
From Shanghai to the Shore: The Silent Threat in Global Shipping

DEFCONConference · 235 views · 20:47 · 6 months ago

This presentation analyzes the cybersecurity risks associated with ship-to-shore (STS) cranes manufactured by Chinese state-owned enterprises, focusing on potential supply chain vulnerabilities. The speakers detail the logical network architecture of these cranes, highlighting the use of legacy protocols like Telnet and the presence of unauthorized cellular modems. The talk provides actionable security recommendations for port operators, including network segmentation and rigorous contract scrutiny to mitigate potential remote access and espionage threats.

Why Your Next Pentest Should Include Ship-to-Shore Cranes

TLDR: Ship-to-shore (STS) cranes manufactured by state-owned enterprises often contain undocumented cellular modems and rely on insecure legacy protocols like Telnet. These devices frequently lack proper network segmentation, creating a direct path from the public internet or third-party maintenance networks into critical operational technology. Security researchers and pentesters should prioritize identifying these hidden hardware backdoors and testing the logical isolation between IT and OT segments during port assessments.

Global supply chains rely on massive, automated infrastructure that most security professionals never touch. Ship-to-shore (STS) cranes are the backbone of international trade, moving over 70% of the world’s non-bulk cargo. Recent research presented at DEF CON 2025 highlights a critical reality for anyone performing assessments on critical infrastructure: these cranes are not just mechanical giants; they are complex, networked endpoints that often run outdated software and carry hidden hardware.

The Hidden Attack Surface of STS Cranes

The primary risk identified in this research is the presence of unauthorized or undocumented cellular modems installed directly on the cranes. These modems often bypass standard enterprise security controls, such as firewalls and access management systems, by providing a direct, persistent remote access channel for the manufacturer. For a pentester, this is a classic broken access control scenario. If you are conducting an assessment at a port, your scope should explicitly include identifying these cellular devices, which are often physically located on the crane's spreader or elevator.

These cranes also rely heavily on PROFINET, an industrial Ethernet protocol that lacks native encryption. Because PROFINET traffic is often unauthenticated, an attacker with access to the crane's local network can inject traffic to manipulate the programmable logic controllers (PLCs) that govern crane movement. The research demonstrates that these networks are frequently "chatty," with various OT devices constantly sending traffic to a primary PLC. If you can gain a foothold on the IT side of the network, you can often pivot into these OT subnets if the segmentation is not strictly enforced.

Technical Realities of Crane Networks

When analyzing these environments, you will likely encounter a mix of legacy and modern technology. It is not uncommon to find Windows Server 2003 or Windows XP systems still running in production, often because they are tied to proprietary software that cannot be updated. These systems are prime targets for exploitation of public-facing applications (MITRE ATT&CK T1190) or, if credentials are leaked, for abuse of valid accounts (T1078).

During a recent engagement, researchers found that shared administrative credentials were being used across multiple cranes and by third-party maintenance contractors. These credentials were often stored in plain text on sticky notes or within easily accessible configuration files. If you are performing a red team engagement, look for these shared accounts. They are the path of least resistance for lateral movement.

To capture and analyze this traffic, you need to be comfortable with Wireshark. PROFINET real-time and DCP frames run directly over Ethernet (EtherType 0x8892) rather than over IP, so IP-centric network monitoring tools might miss them. Capture on the raw Ethernet interface so that Layer 2 traffic is kept, then narrow it down with Wireshark display filters like these:

# Display filter for PROFINET DCP (Discovery and Configuration Protocol)
pn_dcp

# Display filter for PROFINET cyclic real-time IO data
pn_rt

The lack of IP in the PROFINET stack means that traditional network security appliances often ignore this traffic, leaving it completely unmonitored. If you can mirror a port on a managed switch within the crane's network, you can ingest this data into a SIEM or a dedicated OT monitoring tool to visualize the communication patterns.
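As an added defender-side example (not code from the talk or from this page), the following Python walks raw Ethernet frames, picks out PROFINET traffic by its EtherType 0x8892, classifies the FrameID, counts which device talks to which class of traffic, and raises alerts for talkers missing from a device inventory or for DCP Get/Set frames (FrameID 0xFEFD) sent by anything other than an engineering station. All MAC addresses and frames are constructed; the FrameID ranges used are the cyclic RT_CLASS_1 range (0x8000 to 0xBFFF) and the DCP range (0xFEFC to 0xFEFF).

```python
import struct
from collections import Counter

PROFINET_ETHERTYPE = 0x8892  # PROFINET RT/DCP ride directly on Ethernet, no IP header
VLAN_ETHERTYPE = 0x8100

def parse_frame(raw: bytes):
    """Return (src_mac, frame_id) for a PROFINET frame, or None for anything else."""
    if len(raw) < 16:
        return None
    src, ethertype, offset = raw[6:12], struct.unpack("!H", raw[12:14])[0], 14
    if ethertype == VLAN_ETHERTYPE and len(raw) >= 20:  # skip an 802.1Q VLAN tag
        ethertype, offset = struct.unpack("!H", raw[16:18])[0], 18
    if ethertype != PROFINET_ETHERTYPE:
        return None
    return src.hex(":"), struct.unpack("!H", raw[offset:offset + 2])[0]

def classify(frame_id: int) -> str:  # coarse FrameID classes: cyclic IO data and DCP
    if 0x8000 <= frame_id <= 0xBFFF:
        return "RT_CLASS_1 cyclic IO"
    if 0xFEFC <= frame_id <= 0xFEFF:
        return "DCP"
    return "other"

def audit(frames, known_devices, engineering_stations):
    """Count (talker, class) pairs; alert on unknown MACs and DCP Get/Set from odd sources."""
    talkers, alerts = Counter(), []
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:  # IP or other non-PROFINET traffic is out of scope here
            continue
        src, frame_id = parsed
        talkers[(src, classify(frame_id))] += 1
        if src not in known_devices:
            alerts.append(f"unknown PROFINET talker {src} (FrameID 0x{frame_id:04x})")
        if frame_id == 0xFEFD and src not in engineering_stations:  # DCP Get/Set FrameID
            alerts.append(f"DCP Get/Set from {src}, which is not an engineering station")
    return talkers, alerts

def build_frame(src, dst, frame_id, ethertype=PROFINET_ETHERTYPE):  # constructed test frame
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!HH", ethertype, frame_id) + bytes(40)

# Constructed inventory (hypothetical MACs): PLC, spreader IO device, engineering station, rogue host
PLC, SPREADER, ENG, ROGUE = "00:1b:1b:00:00:01", "00:1b:1b:00:00:02", "00:1b:1b:00:00:10", "de:ad:be:ef:00:01"
KNOWN = {PLC, SPREADER, ENG}
SAMPLE_FRAMES = [build_frame(SPREADER, PLC, 0x8001), build_frame(SPREADER, PLC, 0x8001),
                 build_frame(PLC, SPREADER, 0x8002), build_frame(ENG, SPREADER, 0xFEFD),
                 build_frame(ROGUE, SPREADER, 0xFEFD), build_frame(ROGUE, PLC, 0x0800, 0x0800)]
print(*audit(SAMPLE_FRAMES, KNOWN, {ENG}), sep="\n")
```

In a real deployment the frame list would come from a mirrored switch port (for example via a pcap reader) and the inventory from the crane's as-built documentation; the same two checks then feed a SIEM as "new OT talker" and "unexpected DCP configuration" events.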

Assessing Port Infrastructure

When you are on-site, your engagement should focus on the logical architecture. Map the connections between the industrial router, the primary PLC, and the managed switches. If you find that the IT network has a direct route to the OT network without a robust industrial firewall in between, that is a critical finding.

The impact of exploiting these vulnerabilities is significant. While the research has not yet seen active, malicious cyber activity on physical cranes, the potential for physical disruption is high. An attacker could manipulate the crane's safe operating parameters, causing it to become inoperable or, in a worst-case scenario, causing physical damage to containers and cargo.

Mitigating the Risk

Defenders must treat these cranes as untrusted endpoints. The most effective mitigation is strict network segmentation. Ensure that the crane's OT network is physically or logically isolated from the IT network. If remote access is required for maintenance, it should be brokered through a secure, audited jump host with multi-factor authentication, rather than relying on manufacturer-installed cellular modems.

Furthermore, contract language is a security control. When procuring new equipment, mandate that the vendor provides full visibility into all hardware components, including cellular modems, and explicitly prohibit undocumented remote access channels. If you are a security researcher, keep digging into these industrial protocols. The gap between IT security and OT reality is where the most interesting research is happening right now. Don't just look for the low-hanging fruit in the web application; look at the hardware that keeps the world moving.

Talk Type: research presentation
Difficulty: intermediate
Category: IoT security
Tags: Has Demo, Has Code, Tool Released


DEF CON 33 Main Stage Talks

98 talks · 2025