The Department of Transportation (DoT) issued a warning today about the threat from Chinese suppliers to U.S. port infrastructure. At the same time, the White House issued an executive order aimed at strengthening cybersecurity at ports.
Threats to the global shipping industry have evolved significantly in recent months. In the Red Sea, merchant ships and their crews have faced deadly attacks from Houthi rebels. In cyberspace, meanwhile, shipping companies have seen a surge in targeted espionage attacks and interruptions. The DoT's Maritime Notice 2024-002 and the latest White House port safety initiative aim to keep the latter problem, at least, as far away from US borders as possible.
“Does it have the right lens in terms of: How do you ensure that operational infrastructure isn’t disrupted by cyber attacks?” says Ravi Srinivasan, CEO of Votiro. However, he adds, “the next step we would like to see is a similar focus on disruptions that may occur in the commercial operations of these ports.”
DoT cites Chinese threats to US ports
According to the DoT, foreign manufacturers pose both IT- and OT-related threats to the U.S. maritime industry.
In particular, the department highlighted three popular Chinese port technologies: the National Public Information Platform for Transportation and Logistics (Logink) developed by China’s Ministry of Transportation, scanners from state-owned Nuctech, and cranes built by Shanghai Zhenhua Heavy Industries Company Limited (ZPMC).
Logink is a logistics management platform that aggregates data across global ports, shipping companies and related entities. The Chinese government has promoted its widespread use and has at least two dozen global ports under its umbrella. As explained by the DoT, Logink “can collect massive amounts of sensitive data on foreign companies and governments” and “most likely provides the PRC with access to and/or collection of sensitive logistics data.”
Then there’s Nuctech, a state-controlled manufacturer of security inspection equipment such as X-ray, thermal, radiation and explosives detection systems. In 2020, the U.S. Department of Commerce added Nuctech to its list of trade restrictions because its “underperforming equipment undermines U.S. efforts to counter illicit international trafficking of nuclear and other radioactive materials. Underperforming equipment means less stringent cargo controls, increasing the risk of proliferation.”
Finally, there is ZPMC, the largest manufacturer of ship-to-shore cranes in the world. According to the DoT, “These cranes can, depending on their individual configurations, be controlled, maintained and programmed from remote locations. These characteristics make them potentially vulnerable to exploitation.”
The White House executive order
In conjunction with the DoT advisory, the Biden administration’s executive order established a series of measures to help strengthen cybersecurity at U.S. ports.
For example, it will now be mandatory to report any cyber incidents or threats that endanger ports, ships, harbors or other waterfront facilities.
The U.S. Coast Guard will also have new authority to respond to major cyber incidents and direct vessels and facilities to mitigate hazardous cyber conditions. It will be able to inspect or otherwise control the movement of vessels deemed to pose a cybersecurity threat to U.S. maritime infrastructure.
The Coast Guard will also create new minimum cybersecurity requirements for the maritime industry. And as for those pesky Chinese ship-to-shore cranes, a directive will be issued outlining the relevant risk management actions.
Finally, the government will invest $20 billion in port infrastructure over the next five years. Among other benefits, this money will be used to finance domestic crane production.
The flip side of maritime safety
As Srinivasan tells it, the White House’s head is in the right place, but it is missing half the problem.
“Attackers aren’t just trying to destroy critical infrastructure. This is certainly a vulnerability they can exploit, but an easier vulnerability to exploit is in business operations,” Srinivasan says. “Because in a very hybrid and connected world there are ship containers that connect and send content and data to the IT infrastructure of the ports. If I’m a bad actor, I can use that content as a weapon and disrupt business operations.”
Threats embedded in a crane, as real as they may be, are less achievable for an average APT than an online attack against, for example, a logistics platform like Logink. And the latter might be more interesting anyway, considering how interconnected these platforms tend to be. “For example,” says Srinivasan, “we work with a supply chain organization that connects to over 1,000 ports around the world. Each of these ports sends content to this centralized system.”
For now, however, the government’s actions will help with at least the infrastructure half of the issue.
“A lot of businesses during the pandemic had to go back and bring a lot of normalcy back into the supply chain, so the spotlight was on them to get their business running quickly,” Srinivasan says. “And that’s when a lot of potential shortcuts happened. And that’s why I think an executive order like this helps, by prioritizing the resources needed to put infrastructure security in place.”