Attacks and Vulnerabilities
Critical infrastructure
Malware, Phishing & Ransomware
News
Regulation, Standards and Compliance
Threat Landscape
Transportation
Vulnerabilities

US Coast Guard issues cybersecurity directive for Chinese-made cranes after Biden’s Executive Order

February 22, 2024
US Coast Guard issues cybersecurity directive for Chinese-made cranes after Biden's Executive Order

Following an Executive Order by President Joe Biden aimed at addressing maritime cyber threats, the U.S. Coast Guard (USCG) released a Maritime Security (MARSEC) directive on Wednesday. This directive focuses on cyber risk management for ship-to-shore cranes made by companies from the People’s Republic of China (PRC). It targets owners and operators of specific critical port infrastructure, urging them to address vulnerabilities and improve cyber security conditions. 

The action comes in response to the risks associated with the widespread use of PRC-manufactured STS cranes in the U.S. and their potential to disrupt critical infrastructure. The directive outlines specific cyber risk management steps for those managing or operating these cranes.

“The directive contains security-sensitive information and, therefore, cannot be made available to the general public,” according to a notice published Wednesday by the Department of Homeland Security (DHS) on the Federal Register. “Owners or operators of PRC-manufactured STS cranes should immediately contact their local Coast Guard Captain of the Port (COTP) or District Commander for a copy of MARSEC Directive 105-4.”

In addition to the MARSEC directive 105-4, the U.S. Maritime Administration, also issued on Wednesday an advisory that seeks to alert maritime stakeholders of potential vulnerabilities to maritime port equipment, networks, operating systems, software, and infrastructure. 

Often referred to as PRC-manufactured STS cranes, the USCG now has express authority to respond to malicious cyber activity, including by requiring vessels and facilities to mitigate unsatisfactory cyber conditions that may endanger the safety of a vessel, facility, or harbor. They also require the reporting of any actual or threatened cyber incidents involving or endangering any vessel, harbor, port, or waterfront facility to the USCG and Federal Bureau of Investigation (FBI); and taking control of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure. 

The federal action comes as PRC-manufactured STS cranes make up the largest share of the global ship-to-shore crane market and account for nearly 80 percent of the STS cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave PRC-manufactured STS cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system.

“The Maritime Transportation Security Act’s implementing regulations in 33 CFR parts 101-105 are designed to protect the maritime elements of the national transportation system,” Amy M. Beach, captain of USCG and director of inspections and compliance, wrote in the Federal Register notice. “Under 33 CFR 101.405, the Coast Guard may set forth additional security measures to respond to a threat assessment or to a specific threat against those maritime elements.” 

Additionally, Beach pointed out that per 33 CFR 6.14-1, the Commandant ‘may prescribe such conditions and restrictions relating to the safety of waterfront facilities and vessels in port as the Commandant finds to be necessary under existing circumstances.’

The notice added that as such, additional measures are necessary to prevent a transportation security Incident in the national transportation system due to the prevalence of PRC-manufactured STS cranes in the U.S., threat intelligence related to the PRC’s interest in disrupting the nation’s critical infrastructure, and the built-in vulnerabilities for remote access and control of these STS cranes. 

According to 33 CFR 101.405, Beach wrote in the notice that “we consulted with the Department of State, Department of Defense, Department of Transportation/Maritime Administration, Department of Homeland Security, Transportation Security Administration, Cybersecurity and Infrastructure Security Agency, and National Maritime Intelligence-Integration Office.”

All MARSEC directives issued according to 33 CFR 101.405 are marked as SSI under 49 CFR Part 1520. 

The Maritime Administration advisory pointed out that foreign companies manufacture, install, and maintain port equipment that creates vulnerabilities to global maritime infrastructure information technology (IT) and operational technology (OT) systems. “In the past few years, the U.S. Government has published several documents illuminating the risks associated with integrating and utilizing the People’s Republic of China’s (PRC’s) state-supported National Public Information Platform for Transportation and Logistics (LOGINK), Nuctech scanners, and automated ship-to-shore cranes worldwide.”

The advisory said that “at least 24 global ports have cooperation agreements with LOGINK, which can collect massive amounts of sensitive business and foreign government data, such as corporate registries and vessel/cargo data. The PRC government is promoting logistics data standards that support LOGINK’s widespread use, and LOGINK’s installation and utilization in critical port infrastructure very likely provides the PRC access to and/or collection of sensitive logistics data.”

Pointing out that several countries have raised concerns about the security risks posed by Nuctech equipment deployed in critical infrastructure given the company’s control by the PRC government, the advisory disclosed that the U.S added Nuctech to the Department of Commerce’s Entity List for its involvement in activities contrary to the national security interests of the U.S. 

Specifically, the U.S. government determined Nuctech’s lower-performing equipment impairs U.S. efforts to counter illicit international trafficking in nuclear and other radioactive materials. Lower-performing equipment means less stringent cargo screening, raising the risk of proliferation.

The advisory added that ZPMC (Shanghai Zhenhua Heavy Industries Company Limited) maintains the largest share, by sales revenue, of the ship-to-shore crane market worldwide. These cranes may, depending on their configurations, be controlled, serviced, and programmed from remote locations. These features potentially leave them vulnerable to exploitation.

The advisory outlines that maritime industry stakeholders, including vessel owners/operators, shippers, and port operators exposed to cyber risks should apply cybersecurity best practices for access control (identity and access management), vulnerability mitigation, and configuration management. 

They should position themselves to increase their cybersecurity and cyber resiliency to respond to and report any incidents that could inhibit their ability to continue operations, maintain a comprehensive understanding of data sharing and network access permissions within contractual agreements; and stress to their personnel the importance of understanding and knowing who maintains access to maritime technology throughout any port or facility they utilize.

Furthermore, these asset owners and operators should be wary of untrusted network traffic and treat all traffic transiting their networks – especially third-party traffic – as untrusted until it is validated as legitimate. 

They must ensure infrastructure operational resiliency, regarding system security, as well as the ability to maintain equipment and sourcing for critical parts and upgrades, maintain fully recoverable backups and practice recovery from backups, and partner with academia and government to develop and maintain optimal cybersecurity hygiene by participating in information sharing exchanges and cyber drills and exercises.

It also provided mitigation measures to be utilized to reduce the risks associated with automated port cranes.

The U.S. administration also announced that it will invest over US$20 billion into the nation’s port infrastructure over the next five years through the President’s Investing in America agenda. As part of that, PACECO Corporation, a U.S.-based subsidiary of Mitsui E&S, is planning to onshore domestic manufacturing capacity for American and Korean production for the first time in 30 years, pending final site and partner selection.

Furthermore, the U.S. Coast Guard (USCG) has issued a Notice of Proposed Rulemaking (NPRM) aimed at establishing foundational cybersecurity requirements, which are designed to safeguard the extensive network encompassing ports, terminals, vessels, waterways, and their land-side connections that make up the U.S. Marine Transportation System (MTS) against cyber threats.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings