Ship-to-shore cranes, gate systems, terminal operating systems, and the Layer-1 question Executive Order 14116 made central.
Executive Order 14116 (Feb 2024) directed the US Coast Guard to issue cybersecurity rules covering vessels, harbors, ports, and waterfront facilities. The FY2024 NDAA included Section 7510 covering ship-to-shore cranes manufactured by entities of concern. The Volt Typhoon advisories specifically named US port infrastructure. The convergence: ports are now expected to know — and document — every connected device, including the ones that ship inside vendor-supplied operational equipment. CybrIQ identifies devices at the gate network, the terminal operating system, crane control networks, and the building systems on the terminal estate.
What's regulated and who's asking
- USCG cybersecurity rulemaking (2024 NPRM, FSP-related). Cybersecurity assessment, plan, response, and reporting requirements for MTSA-regulated facilities. Device inventory is the foundation of the assessment.
- 33 CFR 105 / 106 (Facility Security Plan, OCS Facility Security Plan). The existing MTSA framework now includes cyber posture as a recurring element.
- EO 14116. Directed cybersecurity action across the maritime sector; the USCG rulemaking follows.
- FY2024 NDAA Section 7510 (and related provisions). Ship-to-shore cranes manufactured by China-headquartered companies — particularly ZPMC — are flagged for assessment and risk action. The provision drives an inventory question: which cranes, and what's on the crane control network.
- USCG NVIC 01-20 (Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities). Industry-facing guidance that anticipates the formal rule.
- Port Security Grant Program (PSGP, FEMA). Cyber investments increasingly eligible; reporting requires documented baseline and post-investment delta.
- USCG Captain of the Port (COTP). Local-jurisdiction authority that increasingly includes cyber posture as part of facility inspection scope.
- Cyber-insurance carriers covering port operations. Application questions on OT segmentation, vendor-supplied equipment, and unauthorized-device monitoring.
Why the inventory question is hard for a port
- Ship-to-shore cranes are network-attached, vendor-supplied operational systems. The crane control network was historically considered the OEM's domain; the port may not have a full inventory of what's inside.
- Gate and terminal operating systems span multiple vendors. Gate cameras (OCR for container IDs), gate kiosks, RFID readers, weigh-in-motion sensors, and the terminal operating system that ties them together — each from different vendors, often with overlapping network presence.
- Tenant operators run their own networks. A port authority's network and a marine terminal operator's network often interconnect at points the port authority does not directly control.
- Vessel interfaces. Vessels physically docking at the facility may connect to port networks for various purposes; the inventory of those touchpoints is rarely maintained.
- Building automation systems (BAS) on the terminal estate. Warehouses, refrigerated container yards, administration buildings, and customs facilities each have building systems on networks the port IT team owns.
How CybrIQ identifies devices on a port network
- Switch-side, read-only signals. Identification from managed switches via SNMP with read-only credentials. No active scanning of crane control systems. No agents on terminal operating system servers. No traffic capture.
- Maritime-OT reference library. The Device DNA library identifies common crane control PLC families, gate camera and OCR system vendors, RFID reader classes, weigh-in-motion sensors, and TOS server families.
- Relabel-resistant identification for covered hardware. The Section 889 detection approach applies directly here. A camera shipped with one label but matching the Layer-1 fingerprint of a covered-entity vendor is identified by what it is, not by what its sticker says. See the Section 889 page for the methodology.
- Vendor-equipment-segment visibility. The networks the OEM may have considered its own are now inventoried by the port — every device on them, named.
- Tenant-boundary visibility. Where the port authority's managed-switch infrastructure reaches into tenant-operator interconnects, CybrIQ identifies what's at the boundary.
Reporting alignment
- FSP cybersecurity assessment (under USCG rulemaking). Per-segment inventory aligned with the facility's assessed scope.
- NDAA §7510-aligned crane-equipment evidence. The crane control network device inventory, with relabel-resistant identification against the covered-entity reference library.
- PSGP investment reporting. Baseline and post-investment device-visibility numbers for grant audit.
- USCG Area Maritime Security Committee (AMSC) reporting. Posture evidence for the regional coordination cycle.
- Cyber-insurance renewal evidence. Carrier questions answered with signed, current inventory exports.
Volt Typhoon and the port context
CISA AA24-038A explicitly named US port infrastructure as targeted for pre-positioning. The defensive question is concrete: which edge devices are on the port's networks today, and would a new one be visible inside the polling interval? CybrIQ's 30-second default cadence and unauthorized-device identification produce an answer to both. The deployment posture (customer-installed, no vendor cloud, no traffic capture) is the shape that fits a port authority's security plan and the USCG's emerging rulemaking simultaneously.
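An added illustration of the switch-side, read-only approach and the new-device question above, not CybrIQ's code or its Device DNA fingerprinting: it parses constructed `snmpwalk -On` output of the standard BRIDGE-MIB forwarding table (dot1dTpFdbPort) from two consecutive polls and reports MAC addresses that appeared, moved, or vanished. The switch, addresses, and authorized set are constructed, and keying on MAC address alone is an assumption of this example.

```python
import re

# BRIDGE-MIB dot1dTpFdbPort: index is the MAC as six decimal octets,
# value is the bridge port the address was learned on (0 = port not learned).
FDB_PORT_OID = ".1.3.6.1.2.1.17.4.3.1.2."
LINE_RE = re.compile(
    r"^" + re.escape(FDB_PORT_OID) + r"((?:\d{1,3}\.){5}\d{1,3}) = INTEGER: (\d+)$")

def parse_fdb(walk_text):
    """Turn `snmpwalk -On` output for dot1dTpFdbPort into {mac: bridge_port}."""
    table = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other OIDs, timeout messages, blank lines
        octets = [int(o) for o in m.group(1).split(".")]
        if max(octets) > 255:
            continue  # malformed index
        # Port 0 entries are kept: the address is still known to the switch.
        table[":".join(f"{o:02x}" for o in octets)] = int(m.group(2))
    return table

def diff_polls(authorized, previous, current):
    """Compare two consecutive polls of one switch against an authorized MAC set."""
    findings = []
    for mac, port in sorted(current.items()):
        if mac not in previous and mac not in authorized:
            findings.append(("new-unauthorized", mac, port))
        elif mac in previous and previous[mac] != port:
            findings.append(("moved", mac, port))
    for mac in sorted(set(previous) - set(current)):
        findings.append(("gone", mac, previous[mac]))
    return findings

# Constructed sample data: two polls of a hypothetical crane-segment switch.
AUTHORIZED = {"00:1c:06:ab:cd:01", "00:80:f4:10:20:30"}
POLL_1 = """\
.1.3.6.1.2.1.17.4.3.1.2.0.28.6.171.205.1 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.128.244.16.32.48 = INTEGER: 7
"""
POLL_2 = """\
.1.3.6.1.2.1.17.4.3.1.2.0.28.6.171.205.1 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.128.244.16.32.48 = INTEGER: 9
.1.3.6.1.2.1.17.4.3.1.2.2.66.172.17.0.5 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 0
Timeout: No Response from 192.0.2.10
"""

if __name__ == "__main__":
    for kind, mac, port in diff_polls(AUTHORIZED, parse_fdb(POLL_1), parse_fdb(POLL_2)):
        print(f"{kind:17} {mac} bridge-port {port}")
```

Many switches expose per-VLAN forwarding tables through Q-BRIDGE-MIB instead, so a full inventory walks that table as well.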
Schedule a port-authority briefing
The briefing takes 30 minutes. We walk through CybrIQ against your specific gate, crane, terminal, and BAS topology, your FSP scope, your NDAA §7510 crane-assessment posture, and your COTP cycle. Tenant-operator coordination is covered as needed.