Oakland Port warns – risk with China’s ZPMC crane cybersecurity

February 27, 2024


TLDR:

The Port of Oakland received giant cranes from China’s ZPMC, sparking cybersecurity concerns. President Biden announced actions to secure ports due to these risks. Concerns include the Chinese government’s link to ZPMC and the potential for malicious code in crane software. The White House is investing in U.S. crane production and requiring operators to address vulnerabilities. Other ports on the West Coast are evaluating risks and finding alternatives to Chinese manufacturers.

Full Article:

The Port of Oakland recently received giant cranes from China’s ZPMC, raising cybersecurity concerns due to the Chinese government’s link to the manufacturer. This has prompted President Biden to take executive action in securing ports nationwide. The Biden Administration aims to invest $20 billion in U.S. crane production in partnership with PACECO Corp., a subsidiary of Mitsui E&S Co., Ltd of Japan. Furthermore, the administration is requiring crane operators to address Information Technology (IT) and Operational Technology (OT) system vulnerabilities, as well as mandating the reporting of maritime cyber incidents or threats.

A key concern highlighted by cybersecurity experts is the potential for China to embed malicious code or spyware in the cranes’ operating software, which could disrupt U.S. supply chains or allow undetected data collection. The fact that these cranes are computer-controlled heightens the worry, as Chinese manufacturers handle the programming for these systems.

In a rare display of bipartisan agreement, a Republican House Homeland Security Subcommittee commended the executive order as a necessary measure. They noted that ZPMC currently accounts for nearly 80% of the ship-to-shore cranes at U.S. maritime ports and referenced FBI intelligence indicating the presence of collection devices on ZPMC cranes in the Port of Baltimore.

Other West Coast ports like Seattle, Tacoma, and Los Angeles are also evaluating the risks posed by relying on Chinese manufacturers for critical infrastructure. While the head of the Port of Los Angeles expressed uncertainty about China’s potential use of collected data, he acknowledged the challenge of finding alternative crane producers that match China’s performance and cost benefits.

As the U.S. reevaluates its economic ties with China, weighing the cybersecurity risks against manufacturing options within the country, the importance of supply chain security and technological sovereignty comes to the forefront. Moving forward, finding a balance between cost-effectiveness and national security will be crucial in ensuring the resilience of critical infrastructure like port operations.

