United States Coast Guard and federal maritime agency officials assured congressional lawmakers on April 5 that potential vulnerabilities to cyber attacks against the nation’s ports are being rapidly addressed, an urgency underscored by revelations that Chinese-made ship-to-shore “dual-use-designed” cranes that could potentially sabotage vital infrastructure are operating in many of the nation’s 361 ports.
The Coast Guard reported in February that more than 200 China-manufactured cranes were operating in U.S. ports, with possible threats identified on 92 of them, prompting President Joe Biden in a Feb. 21 executive order to authorize an amped-up cyber security program within a $20 billion ports infrastructure package from the 2021 Bipartisan Infrastructure Law (BIL).
“The increased use of automated systems in shipping offshore platforms and port and cargo facilities creates enormous efficiencies—and introduces additional attack vectors for malicious cyber actors,” RAdm. John Vann, who leads the Coast Guard’s Cyber Command, told a joint congressional hearing in the Port of Miami,
Much of the hearing before the House Transportation & Infrastructure Committee’s Coast Guard & Maritime Transportation Subcommittee and the House Homeland Security Committee’s Transportation & Maritime Security Subcommittee focused on port infrastructure in the wake of the March 26 catastrophe when an errant container ship struck Baltimore’s Francis Scott Key Bridge, causing it to collapse, killing six and shutting down one of the East Coast’s busiest ports.
Those infrastructure issues were addressed by a panel added to the Port of Miami field hearing, which was originally set to discuss port cyber security and concerns about Chinese-made cranes.
“Cyber threats and the risks of cyber-attack have increased with the advance of technology, particularly in the port environment with the implementation of automation and various software operational technologies” that balance “efficiency of our ports with … increased vulnerabilities,” said RAdm. Vann.
Fellow Coast Guard RAdm. Wayne Arguin, assistant commandant for prevention policy, and U.S. Maritime Administration (MARAD) Associate Administrator for Ports & Waterways William Paape, joined RAdm. Vann in explaining how the February executive order authorized immediate responses to cyber threats.
Since 2021, more than 12 cellular modems that can be used remotely have been found in cranes made by Shanghai Zhenhua Heavy Industries Company (ZPMC), a Chinese Communist Party-owned manufacturer. Nearly 80 percent of cranes used in U.S. ports are made by ZPMC.
“The ship-to-shore cranes hovering over our docks, including the ones here, while instrumental to our port operations,” are “under direct control of the Chinese Communist Party,” said House Homeland Security Committee’s Transportation & Maritime Security Subcommittee Chair Rep. Carlos Giménez (R-Fla.).
“This near monopoly allows for ZPMC to compromise U.S.-bound cranes that could cause malfunctions or facilitate cyber espionage at U.S. ports,” he said, noting the cranes have components that “include programmable logic controllers, which control many ship-to-shore crane systems, as well as crane drives and motors” that can be remotely manipulated.
Immediate Actions
The Feb. 21 executive order bans U.S. ports from purchasing ZPMC cranes and authorizes PACECO Corp., a U.S.-based subsidiary of Mitsui E&S, to begin domestically manufacturing ship-to-shore cranes, and launches three initiatives, RAdm. Vann said.
The “Coast Guard has invested in growing and maturing Coast Guard Cyber Command” to bolster the capacities of its three cyber protection teams (CPTs), which were created in 2021 “to identify probable port network intrusion by the People’s Republic of China actor known now as ‘Volt Typhoon,’” he said.
CPTs work with the Coast Guard’s Maritime Cyber Readiness team, which the executive order also adds muscle to “regularly engage with industry support and area maritime security committees for planning and execution of cyber exercises,” he said.
The third component, said RAdm. Vann, is the release of a “third annual cyber trends and insights in the marine environment report,” which will deliver “key insights and trends to aid industry and other stakeholders in identifying and addressing current and emerging cyber risks.”
The new directive “empowers the Coast Guard to prescribe conditions and restrictions for the safety of waterfront facilities and vessels and ports. including reporting requirements for actual or threatened cyber incidents,” said RAdm. Arguin.
Under its new authorities, he said, the Coast Guard is “requiring specific risk-management actions for all owners and operators of cranes manufactured by companies from the People’s Republic of China.”
“While the specific requirements are deemed sensitive security information and cannot be shared publicly,” RAdm. Arguin said, “Our captains of ports around the country are working directly with crane owners and operators to ensure compliance.”
Also on Feb. 21, the Coast Guard released a proposed rule that would “set baseline cybersecurity requirements for vessels, facilities, and Outer Continental Shelf facilities,” he said, noting the public comment period for the proposed rule “is open and the service stresses the need for public participation.”
Mr. Paape, whose MARAD agency manages 25,000 miles of navigable channels and 3,500 marine terminals nationwide, which generate $5.4 trillion in annual economic activity and employs 30 million Americans, said several other cyber initiatives are being launched under the executive order.
MARAD chairs the National Port Readiness Network, he said, which “ensures readiness of commercial strategic seaports to support the deployment of military forces and national contingencies” with eight other federal agencies and military commands.
MARAD has published a “Notice of Funding Opportunity” that provides grants to ports to “safeguard against potential security risks,” Mr. Paape said, adding, “Each application selected for federal funding must demonstrate consideration and mitigation of physical and cybersecurity risks. Projects failing to adequately address these risks will be required to do so before receiving funds.”
He said the Fiscal Year 2023 defense budget directed MARAD to spearhead “a study to assess whether there are cyber security or national security risks posed by foreign manufacturer cranes” in American ports that will be delivered soon.
Port Crane Security & Inspection Act
“I commend the administration on this initial action, but I believe we need to continue examining this critical topic and ensure that our ports are protected from security threats,” said Mr. Giménez, a former Miami city manager and Miami-Dade County mayor who served 25 years as a Miami firefighter.
While the Coast Guard and MARAD studies, initiatives, and recommendations for further actions are good, he’s also “brought together a group” of House China Select and Homeland Security committee lawmakers to “investigate some of the vulnerabilities associated with the PRC-manufactured port cranes and the consequences of having a supply chain that is overly reliant upon equipment from our greatest geopolitical opponent.”
Mr. Giménez said his proposed ‘Port Crane Security & Inspection Act” would ensure the Coast Guard and federal agencies “responsible for safeguarding maritime ports have the tools and authorities necessary to deter hostile actors from operating against our ports.”
House Transportation & Infrastructure Committee’s Coast Guard & Maritime Transportation Subcommittee Chair Rep. Daniel Webster (R-Fla.) said the threat is not limited to cranes, noting the Port of Los Angeles “faces approximately 40 million cyber-attacks per month.
“We must also confront the reality of China’s influence in the maritime domain—and it’s growing—that, if left unchecked, threatens to overthrow or oppress or destroy or disrupt the global maritime transportation sector,” he said.
Major port equipment “such as terminal cranes … and logistics management systems developed by China provides shipment tracking and other logistical services while collecting significant amounts of data that could be used for multiple purposes or to gain unfair economic advantage,” Mr. Webster said.
In a Feb. 29 letter (pdf) addressed to New Jersey-based ZPMC USA Corp. President Richard Pope and Shanghai-based ZMPC President/CEO Liu Chengyun, the House Homeland Security Committee’s Select Committee on Strategic Competition demanded to know the purpose of the cellular modems discovered on crane components in a U.S. seaport’s server room that houses firewall and networking equipment.
“These components do not contribute to the operation of the cranes or maritime infrastructure and are not part of any existing contract between ZPMC and the receiving U.S. maritime port,” the letter said, noting ZPMC’s manufacturing facility is adjacent to China’s most advanced ship-making facility, where CCP regime builds aircraft carriers, and houses advanced intelligence capabilities.
Though the investigation is still ongoing, the committees identified serious concerns regarding ZPMC’s relationship with the CCP, particularly given the recent discovery of Chinese malware on vital infrastructure related to the port system.
As part of another cybersecurity investigation, some of the modems in question were also found to have active connections to the operational components of the STS cranes, suggesting they could be remotely controlled by a device no one previously knew was there.
Speaking to reporters in February, White House Deputy National Security Adviser Anne Neuberger said the cranes were designed to be serviceable from a remote location, which leaves them open to such exploitation.
“By design, these cranes may be controlled, serviced, and programmed from remote locations,” Ms. Neuberger said. “These features potentially leave [China]-manufactured cranes vulnerable to exploitation.
As such, the letter suggests that every U.S. seaport with ZPMC cranes could already be, or is at risk of being, compromised by the CCP.
Retired Army Col. John Mills told The Epoch Times the cranes were effectively an extension of the CCP’s global cybercrime operation, which could be used during an invasion of Taiwan to sow chaos in the United States.
“Those container cranes are not cranes,” Mr. Mills said. “They’re IP endpoints on a worldwide intelligence collection system.”
