U.S. Department of Transportation
MSCI Advisory

2026-007-Worldwide-Worldwide-Foreign Adversarial Technological, Physical, and Cyber Influence

Description

This advisory supersedes and cancels U.S. Maritime Advisory 2025-013

1. Issue: This Advisory continues to alert maritime stakeholders of potential vulnerabilities to maritime port equipment, networks, operating systems, software, and infrastructure. Foreign companies manufacture, install, and maintain port equipment that may create vulnerabilities to global maritime infrastructure information technology (IT) and operational technology (OT) systems. In the past few years, the U.S. Government has published several documents (see paragraph 4 below) explaining the risks associated with integrating and utilizing China’s state-supported National Public Information Platform for Transportation and Logistics (LOGINK), Nuctech scanners, and automated ship-to-shore cranes worldwide.

LOGINK is a single-window logistics management platform that aggregates logistics data from various sources, including domestic and foreign ports, foreign logistics networks, shippers, shipping companies, public databases, and hundreds of thousands of users in China. China is promoting logistics data standards that support LOGINK’s widespread use, and LOGINK’s installation and utilization in critical port infrastructure very likely provide China with access to and/or collection of sensitive logistics data. U.S. law prohibits the use of LOGINK for U.S. government entities or U.S. companies receiving federal funding (see https://www.transportation.gov/mission/office-secretary/office-chief-information-officer/prohibited-platforms).

Nuctech Company, Ltd. (Nuctech) is a China state-controlled entity that manufactures and fields data-centric security inspection equipment at key logistic nodes worldwide. Nuctech equipment has access to biometric information, personally identifiable information (PII), patterns of life, cargo information, proprietary data, and geo-locational metadata. The United States added Nuctech to the Department of Commerce’s Entity List for its involvement in activities contrary to the national security interests of the United States (see 15 CFR Part 744).

Shanghai Zhenhua Heavy Industries Company Limited (ZPMC), a subsidiary of the China Communications Construction Company which has been identified by the Department of War as a Chinese military company operating in the United States, maintains the largest share, by sales revenue, of the ship-to-shore crane market worldwide. These cranes may, depending on their individual configurations, be controlled, serviced, and programmed from remote locations. These features may leave them vulnerable to exploitation. The U.S. Coast Guard (USCG) issued Maritime Security Directive 105-5 outlining cyber risk management requirements for ship-to-shore cranes manufactured by People’s Republic of China (PRC) companies (https://www.federalregister.gov/documents/2024/11/19/2024-26896/issuance-of-maritime-security-marsec-directive-105-5-cyber-risk-management-actions-for-ship-to-shore).

2. Guidance: Maritime industry stakeholders, including vessel owners/operators, shippers, and port operators should apply cybersecurity best practices for access control (identity and access management), vulnerability mitigation, and configuration management, and should:

  • Pay vigilant attention to USCG and Cybersecurity and Infrastructure Security Agency (CISA) notices and other alerts or advisories regarding identified cyber vulnerabilities which might impact their systems and diligently patch and update software to reduce vulnerabilities to known exploits as soon as possible.
  • Position themselves to increase their cybersecurity and cyber resiliency to respond to and report any incidents that could inhibit their ability to continue operations.
  • Maintain a comprehensive understanding of data sharing and network access permissions within contractual agreements.
  • Stress to their personnel the importance of understanding and knowing who maintains access to maritime technology throughout any port or facility they utilize.
  • Be wary of untrusted network traffic and treat all traffic transiting their networks – especially third-party traffic – as untrusted until it is validated as legitimate.
  • Develop, implement and practice robust recovery and reconstitution plans for critical information and operational technology (IT and OT) systems that:
    • Ensure infrastructure operational resiliency regarding system security, as well as the ability to maintain equipment and sourcing for critical parts and upgrades; and
    • Maintain fully recoverable backups and practice recovery from backups.
  • Partner with academia and government to develop and maintain optimal cybersecurity hygiene by participating in information sharing exchanges and cyber drills and exercises.

Additional information on Cybersecurity Best Practices can be found at CISA’s Cybersecurity Best Practices Webpage (https://www.cisa.gov/topics/cybersecurity-best-practices). The mitigation measures below should be utilized to reduce the risks associated with automated port cranes. Specifically, owners and operators of Chinese manufactured ship-to-shore cranes must:

  • Ensure compliance with U.S. Coast Guard Maritime Security Directives 105-4 and 105-5 (see paragraph 4, References);
  • Improve segmentation between the crane and other port systems/networks to reduce an adversary’s initial cyber access;
  • Reduce unnecessary communications and network services between business and management networks and the crane network and disallow multi-homed systems across these networks;
  • Utilize secure file transfer tools and maintain a secure file transfer process to reduce the risk of malware when transferring files, such as firmware updates, into the crane network, and reduce dependency on removable media (e.g., USBs);
  • Provide dedicated remote access systems and processes for crane devices which utilize and enforce Multifactor Authentication (MFA), and define formal policies and procedures for firewall rule changes needed to control access;
  • Separate and segment crane management functions from crane operational systems to reduce cyber access by adversaries. Keep crane management functions (e.g., diagnostics, patching, programmable logic controller (PLC) program modification/updating) on separate segments and restrict modifications from crane operational systems, including the on-board and remote crane management systems (RCMS);
  • Monitor all communications on the crane network (all ingress and egress traffic), especially those between the crane and broader port operational and management systems;
  • Monitor all communications paths used to connect to the crane, including remote connection from the RCMS;
  • Monitor host activities for operational management systems; and
  • Require vendor update completion through physical visits at crane operating sites whenever possible and discourage vendors from completing remote updates.
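
The segmentation and monitoring measures above can be audited against an asset inventory and network flow records. The following is an added example, not part of the advisory: the zone names, address ranges, hosts, flows and approved paths are all constructed assumptions.

```python
import ipaddress

# Constructed zone plan, inventory and flows: every name and address below is
# an assumption made for illustration, not a value from the advisory.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "crane_ops": ipaddress.ip_network("10.50.1.0/24"),
    "crane_mgmt": ipaddress.ip_network("10.50.2.0/24"),
}
CRANE_ZONES = {"crane_ops", "crane_mgmt"}
# Approved (source zone, destination zone, destination port) paths only.
ALLOWED_PATHS = {
    ("crane_mgmt", "crane_ops", 443),  # management host to crane systems
    ("business", "crane_mgmt", 22),    # secure file transfer drop point
}
INVENTORY = {  # host -> interface addresses
    "rcms-01": ["10.50.2.10"],
    "eng-laptop-7": ["10.10.4.23", "10.50.1.77"],
    "plc-gantry": ["10.50.1.5"],
}
FLOWS = [  # (source, destination, destination port)
    ("10.50.2.10", "10.50.1.5", 443),
    ("10.10.4.23", "10.50.1.5", 502),
    ("10.10.9.9", "10.50.2.10", 22),
    ("10.50.1.5", "203.0.113.40", 443),
]

def zone_of(addr):
    """Return the zone name containing addr, or 'external' if none does."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")

def multi_homed_hosts(inventory):
    """Hosts with an interface in a crane zone and another in a different zone."""
    flagged = {}
    for host, addrs in inventory.items():
        zones = {zone_of(a) for a in addrs}
        if zones & CRANE_ZONES and len(zones) > 1:
            flagged[host] = sorted(zones)
    return flagged

def unapproved_crane_flows(flows):
    """Cross-zone flows touching a crane zone that are not on the allowlist."""
    hits = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz and {sz, dz} & CRANE_ZONES and (sz, dz, port) not in ALLOWED_PATHS:
            hits.append((src, dst, port, sz, dz))
    return hits
```

A host bridging the crane operations and crane management zones is flagged as well, since those functions are meant to sit on separate segments.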

The integrity and security of on-board crane devices and networks should be verified by:

  • Performing periodic integrity checks and validation of PLC application programs to ensure their correct/secure operation; and
  • Ensuring on-board crane virtual local area networks (VLANs) enforce segmentation of critical control devices. The VLANs should segment devices and communications supporting core control functions (e.g., PLCs, drives, I/O, etc.) from those used for non-critical functions (e.g., cameras, surveillance, etc.). Any devices from untrusted suppliers should also be segmented on a separate VLAN.
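
A periodic integrity check of PLC application programs can be run as a hash comparison against a known-good baseline. The following is an added example, not part of the advisory; it assumes the programs have already been exported to files by the engineering tool, and the file names and contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large program exports are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(export_dir):
    """Record a baseline: relative path -> SHA-256 of each exported program."""
    root = Path(export_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_exports(export_dir, baseline):
    """Compare current exports to the baseline and classify every difference."""
    current = build_manifest(export_dir)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }

def demo():
    """Constructed scenario: one program changed, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hoist.prg").write_bytes(b"HOIST LOGIC v1")
        (root / "trolley.prg").write_bytes(b"TROLLEY LOGIC v1")
        (root / "gantry.prg").write_bytes(b"GANTRY LOGIC v1")
        # Round-trip through JSON, as a manifest kept offline would be.
        baseline = json.loads(json.dumps(build_manifest(root)))
        (root / "hoist.prg").write_bytes(b"HOIST LOGIC v1 + extra rung")
        (root / "gantry.prg").unlink()
        (root / "diag.prg").write_bytes(b"UNREVIEWED BLOCK")
        return verify_exports(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline manifest is only as trustworthy as its storage, so it belongs with the offline backups rather than on the crane network.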

Maintain robust response and recovery programs to ensure key on-board crane systems and devices can be efficiently restored:

  • Perform periodic backups of key software images and programs, including operating system images (crane management, cabin view, and ground view system), application programs for PLCs, and settings for other key devices (e.g., variable frequency drive (VFD) network switches). Make sure backups are stored offline. Periodically test backups and restoration procedures.
  • Maintain spare hardware of key components, including PLCs, embedded/small form factor computers, and network devices. Ensure the organization has procedures for performing and testing hardware rebuilds.

Ensure strong physical security and access control of devices and infrastructure used to operate and manage the crane:

  • Ensure ground facilities used to support crane operations, including data closets, server rooms, and operator workstations, have appropriate physical security controls.
  • Keep on-board devices such as PLCs, networking devices, and computers within locked data cabinets.
  • Ensure only cleared service personnel are allowed access to cranes under appropriate supervision.

3. Contact Information: Maritime stakeholders who discover compromised equipment or suspicious activity within the Marine Transportation System (MTS), or OT/IT assets should contact:

a) U.S. Coast Guard National Response Center: 1-800-424-8802
b) U.S. Coast Guard Cyber Command (CGCYBER), Maritime Cyber Readiness Branch (MCRB): maritimecyber@uscg.mil
c) Cybersecurity and Infrastructure Security Agency (CISA) Central: 888-282-0870 or central@cisa.gov
d) FBI’s Cyber Division: 855-292-3937 or CyWatch@fbi.gov

4. References:

U.S. Coast Guard Maritime Industry Cybersecurity Resource Center: https://www.uscg.mil/MaritimeCyber/

Department of Homeland Security (DHS)/Cybersecurity and Infrastructure Security Agency (CISA) - Port Facility Cybersecurity Risks: https://www.cisa.gov/sites/default/files/publications/port-facility-cybersecurity-risks-infographic_508.pdf

National Security Agency (NSA), ODNI, and DHS/CISA - Developers Recommended Practices Guide for Securing the Software Supply Chain:
https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF

Federal Register - Entry on the Entity List (Nuctech):
https://www.federalregister.gov/documents/2020/12/22/2020-28031/addition-of-entities-to-the-entity-list-revision-of-entry-on-the-entity-list-and-removal-of-entities

Federal Bureau of Investigation (FBI) - Worldwide Threats to the Homeland:
https://www.fbi.gov/news/testimony/worldwide-threats-to-the-homeland-111522

Public Law 117-263 - James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (Section: 3529): https://www.congress.gov/117/plaws/publ263/PLAW-117publ263.pdf

ODNI - 2024 Annual Threat Assessment of the U.S. Intelligence Community:
https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf

Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Best Practices Webpage: https://www.cisa.gov/topics/cybersecurity-best-practices

Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Primary Mitigations to Reduce Cyber Threats to Operational Technology: https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology

United States Coast Guard Maritime Security (MARSEC) Directive 105-4; Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People’s Republic of China Companies: https://www.federalregister.gov/documents/2024/02/23/2024-03822/issuance-of-maritime-security-marsec-directive-105-4-cyber-risk-management-actions-for-ship-to-shore

United States Coast Guard Maritime Security (MARSEC) Directive 105-5; Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People’s Republic of China Companies: https://www.federalregister.gov/documents/2024/11/19/2024-26896/issuance-of-maritime-security-marsec-directive-105-5-cyber-risk-management-actions-for-ship-to-shore

Section 301 Investigation, Report on China’s Targeting of the Maritime, Logistics, and Shipbuilding Sectors for Dominance: https://ustr.gov/sites/default/files/enforcement/301Investigations/USTRReportChinaTargetingMaritime.pdf

5. Cancellation of Prior Advisories:

This message cancels and supersedes U.S. Maritime Advisory 2025-013 and will automatically expire on October 21, 2026.

For more information about U.S. Maritime Alerts and Advisories, including subscription details, please visit https://www.maritime.dot.gov/msci/

Status:
Active