United States Coast Guard and federal maritime agency officials assured congressional lawmakers on April 5 that potential vulnerabilities to cyber attacks against the nation’s ports are being rapidly addressed, an urgency underscored by revelations that Chinese-made ship-to-shore “dual-use-designed” cranes that could potentially sabotage vital infrastructure are operating in many of the nation’s 361 ports.
The Coast Guard reported in February that more than 200 China-manufactured cranes were operating in U.S. ports, with possible threats identified on 92 of them, prompting President Joe Biden in a Feb. 21 executive order to authorize an amped-up cyber security program within a $20 billion ports infrastructure package from the 2021 Bipartisan Infrastructure Law (BIL).
“The increased use of automated systems in shipping offshore platforms and port and cargo facilities creates enormous efficiencies—and introduces additional attack vectors for malicious cyber actors,” RAdm. John Vann, who leads the Coast Guard’s Cyber Command, told a joint congressional hearing in the Port of Miami,
Much of the hearing before the House Transportation & Infrastructure Committee’s Coast Guard & Maritime Transportation Subcommittee and the House Homeland Security Committee’s Transportation & Maritime Security Subcommittee focused on port infrastructure in the wake of the March 26 catastrophe when an errant container ship struck Baltimore’s Francis Scott Key Bridge, causing it to collapse, killing six and shutting down one of the East Coast’s busiest ports.
Those infrastructure issues were addressed by a panel added to the Port of Miami field hearing, which was originally set to discuss port cyber security and concerns about Chinese-made cranes.
“Cyber threats and the risks of cyber-attack have increased with the advance of technology, particularly in the port environment with the implementation of automation and various software operational technologies” that balance “efficiency of our ports with … increased vulnerabilities,” said RAdm. Vann.
Fellow Coast Guard RAdm. Wayne Arguin, assistant commandant for prevention policy, and U.S. Maritime Administration (MARAD) Associate Administrator for Ports & Waterways William Paape, joined RAdm. Vann in explaining how the February executive order authorized immediate responses to cyber threats.
Since 2021, more than 12 cellular modems that can be used remotely have been found in cranes made by Shanghai Zhenhua Heavy Industries Company (ZPMC), a Chinese Communist Party-owned manufacturer. Nearly 80 percent of cranes used in U.S. ports are made by ZPMC.
“The ship-to-shore cranes hovering over our docks, including the ones here, while instrumental to our port operations,” are “under direct control of the Chinese Communist Party,” said House Homeland Security Committee’s Transportation & Maritime Security Subcommittee Chair Rep. Carlos Giménez (R-Fla.).
“This near monopoly allows for ZPMC to compromise U.S.-bound cranes that could cause malfunctions or facilitate cyber espionage at U.S. ports,” he said, noting the cranes have components that “include programmable logic controllers, which control many ship-to-shore crane systems, as well as crane drives and motors” that can be remotely manipulated.
