DoT, White House Tackle the Chinese Threat to US Port Security

The Department of Transportation (DoT) issued a warning today about the threat of Chinese vendors to US port infrastructure. At the same time, the White House issued an executive order aimed at bolstering port cybersecurity.

Threats to the worldwide maritime industry have evolved significantly in recent months. In the Red Sea, cargo ships and their crews have faced life-threatening attacks by Houthi rebels. In cyberspace, meanwhile, maritime companies have been subject to increased attacks aimed at espionage and disruption. The DoT's Maritime Advisory 2024-002 and the White House's latest port security initiative aim to keep the latter problem, at least, as far from US borders as possible.

"It's got the right lens in terms of: How do you ensure that operational infrastructure doesn't get disrupted by cyberattacks?" says Ravi Srinivasan, CEO of Votiro. However, he adds, "the next step we would love to see is a similar focus on the disruption that can happen to the business operations of these ports."

DoT Cites Chinese Threats to US Ports

According to the DoT, foreign manufacturers pose both IT- and OT-related threats to the US maritime sector.

In particular, the department highlighted three popular Chinese port technologies: the Chinese Ministry of Transport-developed National Public Information Platform for Transportation and Logistics (Logink), scanners from the state-owned company Nuctech, and cranes built by Shanghai Zhenhua Heavy Industries Company Limited (ZPMC).

Logink is a logistics management platform that aggregates data between global ports, shipping companies, and related entities. The Chinese government has been promoting its widespread use and counts at least two dozen global ports under its umbrella. As the DoT explained, Logink "can collect massive amounts of sensitive business and foreign government data," and it "very likely provides the PRC access to and/or collection of sensitive logistics data."

Then there's Nuctech, a state-controlled manufacturer of security inspection equipment such as X-ray, thermal, radiation, and explosives detection. In 2020, the US Department of Commerce added Nuctech to its trade restriction list because its "lower performing equipment impair US efforts to counter illicit international trafficking in nuclear and other radioactive materials. Lower performing equipment means less stringent cargo screening, raising the risk of proliferation."

Finally there's ZPMC, the world's largest ship-to-shore crane manufacturer. According to the DoT, "These cranes may, depending on their individual configurations, be controlled, serviced, and programmed from remote locations. These features potentially leave them vulnerable to exploitation."

The White House Executive Order

In concurrence with the DoT advisory, the Biden administration's executive order laid out a series of measures to help bolster cybersecurity at US ports.

For example, it will now be mandatory to report any cyber incidents or threats endangering harbors, vessels, ports, or other waterfront facilities.

The US Coast Guard will also enjoy new authority to respond to relevant cyber incidents and direct vessels and facilities to mitigate dangerous cyber conditions. It will be able to inspect or otherwise control the movement of vessels deemed to pose a cybersecurity threat to US maritime infrastructure.

The Coast Guard will also create new minimum cybersecurity requirements for the maritime industry. And with regard to those pesky Chinese ship-to-shore cranes, it will be issuing a directive outlining relevant risk management actions.

Finally, the government will be investing $20 billion into port infrastructure in the next five years. Among other benefits, this money will be used to fund domestic crane production.

The Flip Side of Maritime Security

As Srinivasan tells it, the White House's head is in the right place, but it's missing half of the problem.

"Attackers aren't just looking at how to disrupt critical infrastructure. That's certainly a vulnerability they can exploit, but an easier vulnerability to exploit is business operations," Srinivasan says. "Because in a very hybrid, connected world you have containers from ships connecting and sending content and data to the ports' IT infrastructure. If I'm a bad actor, I can weaponize that content and disrupt business operations."

Threats embedded in a crane, real though they may be, are less attainable to your average APT than an online attack against, say, a logistics platform such as Logink. And the latter may be more interesting, anyway, considering how interconnected these platforms tend to be. "For example," Srinivasan says, "we work with one supplier chain organization that connects to over 1,000 ports around the world. Each of those ports are sending content to this centralized system."

For now, though, the government's actions will help with at least the infrastructure half of the issue. 

"A lot of businesses through the pandemic had to come back and bring a lot of normalcy into the supply chain, so the spotlight was on them to run their business quickly," Srinivasan says. "And that's when a lot of potential shortcuts happened. And that's why I think an executive order like this helps, prioritizing the resources needed to put infrastructure security in place."