The White House on Feb. 21 announced new measures to strengthen cybersecurity of U.S. ports and maritime supply chains, following the same-day release of a Maritime Advisory report.
An advisory from the U.S. Department of Transportation warned that foreign-built port equipment features vulnerabilities that may be used to impact or harm global maritime supply chains, pointing specifically to the dangers of software and hardware developed in China.
“The increasing digital interconnectedness of our economy and supply chains have also introduced vulnerabilities that, if exploited, could have cascading impacts on America’s ports, the economy, and everyday hard-working Americans,” the White House said in a press release.
An Executive Order aimed at countering these threats was signed on Feb. 21 by President Joe Biden, setting new cybersecurity standards and expanding the authority of the U.S. Coast Guard to tackle cyber threats against “any vessel, harbor, port, or waterfront facility.”
Chinese Communist Party Involvement
The Department of Transportation’s Maritime Security Communications with Industry (MSCI) advisory singled out three Chinese companies whose products exhibit vulnerabilities that may be used, or may even be designed to be used, for spying purposes—or even sabotage.
LOGINK, a digital logistics platform developed by the Chinese Communist Party’s (CCP) Ministry of Transport, is currently being used in at least 24 global ports. Confirming several earlier U.S. Government reports, the MSCI believes that the software platform, which handles massive amounts of business and government logistics data, “very likely” provides the CCP detailed access to said data—which in some cases may be sensitive.
A second suspect was Nuctech, a state-controlled company that manufactures software-focused security inspection equipment used in logistics worldwide, such as baggage and parcel inspection equipment, facial recognition software, AI, etc. Nuctech’s systems collect biometric information, personally identifiable information, cargo information, geo-locational metadata, etc.
The MSCI report further alleges that the ship-to-shore cranes manufactured by ZPMC (Shanghai Zhenhua Heavy Industries Company Limited)—currently the world’s biggest ship-to-shore crane manufacturer—may be “controlled, serviced, and programmed from remote locations.”
Counter-Measures
“The security of our critical infrastructure remains a national imperative in an increasingly complex threat environment,” the White House said.
The Executive Order gives the U.S. Coast Guard the authority to control the movement of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure and allows it to inspect vessels and facilities that pose a threat to U.S. cybersecurity.
To address the issue of a potential remote takeover of the Chinese-built ship-to-shore cranes, the Coast Guard will be issuing a Maritime Security Directive on cyber risk management, the White House said.
The Biden Administration will also be investing over $20 billion, including through grants, into U.S. port infrastructure over the next 5 years, notably in ship-to-shore crane manufacturer PACECO Corp., a U.S.-based subsidiary of the Japanese Mitsui E&S Co.
“PACECO intends to partner with other trusted manufacturing companies to bring port crane manufacturing capabilities back to the U.S. for the first time in 30 years, pending final site and partner selection,” the White House said.
Meanwhile, the White House also announced that the U.S. Coast Guard has issued a Notice of Proposed Rulemaking on MTS Cybersecurity that proposes minimum cybersecurity requirements that meet international and industry-recognized standards.
The Executive Order further makes the reporting of all cyber incidents and active cyber threats mandatory.
According to the White House, malicious cyber actors attempt to gain access to MTS control systems and networks on a daily basis.