Please ensure Javascript is enabled for purposes of website accessibility
Upcoming Event

Best Places to Work in Virginia

Hamburger Menu Hamburger Menu

Tag: cranes

Spies in the sky?

High-level federal concerns over Chinese-made ship-to-shore cranes ramped up in February after President Joe Biden issued an executive order addressing cybersecurity and espionage risks the cranes pose at U.S. ports.

Then in early March, a congressional investigation revealed cellular modems had been found on some Chinese crane components at a U.S. port and a modem
was discovered in another port’s server room — although the specific ports were not disclosed — according to The Wall Street Journal.

Chinese state-owned Shanghai Zhenhua Heavy Industries Co., known as ZPMC, manufactures about 80% of all cranes in use at U.S. ports — including all 27 of the Port of Virginia’s ship-to-shore cranes. The port has eight more cranes on order from ZPMC, including four that will be delivered in December and another four set to be delivered in August 2025.

However, notes Cathie Vick, the Virginia Port Authority’s chief development and public affairs officer, there have been no reports of cybersecurity breaches involving Port of Virginia cranes, and the federal government has not alerted the port about any instances of Chinese espionage involving Virginia cranes.

Nonetheless, “it’s incumbent on the industry to stay vigilant,” says Derek Miller, the American Association of Port Authorities’ government relations director.

During congressional testimony in late February, Rear Adm. John Vann, commander of the U.S. Coast Guard Cyber Command, said the Coast Guard had found “vulnerabilities that are there by design” in crane software networks but had not found malware or Trojan horse-type software.

At the Port of Virginia, “before any new cranes are put into service, they are subject to a detailed forensic cyberanalysis that is performed by one of the nation’s federal law enforcement agencies,” Vick said in a Feb. 21 statement after Biden released his executive order expanding the Coast Guard’s authority to address cybersecurity concerns. “New cranes awaiting analysis are isolated with dedicated firewalls to ensure there is no contact with port networks or the internet.”

Additionally, the port undergoes regular cybersecurity exercises with federal entities, and some of the regulations implemented in Biden’s executive order, like mandatory reporting of cybersecurity incidents or active cyberthreats, were already included in the port’s protocols.

The AAPA is supportive of the Biden administration’s actions, Miller says, “particularly the executive order, which really was aimed at bringing the Coast Guard’s authorities when it comes to cybersecurity up to the level that they are with physical security.”

The White House also announced it would direct more than $20 billion in federal funds to invest in port infrastructure over the next five years, including supporting domestic manufacturing of cranes from a U.S.-based subsidiary of Japanese company Mitsui E&S Co.

Following Biden’s order, members of two U.S. House of Representatives committees sent a letter to ZPMC that made public the investigators’ discovery of modems at U.S. ports. The Coast Guard also issued a Feb. 23 directive listing risk management steps for owners and operators of Chinese-made ship-to-shore cranes.

“Obviously, the Port of Virginia will follow whatever the directions are and the law, but having said that … there’s been no, at least publicized, documented issue with the cranes in terms of their software,” says Aubrey Layne Jr., board chair of the Virginia Port Authority. “And so … for the policies to come out, that was a little bit perplexing.

“Any Chinese-owned companies now are being scrutinized, and we get it, so we want to make sure that we are compliant, but it is very political right now, and we’re trying to stay out of all that,” notes Layne, who served as Virginia’s secretary of finance and, before that, the state’s transportation secretary. “We’re just trying to run our business in a safe way for the American people.”  

Biden executive order on Chinese cranes affects Port of Va.

President Joe Biden issued an executive order Wednesday addressing cybersecurity and espionage concerns over Chinese-made cranes in use at U.S. ports, including the Port of Virginia. Additionally, the Biden administration announced a plan to invest $20 billion on infrastructure security at U.S. ports, including support for domestic manufacturing of ship-to-shore cranes.

National security concerns about espionage and other cyber crime risks associated with ship-to-shore cranes manufactured by Shanghai Zhenhua Heavy Industries Co., known as ZPMC, became public in March 2023 following a report from The Wall Street Journal. ZPMC is owned by the Chinese government, and its major shareholder is China Communications Construction Co.

In a press briefing on Tuesday, Rear Adm. John Vann, commander of the U.S. Coast Guard Cyber Command, said: “The People’s Republic of China-manufactured ship-to-shore cranes make up the largest share of the global market and account for nearly 80% of cranes at U.S. ports. By design, these cranes may be controlled, serviced and programmed from remote locations. These features potentially leave PRC-manufactured cranes vulnerable to exploitation.”

Federal officials would not disclose if there have been any known cybersecurity incidents associated with the ZPMC cranes.

The issue is so critical, Vann said on Tuesday, because “America’s system of ports and waterways accounts for over $5.4 trillion of our nation’s annual economic activity, and our ports serve as a gateway for over 90% of all overseas trade.”

All 27 of the Port of Virginia’s ship-to-shore cranes were manufactured by ZPMC, according to Cathie Vick, the Virginia Port Authority’s chief development and public affairs officer. The port also has four cranes on order from ZPMC that will be delivered to the Virginia International Gateway terminal in December 2024 and another four cranes that will be delivered to Norfolk International Terminals in August 2025, Vick said Wednesday.

Biden’s executive order expands the Coast Guard’s authority to address cybersecurity concerns. Additionally, the Coast Guard will issue a maritime security directive listing risk management steps for owners and operators of Chinese-made ship-to-shore cranes.

“Before any new cranes are put into service they are subject to a detailed forensic cyber analysis that is performed by one of the nation’s federal law enforcement agencies,” Vick said in a statement. “New cranes awaiting analysis are isolated with dedicated firewalls to ensure there is no contact with port networks or the internet.

“At the Port of Virginia, we take the issue of cybersecurity very seriously and work continuously to protect our operations against outside threats,” Vick continued in the statement. “As part of this effort, we undertake regular cybersecurity exercises that include close collaboration with several federal entities [and] partners in Hampton Roads to ensure readiness for multiple types of cyber events or threats. We are confident that our protocols will satisfy the requirements of the executive order.”

Biden’s executive order broadens the Coast Guard’s authority to address cyber threats, including granting the authority “to control the movement of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure,” according to the White House.

Some of the cybersecurity regulations implemented in the executive order, including mandatory reporting of cybersecurity incidents or active cyber threats and inspections of relevant vessels and facilities, were already voluntarily included in the Port of Virginia’s protocols, Vick said.

The Biden administration will also direct more than $20 billion to port infrastructure investments over the next five years, including supporting domestic manufacturing of cranes, according to a White House news release. That will include funding to help Paceco, a U.S.-based subsidiary of Japanese company Mitsui E&S Co., to manufacture ship-to-shore cranes in the United States. Paceco previously manufactured cranes in the U.S. from 1958 until the late 1980s, according to the White House.

Currently, no cranes comparable to ZPMC’s are manufactured in the U.S., according to reporting from The Wall Street Journal, and an alternative crane used by some U.S. ports from Finnish company Konecranes costs about a third more.

Speaking to reporters Tuesday, Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technologies, said that the administration is not looking at a “rip and replace” strategy for ship-to-shore cranes already in use, but instead was focused on setting cybersecurity requirements “to secure the existing infrastructure” and to also make sure that ports “can go [back] to buying trusted cranes and to bringing back [crane] manufacturing to the United States, given how important cranes are to port operations.”

At this time, the Virginia Port Authority does not have plans to replace its ZPMC-made cranes, and port officials have not had any discussions with the federal government about that, Vick said.

Neuberger said that while the executive order “certainly ties to particular concerns about Chinese cyber activity, we also have concerns regarding criminal activity.” She cited a criminal ransomware attack that disrupted the Port of Nagoya in Japan for more than two days in July 2023.

There have been no reports of cybersecurity breaches affecting Port of Virginia cranes, according to Vick. The federal government has not alerted the port to any instances of cranes in Virginia being used for espionage.

“We are confident that all of the cranes owned and operated by the Port of Virginia are safe and secure and will already comply with the parameters set forth in the executive order,” Vick said in a statement. “We employ best practices and will continue to collaborate with multiple federal law enforcement agencies to ensure the equipment we purchase, own and operate is here for its intended use, which is to move cargo.”

Port cranes: Cause for concern?

The Port of Virginia may have as many as 30 Chinese ship-to-shore cranes that have come under scrutiny from Pentagon officials over national security concerns. Five more cranes are scheduled for delivery next year.

Manufactured by state-owned company Shanghai Zhenhua Heavy Industries Co., known as ZPMC, the cranes are a possible security risk, according to a March report from The Wall Street Journal. U.S. defense and national security officials have voiced concerns that China could gather information about materiel shipments supporting U.S. military operations by using sensors on the cranes that can track containers’ origins and destinations. They told the Journal that the cranes also could be vulnerable to remote access attacks that could disrupt shipping.

A U.S. Department of Transportation study examining whether cranes from foreign manufacturers pose security risks is due by the end of the year.

The WSJ story came amid heightened U.S. concerns about Chinese spying, including the surveillance balloon saga in February and Gov. Glenn Youngkin’s decision late last year to remove Virginia from consideration for a $3.5 billion Ford Motor Co. battery plant due to its ties to a Chinese company. Following the U.S. reports about the cranes, South Korea said it would inspect its ZPMC-made cranes.

The American Association of Port Authorities, however, disputed the existence of a threat in a statement: “There have been no known security breaches as the result of any cranes at U.S. ports, despite alarmist media reports. Further, modern cranes are very fast and sophisticated, but even they can’t track the origin, destination or nature of the cargo.”

However, a bad actor could use a crane’s camera system to view a container’s serial number and then track it, says Chris Wolski, a former information security officer for Port Houston. One could also potentially disable crane systems by overriding safety sensors or causing false readings.

Even so, gathering materiel shipments’ origins and destinations wouldn’t be very useful, says Lonnie Henley, a retired intelligence officer and a Foreign Policy Research Institute senior fellow. “If I had information like that and had all the processing power in the world, I’m still not sure what military operational benefit I can gain from it.”

Virginia Port Authority spokesperson Joe Harris declined to confirm the port’s number of ZPMC-made cranes.

In January, the Port of Virginia announced it had finalized a $61.6 million purchase of five ZPMC-manufactured cranes that will be able to handle ultra-large container vessels. Delivery is set for December 2024, and the 1,827-ton cranes will replace two units at the Virginia International Gateway and three at the Norfolk International Terminals.

The port began using ZPMC cranes in 2000. The Newport News Marine Terminal’s crane, which has been in service since 1982, appears to be the only crane at the port made by a different manufacturer.

“We are confident that all of the cranes owned and operated by the Port of Virginia are safe and secure,” Harris said in a statement. “We employ best practices and will continue to collaborate with multiple federal law enforcement agencies to ensure the equipment we purchase, own and operate is here for its intended use, which is to move cargo.”

One way port authorities can mitigate risks from foreign-made technology, Wolski says, is by conducting a post-delivery systems check of the system code. “Anything that’s connected to a computer network is vulnerable to a cyberattack. It’s a matter of how well they’ve set up the defense for the cybersecurity of the organization and of the equipment.”

The Port of Virginia appears to be taking these precautions, according to a statement from Harris: “Before any new cranes are put into service, they are subject to a detailed forensic cyberanalysis that is performed by one of the nation’s federal law enforcement agencies. New cranes awaiting analysis are isolated with dedicated firewalls to ensure there is no contact with port networks or the internet.”  

April 2023 Top Five

The top five most-read daily news stories on VirginiaBusiness.com from Feb. 14 to March 13 included an update on the Lego Group’s Chesterfield County factory, which is expected to begin production in 2025.

1  |  Lego to hire 500 Chesterfield employees by year’s end

The Danish toymaker expects to create more than 1,760 jobs at its $1 billion Meadowville Technology Park manufacturing plant. (Feb. 20)

2  |  Feds say Chinese cranes used at Port of Virginia could be spy tools

The port has more than 20 cranes made by Chinese company ZPMC, with five more on order for next year. U.S. defense officials have voiced concerns about the cranes’ potential for espionage. (March 8)

3  |  Amazon delays construction on HQ2

Even as it prepares for the June opening of the first phase of its $2.5 billion East Coast headquarters in Arlington County, Amazon.com Inc. announced it was delaying the project’s second phase. (March 3)

4  |  Aument to step down from AECOM leadership role

Jennifer Aument, AECOM’s Arlington-based transportation chief executive, plans to step down from her job this spring, a decision she reached after surviving breast cancer. (Feb. 22)

5  |  DXC rejects buyout proposal from Asian firm

Ashburn-based Fortune 500 company DXC Technology Inc. ended buyout talks after Baring Private Equity Asia failed to raise enough capital. (March 7)

Feds say Chinese cranes used at Port of Va. could be spy tools

The Port of Virginia may have as many as 30 Chinese ship-to-shore cranes that have come under scrutiny from Pentagon officials over national security concerns, and the port has five more on delivery for next year.

The cranes made by Shanghai Zhenhua Heavy Industries Co., known as ZPMC, a state-owned company whose major shareholder is China Communications Construction Co., are a possible security risk, according to a report from The Wall Street Journal, as U.S. defense and national security officials voiced concerns that China could use technology in the cranes to gather information about materiel being shipped to support U.S. military operations. ZPMC cranes contain sensors that can track containers’ origins and destinations, and the cranes also could be vulnerable to remote access attacks that could disrupt shipping, Pentagon and national security officials told the Journal.

The story comes amid heightened U.S. concerns about Chinese spying, including the recent surveillance balloon saga and Gov. Glenn Youngkin’s decision late last year to remove Virginia from consideration for a $3.5 billion Ford Motor Co. battery plant with ties to a Chinese company.

Virginia Port Authority spokesperson Joe Harris declined to confirm the port’s number of ZPMC-made cranes, although the port has announced purchases and arrivals of ZPMC cranes over the past few years.

The American Association of Port Authorities disputes the existence of a threat. “There have been no known security breaches as the result of any cranes at U.S. ports, despite alarmist media reports,” the association said in a statement. “Further, modern cranes are very fast and sophisticated, but even they can’t track the origin, destination or nature of the cargo.”

Operational technology devices such as cameras, weight sensors and safety sensors are often integrated into equipment systems and are largely the cause for defense officials’ concern around ZPMC’s cranes, said Chris Wolski, a former information security officer for Port Houston.

Potential espionage scenarios include using a crane’s camera system to view a container’s serial number and determine where a container was loaded in order to track it, he said. A bad actor could also disable crane systems and stop cargo operations by overriding safety sensors or causing false readings. “Things like that, if they’re not under control or could be remotely controlled by another party, then you can have potential security concerns,” Wolski said.

Gathering materiel shipment data — origins, destinations and manifests — wouldn’t provide much useful information, said Lonnie Henley, a retired intelligence officer and a senior fellow with the Foreign Policy Research Institute’s Asia program. “If I had information like that and had all the processing power in the world, I’m still not sure what military operational benefit I can gain from it,” he said, adding that clandestine shipments would likely already have obfuscated manifests.

In January, the Port of Virginia announced it had finalized the purchase of five ZPMC-manufactured cranes for $61.6 million. Delivery is set for December 2024, and the 1,827-ton cranes will replace two existing units at the Virginia International Gateway and three in the South Berth at Norfolk International Terminals. Able to handle ultra-large container vessels, the new cranes can reach across a vessel that is 26 containers wide, about three to four containers farther than most cranes can reach.

The Port of Virginia first began using ZPMC cranes in 2000. The Newport News Marine Terminal’s crane, which has been in service since 1982, appears to be the only crane at the port made by a different manufacturer — Crane Materials International (CMI). Harris did not answer a request for confirmation that the Newport News terminal’s crane is the sole one made by a manufacturer other than ZPMC.

In October 2022, the Virginia Port Authority sold three ZPMC ship-to-shore cranes and their replacements parts to Haina International Terminals, the operator of the Río Haina Port in the Dominican Republic, for $50,000 for each crane and $50,000 for associated replacement parts.

By the end of 2023, the U.S. Department of Transportation’s maritime administrator, working with the Department of Defense and others, is required to produce an unclassified study examining whether cranes from foreign manufacturers pose security risks to American ports. The requirement comes from part of the $850 billion National Defense Authorization Act passed in December 2022.

Heightened U.S.-China tensions

The reported security concerns about the cranes come amid a time of heightened tensions between the U.S. and China, whose foreign ministry spokesperson said on Monday that U.S. concerns about ZPMC cranes were “complete paranoia.” In February, the U.S. Air Force shot down a balloon off the coast of South Carolina that Biden administration officials identified as a Chinese high-altitude surveillance balloon. The U.S. began tracking the balloon’s progress on Jan. 28 as it crossed from Alaska to Canada to Idaho and the East Coast.

On Tuesday, a group of 12 bipartisan senators led by U.S. Sen. Mark Warner, D-Virginia, chairman of the Senate Select Committee on Intelligence, and Sen. John Thune, R-South Dakota, introduced legislation that would allow the Department of Commerce to review and prohibit “transactions involving information and communications technology products in which any foreign adversary has any interest and poses undue or unacceptable risk to national security.” The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act could ultimately allow the executive branch to ban TikTok.

In his opening statement for the Senate Intelligence Committee’s open hearing on worldwide threats on Wednesday, Warner said, “The [People’s Republic of China] has … become an active player in the international technology standards-setting bodies and is embedding itself in global supply chains. All this is why the United States must aggressively invest in the talent, tools and research to lead in tomorrow’s technologies.”

In late February, the Biden administration was considering revoking U.S. suppliers’ export licenses for sales to Chinese telecom company Huawei Technologies Co. The federal government has previously banned other Huawei products for sale and import in the U.S. over concerns that the devices could be used by Beijing for espionage.

In January, Youngkin confirmed he had pulled Virginia out of consideration for a $3.5 billion Ford Motor Co. electric vehicle battery plant, citing concerns over the involvement of China-based Contemporary Amperex Technology Ltd. (CATL), which would operate the plant. In February, Ford announced it would build the plant in Michigan.

ZPMC has about 70% of the world market share for large-scale cranes for handling port containers and bulk materials like ore and coal, according to its website, and its products have entered 104 countries. Nearly 80% of the cranes in use at U.S. ports are made by ZPMC, according to The Wall Street Journal.

No cranes comparable to ZPMC’s are manufactured in the U.S., The Wall Street Journal reported, and an alternative used by some U.S. ports from Finnish company Konecranes costs about a third more. The AAPA advocates for government support for U.S. production of port equipment and plans to unveil a bill outlining its envisioned support at its summit later this month.

One step port authorities can take to mitigate risks from foreign-made technology, Wolski said, is conducting a post-delivery systems check including examining the system code and eliminate places for potential backdoor access. “Anything that’s connected to a computer network is vulnerable to a cyberattack,” Wolski said. “It’s a matter of how well they’ve set up the defense for the cybersecurity of the organization and of the equipment.”

Some ports also mitigate risks by using software from Swiss company ABB Ltd. with the cargo cranes instead of using ZPMC’s software, according to The Wall Street Journal. Harris did not respond to a request about which software the Port of Virginia runs on its cranes.

Nevertheless, the Port of Virginia appears to already be taking cybersecurity precautions around the cranes, according to a statement from Harris: “Before any new cranes are put into service, they are subject to a detailed forensic cyberanalysis that is performed by one of the nation’s federal law enforcement agencies. New cranes awaiting analysis are isolated with dedicated firewalls to ensure there is no contact with port networks or the internet.”

Editor’s note: This article has been amended to reflect the total possible number of ZPMC-made cranes used by the Port of Virginia.