March 19, 2024

White House, U.S. Coast Guard Seek to Address Maritime Cyber Espionage and Cybersecurity Risks

Maritime Ports, Facilities and Vessels Face New Requirements in Effort to Protect Vital Supply Chains and Critical Infrastructure
Holland & Knight Alert
Sean T. Pribyl | Shardul Desai | Jameson B. Rice

Highlights

  • In support of the Biden Administration's efforts to protect vital supply chains and mitigate the risk of cyberattacks on critical infrastructure, the White House issued an Executive Order intended to bolster the U.S. Department of Homeland Security's (DHS) authority to directly address maritime cyber threats to the security of U.S. ports' operations, networks and systems.
  • The White House announced that it recognizes ship-to-shore cranes that were manufactured in the People's Republic of China and are operating at U.S. ports as a potential national security risk. To address the security risk, the White House has committed to investing more than $20 billion in U.S. port security, including "onshoring" manufacturing capabilities.
  • Owners and operators of U.S.-flagged vessels, as well as certain U.S. facilities and U.S. Outer Continental Shelf facilities, are the subject of a newly promulgated U.S. Coast Guard Notice of Proposed Rulemaking (NPRM) that proposes new minimum cybersecurity requirements for approximately 10,286 U.S. flag vessels and 3,411 marine facilities in the U.S. and its territories. The NPRM does not add requirements to foreign-flagged vessels.
  • Owners and operators of U.S. ports, U.S.-flagged vessels and U.S. facilities should develop robust cybersecurity and cyber supply chain risk management programs consistent with these maritime cybersecurity regulations and national security trends.

Maritime and Port Security Are Vital to National Security and the U.S. Economy

Maritime trade is essential to America's economic viability and national security interests. The U.S. Marine Transportation System (MTS) – comprising an intricate system of ports, terminals, vessels, waterways and land-based facilities – reportedly supports $5.4 trillion worth of economic activity each year and nearly 95 percent of cargo entering the United States.1 Not only is maritime transportation critical for the movement of trillions of dollars of economic goods into the U.S. supply chain, it is also essential for the U.S. military's movement of goods to defend America's vital interests. As such, the MTS has long been considered part of the U.S. critical infrastructure sector.2

Over the past three decades, the maritime industry has increasingly implemented internet-connected technologies and digital systems intended to improve commercial vessel and port facility operations such as those used for the movement of cargo and ship navigation. However, this digital interconnectedness has introduced cybersecurity risks, including the threat of ransomware attacks that can disrupt operations, unauthorized access to MTS controls and navigation systems, espionage in supply chain practices and behaviors, and theft of port operations' trade secrets.

The White House announced on Feb. 21, 2024, multifaceted actions to confront these and other maritime cyber threats.3 First, the Biden Administration will invest more than $20 billion in U.S. port infrastructure over the next five years, including rebuilding the U.S. manufacturing capability for ship-to-shore port cranes. Second, the U.S. Coast Guard (USCG) issued a Maritime Security Directive on cyber risk management actions for Chinese-manufactured ship-to-shore cranes. Third, the White House issued an Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States to enhance maritime cybersecurity, which bolsters the U.S. Department of Homeland Security's (DHS) authority to address maritime cyber threats. And fourth, the USCG issued a Notice of Proposed Rulemaking (NPRM) that proposes new minimum cybersecurity requirements for U.S.-flagged vessels, U.S. Outer Continental Shelf (OCS) facilities and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. The maritime cyber threats, the Biden Administration's actions and key takeaways are discussed below.

Maritime Cyber Threats and Chinese Espionage

Ports are the entry and exit points for seaborne commerce and defense cargo, and are a critical part of U.S. supply chain infrastructure. Thus, cyber threats to maritime facilities and assets are a national security concern. For example, a cyberattack that shuts down port operations could lead to disruptions in domestic supply chains, with imports or exports stalled at ports, creating massive downstream shortages of goods.

These supply chain concerns are not merely theoretical. Over the last several months, multiple cyberattacks impacted port and vessel operations, causing substantial economic harm. Around Christmas 2022, the Port of Lisbon, Portugal, was the victim of a ransomware attack. Although the ransomware attack allegedly did not compromise operational activities, the Port's website was down for several days, and cybercriminals demanded a $1.5 million payment to not release the Port's financial reports, contracts, cargo information, ship logs, crew details and other port documents.4 In July 2023, the LockBit ransomware group successfully shut down Japan's largest port, the Nagoya Port, for two days, causing cargo congestion.5 In November 2023, a cyber intrusion on DP World Australia's systems – Australia's second-largest port operator, which manages nearly 40 percent of Australia's seaborne commerce – resulted in disconnection from the internet, operations being shut down for several days and cargo containers being stuck on docks.6

The Biden Administration also recently expressed unprecedented concerns about the Chinese government's ability to infiltrate U.S. critical infrastructure.7 Precipitating these concerns are the activities of Volt Typhoon, a People's Republic of China (PRC) state-sponsored hacking group that was revealed to be dormant inside U.S. critical infrastructure. According to some news reports, Volt Typhoon maintained access in some critical infrastructure networks for more than five years and had infected small office and home office routers to establish a botnet (i.e., a network of infected systems) that the group used to conceal its activities within these infiltrated networks. A major West Coast port is alleged to be one of the victims.

Highlighting these respective cyber threats, the U.S. Government has applied increased scrutiny to Chinese-manufactured ship-to-shore cranes. According to the Wall Street Journal, which has written a series of articles on the cybersecurity risks of these Chinese-manufactured port cranes, a Chinese state-owned enterprise, Shanghai Zhenhua Heavy Industries Company Limited (ZPMC), makes nearly 80 percent of the ship-to-shore cranes in use at U.S. ports.8 Government officials in the Biden Administration have expressed concerns about the potential threat of disruption and espionage presented by these ZPMC cranes – especially those that can be controlled, serviced and programmed from remote locations. USCG cyber protection teams also are inspecting these ZPMC cranes to assess cybersecurity or "hunt[]" for threats – USCG has reportedly inspected approximately half of the 200 cranes so far.

Since June 2023, the U.S. House Committee on Homeland Security's Subcommittee on Transportation and Maritime Security, as well as the U.S. House Select Committee on China, have held hearings to examine U.S. maritime port vulnerabilities and to investigate the risks posed by these ZPMC port cranes.9 Earlier this month, this joint congressional probe found installed communications equipment, such as cellular modems, that could be accessed remotely. Although it is not unusual for cranes to have modems installed, reportedly these were not necessary for the capabilities required at specific ports or part of existing contracts, thereby "raising questions as to their intended applications."10 In addition, members of this joint congressional probe released a Feb. 29, 2024, letter written to ZPMC raising these concerns.11

The Biden Administration's Investment in Port Supply Chain

The White House announced on Feb. 21, 2024, that the U.S. government will invest more than $20 billion over the next five years in U.S. port infrastructure through grants, the Bipartisan Infrastructure Law and the Inflation Reduction Act (IRA). Funding will reportedly support the rebuilding of the U.S. industrial capacity to manufacture domestically and to produce port cranes with "trusted partners," although the announcement did not include a time frame for implementation.

This undertaking is all the more daunting because the U.S. has not domestically manufactured ship-to-shore cranes for 30 years. To that end, PACECO Corp., a U.S.-based subsidiary of Mitsui E&S Co. Ltd (Japan), is planning to onshore U.S. manufacturing capacity for its crane production and partner with other trusted manufacturing companies to revive U.S. port crane manufacturing capabilities. The goal of onshoring crane production capacity to "trusted" partners follows the continued efforts of the White House Council on Supply Chain Resilience to strengthen America's supply chains.

USCG Maritime Security Directive Concerning Chinese-Manufactured Cranes

The Biden Administration clarified that it is not exploring a "rip and replace" policy that would require these Chinese-manufactured port cranes be replaced with "trusted" cranes. Instead, to address the current cyber threats associated with these ZPMC cranes, the USCG issued a Maritime Security Directive (MARSEC Directive 105-4) on cyber risk management actions related to these cranes.12 This MARSEC Directive imposes several cybersecurity requirements on the owners and operators of these Chinese-manufactured cranes; however, the specific requirements are not being disclosed publicly for security purposes.13

Executive Order 14116

On Feb. 21, 2024, President Biden issued an Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States (Executive Order 14116). Notably, the Executive Order updates several regulations in 33 CFR Part 6 to explicitly address maritime cyber threats upon finding that "the security of the United States is endangered by reason of disturbances in the international relations of the United States that exist as a result of persistent and increasingly sophisticated malicious cyber campaigns against the United States, and that such disturbances continue to endanger such relations." This follows maritime network security issues and agency responsibilities identified in the 2020 National Maritime Cybersecurity Plan.

The Executive Order cites 46 U.S.C. 70051, commonly referred to as the Magnuson Act, which generally authorizes the president to issue regulations to safeguard vessels, harbors, ports and waterfront facilities in the U.S. against destruction, loss or injury from sabotage or other subversive acts, accidents or other similar causes. This new Executive Order further enables the protection and security of vessels, harbors, ports and waterfront facilities by explicitly addressing cyber threats. Among other amendments, the updated regulations give a Coast Guard Captain of the Port (COTP) authority to respond to malicious cyber activity by establishing security zones, controlling the movement of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure, inspecting and searching vessels and waterfront facilities – including cyber systems and networks, as consistent with law – and requiring facilities to correct unsatisfactory cyber conditions that may endanger the safety of a vessel, facility or harbor.

The Executive Order also mandates the reporting of cyber incidents. Specifically, 33 CFR 6.16-1 was amended to require immediate reporting of an actual or threatened cyber incident involving or endangering any vessel, harbor, port or waterfront facility, including any data, information, network, program, system or other digital infrastructure to the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the COTP or to their respective representatives. Reporting of cyber incidents under the Executive Order is a "requirement rather than a request."

The USCG published Navigation and Vessel Inspection Circular 02-24 (NVIC 02-24) to clarify this reporting requirement. NVIC 02-24 requires cyber incidents to be reported immediately to the FBI, CISA and COTP. Under the Executive Order, a cyber incident is "an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies." NVIC 02-24 clarifies that:

MTS stakeholders should report those incidents that lead to or, if still under investigation, could reasonably lead to any of the following:

(a) A substantial loss of confidentiality, integrity, or availability of information systems, networks, or operational technology;

(b) A disruption or significant adverse impact on the MTS Stakeholder's or MTSA-regulated entity's ability to engage in business operations or deliver goods, or services;

(c) Disclosure or unauthorized access directly or indirectly to non-public personal information; or

(d) Potential operational disruption to other critical infrastructure systems or assets.

Routine spam, phishing attempts and other cyberattacks that do not breach a system's defenses and accidental violation of acceptable use policies are not considered a reportable cyber incident. Moreover, low-level cyber events that are addressed by standard antivirus programs are not reportable events.

Additionally, Executive Order 14116 amends 33 CFR 6.04-7 and generally authorizes respective Coast Guard COTPs to inspect and search at any time any vessel, waterfront facility or security zone, or any person, article or thing, including any data, information, network, program, system or other digital infrastructure within the jurisdiction of the United States – and to remove the same. The caveat is that the search, inspection and removal must be done "consistent with law," although NVIC 02-24 does not provide amplifying guidance to U.S.-flagged vessel and facility owners and operators regarding the procedures on which the USCG will rely when removing data or digital infrastructure from a vessel or facility, or regarding whether an inspection, search and removal can be performed by a civilian member of a USCG Cyber Protection Team or whether such activities must be undertaken by "commissioned, warrant, and petty officers" pursuant to the USCG's authority under 14 U.S.C. Section 522.

MTS Cybersecurity Notice of Proposed Rulemaking

Although the USCG has been addressing maritime cybersecurity as a matter of vital importance for several years, the USCG promulgated an NPRM on Cybersecurity in the Marine Transportation System to establish minimum cybersecurity requirements for U.S.-flagged vessels, U.S. OCS facilities and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. (See Holland & Knight's previous blog post, "Keeping It Steady as She Goes: Coast Guard Living Up to Its Three Expectations," April 29, 2021.) Foreign-flagged vessels are exempt from this proposed rule since "cyber regulations for foreign-flagged vessels under domestic law may create unintended consequences with the ongoing and future diplomatic efforts to address maritime cybersecurity in the international arena." Instead, the USCG suggests that a Safety Management System (SMS) approved under the International Safety Management (ISM) Code should address foreign-flagged vessel cybersecurity, although reporting requirements for certain hazardous conditions remain in place that cover all foreign vessels bound for or departing from ports or places within the navigable waters of the United States. The NPRM requires regulated entities to develop cybersecurity programs that harmonize with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities must designate a Cybersecurity Officer (CySO) who is responsible for developing, implementing and maintaining the company's Cybersecurity Plan, and the CySO must be accessible to the USCG 24 hours a day, seven days a week.

Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities also must develop detailed Cybersecurity Plans that contain specific requirements and standards, applied to varying degrees depending on the entity; such requirements and standards would be added to Facility Security Plans (FSP), OCS FSPs and Vessel Security Plans (VSP). Some of the items that must be included in the Cybersecurity Plan are the following:

  • Drills and Exercises: Every three months, owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities must conduct cybersecurity drills that test the operational response of at least one specific element of the Cybersecurity Plan. In addition, at least once every calendar year, with no more than 18 months between exercises, owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities must conduct cybersecurity exercises that fully test their cybersecurity regime.
  • Access Controls: Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities must maintain minimum account measures concerning access to information technology (IT) and operational technology (OT) systems. These measures include automatic account lockout after repeated failed login attempts, no default passwords, minimum password strength requirements, multifactor authentication, the principle of least privilege for privileged accounts, separate credential requirements on critical systems and account revocation when a user leaves the organization.
  • Device and Data Security: Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities must maintain an inventory of approved hardware, firmware and software, and an inventory of network-connected systems. Applications running executable code must be disabled by default on critical systems. Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities also must securely capture and store data logs and encrypt data in transit and at rest.
  • Personnel Training: Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities must train personnel concerning cybersecurity risks, the Cybersecurity Plan and incident reporting obligations.
  • Risk Management: On an annual basis, or when substantial ownership and/or Cybersecurity Plan changes occur, owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities must conduct a cybersecurity assessment for each covered vessel, facility and OCS facility. Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities also must conduct penetration tests, patch vulnerabilities, assess cyber supply chain risks and receive threat and vulnerability intelligence from external stakeholders, vendors and service providers.
  • Network Segmentation: Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities should implement network segmentation between IT and OT networks.
  • Audits: Annual audits of the Cybersecurity Plan must be conducted.

Owners and operators of applicable U.S.-flagged vessels, U.S. facilities, and OCS facilities must submit their Cybersecurity Plan to the USCG for review and approval. If the Cybersecurity Plan fails to meet the requirements, the owners and operators of applicable U.S.-flagged vessels, U.S. facilities, and OCS facilities will have at least 60 days to amend the plan and cure deficiencies. In addition, owners and operators of applicable U.S.-flagged vessels, U.S. facilities, and OCS facilities must follow recordkeeping requirements related to their Cybersecurity Plan, drills and exercises, training, assessments, cyber incidents and annual audits.

The NPRM requires mandatory reporting of cyber incidents to the National Response Center without delay. Notably, a cyber incident is defined more narrowly than in NVIC 02-24. Under the NPRM, a cyber incident is "an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system or actually jeopardizes, without lawful authority, an information system." Unlike the NVIC 02-24 definition, this NPRM definition does not include occurrences that "imminently" jeopardize a system, or violations of the law or a security policy. Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities must maintain a Cyber Incident Response Plan and test the plan through annual tabletop exercises.

The NPRM seeks public comments on whether the USCG should use and define the term "reportable cyber incident" to limit cyber incidents that trigger reporting requirements, require cyber incident reporting to CISA in harmonization with the Cyber Incident Reporting for Critical Infrastructure Act and amend the definition of hazardous condition. Comments to the NPRM and related material must be received by the Coast Guard on or before April 22, 2024. Once final rules are adopted, the USCG is proposing an implementation period of 12 to 18 months.

Key Takeaways

The Biden Administration's above-described actions reflect its continued efforts to secure the country's supply chains and strengthen the cybersecurity of the nation's critical infrastructure. In the United States' interconnected economy, these efforts are necessary to protect against cyber threats and espionage. Nevertheless, the Biden Administration's actions create new risks, legal liabilities and increased costs for owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities.

Although there may be some time before the regulations become effective, owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities should start now to develop comprehensive cybersecurity programs that meet the proposed regulations, codifying the program in a written Cybersecurity Plan. These efforts also should include developing a compliance program to help ensure quarterly and annual requirements are met and records are maintained in accordance with the proposed requirements.

Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities also should be mindful that cyber incident reporting laws often create legal liabilities for regulated entities. Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities may face challenges in determining whether an incident is reportable and when notification requirements are triggered. Although the timing requirements in these regulations (i.e., "immediate" and "without delay") reflect a desire to have incidents reported as close to discovery as possible, some internal investigative effort with the company's outside counsel will be necessary and advisable to determine whether the incident is reportable in the first instance. Thus, owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities should develop Incident Response Plans and test the plans' effectiveness in responding to and investigating incidents quickly and reporting them promptly. A component of effective incident response involves coordinating with incident response counsel in advance in order to prepare appropriately. In addition, as adverse publicity and litigation often follow data breaches, internal investigations of a cyber incident often include outside counsel so that they may be conducted under legal privilege. As such, reporting cyber incidents to regulators and law enforcement should be appropriately tailored to avoid inadvertent waiver of privilege or the creation of unnecessary litigation risks.

Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities should develop robust cyber supply chain risk management programs. Although the White House stopped short of issuing a blanket ban on Chinese-manufactured ship-to-shore cranes or a "rip-and-replace" policy, the Biden Administration's national security trends require a keen and cautionary eye on supply chain technologies that aren't procured from "trusted" partners. Owners and operators of applicable U.S.-flagged vessels, U.S. facilities and OCS facilities should assess cybersecurity risks associated with their supply chains, with an emphasis on potential vulnerabilities, and make purchasing decisions that align with their risk appetite.

Finally, the NPRM and Executive Order build on prior actions by DHS and the USCG to develop regulatory requirements in pursuit of safeguarding critical infrastructure, including USCG Policy Letter 08-16 on reporting Suspicious Activity and Breaches of Security; NVIC 01-20 concerning requirements to assess, document and address computer system or network vulnerabilities; and the Vessel Cyber Risk Management Work Instruction (CVC-WI-027(3)) regarding the USCG commercial vessel compliance program's approach to assessing cyber risk on vessels. It remains to be seen what role the Maritime Cyber Readiness Branch (MCRB) and Cyber Protection Teams (CPTs) will have as new and expanded cybersecurity requirements continue to develop, but stakeholders should expect that cybersecurity measures will continue to be a priority of the USCG, and thus should prepare accordingly.

Holland & Knight maritime, international trade and cybersecurity attorneys are available to address any questions you may have.

Notes

1 White House, Fact Sheet: Biden-Harris Administration Announces Initiative to Bolster Cybersecurity of U.S. Ports

2 Presidential Policy Directive 21: Critical Infrastructure Security and Resilience; see also CISA, Critical Infrastructure Sectors: Transportation System Sector

3 White House, Fact Sheet: Biden-Harris Administration Announces Initiative to Bolster Cybersecurity of U.S. Ports

4 Industrial Cyber, "Port of Lisbon targeted by LockBit ransomware hackers, website still down"; Security Affairs, "Lockbit ransomware gang claims to have hacked the Port of Lisbon"

5 CPO Magazine, "Largest Japanese Port Suffered a Russian Ransomware Attack Halting Cargo Operations"

6 The Guardian, "DP World hack: port operator gradually restarting operations around Australia after cyber-attack"; The Wall Street Journal, "Major Australian Ports Reopen After Cyberattack Halts Operations"

7 The Wall Street Journal, "Chinese Hacking Against U.S. Infrastructure Threatens American Lives, Officials Say"; The Wall Street Journal, "FBI Director Says China Cyberattacks on U.S. Infrastructure Now at Unprecedented Scale"; Washington Post, "China's cyber intrusions have hit ports and utilities, officials say"

8 The Wall Street Journal, "Pentagon Sees Giant Cargo Cranes as Possible Chinese Spying Tools"

9 Committee on Homeland Security, Chairmen Green, Gallagher, Gimenez, and Pfluger Request Testimony from Swiss Company with Concerning Ties to Chinese State-Owned Enterprises; Committee on Homeland Security, "A Matter of National Urgency": Subcommittee Chairman Gimenez Delivers Opening Statement in Hearing on U.S. Port Security; Committee on Homeland Security, USCG, Navy, DHS Testify on Threats from China to U.S. Ports, Economic and Cybersecurity

10 The Wall Street Journal, "Espionage Probe Finds Communications Device on Chinese Cranes at U.S. Ports"; Congressional Letter, Feb. 29, 2024

11 Congressional Letter, Feb. 29, 2024

12 Federal Register, Vol. 89, No. 37, 13726-27 (Feb. 23, 2024).

13 United States Coast Guard, Maritime Security (MARSEC) Directive 105-4


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.