2 Assessing Vulnerability

The starting point of the study that produced this report was a vulnerability assessment prepared by DOT (1998a). The committee's first task was to review that assessment as a foundation for defining areas that new technologies and processes could make less vulnerable and for identifying which of those technologies and processes might be effective, affordable, and acceptable to users. This chapter presents key elements of the committee's review.1 It also addresses the important question of strategic vulnerabilities, that is, the effect of attacks on the transportation system as a whole, beyond their effect on any individual targeted element of the system.

Review of the Methodology and Findings of the Department of Transportation Vulnerability Assessment

Overall, the DOT vulnerability assessment is excellent, and DOT is to be commended for producing a useful report. The assessment clearly demonstrates the validity of concerns about security in surface transportation and lays a good foundation for addressing those concerns via an R&D program.

1 Many of these points were made in previous communications from the committee to DOT (which are superseded by this report). The committee understands that DOT is revising the vulnerability assessment in response to those communications.

General Methodology

The DOT vulnerability assessment explicitly avoids assessing the probability of any given type of attack occurring. Instead, it examines a variety of scenarios for possible attacks and assesses the damage that could be caused in each scenario, including both human casualties and economic losses. A key finding of the assessment is a categorization of each scenario as to the likelihood of success if the attack were attempted and the resulting impact if the attack succeeded. The likelihood of success is rated as improbable, moderately probable, highly probable, or certain. The potential impact is rated as not serious, moderately serious, very serious, or catastrophic.

The assessment process used a nine-step methodology:

1. Identification of assets, such as facilities, vehicles, and equipment, based on the expert knowledge of DOT and industry personnel
2. Screening of the criticality of assets and selection of key assets for further evaluation based on the high impact their loss would have (as determined by expert opinion) on people or system operations or both
3. Identification of threats to critical assets based on historical data and expert opinion
4. Formulation of scenarios by pairing the critical assets identified in Step 2 with the threats identified in Step 3
5. Assessment of the vulnerability of assets in each scenario, i.e., assessment of the characteristics (such as ease of access or presence of security measures) that make an asset easy or difficult to attack
6. Assessment of the impact of an attack in each scenario, focusing on deaths, injuries, property damage, and loss of service
7. Categorization of scenarios by likelihood of loss and severity of impact
8. Review of consistency by a panel of experts to ensure that scenarios involving different modes of transportation were assessed on comparable scales
9. Identification of potential countermeasures

DOT acknowledges that the scenarios are illustrative, not exhaustive, but they cover a wide range of possible targets and attacks (see Table 2-1). The vulnerability assessment states clearly that it analyzes only the vulnerabilities of surface transportation assets, without regard to the likelihood of any particular threat. (Presumably, though, the threats identified in Step 3 above are considered at least plausible. Just selecting scenarios for consideration implicitly constitutes a first-order assessment of their likelihood.) The methodology used is appropriate and adequate for such an analysis, and for the most part, the selection of scenarios is comprehensive and illustrates the methodology well. In addition to the review of consistency that was conducted by an expert panel (Step 8), the basic assumptions and predicted consequences of each scenario should be subjected to a further reality check, in cooperation with representatives of the relevant transportation industries. (The present study does not attempt to examine individual scenarios at this level of detail. Doing so would require input from a much larger, broader group.)

TABLE 2-1 Scenarios Considered in the DOT Vulnerability Assessment

Physical Attacks
  car bomb at bridge approach
  series of small explosives on highway bridge
  single small explosive on highway bridge
  single small explosive in highway tunnel
  car bomb in highway tunnel
  series of car bombs on adjacent bridges or tunnels
  bomb(s) detonated at pipeline compressor stations
  bomb detonated at pipeline storage facility
  bomb detonated on pipeline segment
  simultaneous attacks on ports
  terrorist bombing of waterfront pavilion
  container vessel fire at marine terminal
  ramming of railroad bridge by maritime vessel
  attack on passenger vessel in port
  shooting in rail station
  vehicle bomb adjacent to rail station
  bombing of airport transit station
  bombing of underwater transit tunnel
  bus bombing
  deliberate blocking of highway-rail grade crossing
  terrorist bombing of rail tunnel
  bomb detonated on train in rail station
  vandalism of track structure and signal system
  terrorist bombing of rail bridge
  explosives attack on multiple rail bridges
  explosive in cargo of passenger aircraft

Biological Attacks
  biological release in highway tunnel
  anthrax release from freight ship
  anthrax release in transit station
  anthrax release on passenger train

Chemical Attacks
  sarin release in multiple subway stations
  physical attack on railcar carrying a toxic chemical

Cyber and C3 Attacks
  cyber attack on highway traffic control system
  cyber attack on pipeline automated control system
  attack on port power and telecommunications facility
  sabotage of train control system
  tampering with rail signals
  cyber attack on train control center

Threat Analysis

In order to develop an appropriate response strategy consisting of policy changes or a program of R&D, further analysis of the likelihood of different threats is highly desirable. The DOT assessment identified threats based on input from a combination of historical data, surveys, and the advice of security experts, but its goal was to assess vulnerabilities, not risks or threats. A threat analysis would require much more detailed consideration of these inputs. It would also, of course, make the resulting report a much more sensitive document. Moreover, the committee recognizes the great difficulty of such an analysis, including the limitations of extrapolating from historical data as the methods and targets of attackers continue to evolve. This question is revisited briefly in Chapter 3 in the discussion of setting priorities for R&D.

Means of Attack

The vulnerability assessment includes a nine-page chapter on possible means of attack against surface transportation. Such a brief discussion is appropriate as background for the vulnerability assessment, but future efforts to extend the assessment will have to be based on a more complete, balanced, and clearly defined analysis of the various means of threat delivery.

Cyber and C3 Attacks

Cyber attacks and other attacks on the command, control, and communications (C3) systems of surface transportation are not given enough attention or analysis in the assessment. This lack of emphasis may have been an attempt to avoid duplicating other ongoing efforts, such as the work of the PCCIP.
Nevertheless, the transportation industries' increasing use of automation and telecommunications makes consideration of cyber and C3 attacks essential, especially the interrelationships among cyber attacks and noncyber attacks directed against C3 targets. Discussion of the transportation sector's use of the Global Positioning System (GPS) is also lacking. The need to examine cyber and C3 vulnerabilities is part of the broader need to examine systemic, or strategic, interdependencies and vulnerabilities. The discussion of cyber attacks that does appear in the DOT assessment focuses mostly on the introduction of computer viruses into computer-based control centers and the resulting disruption or denial of automated services. Unfortunately, one can easily envision scenarios with much more destructive effects (Box 2-1). As this report was nearing completion, an outbreak of the Melissa computer virus drew considerable media attention. Implemented as a computer program embedded in a word processor document, Melissa spread copies of itself automatically via e-mail when the document was read. This caused network congestion and user confusion, but like most virus incidents, it was apparently not intended to destroy or disclose sensitive information. The Melissa experience is instructive, however, because another attacker might use a similar mechanism to propagate a more targeted, more hostile code with the aim of damaging a particular user or system. For example, such a mechanism might be used to attack an ITS control center or an ITS software development site.

BOX 2-1 Nonvirus Cyber Attacks on Surface Transportation

Not all cyber attacks involve computer viruses. Moreover, other types of cyber attack can sometimes be more damaging. For example, vulnerabilities may be created if intelligent transportation system (ITS) control centers are linked to the Internet so that travelers can assess traffic levels and delays before departing on their journeys. An attacker could exploit an improperly configured traffic information web server to modify and execute programs known as CGI scripts. The ability to execute such programs would allow an attacker to take control of the web server. From there, an attacker would have to penetrate a firewall to get to the network where the ITS control system computers reside. If that firewall were improperly configured, and if the attacker could gain access to CGI scripts or other programs on a computer on the control system network, he or she would probably be able to disrupt or modify the ITS real-time control computers. Because these computers are protected by the firewall and used for real-time applications, they are likely to be configured with little or no security. The attacker's choices would then range from crashing the control system, which would simply be disruptive, to changing control parameters, programs, or data, which might cause a system-wide incident and result in delays or loss of life.

Achieving maximum impact would require considerable knowledge about the ITS control system, of course, which could probably only be gained by exhaustively and painstakingly reviewing purloined data and programs or by exploiting the expertise of a current or former control center programmer or operator. Another way to attack an ITS system would be to modify the control software during development. Software developers and development systems are often not as well protected as operational systems. Moreover, the presence in the development environment of programming source code (and probably documentation regarding requirements and designs) makes it easier to design an attack. The attack software would have to pass the developer's quality assurance and configuration management systems, but methods for embedding hostile software that does not appear in source code listings and is not detectable by functional testing have long been known in the computer science community (see Thompson, 1984). The usual process of software distribution would then distribute the attack to all sites that used the ITS software. As these and other examples show, the vulnerability of the surface transportation system to cyber attacks is a real concern, and DOT should take it very seriously.

Chemical and Biological Attacks

In scenarios involving chemical and biological attacks, future assessments should make more careful distinctions between the consequences of chemical attacks and biological attacks and between the consequences of attacks involving various agents with different properties. Although chemical and biological attacks are often considered together—the phrase "chem/bio" is sometimes used almost as a single word—they are in fact different in many ways, particularly as a consequence of the incubation period associated with biological agents (see Box 2-2 and Appendix B).2 For example, the "first responders" after a biological attack are likely to be hospital staff or public health officials, not police, fire, or emergency medical personnel at the scene of an incident. Unless real-time biological detection systems are developed and deployed (which seems highly unlikely for the foreseeable future), a biological attack may not even be noticed until well after it has taken place. It is also important to consider differences between the physical and chemical properties of different agents, such as density, phase, toxicity, and speed of action. The DOT assessment includes just two scenarios for chemical attacks, a release of the liquid nerve agent sarin as an aerosol and a release of a toxic industrial gas.
Of the four biological scenarios, three involve anthrax and one does not specify the agent. Attacks with other agents could have quite different characteristics and implications with regard to the dispersion of the agent and other factors. A wider variety of scenarios should be considered, therefore, including agents that may not be suitable for military use. Some military requirements, such as mass production, weaponization, and safe storage, may not apply to nonmilitary attackers. Thus chemical and biological terrorism are not necessarily the same as chemical and biological warfare. For example, a variety of dangerous chemicals are easily available from sources such as hardware and farm supply stores. These chemicals do not have the military-grade toxicity of sarin, but they are still highly toxic. Finally, chemical and biological vulnerabilities should be considered carefully and seriously and not left to others to worry about.

BOX 2-2 Differences between Chemical and Biological Attacks

It is a serious misapprehension to assume that chemical and biological attacks are similar. Here are some of the important differences:

A chemical attack disperses a highly toxic chemical (which may be either synthetic or biological in origin) that acts rapidly on the target. Symptoms become evident after only a short time. The release site can be easily and quickly identified. Emergency personnel at the scene are the first responders. Decontamination is usually critical, but once victims have been decontaminated, they need not be kept in isolation.

A biological attack delivers living organisms, such as bacteria or viruses, that require an incubation period, often days or even weeks, to reach full potency. Identifying the time and location of the release may be extremely difficult. Medical and public health personnel throughout the community are the "first responders." No decontamination is necessary, but in many cases, isolating victims is essential to prevent the spread of the disease.

Source: Henderson, 1999.

2 The "most basic" general conclusion of a recent study was that "terrorist incidents involving biological agents, especially infectious agents, are likely to be very different from those involving chemical agents and thus demand very different preparation and response (the myriad of 'chemical/biological' response teams being developed at federal, state, and local levels are, in fact, almost entirely focused on detection, decontamination, and expedient treatment of chemical casualties)" (IOM and NRC, 1999).

The Need for a Continuing Effort

The DOT vulnerability assessment, although very valuable to the transportation industry and others, should not be a one-time effort. Rather, it should be the first installment in a continuing series of analyses. The same is true of the analysis of R&D strategies that this report seeks to initiate. Future assessments should draw on the wide variety of techniques used by other public and private organizations to evaluate and manage threats and risks and protect assets and operations. For example, just as computer security companies sometimes have a staff of "red team" hackers, DOT might establish a working group (or participate actively in one with broader sponsorship) in which some participants play the role of attackers and others seek improved defenses. At a minimum, this would improve DOT's understanding of best practices in the use of existing security technologies and processes.
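
A continuing series of assessments is only comparable if each installment applies the same scales the same way. The following is an added example, not code or data from the DOT assessment or this report: a small scenario register that implements Steps 4, 7 and 8 of the nine-step methodology reviewed earlier in this chapter (pairing critical assets with threats, placing each rated scenario in the likelihood-of-success by impact matrix, and flagging cross-mode rating gaps for the expert panel). Scenario names are taken from Table 2-1; the modes, assets and every rating are constructed placeholders, not DOT's findings.

```python
"""Scenario register implementing Steps 4, 7 and 8 of the DOT-style
vulnerability assessment: pair critical assets with threats, place each rated
scenario in the likelihood-of-success x impact matrix, and flag cross-mode
rating gaps for the expert panel. All ratings here are constructed placeholders
for illustration, not the DOT assessment's findings."""
from collections import defaultdict
from dataclasses import dataclass

# The two four-level ordinal scales used by the assessment, least to most severe.
LIKELIHOOD = ("improbable", "moderately probable", "highly probable", "certain")
IMPACT = ("not serious", "moderately serious", "very serious", "catastrophic")


@dataclass(frozen=True)
class Scenario:
    name: str        # e.g. "single small explosive on highway bridge"
    mode: str        # transportation mode: highway, rail, transit, pipeline, ...
    asset: str       # critical asset selected in Step 2
    threat: str      # threat class identified in Step 3
    likelihood: str  # likelihood of success if attempted (Step 5)
    impact: str      # impact if the attack succeeds (Step 6)

    def __post_init__(self):
        # Reject ratings that are not on the defined scales, so a typo cannot
        # silently drop a scenario into the wrong category.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    @property
    def cell(self):
        """Position (likelihood index, impact index) in the 4x4 matrix (Step 7)."""
        return (LIKELIHOOD.index(self.likelihood), IMPACT.index(self.impact))


def pair_assets_with_threats(critical_assets, threats):
    """Step 4: pair every critical asset with every threat that applies to its
    mode. critical_assets maps asset -> mode; threats maps threat -> set of
    modes. Returns (asset, mode, threat) tuples still awaiting expert ratings."""
    return [(asset, mode, threat)
            for asset, mode in critical_assets.items()
            for threat, modes in threats.items() if mode in modes]


def categorize(scenarios):
    """Step 7: group scenario names by (likelihood, impact) category."""
    matrix = defaultdict(list)
    for s in scenarios:
        matrix[(s.likelihood, s.impact)].append(s.name)
    return dict(matrix)


def consistency_flags(scenarios, max_gap=1):
    """Step 8 support: for scenarios that share a threat class but belong to
    different modes, flag pairs whose likelihood or impact ratings differ by
    more than max_gap levels, so the panel can confirm the scales were applied
    comparably across modes. Returns (threat, name_a, name_b, gap) tuples."""
    by_threat = defaultdict(list)
    for s in scenarios:
        by_threat[s.threat].append(s)
    flags = []
    for threat, group in by_threat.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.mode == b.mode:
                    continue
                gap = max(abs(a.cell[0] - b.cell[0]), abs(a.cell[1] - b.cell[1]))
                if gap > max_gap:
                    flags.append((threat, a.name, b.name, gap))
    return flags


def worst_first(scenarios):
    """Scenario names ordered by impact, then likelihood, most severe first:
    a starting point for choosing where countermeasures (Step 9) matter most."""
    ranked = sorted(scenarios, key=lambda s: (s.cell[1], s.cell[0]), reverse=True)
    return [s.name for s in ranked]


# Constructed sample: scenario names are taken from Table 2-1; modes, assets
# and ratings are placeholders chosen for illustration only.
SAMPLE = [
    Scenario("single small explosive on highway bridge", "highway",
             "highway bridge", "explosive", "highly probable", "moderately serious"),
    Scenario("terrorist bombing of rail bridge", "rail",
             "rail bridge", "explosive", "highly probable", "very serious"),
    Scenario("cyber attack on highway traffic control system", "highway",
             "traffic control center", "cyber", "moderately probable", "not serious"),
    Scenario("cyber attack on train control center", "rail",
             "train control center", "cyber", "moderately probable", "catastrophic"),
    Scenario("anthrax release in transit station", "transit",
             "transit station", "biological", "improbable", "catastrophic"),
]
```

With the placeholder ratings, the two cyber scenarios differ by three impact levels across modes and are flagged for the panel, while the two explosive scenarios differ by one level and pass.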

Sensitive Information

A final concern, which the committee shares with DOT and others, is the potential that this type of assessment could be misused by groups or individuals with hostile intentions. It is unfortunate that current guidelines for the protection of sensitive information provide no solution to this problem. This topic is discussed further in Chapter 3.

Assessing Interdependencies and Strategic Vulnerability

A recurring theme of discussion during the course of this study was the distinction between attacks against a single element of the surface transportation infrastructure (point attacks) and attacks against the infrastructure as a whole (systemic attacks). The diverse elements of the surface transportation system are often highly interdependent; for example, disabling a major urban subway system during rush hour could cause an overflow of travelers onto local roads and highways that are already extremely crowded. The growing use of information technology in command and control systems for surface transportation is introducing new interdependencies. Transportation is highly interdependent with other infrastructure sectors, too, such as the power grid and the telecommunications network. Finally, attacks against certain critical nodes, such as a port that might be the single planned point of departure for military units during an international crisis, could have an impact far beyond the impact of a similar attack on an otherwise similar target. These strategic vulnerabilities, and ways to respond to them, are the subject of the remainder of this chapter. They were not considered in any depth in the DOT vulnerability assessment, but they warrant close attention.

Interdependencies in the Surface Transportation System

Because of the decentralized, multimodal character of surface transportation, mounting a system-wide attack with large spatial and temporal impact would be difficult. Experience with natural disasters suggests that even the simultaneous destruction of multiple elements of the system has less impact on its ability to operate than one might expect. The surface transportation infrastructure has many redundancies and is quite resilient. In most places, at most times, a variety of transportation options and alternate routes are available. Moreover, although multiple, coordinated attacks could have systemic consequences, the logistical difficulty of coordinating them would increase both the required expertise and the likelihood of detection or prevention. Nevertheless, in order to understand surface transportation's systemic vulnerabilities better, DOT should undertake a study of the system's redundancies. The study should identify interdependencies and redundancies among the components of the surface transportation system and critical nodes (perhaps major bridges, pipelines, harbors, or transit interchanges) where a lack of redundancy creates systemic vulnerability. Besides identifying areas of vulnerability, the results would probably provide useful insights into ways of taking advantage of redundancies when seeking to recover smoothly from a point attack. This type of study, focused on strategic vulnerabilities rather than tactical vulnerabilities (as in the work DOT has undertaken so far), might require simulation or "wargaming" exercises.

Interdependencies and Cyber Attacks

The growing and evolving automation of the transportation infrastructure, particularly the introduction of infrastructure-wide automation systems, may increase the opportunities for infrastructure-wide attacks. Such attacks could interfere with routing or resource allocation mechanisms or cause physical damage to infrastructure elements across a wide area. Most computer and network systems have a variety of software vulnerabilities, and attackers have developed many techniques for exploiting them to gain control of individual computers or entire networks. It is extremely difficult to build a complex piece of software that not only performs its intended function but also is invulnerable to malicious abuse. For example, despite the widespread attention given to the 1988 Internet Worm, a highly publicized attack on the program that routes electronic mail from computer to computer across the Internet, attacks on the same program continue to be reported. The computers and networks that control and monitor transportation systems are no exception to this general situation in their vulnerability to cyber attacks. A malicious and effective attack against a network or infrastructure, however, could be far more serious than the attacks by hackers that are so often reported in the popular and trade press. Hackers regularly demonstrate their ability to take control of systems and crash them or destroy data. Security products are commercially available that, when properly configured, can defeat many such attacks, even by relatively sophisticated and hostile hackers. A sufficiently sophisticated attacker may still have a reasonable chance of success, however, and in any case, many institutions either have no security products or lack the ability or will to configure them properly. More importantly, if an attacker takes control of a computer system and wishes to cause maximum harm, his or her task is considerably more complex than causing the system to crash. To maximize harm in an ITS control system, for example, an attacker might attempt to alter the vehicle headway control software to cause simultaneous vehicle collisions system-wide. (Independent on-vehicle systems might preclude such an attack.) Of course, carrying out such an attack would require substantial knowledge of the system's design and operation. Acquiring this knowledge is more difficult than breaking into a computer. It requires the support of an insider (in the ITS operation or the software vendor), access to maintenance documentation (probably stored on a computer that can be broken into), or substantial reverse engineering of software downloaded from the network under attack. An attack-development team would have to be as competent, patient, and detail oriented as any software product-development team.

The committee is not aware of any current plans for surface transportation systems that would be vulnerable to such attacks. Even the air traffic control system, which is far more highly automated and centralized than any part of the surface transportation infrastructure, is still relatively decentralized and retains the option for individual controllers to control traffic, albeit at reduced capacity. ITS technology may offer comparable levels of automated control in the future, but it seems likely that the highway infrastructure as a whole will remain distributed and decentralized and retain reduced-capacity fallback modes for the foreseeable future. Nevertheless, as infrastructure operators deploy higher levels of infrastructure-wide automation, they would be well advised to consider the need for the infrastructure to operate even if the control systems are degraded or unavailable. In addition, wherever possible, operators should isolate control systems from public networks, such as the Internet or the public switched telephone network. Current trends in telecommunications make it very difficult to achieve complete isolation—for example, two otherwise separate circuits may happen to travel on the same fiber, or at least traverse the same bridge over a river—but intentional and unintentional connectivity should be minimized. As explained below, sharing a communications link (e.g., a fiber or a wireless connection) is less of a security concern than sharing a switching node in the network. If network access is provided, it should be limited, and the systems that provide access should be reviewed for options that could permit unauthorized access.

In the long term, as control systems become more automated, the security consequences will vary depending on the type of technology used and on whether the automated control is centralized or distributed. One-of-a-kind software or hardware is often extremely expensive. Commercial, off-the-shelf (COTS) technology is cheaper, but commercial developers usually emphasize new features and rapid time-to-market rather than reliability or security. Centralized automation increases vulnerability to natural disasters, operator failures, and software bugs. Decentralized automation requires orchestrated cooperation among mutually suspicious systems, a task for which today's science and technology base is limited. The security of information systems is discussed in much greater detail in a recent National Research Council report, Trust in Cyberspace (NRC, 1998).

Learning about Interdependencies from Accidents and Natural Disasters

In addition to the redundancy study suggested above, internal interdependencies of the surface transportation system can be identified and understood by analogy with lessons learned from accidents and natural disasters. Most disasters, whether natural or caused by accidental or intentional human action, have been extensively studied after the fact. The committee is not aware, however, of any unified assessment of best practices and lessons learned, based on a large sample of disasters. (A recent study conducted at San Jose State University attempts such an assessment of four terrorist incidents [Mineta Institute, 1997].) A compendium of such postmortem analyses would be useful. It should focus on how surface transportation was affected and include an evaluation of successful and unsuccessful approaches to preventing or mitigating adverse consequences. It might be similar in some ways, though more general in scope, to information gathered by the National Bomb Data Center of the Federal Bureau of Investigation. One incident that could be included is the multiple disaster on January 13, 1982, in Washington, D.C. Shortly after 4 o'clock on a Wednesday afternoon, an airplane crashed into the 14th Street Bridge, which carries the I-395 and US-1 highways. As a result, all 12 lanes of the busiest bridge across the Potomac were closed for several days. Just 30 minutes later, a train derailment blocked two of the city's three subway lines in both directions, again for several days. And at the same time, a major snowstorm affected road and highway traffic, as well as rescue and repair efforts. Another obvious candidate for analysis is the simultaneous damage to multiple highways often caused by major earthquakes (see Box 2-3).

"Y2K" computer problems associated with the year 2000, which have the advantage of occurring on a date that is known in advance, may provide interesting lessons about interdependencies in the cyber domain. These lessons could emerge from the many modeling and planning exercises that are being conducted before the event, as well as from the actual consequences. The analogy between Y2K and the threat of cyber attacks may be similar to the analogy between hazardous materials and the threat of chemical attacks.

BOX 2-3 The Impact of Earthquakes on Surface Transportation

The Northridge earthquake in 1994, which was centered 20 miles northwest of downtown Los Angeles, caused structural damage that cost an estimated $25 billion (Gordon et al., 1998). Four major highways were blocked, including sections of the Santa Monica Freeway (I-10, "the world's busiest freeway") and the Golden State Freeway (I-5, California's main north-south artery). Despite this damage, the surface transportation system showed remarkable resiliency. Freeway traffic was rerouted onto parallel local arteries. Many commuters adjusted their destinations and times of departure or found ways to telecommute. The use of commuter rail increased.

[Photo: The collapsed section of the Bay Bridge after the 1989 Loma Prieta earthquake. Photo courtesy of E.V. Leyendecker, U.S. Geological Survey.]

Similarly, the Loma Prieta earthquake in 1989 caused extensive damage to several highways, including the collapse of a section of the Bay Bridge, the major surface link between the northern San Francisco Peninsula and the rest of the country. To compensate, travelers made increased use of ferry service and the Bay Area Rapid Transit system, several major employers instituted shuttle services, and many commuters adjusted their routes and travel schedules. Natural disasters like these suggest that "transportation system redundancy and the ability of individuals to make a variety of short-term adjustments in travel patterns make rapid recovery possible even from major disasters" (Giuliano and Golob, 1998). There is good reason for optimism that the same would be true in the aftermath of a disaster caused by intentional hostile acts, such as bombings of highways or bridges. Intentional attacks and natural disasters may affect public confidence quite differently, however. After the December 1996 bombing of a Paris commuter train, for example, in which four were killed and 86 injured, restoration of normal service took only three days, but ridership did not return to its previous level for several months (U.S. Department of State, 1997; Aymeric, 1999). Further analysis of past natural disasters and major accidents could be very helpful in understanding possible future hostile attacks, to identify both what can be done in advance to minimize vulnerability and what can be done after an incident occurs to mitigate the consequences. Despite a number of studies of individual disasters and an extensive literature on travel behavior under everyday conditions, "prior research on travel behavior responses to major disasters is virtually nonexistent" (Giuliano and Golob, 1998). Moreover, changing commuting patterns and the growing prevalence of telecommuting and online shopping may have important effects on travel behavior.

Interdependencies with Other Infrastructure Sectors

The surface transportation system relies on a variety of other infrastructure sectors. The power grid, for example, is needed to run subway trains, traffic management systems, the cranes that load cargo vessels, the pumps that supply vehicles with gasoline and other fuels, and many other aspects of the system. All modes of transportation are becoming increasingly reliant on the information infrastructure, such as networked telecommunications, computer databases, and GPS. Attacks on these systems could have large-scale consequences for transportation, perhaps greater than the consequences of most direct attacks on transportation assets. For example, a variety of communications technologies are important for surface transportation. Among these are GPS, used for navigation; satellite-based tracking systems used by some trucking companies; wired and wireless systems for command, control, and dispatch; communications links between video surveillance cameras and monitors; and voice communications between control centers and vehicle operators. These systems can be attacked in two main ways: disrupting the link itself (e.g., severing a cable or jamming a radio signal) or disrupting the computer-controlled network nodes that perform signaling, routing, and database functions. Attacking the control nodes is potentially more damaging. For example, some taxi companies use a commercial wireless data service for dispatching. This service could be disrupted by jamming one or more base stations. But it would be much more effective to introduce or exploit a software bug in the mobile switching office to disrupt signaling protocols to base stations across a wide area. Attacks on the communications services used by surface transportation could have serious consequences, but the committee agrees with the judgment of the DOT vulnerability assessment that the consequences would probably be inconveniences and economic losses rather than loss of life. The communications infrastructure itself is quite resilient, with redundant communications links and fall-back navigational systems. Moreover, communications security concerns are not unique to the transportation sector. Communications service providers and equipment manufacturers are already actively seeking ways to protect their customers.
DOT should keep informed of developments in this area (see Box 2-4), but its main role should be to learn from others and, where appropriate, transfer that knowledge to surface transportation owners and operators. The situation is similar for most other infrastructure sectors with which transportation is interdependent. In general, DOT should remain aware of developments, learn from others, and transfer knowledge to surface transportation owners and operators, but not participate directly in R&D. However, the two studies suggested above—an assessment of strategic vulnerabilities and a compendium of lessons learned from past incidents—should certainly take into account interdependencies with other sectors. For example, it might be instructive to examine the impact on surface transportation of major power blackouts, such as the one in San Francisco in December 1998 that halted the Bay Area Rapid Transit subway system and many city buses and disabled traffic signals.
BOX 2-4 Implications for Surface Transportation of Trends in Communications

Current developments in communications are primarily aimed at providing the following improvements:

1. higher data rates at lower cost
2. integrated services, such as voice, data, and video, over the same communications substrate, such as the Internet or other facilities managed by local operators
3. services to mobile and portable hosts

The data rates required for control signaling are typically quite low, except perhaps for video monitoring, so Trend 1 is largely irrelevant for surface transportation. Trend 2 is relevant in that it may make purchasing data services from a communications service provider more attractive than building a private network. Trend 3 implies the possibility of using commercial wireless services, such as cellular or wireless local area networks, to transmit control information.

Special Circumstances

Another circumstance in which the impact of a point attack on surface transportation might be significantly magnified is if the target were critical to a nationally important function. A prime example of this would be an attack during a military emergency or during military preparations to respond to a potential emergency. An attack against the surface transportation system of a major port city responsible for moving military cargo, for example, could delay significantly the rapid response on which today's defense strategies depend. Military logistics today depend heavily on commercial rail, truck, and port terminals.3 Despite the resiliency of the transportation system, point attacks on major bridges or tunnels or fuel terminals could disrupt traffic for hours, perhaps even days. In the context of a military emergency or another crisis, a disruption that might be less significant under ordinary circumstances could have major consequences. An assessment of strategic vulnerabilities, by identifying key transportation nodes that lack redundant alternatives, would help to highlight potential situations of this kind.

3

The military also relies on commercial air transport, but that is outside the scope of this report.
Summary

Overall, the DOT vulnerability assessment is excellent, but it should not be a one-time effort. Attention to the following points will help improve future assessments:

The basic assumptions and predicted consequences of each scenario should be given a further reality check, in cooperation with appropriate industry representatives.

Further assessment of threat likelihood is highly desirable, although very difficult.

A more complete, balanced, and clearly defined analysis of possible means of attack will be needed for future assessment efforts.

Cyber and other attacks on the C3 systems of surface transportation are given insufficient attention in the assessment. The discussion that does appear is focused too narrowly on the introduction of computer viruses.

Chemical and biological vulnerabilities must be considered carefully and seriously—not left to others to worry about. Future assessment efforts should distinguish carefully between chemical attacks and biological attacks and between attacks involving agents with different properties.

Strategic, systemic vulnerabilities deserve close attention. These may result from interdependencies within the surface transportation system, interdependencies with other infrastructure sectors, or special circumstances involving nationally important functions. To improve its understanding of these issues, DOT should undertake (1) a strategic assessment of the surface transportation system's redundancies and interdependencies, and (2) an analysis of lessons learned about impact and mitigation from past accidents and natural disasters.