TRANSPORTATION RESEARCH BOARD SPECIAL REPORT 274
CYBERSECURITY OF FREIGHT INFORMATION SYSTEMS
A SCOPING STUDY
TRANSPORTATION RESEARCH BOARD
Transportation Research Board Special Report 274
VIII freight transportation (multimodal)
IX marine transportation
Transportation Research Board publications are available by ordering individual publications directly from the TRB Business Office, through the Internet at www.TRB.org or national-academies.org/trb, or by annual subscription through organizational or individual affiliation with TRB. Affiliates and library subscribers are eligible for substantial discounts. For further information, contact the
Transportation Research Board Business Office,
500 Fifth Street, NW, Washington, DC 20001 (telephone 202-334-3213; fax ; or e-mail TRBsales@nas.edu).
Copyright 2003 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America.
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competencies and with regard for appropriate balance.
This report has been reviewed by a group other than the authors according to the procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.
The study was sponsored by the Research and Special Programs Administration of the U.S. Department of Transportation.
Library of Congress Cataloging-in-Publication Data
National Research Council (U.S.). Committee on Freight Transportation Information Systems Security.
Cybersecurity of freight information systems : a scoping study / Committee on Freight Transportation Information Systems Security, Transportation Research Board of the National Academies.
p. cm.—(Special report)
1. Telecommunication—Safety measures. 2. Freight and freightage—Security measures. I. Title. II. Special report (National Research Council (U.S.). Transportation Research Board)
THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. On the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, on its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both the Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. William A. Wulf are chair and vice chair, respectively, of the National Research Council.
The Transportation Research Board is a division of the National Research Council, which serves the National Academy of Sciences and the National Academy of Engineering. The Board’s mission is to promote innovation and progress in transportation through research. In an objective and interdisciplinary setting, the Board facilitates the sharing of information on transportation practice and policy by researchers and practitioners; stimulates research and offers research management services that promote technical excellence; provides expert advice on transportation policy and programs; and disseminates research results broadly and encourages their implementation. The Board’s varied activities annually engage more than 4,000 engineers, scientists, and other transportation researchers and practitioners from the public and private sectors and academia, all of whom contribute their expertise in the public interest. The program is supported by state transportation departments, federal agencies including the component administrations of the U.S. Department of Transportation, and other organizations and individuals interested in the development of transportation. www.TRB.org
TRANSPORTATION RESEARCH BOARD 2003 EXECUTIVE COMMITTEE*
Chair: Genevieve Giuliano, Director,
Metrans Transportation Center, and
School of Policy, Planning, and Development, University of Southern California, Los Angeles
Vice Chair: Michael S. Townes, President and CEO,
Hampton Roads Transit, Virginia
Executive Director: Robert E. Skinner, Jr.,
Transportation Research Board
Michael W. Behrens, Executive Director,
Texas Department of Transportation, Austin
Joseph H. Boardman, Commissioner,
New York State Department of Transportation, Albany
Sarah C. Campbell, President,
TransManagement, Inc., Washington, D.C.
E. Dean Carlson, President,
Carlson Associates, Topeka, Kansas (Past Chair, 2002)
Joanne F. Casey, President and CEO,
Intermodal Association of North America, Greenbelt, Maryland
James C. Codell III, Secretary,
Kentucky Transportation Cabinet, Frankfort
John L. Craig, Director,
Nebraska Department of Roads, Lincoln
Bernard S. Groseclose, Jr., President and CEO,
South Carolina State Ports Authority, Charleston
Susan Hanson, Landry University Professor of Geography,
Graduate School of Geography, Clark University, Worcester, Massachusetts
Lester A. Hoel, L.A. Lacy Distinguished Professor of Engineering,
Department of Civil Engineering, University of Virginia, Charlottesville (Past Chair, 1986)
Henry L. Hungerbeeler, Director,
Missouri Department of Transportation, Jefferson City
Adib K. Kanafani, Cahill Professor and Chairman,
Department of Civil and Environmental Engineering, University of California, Berkeley
Ronald F. Kirby, Director of Transportation Planning,
Metropolitan Washington Council of Governments, Washington, D.C.
Herbert S. Levinson, Principal, Herbert S. Levinson Transportation Consultant,
New Haven, Connecticut
Michael D. Meyer, Professor,
School of Civil and Environmental Engineering, Georgia Institute of Technology, Atlanta
Jeff P. Morales, Director of Transportation,
California Department of Transportation, Sacramento
Kam Movassaghi, Secretary,
Louisiana Department of Transportation and Development, Baton Rouge
Carol A. Murray, Commissioner,
New Hampshire Department of Transportation, Concord
David Plavin, President,
Airports Council International, Washington, D.C.
John Rebensdorf, Vice President,
Network and Service Planning, Union Pacific Railroad Company, Omaha, Nebraska
Catherine L. Ross, Harry West Chair of Quality Growth and Regional Development,
College of Architecture, Georgia Institute of Technology, Atlanta
John M. Samuels, Senior Vice President,
Operations Planning and Support, Norfolk Southern Corporation, Norfolk, Virginia (Past Chair, 2001)
Paul P. Skoutelas, CEO,
Port Authority of Allegheny County, Pittsburgh, Pennsylvania
Martin Wachs, Director,
Institute of Transportation Studies, University of California, Berkeley (Past Chair, 2000)
Michael W. Wickham, Chairman and CEO,
Roadway Express, Inc., Akron, Ohio
Marion C. Blakey, Administrator,
Federal Aviation Administration, U.S. Department of Transportation (ex officio)
Samuel G. Bonasso, Acting Administrator,
Research and Special Programs Administration, U.S. Department of Transportation (ex officio)
Rebecca M. Brewster, President and COO,
American Transportation Research Institute, Smyrna, Georgia (ex officio)
Thomas H. Collins (Adm., U.S. Coast Guard), Commandant,
U.S. Coast Guard, Washington, D.C. (ex officio)
Jennifer L. Dorn, Administrator,
Federal Transit Administration, U.S. Department of Transportation (ex officio)
Robert B. Flowers (Lt. Gen., U.S. Army), Chief of Engineers and Commander,
U.S. Army Corps of Engineers, Washington, D.C. (ex officio)
Harold K. Forsen, Foreign Secretary,
National Academy of Engineering, Washington, D.C. (ex officio)
Edward R. Hamberger, President and CEO,
Association of American Railroads, Washington, D.C. (ex officio)
John C. Horsley, Executive Director,
American Association of State Highway and Transportation Officials, Washington, D.C. (ex officio)
Michael P. Jackson, Deputy Secretary,
U.S. Department of Transportation (ex officio)
Roger L. King, Chief Technologist,
Applications Division, National Aeronautics and Space Administration, Washington, D.C. (ex officio)
Robert S. Kirk, Director,
Office of Advanced Automotive Technologies, U.S. Department of Energy (ex officio)
Rick Kowalewski, Acting Director,
Bureau of Transportation Statistics, U.S. Department of Transportation (ex officio)
William W. Millar, President,
American Public Transportation Association, Washington, D.C. (ex officio) (Past Chair, 1992)
Mary E. Peters, Administrator,
Federal Highway Administration, U.S. Department of Transportation (ex officio)
Suzanne Rudzinski, Director,
Transportation and Regional Programs, U.S. Environmental Protection Agency (ex officio)
Jeffrey W. Runge, Administrator,
National Highway Traffic Safety Administration, U.S. Department of Transportation (ex officio)
Allan Rutter, Administrator,
Federal Railroad Administration, U.S. Department of Transportation (ex officio)
Annette M. Sandberg, Administrator,
Federal Motor Carrier Safety Administration, U.S. Department of Transportation (ex officio)
William G. Schubert, Administrator,
Maritime Administration, U.S. Department of Transportation (ex officio)
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
David D. Clark,
Massachusetts Institute of Technology,
John M. Cioffi,
University of Utah
W. Bruce Croft,
University of Massachusetts, Amherst
Thomas E. Darcie,
University of Victoria
University of California, Berkeley
IBM T.J. Watson Research Center
Butler W. Lampson,
U.S. Venture Partners
Tom M. Mitchell,
Carnegie Mellon University
David A. Patterson,
University of California, Berkeley
Henry (Hank) Perritt,
Chicago-Kent College of Law
GCI Cable and Entertainment
Fred B. Schneider,
New York University
Jeannette M. Wing,
Microsoft Research; Carnegie Mellon University (on leave)
Marjory S. Blumenthal, Director
COMMITTEE ON FREIGHT TRANSPORTATION INFORMATION SYSTEMS SECURITY
Robert E. Gallamore, Chair, Director,
Transportation Center, Northwestern University
A. Ray Chamberlain, Vice Chair, Vice President,
Parsons Brinckerhoff, Inc.
Frank J. Anstett, Manager,
Infrastructure Security, Raytheon Company
Samuel H. Banks, Senior Vice President,
U.S. Customs Modernization Project, Sandler and Travis Trade Advisory Services
Richard A. Holmes, Jr., General Director,
Security and Quality Assurance, Union Pacific Railroad
Barry Horowitz, NAE, Professor,
Department of Systems Engineering, University of Virginia
John L. King, Professor and Dean,
School of Information, University of Michigan
Lars Kjaer, Vice President,
World Shipping Council
Art Kosatka, Chief Executive Officer,
Steven J. Lambright, Vice President,
Daniel Murray, Director of Research,
American Transportation Research Institute
Frank M. Pittelli, President,
Navius Technologies, LLC
Alan F. Spear, President,
MRC Investigations (USA), Inc.
Karen Ryan Tobia, Manager,
Technology Planning, Port Commerce Department, Port Authority of New York and New Jersey
NATIONAL RESEARCH COUNCIL STAFF
Alan T. Crane, Study Director
Steven Woo, Program Officer
The merger of information system technology and transportation infrastructure is transforming the freight transportation industry in a variety of ways. These changes are producing new ways to organize companies’ supply chains as well as military logistics. As the new freight information systems become more fully integrated, they are expected to have great private and public benefits.
These systems, however, may be vulnerable to cyberattack. In accordance with the national initiative to increase security of critical infrastructure, the U.S. Department of Transportation (DOT) requested that the National Research Council (NRC) review trends in the use of information technology in the freight transportation industry and assess potential vulnerabilities to a cyberattack. In response, NRC formed the Committee on Freight Transportation Information Systems Security, under the Transportation Research Board (TRB) and the Computer Science and Telecommunications Board, to conduct a scoping study to develop an approach, study, or other process that DOT could use to address the vulnerabilities of freight information systems.
Specifically, the committee was charged with recommending how to conduct a study that would result in
A baseline description of the U.S. freight transportation communication and information systems, including interconnectivity with international carriers, government entities (U.S. and non-U.S.), customers, and other business partners;
A summary of ongoing and emerging efforts in such areas as electronic data interchange, telecommunications and data transfer, trends in the use of the Internet, business practices, customs, immigration and agriculture clearance processes, electronic letters of credit, integrated logistics software, positive train control, intelligent transportation systems, and all other information-and communication-based processes and technology improvements that affect transportation, shipping, and logistics;
A review of current industry practices addressing security (with emphasis on information technology–related dimensions); and
An identification and summary of the potential vulnerabilities that may be created by the interconnection/interface and possible integration of these new systems.
One of the complexities of a project such as this is that developers and operators of the relevant system will be reluctant to discuss or admit to specific security weaknesses publicly. Thus the committee had to recommend a process that would permit the problems to be identified and addressed.
The committee held its first meeting on November 25–26, 2002. The project, from committee formation to final report, took 7 months. During that time the committee met twice at NRC headquarters in Washington, D.C. In addition, its members and staff held numerous telephone conferences to discuss their findings.
After the start of the study, the Department of Homeland Security (DHS), which incorporates many of the relevant functions formerly performed by DOT, was created. Hence the committee directs many of its recommendations andcomments to DHS as well as to DOT.
This report has been reviewed in draft form by individuals selected for their diverse technical expertise, in accordance with procedures approved by the NRC’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making the published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments remain confidential to protect the integrity of the deliberative process.
The reviewers of this report were Noel D. Matchett, Information Security, Inc.; Steven B. Lipner, Microsoft Corporation; Peter Martin, Lakeville Motor Express; and David Zanca, Federal Express. The committee is grateful for the many constructive comments and suggestions the reviewers provided. The reviewers were not, however, asked to endorse the findings and conclusions, nor did they see the final draft before its release. Responsibility for the final content of this report rests entirely with the authoring committee and NRC.
The review of this report was overseen by Lester A. Hoel, University of Virginia, Charlottesville. He was appointed by NRC to ensure that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Suzanne
Schneider, Associate Executive Director of TRB, managed the report review process. The committee appreciates the speed and efficiency of this review.
This study was managed by Alan T. Crane under the direction of the committee and the supervision of Stephen Godwin, Director of TRB’s Studies and Information Services.
The report was written by the committee members and the NRC staff. The committee also appreciates the vital contributions of Jocelyn Sands, Frances E. Holland, and Amelia B. Mathis. Joedy W. Cambridge and Joseph A. Breen provided valuable suggestions while the committee was being formed. This report has been edited by Norman Solomon under the supervision of Nancy Ackerman, Director of Publications.
Robert E. Gallamore, Chair
A. Ray Chamberlain, Vice-Chair
Committee on Freight Transportation Information Systems Security
ACRONYMS AND GLOSSARY
ABI Automated Broker Interface.
ACE Automated Commercial Environment.
ACS Automated Commercial System.
AES U.S. Bureau of Customs and Border Protection’s Automated Export System.
Airbill Receipt for carriage of air freight.
AMS U.S. Bureau of Customs and Border Protection’s Automated Manifest System.
ANSI X12 Voluntary standards, maintained by the American National Standards Institute (ANSI), defining the structure, format, and content of business transactions conducted through electronic data interchange (EDI). ANSI X12 is produced by the committee ASC X12, supported by the Data Interchange Standards Association, Inc. (DISA).
APIS Advanced passenger information system.
ATIS Advanced traffic information system.
ATRI American Transportation Research Institute.
ATS Advance targeting system.
AVI Automatic vehicle identification.
BASSC Business Anti-Smuggling Security Coalition.
Bill of lading A statement of the nature and value of goods being transported, especially by ship, along with the conditions applying to their transport. Drawn up by the carrier, this document serves as a contract between the owner of the goods and the carrier.
CAMIR Customs Automated Interface Requirements.
CHCP Cargo Handling Cooperative Program.
CRM Customer relationship management.
CSTB Computer Science and Telecommunications Board of the National Academies.
CSI Container Security Initiative.
Cyberterrorism Terrorism related to computer and information systems.
DASD Direct-access storage device.
Denial-of-service (DOS) attack An attack on a computer network effected by overloading the access points, so that further access is slowed or stopped altogether.
DHS Department of Homeland Security.
DNS Domain name service.
DOT Department of Transportation.
Drayage Generally, carriage of freight, often by truck.
EA Enterprise architecture.
EDI Electronic data interchange.
ERP Enterprise resource planning.
ESCM Electronic supply chain manifest.
ExpressLink Proprietary system for interconnecting the corporate-level systems of four regional trucking companies.
FAA Federal Aviation Administration.
FAST Free and Secure Trade.
FBI Federal Bureau of Investigation.
FHWA Federal Highway Administration.
Firewalls Hardware and software systems intended to isolate a local area network from access.
FIRST Freight Information Real-Time System (for Port Authority of New York and New Jersey).
Forwarder A company that ships cargo for hire.
Freight brokers A company that arranges or consolidates freight shipments.
Freight forwarder See “forwarder.”
GPS Global Positioning System.
Hazmat Hazardous material.
IBIS Interagency Border Information System.
INS Immigration and Naturalization Service.
ISAC Information Sharing and Analysis Center.
ISO International Standards Organization.
IT Information technology.
ITDS International Trade Data System.
ITS Intelligent transportation systems.
Jones Act The Merchant Marine Act of 1920 and related statutes, requiring that vessels used to transport cargo and passengers between U.S. ports be owned by U.S. citizens, built in U.S. shipyards, and manned by U.S.-citizen crews.
Just-in-time (JIT) A business system of supplying to each process what is needed at the time it is needed, and in the quantity needed, to minimize production lead times and reduce inventory.
LIA Logistics Integration Agency.
Load bidding For carriers, the practice of negotiating for freight.
Merchant haulage Transport of cargo in shipping containers arranged by the owner or possessor of the goods.
MTMC Military Traffic Management Command.
NHS National Highway System.
NOA Notice of arrival.
NRC National Research Council of the National Academies.
NVMC National Vessel Movement Center.
NVOCC Non–vessel operating common carrier.
OSC Operation Safe Commerce.
Positive train control The use of digital data communications, automatic positioning systems, wayside interface units (to communicate with switches and wayside detectors), onboard and control center computers, and other advanced display, sensor, and control technologies to manage and control railroad operations.
Red teaming Acting as an adversary for the unauthorized access to a physical or computer system to expose the system’s vulnerabilities.
RFID Radio frequency identification.
R&D Research and development.
SCADA Supervisory control and data acquisition.
Sim-Tag Simulator for RFID tags.
SSTL Smart and Secure Trade Lanes.
TECS Treasury Enforcement Communications System.
Third-party logistics provider (3PL) Provider of logistics services for hire.
TRB Transportation Research Board of the National Academies.
TSA Transportation Security Administration.
TSWG Trucking Security and Anti-Terrorism Working Group.
TWIC Transportation worker identification card.
USDOT U.S. Department of Transportation.
VHF Very high frequency.
VPN Virtual private network.
Waybill Shipping document.
WCO World Customs Organization.
XML Extensible markup language.