Chinese cranes, old tech and vendor backdoors: Why U.S. ports are a national security risk
America’s commercial ports may look like economic engines – but in the eyes of foreign adversaries, they’re something else: a strategic seam in a single, connected battlespace. And that seam is fraying, as foreign hardware and unsecured or outdated systems come under active pressure from adversaries.
Booz Allen executives Dave Forbes and Brad Medairy argue that national security planners need to confront these risks as part of a single, connected battlespace. Medairy leads the firm’s cyber practice, while Forbes heads its physical and cyber practice. Speaking with Frank Cilluffo on the Cyber Focus podcast, they explained why the vulnerabilities aren’t hypothetical.
About 80% of the cranes used at U.S. ports are made by Chinese companies, many of them outfitted with communications gear that could be accessed or remotely manipulated. These systems move trillions of dollars in goods annually and play a critical role in military logistics – 17 of the 22 ports designated strategic by the Department of Defense are also commercial facilities.
“Our adversary doesn’t see the United States infrastructure environment as a Department of Defense, [or] a global economy, [or] a Department of Transportation,” Forbes said. “They see one connected battlespace with a … great number of seams.”
Forbes said what makes those seams so dangerous is that you don’t need a catastrophic attack to trigger chaos. A disruption is enough. That could come from a vendor connection left open, a port crane taken offline or a ransomware lockout that halts throughput. It’s the kind of interference that can ripple from the dock to the grocery store aisle – or into a vital DoD logistics chain – in a matter of days.
“It doesn’t need to be a devastating attack. It needs to be a disruption. It needs to be a distraction. It needs to be something that we’re worried about,” Forbes said, “throwing things off balance on our economy and national security posture.”
There’s precedent. Cyberattacks have already disrupted port operations in Seattle and Singapore, and the COVID-era supply chain gridlock proved how easily small delays can snowball into national problems. One blocked channel, one frozen terminal, and the system groans under its own weight.
Then there’s the issue of legacy OT systems, many of them built before cybersecurity was even a concern. “Right now, we’re actually able to VPN directly into your OT environment, because here is a comms link that wasn’t secured,” Medairy said, describing a real-world engagement with an OT operator that failed to understand how vulnerable their system had become despite efforts at segmentation and “castle wall” defenses.
What both argue is that security needs to be built on a different foundation. Medairy points out that while many OT systems were engineered for physical resilience and uptime, they weren’t built with the assumption that an adversary might already be inside. That’s where zero trust comes in – not as a slogan, but as a posture grounded in minimal trust and continuous verification. “Zero trust is a framework for actionable solutions … you are in an assumed-breach environment,” Forbes explained.
So what should port operators do now? Forbes outlined a checklist: visibility into the data flowing to and from material-handling equipment, prioritizing assets that cannot go down, and establishing alerts for anomalies that could disrupt operations. Medairy added that tabletop exercises using real-world campaigns such as Volt Typhoon can help make the risk tangible.
With “awareness and understanding of both the threat and the environment,” Medairy said, operators can move beyond abstract conversations and start making concrete choices about how to reduce their risk.
The full Cyber Focus episode can be found here, or you can subscribe in your favorite podcast app.