Risk Analysis for Container Transport
Harald Sauff, Dieter Gollmann
Institute for Security in Distributed Applications
Hamburg University of Technology
We will present findings from a research project that investigated the feasibility of using IT to
improve physical security aspects of the container transport system. The logistics sector
moves physical objects (containers) where movement is controlled by various documents,
originally mainly on paper, with a growing reliance on IT systems. In our risk analysis, we
therefore treat the IT systems not as infrastructure (to be secured with traditional IT security
measures) but as a control system that moves containers.
This transport system can, almost by necessity, only be specified incompletely. First, there is a
wide range of business processes that are often known only to the participants directly
involved. Secondly, hiding aspects of a transport can be part of a business strategy. We are
therefore not in a position to have a complete model of the transport system as the basis for
our risk analysis methodology.
The control system uses information (identifiers, destination addresses, etc.) to determine
container movements. In a distributed system, data representing the same piece of information
can be stored in many places. Data inconsistencies are therefore theoretically – and
practically – possible. The existing control system has inbuilt consistency checks, e.g.
messages sent to other parties with updates on changes to container status.
We are concerned about attacks that have the goal of diverting containers, either by physically
taking control of a container or by using the control system. In the latter case, data has to be
changed so that a container is routed according to the attacker’s plan. Such an attack has to
modify or insert data into the system and avoid detection by consistency checks. The latter can
be achieved by suppressing messages, modifying data in more places so that a consistency
check does not trigger an alarm, or involving parties with sloppy consistency checks.
We may also consider denial-of-service attacks aiming at (large scale) disruption of the
container flows. This appears to be a generic attack pattern with generic countermeasures:
resilient IT systems and redundant communication channels, e.g. Internet with telephone as a
backup.
One major challenge in our project was the modelling of the transport system. We
are modelling a cyber-physical system and it is important to capture the interfaces between
the IT systems and the physical world. It is also important to capture the data flows supporting
consistency checks.
The risk analysis would then proceed from a list of generic attack goals expressed at the level
of containers, referring to their origin, status (sealed – unsealed, original content – changed
content), and destination. At that point, there are no attack goals relating to the ICT system.
For each generic attack goal, the following questions are asked:
- Which data may be modified/inserted/deleted to take control of a container?
- Where can those data be modified? During transmission? In a server? Physically on a
  container?
- How can data be modified/inserted/deleted? Raw data? Via an interface provided by
  the control system?
Rating of exploitability of vulnerabilities should not be performed at this step. Otherwise, the
process is unlikely to terminate.
Countermeasures include standard IT countermeasures such as access control at servers or
cryptographic protection during transmission. In addition there are the consistency checks
specific to the container control system. Questions to ask here are:
- Which information is provided to facilitate consistency checks?
- Where may consistency checks be performed?
- What happens if information is being suppressed?
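The following toy model is an added example and not code from the paper or the project it
describes. It illustrates two points made above: the evasion techniques available to an
attacker who diverts a container through the control system (modifying data in more places
than the check consults, or suppressing the status messages the check relies on), and the
last question in the list, what happens when information is suppressed. Three parties
(shipper, carrier, terminal) each hold a copy of one constructed booking; shipper and carrier
report to the terminal, which checks before release. The container identifier, the places
and the "strict" variant of the check are assumptions of the example, not something the
paper specifies.

```python
"""Toy model of the container control system discussed above.

Constructed example, not code from the paper: three parties each hold a
copy of the same container record, two of them send status messages to
the terminal, and the terminal runs a consistency check before release.
The attacker options mirror the evasion techniques named in the text.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ContainerRecord:
    container_id: str
    destination: str


@dataclass(frozen=True)
class StatusMessage:
    sender: str
    record: ContainerRecord


@dataclass
class Party:
    name: str
    records: Dict[str, ContainerRecord] = field(default_factory=dict)
    inbox: List[StatusMessage] = field(default_factory=list)


def check_release_naive(terminal: Party, container_id: str) -> Optional[str]:
    """Compare the terminal's own record with every message it received.

    Returns an alarm string, or None if nothing contradicts the record.
    This is the 'sloppy' check: an empty inbox is silently accepted.
    """
    own = terminal.records[container_id]
    for m in terminal.inbox:
        if m.record.container_id != container_id:
            continue
        if m.record.destination != own.destination:
            return (f"destination mismatch with {m.sender}: "
                    f"{m.record.destination} != {own.destination}")
    return None


def check_release_strict(terminal: Party, container_id: str,
                         expected_senders: Iterable[str]) -> Optional[str]:
    """Same comparison, plus: every expected party must actually have
    reported. A missing report is itself an alarm, so suppressing a
    message no longer disables the check (assumed hardening, not from
    the paper)."""
    alarm = check_release_naive(terminal, container_id)
    if alarm is not None:
        return alarm
    seen = {m.sender for m in terminal.inbox
            if m.record.container_id == container_id}
    missing = sorted(set(expected_senders) - seen)
    if missing:
        return f"no status message from {missing}"
    return None


def run_scenario(tamper_at: Tuple[str, ...] = (),
                 suppress: Tuple[str, ...] = ()) -> Dict[str, Optional[str]]:
    """Replicate one booking at shipper, carrier and terminal, apply the
    attacker's changes, deliver the messages the attacker does not drop,
    and return the verdict of both checks."""
    parties = {n: Party(n) for n in ("shipper", "carrier", "terminal")}
    # Constructed booking; identifier and places are illustrative only.
    booking = ContainerRecord("XXXU1234567", "Hamburg")
    for p in parties.values():  # the same information, stored in many places
        p.records[booking.container_id] = booking
    # Attacker rewrites the destination on the servers named in tamper_at.
    diverted = replace(booking, destination="Rotterdam")
    for name in tamper_at:
        parties[name].records[booking.container_id] = diverted
    # Status updates to the terminal; the attacker drops those in `suppress`.
    terminal = parties["terminal"]
    for name in ("shipper", "carrier"):
        if name in suppress:
            continue
        terminal.inbox.append(
            StatusMessage(name, parties[name].records[booking.container_id]))
    return {
        "naive": check_release_naive(terminal, booking.container_id),
        "strict": check_release_strict(terminal, booking.container_id,
                                       expected_senders=("shipper", "carrier")),
    }


if __name__ == "__main__":
    cases = {
        "honest transport": dict(),
        "tamper at terminal only": dict(tamper_at=("terminal",)),
        "tamper everywhere the check looks": dict(
            tamper_at=("terminal", "shipper", "carrier")),
        "tamper at terminal, suppress all messages": dict(
            tamper_at=("terminal",), suppress=("shipper", "carrier")),
    }
    for label, kwargs in cases.items():
        print(f"{label}: {run_scenario(**kwargs)}")
```

Running the scenarios shows the two evasion routes side by side. Tampering only at the
terminal is caught by either check. Suppressing both status messages leaves the naive
check with nothing to compare and it releases the diverted container; the strict variant
alarms on the missing reports. When the attacker rewrites the record at every party the
check consults, both variants pass: a consistency check is only as strong as the number
of independently held copies it draws on, which is why the questions above ask where the
information for a check comes from and where the check is performed.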
Ratings of the exploitability of vulnerabilities will depend on the specific conditions found in
a concrete scenario. We have provided – and experimented with – ratings for generic
vulnerabilities on a four value scale as in Mehari. Our case studies highlighted the challenges
in providing guidance to evaluators that would be interpreted consistently.
When rating impact, it makes sense to divide the risk analysis into a part that estimates the
likelihood that a container can be routed according to the attacker's plan and a part that
estimates the damage (physical damage, economic damage) caused by an attack involving
containers.