Risk Analysis for Container Transport

Harald Sauff, Dieter Gollmann
Institute for Security in Distributed Applications, Hamburg University of Technology

We will present findings from a research project that investigated the feasibility of using IT to improve physical security aspects of the container transport system. The logistics sector moves physical objects (containers) whose movement is controlled by various documents, originally mainly on paper, with a growing reliance on IT systems. In our risk analysis we therefore treat the IT systems not as infrastructure (to be secured with traditional IT security measures) but as a control system that moves containers.

This transport system can, almost by necessity, only be specified incompletely. First, there is a wide range of business processes that are often known only to the participants directly involved. Secondly, hiding aspects of a transport can be part of a business strategy. We are therefore not in a position to base our risk analysis methodology on a complete model of the transport system.

The control system uses information (identifiers, destination addresses, etc.) to determine container movements. In a distributed system, data representing the same piece of information can be stored in many places, so data inconsistencies are possible both in theory and in practice. The existing control system has built-in consistency checks, e.g. messages sent to other parties with updates on changes to container status.

We are concerned with attacks whose goal is to divert containers, either by physically taking control of a container or by using the control system. In the latter case, data has to be changed so that a container is routed according to the attacker's plan. Such an attack has to modify or insert data in the system and avoid detection by the consistency checks. Detection can be avoided by suppressing messages, by modifying data in enough places that a consistency check does not trigger an alarm, or by involving parties whose consistency checks are sloppy. We may also consider denial-of-service attacks aiming at (large-scale) disruption of container flows. This appears to be a generic attack pattern with generic countermeasures: resilient IT systems and redundant communication channels, e.g. the Internet with telephone as a backup.

One major challenge in our project was the modelling of the transport system. We are modelling a cyber-physical system, and it is important to capture the interfaces between the IT systems and the physical world. It is equally important to capture the data flows that support the consistency checks.

The risk analysis then proceeds from a list of generic attack goals expressed at the level of containers, referring to their origin, status (sealed or unsealed, original or changed content) and destination. At this point there are no attack goals relating to the ICT system. For each generic attack goal, the following questions are asked: Which data may be modified, inserted or deleted to take control of a container? Where can those data be modified? During transmission? In a server? Physically on a container? How can data be modified, inserted or deleted? As raw data? Via an interface provided by the control system? The exploitability of the vulnerabilities found should not be rated at this step; otherwise the process is unlikely to terminate.

Countermeasures include standard IT countermeasures such as access control at servers or cryptographic protection during transmission. In addition, there are the consistency checks specific to the container control system. Questions to ask here are: Which information is provided to facilitate consistency checks? Where may consistency checks be performed? What happens if information is suppressed?
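The attack patterns and consistency checks described above, as an added illustration that is not part of the original abstract or the project's own code: a toy Python model of three parties (shipper, carrier and terminal, constructed names) that each hold their own copy of a container's routing record and exchange status messages, which the receiving party compares with its own copy. The three scenarios show a modification of a single copy being caught by the check, a modification of every copy passing it, and a modification at a party with sloppy checks combined with suppression of that party's outbound updates passing it unless the receivers also alarm on a missing update. The container identifier and destinations are constructed sample data.

```python
"""Toy model of consistency checks in a distributed container control system.

Added illustration, not the project's code. Party names, the container
identifier and the destinations are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

CONTAINER = "MSKU1234567"  # constructed sample identifier


@dataclass
class Record:
    """One party's copy of the routing data for a container."""
    container_id: str
    destination: str


@dataclass
class StatusMessage:
    """Status update one party sends to the others; it drives the check."""
    sender: str
    container_id: str
    destination: str


@dataclass
class Party:
    name: str
    records: Dict[str, Record] = field(default_factory=dict)
    checks_consistency: bool = True  # False models a party with sloppy checks
    alarms: List[str] = field(default_factory=list)

    def status_messages(self) -> List[StatusMessage]:
        return [StatusMessage(self.name, r.container_id, r.destination)
                for r in self.records.values()]

    def receive(self, msg: StatusMessage) -> None:
        """Consistency check: compare the reported destination with our copy."""
        if not self.checks_consistency:
            return
        own = self.records.get(msg.container_id)
        if own is not None and own.destination != msg.destination:
            self.alarms.append(f"{self.name}: {msg.container_id} is {own.destination!r} "
                               f"here but {msg.sender} reports {msg.destination!r}")


class ControlSystem:
    def __init__(self, parties: List[Party]) -> None:
        self.parties = {p.name: p for p in parties}
        self.suppressed: Set[Tuple[str, str]] = set()  # blocked (sender, receiver) channels

    def book(self, container_id: str, destination: str) -> None:
        """Legitimate booking: every party receives a consistent copy."""
        for p in self.parties.values():
            p.records[container_id] = Record(container_id, destination)

    def tamper(self, party: str, container_id: str, destination: str) -> None:
        """Attacker changes raw data in one party's store without sending an update."""
        self.parties[party].records[container_id].destination = destination

    def suppress(self, sender: str, receiver: str) -> None:
        """Attacker blocks the status messages on one channel."""
        self.suppressed.add((sender, receiver))

    def consistency_round(self, detect_missing: bool = False) -> List[str]:
        """Every party broadcasts its status; receivers check and may raise alarms."""
        for sender in self.parties.values():
            msgs = sender.status_messages()
            for receiver in self.parties.values():
                if receiver is sender:
                    continue
                if (sender.name, receiver.name) in self.suppressed:
                    if detect_missing and receiver.checks_consistency:
                        receiver.alarms.append(f"{receiver.name}: no status update from {sender.name}")
                    continue
                for m in msgs:
                    receiver.receive(m)
        return self.alarms()

    def alarms(self) -> List[str]:
        return [a for p in self.parties.values() for a in p.alarms]

    def carrier_destination(self) -> str:
        """Where the carrier will actually move the container."""
        return self.parties["carrier"].records[CONTAINER].destination


def build_system(sloppy: Iterable[str] = ()) -> ControlSystem:
    sloppy = set(sloppy)
    cs = ControlSystem([Party(n, checks_consistency=n not in sloppy)
                        for n in ("shipper", "carrier", "terminal")])
    cs.book(CONTAINER, "Hamburg")
    return cs


def attack_single_copy() -> ControlSystem:
    """Modify the carrier's copy only: the next status round exposes the mismatch."""
    cs = build_system()
    cs.tamper("carrier", CONTAINER, "Rotterdam")
    cs.consistency_round()
    return cs


def attack_all_copies() -> ControlSystem:
    """Modify every copy: all parties agree on the wrong destination, no alarm."""
    cs = build_system()
    for name in cs.parties:
        cs.tamper(name, CONTAINER, "Rotterdam")
    cs.consistency_round()
    return cs


def attack_suppress_with_sloppy_party(detect_missing: bool = False) -> ControlSystem:
    """Modify the copy at a sloppy party and block its outbound updates."""
    cs = build_system(sloppy={"carrier"})
    cs.tamper("carrier", CONTAINER, "Rotterdam")
    cs.suppress("carrier", "shipper")
    cs.suppress("carrier", "terminal")
    cs.consistency_round(detect_missing=detect_missing)
    return cs


if __name__ == "__main__":
    for label, cs in [("single copy", attack_single_copy()),
                      ("all copies", attack_all_copies()),
                      ("suppress, sloppy carrier", attack_suppress_with_sloppy_party()),
                      ("suppress, missing-update check", attack_suppress_with_sloppy_party(True))]:
        print(f"{label}: carrier moves to {cs.carrier_destination()}, {len(cs.alarms())} alarm(s)")
```

In every scenario the carrier's own record, the one that determines where the container physically goes, reads the attacker's destination; only the alarm count differs. The model makes the abstract's point concrete: a check that compares copies is defeated by changing all copies, and a check that only reacts to messages it receives is defeated by suppressing them, so a useful consistency check also has to treat an expected update that never arrives as a signal.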
Ratings of the exploitability of vulnerabilities depend on the specific conditions found in a concrete scenario. We have provided, and experimented with, ratings for generic vulnerabilities on a four-value scale as in Mehari. Our case studies highlighted the challenge of providing guidance to evaluators that is interpreted consistently. When rating impact, it makes sense to divide the risk analysis into a part that estimates the likelihood that a container can be routed according to the attacker's plan and a part that estimates the damage (physical damage, economic damage) caused by an attack involving containers.