Understanding EDI security issues

Computers & Security, 11 (1992) 525-528

Understanding EDI Security Issues. Belden Menkus, Post Office Box 129, Hillsboro, TN 37342, USA, (615) 728-2421

Electronic data interchange (EDI) is a major innovation in the practical use of computing. It is already being used extensively in some segments of the retailing and manufacturing sectors. EDI has demonstrated that it can improve significantly the way in which various routine business transactions are carried out. For instance, EDI arrangements are already being used to handle some forms of routine customs processes. This use of EDI is expected to grow significantly throughout the rest of this decade. Again, EDI plays a major role in the operation of so-called just-in-time parts and subassembly replenishment in a manufacturing setting.

The EDI concept represents the first major change in nearly 4000 years in both the form and content of these transactions. Its use raises significant legal issues that legislators, regulators, and the courts largely have yet to address authoritatively.¹ For instance, many EDI trading arrangements already cross international boundaries, and it is not clear in most instances how and where significant disputes would be resolved. In addition, the adoption of EDI presents significant information security, control, and auditing problems. Among other things, it eliminates long established paper document processing activities and the division of responsibilities and the audit trails associated with those operations. Also, an EDI arrangement effectively changes the timing of the transactions that it encompasses.

¹ Legal and regulatory requirements related to EDI vary by country. For a comprehensive discussion of these issues as they apply to the U.S. see The Law of Electronic Commerce: EDI, Fax, and E-mail: Technology, Proof, and Liability by Benjamin Wright (Little, Brown and Co., Boston and London, 1991).

The inherent nature of an EDI arrangement requires structurally that it be open always to accept incoming transaction related data. This means that both the system and the data that it processes and maintains are exposed continuously to attack and possible compromise. Thus, in most instances an EDI arrangement cannot be protected through the use of conventional access control mechanisms. Also, the concise and highly structured format of most of the messages moving through this environment will facilitate an effort by any outsider to compromise either their content or the mechanism that processes them.

These vulnerabilities have not been addressed by most EDI arrangements. Fortunately, it does not appear, thus far, that most computer hackers have recognized the role of EDI arrangements in commerce and the value of the assets that potentially are exposed to manipulation through outside attacks upon them. But they can be expected to discover these systems eventually and, as has happened already with some international funds transfer arrangements, to begin using them to divert the assets represented by the data moving through the system.

Part of a Larger Issue

A similar vulnerability exists in most electronic funds transfer and securities trading and ownership transfer arrangements. The design concepts upon which these information processing applications have been structured are more than two decades old. They date from the early years of so-called second-generation computing. At that time the designers of these applications, understandably, did not envisage such things as computer hackers, satellite movement of data, and the distribution of a major amount of computing power to the desktop and laptop. Continued failure to find ways of engineering enhanced security back into this type of 'worth transfer' information processing application can lead to significant economic problems.

0167-4048/92/$5.00 © 1992 Elsevier Science Publishers Ltd

Definitions

Development of what eventually became EDI began in 1968 with an inter-industry attempt to create a standard arrangement for describing goods as they moved through the various modes of transportation. This effort to develop a so-called common commodity classification structure eventually evolved into the current EDI mechanism. Electronic data interchange is defined as:

The routine exchange of business documents between trading partners in electronic form between computers in a fashion that permits them routinely to be received, validated, accepted, and entered directly into the job stream of the target information processing application.

But the habitual interchange of such things as electronic mail or facsimile messages or the processing of documents with highly structured formats does not, of itself, constitute the maintenance of an EDI arrangement.

An EDI arrangement may be established directly between two trading partners, or it may be carried out by exchanging messages through a third party service organization that handles routing, content format translation, and other network management tasks. The content and format of EDI activities normally are governed by particular industry and Government standards and by formal agreements entered into between teams of trading partners. Typically, EDI arrangements involve the routine electronic exchange of such things as requests for quotations, purchase orders, stock replenishment directives, shipping instructions, invoices, and payment orders. (Inclusion of the last document category reflects the gradual merger of certain EDI and electronic funds transfer mechanisms. This type of functional blend can be expected to become more common during the next decade.)

The operational environment in which an EDI arrangement functions typically will be defined by the structure of either the software product or the service offering that the participants in this relationship are using. Despite possible claims to the contrary, this structure normally will favour the interests of the dominant participant in the relationship. Often, this may be the service organization. And the dominant participant in this alliance may resist any attempts to modify the structure of this process. (This can occur even when the desired change is well intentioned or is permitted by the terms of the EDI arrangement.) Thus, it may prove difficult once this relationship has been established to remedy any perceived security or control problems. Unfortunately, it may not be possible to have such issues resolved before the EDI arrangement is established.

Benefits and Risks

In some instances competitive pressures within an industry or the demands placed upon an organization by one of its prime customers will force it to enter into an EDI arrangement. Apart from these considerations, EDI typically will be adopted in an effort to decrease transaction processing cost, shorten the time to process each transaction, reduce the investment in inventory reserves, and improve the organization's response to the requirement for accuracy and currency in relevant source data.

However, most EDI arrangements apparently fail to recognize such things as the trading partners' increased reliance for their survival upon the endurance of the telecommunication links that they are using, and the loss of some aspects of information confidentiality in the routine flow of data between the two entities. (In some instances EDI trading arrangements have provided one or two major suppliers with effective control of a large aspect of the daily operations of a particular retailer or manufacturer who is a customer.) Also, most EDI trading agreements fail to recognize the need to provide for apportioning between the participants in this arrangement responsibility and liability for errors and other problems that may impact the integrity of shared database content. This can be expected to become an even more significant issue in those instances where the participants in a trading arrangement effectively are sharing common database content.

Failure to define accountability can be a particular concern when a third party service organization plays a role in the trading relationship. It is possible for a serious problem to develop in this multi-party relationship and for none of the participants in the relationship to be willing to accept responsibility for it. It is possible, as well, for spurious transactions to be introduced into the EDI dataflow by the employees of the service organization. Several other difficulties may develop when one is dealing with an EDI service organization. These may include:

1. The service organization's unwillingness to permit auditors representing the EDI trading partners to examine relevant records, operations, and the controls associated with them.

2. Lack of a declaration by the trading partners of their ownership rights to data processed or stored on their behalf. (Negligence in this regard could create significant problems if the service organization's ownership changes or it ceases operations.)

3. The service organization's failure to make suitable provisions for promptly restoring its data processing and telecommunication activities after a disaster, whether it affects only the service organization or involves the trading partners as well.

4. Questions about the accuracy and consistency of the service organization's processing of transactions and its charges for doing so.

Security and Control Concerns

Errors can be introduced into direct EDI trading arrangements by the transmission process itself, by insiders, or by outsiders, including competitors who have been excluded from this relationship. These errors can appear in data as well as software content. The transmission process itself can destroy or distort the content of EDI transaction data moving through it. When the trading arrangement extends across international boundaries all such errors could prove to be exceptionally difficult to identify and correct. In addition, in situations where an international trading arrangement exists or the EDI process is interconnected, say, with an electronic funds transfer arrangement, a particular error may cascade far beyond its source and be difficult to contain.

In some EDI trading arrangements the intended benefits have been realized but they have been offset by the elimination of some of the information content and transaction processing integrity controls traditionally applied to the handling of this type of data. In an EDI environment the structure of the transaction handling process effectively has been collapsed to expedite the movement of data through it. Moreover, this change also has been accompanied by an eradication of the multiple transaction content reviews associated with conventional methods for handling such a matter. The numerous visual inspections of the integrity of transaction content identified with the so-called checks and balances that are encompassed by the auditor's prized separation of duties disappear. Individual transactions are effectively accepted at face value and can only be corrected or reversed if a defect in their content or timing is discovered after the fact.

Security and Control Techniques

In its simplest form an EDI trading arrangement is a mechanism for the exchange of data among geographically dispersed participants. Basically this mechanism is exposed to all of the threats to which any distributed telecommunication process may be subjected. And the basic data protection requirements for an EDI trading arrangement are similar to those of any geographically distributed telecommunication process.

In addition, as suggested earlier, in an EDI trading arrangement integrity preservation measures must focus on protecting data and file content. Data and transaction accuracy and completeness, and the timeliness of their processing, should be preserved. It seems reasonable at least to consider employing in this environment the same type of data encryption and message authentication mechanisms that are already being used in electronic funds transfer arrangements. If this is done, comparable encryption key generation, distribution, and management problems will have to be resolved.

It follows, too, that a so-called continuous process audit module or comparable mechanism will need to be added to the trading arrangement. Such a thing can take the form of an expert system. In whatever fashion it is realized, this mechanism should be capable of monitoring the occurrence of, and activating the resolution of, such things as an interruption in message sequence, an alteration in message content, a failure of the message authentication process, or any form of possible compromise of the encryption operation itself.

In addition, an EDI trading arrangement should have at least these six operational features that will serve to enhance the effectiveness of its internal control structure:

1. Maintenance of a non-modifiable record of message content. Ideally, this data will contain date, time and source elements and will be created on an optical disk.

2. Computer generated assignment of message sequence numbers. Ideally, these will be generated on a genuinely random basis to discourage the insertion of spurious messages in the sequence.³ However, the movement of legitimate messages will be traced through the system by its supervisor entity.

3. Matches of message header and trailer content and checks of the internal structure of the messages themselves. Among the things to be validated are the range and reasonableness of data form and content value, message sequence consistency, and the appropriateness of its origin and destination data.

4. Prompt recording, reporting, and resolution of irregularities and problems. Certain types of questions should be referred directly to a designated person for prompt resolution. All items in this Problem Log should be reconciled quickly.

5. Maintenance of some form of conventional segregation of duties that is integral to the regular operation of the trading arrangement. This can be based upon the functional segmentation of the processes of originating, authorizing, and acknowledging individual messages and the transactions associated with them. (Negative acknowledgement of messages should be provided for, when it is appropriate.)

6. Employment of batch processing (which is easier to control) wherever feasible. This might be accomplished through a form of remote job entry in which messages may be aggregated at a local server and transmitted later in individual packets.
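The continuous process audit module described above and the first four of the six operational features can be exercised together in a small receiver-side check. The following Python is an added example written for this page; it is not code from the article or from any EDI product or service the article describes. It assumes a constructed pipe-delimited envelope (HDR and TRL records carrying a sequence number and a segment count, in the spirit of the control numbers and segment counts that real interchange envelopes carry), hypothetical shared keys MAC_KEY and SEQ_KEY, made-up trading partner identifiers and a made-up quantity limit. In place of the genuinely random sequence numbers the article prefers (and which footnote 3 says are hard to produce at volume) it derives each number from a shared key and a message counter, so the next number is unpredictable to an outsider yet reproducible by both partners and the supervisor. Features 5 and 6 (segregation of duties and batching) are organizational and are not shown.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical keys shared by the two trading partners out of band. Their
# generation, distribution and rotation is the key-management problem the
# article says must be solved once MACs are used on an EDI link.
MAC_KEY = b"example-mac-key-not-for-production"
SEQ_KEY = b"example-sequence-key-not-for-production"
KNOWN_PARTNERS = {"ACME", "WIDGETCO"}  # constructed trading-partner identifiers
MAX_LINE_QTY = 10_000                  # constructed reasonableness limit for a line item
GENESIS = "0" * 64                     # chain value before the first journal entry


def mac_of(body: str) -> str:
    """Message authentication code over the whole envelope; detects content alteration."""
    return hmac.new(MAC_KEY, body.encode(), hashlib.sha256).hexdigest()


def sequence_number(n: int) -> int:
    """Feature 2: the n-th sequence number is derived from a shared key, so an outsider
    cannot guess the next one, while both partners and the supervisor can recompute it."""
    digest = hmac.new(SEQ_KEY, str(n).encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def build_message(n: int, sender: str, receiver: str, timestamp: str, segments: list) -> str:
    """Sender side. Constructed envelope: HDR, body segments, TRL, then a MAC over all of it."""
    seq, count = sequence_number(n), len(segments)
    body = "\n".join([f"HDR|{seq}|{sender}|{receiver}|{timestamp}|{count}",
                      *segments,
                      f"TRL|{seq}|{count}"])
    return body + "\nMAC|" + mac_of(body)


@dataclass
class AuditModule:
    """Receiver-side continuous audit module: validates each message and keeps a
    hash-chained journal (feature 1) and a problem log (feature 4)."""
    counter: int = 0                                  # index of the next expected message
    journal: list = field(default_factory=list)
    problem_log: list = field(default_factory=list)
    chain: str = GENESIS

    def validate(self, raw: str) -> list:
        problems = []
        body, sep, mac = raw.rpartition("\nMAC|")
        if not sep or not hmac.compare_digest(mac, mac_of(body)):
            problems.append("authentication failure: content altered or key compromised")
        lines = body.split("\n")
        hdr, trl = lines[0].split("|"), lines[-1].split("|")
        if hdr[0] != "HDR" or trl[0] != "TRL" or len(hdr) != 6 or len(trl) != 3:
            return problems + ["malformed envelope"]
        # Feature 3: header and trailer must agree with each other and with the body.
        if hdr[1] != trl[1] or hdr[5] != trl[2] or hdr[5] != str(len(lines) - 2):
            problems.append("header/trailer mismatch")
        if hdr[2] not in KNOWN_PARTNERS or hdr[3] not in KNOWN_PARTNERS or hdr[2] == hdr[3]:
            problems.append("inappropriate origin or destination")
        for seg in lines[1:-1]:                       # range and reasonableness of content
            f = seg.split("|")
            if f[0] == "LIN" and not (len(f) == 3 and f[2].isdigit()
                                      and 0 < int(f[2]) <= MAX_LINE_QTY):
                problems.append(f"out-of-range line item: {seg}")
        # Feature 2: a replayed, out-of-order or guessed sequence number is an interruption.
        if hdr[1] != str(sequence_number(self.counter)):
            problems.append(f"sequence interruption at message {self.counter}")
        return problems

    def process(self, raw: str, received_at: str, source: str) -> bool:
        problems = self.validate(raw)
        # Feature 1: every message, accepted or not, is journalled with date/time and
        # source; each entry commits to the previous one, so a silent edit breaks the chain.
        entry = f"{received_at}|{source}|{hashlib.sha256(raw.encode()).hexdigest()}|{self.chain}"
        self.chain = hashlib.sha256(entry.encode()).hexdigest()
        self.journal.append(entry)
        if problems:
            self.problem_log.append((received_at, problems))   # for the designated person
            return False
        self.counter += 1
        return True


def journal_intact(journal: list) -> bool:
    """Recompute the chain over the journal; any edited or deleted entry breaks it."""
    prev = GENESIS
    for entry in journal:
        if not entry.endswith("|" + prev):
            return False
        prev = hashlib.sha256(entry.encode()).hexdigest()
    return True


if __name__ == "__main__":
    audit = AuditModule()
    order = build_message(0, "ACME", "WIDGETCO", "1992-06-01T09:00:00", ["PO|4711", "LIN|SKU-1|25"])
    print(audit.process(order, "1992-06-01T09:00:05", "link-1"))                              # True
    tampered = order.replace("LIN|SKU-1|25", "LIN|SKU-1|250")
    print(audit.process(tampered, "1992-06-01T09:01:00", "link-1"))                           # False
    print(audit.problem_log[-1][1], journal_intact(audit.journal))
```

A rejected message still goes into the journal; the article's point is that the record must be non-modifiable, and the chain makes any later edit detectable, while the problem log is what the designated person reconciles. Because a failed message does not advance the counter, a replay of an earlier valid message is reported as a sequence interruption even though its MAC still verifies, which is the case the MAC alone cannot catch.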

³ The message traffic generated through an EDI arrangement, typically, will be too extensive to make the use of any so-called pseudo-random number generation process effective.

© 1992, Belden Menkus. All Rights Reserved.