Ports Provide Context Refuting Overblown Reports of “Chinese Spy Cranes"

China's ZMPC builds the cranes and ships them fulyl assembled for installation at the ports (PortHouston file photo)

PUBLISHED MAR 8, 2024 5:07 PM BY THE MARITIME EXECUTIVE

 

The American Association of Port Authorities (AAPA), the more than 100-year-old trade association representing port leaders, is speaking out on the media reports about Chinese “spy cranes” and in response to the media reports after the recent hearing by the U.S. House of Representative’s Homeland Security Committee. The organization says there needs to be “more context” on the story so that the public knows the reality of the situation.

“Coast Guard Rear Admiral John Vann recently testified under oath that there have been no known security breaches involving port equipment,” stated Cary Davis, American Association of Port Authorities President and CEO. “Our ports proactively work with the U.S. Coast Guard, other federal law enforcement, and private sector experts to mitigate risks through inspections and defensive measures.”

AAPA is responding after the wide media coverage first reported by The Wall Street Journal that said a pattern of “suspicious devices” had been discovered on the installations on the Chinese-built STS cranes. The U.S. Coast Guard revealed last month that it was assessing 200 cranes for cybersecurity vulnerabilities. Vann told reporters in February that by design the cranes and software have remote programming capabilities and tracking devices built into their systems which he contended are “vulnerable to exploitation.”

The trade group is highlighting that while speaking at Homeland Security Committee on February 29, Vann however also said “What we have not found is instances…of malware or a trojan horse type software.” The group says that there are extensive efforts to monitor potential threats with a strong focus on cyber defense and domain awareness.

When the issue first surfaced in the media in March 2023, AAP called the stories “alarmist media reporting.” They said at the time, all the efforts at examining the cranes and the software employed showed no evidence of the accusations, saying simply “There’s no smoke in this story,” referring to the lack of a smoking gun.

The group called attention to the lack of U.S. manufacturing capabilities for cranes highlighting that China has subsidized crane manufacturing in a way that makes its cranes half the cost of the competition. Chinese manufacturer ZMPC is reported to have between 70 and 80 percent of the market worldwide for the large cranes used to move containers on and off boxships.

“Without reshoring our domestic manufacturing capacity, legislative proposals to hastily remove cranes from U.S. ports without immediate replacements would harm U.S. supply chains, jack up prices for everyone, and exacerbate inflation even further,” AAPA warned in March 2023.

The politically charged issue was picked up by the Biden administration which in February launched an Executive Order saying, “Every day malicious cyber actors attempt to gain unauthorized access to the Marine Transportation System’s control systems and networks.” The administration ordered the US Coast Guard to develop a mandatory cybersecurity bulletin and made reporting cybersecurity events mandatory for ports.

They also used the issue as part of the broader effort to reinvigorate domestic manufacturing. The administration announced that after an absence of more than 30 years, a U.S.-based subsidiary of Japan’s Mitsui E&S Co. is planning to relaunch a U.S. manufacturing capability for cranes.

The Chinese responded after the Biden Executive Order was announced saying the premise of the initiative of port cybersecurity and the focus on Chinese-manufactured cranes was “entirely paranoia.” Chinese officials criticize the U.S. for not understanding China calling the repeated use of the “China card” by the U.S. “irresponsible.”

Chinese-Built Port Cranes May Be Able to Call Home On Their Own

Brand new cranes leave the ZPMC yard, bound for an American port (ZPMC file image)

PUBLISHED MAR 7, 2024 10:30 PM BY THE MARITIME EXECUTIVE

 

The House Homeland Security Committee has discovered a pattern of suspicious device installations on the Chinese-built STS cranes that dot almost every American container port. The committee's inquiry into Chinese threats to American maritime security has uncovered dozens of cranes with previously-unidentified cellular modems attached to their electronic systems, reports the Wall Street Journal. 

While there are legitimate reasons for industrial systems like cranes to be fitted with their own telecom access points - for example, remote diagnostics data for aftersales support - the purpose of these particular devices is unknown, and they were not documented in any sales contract. The modems appear to have been installed in China, before the cranes' delivery. One port's staff told the Journal that they were not sure what the modems were for; in some cases, these devices connected to the cranes' operating control systems. 

The suspicious hardware is another example of Chinese government efforts to "systematically burrow into America’s critical infrastructure," committee chairman Rep. Mark Green (R-TN) told the WSJ. Green is concerned that this effort is not just intended for spying, but for creating the capability to disrupt American commerce at will. 

One single Chinese manufacturer, ZPMC, holds a dominant position in the global STS crane market. It accounts for about 70 percent of all STS crane installations worldwide, and the percentage is even higher in the United States. ZPMC's heavy-lift delivery ships are a familiar sight whenever an American container terminal expands its quays.

The U.S. Coast Guard's cyber command has previously said that it has found intentional vulnerability points for hackers in the operating systems for these cranes. 

The Biden administration believes that Chinese cranes are such a serious cybersecurity risk that it is willing to invest billions in restoring an American-made replacement option. The last U.S.-based builder of STS cranes exited the business three decades ago, but that firm - a division of Mitsui - is willing to partner with the government and with American manufacturers to restart production. 

The administration has also empowered the U.S. Coast Guard to require vessels and ports to address "cyber conditions that may endanger the safety of a vessel, facility, or harbor." It also implemented a mandatory reporting requirement for cyber incidents along the waterfront. Cybersecurity concerns are also now an explicit justification for controlling a vessel's movement.