In this article appearing in PC World, the U.S. Government stated that the use of RFID devices by firms can create security and privacy risks. Thus, best practices should be implemented for retailers, manufacturers, hospitals, and federal agencies to alleviate security risks. The primary concern is that unlike desktop computers or other devices overseen by a company's network security crew, an RFID tag may be used by a multiple firms. That is, firms may use a different techniques to maintain their chain-of-custody than other firms. The National Institute of Standards (NIST) of the Department of Commerce released a report that mentions how suppliers, manufactures, retailers, and different organizations acquire the same data from RFID tags throughout its lifecycle, but do not implement an adequate security policy to protect the data from unauthorized personnel. This situation raises privacy and security risks.
The released publication is called, "Guidelines for Security Radio Frequency Identification (RFID) Systems." The following recommendations are: (1) Organizations should use Firewalls to separate RFID databases from other databases and IT Systems; (2) Encrypt radio signals when possible; (3) Authenticate approved users of RFID systems; (4)Shield RFID tags or tag reading areas with metal screens or films to prevent unauthorized access of tag readers; (5) Use managed audit procedures, logging and time stamping to help detect a breach of security (6) Implement a procedure for tag disposal and recycling that permanently disables or destroys sensitive data.
The report was mandated by Congress under the Federal Information Security Management Act of 2002. Besides the retail industry, RFID devices are used in hospitals to match patients to lab test results. This raises a concern about unauthorized personnel who can capture sensitive data. During handling and transportation of hazardous materials, RFID tags are handled by a number of organizations to track the materials. However, the risks are rather significant because of potential threats to target vehicles containing hazardous materials; eavesdrop on tag transactions to gather information on the characteristics of the materials; damage or disable a tag, making it easier to steal or change manifest data stored on the tag. Ultimately, this risk to security of hazardous material transport could be devastating to the organization or to the community.
As a result, the recommendation is to shield vehicles and containers from electromagnetic emissions, establish a 300 ft perimeter around storage locations, and use passwords to prevent unauthorized personnel from reading tags or changing information on the tags. The report states that is a general rule, tagged items should be identified only before products are transported out to their destinations and when products are received at their destination and inventory storage, but not during vehicle transport. The challenge to supply chain management is that only authorized personnel should have access to RFID information and that specialized training is required to sustain security of the contents.
I like the article because the recommendations are closely related to the Case Study in Chapter 8 of Laudon and Laudon where the Department of Veteran Affairs failed to implement a fail safe method to protect valuable data from being stolen. Millions of sensitive records were stolen from former veterans. A VA financial analyst took home a laptop computer having millions of records of sensitive data to work on a project, but the laptop and records were stolen from the employee's home. The VA required to implement a policy to safeguard all sensitive records. My place of employment, the NAVFAC Engineering Service Center, takes special precautions to safeguard classified materials. We employees take extensive security awareness training to become aware of our responsibilities to handle sensitive information. RFID technology has certainly made supply chain management more efficient, but security and privacy issues are always a concern.
Reference: Jon Brodkin, U.S. Government Calls for Better RFID Security, Department of Commerce report says RFID raises unique security concerns. Network World, PC World, May 1, 2007.
Hi Bob,
ReplyDeleteUsing RFID within supply-chains is really interesting. On the one hand it can tighten down a companies inventory by knowing where all their goods are within their supply chain, on the other hand there is the risk of data integrity by non-company intruders, as your article points out. Seems like another critical point of concern regarding overall IT security and sensitivity. I'm sure it will get resolved with security/antivirus software programs to enable RFID to become effective and ueseful to companies and government agencies.
John