Maritime Security Directive 105–4: Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People's Republic of China Companies

Issuance of Maritime Security (MARSEC) Directive 105-4; Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People's Republic of China Companies

Dates

MARSEC Directive 105-4 is available on February 21, 2024.

Supplementary Information

Background and Purpose

MARSEC Directive 105-4 provides cyber risk management actions for owners or operators of PRC-manufactured STS cranes. Owners or operators of PRC-manufactured STS cranes should immediately contact their local COTP or cognizant District Commander for a copy of MARSEC Directive 105-4.

The Maritime Transportation Security Act's implementing regulations in 33 CFR parts 101-105 are designed to protect the maritime elements of the national transportation system. Under 33 CFR 101.405, the Coast Guard may set forth additional security measures to respond to a threat assessment or to a specific threat against those maritime elements. In addition, per 33 CFR 6.14-1, the Commandant "may prescribe such conditions and restrictions relating to the safety of waterfront facilities and vessels in port as the Commandant finds to be necessary under existing circumstances."

PRC-manufactured STS cranes make up the largest share of the global ship-to-shore crane market and account for nearly 80% of the STS cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave PRC-manufactured STS cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system.

As such, additional measures are necessary to prevent a Transportation Security Incident in the national transportation system due to the prevalence of PRC-manufactured STS cranes in the U.S., threat intelligence related to the PRC's interest in disrupting U.S. critical infrastructure, and the built-in vulnerabilities for remote access and control of these STS cranes.

Procedural

COTPs and District Commanders can access all MARSEC directives on Homeport by logging in and going to Missions > Maritime Security > Domestic Ports and Waterway Security > Policy. Owners and operators of PRC-manufactured cranes must contact their local COTP or cognizant District Commander to acquire a copy of MARSEC Directive 105-4. COTPs or cognizant District Commanders may provide this MARSEC Directive to appropriate owners and operators in accordance with SSI handling procedures.

Pursuant to 33 CFR 101.405, we consulted with the Department of State, Department of Defense, Department of Transportation/Maritime Administration, Department of Homeland Security, Transportation Security Administration, Cybersecurity and Infrastructure Security Agency, and National Maritime Intelligence-Integration Office.

All MARSEC Directives issued pursuant to 33 CFR 101.405 are marked as SSI in accordance with 49 CFR part 1520. COTPs and District Commanders will require individuals requesting a MARSEC Directive to prove that they meet the standards for a "covered person" under 49 CFR 1520.7, have a "need to know" the information, as defined in 49 CFR 1520.11, and that they will safeguard the SSI in MARSEC Directive 105-4 as required in 49 CFR 1520.9.

This notice is issued under authority of 33 CFR 6.14-1 and 101.405(a)(2) and 5 U.S.C. 552(a).