The 2023 National Defense Authorization Act (NDAA) passed by Congress and signed by President Biden in late December 2022 was filled with a host of military-related cybersecurity provisions. One little-noticed provision in the bill called for a study of cybersecurity and national security threats posed by foreign-manufactured cranes at United States ports.
Under this provision, the Maritime Administrator, working with Homeland Security, the Pentagon, and the Cybersecurity and Infrastructure Security Agency (CISA), is required to conduct a study to assess whether foreign-manufactured cranes at United States ports pose cybersecurity or national security threats. It must be completed by late December 2023 and submitted to the Senate Commerce and Armed Services committees and House Transportation and Armed Services committees.
Crane security study origins unclear
Little information is available on why this study appeared in the NDAA or why a study of port crane security was deemed critical enough to include in the annual must-pass legislation. However, the study could be a concession to Representative Carlos Gimenez (R-FL), who introduced a bill last year, H.R.6487, the Port Crane Security and Inspection Act of 2022, that died in committee.
Gimenez’s bill limited the operation at US ports of foreign cranes made by US adversaries. It required CISA to inspect foreign cranes before they are placed into operation for potential security vulnerabilities and assess the threat posed by security vulnerabilities on existing or newly constructed foreign cranes. Gimenez’s bill also called for CISA to report to Congress about critical and high-risk security vulnerabilities posed by foreign cranes at US ports. Gimenez’s office did not respond to requests for comments on his bill or the NDAA-mandated study.
FBI boarded Chinese ship in a mysterious incident
Concerns about cybersecurity at the nation’s increasingly digitized ports have been rising for years. As far back as 2013, a Brookings study concluded that the cybersecurity awareness and culture level in US port facilities was low and that basic cybersecurity hygiene measures were missing in most ports. Of the ports studied by the Brookings researchers, only one had conducted a cybersecurity vulnerability assessment, and none had developed a cyber incident response plan.
In 2015, cybersecurity firm CyberKeel, now owned by Improsec, warned that 37% of maritime companies with Windows web servers weren’t adequately installing security patches from Microsoft. Earlier in 2015, US Coast Guard officials reported that interference with GPS signals disrupted operations for seven hours at a significant, unidentified East Coast port, affecting four cranes.
In a barely noticed incident on September 15, 2021, FBI counterintelligence agents conducted a search of the Chinese merchant ship Zhen Hua 24 that delivered four “Neo-Panamax” port container cranes to Baltimore harbor. The agents were said by informed sources to have uncovered intelligence-gathering equipment on the ship during the search, but no details are available about what specific equipment they discovered.
Shanghai Zhenhua Heavy Industries Company Limited, or ZPMC, manufactured the four cranes. ZPMC is the most prominent crane maker, boasting an 80% global market share. ZPMC’s US offices did not answer questions about the NDAA study or the FBI incident. Likewise, the FBI declined CSO’s request for an interview regarding the incident.
Cybersecurity concerns center on crane communications
Given the digitized nature of modern cranes, the NDAA study could have its origins in fears that the costly (typically starting at $15 million) and all-important port machines could come equipped with destructive malware or be vulnerable to malicious cyber incidents. But experts say it is more likely that the concern stems from the communications technology that controls the cranes’ operations.
“Without the intent of the client or the asset owner, some of these systems could be communicating outbound to possibly even the internet knowingly or unknowingly,” Marco Ayala, global director, ICS cybersecurity and sector lead, 1898 & Co., tells CSO. “If there is a possibility of ‘E.T. phone home’ or some type of beacon or communication link that could give a command, a control capability, to a foreign adversary, whether that is for financial gain or just to create a logistics nightmare,” that could create incredible bottlenecks at US ports, potentially causing substantial economic damage.
Cameras on cranes could be “surveillance tools”
Steve Gyurindak, CTO of network and operational technology at Armis, tells CSO that Chinese cranes, including the ZPMC cranes, might be under scrutiny because they come equipped with Chinese-made cameras that have “basically been branded surveillance tools” by the US government. Gyurindak was referring to a new rule issued in July 2020 by the Federal Acquisition Regulation Council that federal agencies can’t “enter into a contract (or extend … a contract) with an entity that uses any equipment, system, or services that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
Among the equipment banned under the new rule are video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, Dahua Technology Company, or any subsidiary or affiliate of these companies. “I would think if anything on the Chinese ship, the FBI was looking at the cameras,” Gyurindak says. “The Chinese have invested a lot of money in using video for intelligence.”
Supply chain disruption fears could be the impetus
Patrick Miller, president and CEO of Ampere Industrial Security, thinks it isn’t “out of the realm of possibility” that China could be using port cranes for surveillance. They could be “trying to gather as much manifest information on what is coming in and out of America as possible,” he tells CSO. “That would fit very well into their standard mode of operations and their motives.”
But, “I honestly think one of the bigger drivers behind [port crane cybersecurity fears] is we rely so much on trade through ports, and people in America freak out when there’s a supply chain issue,” Miller says. “If there were an attack on the ports in any way, shape, or form, that would be yet another reason for a supply chain problem.”
Port operational technology should be part of cybersecurity discussions
Cranes are emblematic of the uneasy mix of internet and operational technologies (OT) characteristic of most ports. “For us, all this part of the port infrastructure is something that should be considered when conducting a risk assessment and identifying proper mitigation controls,” Athanasios (Thanos) Drougkas, cybersecurity expert at the European Union Agency for Cybersecurity (ENISA), tells CSO. “For us, it’s the starting point and where we see cranes in this whole process.”
Drougkas is encouraged by the NDAA-mandated study. “I’m very happy to see that operational technology is becoming more and more a part of cybersecurity discussions,” he says. “We’re happy to see that national authorities all over are actually picking up on this.”
Copyright © 2023 IDG Communications, Inc.