Increasing tensions with China have created a ripple effect of concerns about the impact of its technologies in and on the U.S. In a recent Supply Chain Dive post, reporter David Jones describes the growing concerns regarding “nation-state threats to U.S. critical infrastructure,” as well as “larger security concerns” about the dependency of “key industries” on supply chains located overseas.
“U.S. authorities in late January warned that nation-state hackers linked to the People’s Republic of China are burrowing their way into key U.S. sectors’ IT infrastructure to launch a potential diversionary attack in the event of military action in the Asia-Pacific region,” Jones writes.
In such an environment — and in light of new cybersecurity and espionage concerns about ship-to-shore cranes with Chinese ties — the Biden administration’s recent Executive Order (EO) may come as no surprise.
Executive Order to bolster cybersecurity at ports
On February 21, the Biden Administration announced an EO “to bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity, fortify our supply chains and strengthen the United States industrial base.”
Along with other specifics, the announcement included a planned investment of over $20 billion into U.S. port infrastructure over the next five years to “bring domestic onshore manufacturing capacity back to America to provide safe, secure cranes to U.S. ports.”
Plans to achieve this will be implemented through PACECO Corp., “a U.S.-based subsidiary of Mitsui E&S Co., Ltd (Japan),” which is planning to “onshore U.S. manufacturing capacity for its crane production.” The announcement says PACECO manufactured the “first dedicated ship-to-shore container crane in 1958 as PACECO Inc., and…continued U.S.-based crane manufacturing until the late 1980s.”
“PACECO intends to partner with other trusted manufacturing companies to bring port crane manufacturing capabilities back to the U.S. for the first time in 30 years, pending final site and partner selection,” the announcement said.
Saying that the country’s prosperity is “directly linked to maritime trade and the integrated network of ports, terminals, vessels, waterways, and land-side connections that constitute the Nation’s Marine Transportation System (MTS),” the announcement notes that the digital systems used to optimize MTS operations also make them vulnerable: “…the increasing digital interconnectedness of our economy and supply chains have also introduced vulnerabilities that, if exploited, could have cascading impacts on America’s ports, the economy, and everyday hard-working Americans.”
Increased cyber authority for the U.S. Coast Guard
As a result of the concerns described, the EO gives the U.S. Coast Guard “express authority to respond to malicious cyber activity in the nation’s MTS by requiring vessels and waterfront facilities to mitigate cyber conditions that may endanger the safety of a vessel, facility, or harbor.”
Additionally, the U.S. Coast Guard will:
- “have the authority to control the movement of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure, and be able to inspect those vessels and facilities that pose a threat to our cybersecurity”
- “issue a Maritime Security Directive on cyber risk management actions for ship-to-shore cranes manufactured by the People’s Republic of China located at U.S. Commercial Strategic Seaports”
The announcement notes that owners and operators of these cranes must “acknowledge the directive and take a series of actions on these cranes and associated Information Technology (IT) and Operational Technology (OT) systems,” and says this is a “vital step to securing our maritime infrastructure’s digital ecosystem and addresses several vulnerabilities that have been identified in the updated U.S. Maritime Advisory, 2024-00X – Worldwide Foreign Adversarial Technological, Physical, and Cyber Influence,” also released on February 21.
In an article for the American Journal of Transportation (AJOT), Stas Margaronis cites a February 20th White House media briefing in which Rear Admiral Jay Vann, Commander of the United States Coast Guard Cyber Command, commented on the new EO, saying it “empowers the Commandant of the Coast Guard to prescribe measures to prevent, detect, assess, and remediate an actual or threatened cyber incident.”
“As we undertake measures to prevent cyber incidents, let me address a specific, acute MTS (Maritime Transportation System) cyber vulnerability … The People’s Republic of China-manufactured ship-to-shore cranes make up the largest share of the global market and account for nearly 80% of cranes at U.S. ports,” Vann reportedly said. “By design, these cranes may be controlled, serviced, and programmed from remote locations. These features potentially leave PRC-manufactured cranes vulnerable to exploitation.”
A “wake-up call” for U.S. ports?
In the AJOT article, Margaronis also cites Eugene Seroka, Executive Director, Port of Los Angeles, who referred to the EO’s cybersecurity investment plans as “a wakeup call for all of us in the port and supply chain industry.”
In a February 27th interview with the outlet, Seroka responded to concerns about container cranes posing a national security threat.
“Well, safe to say that the cranes collect data,” he told AJOT. “There’s analysis that goes along with it. But like so many of today’s assets, whether it’s our connected cars, our mobile devices, and the equipment that’s being used at ports, there is a vulnerability. And that’s why we’ve got to shore up our lines of communication, protect that data, like we protect our infrastructure and make sure we limit any type of accessibility by unauthorized users.”
Seroka also underscored the fact that the Port of Los Angeles is a pioneer of port cybersecurity operations.
“We opened the nation’s first cyber security operations center back in September of 2014, aided in part by a grant from the United States Department of Homeland Security,” he said. “Last year, this cybersecurity operations center, or CSO as we call it, stopped nearly three quarters of a billion intrusion attempts, an average of about 63 million intrusion attempts per month that we stopped.”
He added that the port’s work in this area has also led to the creation of “one of the world’s first cyber resilience centers,” which he referred to as an “early warning system.”
“It allowed us to bring about two dozen private sector partners in, including our dock workers with the International Longshore and Warehouse Union, along with marine clerks, board members, … and others to help work together with the private sector to stop intrusions in their spaces,” Seroka added. “And so far, co-created with IBM, the Cyber Resilience Center, has stopped a half a dozen attacks onto private sector interests that they were unaware were targeting them. So, this work needs to be replicated across ports throughout the nation.”
Espionage concerns
More recently, a congressional investigation into cranes supplied by a “CCP-backed company” led to some “shocking” findings.
A March 12 press release details the concerns.
“Last week, House Homeland Security Chairman Mark E. Green (R-TN), Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL), and House Select Committee on the Chinese Communist Party Chairman Mike Gallagher (R-WI) sent a letter to Shanghai Zhenhua Heavy Industries (ZPMC), a company with close ties to the Chinese Communist Party (CCP), demanding answers following numerous findings by the Committees’ ongoing joint investigation into critical infrastructure security vulnerabilities at U.S. ports,” the statement said, noting that the Chairmen were joined on the letter by Subcommittee on Counterterrorism, Law Enforcement, and Intelligence Chairman August Pfluger (R-TX) and Select Committee on the Chinese Communist Party members, Rep. Dusty Johnson (R-SD) and Rep. Michelle Steel (R-CA).
The letter describes “concerns related to cellular modems discovered on ZPMC ship-to-shore (STS) crane components at a U.S. seaport and a cellular modem discovered in another U.S. seaport’s server room that houses STS cranes’ firewall and networking equipment.”
“These communication devices were not part of the equipment contracts, nor could port officials determine why the components had been installed,” the statement said. “The letter also requests information regarding ZPMC’s engagement with the CCP and any requests from the CCP to ZPMC. The Committees are also investigating the Swiss company ABB, as many of the operational components manufactured by ABB are shipped to the People’s Republic of China (PRC), where they are stored for several months and later installed onto U.S.-bound port equipment by ZPMC engineers.”
A related press release issued on March 8 provides additional details.
“While the investigation is still ongoing, the Committees have identified serious concerns regarding ZPMC’s relationship with the Chinese Communist Party (CCP), especially in the wake of reports that CCP-affiliated hackers maintained access to U.S. critical infrastructure for years, including the maritime sector,” the release says.
Referencing the cellular modems described previously, the release also notes that another cybersecurity investigation revealed that “some of these modems were found to have active connections to the operational components of the STS cranes,” and that the Committees “remain concerned that every U.S. seaport with ZPMC cranes could already be, or is at risk of being, compromised by the CCP.”
In response, one Chinese official said the U.S. is being paranoid.