Setting the Stage
The frenzied buzzing of the seaport manager’s cell phone interrupted his weekly staff meeting. There were urgent text messages and voice mails signaling that there was a major problem at Container Terminal 5. One text message said, “Crane 5A has stopped functioning! Crane 5C can’t be stopped! Help!”
Apparently when one of the world’s largest container ships containing over 20,000 Twenty-Foot Equivalent Units (TEUs) docked at Terminal 5, all hell broke loose.
But why?
Even though this is a hypothetical story, the U.S. Government and FBI are worried that such a scenario could come true. On Feb. 21, the Biden Administration, Coast Guard and Department of Transportation’s Maritime Administration (MARAD) all issued alerts to “…bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity, fortify our supply chains, and strengthen the United States industrial base.”
Executive Order
President Biden has initiated a comprehensive Executive Order aimed at enhancing the cybersecurity of maritime operations by expanding the powers of the Department of Homeland Security and the Coast Guard.
The strategic move is part of a broader effort to strengthen the nation’s maritime infrastructure against cyber threats and to bolster the resilience of domestic supply chains.
“Every day malicious cyber actors attempt to gain unauthorized access to the Marine Transportation System’s control systems and networks,” according to the Executive Order.
In conjunction with the cybersecurity initiative, the Biden administration has outlined a significant investment strategy, committing over $20 billion over the next five years to upgrade U.S. seaport infrastructure.
A key component of this investment plan is to revive the domestic production of seaport cranes, thus reducing reliance on foreign-manufactured—particularly Chinese—cargo cranes, which currently dominate the market.
This dual approach not only aims to secure the digital and physical aspects of the nation’s maritime operations, but also seeks to reinvigorate the American industrial base by bringing critical manufacturing capabilities back to American shores.
The Executive Order can be viewed at https://bit.ly/49QxwjH.
Crane Cyber Security Concerns: Ongoing Since 2021
In September 2021, FBI counterintelligence agents searched the Chinese merchant ship Zhen Hua after delivering four neo-Panamax port container cranes to the Port of Baltimore. Sources reported that the FBI agents had uncovered intelligence-gathering equipment on the ship—possibly associated with the cranes.
In 2022, Rep. Carlos Gimenez (R-Florida) introduced a bill entitled the Port Crane Security and Inspection Act. The bill would include security checks of port cranes made by U.S. “adversaries.” The bill, however, died in committee.
According to CSOonline.com, the 2023 National Defense Authorization Act (NDAA) signed by President Biden in December 2022 included a provision “…for a study of cybersecurity and national security threats posed by foreign-manufactured cranes at United States ports” which may have been a concession to Gimenez.
In March 2023, the Department of Defense raised concerns about Chinese-made cranes in U.S. ports—including those used by the U.S. military—as potential tools for espionage.
Questions about Container Cranes
In February, a National Public Radio report quoted White House estimates that there are over 200 cranes manufactured by China at U.S. seaports. This constitutes more than 80% of U.S. seaport cranes in use.
Rear Admiral Jay Vann, leader of the Coast Guard Cyber Command, noted that the container cranes could be vulnerable to Chinese exploitation, particularly because they could be operated remotely. Concerns also have been raised that cameras on the cranes can be remotely viewed by China.
But the threat from the Chinese is bigger than just container cranes.
On Feb. 15, at the Munich Security Conference, FBI Director Christopher Wray stated that China is suspected of continuing “… to attack the economic security, national security and sovereignty of rule-of-law nations worldwide.”
“The cyber threat posed by the Chinese government is massive,” he said. “China’s hacking program is larger than that of every other major nation combined. And that size advantage is only magnified because (China) uses AI (artificial intelligence)—built in large part on stolen innovation and stolen data—to improve its hacking operations, including to steal yet more AI tech and data.” (www.fbi.gov)
Most of the cranes in question are manufactured by Shanghai Zhenhua Heavy Industries (ZPMC). They became a major player in the U.S. seaport market by selling high-quality cranes at cheaper prices than Western suppliers.
ZPMC has worked with Microsoft and other software companies to offer automated systems that can analyze data in real time. However, the U.S. Defense Intelligence Agency has reportedly said China could potentially disrupt port traffic or gather data on military equipment being shipped. (Port Technology News, March 8, 2023)
This concern was also raised in a March 5, 2023, Wall Street Journal article entitled “Pentagon Sees Giant Cargo Cranes as Possible Chinese Spying Tools.”
The Coast Guard has warned that “…by design, these cranes may be controlled, serviced and programmed from remote locations, and those features potentially leave the (China)-manufactured cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system.”
One added concern about the ZPMC cranes is that the cameras installed on the machines themselves could be surveillance tools that communicate operations information back to China.
Solving the Problem
Port of Los Angeles Executive Director Gene Seroka agrees that the Chinese-dominated port crane business is a potential concern, but said there’s a shortage of other supply options for the cranes.
That said, President Biden’s Executive Order includes investment in U.S. port infrastructure over the next five years through the President’s Investing in America agenda. PACECO Corp.—a U.S.-based subsidiary of Mitsui E&S Co., Ltd. (Japan) is planning to onshore U.S. crane manufacturing capacity.
PACECO intends to partner with other trusted manufacturing companies to bring port crane manufacturing capability back to the U.S. after being out of play for 30 years.
At a Feb. 20 White House briefing, Vann said that Coast Guard teams have “…assessed cybersecurity or hunted for threats…” on 92 of the cranes so far.
Maritime Industry Advisory
A day later, MARAD issued a new advisory, “2024-002-Worldwide-Foreign Adversarial Technological, Physical, and Cyber Influence,” which can be found at https://bit.ly/3uOvi5t.
In summary, this document offers specific guidance to seaport administrators on actions they should take to recognize threats to their cranes and mitigate the vulnerabilities.
The advisory specifically states that maritime industry stakeholders, including port and vessel owners/operators and shippers exposed to risks should apply cybersecurity best practices for Access Control (identity and access management), vulnerability mitigation and configuration management.
Other suggestions in the advisory for operators:
- Be positioned to increase their cybersecurity and cyber resiliency to respond to and report any incidents that could inhibit their ability to continue operations.
- Maintain a comprehensive understanding of data sharing and network access permissions within contractual agreements.
- Stress to personnel the importance of understanding and knowing who maintains access to maritime technology throughout any port or facility they utilize.
- Be wary of untrusted network traffic and treat all traffic transiting their networks—especially third-party traffic—as untrusted until it is validated as legitimate.
- Ensure infrastructure operational resiliency, regarding system security, as well as the ability to maintain equipment and sourcing for critical parts and upgrades.
- Maintain fully recoverable backups and practice recovery from backups.
- Partner with academia and government to develop and maintain optimal cybersecurity hygiene by participating in information-sharing exchanges and cyber drills and exercises.
For automated port cranes, the advisory offers the following mitigation measures to be implemented by industry stakeholders:
- Improve segmentation between the crane and other port systems/networks to reduce an adversary’s initial cyber access. Reduce unnecessary communications and network services between business and management networks and the crane network and disallow multi-homed systems across these networks.
- Utilize secure file transfer tools/maintain secure file transfers to reduce the risk of malware when moving files, such as firmware updates, onto the crane network, reducing dependency on removable media (e.g., USBs).
- Provide dedicated remote access systems and processes for crane devices which utilize and enforce multi-factor authentication (MFA). Define formal policies and procedures for firewall rule changes needed to control access.
- Separate and segment crane management functions from crane operational systems to reduce cyber access by adversaries.
- Keep crane management functions (e.g., diagnostics, patching, programmable logic controller (PLC) program modification/updating) on separate segments and restrict modifications from crane operational systems, including the on-board and remote crane management systems (RCMS).
- Monitor all communications on the crane network (all ingress and egress traffic), especially those between the crane and broader port operational and management systems. Monitor all communications paths used to connect to the crane, including from the RCMS remotely. Monitor host activities for operational management systems.
- Require vendor update completion through physical visits at crane operating sites whenever possible and discourage vendors from completing remote updates.
The advisory also offers guidance on:
Verifying the integrity and security of on-board crane devices and networks.
Ensuring strong physical security and access control of devices and infrastructure used to operate and manage the cranes.
The advisory closes with the requirement that maritime stakeholders who discover compromised equipment or suspicious activity within the Maritime Transportation System (MTS) or Operational Technology (OT)/Information Technology (IT) assets should contact:
- U.S. Coast Guard National Response Center: 1-800-424-8802.
- Coast Guard Cyber Command (CGCYBER), Maritime Cyber Readiness Branch (MCRB): maritimecyber@uscg.mil.
- Cybersecurity and Infrastructure Security Agency (CISA) Central: 1-888-282-0870 or central@cisa.gov.
- FBI Cyber Division: (855) 292-3937 or CyWatch@fbi.gov.
Ernie Hayden’s background includes management and technical roles focused on cyber and physical security since the 9/11 attacks. He was previously a U.S. Navy Nuclear and Surface Warfare Officer and has published a book, Critical Infrastructure Risk Assessment – The Definitive Threat Identification and Threat Reduction Handbook, that was named the 2021 ASIS Security Book of the Year. Please send your questions or suggested article ideas to enhayden1321@gmail.com.