freight transportation com- munity. The prioritization methodology should account for the consequences of potential attacks; the availability, efﬁcacy, and cost of possible measures; their side beneﬁts; and the distribution of costs and beneﬁts to community members and the nation as a whole. At present, no such methodology is in use or under
OCR for page 39
42 CYBERSECURITY OF FREIGHT INFORMATION SYSTEMS: A SCOPING STUDY Security Economics (a) Security Economics (b) FIGURE 3-2 Relationship between security and economic beneﬁts: (a) little or no economic beneﬁt to security enhancements; (b) signiﬁcant economic beneﬁt to security enhancements. development. In addition, no single organization has a mandate to develop and manage the use of such a methodology. This report provides a set of recommen- dations that, if followed, would be the start of a process for selecting, implement- ing, and managing measures for countering potential terrorist cyberattacks. The study suggested here is intended to provide a strategy for approaching these issues. It might be necessary to involve several entities in the conduct of the study. The National Academies could do some of the work, but this is not a proposal for an Academies study. Industry consultants might collect data. One or more federally funded research and development centers could do the detailed analysis. Various academic research programs also could be involved. In all these tasks, it will be necessary to impose strict conditions on the infor- mation collected and on the way it is processed. Not only is company conﬁ- dentiality a major concern, but so is the possibility that the information might
OCR for page 39
PLANNING A FULL STUDY 43 be compromised by the terrorists that the study is intended to combat. Also, for all these tasks, it will be important to study not only private freight information systems, but also those government information systems that interface with the freight transportation sector (e.g., the various information systems operated by Customs and Border Protection). STUDY PLAN Task 1. Determine the chief vulnerabilities of freight transportation informa- tion systems. No complete system description exists of the use of IT in the transportation sector. The ﬁrst step of this task is to identify at least the major components that can affect cybersecurity and their interconnections. Part of this task would be to understand the role that these IT components play in normal operations so that the consequences of their loss to cyberattacks can be understood. Information on backup systems should also be sought. This information might be obtained with a survey (if consistent with cur- rent administration requirements) and then a series of interviews. A variety of companies in each mode must cooperate to ensure adequate coverage and mask company-speciﬁc data. In many cases, the information will be already available. It will not be necessary to have great detail as to which company uses which technology. Rather, information concerning the general prevalence of different types of systems in each mode and their interconnections is desired. Then the systems—and the intermodal, interconnected system—can be examined for vulnerabilities and the potential consequences if those vul- nerabilities should be exploited. Much of this work would reﬂect generic IT vulnerability studies, but the speciﬁc use of the technologies in the freight industry would have to be reviewed. A variety of plausible attack scenarios would then be tested on the different modes to assess the systems as they exist now and as they are evolving in order to understand the likelihood of suc- cess and the extent of the consequences. The purpose would be to develop a preliminary list of the vulnerabilities that should be considered in the tasks below. As shown in Figure 3-1, priority should be a function of the plausi- bility of the type of threat that could exploit the vulnerability, the ease of exploiting the vulnerability, and the consequences. Of particular interest would be the ease of shutting down large parts of the system and the possi- bility of malicious use of the system. This task might identify or develop a methodology to determine the prioritization analytically on the basis of these factors. The great diversity of transportation modes and company characteristics suggests that a large
OCR for page 39
44 CYBERSECURITY OF FREIGHT INFORMATION SYSTEMS: A SCOPING STUDY number of cases must be considered and that potential remedial measures could differ widely. However prioritization is determined, it will be important to maintain a system-level perspective to identify, assess, and compare the security issues at the level of components, subsystems, and the overall system. Task 2. Review current industry and government practices addressing IT security. Security practices will be difﬁcult to obtain in detail. Most compa- nies will be understandably reluctant to discuss their practices and protective hardware and software because of concern that any revelations could com- promise security. It may be possible, as in Task 1, to obtain this information by interviews conducted under stringent departmental assurances of nondis- closure. As in Task 1, an exhaustive list of which companies use which mea- sures is not necessary, just a general sense of the level of security in each mode. Representative companies and government agencies might be presented with a menu of security options and asked what they use. This information could then be compiled without identifying the source. One concern, however, is that the effectiveness of these options often lies in the stringency with which they are implemented. For example, if an employee forgets his smart token but can log on anyway through a back door, security will be compromised to some degree. That information will be even more difﬁcult to procure and may even be unknown to most company ofﬁ- cials. Interviewers must be well versed in the technology and its use and pre- pared to probe for details. Another possibility might be for the government to fund a series of pilot studies of various technologies and processes to see how well they work in speciﬁc contexts. Task 3. Determine the potential for IT-related security enhancements in the sector. This task is, in part, a follow-up to Tasks 1 and 2 and could lead to a prioritization of possible measures to reduce vulnerability. The purpose would not be to identify which measures speciﬁc companies should take, but to provide a general sense of the important identiﬁed cybervulnerabilities that could be addressed and the approximate costs of doing so. Possible measures to address the vulnerabilities identiﬁed in Tasks 1 and 2 should be identiﬁed for each mode and for the overall freight transportation system, because of its pervasive intermodal nature, as well as for technologies and processes as they are now and as they may evolve. Analyses should be made of the expected costs (including potential interference with normal operations) in countering these vulnerabilities.
OCR for page 39
PLANNING A FULL STUDY 45 Then an additional factor can be added to the prioritization of Task 1: the costs of reducing vulnerability. This reﬁnement may change the list of pri- orities. For example, a vulnerability that might result in only a moderate- consequence incident could rise on the list if the cost of remedying it were small and could actually involve signiﬁcant improvements in operational efﬁ- ciency. Alternatively, a vulnerability subject to a high-consequence attack that can only be addressed with very expensive ﬁxes might drop in priority. In connection with this task, emerging technologies and practices should be examined to determine what role, if any, they could play in addressing identiﬁed cybersecurity gaps and deﬁciencies. Integral to such an assessment should be both an analysis of various modes of the industry and an analysis of the overall, intermodal freight transportation system, along with an assess- ment of how realistic and attractive these technologies and practices would appear to decision makers—that is, their economic and operational incen- tives and disincentives. Companies must believe that the beneﬁts of their investments are commensurate with the costs. If a measure improves both security and efﬁciency at a reasonable cost, it may be implemented as a mat- ter of course (although these measures must compete for a place above the cutoff point on the list of potential investments that all companies consider). Other concepts might require government support because the beneﬁts to the company are insufﬁcient. In addition, IT may decline in cost with increasing scale of deployment. This pattern may or may not apply to cybersecurity technology. Therefore, this task should examine potential cost changes and the possibility that targeted deployment strategies might make prioritized cybersecurity measures more attractive. What might now be impractical could become cost-effective within a few years. In addition, there should be study of “upstream” scientiﬁc and techno- logical developments that may result in new opportunities for IT application in the future. Task 4. Analyze policies to reduce cybervulnerability. The U.S. government could play a useful role in disseminating information on new security options and best practices. For example, the pilot studies listed in Appendix B may identify promising measures to enhance cybersecurity, but unless they are recognized by companies that can use them, they will not be imple- mented. The study could identify likely means, such as an annual sympo- sium to discuss innovations or a series of training sessions. The study also might identify follow-up studies to determine the extent to which these options were being implemented. For example, it might suggest
OCR for page 39
46 CYBERSECURITY OF FREIGHT INFORMATION SYSTEMS: A SCOPING STUDY government–industry cooperation in performing cybersecurity validations, perhaps including “red teaming” to test security. It should apply the same tests to government’s connections to the private-sector IT systems. Finally, this task might develop a set of cybersecurity guidelines and rec- ommendations, or at least suggest a methodology to determine how much security is enough. It could analyze how to promote the use of such guide- lines most effectively. Task 5. Assess the economic impacts of cost increases in the freight trans- portation industry. Some cybersecurity measures may bring with them cor- responding economic beneﬁts. For example, the use of digital signatures might reduce costs related to errors and fraud detection and management. The result- ing improved service could also increase customer conﬁdence. However, cer- tain measures might protect against low-likelihood but very high-consequence events, such as those that may help enable the transport of weapons of mass destruction. Such measures are less likely to have ancillary beneﬁts but could result in signiﬁcant additional costs. The public might beneﬁt from a reduc- tion in the risk of a catastrophe, but the companies making the investment may not. Even cost-effective measures may be problematical for companies that are making no proﬁt. The costs of increased cybersecurity could ulti- mately affect all companies that rely on the transport industry. This task should deal with the following issues: 1. At what levels and distribution of costs for security does the economic impact become a concern, for the freight industry itself, its users, and the U.S. economy? 2. On the basis of existing models for relating economic inputs and outputs, what changes in economic outputs might result from varying levels of investment in security? 3. Given the tight margins associated with the freight industry, is there a signiﬁcant possibility of economic damage to the companies that consti- tute this industry? 4. For investments that may be needed for national security purposes but that provide little or no advantage to the company implementing the measures, what form of government participation (e.g., tax credits) would be most effective? Results should be quantitative and be developed for a wide set of assumptions in order to permit consideration of a signiﬁcant range of possible outputs.