1. Issue: This Advisory seeks to alert maritime stakeholders of potential vulnerabilities to maritime port equipment, networks, operating systems, software, and infrastructure. Foreign companies manufacture, install, and maintain port equipment that poses vulnerabilities to global maritime infrastructure information technology (IT) and operational technology (OT) systems. In the past few years, the U.S. Government has published several documents (see paragraph 4 below) illuminating the risks associated with integrating and utilizing the People’s Republic of China’s (PRC’s) state-supported National Public Information Platform for Transportation and Logistics (LOGINK), Nuctech scanners, and automated port cranes worldwide.
LOGINK is a single-window logistics management platform that aggregates logistics data from various sources — including domestic and foreign ports, foreign logistics networks, hundreds of thousands of users in the PRC, and other public databases. The LOGINK logistics platform, which was first marketed outside of the PRC in 2010, is subsidized and promoted by the PRC Ministry of Transport. At least 24 global ports have cooperation agreements with LOGINK, which has the ability to collect massive amounts of sensitive business and foreign government data, such as corporate registries and vessel and cargo data. The U.S.-China Economic and Security Review Commission (USCC) recently identified this ability as a threat to the United States and reported that the Chinese Communist Party (CCP) plans to use LOGINK to strengthen its influence over international maritime trade and port infrastructure. LOGINK’s installation and utilization in critical port infrastructure very likely provides the PRC access to and/or collection of sensitive logistics data.
Nuctech Company, Ltd. (Nuctech) is a PRC State-Owned Enterprise (SOE) that manufactures and fields data-centric partially state-owned security inspection equipment at key logistic nodes worldwide. Nuctech equipment capabilities include x-ray, backscatter, and thermal platforms; explosives detection; non-intrusive products (e.g., baggage and parcel inspection (NIIE); Artificial Intelligence (AI); as well as facial cognition/recognition capabilities). Nuctech equipment access includes biometric information, personally identifiable information (PII), patterns of life and/or behavioral migrant patterns, cargo information, proprietary data, and geo-locational metadata. Several countries have raised concerns about contracts for security scanning equipment due to the company’s state ownership and ties to the Chinese Communist Party and the People’s Liberation Army. The United States added Nuctech to the Department of Commerce’s Entity List for its involvement in activities that are contrary to the national security interests of the United States. Specifically, the U.S. government determined Nuctech’s lower performing equipment impairs U.S. efforts to counter illicit international trafficking in nuclear and other radioactive materials. Lower performing equipment means less stringent cargo screening, raising the risk of proliferation.
2. Guidance: Maritime industry stakeholders exposed to these risks should apply cybersecurity best practices for Access Control (identity and access management), vulnerability mitigation, and configuration management, and should:
• Position themselves to increase their cybersecurity and cyber resiliency so as to respond to and report any incidents that could inhibit their ability to continue operations.
• Maintain a comprehensive understanding of data sharing and network access permissions, outlined within contractual agreements.
• Stress the importance of understanding and knowing who maintains access to the foreign maritime technology throughout any port or facility they utilize.
• Be wary of untrusted network traffic and treat all traffic transiting your network – especially third-party traffic – as untrusted until it is validated as legitimate.
• Ensure infrastructure operational resiliency, regarding system security, as well as the ability to maintain equipment and sourcing for critical parts and upgrades.
• Maintain fully recoverable backups and practice recovery from backups.
• Partner with industry, academia, and government to develop and maintain optimal cybersecurity hygiene by participating in information sharing exchanges and cyber drills and exercises.
The below mitigation measures can be utilized to reduce the risks associated with automated port cranes:
• Improve segmentation between the crane and other port systems/networks to reduce an adversary’s initial cyber access. Reduce unnecessary communications and network services between business and management networks and the crane network and disallow multi-homed systems across these networks.
• Utilize secure file transfer tools/maintain a secure file transfer to reduce the risk of malware when transferring files into the crane network, such as firmware updates, reducing dependency on removable media (e.g., USBs).
• Provide dedicated remote access systems and processes for access to crane devices to reduce the ability of adversaries’ initial cyber access and define formal policies and procedures for firewall rule changes needed to control access.
• Separate and segment crane management functions from crane operational systems to reduce cyber access by adversaries. Keep crane management functions (e.g., diagnostics, patching, programmable logic controller (PLC) program modification/updating) on separate segments and restrict modifications from crane operational systems, including the on-board and remote crane management systems (RCMS).
• Monitor all communications on the crane network, especially those between the crane and broader port operational and management systems. Monitor all communications paths used to connect to the crane, including from the RCMS remotely.
Verify the integrity and security of on-board crane devices and networks:
• Perform periodic integrity checks and validation of PLC application programs to ensure their correct/secure operation.
• Ensure on-board crane virtual local area network VLANs enforce segmentation of critical control devices. The VLANs should segment devices and communications supporting core control functions (e.g., PLCs, drives, I/O, etc.) from those used for non-critical functions (e.g., cameras, surveillance, etc.). Any devices from untrusted suppliers should also be segmented on a separate VLAN.
Maintain robust response and recovery programs to ensure key on-board crane systems and devices can be efficiently restored:
• Perform periodic backups of key software images and programs, including operating system images (crane management, cabin view, and ground view system), application programs for PLCs, and settings for other key devices (e.g., variable frequency drive (VFD), network switches). Make sure backups are stored offline. Periodically test backups and restoration procedures.
• Maintain spare hardware of key components, including PLCs, embedded/small form factor computers, and network devices. Ensure the organization has procedures on how to perform and test hardware rebuilds.
Ensure strong physical security and access control of devices and infrastructure used to operate and manage the crane:
• Ensure ground facilities used to support crane operations, including data closets, server rooms, and operator workstations have appropriate physical security controls.
• Keep on-board devices, such as PLCs, networking devices, and computers within locked data cabinets.
3. Contact Information: Maritime stakeholders who discover compromised or suspicious activity within the Marine Transportation System (MTS), or OT/IT assets should contact:
• U.S. Coast Guard National Response Center: 1-800-424-8802
• U.S. Coast Guard Cyber Command (CGCYBER), Maritime Cyber Readiness Branch (MCRB): maritimecyber@uscg.mil
• Cybersecurity and Infrastructure Security Agency (CISA) Central: 888-282-0870 or central@cisa.gov
• FBI’s Cyber Division: 855-292-3937 or CyWatch@fbi.gov
4. References:
• U.S. Coast Guard Maritime Industry Cybersecurity Resource Center
• Department of Homeland Security (DHS)/Cybersecurity and Infrastructure Security Agency (CISA) – Port Facility Cybersecurity Risks
• National Security Agency (NSA), ODNI, and DHS/CISA – Developers Recommended Practices Guide for Securing the Software Supply Chain
• U.S. – China Economic and Security Review Commission – LOGINK: Risks from China’s Promotion of a Global Logistics Management Platform
• Federal Register – Entry on the Entity List (Nuctech)
• Federal Bureau of Investigation (FBI) – Worldwide Threats to the Homeland
• H.R.7776 – James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (Section: 3529)
• ODNI – 2023 Annual Threat Assessment of the U.S. Intelligence Community
5. Cancellation: This message cancels U.S. Maritime Advisory 2023-002 and will automatically expire on February 19, 2024.