Cybersecurity for maritime infrastructure: New executive order

During and after the COVID-19 pandemic emergency, we all learned just how fragile global supply chains can be. And the recent collapse of the Francis Scott Key Bridge in Baltimore, Maryland — expected to have a significant impact on automotive-industry shipping — serves as a stark reminder that those supply chains are highly dependent on secure infrastructure.

The collision that caused the bridge to collapse appears very likely to have been an accident. But there is every reason to believe that in the case of international crisis or conflict, deliberate sabotage of port infrastructure would be an effective way to inflict strategic damage. And that infrastructure is increasingly automated and IT-dependent, making it potentially vulnerable to cyberattacks.

New executive order

On Feb. 21 this year, the Biden-Harris administration announced a new executive order designed to strengthen the cybersecurity of United States maritime infrastructure.

The executive order has several components:

• The order increases the Department of Homeland Security’s (DHS) authority to address maritime cybersecurity threats and gives the U.S. Coast Guard the power to require and enforce specific cybersecurity standards for shipping vessels and harbor facilities. Cyber incidents involving maritime technology systems (MTS) must henceforth be reported to the Coast Guard, which also gains the authority to control the movement of vessels deemed to present a cybersecurity threat.
• In accordance with the executive order, the U.S. Coast Guard has issued a Notice of Proposed Rulemaking on cybersecurity in the marine transportation system in order to establish minimum cybersecurity requirements that meet international and industry-recognized standards to best manage cyberthreats.
• The order also directs the Coast Guard to issue a Maritime Security Directive requiring specific cybersecurity risk management actions with regard to ship-to-shore cranes manufactured in the People's Republic of China (PRC).

The China angle

The specific attention to Chinese-made cranes is interesting. It's based on the findings that these cranes — which are in use in a large number of ports around the world, including in the U.S. — contain vulnerabilities that could make them prone to exploitation by malicious parties.

In addition, there is a concern that these cranes’ software may include backdoors or other types of malware designed to allow Chinese government entities to seize control of or sabotage these critical pieces of equipment in the case of a crisis or conflict.

The U.S. Department of Transportation has also issued a new advisory document that spells out the specific nature of these concerns. The advisory notes that the largest share of ship-to-shore cranes are manufactured by ZPMC (Shanghai Zhenhua Heavy Industries Company Limited), and that they are designed to be controlled, serviced, and programmed from remote locations depending on their configuration.

In addition, the advisory points out that there are risks to the increasing integration and utilization of the LOGINK logistics management platform, which aggregates logistics data from many sources including potentially protected and sensitive data about shipping and transportation.

Finally, the advisory notes the risks of using security inspection equipment manufactured by Nuctech Company, Ltd., a Chinese state-controlled entity. The fact that this equipment includes highly sophisticated artificial intelligence and facial recognition capabilities, among many others, presents significant potential national security risks. In addition, the U.S. government has determined that Nuctech’s lower-performing equipment may impair U.S. efforts to intercept international trafficking in nuclear and other radioactive materials.

The advisory closes with a lengthy and specific list of recommended actions to be taken by any owners or operators of MTS equipment, including improving access controls, segmentation, and monitoring of communications.

Costs and benefits

These new rules will impose significant costs on owners and operators of shipping and port equipment, but many of these costs will be offset by funding provided through the 2023 Bipartisan Infrastructure Law and Inflation Reduction Act.

In addition, the government is providing funds to support the onshoring of MTS equipment manufacturing by U.S. companies, in order to enable the cost-effective replacement of vulnerable Chinese-built equipment with more secure domestically produced equipment over time.

As far as the benefits of these measures, the obvious top-line benefit will be reduced cyber risks to the U.S. and global supply chains. An additional benefit will be measured in new manufacturing jobs for U.S. workers.