An examination of the authentic Chinese cyber threat present in the country's largest ports.

• The majority of "ship-to-shore" cranes used in U.S. port trade are manufactured in China, and the U.S. government has stated in recent testimony that they use Chinese software.
• According to CNBC's interviews with port executives, the software used on these cranes originates from Germany, Japan, and other countries outside China.
• Over 100 Chinese cranes at U.S. ports have been inspected by the U.S. Coast Guard, with Rear Adm. Jay Vann stating that the equipment could be susceptible to exploitation.

The threat posed by Chinese-made cranes at the nation's ports has been a concern for some time, and recent White House action and hearings on Capitol Hill have intensified the debate about the potential national security risks associated with these machines. However, there is disagreement among the Biden administration, lawmakers, and port management about the true nature of the threat.

Rear Adm. Jay Vann, commander of the U.S. Coast Guard Cyber Command, stated in a press briefing that 80% of the "ship-to-shore" cranes used in U.S. ports are made in China and run on Chinese software. This has raised concerns about the cranes' vulnerability to exploitation and potential use in Chinese surveillance. The Biden Administration estimates that there are approximately 200 PRC manufacturer cranes operating in the U.S.

The Subcommittee on Counterterrorism, Law Enforcement, and Intelligence Committee on Homeland Security and Select Committee on China sent a joint letter to ZPMC, the Chinese manufacturer of cranes, on February 29, inquiring about "certain components" including cellular modems installed on cranes that were not part of contracts with ports management and have no identified purpose.

The Chinese government has dismissed concerns about its response to cybersecurity threats as "paranoia-driven." The ZPMC has not responded to recent CNBC requests for comment, but it did recently tell the press that its cranes do not pose a cybersecurity threat.

According to CNBC's research, the software controlling the cranes at some of the nation's largest ports is not made in China. Instead, the software is produced by Switzerland's ABB, Germany's Siemens, Japanese companies TMEIC and NIDEC, and equipment manufacturers Liebherr (German-Swiss multinational) and Konecranes (Finnish). Additionally, ports use multiple layers of firewalls to protect their infrastructure by isolating the crane equipment.

"Although our members use Chinese-made cranes at U.S. terminals, we have ensured that these cranes operate independently of Chinese software. We prioritize safety and have implemented strict security measures to maintain the isolation of crane control and auxiliary systems. Our zero-trust policies provide an additional layer of protection."

The Biden administration believes that the risk of software being compromised lies in the installation of software at the point of manufacture in the PRC, not the country of origin of the software itself.

A Coast Guard spokesman, Kurt Fredrickson, stated via email to CNBC that all software, regardless of origin, contains vulnerabilities.

"The largest share of the global market for ship-to-shore cranes is held by PRC-manufactured cranes, which account for nearly 80% of the STS cranes at U.S. ports. However, the remote control, servicing, and programming features of these cranes may make them vulnerable to exploitation, posing a threat to the maritime elements of the national transportation system."

While most crane operating software is not made in China, it is installed in the PRC as part of the manufacturing process, and the organization remains committed to providing Congress and the administration with technical expertise on cybersecurity in ports and terminals.

Despite multiple requests for comment, the office of Carlos Gimenez (R-FL), who chaired a recent hearing on Chinese cranes concerns, did not respond.

What the ports say about cybersecurity and Chinese-made cranes

The Port of South Carolina mandates that its control system software be installed during manufacturing in China, but this is only possible with the mandatory oversight of a software vendor that is not a Chinese company.

Officials from the Port of Long Beach reveal that their terminal operators usually install the operating software during the commissioning process, which takes place at the port's terminals.

The Northwest Seaport Alliance, consisting of Tacoma and Seattle ports, has 38 ZPMC cranes, and the USCG has completed a full threat assessment on its operated cranes and security measures and passed successfully in the past year.

"Melanie Stambaugh, an NWSA spokeswoman, stated that they are assessing new security requirements against their current measures at their marine terminals and do not anticipate having to replace their operating cranes at this time. She added that they are closely monitoring guidelines from the Biden administration and maritime security organizations as they continue to emerge."

The American Association of Port Authorities, which represents ports and has consistently stated that there is no evidence of Chinese-linked cyber vulnerabilities at ports, declined to comment.

Ports in the U.S. have measures in place to ensure the safety of trade flow, but they cannot disclose specific details due to security concerns. Some ports have implemented three layers of siloed cyber protection for each crane.

The software for terminals used by the New York and New Jersey Port Authority is sourced from ABB and Siemens, as per CNBC research. According to Greg Ehrie, the chief security officer of the port, the port adheres to industry-leading cyber security standards and will continue to enhance its efforts through partnerships with operational partners and collaboration with local, state, and federal officials.

The Port of New Orleans prioritizes public safety and is committed to enhancing its cybersecurity. While it is already in compliance with the Biden administration's executive order, the port declined to provide further details.

North Carolina Ports' chief operating officer, Doug Vogt, stated that while their container cranes were manufactured by ZPMC, they use crane operating software from ABB. He emphasized that any remote troubleshooting or external system connections require permission from NC Ports and are closely monitored by skilled IT professionals who are trained in cybersecurity protocols. Vogt also noted that the port works closely with the United States Coast Guard to ensure the security of its systems, equipment, and operations.

The Port of Long Beach, the second-largest port in the US, has 59 cranes from China, while the remaining 27 are a mix of Japanese and South Korean equipment, including Samsung cranes. However, the software used by the terminals to operate the cranes is not Chinese, as stated by Noel Hacegaba, the chief operating officer at the Port of Long Beach.

"If a single crane goes down, it could signal a problem with the entire system. This scenario would be taken seriously, as Cordero stated. We are ready and have implemented the best practices of business continuity to handle this situation."

The Port of Los Angeles has 39 Chinese-made cranes and software from ABB and Siemens. Gene Seroka, the port's executive director, stated in a recent interview that software is ubiquitous and they will evaluate and look deeper into any potential cyber threats. However, when asked for more specific information, Seroka deferred to the intelligence community and the federal government.

The Port of Oakland has over 20 container cranes, most of which were made by ZPMC, and are currently being reviewed by the U.S. Department of Homeland Security. The port refused to disclose its software due to security concerns. "We regularly collaborate with DHS and the U.S. Coast Guard to ensure the safety and security of our maritime infrastructure," said a Port of Oakland spokesperson.

Konecranes, a Finland-based company, has provided all of the crane infrastructure at the Port of Georgia, which is the fourth largest port in the country. The software and hardware used at the port are a combination of products from Finland, Japan, Taiwan, the U.S., and Europe.

The government's focus on the issue coincides with a broader shift in industrial policy to bring more manufacturing back to the U.S. as part of both economic and national security strategy, and as the rivalry with China intensifies. Additionally, it comes amid growing concerns that nation-states competing with the U.S. may seek to take down key U.S. infrastructure in the future through more severe hacking campaigns using cyber means to wage both physical and psychological war on the U.S. and its population.

National security experts caution that any smart system that integrates data with operational technologies and machinery through microchips will be vulnerable. They emphasize that crane software risks are just a small part of a larger societal threat.

"To protect our nation's critical infrastructure, we require the collaboration of both the private and public sectors, as stated by Lucian Niemeyer, CEO of Building Cyber Security and former Assistant Secretary of Defense for Energy, Installations, and Environment under President Trump, who also led the National Security Programs for the Office of Management and Budget. As a society that is increasingly connected, we face millions of new potential targets for cyber attacks."

Regardless of the manufacturer or software, the cyber risk for cranes, other port equipment, and building systems on site remains constant. However, Niemeyer stated that there are ways to reduce cyber risk, regardless of the origin of the crane software or manufacturing.

Ports can obtain grant funds to establish or expand smart port network operations centers to monitor performance and manage data, programming, and software in cranes and other equipment. Additionally, ports must have a cyber specialist on board, a role that Niemeyer considers "essential" to ensure all actions and external data connections are secure and do not disrupt crane or port operations.

"Non-operational modems on cranes can be removed or a cyber checkpoint can be installed between Shanghai and the crane to address the suspicious crane feature," Niemeyer stated.

The Coast Guard will apply the same risk management framework to cyber threat risks as the Maritime Transportation System, which is part of a globally interconnected information network that facilitates the efficient and continual flow of commerce and employs a range of techniques from the Coast Guard and Joint Force operational commanders.

The Coast Guard spokesman stated that MTS cyber specialists, deployable Cyber Protection Teams (CPTs), and a Maritime Cyber Readiness Branch (MCRB) will directly support operational commanders at the Sectors, Districts, and Areas to improve the service's capacity to prevent and respond to cyber-related MTS disruptions.