Monday, November 17, 2014

Information Security Issues in the Freight Industry

Ian McIntyre
11/17/2014

The modern freight industry in the United States consists of a tightly woven network of ships, trains, and trucks all working together to move containers at breakneck speed throughout the country. As intermodal containers have emerged as the primary method of goods conveyance over break bulk cargo, bulk cargo, and personal shipments, the freight system has adapted itself to the point where container ships, freight trains, and tractor trailer trucks work together seamlessly.

The challenge comes in tracking and managing all of these containers, which carry different goods via different transportation methods to different locations. ISO 6346 defines classification codes for freight containers, allowing operators to identify specific containers and track their status in a corresponding database. These databases work in concert to track container yard inventories and terminal operations as containers are transferred between shipping methods, as well as the status of in-transit containers. The result is a complex system tracking millions of containers across thousands of companies.

Protecting this complex system with so many operators and so many moving parts is no small task.  Information security is typically broken down into three primary objectives:

1. Confidentiality
2. Integrity
3. Availability

All systems should be protected from the leak of confidential information (for example, which containers contain what goods, and where they are headed), from the manipulation of data (changing the routing orders so that containers are accidentally sent to the incorrect location), and from operational downtime (if nobody knows where the containers are going, then they cannot be loaded up for transport). These three components, abbreviated CIA, are essential to a functioning freight transportation system.

Compromises of these three components of information security can have dramatic effects, particularly compromises of integrity and availability. With the loss of data integrity, the error rate increases significantly as containers get shipped to incorrect locations. Freight companies then lose profits correcting these mistakes and getting containers to their proper locations.
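The following added example (not part of the original post) shows two integrity controls for the container records discussed above: the ISO 6346 check digit, which catches accidental errors in a container number, and a keyed MAC over the routing record, which catches deliberate changes. The function names, the shared key, the `container|destination` record layout and the terminal names are assumptions made for illustration; `CSQU3054383` is a sample container number.

```python
import hashlib
import hmac
import re

# ISO 6346 letter values start at A=10 and skip multiples of 11 (11, 22, 33).
LETTER_VALUES = {}
_value = 10
for _ch in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
    if _value % 11 == 0:
        _value += 1
    LETTER_VALUES[_ch] = _value
    _value += 1

# Owner code (3 letters), category (U, J or Z), 6-digit serial, check digit.
ID_PATTERN = re.compile(r"[A-Z]{3}[UJZ][0-9]{7}")

def check_digit(first_ten: str) -> int:
    """Weight each of the first ten characters by 2**position, then mod 11, mod 10."""
    total = sum(
        (LETTER_VALUES[c] if c in LETTER_VALUES else int(c)) * 2 ** i
        for i, c in enumerate(first_ten)
    )
    return total % 11 % 10

def valid_container_id(cid: str) -> bool:
    """Detects mistyped or corrupted numbers; it is not a defence against tampering."""
    return bool(ID_PATTERN.fullmatch(cid)) and check_digit(cid[:10]) == int(cid[10])

def sign_record(key: bytes, cid: str, destination: str) -> str:
    """HMAC-SHA256 tag over a routing record (hypothetical record layout)."""
    if not valid_container_id(cid):
        raise ValueError("invalid ISO 6346 container number")
    return hmac.new(key, f"{cid}|{destination}".encode(), hashlib.sha256).hexdigest()

def verify_record(key: bytes, cid: str, destination: str, tag: str) -> bool:
    if not valid_container_id(cid):
        return False
    return hmac.compare_digest(sign_record(key, cid, destination), tag)

if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed; use a managed secret in practice
    tag = sign_record(key, "CSQU3054383", "TERMINAL-A")   # constructed routing record
    print(valid_container_id("CSQU3054583"))   # one mistyped serial digit is rejected
    print(verify_record(key, "CSQU3054383", "TERMINAL-A", tag))
    print(verify_record(key, "CSQU3054383", "TERMINAL-B", tag))  # rerouted record fails
```

Anyone can recompute a check digit, so it only protects against transcription errors; detecting a changed routing order depends on the MAC key being unavailable to whoever altered the record.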

The loss of availability is even worse. During the last strike at the Los Angeles port, the flow of billions of dollars of goods was disrupted. In these days of just-in-time inventory, a loss of system availability would halt all freight transportation until availability could be restored, with effects similar to the strikes in L.A. that ground a significant amount of the United States freight industry to a halt.

Attacks can come from outside actors, and can range from complex infiltrations over the course of many months to simple distributed denial-of-service attacks by bored script kiddies looking to break something. The challenge of getting all involved companies on the same page and using secure systems to track container movements and destinations is a significant one, but it is something that needs to be addressed. The Transportation Systems Sector is one that has been identified by the Department of Homeland Security as a critical infrastructure sector of the United States, and I don't disagree. The ability to quickly transport goods from point A to point B drives industry, and the inability to do that could significantly impact our economy. Protecting the confidentiality, integrity, and availability of containerized freight management systems in the United States is extremely important.

One question to ask is what sort of policy and technological solutions might be needed to protect an industry that relies on thousands of companies communicating with one another on such a close and regular basis?  These connections can frequently be leveraged as points of attack into a system, yet they are essential for this sort of system to operate effectively. 


Edit: General Editing
