A First Security Analysis of a Secure Intermodal Goods Transport System

Rapport, 2013

The goods transport business involves a lot of money and is a big part of the infrastructure of any European country. There are often many different actors involved in each transport and the communication network is rather complex due to the point-topoint communication structure. It is easy to understand why there is a high demand for increased simplicity and effectiveness. With this in mind, the e-Freight project which is based on PEPPOL has moved towards a standardized solution by developing a communication system based on access points (APs). These APs act as the interface to the system and makes it easy to establish communication between any two connected actors. With PEPPOL and e-Freight as a foundation, VOLVO leads the SITS project in close cooperation with Stena Line and DSV. The goal is to develop a harmonized communication framework that promotes increased sharing of information between actors and enable new applications to increase effectiveness and security in the chain of transportation. This leads to simplified accessibility for actors to a set of services by being connected to an AP. At the same time service providers benefit from being able to easily set up cloud services available for all actors. In addition to the back-office communication between APs, external devices such as cellphones, in-vehicle computers and check-in terminals can communicate directly with each other over short distances. This type of communication is only partially specified and a mutual standard is yet to be decided upon. In this report we have analyzed the SITS project from an IT-security perspective. The back-end system derived from e-Freight is looked into and communication links, access points, protocols, certificate handling etc., are examined. Another concern in the SITS project is the short-range communication between trucks and terminals. Since RFID is a highly potential candidate for use in this area, we have studied the technology by categorizing a typical RFID system into three distinct layers and researched important security threats with the classic CIA approach. Based on the security issues found, countermeasures such as encryption, authentication and protection against man-in-themiddle attacks are reviewed.