Cybersecurity risks associated with Chinese-made cranes at the nation’s ports are not new, and recent White House action and hearings on Capitol Hill have escalated the claims about potentially serious national security vulnerabilities embedded in key infrastructure. But the Biden administration, lawmakers and ports management continue to differ in their views of the true nature of the threat.
In a press briefing ahead of the recent executive order from President Biden to strengthen the cybersecurity of America’s ports, Rear Adm. Jay Vann, commander of the U.S. Coast Guard Cyber Command, told reporters 80% of the “ship-to-shore” cranes moving trade at U.S. ports are made in China and use Chinese software. He said that has led to concern that the cranes could be “vulnerable to exploitation” and used in Chinese surveillance. The Biden Administration estimates the number of People’s Republic of China (PRC) manufacturer cranes in the U.S. at 200.
On February 29, a joint letter from the Subcommittee on Counterterrorism, Law Enforcement, and Intelligence Committee on Homeland Security and Select Committee on China, was sent to both the Chinese manufacturer of the cranes, ZPMC, inquiring about “certain components” including cellular modems installed on cranes that were not part of contracts with ports management and have no identified purpose.
The Chinese government has in recent years responded to the concerns as “paranoia-driven.” The ZPMC has not responded to recent CNBC requests for comment, but it did recently tell the press in response to the letter that its cranes do not pose a cybersecurity threat.
In interviews with CNBC, top officials at some of the nation’s largest ports stressed that the software to control their cranes does not come from China. Based on CNBC’s research, the crane operational software being used by the ports are made by Switzerland’s ABB, Germany’s Siemens, Japanese software companies TMEIC and NIDEC, and equipment manufacturers Liebherr (German-Swiss multinational) and Konecranes (Finnish). CNBC also learned that ports use multiple layers of firewalls related to the cranes, which silo the equipment to protect the port infrastructure.
“Despite utilizing Chinese-manufactured cranes at U.S. terminals, our members have ensured that these cranes operate independently of Chinese operating software,” said Robert Murray, president of the National Association of Waterfront Employers — which represents terminal operators that utilize cargo handling equipment at U.S. ports. “Emphasizing utmost precaution, the equipment deployed at ports maintains an exceptional level of isolation in crane control and auxiliary systems, bolstered by secure monitoring mechanisms and fortified by the impenetrable security of zero-trust policies.”
But according to the Biden administration, it’s not a software’s country of origin that is the issue. It’s the installation of software at the point of manufacture in the PRC that presents the risk of software being compromised.
Kurt Fredrickson, a Coast Guard spokesman, told CNBC via email that even if the software is not Chinese, all software has vulnerabilities, regardless of origin.
“People’s Republic of China (PRC)-manufactured ship-to-shore cranes make up the largest share of the global market and account for nearly 80% of the STS cranes at U.S. ports,” he said. “By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave PRC-manufactured STS cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system.”
Murray told CNBC while most crane operating software is not designed in China, it is installed in the PRC as part of the crane manufacturing process, and the organization continues to stand by its commitment in providing Congress and the administration with technical expertise regarding cybersecurity imperatives in ports and terminals.
The office of Carlos Gimenez (R-FL), chairman of the Transportation and Maritime Security Subcommittee who led a recent hearing on the Chinese cranes concerns, did not respond to multiple requests for comment.
What the ports say about cybersecurity and Chinese-made cranes
The Port of South Carolina told CNBC its control system software must be installed during manufacturing in China to test cranes, and it occurs with “the mandatory oversight of their selected software vendor which is not a Chinese company.”
Not all ports install their software in China. Port of Long Beach officials tell CNBC their terminal operators typically install the operating software as part of the commissioning process which takes place at their terminals within the port.
The Northwest Seaport Alliance, which is comprised of Tacoma and Seattle ports, has a total of 38 ZPMC cranes and in the past year, according to port officials, the USCG has completed a full threat assessment on its operated cranes and security measures, and has passed successfully.
“We are evaluating new requirements against our existing security measures at our marine terminals and at this time do not suggest we will have to replace our operating cranes,” said Melanie Stambaugh, an NWSA spokeswoman. “We recognize guidelines are still emerging on this topic from the Biden administration and subsequent maritime security organizations and we are tracking this matter closely.”
The American Association of Port Authorities, a trade group that represents ports and has consistently said there is no evidence of Chinese-linked cyber vulnerabilities at ports, declined to comment.
Some of the ports tell CNBC regardless of the software in use, they have measures in place to keep the U.S. flow of trade safe but said they could not be more specific due to security concerns. Some ports indicated that they have three layers of siloed cyber protection for each crane.
The New York and New Jersey Port Authority software for terminals come from ABB and Siemens, according to CNBC research. The chief security officer for the New York and New Jersey Port Authority, Greg Ehrie, told CNBC via email that the port maintains industry-leading cyber security standards, and will continue to bolster its efforts through close relationships with operational partners alongside constant collaboration with local, state, and federal officials.
A spokesperson for the Port of New Orleans told CNBC the port prioritizes public safety and continually focuses on bolstering their cybersecurity and is already in compliance with the Biden administration’s executive order, but it declined to be more specific.
Doug Vogt, chief operating officer for North Carolina Ports, told CNBC that while its container cranes were manufactured by ZPMC, it uses crane operating software from ABB. “Any remote troubleshooting capabilities or external system connection are dependent on the permission of NC Ports and are actively monitored by skilled IT professionals who are keenly aware of and trained in cybersecurity protocols,” Vogt said, adding that it works closely with the United States Coast Guard to ensure its systems, equipment and operations are secure.
Mario Cordero, executive director of the Port of Long Beach, the nation’s second-largest port, said in an interview with CNBC at the recent TPM logistics conference that 59 of the port’s 76 cranes are from China. The others are a mix of Japanese and South Korean equipment, including Samsung cranes. Noel Hacegaba, chief operating officer at the Port of Long Beach, added that the software the terminals use to physically operate the cranes is not Chinese.
“In theory, if you have one crane go down, that’s a red flag for the entire system. So certainly that kind of scenario would be taken seriously,” Cordero said of a hypothetical cyber attack. “We are prepared and have the best practices of business continuity to address that scenario.”
At the Port of Los Angeles, 39 of the 82 cranes are made in China, and some of the software used comes from ABB and Siemens.
The Port of Oakland has more than two dozen container cranes, most of them made by ZPMC, and which are currently under review by U.S. Department of Homeland Security. The port declined to discuss its software, citing security concerns. “We continue to work routinely with DHS and the U.S. Coast Guard for any further actions needed to enhance the safety and security of our maritime infrastructure,” said a Port of Oakland spokesperson.
The Port of Georgia, the fourth largest port in the nation, has no Chinese-made cranes, with all of its crane infrastructure added over the past three decades provided by Finland-based Konecranes, and the software and hardware a combination of products from Finland, Japan, Taiwan, the U.S. and Europe.
The government focus on the issue comes amid a broader shift in industrial policy to bring more manufacturing back to the U.S. as part of both economic and national security strategy, and as the rivalry with China intensifies. It also comes amid greater concerns that nation-states in competition with the U.S. may seek in the future to take down key U.S. infrastructure as part of more severe hacking campaigns using cyber means to wage both physical and psychological war on the U.S. and its population.
According to national security experts, any smart system (also known as cyber/physical systems), using microchips to converge data with operational technologies (OT) and machinery, will have similar vulnerabilities. They warn the crane software concerns are part of a much larger societal risk.
“We need both the private and public sector to deploy a national cyber shield around our nation’s critical infrastructure,” said Lucian Niemeyer, CEO of the nonprofit Building Cyber Security, and former Assistant Secretary of Defense for Energy, Installations, and Environment under President Trump, who also led the National Security Programs for the Office of Management and Budget. “We are a connected society and these connections leave us with millions of new vectors for cyber attacks.”
“As for cranes, other port equipment, and even the building systems on site, the cyber risk remains regardless of the manufacturer or software,” Niemeyer said. He added that regardless of the origin of the crane software and the origin of a crane’s manufacturing, there are ways to mitigate cyber risk.
Port operators can access grant funds to establish or expand smart port network operations centers to monitor performance and manage the data, programming, and software in the cranes and other equipment. Ports also need to have a cyber specialist in the loop, a role that Niemeyer said is “essential” to clear all actions and cut external data connections with no impact to the crane or port operations.
Niemeyer said that the modems recently cited as a suspicious crane feature can be addressed. “Any non-operational modems that are found on the cranes can be either removed or a port’s operation center can install a cyber checkpoint between Shanghai and the crane,” he said.
The Coast Guard tells CNBC it will apply the same risk management framework to the prevention and mitigation of cyber threat risks as the Maritime Transportation System, part of a globally interconnected information network that enables the efficient and continual flow of commerce, and which uses a wide variety of techniques from the Coast Guard and Joint Force operational commanders.
“Additionally, MTS cyber specialists, along with deployable Cyber Protection Teams (CPTs) and a Maritime Cyber Readiness Branch (MCRB), will directly support operational commanders at the Sectors, Districts, and Areas to enhance the service’s ability to prevent and respond to cyber-related MTS disruptions,” the Coast Guard spokesman wrote.
Discussion about this post