US Increases Port Cybersecurity Citing Threat of Chinese Cargo Cranes
President Joe Biden today launched a sweeping Executive Order designed to give the Department of Homeland Security and the U.S. Coast Guard broader authority in strengthening maritime cybersecurity. Under the guise of strengthening the nation’s supply chains and security, the administration is highlighting a plan to invest over $20 billion over the next five years in port infrastructure including an effort to reestablish domestic crane manufacturing to end Chinese dominance in large cargo cranes.
“Every day malicious cyber actors attempt to gain unauthorized access to the Marine Transportation System’s control systems and networks,” the White House wrote in announcing the Executive Order. Without citing any specific examples, and saying the move was not in response to a specific threat, the White House said the order is designed to bolster the security of the nation’s ports along with actions to strengthen maritime cybersecurity, fortify supply chains, and strengthen the U.S. industrial base.
While there have been multiple instances of port authorities, terminal operators, and shipping companies all experiencing hacking and cyberattacks, the issue of Chinese-manufactured cargo cranes surfaced nearly a year ago after The Wall Street Journal ran a story citing unnamed sources alleging a threat from the Chinese either spying on U.S. ports or having the potential to control the cranes remotely. The American Association of Port Authorities (AAPA) strongly refuted the accusations, calling them “sensationalized claims” and saying that there is no evidence of the cranes being used to harm or track port operations.
In the Executive Order signed today by President Biden, the Department of Homeland Security is directed to address maritime cyber threats, including setting cybersecurity standards. The U.S. Coast Guard is given authority to respond to malicious cyber activity, including the authority to “control the movements of vessels that present a known or suspected cyber threat.”
It also institutes mandatory reporting of cyber incidents or active cyber threats. This includes threats to vessels, harbors, ports, or waterfront facilities. The U.S. also intends to name a Maritime Security Director.
The USCG is directed to issue a Maritime Security Directive “on cyber risk management actions for ship-to-shore cranes manufactured by the People’s Republic of China located at U.S. commercial strategic seaports.” The owners and operators of the cranes “must acknowledge the directive” and take action on the cranes and the associated information and operational technologies.
“Several vulnerabilities have been identified,” according to the White House in a MARAD advisory that is being released today. In a background briefing, Rear Admiral John Vann of the USCG said they were already assessing 200 cranes for cybersecurity vulnerabilities. He pointed out that, by design, the cranes and software have remote programming capabilities and tracking devices built into their systems, which he contended are “vulnerable to exploitation.”
Without specifically citing the cranes, the FBI and other security agencies have warned of a potential threat from China or other malicious actors to U.S. infrastructure.
The White House today highlighted an agreement with PACECO Corp., a U.S.-based subsidiary of Japan’s Mitsui E&S Co., which they report is planning to relaunch a U.S. manufacturing capability for cranes. They emphasized that the company was a pioneer in 1958 with the first dedicated ship-to-shore container crane but ended U.S.-based crane manufacturing in the late 1980s. PACECO is reported to be looking for partners and a site but plans on manufacturing cranes in the U.S. for the first time in 30 years.
Currently, 70 to 80 percent of the large container cranes used in ports worldwide are manufactured by ZPMC, a company headquartered in China. With the company having emerged as a lower-cost alternative and, in many cases, the only viable supplier, its large ship-to-shore cranes are deployed in over 100 countries.
Last year, lawmakers in the U.S. House of Representatives proposed the Port Crane Security & Inspection Act addressing any crane manufactured by a “foreign adversary,” and also a “crane for which any information technology and operational technology components in such crane is connected into cyberinfrastructure at a port located in the United States.”
AAPA highlighted that the Chinese company built its lead by being the only major manufacturer of large cranes. They called on the U.S. Congress to focus on efforts to reshore the manufacturing of cranes to the U.S. as a means of supporting American industry and ports.
Many of the elements of these initiatives appear to have influenced the content of the Executive Order signed today. The USCG reports it opened a public comment period running until late April as it moves forward to enact the new rules.