Chinese Crane Giant Poses Cybersecurity Threat to US Ports
House Report Says Chinese State-Owned Crane Company Threatens US National Security
A Chinese company that dominates the global market for ship-to-shore port cranes poses "significant cybersecurity and national security vulnerabilities" for the United States and its allies, according to a new congressional report.
Shanghai Zhenhua Heavy Industries, the Chinese state-owned company also known as ZPMC, is currently the world's most popular supplier of STS container cranes and provides nearly 80% of all STS cranes in the American market. The report says ZPMC is a wholly owned subsidiary of a Chinese firm with significant involvement in militarizing the South China Sea and warns that Beijing could use the company to disrupt or manipulate U.S. maritime supply chains during a potential future dispute over Taiwan (see: Hackers Target Taiwan UAV, Military Industries).
The chairs of the House Committee on Homeland Security Subcommittee on Transportation and Maritime Security and the Select Committee on the Chinese Communist Party issued a joint statement Thursday that says ZPMC "could, if desired, serve as a Trojan horse" capable of helping Beijing "exploit and manipulate U.S. maritime equipment and technology at their request."
"Our greatest geopolitical adversary could wield this power to influence global military and commercial activity in the event of escalation," the statement says.
The 52-page report details how the People's Republic of China strategically invests in the U.S. maritime industry, while ZPMC provides comprehensive "smart" port infrastructure to a substantial number of cranes across U.S. ports.
ZPMC partnered with Microsoft in 2017 to develop a suite of tools to analyze real-time port activity and cargo movement, according to the report, which says Chinese law enforcement requires mandatory backdoors into its information technology infrastructure. The committees found a "high risk" that the PRC government could manipulate ZPMC's advanced port systems for strategic reasons, "including the disruption of U.S. critical infrastructure."
The report also says U.S.-based companies have identified "dozens" of ZPMC vulnerabilities, while China's publicly accessible national cybersecurity vulnerability database returned zero results for investigators. The committees were also told by security stakeholders "that it is an open secret among ports and terminal operators that throughout the process of procuring a ZPMC crane, they will be pressured to provide remote access" under the auspices of maintaining oversight.
President Joe Biden in February signed an executive order that aims to improve cybersecurity at maritime ports across the country, ordering the U.S. Coast Guard to develop minimum cybersecurity standards for the marine transportation system and mandating that vessel operators report cyber incidents. The order followed a 2022 ransomware attack that paralyzed the Seattle-based logistics and freight-forwarding giant Expeditors International for nearly three weeks (see: Biden to Sign Executive Order Raising Maritime Cybersecurity).
The report urged the Coast Guard to immediately issue guidance to all U.S. ports to disassemble connections of ZPMC cranes to cellular modems "or any other method of connection to ZPMC," absent contractual obligations. The Cybersecurity and Infrastructure Security Agency is also encouraged to issue guidance to all U.S. ports to install operational technology monitoring software and "immediately prioritize closing cybersecurity gaps at Guam's port."
The committees provided a classified annex to congressional members and appropriately cleared staff, according to the report.