Free cookie consent management tool by TermsFeed

Crane System Vulnerabilities: A Gateway to OT Cybersecurity Threats in Maritime Operations

October 10, 2024

A recent joint report by the Select Committee on the Chinese Communist Party (CCP) and the House Committee on Homeland Security highlights a serious vulnerability within U.S. port infrastructure—Shanghai Zhenhua Heavy Industries (ZPMC) cranes. Accounting for 80% of ship-to-shore (STS) cranes in U.S. ports, these systems, manufactured in China, present a significant Operational Technology (OT) cybersecurity not only to individual cranes and port operations but potentially to entire maritime fleets and the broader vessel network infrastructure.

How Crane System Compromises Impact Vessel and Fleet OT Security

Modern port cranes, such as those produced by ZPMC, are deeply integrated into the port's OT ecosystem, which communicates directly with vessels, port management systems, and broader logistics networks. If cyber attackers compromise crane systems, they can gain access to critical OT networks that handle everything from cargo management to communication with vessels at sea. Given the reliance of cranes on cellular modems and remote access features, these connections provide an entry point for attackers to infiltrate the network.

For example, ZPMC cranes have been found with unauthorized cellular modems, potentially installed without any oversight or within contract terms. These modems offer pathways for cyber attackers to remotely access the crane’s systems, and once inside, attackers could move laterally into more critical OT systems, impacting fleet communication, cargo data, or even the vessels' navigation systems. This lack of visibility and control over the supply chain heightens the risk.

Why Crane Systems Are Vulnerable to Cyber Attacks

Several factors make crane systems a prime target for cyber attackers:

Lack of Oversight in Assembly (Supply Chain Vulnerabilities) - Despite critical components originating from trusted manufacturers like Germany or Japan, these parts are shipped to China for assembly by ZPMC, without sufficient oversight. During the assembly process, there could be a breach in security due to a compromised device, say a USB, opening the door for backdoors, malicious code, or other vulnerabilities to be introduced. 

Inadequate Network Security Controls - U.S. ports' contracts with ZPMC do not explicitly prevent the installation of remote access or unauthorized modifications. This lack of stringent network controls or monitoring for OT systems makes these cranes a weak link in the overall cybersecurity of port operations.

Dependence on Cellular Modems - ZPMC cranes have been found with cellular modems that weren’t included in initial contracts, offering a potential point for remote access. This vulnerability is compounded by the People’s Republic of China (PRC)’s national security laws, which mandate that companies like ZPMC cooperate with state intelligence agencies, meaning the Chinese government could request access to these cranes, making remote access a necessity.

Consequences of Crane System Compromises

The implications of a successful cyber attack on crane systems are vast. If attackers manage to exploit vulnerabilities in the crane’s OT, they could:

  • Disrupt Cargo Operations: Hackers could manipulate crane operations to create physical damage or delays, significantly disrupting global supply chains.
  • Access Vessel Systems: Since STS cranes interact directly with vessel systems during loading and unloading operations, an attack on the crane's OT could bridge into the vessel’s systems, giving attackers control over navigation, communication, or even propulsion systems.
  • Compromise Port-Wide Operations: Even just one compromised crane could serve as an entry point for cybe hackers to move through interconnected port OT systems, gaining access to other critical infrastructure, such as fuel storage or traffic management systems.
  • Threaten National Security - In a geopolitical conflict, compromised crane systems could be used to hinder military operations or manipulate the supply chain of strategic materials needed for defense. 

How to Prevent Crane System Compromises: The OT Cybersecurity Way

From an OT cybersecurity perspective, there are critical steps that ports and government agencies can take to reduce the risk of such compromises:

  1. Network Monitoring: Installing operational technology monitoring software on crane systems is vital. These systems should continuously track for abnormal behavior or unauthorized access, ensuring real-time detection of suspicious activities.
  1. Implement Zero-Trust Access Control: Remote access to crane systems should be restricted under a zero-trust framework, for example, secure remote access (SRA). This means verifying every attempt to access the system, whether it's from a technician or a machine, ensuring that only authorized personnel can interact with the crane’s OT.
  1. Sever Cellular Modem Connections: The report recommends that ports disconnect cellular modems installed on ZPMC cranes. These unauthorized devices provide a significant vulnerability that must be addressed immediately to prevent remote attacks.
  1. Conduct Regular OT Security Audits: Ports need to regularly audit the entire supply chain for vulnerabilities, ensuring that critical components aren’t compromised during assembly. Independent audits should include inspections of cranes, their network connections, and any third-party devices.
  1. Strengthen Supply Chain Oversight: As critical components are assembled in China, independent oversight is necessary. Ports should consider using alternative manufacturers or ensuring more direct control over the assembly and installation process.

Conclusion

The increasing dependence on foreign-made cranes introduces critical OT cybersecurity vulnerabilities into U.S. seaports. Attackers can leverage weaknesses in crane systems to access vessel networks, disrupt cargo operations, and compromise national security. A more robust OT cybersecurity approach, including real-time monitoring, network segmentation, and stricter supply chain oversight, is essential to protect against these threats and ensure the safety of maritime operations.

Source: https://www.securityweek.com/house-report-shows-chinese-cranes-a-security-risk-to-us-ports/