Fighting Cyber Threats at America’s Ports


As Cyber Defense Ramps Up, Non-Adversarial Port Machinery Manufacturers May Win in the Short Term

By Lori Musser

Cranes and drones, forklifts and fleet cars – almost any hard asset deployed by seaports or terminal operators can be infected with malicious code, and U.S. officials are taking this threat seriously. Despite a preference for American-made equipment, there are gaps in the domestic supply chain, leading to opportunity for “friendly” foreign manufacturers.

From Issue 3, 2024 of Breakbulk Magazine.

(5-min read)



Cranes and drones, forklifts and fleet cars – almost any hard asset deployed by seaports or terminal operators can be infected with malicious code thanks to ever-present software. It can happen during manufacture or after deployment. U.S. seaports have expressed concern and take their role in preserving national security seriously, but they must balance risk with economic responsibility.

Ensuring a seamless, efficient and cost-effective flow of cargo to “deliver prosperity” is, after all, a top priority, according to the American Association of Port Authorities.

That means nobody expects to see a wholesale replacement of multi-million dollar cranes, equipment, operating software and other technology at America’s seaports, even if the tech was purchased from or assembled in a country that the U.S. now deems adversarial. The cost would be prohibitive in most cases. The riveting sight of behemoth cranes traversing oceans on heavy-lift vessels is not going away.

There are more cost-effective ways to manage cyber threats related to existing port assets and the U.S. is determined to ensure that new hard assets and software brought into seaports and the marine transportation system in general, do not inadvertently introduce more cyber threats.


An Ounce of Prevention

Regardless of the national origin of existing or new terminal equipment, software and infrastructure at America’s seaports, the federal government has upped its role in managing the related cyber risk.

On February 21, 2024, President Biden signed two executive orders. The first clearly addressed cyber threats: Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States, updating Title 33, Code of Federal Regulations, Part 6. The second expanded authorities for the United States Coast Guard, or USCG, to protect the nation’s marine transportation system against malicious cyber activity.

These announcements ensure “Coast Guard authorities are aligned with emerging cybersecurity threats, and reflects the commitment … to safeguard maritime critical infrastructure,” according to Rear Admiral Wayne Arguin, Coast Guard Assistant Commandant for Prevention Policy, in the Coast Guard’s maritime professionals blog of February 22, 2024.

On the same day, the Coast Guard published proposed updates to cybersecurity requirements for certain U.S.-flagged vessels, ports and other marine transportation facilities. Comments relating to reportable cyber incidents and reporting of such incidents were due April 22, 2024.

The U.S. Coast Guard now has Cyber Protection Teams that work with local Coast Guard units, ports and terminal operators, among others, evaluating system security and investigating incidents. The USCG is ramping up cyber defense in the country’s maritime transportation systems with an influx of 1,200 new Marine Science Technicians – cyber spotters.


Pre-emptive Action

Ports typically rely on competitive bidding with precise specifications to purchase new cranes and other high-dollar assets - specifications that can and often do name countries of origin and manufacture. Ports and terminal operators may have preferences for operational reasons. It may make sense, for instance, to stick to a single manufacturer of a particular crane, to streamline maintenance and minimize workforce re-training.

Of course, ports may prefer or be required to limit sourcing for national security purposes, or for U.S. federal grant funding eligibility. Many grants come with domestic content preferences known as Build American, Buy American, or BABA.

Glenn Wiltshire is the acting port director for Port Everglades. In a recent purchase of a series of ship-to-shore cranes, the port’s specifications included requirements related to software and security, brands and country of origin.

“When we started the purchasing process in 2017, we worked with Liftec as our crane consultant and developed a detailed component list. We named brands. It was more for consistency with systems we already had in an existing crane,” said Wiltshire.

The Chinese firm ZPMC was selected. While the port didn’t anticipate an issue with Chinese-made crane management software at the start of this multi-year procurement, it had specifically requested the Toshiba Mitsubishi- Electric Industrial Systems Corporation (TMEIC) crane automation system, a Japanese product.

That proved fortuitous. In February 2024, a U.S. Maritime Security Directive was issued related to China-manufactured ship-to-shore cranes and their operating software. Owners and operators of certain critical port infrastructure are now required to take immediate steps to close vulnerabilities and mitigate unsatisfactory cyber conditions posed by the prevalence of China-manufactured STS cranes in the U.S. and the threat of disruption to U.S. critical infrastructure.

Port Everglades was ahead of the curve. It had already specified TMEIC, a non-Chinese component/system. Moreover, multiple levels of security oversight, including port, county, state and federal, were already in place. “New cranes [and other equipment] are scrutinized. We look at layers of protection, firewalls and other measures, and add additional layers when needed,” Wiltshire added.

With new regulations looming, Wiltshire says the port is in a good position, but will further ramp up protective measures.


Real Threats

China-manufactured ship-to-shore cranes comprise the majority of the global market and about 80 percent of those in use in the U.S. Because they can be controlled, serviced and programmed remotely, these types of cranes are vulnerable to exploitation, which threatens the maritime elements of the national transportation system, according to the USCG.

Marine and port cyber threats are surging, with more sophisticated perpetrators trying new ways to disrupt systems in U.S. vessels, shipyards, waterways and port facilities, the USCG reports. Its recently released 2023 Cyber Trends and Insights in the Marine Environment reported “an uptick in nation-state actors targeting critical U.S. infrastructure,” including the Marine Transportation System (MTS).

The report said incursions by China-sponsored VOLT TYPHOON, “a group seeking to hack into U.S. infrastructure systems using network-facing devices,” in part triggered the February 2024 cyber executive order.

Rear Adm. John C. Vann is commander Coast Guard Cyber. He said, in an April 1, 2024 MyCG update, “As stewards of maritime trade, it is our collective responsibility to safeguard our ports and maritime infrastructure.” He noted the potential for financial losses and “cascading effects on global economies” following cyber attacks on American port infrastructure.

The cyber trends report noted that ransomware attacks increased 80 percent in 2023, with more sophisticated perpetrators and higher requested ransoms, and that shipping lines and service providers, liquid natural gas processors and distributors, and petrochemical companies are common targets. One of the nation’s weak spots was identified as network-connected operating technology in port facilities because they often “rely on outdated software and network protocols, and have insufficient access controls.”

Regulations are forthcoming that will allow the Coast Guard to require vessels and waterfront facilities to mitigate cyber incidents that could cause harm.


Invigorating American Production

Of course, using more American-made assets at America’s ports and terminals might make it easier to safeguard national security. Unfortunately, that dog won’t hunt – not today. Very little in the way of maritime cranes and equipment, or even software – especially the increasingly preferred zero-emissions types – is made or assembled in America.

There are, however, a number of prominent European-based manufacturers, including those who specialize in the highly desirable zero-emissions technology.

In a recent letter expressing support for the EPA’s proposed waiver of Build America, Buy America requirements for Clean Ports grant funding, the American Association of Port Authorities, or AAPA, documented preliminary research on the domestic market of zero-emissions port equipment manufacturers. They reported a paucity of domestic manufacturers.

In its letter, the AAPA underscored the importance of the EPA adopting the proposed BABA waiver. There simply isn’t enough domestic production, though there are broad federal broad plans to invigorate this type of manufacturing.

In the meantime, ports and terminal operators continue to buy cranes and equipment globally, and along with that, deploy strategies to ensure that all new assets that arrive on American soil are free of malicious technology and stay that way.


Grounded Espionage Drones

American concerns are not limited to ground-based assets and software. For example, over the last decade, there have been widespread reports of drones being used for hacking and interception of information.

In 2019, the U.S. Department of Homeland Security expressed particular concern over Chinese-made drones and by early 2020 the U.S. government had grounded hundreds of drones.

Brett Milutin is executive deputy port director at the Port of Galveston. Like other organizations across the country, the port, in an abundance of caution, disrupted its own fleet of Chinese-manufactured drones. Milutin said: “We had no evidence whatsoever, but when issues came to light [elsewhere] the port was proactive. We wanted to get ahead of potential threats, so we grounded our fleet.” In the case of drones, while it was difficult to find replacements, the investment was far less than that associated with replacing, for example, port cranes.

In late December 2023, the Biden Administration signed into law the American Security Drone Act as part of the National Defense Authorization Act for 2024. There is now a full ban on using drones (at the federal level) made in China, Russia, Iran and North Korea.


What Is in Store

The maritime industry is evolving at a record pace. Cyber-connected systems figure prominently in that evolution. While these systems improve seaport and marine transportation systems operations and efficiency, they also introduce new and challenging threats.

Those supply chain members involved in procuring and delivering port and terminal cranes and equipment have a rosy future ahead, sustained by large-scale U.S. federal funding programs. However, sourcing may shift in the long term, with domestic production capacity receiving new federal support. Where U.S. manufacturing falls short, production in non-adversarial countries may find new opportunities.


Port of Galveston will be exhibiting at Breakbulk Americas 2024 on 15-17 October.

TOP PHOTO: Cranes delivered to Port Everglades meet rigid specifications and multi-layered security approval processes. CREDIT: Port Everglades.
Back