US crane software security bill poses shake up to equipment future

A new legislative bill is proposing stronger oversight on the procurement of overseas harbour cranes on the grounds of cybersecurity risk.

The Port Crane Security and Inspection Act of 2022 was introduced by US Congressman Carlos Gimenez on 25 January.

“With respect to newly constructed foreign cranes procured for use at a United States port determined… to be of high risk to port security or maritime transportation security and that connect to the cybersecurity network of such port, the Secretary of Homeland Security shall… before such crane is placed into service at such port, inspect such crane for potential security vulnerabilities,” the bill proposed.

No later than 180 days following enactment of the Act, authorities will assess the threat posed by security vulnerabilities of any existing or newly constructed foreign cranes.

Within five years after passing of the law, the US crane operators would be required to remove software manufactured by countries covered under the ban connected to a ports’ cyber network.

The Act added that it would cover foreign countries identified as a foreign adversary in Department of Homeland Security’s Annual Threat Assessment, or countries that the Secretary of Homeland Security, in coordination with the Director of National Intelligence, has identified as a foreign adversary not included in the threat assessment.

The term foreign crane will fall under the scope of any software or technology in such cranes connected into cyber infrastructure at a port located in the US, that was manufactured by an entity owned or controlled by a corporation based in a high-risk covered foreign country.

The bill could pose risks to future procurement of cranes from manufacturers such as China-based ZPMC, which is the world’s largest ship-to-shore harbour crane manufacturer.

ZPMC already has multiple pieces of equipment in the nation’s largest container ports including the Port of Los Angeles and Port Houston.

Other global competing crane manufacturing firms include Liebherr, based in Ireland, and Konecranes/Kalmar Global, based in Finland.

The introduction of the bill comes at a time when cyber risk is rapidly increasing in ports and maritime: just this week a number of European oil terminals were hit by an alleged ransomware attack.

In September last year Port Houston announced it was targeted in a cybersecurity attack in August, believed to have originated from a nation-state actor.