Maritime Security Directive 105 5: Cyber Risk Management Actions for Ship to Shore Cranes Manufactured by People's Republic of China Companies

Issuance of Maritime Security (MARSEC) Directive 105-5; Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People's Republic of China Companies

DATES:

MARSEC Directive 105-5 has been available since November 13, 2024.

SUPPLEMENTARY INFORMATION:

Background and Purpose

MARSEC Directive 105-5 outlines requirements in addition to those previously promulgated via MARSEC Directive 105-4 on cyber risk management actions for owners or operators of STS cranes manufactured by PRC companies. MARSEC Directive 105-4 was issued on February 21, 2024 and was announced in a notice of availability published on February 23, 2024. 89 FR 13726 (February 23, 2024). Owners or operators of STS cranes manufactured by PRC companies should immediately contact their local COTP or cognizant District Commander for a copy of MARSEC Directive 105-5.

The Maritime Transportation Security Act's implementing regulations in 33 CFR parts 101-105 are designed to protect the maritime elements of the national transportation system. Under 33 CFR 101.405, the Coast Guard may set forth additional security measures to respond to a threat assessment or to a specific threat against those maritime elements. In addition, per 33 CFR 6.14-1, the Commandant "may prescribe such conditions and restrictions relating to the safety of waterfront facilities and vessels in port as the Commandant finds to be necessary under existing circumstances."

STS cranes manufactured by PRC companies make up the largest share of the global ship-to-shore crane market and account for nearly 80% of the STS cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave STS cranes manufactured by PRC companies vulnerable to exploitation, threatening the maritime elements of the national transportation system.

As such, additional measures are necessary to prevent a Transportation Security Incident in the national transportation system due to the prevalence of STS cranes manufactured by PRC companies in the U.S., threat intelligence related to the PRC's interest in disrupting U.S. critical infrastructure, and the built-in vulnerabilities for remote access and control of these STS cranes.

Procedural

Owners and operators of STS cranes manufactured by PRC companies must contact their local COTP or cognizant District Commander to acquire a copy of MARSEC Directive 105-5. COTPs or cognizant District Commanders may provide this MARSEC Directive to appropriate owners and operators via email, mail or fax in accordance with Sensitive Security Information (SSI) handling procedures.

Pursuant to 33 CFR 101.405, we consulted with the Department of State, Department of Defense, Department of Transportation/Maritime Administration, Department of Homeland Security, Transportation Security Administration, Cybersecurity and Infrastructure Security Agency, and National Maritime Intelligence-Integration Office.

All MARSEC Directives issued pursuant to 33 CFR 101.405 are marked as SSI in accordance with 49 CFR part 1520. COTPs and District Commanders will require individuals requesting a MARSEC Directive to prove that they meet the standards for a "covered person" under 49 CFR 1520.7, have a "need to know" the information, as defined in 49 CFR 1520.11, and that they will safeguard the SSI in MARSEC Directive 105-5 as required in 49 CFR 1520.9.

This notice is issued under authority of 33 CFR 6.14-1 and 101.405(a)(2) and 5 U.S.C. 552(a).