Industrial Crane Manufacturer Secures Remote Access
Customer
The customer is a global industrial crane manufacturer and services provider with operations in major ports for loading and unloading containers using automation.
Customer's security and operational concerns
Production disruptions: Remote-operated cranes are exposed to cyberattacks whether or not they are directly connected to the internet. An attacker with access to a crane could disrupt port operations, cause physical accidents, or endanger the safety of the harbor workforce.
Industrial espionage: Ungoverned access to port operations could allow optimization, diagnostics or other data to be stolen from the cranes.
Regulatory violations: With the arrival of the Network and Information Security 2 (NIS2) Directive, poorly secured ports are subject to substantial fines.
Customer challenge: Complex access management, incomplete control
The customer had segmented its networks and was running a private 5G port network with basic access control to the port network itself. However, with this setup:
The customer was not able to limit access even per maritime facility: a technician working in Asia could reach ports in Europe, and vice versa.
There was a general lack of oversight of remote access to ports (who did what, when and with what rights). Tracking and identification of internal employee and third-party access was limited.
Once a technician was inside the network, they had access to many cranes. Restricting privileges to the minimum needed for the task at hand was hard to configure, and the available controls were limited.
The customer had multiple point solutions in use for access, and access credentials were insufficiently managed.
PrivX OT deployment in the customer environment
The customer decided to radically simplify its access management environment by replacing the point-solution approach it had implemented earlier. Instead of a separate VPN tunnel per access path, it centralized management under one Digital Gatekeeper, PrivX OT.
- PrivX was integrated with multiple IAM systems and Active Directory domains so that every session is always linked from an identity to a role.
- Both employees and vendor technicians log in to a VPN service, which opens access only to a VPN gateway zone behind a firewall.
- From there, PrivX restricts access to the minimum needed to get the job done.
- PrivX offers multiple authentication methods, including:
  - AD/LDAP user & password
  - Local user & password
  - OpenID Connect
  - MFA (TOTP & biometric)
  - Passkeys / FIDO2
  - TLS client certificate
  - SSH public key
  - External JSON Web Token
  - PrivX Authorizer
- After authentication, PrivX automatically maps the identity to the right role for access.
- PrivX stores and rotates the credentials needed for access or enables passwordless access. Credentials are vaulted and rotated after use, or in the case of passwordless access, the user never even sees or handles any credentials.
- The user (maintenance engineer, vendor engineer, ship technician, etc.) only sees a list of available targets based on the role – and nothing else.
- The user selects the target from the list and gets access to it. The target can be a single application, gauge, or crane operation module, depending on the task at hand. The actions the user is allowed to perform can be restricted as necessary, from read-only to full access.
- Through AWS Direct Connect, the traffic is routed to the cloud-hosted PrivX instance best suited for the connection, based on load and location.
- All sessions produce an audit trail. For the most important connections, session recording or live monitoring is available. It is also possible to require external authorization by the site admin for critical sessions.
- After the session is over, offboarding is automatic. Every session is authorized afresh each time it is established, in a just-in-time (JIT) fashion, in line with the Zero Trust model.
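The flow above (directory group to role, role to a region- and action-restricted target list, JIT session with expiry, external approval for critical targets, and an audit entry for every decision) can be modelled in a few dozen lines. The following is an added illustration written for this page, not PrivX code: the role names, target identifiers, group claims and time values are all constructed for the example.

```python
"""Illustrative role-based, just-in-time access broker for OT targets.
Added example, not PrivX code; all names, rules and sample data are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Role:
    name: str
    regions: Set[str]        # ports this role may reach (fixes the "Asia reaches Europe" gap)
    target_kinds: Set[str]   # e.g. "diagnostics" or "control"
    actions: Set[str]        # "read" and/or "full"
    ttl_minutes: int         # JIT session lifetime; no always-on tunnels


@dataclass(frozen=True)
class Target:
    target_id: str
    region: str
    kind: str
    critical: bool = False   # critical targets need an external approver


@dataclass
class Session:
    user: str
    target_id: str
    action: str
    expires_at: datetime

    def is_valid(self, now: datetime) -> bool:
        return now < self.expires_at


# Constructed directory-group -> role mapping (assumed for illustration).
GROUP_TO_ROLE: Dict[str, Role] = {
    "eu-crane-maintenance":   Role("eu-maint",   {"EU"},   {"diagnostics"},            {"read"},         60),
    "apac-crane-maintenance": Role("apac-maint", {"APAC"}, {"diagnostics"},            {"read"},         60),
    "eu-crane-operations":    Role("eu-ops",     {"EU"},   {"diagnostics", "control"}, {"read", "full"}, 30),
}

# Constructed target inventory (hypothetical ship-to-shore cranes).
TARGETS: Dict[str, Target] = {t.target_id: t for t in [
    Target("hamburg-sts-07-diag", "EU", "diagnostics"),
    Target("hamburg-sts-07-ctrl", "EU", "control", critical=True),
    Target("singapore-sts-02-diag", "APAC", "diagnostics"),
]}

# Fixed clock values so the example is deterministic.
NOW = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
TWO_HOURS_LATER = NOW + timedelta(hours=2)


class AccessBroker:
    def __init__(self, targets: Dict[str, Target], group_to_role: Dict[str, Role]):
        self.targets = targets
        self.group_to_role = group_to_role
        self.audit: List[dict] = []   # every decision, granted or denied, is recorded

    def roles_for(self, claims: dict) -> List[Role]:
        # Roles come only from IdP/AD group claims, never from anything the user types.
        return [self.group_to_role[g] for g in claims.get("groups", []) if g in self.group_to_role]

    def visible_targets(self, claims: dict) -> List[str]:
        # The user sees only targets some role of theirs may reach, and nothing else.
        roles = self.roles_for(claims)
        return sorted(t.target_id for t in self.targets.values()
                      if any(t.region in r.regions and t.kind in r.target_kinds for r in roles))

    def request_session(self, claims: dict, target_id: str, action: str,
                        now: datetime, approver: Optional[str] = None) -> Optional[Session]:
        user = claims["sub"]
        target = self.targets.get(target_id)
        matching = [r for r in self.roles_for(claims)
                    if target is not None and target.region in r.regions
                    and target.kind in r.target_kinds and action in r.actions]
        if not matching:
            self._log(user, target_id, action, "denied", now)
            return None
        if target.critical and approver is None:
            self._log(user, target_id, action, "denied-needs-approval", now)
            return None
        ttl = min(r.ttl_minutes for r in matching)   # least-privilege lifetime
        self._log(user, target_id, action, "granted", now, approver)
        return Session(user, target_id, action, now + timedelta(minutes=ttl))

    def _log(self, user, target_id, action, decision, now, approver=None):
        self.audit.append({"time": now.isoformat(), "user": user, "target": target_id,
                           "action": action, "decision": decision, "approver": approver})
```

The points worth noticing are that the region and action checks are evaluated per request rather than once at VPN login, that a denied request still produces an audit entry, and that a granted session carries its own expiry, so a second request after `TWO_HOURS_LATER` has to go through the same authorization again.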
Benefits
Access to maritime ports can be restricted by region. Increased security and control over vendor technician access for debugging and maintenance sessions.
Automated linking of a role to an identity ensuring that all sessions can be verified with strong IDs.
Adding granular access control with minimal changes to existing VPN/Firewall/technology infrastructure.
Just-in-time (JIT) access instead of always-on connections to cranes. Each connection to a port or crane is established at the same time as the authorization and is verified each time it is made, in true Zero Trust fashion.
All secrets (passwords) are managed centrally for risk mitigation.
Centralized and streamlined access for all the cranes at a port. Any employee or third party gets access from any location to an individual crane in a uniform, controlled way.
All connections are tracked and produce a solid audit trail – with session recordings and live monitoring available.
Scalable cloud deployment ensures that the solution can expand as the port operations expand.
