
Cyberthreats Built Right into Your OT Environment

Understanding OT security and supply chain.


In March 2024, the U.S. government sent a letter to Shanghai Zhenhua Heavy Industries (ZPMC), a China-based manufacturer with close ties to the Chinese Communist Party (CCP), demanding answers about cellular modems discovered on Chinese-built cranes deployed in U.S. seaports. The modems were installed during manufacturing but were not part of the equipment contract and offered no functional benefit to the ports that purchased the cranes.

In some cases, the modems were connected to the crane’s operating control system. Officials believe these could have been used to spy on ports, disrupt port operations, and interfere with a U.S. economy that is highly reliant on moving goods through its ports. 

This case highlights the growing concern critical infrastructure sites and manufacturers have about vulnerabilities in their supply chain.

Whether it’s machinery with components that are no longer supported or modern machinery with components that were compromised before they were even shipped, supply chain security is a serious concern for operational technology (OT) and one that must be addressed immediately.

Length and Depth of an OT Supply Chain

To better understand the security issue facing OT facilities, it's instructive to think about cars: they have multiple systems that all interact with one another, including the steering system, the engine, brakes, and infotainment system. 

Each system has multiple components, which are built by various manufacturers based on the automaker’s specs, and shipped to the automaker's assembly plant. Once there, the automaker runs the parts through its assembly line and builds the car. 

If any of those components have been compromised, or if any have security vulnerabilities, it could put the car and its passengers at risk. Threat actors might find it easier to introduce a backdoor into the infotainment operating system. Upon gaining initial access, they can move laterally across car networks to take control of the engine, brakes, or steering with potentially dire consequences.

OT sites are even more complex than automobiles: they manage numerous interconnected systems comprising many components. Unlike a car, which can be taken off the road temporarily to upgrade its firmware or replace a component, many OT sites run 24x7 with limited maintenance windows. Patches may need to wait for weeks or even months before they can be implemented, during which time the network is vulnerable to attack. In addition, plants and ports often run legacy machinery that was deployed decades ago and remains in operation because it still does the job, but that lacks adequate defences against cybersecurity threats.

Securing the OT Supply Chain

Unsecured supply chains represent a critical vulnerability for facilities, jeopardising their integrity, reliability, and safety, as well as the security of their products. A compromised facility could face a range of devastating consequences, including intellectual property theft and product counterfeiting, crippling ransomware attacks costing millions of dollars, and even physical destruction that puts worker safety at risk.

There are a number of steps organisations must take to protect themselves from cybersecurity threats from their supply chains. Begin with mapping all assets within the facility. This map should be made via a comprehensive, automated process that also visualises the connections and communications between assets. Note which assets run especially vulnerable legacy operating systems and consider ways to segment or cloak them so they can’t be used as gateways into the rest of the OT environment.
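The checks an asset map makes possible, shown as an added example that is not from the original article or any vendor tool. The asset names, zones, the `declared` flag (whether a device appears in the equipment contract), the legacy OS list and the allowed zone-to-zone conduits are all constructed assumptions for illustration.

```python
# Constructed inventory: every name, OS label and zone below is illustrative.
LEGACY_OS = {"Windows XP", "Windows 7", "Windows Server 2003"}  # site-defined assumption

ASSETS = {
    "crane-plc-01": {"zone": "control", "os": "vendor-rtos", "declared": True},
    "hmi-03":       {"zone": "control", "os": "Windows XP", "declared": True},
    "historian-01": {"zone": "dmz", "os": "Windows Server 2019", "declared": True},
    "eng-ws-02":    {"zone": "it", "os": "Windows 11", "declared": True},
    "modem-7f":     {"zone": "control", "os": "unknown", "declared": False},
}

# (source, destination) pairs as seen by passive network monitoring (constructed).
FLOWS = [
    ("hmi-03", "crane-plc-01"),
    ("hmi-03", "eng-ws-02"),
    ("historian-01", "crane-plc-01"),
    ("modem-7f", "crane-plc-01"),
    ("modem-7f", "external"),
]

# Zone pairs the site's segmentation policy permits (assumption).
ALLOWED_CONDUITS = {("control", "control"), ("dmz", "control"), ("it", "dmz")}

def zone_of(assets, name):
    """Zone of a known asset; anything outside the inventory is 'external'."""
    return assets[name]["zone"] if name in assets else "external"

def undeclared_assets(assets):
    """Devices found on the network that are not in the equipment contract."""
    return sorted(n for n, a in assets.items() if not a["declared"])

def conduit_violations(assets, flows, allowed):
    """Flows whose (source zone, destination zone) pair is not permitted."""
    return [(s, d) for s, d in flows
            if (zone_of(assets, s), zone_of(assets, d)) not in allowed]

def legacy_gateways(assets, flows, legacy_os):
    """Legacy-OS assets that take part in any cross-zone flow."""
    hits = set()
    for src, dst in flows:
        if zone_of(assets, src) == zone_of(assets, dst):
            continue
        hits.update(n for n in (src, dst)
                    if n in assets and assets[n]["os"] in legacy_os)
    return sorted(hits)

if __name__ == "__main__":
    print("Undeclared:", undeclared_assets(ASSETS))
    print("Conduit violations:", conduit_violations(ASSETS, FLOWS, ALLOWED_CONDUITS))
    print("Legacy gateways:", legacy_gateways(ASSETS, FLOWS, LEGACY_OS))
```

On this sample data the undeclared modem and its outbound flow surface together, and the legacy HMI is flagged as a candidate for segmentation because it reaches outside its own zone.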

Regular risk assessments help identify vulnerabilities in the supply chain and their risks to business processes. Continuous monitoring of networks, assets, and communications can detect anomalous behaviour and flag potential threats. Operators should update operating systems, firmware, and software as soon as patches become available since exploitation of unpatched vulnerabilities is a favourite tactic of threat actors. 

Adhering to cybersecurity standards like IEC 62443 helps secure the OT supply chain by providing a structured and comprehensive framework that addresses cybersecurity across the entire lifecycle of OT systems. Its strict requirements for suppliers ensure they implement robust security practices during product development and maintenance.

Additionally, IEC 62443 emphasises incident response, continuous monitoring, and collaboration among all stakeholders in the supply chain.

Perhaps most importantly, operators must vet their vendors’ cybersecurity practices. Those who fail to meet standards should be avoided at all costs. Be sure to maintain communication channels with vendors to keep track of vulnerabilities and patches as they are made available.

The Road to OT Supply Chain Security 

OT environments are attractive targets to nation-state threat actors and sophisticated hacker syndicates. Adequate defence requires constant vigilance supported by automated tools capable of detecting even slight variances in operational behaviour.

New regulations, including NIS2 in the EU, recognise the importance of securing these facilities and demand stronger countermeasures against existing and future threats.

OT cybersecurity doesn’t happen overnight; it requires a long-term commitment. With the right effort in place, organisations can maximise the security posture of their facilities as they minimise the risk of supply chain attacks.


Ilan Barda, Founder and CEO, Radiflow