US House Committees deepen investigation into maritime sector security risks, request testimony from ABB

​​The U.S. House Homeland Security Committee along with the Select Committee on the Chinese Communist Party (CCP) has deepened their joint investigation into security vulnerabilities in the nation’s maritime sector, particularly relating to CCP cybersecurity and supply chain risks. In their latest move, the committee requested testimony from Swiss Company ASEA Brown Boveri Ltd. (ABB) on its ‘concerning’ ties to Chinese state-owned enterprises. 

In a letter last week House Homeland Security Committee Chairman Mark E. Green, MD (R-TN), Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL), and Subcommittee on Counterterrorism, Law Enforcement, and Intelligence Chairman August Pfluger (R-TX), along with Select Committee on the Chinese Communist Party (CCP) Chairman Mike Gallagher (R-WI), wrote to Björn Rosengren, chief executive officer at ABB, on the committee’s requested documents and information from ABB concerning cybersecurity risks, foreign intelligence threats, and supply chain vulnerabilities at seaports in the U.S.

“Among other requests, the Committees asked that ABB provide documents and information explaining its commercial relationship with Shanghai Zhenhua Heavy Industries (ZPMC), a Chinese state-owned enterprise,” the letter disclosed. “Furthermore, the Committees requested that ABB produce documents and information sufficient to describe ABB’s work with U.S. government agencies involved in defense, intelligence, and other elements of U.S. national security. The Committees requested these documents and information to determine whether ABB’s commercial ties to PRC state-owned enterprises and its ongoing work for U.S. government agencies pose a potential conflict of interest.” 

The letter also identified that “we were also seeking to determine whether they expose U.S. government agencies and U.S.-based seaports to cybersecurity risks, foreign intelligence threats, and supply chain vulnerabilities that could jeopardize U.S. national security.”

ABB works with ZPMC to provide the U.S. maritime industry with hardware and equipment. At the same time, ABB maintains significant commercial ties to the People’s Republic of China (PRC), all while holding numerous contracts with U.S. government agencies, including the Department of Homeland Security (DHS) and the Department of Defense (DOD). In July, the Committee sent a private letter to ABB concerning these security risks. The concerns raised in the letter were not properly addressed by the company.

In August, ABB provided over 650 documents in response to the committee’s requests. However, ABB failed to sufficiently answer several important questions. “This curt response is troubling and implies that ABB may have previously complied with the CCP’s authoritarian national intelligence, cybersecurity, or national security laws,” the letter identified.

The letter also detailed that over the past five months, the Committees engaged in a good-faith effort to work with ABB to remedy the alarming security vulnerability created by the installation of ABB equipment and technology by ZPMC engineers in China onto U.S.-bound ship-to-shore cranes. 

“The Committees raised significant concerns about the fact that the installation has been performed, and continues to be performed, by ZPMC in China,” according to the letter. “On September 27, 2023, the Committees engaged with ABB and asked that they take steps to identify concrete remedial action to address the problem. After additional meetings on October 11 and October 25, the Committees communicated on October 27, 2023, that ABB should consider are evaluation of its contracting practices with ZPMC regarding future ship-to-shore crane orders for U.S. seaports.”

The letter also said that the Committee specifically “asked ABB to consider installing its software and hardware in the United States once the ZPMC cranes arrived instead of being installed by ZPMC engineers in China. The Committees requested a response from ABB by November 23, 2023. The November deadline passed, however, without an answer or any communication from ABB.”

The Committees met with ABB personnel and counsel on several occasions and offered to brief Bruce Matthews, ABB’s U.S. head of security, regarding the legitimate vulnerabilities to ABB software and hardware on U.S. ship-to-shore cranes. 

“In light of the breakdown in good faith negotiations and to better understand how ABB is securing its software and hardware on U.S. ship-to-shore cranes, we request that you please direct your counsel to provide Mr. Gray’s availability to testify at an upcoming public hearing in front of both Committees,” the letter said. “Please contact Committee staff as soon as possible but no later than 5:00 pm on January 23, 2024, to schedule Mr. Gray’s appearance.” 

It added that it is vital to the Committees, “as part of our critical work investigating and understanding the wide range of security threats and risks posed by the PRC, that ABB explains its relationships with PRC state-owned enterprises, and whether ABB should be trusted to continue working on behalf of U.S. government agencies while simultaneously engaging with entities owned, controlled, subsidized, or influenced by the PRC.”

Furthermore, the letter said that allowing ZPMC to install ABB equipment and technology in China onto cranes bound for the U.S. is unacceptable and must be remedied without any further delay.

The letter concludes by stating the Committee’s need for a briefing with specific ABB employees to fulfill their ongoing oversight responsibilities. The requested individuals for the briefing are Bruce Matthews, head of security of the Americas region; Chunyuan Gu, president of ABB Asia, Middle East, and Africa, and former Managing Director of ABB (China) Ltd from 2014 to 2018; and the current most senior official serving for ABB (China) Ltd (i.e., Managing Director or Senior Vice President of ABB (China) Ltd). The Committee requests that this briefing take place as soon as possible, but no later than 5:00 pm on January 30, 2024.

News outlet Reuters reported Friday that ABB said it sold its control and electrification equipment to many crane manufacturers, including Chinese companies, which in turn sold the cranes directly to U.S. ports. Still, the Swiss company said it was taking the committee’s request for further information ‘seriously.’

Marco Ayala, president at InfraGard Houston wrote in a LinkedIn post that modern port cranes today fully incorporate automation and connectivity features for improved efficiency. “While these advancements bring benefits, they also introduce points of vulnerability if not adequately secured.”

The maritime industry must prioritize cybersecurity measures regardless of the make, model, vendor, or even sub-vendors of the final crane build, full stop, Ayala added. “This includes implementing robust access controls, regular review of software and integrated architecture, conducting qualified and competent security assessments specific to control systems, and providing cybersecurity training for personnel.” 

He also pointed to the need for collaborative efforts between industry stakeholders, government agencies, and cybersecurity experts to develop and enforce standards that enhance the overall cybersecurity posture of port cranes and related systems.

In April, the U.S. House Committee on Homeland Security sought answers this week from the DHS on the cybersecurity threats posed to business, military, and industrial operations by Chinese-manufactured cranes operating at U.S. maritime ports. The members have now called for conducting oversight on threats posed by these cranes at U.S. ports.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.