Concerns Over Supply Chain Attacks on US Seaports Grow

Published : 23/11/2024   Category : security



US ports rely on cranes manufactured by a Chinese state-owned company, many with unmonitored cellular connections, causing cybersecurity concerns.



As the United States looks to shore up the cyber-resilience of its critical infrastructure, a congressional report has highlighted that the nation's maritime shipping and port operations rely too much on Chinese-made cranes and other systems whose software is often vulnerable and can be communicated with remotely.
Last week, the House of Representatives Select Committee on the Chinese Communist Party released a report on the potential threats to the US port infrastructure, revealing that 80% of the ship-to-shore (STS) cranes at US ports are manufactured by a single Chinese government-owned company, Shanghai Zhenhua Heavy Industries (ZPMC). While the committee did not turn up evidence that the company used its access maliciously, the firm failed to address software vulnerabilities and retained the ability to remotely access the cranes' systems via a cellular modem, often without explicit notification.
Even though the report does not find a smoking gun, the concerns are reasonable, says John Terrill, chief information security officer (CISO) at extended Internet-of-Things (IoT) security firm Phosphorus Cybersecurity.
"There could be legitimate purposes for [a cellular modem], but I think the general sentiment — because it's a Chinese-owned company — the [committee] is concerned that allowing access is setting up a ticking time bomb," he says. "If something happens geopolitically, the ports may, all of a sudden, not be able to operate the cranes."
The supply chains for critical economic sectors are attracting intense scrutiny from policymakers and security organizations. When Russia invaded Ukraine, the military targeted cyberattacks at infrastructure, such as satellite communications and nuclear power generation. The recent attacks on Lebanon-based Hezbollah militants — considered a terrorist organization by the US government — using pagers likely compromised through a supply-chain attack by Israel demonstrated the potential of cyber-physical attacks.
Port facilities are often overlooked, but critically important, especially as drivers of the economy. US port facilities handle about 40% of the value of all international freight, with the top 12 ports processing about 47 million twenty-foot equivalent units (TEUs) of cargo in 2023. Cyber-physical attacks on such facilities could significantly disrupt the US economy. Cybersecurity experts have already warned that China-linked cyber-espionage groups are compromising critical infrastructure systems at facilities — such as ports — in preparation for future conflicts.
The long-term risks outweigh the short-term gains of purchasing inexpensive port equipment, the House Select Committee stated in its report.
"The evidence gathered during our joint investigation indicates that ZPMC could, if desired, serve as a Trojan horse capable of helping the CCP and the PRC military exploit and manipulate US maritime equipment and technology at their request," the lawmakers stated. "This vulnerability in our critical infrastructure has the potential to affect Americans from coast to coast."
While historically overlooked, maritime supply-chain security and cybersecurity have become an increasing issue. In February, the US Department of Transportation warned that port facilities' over-reliance on Chinese vendors allowed China's government to collect information on trade and could lead to potential compromises if Sino-American relations worsen.
Attacks on ports and ships are not unheard of. In February, the US reportedly hacked an Iranian military ship aiding Houthi rebels in the Red Sea, disrupting communications. An Indian nation-state cyber-operations group attacked maritime facilities and ports around the Indian Ocean and as far away as the Mediterranean Sea. And spoofing of GPS signals has enabled rogue nations to cause problems for freighters and other shipping near their shores.
Because so much of the infrastructure has integrated communications connected to software controlling physical equipment, cybersecurity is a significant issue, says Ron Fabela, strategic advisor to ICS/OT security firm Xona.
"Everything is remotely accessible now," he says. "If you haven't been in the industry, you might think our super-critical stuff isn't accessible from the Internet, surely, right? And oftentimes, that is not the case."
Port operators are looking to buy inexpensive port equipment, such as cranes, but then rely on the manufacturer to provide service, which leads to remote communications and data collection. In addition, numerous vulnerabilities have been found in ZPMC equipment, but bug reports disappear and are never publicized, and likely never fixed. Given China's law that forces disclosure of vulnerabilities to the government, it's likely that those vulnerabilities are being used or are being stockpiled for use, says Phosphorus' Terrill.
"A known vulnerability that is not patched is a backdoor by any other definition," he says.
The House CCP Committee's report recommends that the Department of Homeland Security and US Coast Guard make recommendations to disable the cellular modems in the ZPMC cranes, install technology to monitor and ensure the security of the cranes during operation, and focus extra security measures on critical ports, such as the seaport in Guam — a resupply point for the US military in the Pacific Ocean — and those designated by the Department of Defense as critical.
Port operators, however, may push back on mandates to disable the cellular devices. Turning off the cellular modems will likely mean hobbling the maintenance of the cranes and other equipment, says Xona's Fabela.
"In critical infrastructure, what I've seen is the asset owner — the purchaser of this equipment — doesn't want to maintain it," he says. "They want to have someone on the hook, if something goes wrong ... they want to ensure that the OEM or the manufacturer is the one supporting it, and being that a lot of our heavy industry is still being manufactured outside of our borders, it becomes a difficult problem."
Instead, operators should treat digital access like physical access, he says. Any session should be tightly controlled and scheduled, keeping devices offline at all other times.
"We'll monitor, and we'll over-the-shoulder their access — this is how they do it with physical access," he says. "A vendor can't just walk into a port and walk around. You have to have a reason to be there, usually a job order; you have to have a background check; and someone will escort you. So just extending those best practices to the cyber domain is often all that's needed."
In the long term, the House CCP Committee's report recommends that the US Department of Commerce study whether building cranes in the United States is feasible, as well as ways to improve US manufacturing competitiveness.
