Owners and operators of over 200 Chinese-made container cranes at U.S. ports will be subject to new cyber-risk management requirements aimed at reducing China’s ability to spy on America’s domestic supply chains.
The U.S. Coast Guard on Wednesday announced that owners or operators of Chinese manufactured ship-to-shore (STS) container gantry cranes may now obtain copies of Maritime Security Directive 105-4, which spells out required cyber-risk management actions related to the cranes.
The directive contains security-sensitive information, so it cannot be made available to the general public, according to the Coast Guard. The agency wants owners and operators of the cranes to immediately contact their local captain of the port or district commander for a copy of the directive.
The Coast Guard explained in the notice that the prevalence of such cranes around the country — and the technology that comes with them — is the motivation behind the directive. STS gantry cranes manufactured by China account for nearly 80% of the STS cranes at U.S. ports.
“By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave PRC [People’s Republic of China]-manufactured STS cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system,” the Coast Guard warned.
“As such, additional measures are necessary to prevent a [security incident] in the national transportation system due to the prevalence of PRC-manufactured STS cranes in the U.S., threat intelligence related to the PRC’s interest in disrupting U.S. critical infrastructure, and the built-in vulnerabilities for remote access and control of these STS cranes.”
At a White House briefing on Tuesday, Coast Guard Rear Adm. John Vann, who heads the agency’s cybercommand, said that his teams have “assessed cybersecurity or hunted for threats” on 92 of the cranes so far.
“Those assessments determine the cybersecurity posture, and the hunt missions actually look for malicious cyberactivity on the cranes,” Vann said. “We’ve almost canvassed about 50% of the existing cranes,” he added, but did not state whether security concerns were discovered on those cranes.
A related advisory by the U.S. Maritime Administration, also issued on Wednesday, points out that China’s ZPMC (Shanghai Zhenhua Heavy Industries Co. Ltd.) has the largest share of the STS crane market worldwide, by sales revenue.
“These cranes may, depending on their individual configurations, be controlled, serviced, and programmed from remote locations. These features potentially leave them vulnerable to exploitation,” the advisory states.
The advisory lists guidance and mitigation measures for ports, vessel operators and shippers for protecting data at risk of being hacked in a cyberattack.
Part of larger maritime cyberagenda
The Coast Guard’s new requirements are part of a major initiative announced by the White House on Wednesday broadening the agency’s powers to address cybersecurity risks at U.S. ports as terminal operations rely increasingly on automation.
“These systems have revolutionized the maritime shipping industry and American supply chains by enhancing the speed and efficiency of moving goods to market, but the increasing digital interconnectedness of our economy and supply chains have also introduced vulnerabilities that, if exploited, could have cascading impacts on America’s ports, the economy, and everyday hard-working Americans,” according to a White House fact sheet.
An executive order signed by President Joe Biden gives the Coast Guard the authority to control the movement of vessels suspected of being cyberthreats to U.S. maritime infrastructure, along with the authority to inspect suspicious vessels and facilities.
In addition, reporting of cyber incidents by vessels, ports and terminals operators — which so far has been voluntary — will become mandatory.
“Evidence of sabotage, subversive activity, or an actual or threatened cyber incident involving or endangering any vessel, harbor, port, or waterfront facility, including any data, information, network, program, system, or other digital infrastructure thereon or therein, shall be reported immediately to the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency (for any cyber incident), and the Captain of the Port, or to their respective representatives,” the executive order states.
Additional cybersecurity requirements for U.S.-flagged vessels, ports and container terminal operators, including minimum requirements for cybersecurity plans, are part of a Coast Guard proposed rule published on Wednesday.