Cybersecurity , Government , Industry Innovations
Coast Guard Warns of Continued Risks in Chinese Port Cranes
Military Says Ship-to-Shore Cranes Made in China Include Dangerous Security FlawsThe U.S. Coast Guard is warning that Chinese-made ship-to-shore cranes come with "built-in vulnerabilities" enabling remote access and control, urging operators across the country to adopt enhanced security protocols.
See Also: Nation-State, Ransomware Trends in Critical Infrastructure
Cranes manufactured by state-owned Chinese companies account for nearly 80% of all heavy lift gantry cranes used to load and unload container ships at American ports. Their design can include remote control, Coast Guard said in a Tuesday notice. A February executive order gave the Coast Guard new authorities to help improve cyber conditions at ports nationwide (see: Biden to Sign Executive Order Raising Maritime Cybersecurity).
"Additional measures are necessary to prevent a transportation security incident," the notice states, attributing the new requirements "to the prevalence of STS cranes manufactured by PRC companies in the U.S." and "threat intelligence related to the PRC's interest in disrupting U.S. critical infrastructure."
The notice instructs owners and operators of Chinese-made STS cranes to obtain a copy of the official directive from their local Coast Guard officials, stating the materials contain sensitive security information. A congressional report published in September warned a Chinese company with a major share of the global market of STS port cranes posed "significant cybersecurity and national security vulnerabilities" to the U.S.
The Chinese state-owned company known as ZPMC supplies 80% of all STS cranes in the U.S. market and has significant involvement in militarizing the South China Sea, according to the report. Lawmakers warned the company and its cranes could "serve as a Trojan horse" allowing Beijing to "exploit and manipulate U.S. maritime equipment and technology at their request."
The Coast Guard has built out its cybersecurity protection teams in recent years while investing in growing and maturing the military branch's ability to identify and respond to threats, according to officials. A February directive mandated port operators to implement specific cyber risk management measures as the branch expanded its deployable units with active-duty and civilian cybersecurity experts (see: US Coast Guard Expands Cyber Command to Combat New Threats).
It remains unclear what measures the Coast Guard could implement to restrict the remote functionality of STS cranes, a vital feature integral to port operations nationwide. The Coast Guard did not respond to requests for comment.
Industry stakeholders have expressed reluctance to use critical cybersecurity resources the Coast Guard offers to port operators, potentially leaving the nation's complex network of navigable waterways susceptible to major cybersecurity risks. A recent report published by the Department of Homeland Security Office of Inspector General said only 36% of private operators have requested and received services from the Coast Guard's cyber protection teams to enhance their cyber posture (see: Coast Guard Battles Cyberthreats Amid Industry Resistance).
The report also said the military branch lacks the required staffing and resources required to protect the marine transportation system "which remains vulnerable to the exploitation, misuse or failure of cyber systems."