The Biden Administration is moving to bolster cybersecurity at U.S. shipping ports, not only arming the Coast Guard with more responsibilities but also warning about the dangers of using Chinese-made equipment and promising to leverage the United States’ newfound manufacturing strength to make such systems at home.

President Biden on Wednesday signed an Executive Order to set this in motion, the latest move by the federal government to strengthen the critical infrastructure against cyberthreats from state-sponsored threat groups and financially driven cybercriminal gangs.

Maritime ports are a significant part of the larger critical infrastructure environment, with the country’s complex Maritime Transportation System (MTS) – which includes an integrated network of ports, terminals, vessels, waterways, and connections to land-based operations – is foundational to $5.4 trillion in annual economic activity and jobs for more than 31 Americans, the White House wrote in a fact sheet outlining the President’s intentions.

It also supports almost 95% of cargo that enters the United States. As the complexity of the environment has grown, so have the threats to it, according to the Administration. MTS operators now leverage networks of digital systems that hit on everything from ship navigation and cargo movement to engineering, safety, and security monitoring.

“These systems have revolutionized the maritime shipping industry and American supply chains by enhancing the speed and efficiency of moving goods to market, but the increasing digital interconnectedness of our economy and supply chains have also introduced vulnerabilities that, if exploited, could have cascading impacts on America’s ports, the economy, and everyday hard-working Americans,” the White House wrote.

In a press conference this week, Rear Admiral Jay Vann, head of Coast Guard Cyber Command, said the MTS “enables critical national security sealift capabilities that enable the U.S. Armed Forces to project and maintain power around the globe. Any disruption to the MTS, whether man-made or natural, physical or in cyberspace, has the potential to cause cascading impacts to our domestic or global supply chains.”

China is a Focus

As with other critical infrastructure, such as water, energy, and healthcare sectors, a focus is on cyberattacks launched by foreign adversaries and, in this case, China in particular. The Department of Defense – as well as other agencies and private cybersecurity companies – have pointed to China as a significant ongoing cyberthreat. In a report last year, the Pentagon wrote that “both the People’s Republic of China (PRC) and Russia have embraced malicious cyber activity as a means to counter U.S. conventional military power and degrade the combat capability of the Joint Force. The PRC in particular sees superiority in cyberspace as core to its theories of victory and represents the Department’s pacing challenge in cyberspace.”

More recently, multiple federal agencies – including the FBI, National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) – wrote that China-backed APT group Volt Typhoon was hiding in compromised in systems and networks of U.S. critical infrastructure entities, essentially lying in wait until it was time to strike.

The White House said that it will invest more than $20 billion to bring domestic onshore manufacturing back to the United States to build secure ship-to-shore cranes. In a related notice, the U.S. Transportation Department (DOT) warned maritime operators about possible vulnerabilities in the IT and OT equipment, networks, operating systems, software, and infrastructure built by foreign companies and used in U.S. ports.

An Ongoing Concern

It’s a familiar worry, with the federal government issuing several documents over the past few years highlighting the risks that come with integrating and using China’s National Public Information Platform for Transportation and Logistics (LOGINK), inspection scanners built by Chinese-controlled Nutech, and automated ship-to-shore cranes, also built in China.

LOGINK is a massive logistics management platform first offered outside of China in 2010 that aggregates logistics data from such sources as domestic ports, foreign logistics networks, shipping companies, public databases, and “hundreds of thousands of users” in China, according to the DOT.

“At least 24 global ports have cooperation agreements with LOGINK, which can collect massive amounts of sensitive business and foreign government data, such as corporate registries and vessel/cargo data,” the department wrote. “The PRC government is promoting logistics data standards that support LOGINK’s widespread use, and LOGINK’s installation and utilization in critical port infrastructure very likely provides the PRC access to and/or collection of sensitive logistics data.”

The capabilities of Nutech’s products include X-ray, explosives detection, facial recognition, and AI. Meanwhile, Shanghai Zhenhua Heavy Industries Company Ltd. (ZPMC) has the largest revenue share of the global crane market and, depending on how they’re configured, can be controlled and programmed remotely, leaving them open to exploitation.

The Coast Guard’s Vann said that almost 80% of cranes at U.S. ports are made in China. That said, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, noted that while China is a focus, there also are concerns about threats from criminal organizations, pointing to a ransomware attack last year on Nagoya, a large Japanese port that was temporarily shut down.

The DOT outlined cybersecurity best practices for U.S. vessel owners, shippers, and port operators that use these products and mitigation measures to reduce the risk, including improving segmentation in port operations networks and those used by the cranes and use dedicated remote access systems and process for crane devices that enforce multifactor authentication.

Coast Guard is the Tip of the Spear

Biden’s order will give the Coast Guard the authority to respond to malicious cyber-incidents in the MTS, including requiring ships and waterfront facilities to address conditions that could open the ships, facilities, or harbors to threats and mandatory report of such incidents.

The Coast Guard also will be able to control the movement of vessels that are deemed to be a cyberthreat and to inspect them.

The agency also will issue a directive for managing the cyber-risks presented by Chinese-made cranes and located in Commercial Strategic Seaports in the United States. The owners and operators of the cranes will have to abide by the directive.

In addition, the Coast Guard issued a Notice of Proposed Rulemaking on Cybersecurity in the MTS aimed at strengthening systems and networks by establishing minimum cybersecurity requirements. The White House will put it out for public comment.