The Biden administration released an ambitious set of initiatives that includes an executive order and a series of other actions to strengthen the cybersecurity of the American marine transportation system (MTS). The administration also wants to pave the way for a revived domestic port crane manufacturing sector to ease US reliance on increasingly distrusted Chinese-made port cranes.
“Right now, America’s ports employ 31 million Americans, contribute $5.4 trillion to our economy, and are the main domestic point of entry for cargo entering the United States,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said during a press call on the initiatives. âThe continuity of their operations has a clear and direct impact on the success of our country, our economy, and our national security, and that’s why the Biden-Harris administration is taking a series of actions to strengthen the cybersecurity of our nation’s ports to not just shore up our cyber defenses, but fortify our supply chains and deliver for the American people.”
Coast Guard gets greater cybersecurity authority
Chief among the items in the administration’s push is an executive order (EO) to bolster the Department of Homeland Security’s (DHS) authority to directly address maritime cyber threats through the Coast Guard, which is the only military organization within DHS. The executive order institutes mandatory reporting of cyber incidents or active cyber threats endangering any vessel, harbor, port, or waterfront facility. Additionally, the Coast Guard will now have the authority to control the movement of vessels that present a known or suspected cyber threat to US maritime infrastructure and be able to inspect those vessels and facilities that pose a threat to US cybersecurity.
Although the Coast Guard, in the form of Captains of the Ports under the command of District Commanders, as the EO puts it, has presumably long had the authority to intervene with vessels known to pose cyber threats, the EO solidifies the Coast Guard’s authority and obligation to do so. “I think there’s some clarification here to make sure that the word cybersecurity is explicitly called out,” Marty Edwards, deputy CTO of OT/IoT at Tenable, tells CSO. “Because too many times we’ve seen where organizations will say, oh, well, it doesn’t say cyber, so that means I don’t have to do it for cyber.”
New Maritime Security Directive and Maritime Advisory
After the EO’s release, the Coast Guard issued a Maritime Security Directive, or MARSEC, on cyber risk management actions for owners and operators of ship-to-shore cranes manufactured by the People’s Republic of China located at US commercial strategic seaports. The White House said that this action is “a vital step to securing our maritime infrastructure’s digital ecosystem and addresses several vulnerabilities” identified in the updated US Maritime Advisory, 2024-00X â Worldwide Foreign Adversarial Technological, Physical, and Cyber Influence, which also appeared after the EO’s release.
The MARSEC contains security-sensitive information and, therefore, cannot be made available to the general public. Owners or operators of PRC-manufactured STS cranes can contact their local Coast Guard Captain of the Port (COTP) or District Commander for a copy of the directive.
The Maritime Advisory seeks to alert maritime stakeholders of potential vulnerabilities to maritime port equipment, networks, operating systems, software, and infrastructure. It specifically mentions “the risks associated with integrating and utilizing the People’s Republic of China’s (PRC’s) state-supported National Public Information Platform for Transportation and Logistics (LOGINK), Nuctech scanners, and automated ship-to-shore cranes worldwide.”
The advisory says at least 24 global ports have cooperation agreements with LOGINK, which “can collect massive amounts of sensitive business and foreign government data, such as corporate registries and vessel and cargo data. The PRC government is promoting logistics data standards that support LOGINK’s widespread use, and LOGINK’s installation and utilization in critical port infrastructure very likely provides the PRC access to and/or collection of sensitive logistics data.”
According to the advisory, Nuctech is a PRC state-controlled entity that manufactures and fields data-centric, partially state-owned security inspection equipment at key logistic nodes worldwide. “Several countries have raised concerns about the security risks posed by Nuctech equipment deployed in critical infrastructure given the company’s control by the PRC government,” the advisory states. The US added Nuctech to the Department of Commerce’s Entity List for its involvement in activities contrary to the national security interests of the United States. It made the list after the government determined Nuctech’s lower-performing equipment, which requires less stringent cargo screening, impairs US efforts to counter illicit international trafficking in nuclear and other radioactive materials.
Regarding automated ship-to-shore cranes, the advisory flags ZPMC (Shanghai Zhenhua Heavy Industries Company Limited), the world’s biggest port crane supplier. These cranes “may, depending on their individual configurations, be controlled, serviced, and programmed from remote locations,” leaving them vulnerable to exploitation, according to the advisory.
During the press call, Rear Admiral John Vann, commander of Coast Guard Cyber Command, said there are over 200 PRC-manufactured cranes across US ports and regulated facilities. Most, if not likely all, are made by ZPMC, which dominates the global crane market. Vann added that Coast Guard cyber protection teams have so far assessed cybersecurity or hunted for threats on 92 of those cranes.
Establishing minimum cybersecurity requirements for vessels
Shortly after the EO’s release, the Coast Guard issued a notice of proposed rulemaking (NPRM) focused on establishing minimum cybersecurity requirements for US-flagged vessels, Outer Continental Shelf facilities, and US facilities subject to the Maritime Transportation Security Act of 2002 regulations.
The rules do not apply to foreign-flagged vessels because pulling them under domestic law “may create unintended consequences with the ongoing and future diplomatic efforts to address maritime cybersecurity in the international arena,” the NPRM states. The NPRM points to cybersecurity measures already established by the International Maritime Organization (IMO) that should help safeguard against relevant threats from foreign-flagged vessels.
The 230-page NPRM seeks public comment on a wide range of new regulatory requirements to address the maritime industry’s current and emerging cybersecurity threats. These proposed requirements deal with account security measures, device security measures, data security measures, governance and training, risk management, supply chain management, resilience, network segmentation, reporting, and physical security.
The Coast Guard is seeking comments on two alternative potential regulatory measures for reporting cyber incidents. In one alternative, the Coast Guard would require that reportable cyber incidents be reported to the National Response Center (NRC) without delay to select toll-free numbers. Cyber incidents without physical or pollution effects could also be reported directly to CISA via report@cisa.gov or 1-888-282-0870. All such reports would be shared between the NRC and CISA Central and satisfy the requirement to report to the Coast Guard.
In the second alternative, the Coast Guard could require that reportable cyber incidents be reported to CISA as mandated under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) or within 72 hours under regulations that CISA is developing. The Coast Guard also seeks comments on whether it should require reporting of ransomware incidents, as is also stipulated in CIRCIA.
Fostering a domestic crane industry
Given China’s dominance in the global supply of port cranes, the Biden administration seeks to revive a US-based crane industry. “The Administration continues to deliver for the American people by rebuilding the US’s industrial capacity to produce port cranes with trusted partners,” the White House said in its fact sheet.
“The Administration will invest over $20 billion, including through grants, into US port infrastructure over the next five years through the President’s Investing in America Agenda, including the Bipartisan Infrastructure Law and the Inflation Reduction Act.” One of the beneficiaries of that funding appears to be PACECO Corp., a US-based subsidiary of Mitsui E&S Co., Ltd in Japan, which is planning to onshore US manufacturing capacity for its crane production, according to the White House. “PACECO intends to partner with other trusted manufacturing companies to bring port crane manufacturing capabilities back to the US for the first time in 30 years, pending final site and partner selection.”
Although jump-starting a moribund heavy manufacturing industry such as crane production that the US ceded to China decades ago might seem unrealistic, some experts are optimistic. “Look at, for example, what’s changed very quickly with the CHIPS Act and how fast the private sector has been able to respond to that,” Lisa Plaggemier, executive director at the National Cybersecurity Alliance (NCA), tells CSO, “There are now a number of new chip manufacturing facilities where companies have broken ground and are making progress there to transition us away from the dependency we’ve had on China in that space.”
“I applaud the onshoring of some of the manufacturing capability,” Tenable’s Edwards says.” We’re seeing that in many sectors, it’s not as much or as fast as some people would like to see, but it’s a definite start, and we have to start somewhere.”
Biden port security initiative a good start and long overdue
Lawmakers embraced the Biden administration’s steps to improve maritime security. Congressman Carlos A. Giménez (R-FL), chairman of the Homeland Security Subcommittee on Transportation and Maritime Security, said, “Our ports are critical hubs of economic activity, a cyberattack by Communist China would cause a cascading impact to domestic and global supply chains. Finally, the Biden Administration has taken action to enhance port cybersecurity.”
Some cybersecurity experts likewise embraced the initiatives. “I think this is the right step,” says Tom Guarente, vice president of external and government affairs at Armis. However, he cautions that “the devil is in the details” and hopes that when it comes to funding these initiatives, the budget will be sufficient to meet all the objectives. “I absolutely support the fact that this executive order has come out, but it’s going to be important to see how the funding flows.”
NCA’s Plaggemier says, “I welcome this because I think that when it comes to all critical national infrastructure, and ports are a part of that, we have some security debt there.”