Concerns over supply-chain attacks on U.S. seaports grow

As the United States looks to shore up the cyber-resilience of its critical infrastructure, a congressional report has highlighted that the nation’s maritime shipping and port operations rely too much on Chinese-made cranes and other systems whose software is often vulnerable and can be communicated with remotely.

Last week, the House of Representatives’ Select Committee on the Chinese Communist Party released a report on the potential threats to the US port infrastructure, revealing that 80% of the ship-to-shore (STS) cranes at US ports are manufactured by a single Chinese government-owned company, Shanghai Zhenhua Heavy Industries (ZPMC). While the committee did not turn up evidence that the company used its access maliciously, the firm failed to address software vulnerabilities and retained the ability to remotely access the crane’s systems via a cellular modem, often without explicit notification.

Even though the report does not find a smoking gun, the concerns are reasonable, says John Terrill, chief information security officer (CISO) at extended Internet-of-Things (IoT) security firm Phosphorus Cybersecurity.

“There could be legitimate purposes for [a cellular modem], but I think the general sentiment — because it’s a Chinese-owned company — the [committee] is concerned that allowing access is setting up a ticking time bomb,” he says. “If something happens geopolitically, the ports may, all of a sudden, not be able to operate the cranes.”

The supply chains for critical economic sectors are attracting intense scrutiny from policymakers and security organizations. When Russia invaded Ukraine, the military targeted cyberattacks at infrastructure, such as satellite communications and nuclear power generation. The recent attacks on Lebanon-based Hezbollah militants — considered a terrorist organization by the US government — using pagers likely compromised through a supply-chain attack by Israel demonstrated the potential of cyber-physical attacks.

Sea Change in Supply-Chain Focus

Port facilities are often overlooked, but critically important, especially as drivers of the economy. US port facilities handle about 40% of the value of all international freight, with the top 12 ports processing about 47 million twenty-foot equivalent units (TEUs) of cargo in 2023. Cyber-physical attacks on such facilities could significantly disrupt the US economy. Cybersecurity experts have already warned that China-linked cyber-espionage groups are compromising critical infrastructure systems at facilities — such as ports — in preparation for future conflicts.

The long-term risks outweigh the short-term gains of purchasing inexpensive port equipment, the House Select Committee stated in its report.

“The evidence gathered during our joint investigation indicates that ZPMC could, if desired, serve as a Trojan horse capable of helping the CCP and the PRC military exploit and manipulate US maritime equipment and technology at their request,” the lawmakers stated. “This vulnerability in our critical infrastructure has the potential to affect Americans from coast to coast.”

While historically overlooked, maritime supply-chain security and cybersecurity has become an increasing issue. In February, the US Department of Transportation warned that port facilities’ over-reliance on Chinese vendors allowed China’s government to collect information on trade and could lead to potential compromises if Sino-American relations worsen.

To read the complete article, visit Dark Reading.