An information sharing and analysis center for the rail-freight industry distributed an early warning of last weekend's Internet attack and a patch to protect network computers - actions that helped avert a transportation slowdown, according to industry officials.

EWA Information Infrastructure Technologies (EWA/IIT), of Herndon, Va., the contractor for the Surface Transportation Information Sharing and Analysis Center (ST-ISAC), alerted the rail-freight industry to the computer worm late Jan. 24 or early Jan. 25, according to the company Vice President Paul Wolfe.

The worm, called SQL Slammer, crippled tens of thousands of computers and disabled Bank of America cash machines over the weekend. A worm is a program that replicates itself, unlike a computer virus, which requires opening an e-mail or some other action by the user that then spreads it to another machine.

The worm also could have "slowed down the operation of a surface transportation entity," Wolfe said, but the ISAC's alerts allowed the industry to protect its computers.

The U.S. Department of Transportation (DOT) announced Jan. 23 that mass transit systems were joining the Surface Transportation ISAC, which provides information on cyber and physical security threats to the center's industry members.

"We would hook up every public transit agency in the U.S. to receive information from this [Surface Transportation] ISAC," said Greg Hull, who handles security issues for the American Public Transit Association (APTA) of Washington, D.C.

Mass transit will join as "a node within that existing [Surface Transportation] ISAC," he said.

The DOT's Federal Transit Administration has provided a $1.2 million, two-year grant to the public transit ISAC, which Hull said would begin operating "within several weeks." APTA President William Millar will serve as public transit's ISAC sector coordinator.

EWA/IIT, which will also be the contractor for the public transit node, will tailor the analysis and information it provides to meet the sector's specific security needs. In some cases,such as the SQL Slammer worm, the same information would also go to rail-freight participants, according to Wolfe.

Within sectors, information is sent only to industry participants who have a need to know, said Wolfe. This avoids information overload and helps assure EWA/IIT that alerts are not ignored.

Nancy Wilson, senior assistant to vice president for regulatory and state affairs with the Association of American Railroads of Washington, D.C., said the ST-ISAC had been "very effective in giving the partners in the ISAC early warning about various security threats and vulnerabilities"

EWA/IIT employees with security clearances working at a company operations center analyze information on domestic and foreign threats from government and other sources. EWA/IIT also analyzes information about possible security breaches from industry participants, looking for trends that could warn of a larger threat.

The company's alert about the SQL worm originated with a member company calling in information that EWA/IIT analysts put together with information from the CERT Coordination Center, an Internet security reporting center at Carnegie Mellon University in Pittsburgh, according to Wolfe.

The ST-ISAC is trying to interest other industries, including trucking and maritime, in joining.

"It would add great value to their sector and certainly it will make the ISAC more robust to have broader reporting [of possible security threats] coming to the ISAC" from its participants, Wilson said.

- Harvey Smith (harvey_simon@AviationNow.com)