Port cranes: Cause for concern?
Feds fear Chinese cranes may pose security risk
The Port of Virginia may have as many as 30 Chinese ship-to-shore cranes that have come under scrutiny from Pentagon officials over national security concerns. Five more cranes are scheduled for delivery next year.
Manufactured by state-owned company Shanghai Zhenhua Heavy Industries Co., known as ZPMC, the cranes are a possible security risk, according to a March report from The Wall Street Journal. U.S. defense and national security officials have voiced concerns that China could gather information about materiel shipments supporting U.S. military operations by using sensors on the cranes that can track containers’ origins and destinations. They told the Journal that the cranes also could be vulnerable to remote access attacks that could disrupt shipping.
A U.S. Department of Transportation study examining whether cranes from foreign manufacturers pose security risks is due by the end of the year.
The WSJ story came amid heightened U.S. concerns about Chinese spying, including the surveillance balloon saga in February and Gov. Glenn Youngkin’s decision late last year to remove Virginia from consideration for a $3.5 billion Ford Motor Co. battery plant due to its ties to a Chinese company. Following the U.S. reports about the cranes, South Korea said it would inspect its ZPMC-made cranes.
The American Association of Port Authorities, however, disputed the existence of a threat in a statement: “There have been no known security breaches as the result of any cranes at U.S. ports, despite alarmist media reports. Further, modern cranes are very fast and sophisticated, but even they can’t track the origin, destination or nature of the cargo.”
However, a bad actor could use a crane’s camera system to view a container’s serial number and then track it, says Chris Wolski, a former information security officer for Port Houston. One could also potentially disable crane systems by overriding safety sensors or causing false readings.
Even so, gathering materiel shipments’ origins and destinations wouldn’t be very useful, says Lonnie Henley, a retired intelligence officer and a Foreign Policy Research Institute senior fellow. “If I had information like that and had all the processing power in the world, I’m still not sure what military operational benefit I can gain from it.”
Virginia Port Authority spokesperson Joe Harris declined to confirm the port’s number of ZPMC-made cranes.
In January, the Port of Virginia announced it had finalized a $61.6 million purchase of five ZPMC-manufactured cranes that will be able to handle ultra-large container vessels. Delivery is set for December 2024, and the 1,827-ton cranes will replace two units at the Virginia International Gateway and three at the Norfolk International Terminals.
The port began using ZPMC cranes in 2000. The Newport News Marine Terminal’s crane, which has been in service since 1982, appears to be the only crane at the port made by a different manufacturer.
“We are confident that all of the cranes owned and operated by the Port of Virginia are safe and secure,” Harris said in a statement. “We employ best practices and will continue to collaborate with multiple federal law enforcement agencies to ensure the equipment we purchase, own and operate is here for its intended use, which is to move cargo.”
One way port authorities can mitigate risks from foreign-made technology, Wolski says, is by conducting a post-delivery systems check of the system code. “Anything that’s connected to a computer network is vulnerable to a cyberattack. It’s a matter of how well they’ve set up the defense for the cybersecurity of the organization and of the equipment.”
The Port of Virginia appears to be taking these precautions, according to a statement from Harris: “Before any new cranes are put into service, they are subject to a detailed forensic cyberanalysis that is performed by one of the nation’s federal law enforcement agencies. New cranes awaiting analysis are isolated with dedicated firewalls to ensure there is no contact with port networks or the internet.”