Chinese-made ship-to-shore cranes being used at U.S. seaports have built-in design vulnerabilities, but Coast Guard inspections of these assets have not uncovered any evidence of tampering or malware, a service official said on Thursday.
The design vulnerabilities stem from open connections that enable outside monitoring and system maintenance of the cranes but are still a concern given the People’s Republic of China’s interest in having a cyber presence on critical infrastructure, Rear Adm. John “Jay” Vann, commander, Coast Guard Cyber Command, told the House Homeland Security Transportation and Maritime Security Subcommittee.
The Coast Guard has not found any compromise of the technology on the cranes, “but those vulnerabilities exist to be able to access what’s on the crane,” Vann said.
Nearly 80 percent of ship-to-shore cranes at U.S. seaports are Chinese-made, and combined concerns about the PRC’s threats to critical infrastructure, the Biden administration last week issued an executive order giving the Coast Guard authority to require U.S. port facilities to close cybersecurity gaps and vulnerabilities and to prescribe measures to rectify a real or potential incident (Defense Daily, Feb. 21).
Rep. Carlos Gimenez (R-Fla.), chairman of the subcommittee, said an investigation with the House Select Committee on the Chinese Communist Party into the security of the Chinese cranes has shown they could be “used as conduits for espionage, or as a CCP Trojan Horse, that threaten to undermine our national security.”
Vann said that the port operators differ in their approaches to maintaining network connections for their cranes. Some operate with the cranes always connected, others turn on the connection when maintenance or updates are needed, and others keep the crane disconnected and have technicians come on site to access the data, he said.
In addition to the maritime infrastructure cybersecurity executive order, the Coast Guard last week issued a maritime security directive imposing cybersecurity requirements on owners and operators of the Chinese-made cranes at U.S. ports. The content of the directive considered sensitive and is not being released.
Rear Adm. Wayne Arguin, the assistant commandant for prevention policy at the Coast Guard, said the service has contacted all affected crane operators and they in turn have “acknowledged” that the directive applies to their operations.
“And so, we’re now continuing the conversation about what needs to be done within the elements of the sensitive security information to close those vulnerabilities,” Arguin said. Coast Guard Cyber Command and others are available to help close those vulnerabilities, he said.