Proactive Strategies for Dynamic Risk Management: Addressing Cyber Vulnerabilities in Ship-to-Shore Cranes

The dynamic, multifaceted nature of regulatory risk came into focus this week when the U.S. government announced plans to invest billions into the domestic manufacturing of ship-to-shore cranes. This planned subsidy seeks to address national security concerns over China-manufactured cranes by lowering the commercial burden of replacing these cranes in U.S. ports. It also signals future intent to regulate the use of ZPMC cranes. We encourage commercial leaders to plan now for procuring replacement cranes for U.S. ports.

While other segments have for years been in the public focus — e.g., the risk of certain electronic components (Huawei in smartphones) — concerns over intelligence-gathering malware now extend from toothbrushes to cranes. U.S. policymakers are grappling with how to address cyber vulnerabilities in commercial manufacturing, electronics and critical infrastructure. Moreover, this subsidy — on the back of the 2022 CHIPS Act — may signal that the scope of U.S. industrial policy is widening as the U.S. seeks to build resilience in critical infrastructure ahead of a potential China-Taiwan conflict. This has important implications for forward-looking risk managers with manufacturing, logistics and supply chain remit.

Risk Events

  • On March 5, 2023, the WSJ published a report highlighting concerns from U.S. officials that ship-to-shore cranes manufactured by ZPMC had the potential to be used for spying in U.S. ports. An estimated 80% of ship-to-shore cranes in the U.S. are ZPMC-manufactured and run entirely on Chinese-made software.
  • On January 28, 2024, U.S. officials announced the takedown of a large Chinese hacking operation. Hackers accessed computer networks responsible for running critical infrastructure like air traffic control, clean water and power stations. The botnet of hacked devices reportedly consisted of outdated home and office routers.
  • On February 8, 2024, researchers from the cybersecurity firm Fortinet illustrated the hypothetical vulnerability of an internet-connected toothbrush and warned that a botnet can be created from any number of smart devices, including web cams, doorbells and appliances.
  • On February 21, 2024, U.S. officials announced plans to invest more than $20 billion over five years to boost crane manufacturing in the United States. The U.S. government has not disclosed evidence of state-sponsored spying via the crane software; however, U.S. military officials have reportedly avoided ports with ZPMC cranes when possible.

Implications for Risk Managers

What are the short-term and long-term business implications? What does the risk to U.S. critical infrastructure mean for U.S. businesses? How should we think about the convergence of information and physical security risk?

What is the likelihood that U.S. port operations are impacted or suspended due to concerns over ZPMC cranes?

  1. It is unlikely in the near term that the U.S. government bans or suspends the use of ZPMC cranes. Nearly 80% of ship-to-shore cranes in U.S. ports are ZPMC-manufactured. U.S. ports process nearly 43% of U.S. international trade, valued at $2.28 trillion. It stands to reason, then, that ZPMC cranes process an estimated $1.82 trillion of goods every year. Suspending ZPMC crane operations overnight would have catastrophic impacts on the U.S. economy and global trade.
  2. There are severely limited alternatives for procuring U.S.-manufactured ship-to-shore cranes. ZPMC cranes are reportedly well-made and inexpensive, making their replacement an expensive proposition. Replacing ZPMC cranes will require a multi-year financial strategy and close coordination between compliance officers, legal and risk management.
  3. The U.S. government’s announcement of a $20 billion subsidy over five years for U.S.-manufactured cranes is both an acknowledgement of these business challenges and a long-term signal that the U.S. intends to regulate the future use of critical infrastructure components manufactured offshore.

What does the risk to U.S. critical infrastructure mean for businesses?

  1. Incidents involving critical infrastructure have been on the rise over the past two years. Recent reporting on the cyber vulnerability of this infrastructure further highlights the importance of tracking incidents involving critical infrastructure and developing robust mitigation strategies for when local infrastructure is compromised. Consider incorporating critical infrastructure failures into your next planning session, tabletop exercise (TTX) or other risk management exercise.
  2. For risk managers of critical infrastructure, explore public-private partnerships to identify cyber vulnerabilities within your ecosystem — from routers to large cranes. U.S.-based companies should consider joining InfraGard, which has the explicit mission of critical infrastructure protection in collaboration with the FBI, in addition to OSAC, DSAC and regional chapters of professional organizations (ACP, ASIS, AIRIP, etc.). Maritime port operators may also consider reaching out to the U.S. Coast Guard Cyber Protection Team (CPT) and local port authorities.

Within private sector executive teams, how should we think about the convergence of information and physical security risk?

  1. Siloed strategies for mitigating different types of risk (physical, cyber and regulatory) will severely limit organizational resilience today and in the future. Risk managers who work together to create a holistic mitigation approach will better protect their organizations and give executives the complete picture of how threats impact the business.
  2. Physical security without cyber hygiene is like fighting with our hands tied behind our back. Bad actors, including state-sponsored espionage groups, do not need physical access to a site to damage property, steal confidential information or compromise employee safety. Having a process for internally sharing all types of security incidents, together with technology to identify and track dynamic risk, will go a long way toward managing today’s risk environment.

The mission can feel daunting and the path forward unclear. If you’d like to continue this discussion, provide feedback or are looking for assistance, OnSolve is here to help.

(Information cut-off date 1000 PT, February 21, 2024)

Nick Hill

Nick Hill is Senior Analyst, Global Risk and Intelligence Services, where he drives intelligence analysis and services implementation to help customers mitigate dynamic risks and strengthen organizational resilience. Prior to his current role, Nick led product development and services implementation for a physical security provider leveraging AI to improve critical incident management. Nick is a former security manager overseeing travel risk management, risk intelligence, and global security operations, and previously served in the Marine Corps overseeing strategic intelligence analysis and production. For more real-time risk and resilience insights follow Nick on LinkedIn.