The 2023 National Defense Authorization Act (NDAA), which became law in December 2022, included some specific military-related cybersecurity provisions, including a required study of cybersecurity and national security threats posed by foreign-manufactured cranes at United States ports “to assess whether foreign manufactured cranes at United States ports pose cybersecurity or national security threats.” The study was completed late last year, and the response to the findings has sparked global controversy and debate.
Recently passed legislation might have been spurred by supply chain disruption and surveillance concerns enabled by Chinese-made cranes.
The 2023 National Defense Authorization Act (NDAA) passed by Congress and signed by President Biden in late December 2022 was filled with a host of military-related cybersecurity provisions. One little-noticed provision in the bill called for a study of cybersecurity and national security threats posed by foreign-manufactured cranes at United States ports. Under this provision, the Maritime Administrator, working with Homeland Security, the Pentagon, and the Cybersecurity and Infrastructure Security Agency (CISA), is required to conduct a study to assess whether foreign manufactured cranes at United States ports pose cybersecurity or national security threats. It must be completed by late December 2023 and submitted to the Senate Commerce and Armed Services Committees and House Transportation and Armed Services Committees.
Concerns about cybersecurity at the nation’s increasingly digitized ports have been rising for years. As far back as 2013, a Brookings study concluded that the cybersecurity awareness and culture level in US port facilities was low and that basic cybersecurity hygiene measures were missing in most ports. Of the ports studied by the Brookings researchers, only one had conducted a cybersecurity vulnerability assessment, and none had developed a cyber incident response plan.
In 2015, cybersecurity firm CyberKeel, now owned by Improsec, warned that 37% of maritime companies with Windows web servers weren’t adequately installing security patches from Microsoft. Earlier in 2015, US Coast Guard officials reported that interference with GPS signals disrupted operations for seven hours at a significant, unidentified east coast port, affecting four cranes.
Given the digitized nature of modern cranes, the NDAA study could have its origins in fears that the costly (typically starting at $15 million) and all-important port machines could come equipped with destructive malware or be vulnerable to malicious cyber incidents. But experts say it is more likely that the concern stems from the communications technology that controls the cranes’ operations.
Vulnerabilities within the Maritime Transportation System Caused by Foreign Adversarial Access to Port Equipment and Supply Chain Management Systems
Abstract
The U.S. Maritime Trade and Port Cybersecurity team examined the current threat landscape, challenges, and mitigations affecting the maritime trade and port sector. In an increasingly connected world, the security of our ports is paramount. The interconnected network of third-party vendors, and the foreign acquisitions of U.S. port infrastructure, present significant vulnerabilities for U.S. port authorities. While significant advances have occurred in recent years, more improvement is needed to ensure this sector is adequately protected from current and future threats. Vulnerabilities, whether old or new, must be addressed before cyber adversaries are able to compromise critical systems and assets within ports.
In this report, the team examines the challenges to U.S. port facilities from foreign investment and application programming interfaces. Worldwide maritime ports, facilities, and infrastructure are vulnerable to physical and cybersecurity exposure through foreign adversarial access to port equipment and supply chain information management systems. Specifically, proprietary foreign adversarial companies manufacture, install, and maintain port equipment that poses potential vulnerabilities to global maritime infrastructure information technology and operational technology systems. Utilizing a case study related to the issue of foreign cranes in U.S. ports, the team highlights challenges, and vulnerabilities, and recommends courses of action regarding how to mitigate potential vulnerabilities introduced by foreign investment in U.S. ports.
…the Biden-Harris Administration will issue an Executive Order to bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity, fortify our supply chains and strengthen the United States industrial base. The Administration will also announce its intent to bring domestic onshore manufacturing capacity back to America to provide safe, secure cranes to U.S. ports – thanks to an over $20 billion investment in U.S. port infrastructure under President Biden’s Investing in America Agenda.
The U.S. Coast Guard will issue a Maritime Security Directive on cyber risk management actions for ship-to-shore cranes manufactured by the People’s Republic of China located at U.S. Commercial Strategic Seaports. Owners and operators of these cranes must acknowledge the directive and take a series of actions on these cranes and associated Information Technology (IT) and Operational Technology (OT) systems. This action is a vital step to securing our maritime infrastructure’s digital ecosystem and addresses several vulnerabilities that have been identified in the updated U.S. Maritime Advisory, 2024-00X – Worldwide Foreign Adversarial Technological, Physical, and Cyber Influence…
The Administration continues to deliver for the American people by rebuilding the U.S.’s industrial capacity to produce port cranes with trusted partners. The Administration will invest over $20 billion, including through grants, into U.S. port infrastructure over the next 5 years through the President’s Investing in America Agenda, including the Bipartisan Infrastructure Law and the Inflation Reduction Act. As a result, PACECO Corp., a U.S.-based subsidiary of Mitsui E&S Co., Ltd (Japan), is planning to onshore U.S. manufacturing capacity for its crane production. PACECO has a deep history in the container shipping industry, manufacturing the first dedicated ship-to-shore container crane in 1958 as PACECO Inc., and it continued U.S.-based crane manufacturing until the late 1980s. PACECO intends to partner with other trusted manufacturing companies to bring port crane manufacturing capabilities back to the U.S. for the first time in 30 years, pending final site and partner selection.
…the U.S. Coast Guard (USCG) released a Maritime Security (MARSEC) directive…this directive focuses on cyber risk management for ship-to-shore cranes made by companies from the People’s Republic of China (PRC). It targets owners and operators of specific critical port infrastructure, urging them to address vulnerabilities and improve cyber security conditions. The action comes in response to the risks associated with the widespread use of PRC-manufactured STS cranes in the U.S. and their potential to disrupt critical infrastructure. The directive outlines specific cyber risk management steps for those managing or operating these cranes. “The directive contains security-sensitive information and, therefore, cannot be made available to the general public,” according to a notice published Wednesday by the Department of Homeland Security (DHS) on the Federal Register. “Owners or operators of PRC-manufactured STS cranes should immediately contact their local Coast Guard Captain of the Port (COTP) or District Commander for a copy of MARSEC Directive 105-4.”
In addition to the MARSEC directive 105-4, the U.S. Maritime Administration also issued…an advisory that seeks to alert maritime stakeholders of potential vulnerabilities to maritime port equipment, networks, operating systems, software, and infrastructure. Often referred to as PRC-manufactured STS cranes, the USCG now has express authority to respond to malicious cyber activity, including by requiring vessels and facilities to mitigate unsatisfactory cyber conditions that may endanger the safety of a vessel, facility, or harbor. They also require the reporting of any actual or threatened cyber incidents involving or endangering any vessel, harbor, port, or waterfront facility to the USCG and Federal Bureau of Investigation (FBI); and taking control of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure. The federal action comes as PRC-manufactured STS cranes make up the largest share of the global ship-to-shore crane market and account for nearly 80 percent of the STS cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave PRC-manufactured STS cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system.
while ports are of great importance to national security, it is going too far to allege that China-sourced cranes could be controlled remotely and are therefore a threat to the country. It has even been suggested that the cranes may be collecting information from the ports about what is being shipped and to and from where. Which may be an imaginative premise for a Hollywood movie. But it is more alarming as a possible sign that it is part of the US efforts to “set the theater” with its scaremongering. Taking it one step further, according to these voices crying the wolf is at the door, anything connected with the internet poses a risk as it can potentially be accessed and exploited by hostile hackers. Their concerns are misplaced as they should be worried about the network itself, the core of which is controlled by the US.
They should be reminded that the Chinese port crane manufacturers still rely heavily on hydraulic machines, frequency converters, electric machines, electric programmable logic controllers, machine vision control systems, and various other core parts and technologies from the US, Germany, Japan, the Republic of Korea and Sweden. That China’s port crane industry has prospered quickly over the past decade is mainly due to its increasingly prominent advantages of scale rather than its control of the core technologies and parts. Previously, the cranes were mainly manufactured in Japan, the ROK, and Europe.
If the US government wants to localize the assembly and manufacturing of such large-scale port infrastructure and facilities, it will require a reshuffle of the global industry and supply chains in the sector. The difficulties the US government has encountered in attracting chipmakers to relocate their production from China to the US by promising them subsidies, which have subsequently proved to be hard to get, suggest the port crane initiative is doomed to almost certain failure. The Chinese port cranes are by no means Trojan horses but the results of market competition, the international division of labor, and cooperation.
“Lawmakers’ discovery has fueled worries in Washington that the China-built equipment could be a national-security threat at America’s ports”
A congressional probe of Chinese-built cargo cranes deployed at ports throughout the U.S. has found communications equipment that doesn’t appear to support normal operations, fueling concerns that the foreign machines may pose a covert national-security risk. The installed components in some cases include cellular modems, according to congressional aides and documents, that could be remotely accessed.
U.S. officials are growing concerned that giant Chinese-made cranes operating at American ports across the country, including at several used by the military, could give Beijing a possible spying tool hiding in plain sight.
Some national-security and Pentagon officials have compared ship-to-shore cranes made by the China-based manufacturer, ZPMC, to a Trojan horse. While comparably well-made and inexpensive, they contain sophisticated sensors that can register and track the provenance and destination of containers, prompting concerns that China could capture information about materials being shipped in or out of the country to support U.S. military operations around the world.
US lawmakers say cellular modems were found installed on cranes made by China’s Shanghai Zhenhua, but the company says its cranes pose no security risk to any ports
A Chinese conglomerate has denied claims that cranes it made and provided to US ports represent a cybersecurity threat. The response from Shanghai Zhenhua Heavy Industries (ZPMC) follows a congressional investigation that found some Chinese-made cranes used at US ports contain communications equipment with no clear purpose or record of their installation. The probe has heightened US concern that the cranes – said to number over 200 – could be used for surveillance or infrastructure sabotage.
A spokesperson for the Chinese Embassy in Washington DC said claims that Chinese-made cranes pose a security risk were “entirely paranoia.” But the company’s response was straightforward. “ZPMC takes the US concerns seriously and believes that these reports can easily mislead the public without sufficient factual review,” it said in a filing, referring to the probe by the Homeland Security and Strategic Competition committees. “The cranes provided by ZPMC do not pose a cybersecurity risk to any ports,” it said. A House of Representatives security panel, which is scrutinizing ZPMC’s installation of Swiss engineering group ABB’s equipment onto US-bound ship-to-shore cranes, invited ABB executives to public hearings in January to clarify its relationship with ZPMC, which they said raised “significant concerns”. ABB has said it sold its control and electrification equipment to many crane manufacturers, including Chinese companies, which in turn sold cranes directly to US ports.
Ship-to-shore port cranes play an indispensable role in the orchestration of global trade and, by extension, are pivotal to national security and economic stability. These cranes are the linchpins in the loading and unloading process of cargo containers from ships to docks, facilitating the seamless movement of goods across international borders. Given the criticality of this function, any disruption to their operation can have far-reaching implications, not just for the economy but for the security posture of a nation as well.
A broader perspective from experts at the Wilson Center: “The White House just announced a new executive order to bolster cybersecurity at US ports, part of the government’s efforts to secure critical infrastructure at home. The most consequential step will be the onshoring of the manufacturing of cranes that are vital to port operations. Cranes now in place that were produced by the People’s Republic of China’s (PRC) state-owned company ZPMC will be replaced by cranes produced by PACECO Corp., a US-based subsidiary company of Japanese Mitsui E&S. This step also further bolsters the US-Japan partnership. Yet replacing domestic cranes just addresses the tip of the iceberg regarding maritime commerce vulnerabilities.
Far more important than the physical construction of port infrastructure and equipment is the technology and software that runs them. It is the digital brains of the cranes that are concerning. As worrisome are Chinese-run data systems such as Logink that track the flow of cargo at ports. It is used not only at Chinese ports but also at foreign operating ports, ‘including six in Japan, five in South Korea and one in Malaysia.’ While Congress recently passed an amendment to the National Defense Authorization Act banning federal agencies such as the Pentagon from using ports that rely on Logink, it continues to track global shipments.
Many worry that this ‘control over the flow of goods and information about them gives Beijing privileged insight into world commerce and potentially the means to influence it.’ The concerns are valid, given that ZPMC and Logink continue to capture this important data globally. The PRC’s focus on ports makes it a leader in providing their critical infrastructure, along with that infrastructure’s attendant vulnerabilities. The PRC has long paid attention to who controls the ports through which the world’s commerce flows, while the US is just now waking up to their importance. The PRC has a stake in 92 port projects outside of China, of which 13 are now majority Chinese-owned. America must enhance coordination within US government agencies and with allied port operators to ensure priority international ports cannot be used for coercion or to America’s disadvantage during a period of tension or conflict. The US International Development Finance Corporation’s financing of India’s Adani Ports to build a terminal in Sri Lanka is an important first step.
The US must do more than just address those maritime vulnerabilities that justify onshoring jobs in manufacturing. It needs a comprehensive strategy to address vital security gaps in domestic and global maritime commerce. It should include incentivizing US companies to provide better answers for the technology that runs the world’s ports. To safeguard national security, the US must adopt a cohesive and comprehensive strategy on global ports and act beyond its borders to bolster cybersecurity at foreign-operated ports.”
NOTE: This OODA Loop Original Analysis was partially generated with the cognitive augmentation of and in collaboration with ALTzero Project – MattGPT.
Economic Weakness in China: China’s economy faces dim prospects exacerbated by disasters, COVID-19, and geopolitical tensions. Amid limited financial transparency, some indicators suggest China’s economic growth is severely stunted, impacting global economic stability. See: China Threat Brief
The Inevitable Acceleration of Reshoring and its Challenges: The momentum towards reshoring, nearshoring, and friendshoring signals a global shift towards regional self-reliance. Each region will emphasize local manufacturing, food production, energy generation, defense, and automation. Reshoring is a complex process, with numerous examples of failures stemming from underestimating intricacies. Comprehensive analyses encompassing various facets, from engineering to finance, are essential for successful reshoring endeavors. See: Opportunities for Advantage
Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See: The Cyber Threat
Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses
The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance
Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning
Track Technology Driven Disruption: Businesses should examine technological drivers and future customer demands. A multi-disciplinary knowledge of tech domains is essential for effective foresight. See: Disruptive and Exponential Technologies.