Cybersecurity Assurance Center

This page collects cybersecurity information and details relevant to our customers. Here you can find our cybersecurity certificates, Frequently Asked Questions (FAQ) documents and a list of our key security controls. Our current and future cybersecurity whitepapers and other documents will also be published on this page.

Cybersecurity certifications

Cybersecurity certification gives our customers and partners concrete assurance of our security capabilities. At the same time, the certified standards form a clearly defined set of rules and best practices that create a baseline for our security practices.

ISO/IEC 27001:2022

A management system standard for information security, cybersecurity and privacy protection. The certifications cover Port Solutions, Industrial Equipment and Service, and all group functions.

This certificate is valid for the following scope: The development and operations of Konecranes business applications, IT infrastructure and customer portals, productivity-enhancing mobile applications and TRUCONNECT® suite of remote service products and applications.

ISO/IEC 27001:2013

This certificate is valid for the following scope: The Information Security Management System (ISMS) covers TBA and ECSS offices in The Netherlands, UK, Romania and Germany, and applies to developing, delivering (also “as a service”) and maintaining software and automation, and rendering consultancy services for ports, container and bulk/general cargo terminals, airports, manufacturing plants and other logistic systems.

IEC 62443

A series of standards addressing cybersecurity for operational technology in industrial automation and control systems. At Konecranes, our current focus is on secure development, system-level security and product/component security.

The scope of the certification (IEC 62443-4-1) covers the secure product development lifecycle process at selected sites.

UK Cyber Essentials

A UK government-backed scheme providing baseline cybersecurity requirements that are mandatory for certain UK government contracts.

Konecranes X-series crane
Regulatory Compliance

Cyber Resilience Act

The Cyber Resilience Act (CRA) is an EU regulation enhancing cybersecurity for digital products in the market. It requires manufacturers to design, develop, and maintain secure hardware and software throughout their lifecycle, including post-sale security updates and vulnerability monitoring. The CRA fosters transparency, helping users assess product cybersecurity, and establishes uniform rules across the EU, reducing fragmentation and aligning with global standards. 

At Konecranes, we're reviewing our portfolio to identify products affected by the CRA. Many of our products with digital components already follow robust security protocols, ensuring compliance with these new requirements.

Security Controls

Information security of Konecranes products and services is achieved by implementing a relevant set of security controls. The list below describes security controls implemented by Konecranes to protect its information assets and ensure the confidentiality, integrity and availability of the Konecranes products and services. More details on the measures are available upon request.

Konecranes has established the following technical and organizational security measures, under the ISO 27001 standard, to protect its information assets.

Konecranes identity and access management processes and systems ensure that employee, supplier and customer access to IT systems is authorized and restricted based on business and security requirements. The internal employee account lifecycle is linked with the HR system for a real-time entry and exit process. Supplier user accounts have defined ownership and lifecycle management.

Konecranes maintains an asset inventory for servers, databases, workstations and mobile devices. Assets are disposed of in a secure and environmentally friendly way. Konecranes is implementing an information classification and labelling system to ensure that information assets are protected according to their sensitivity.

Konecranes uses network security controls, such as enterprise firewalls, layered DMZ architectures, intrusion detection and managed security services. Konecranes network domains are segregated based on trust levels.

Konecranes ensures its compliance with legal and contractual requirements by following legislation, keeping a register of information systems including personally identifiable information, and providing personal data privacy statements for such systems.

Cryptography controls ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. Konecranes equipment containing company information, such as workstations and mobile devices, are encrypted. Konecranes utilizes cryptographic protocols (TLS) to protect information in transit over public networks.

Information security requirements are included in employee onboarding and exit processes.

Information security risks are evaluated as part of the Konecranes yearly risk management process.

Konecranes has a defined information security incident management process, working 24/7 across all countries where Konecranes is present.

Konecranes information security policy provides management direction and support for information security in accordance with business requirements, relevant laws and regulations. The policy covers information technology and operational technology.

Konecranes monitors devices and networks and uses security information and event management (SIEM) to identify abnormal behaviour or potential cyberattacks. Konecranes has processes in place for vulnerability management, malware protection and information system audits. The Information Technology function and IT suppliers also follow incident, problem and change management processes to ensure the availability, stability and security of our IT environment.

Information security programs and processes are defined, implemented and developed by dedicated staff, guided by the Information Security Steering Group.

Konecranes prevents unauthorized physical access, damage and interference to the organization’s information by setting secure areas at our facilities and data centers. These physical security perimeters are controlled by electronic systems. All Konecranes employees, external workers and visitors have unique badges with access rights to the defined facilities.

Suppliers must comply with Konecranes information security policy, processes and practices. Konecranes conducts supplier background checks, uses NDAs and contractually requires all relevant IT suppliers to define their information security processes and controls.

The information security requirements are included in the requirements for acquiring new information systems or enhancements to existing systems.

FAQ

Konecranes has an information security policy in place that provides management direction and support for information security in accordance with business requirements, relevant laws and regulations. The policy covers information technology and operational technology.

Konecranes has an Information Security Management System (ISMS) certified against the ISO/IEC 27001 information security management standard. The scope of the certification covers the development and operations of Konecranes business applications, IT infrastructure, and customer portals, productivity-enhancing mobile applications and the TRUCONNECT® suite of remote service products and applications.

Konecranes also holds ISO/IEC 27001 certification for its TBA software, port planning and optimization consultancy business.

Konecranes has mandatory cybersecurity training for all employees. Additionally, Konecranes has role-based training paths for software developers, procurement and factory employees. Konecranes runs weekly email phishing simulations to maintain employee awareness and the capability to identify phishing threats.

Data is protected by technical and organizational measures against accidental and/or unlawful access, alteration, destruction or other processing, including unauthorized disclosure and transfer of data.

Such measures include, but are not limited to, proper firewall management, appropriate encryption of data at rest and in transit, comprehensive access control, and the use of secure and monitored endpoint devices. Data security is also an area of focus with third parties (e.g. data processing subcontractors) providing and implementing IT systems and services.

Konecranes prevents unauthorized physical access, damage and interference to the organization's information by setting secure areas at our facilities and data centres. These physical security perimeters are controlled by electronic systems. All Konecranes employees, external workers and visitors have unique badges with access rights to the defined facilities. All visitors are always accompanied by Konecranes personnel.

Suppliers must comply with Konecranes information security policy, processes and practices. Konecranes conducts supplier background checks, uses NDAs and applies contractual security requirements to relevant suppliers.

Konecranes business-critical technology solutions have defined recovery time and recovery point objectives and disaster recovery plans. The disaster recovery plans are tested at least annually. The business continuity requirements are also extended to relevant supplier agreements.

Our Information Technology function follows incident, problem and change management processes to ensure the availability, stability and security of our IT environment.

Konecranes monitors devices and networks with a dedicated 24/7 service to identify abnormal behaviour or potential cyberattacks.

Konecranes regularly tests its backups and backup processes to ensure it can always meet the required recovery point objectives and recovery time objectives.

Konecranes has a process to identify, assess and manage security requirements relevant to information and operational technology. Regulations and legislation are monitored in cooperation with Legal to ensure compliance with requirements impacting products, networks, information systems and data transfers. This includes, for example, NIS2 and the CRA.

Konecranes runs an internal audit program and is subjected to annual external security certification audits (ISO 27001, IEC 62443).

Vulnerabilities are managed according to the Konecranes vulnerability management process, which defines requirements for vulnerability detection, analysis and remediation, including remediation timelines.

Patch management covers all aspects of the IT infrastructure. Critical and actively exploited (zero-day) vulnerabilities are patched as soon as a fix is available, whereas high-, medium- and low-severity patches follow their own cycles based on criticality. Where applicable, updates are always tested before being applied to production.

Konecranes has a defined information security incident management process, working 24/7 across all countries where Konecranes is present. A highly skilled team identifies, assesses and categorizes incidents following a defined process to mitigate their impact. Through proactive monitoring and continuous improvement, Konecranes strives to swiftly restore normal operation and minimize any potential negative consequences.

Log management within Konecranes is implemented to maintain a comprehensive audit trail and to ensure regulatory compliance. Closely monitoring and correlating log data enables Konecranes to proactively detect and investigate suspicious activity and to swiftly respond to potential security incidents, maintaining the integrity and confidentiality of data.

Konecranes product and application security requirements are based on the ISO 27001 and IEC 62443 standards, which set industry best practices for the secure software and product development lifecycle. This covers, for instance, threat modelling, secure coding, security testing and vulnerability management.

Konecranes has an IEC 62443-4-1 certification for its secure product development lifecycle. Konecranes also holds the UK Cyber Essentials Plus certification, which is required for certain governmental and critical infrastructure contracting in the UK.