
Episode 2: Cyber Cranes

Scotch and Security

In this episode I chat about the recent White House announcement around foreign-manufactured quay cranes, the risks they pose, and how the specific guidance can be applied in a non-maritime environment.

Transcript

Introduction & Episode Title

00:00:01
Speaker
Welcome to the Scotch and Security Podcast with me, your host, Matt Egan. Today is March 25th, 2024, and today's episode is titled, Cyber Cranes.
00:00:29
Speaker
All right, so first of all, you may have noticed that I created a little bit of a lead-in for this podcast. What I read and heard was apparently to be a real podcaster, you need to actually have music and a lead-in and descriptions. So we're going to give that a shot. Is it going to stay the same? No, probably not. I will probably change it. Even listening to it now, I really don't like it. But anyway, we'll see what happens. Hopefully this will make this at least slightly more interesting.
00:00:56
Speaker
You'll also notice that I decided to give this episode a title, kind of in keeping with one of my favorite TV shows, The Streets of San Francisco. If you've never seen it, please go out and watch it. It's one of the greatest television detective shows ever made.
00:01:11
Speaker
But it also had some fairly interesting, I guess, titles to their shows, like The Frog in the Milk. It's just one of the episodes that's always stuck in my head.

US Maritime Cybersecurity Announcement

00:01:21
Speaker
But today we're going to be talking about what I'm calling cyber cranes, or the relatively recent, last month, announcement by the White House about bolstering US maritime cybersecurity and onshoring
00:01:36
Speaker
what are called quay cranes or ship-to-shore cranes into the United States. The reason I wanted to talk about this one a little bit is it's an interesting intersection in my own personal history. For those who don't know me, and it's not surprising that you don't because this is after all only the second episode, but before I worked for my present employer for the last 10 years, for the 10 years prior to that,
00:01:59
Speaker
I actually worked in the maritime shipping industry. I wrote software to handle cargo and gate operations at shipping terminals, also managed
00:02:10
Speaker
the infrastructure, technical computer systems, et cetera, at a number of ports. My software actually was in ports here in the United States as well as around the world. So it was just an interesting thing from a cybersecurity and maritime industry background in history that tickled my fancy a little bit. So I figured we'd talk about it and unpack it a little bit.

Executive Order on Cybersecurity

00:02:35
Speaker
So the issue, the announcement rather that was made by the White House back on February 21st was an executive order that actually expanded the capabilities as well as the oversight that the Coast Guard could give to the cybersecurity at the different shipping ports here in the United States. Specifically, it grants additional capabilities around
00:03:05
Speaker
managing cybersecurity risk, reporting, et cetera. And the other part of it, which was the $20 billion over the next five years, $20 billion announcement to reshore the manufacturing of ship-to-shore cranes or quay cranes here in the United States. Now,
00:03:26
Speaker
what's interesting about that is if you don't know the maritime industry, you may first of all be asking, what the heck is a quay crane? A quay crane, spelled Q-U-A-Y (it's not pronounced the way it's spelled), is the crane or the device that is actually responsible for picking up and putting down containers at the maritime ports.

Role and Risks of Quay Cranes

00:03:48
Speaker
It is responsible for the loading and unloading of the vessel.
00:03:51
Speaker
And basically, there are these big, well, cranes that operate at the ports. If you live in any sort of maritime adjacent area, I think that's the phrase I'm going to go with, anywhere where there's a shipping port, you are probably familiar with seeing these here in the San Francisco Bay Area. If you know Oakland, there is the Port of Oakland that has all of their shipping cranes. If you go to Los Angeles, you'll see them all there, New Orleans, New York,
00:04:18
Speaker
anywhere really where there is a major maritime port, you're going to see a quay crane, maybe not even in the major ones. And what these things are is these massive metal structures that have the capability to load and unload vessels.
00:04:38
Speaker
Now, what's interesting about them is that according to sources in Congress and the US, et cetera, 80% of the cranes in use in the United States are manufactured by one company, which is ZPMC, which is a company out of China. Now, ZPMC has been doing this for years and years and years making these cranes. They also are a major fabricator of other things.
00:05:06
Speaker
Like, for example, here in San Francisco Bay Area, if you know the Oakland Bay Bridge, the new section of the Bay Bridge was fabricated in part, at least, by ZPMC. So they are a major manufacturer of these metal cranes as well as other large structures.
00:05:25
Speaker
Where the concern comes isn't necessarily from the structures themselves, from the physical cranes, but from the digital and cyber components that are installed on these cranes, as well as some of the software that may be getting installed on these cranes as well. It appears that the concerns are that these cranes themselves may either have security vulnerabilities inherently in them or may have
00:05:55
Speaker
unpatched vulnerabilities or unexpected entry points into the network or into the system from these cranes themselves. Now, you may ask, why are you being so wishy-washy on what the actual risk is? Well, because I don't really know what the actual risk is.
00:06:15
Speaker
There was also, on February 21st, an issuance of a maritime security or MARSEC directive, specifically 105-4, which is titled Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People's Republic of China Companies.
00:06:31
Speaker
This was issued by the Coast Guard, and basically it gives cyber risk management actions for owners or operators of ship-to-shore (STS) cranes manufactured by People's Republic of China companies, and it contains security-sensitive information. And so because of that, it is not made available to the general public.
00:06:53
Speaker
I did reach out to the Coast Guard to see if they could share anything around this or if they could make a statement. Unsurprisingly, they didn't respond to me. I'm hoping that it was just that my email got lost, but it's probably more so that, hey, who is this guy that has a single-episode podcast, and I don't think we want to share SSI information with him necessarily.
00:07:15
Speaker
But there were other announcements at the same time or roughly the same time that provided some generalized guidance. And there was also a House committee investigation that was done on the 29th of February that might give us a little bit more information and a little bit more understanding. We'll start off with the House statement because I think that's kind of the
00:07:44
Speaker
one that shows us a little bit more information there. So back on the 29th, the House Homeland Security Subcommittee on Transportation and Maritime Security, the chairman of that is Carlos Giménez, and he
00:08:02
Speaker
spoke about the risks associated with these cranes and that the systems themselves could potentially be compromised, et cetera. He doesn't really call out any particular component of it, but he does call out
00:08:21
Speaker
different pieces of software, as well as the crane drives, the motors. And he specifically states that in most cases, ZPMC, the manufacturer, requires that these companies ship their components to the PRC, People's Republic of China, where they can be installed by ZPMC engineers or technicians.
00:08:41
Speaker
I think that's really where the concern comes about here, is that by having the manufacturer installing these crane control software systems and other hardware, that it could potentially lead to a higher risk. Now, the announcement from the Maritime Administration or MARAD actually gives some guidance to
00:09:06
Speaker
people that might be interested in protecting their environments, and the guidance that they give is, granted, somewhat generic in nature. But there's nothing there that I wouldn't actually recommend to anybody trying to protect their own networks,
00:09:21
Speaker
whether or not you have a quay crane in your network, because they're really just good general common sense cybersecurity things. For example, be wary of untrusted network traffic and treat all traffic transiting their networks, especially third-party traffic, as untrusted until it is validated as legitimate.
00:09:43
Speaker
That, by the way, is a quote from the MARAD 2024-002, Worldwide Foreign Adversarial Technological, Physical, and Cyber Influence, announcement that they made.

General Port Cybersecurity Practices

00:09:55
Speaker
And the rest of this document goes on to talk about improving segmentation between the crane and other port systems, utilizing secure file transfers, providing dedicated remote access systems and processes for crane devices, which utilize and enforce multi-factor authentication.
00:10:12
Speaker
All of these, again, so far make perfect sense and perfect recommendations as to how you should be treating an untrusted or unknown system in your environment. To put that in terms that are not maritime security related, let's think about a restaurant, right? If I have a restaurant and I provide, say, free Wi-Fi to my customers,
00:10:36
Speaker
And then I have a network in the back of house that is handling all of my order taking, my inventory, my payroll, my bookkeeping, et cetera. I wouldn't want those two to mix, right? It shouldn't be that if somebody's in the front of house sipping a latte, that they could also be sipping data from my database on the same network. So what we do is we segment those networks away from each other and these can either be full
00:11:00
Speaker
network segmentation, meaning that they have no interconnectivity to each other, completely separate routers, completely separate switches, completely separate connections to the internet, and that way the two can never talk.
00:11:12
Speaker
Or it could be done on something called a VLAN, which is a virtual LAN, where there is a software and somewhat hardware-based separation of those signals so that the two can't talk to each other. As far as the front-of-house system and the free Wi-Fi is concerned, there is no back-of-house system. All they can see is out to the internet so they can go on to Instagram or any of those things and take photos of your food and advertise it for you online.
00:11:40
Speaker
The segmentation of those networks is critical. You really want to make sure that the two can't talk to each other. You also want to make sure that the systems that you're installing in your back-of-house environment are known and trusted,
00:11:56
Speaker
that you know where they came from, that you know what they can do, and that you are not just trusting that they are correct, right? You wouldn't let somebody just walk into the back of house and just put a piece of hardware into your environment without asking at least the question of, hey, what is that? And what do you think you're doing here? And please stop stealing my French fries.
00:12:19
Speaker
Everything that the MARAD announcement has is pretty logical. It's all that same sort of basic integrity and security and segmentation information that I wouldn't give anybody else. Now, in the worst case in these scenarios, what people are talking about these cranes being able to do
00:12:40
Speaker
is I've seen a lot of things in the news throwing around things like intelligence gathering or being used to attack or gather signals, et cetera. I don't know how true that would be. I mean, is it possible that you could potentially use that crane as a signals gathering platform? I mean, sure, you could do that with anything really, as long as it had some sort of connectivity or
00:13:03
Speaker
visibility to other systems and solutions and networks around them. But I think the bigger concern is that it could be used to potentially disable those cranes remotely.

Intelligence Risks and Software Concerns

00:13:15
Speaker
If you have, for example, unexpected hardware on these cranes, or there are vulnerabilities with potentially backdoors on these cranes, those could get exploited by a malicious actor
00:13:27
Speaker
to either damage the crane itself and shut it down or cause a disruption at the port and shut it down, which would then have a negative impact on us. As we all recall from the pandemic, supply chain issues cause all sorts of problems. If we can't get the things shipped into us that we're expecting, that creates problems for manufacturers, creates problems for retail,
00:13:52
Speaker
creates problems in the healthcare space, especially when we're thinking about maritime traffic because a lot of people don't realize that 95-ish percent of the cargo that comes in and out of the United States comes in via boats and ships. Thus, it is critical to be able to keep those ports up and running and operating as efficiently and securely as possible.
00:14:15
Speaker
Basically, this White House announcement, this change in cybersecurity procedures, this giving the Coast Guard authority over the cybersecurity operations of the ports, etc., is bolstering that port security and making sure that we keep them online and up and running.
00:14:33
Speaker
I think that there are some other components that are called out that are also very interesting beyond the cranes themselves. There is a reference, for example, in the MARAD announcement to a management logistics piece of software called LOGINK, where, doing some research into that, it appears to be a very large logistics platform.
00:14:58
Speaker
And there was a research piece that was done by Rice University, their Baker Institute for Public Policy, back in 2023, April of 2023 specifically, titled China's LOGINK Logistics Platform and Its Strategic Potential for Economic, Political, and Military Power Projection. It is a very long read, but basically describes how LOGINK grew from being a small
00:15:25
Speaker
regional information platform, sharing information about logistics data for trucking and ships, et cetera, and has now grown into effectively this sort of global system. Why is it important or why should we be concerned about that? Well,
00:15:43
Speaker
Basically, it has visibility into what containers are going where, what ships are going where, and that sort of information can tell you an awful lot about what's happening. There was actually a House decision back in 2023 as well that forbade
00:16:03
Speaker
the DOD from using any port that actually had this LOGINK software in it. Because if you think about it, if you know that the DOD is loading a container ship up and sending it down to Antarctica, that something might be going on in Antarctica, and that may not be something you want others to know about. So keeping that information secure, or at least as secure as you can, is beneficial.
00:16:30
Speaker
The other concern that was raised in the MARAD notification was specifically around another PRC entity that is manufacturing programmable logic controllers,
00:16:45
Speaker
inspection systems, et cetera, and how that could actually have an impact as well. And so it's very interesting, I think, that these other pieces of software and hardware and systems are also part of this announcement. But really, they're not the ones that were picked up by the media, probably because of that onshoring of the manufacturing capability.

Benefits of Onshoring Crane Manufacturing

00:17:12
Speaker
The US hasn't actually manufactured ship to shore cranes since I think the 80s or the 90s. So bringing that capability back on shore, well, it's not going to eliminate all vulnerabilities because let's be honest, all software, all systems have vulnerabilities.
00:17:30
Speaker
But it will at least make it so that you don't have to ship your software, your systems, your controllers over to another country and have those installed onto those systems. So overall, I think it's going to be a good thing probably for maritime security, not just in that
00:17:50
Speaker
the onshoring, but I think the renewed attention to cybersecurity practices, putting into place more of those basic controls, putting into place more responsibility for those controls, more reporting is going to make it better and more robust overall. And then bringing things onshore, I think is good for the industry as a whole. It gives more manufacturing capability to the United States so that if
00:18:19
Speaker
anything were to happen or come up around the world, we're not reliant on some of these key pieces of infrastructure being manufactured outside of our control. Anyway, hopefully you found this interesting. I mean, I found it interesting and I find the entirety of the subject to be rather interesting, but let me know if you didn't find it interesting or if you did, if you have something that I got wrong, because let's be honest, I probably got something wrong somewhere inside of there.
00:18:45
Speaker
I had an earlier version of this podcast where I actually started describing the actual quay cranes themselves and sort of how they worked with regards to the spreaders and the buckles and how everything got connected and hoisted and all the equipment on the systems, including things like, you know,
00:19:01
Speaker
optical character recognition that can read the containers and tell you which ones are correctly loaded and how those work into the sale plans of the actual vessels so that you know that the vessel was properly balanced and loaded. And I realized that one, I was probably going to bore everybody to tears with that one. And two, I was probably going to get something wrong because it has been
00:19:20
Speaker
10 years at least since I've had to think about any of those systems. But if you have any experience, background, history in maritime, or if you just want to talk about it, let me know. Drop me a line and we can chat about it and maybe have you on the show and you can tell me all the places I got wrong or the places I got right.
00:19:37
Speaker
Anyway, as always, thanks for listening. I really do appreciate you taking the time out of your busy life to listen to a guy sit here and talk about quay cranes, but hopefully you're having yourself a great time, and stay safe out there.