Concerns Over Supply Chain Attacks on US Seaports Grow

As the United States looks to shore up the cyber-resilience of its critical infrastructure, a congressional report has highlighted that the nation's maritime shipping and port operations rely too much on Chinese-made cranes and other systems whose software is often vulnerable and can be communicated with remotely.

Last week, the House of Representatives' Select Committee on the Chinese Communist Party released a report on the potential threats to the US port infrastructure, revealing that 80% of the ship-to-shore (STS) cranes at US ports are manufactured by a single Chinese government-owned company, Shanghai Zhenhua Heavy Industries (ZPMC). While the committee did not turn up evidence that the company used its access maliciously, the firm failed to address software vulnerabilities and retained the ability to remotely access the crane's systems via a cellular modem, often without explicit notification.

Even though the report does not find a smoking gun, the concerns are reasonable, says John Terrill, chief information security officer (CISO) at extended Internet-of-Things (IoT) security firm Phosphorus Cybersecurity.

"There could be legitimate purposes for [a cellular modem], but I think the general sentiment — because it's a Chinese-owned company — the [committee] is concerned that allowing access is setting up a ticking time bomb," he says. "If something happens geopolitically, the ports may, all of a sudden, not be able to operate the cranes."

Related:Name That Toon: Tug of War

The supply chains for critical economic sectors are attracting intense scrutiny from policymakers and security organizations. When Russia invaded Ukraine, the military targeted cyberattacks at infrastructure, such as satellite communications and nuclear power generation. The recent attacks on Lebanon-based Hezbollah militants — considered a terrorist organization by the US government — using pagers likely compromised through a supply-chain attack by Israel demonstrated the potential of cyber-physical attacks.

Sea Change in Supply-Chain Focus

Port facilities are often overlooked, but critically important, especially as drivers of the economy. US port facilities handle about 40% of the value of all international freight, with the top 12 ports processing about 47 million twenty-foot equivalent units (TEUs) of cargo in 2023. Cyber-physical attacks on such facilities could significantly disrupt the US economy. Cybersecurity experts have already warned that China-linked cyber-espionage groups are compromising critical infrastructure systems at facilities — such as ports — in preparation for future conflicts.

Related:SCADA Market Is Set to Reach $18.7B by 2031

The long-term risks outweigh the short-term gains of purchasing inexpensive port equipment, the House Select Committee stated in its report.

"The evidence gathered during our joint investigation indicates that ZPMC could, if desired, serve as a Trojan horse capable of helping the CCP and the PRC military exploit and manipulate US maritime equipment and technology at their request," the lawmakers stated. "This vulnerability in our critical infrastructure has the potential to affect Americans from coast to coast."

While historically overlooked, maritime supply-chain security and cybersecurity has become an increasing issue. In February, the US Department of Transportation warned that port facilities' over-reliance on Chinese vendors allowed China's government to collect information on trade and could lead to potential compromises if Sino-American relations worsen.

Rough Seas for Cybersecurity

Attacks on ports and ships are not unheard of. In February, the US reportedly hacked an Iranian military ship aiding Houthi rebels in the Red Sea and disrupting communications. An Indian nation-state cyber-operations group attacked maritime facilities and ports around in the Indian Ocean and as far away as the Mediterranean Sea. And spoofing of GPS signals have enabled rogue nations to cause problems for freighters and other shipping near their shores.

Related:Remote Access Sprawl Strains Industrial OT Network Security

Because so much of the infrastructure has integrated communications connected to software controlling physical equipment, cybersecurity is a significant issue, says Ron Fabela, strategic advisor to ICS/OT security firm Xona.

"Everything is remotely accessible now," he says. "If you haven't been in the industry, you might think our super-critical stuff isn't accessible from the Internet, surely, right? And oftentimes, that is not the case."

Port operators are looking to buy inexpensive port equipment, such as cranes, but then rely on the manufacturer to provide service, which leads to remote communications and data collection. In addition, numerous vulnerabilities have been found in ZPMC equipment, but bug reports disappear and are never publicized, and likely never fixed. Given China's law that forces disclosure of vulnerabilities to the government, it's likely that those vulnerabilities are being used or are being stockpiled for use, says Phosphorus' Terrill.

"A known vulnerability that is not patched is a backdoor by any other definition," he says.

Protecting Untrusted Infrastructure

The House CCP Committee's report recommends that the Department of Homeland Security and US Coast Guard make recommendations to disable the cellular modems in the ZPMC cranes, install technology to monitor and ensure the security of the cranes during operation, and focus extra security measures on critical ports, such as the seaport in Guam — a resupply point for the US military in the Pacific Ocean — and those designated by the Department of Defense as critical.

Port operators, however, may push back on mandates to disable the cellular devices. Turning off the cellular modems will likely mean hobbling the maintenance of the cranes and other equipment, says Xona's Fabela.

"In critical infrastructure, what I've seen is the asset owner — the purchaser of this equipment — doesn't want to maintain it," he says. "They want to have someone on the hook, if something goes wrong ... they want to ensure that the OEM or the manufacturer is the one supporting it, and being that a lot of our heavy industry is still being manufactured outside of our borders, it becomes a difficult problem."

Instead, operators should treat digital access like physical access, he says. Any session should be tightly controlled and scheduled, keeping devices offline at all other times.

"We'll monitor, and we'll over-the-shoulder their access — this is how they do it with physical access," he says. "A vendor can't just walk into a port and walk around. You have to have a reason to be there, usually a job order; you have to have a background check; and someone will escort you. So just extending those best practices to the cyber domain is often all that's needed."

In the long term, the House CCP Committee's report recommends that the US Department of Commerce study whether building cranes is the United States is feasible, as well as ways to improve US manufacturing competitiveness.