MARAD Advisory 2026-007: Chinese-Linked Port Equipment and Software Still Under Watch
The U.S. Maritime Administration has issued a refreshed advisory on cyber and physical risks posed by Chinese-linked port equipment and software, superseding advisory 2025-013 and valid through October 21, 2026.
An real updated advisory and not just a reissue
On April 24, 2026, the U.S. Maritime Administration (MARAD) published advisory 2026-007, cancelling and replacing advisory 2025-013. The document covers the same risk vectors as its predecessors — LOGINK, Nuctech scanners, and automated ship-to-shore cranes — but incorporates regulatory developments that give it more substance than a routine renewal.
The persistence of this advisory series is itself worth noting. MARAD has been issuing warnings on Chinese-linked port equipment since advisory 2023-009. Their regular renewal reflects both the durability of U.S. concerns and the absence of any practical resolution on the ground: ZPMC (Shanghai Zhenhua Heavy Industries) still holds the largest share of the global ship-to-shore crane market by sales revenue, and near-term replacement in American ports is not a realistic prospect.
Three vectors, one underlying concern
The advisory organizes its risk assessment around three categories of equipment and software, all connected by the same underlying concern: the potential collection of sensitive data for the benefit of Chinese state actors.
LOGINK is a single-window logistics management platform developed by China’s Ministry of Transport, aggregating data from ports, shipowners, freight forwarders, and public databases worldwide. At least 24 global ports have signed cooperation agreements with the platform. Its use is prohibited for U.S. government entities and federally funded companies under the National Defense Authorization Act for fiscal year 2023. The advisory also notes that China is actively promoting logistics data standards designed to encourage broader LOGINK adoption internationally.
Nuctech, a Chinese state-controlled company, manufactures security inspection equipment — X-ray, backscatter, and thermal platforms; explosives detection; facial recognition — deployed at critical logistics nodes around the world. The company has been on the U.S. Department of Commerce Entity List since December 2020, cited for activities contrary to U.S. national security interests. The risk is structural: Nuctech equipment collects biometric data, personally identifiable information, cargo details, and geolocation metadata in port environments.
Ship-to-shore cranes represent the third vector, and the one that has attracted the most developed regulatory response. Advisory 2026-007 introduces a notable piece of context: it explicitly identifies ZPMC as a subsidiary of China Communications Construction Company (CCCC), which the U.S. Department of the Army has designated as a Chinese military company operating in the United States. This characterization was not stated as directly in earlier versions of the advisory. ZPMC cranes can, depending on their individual configurations, be controlled, serviced, and reprogrammed from remote locations — the primary exposure vector described in the document.
MARSEC Directive 105-5 as the operational reference
The most substantive regulatory addition compared to earlier versions of the advisory is the explicit incorporation of USCG MARSEC Directive 105-5, published in the Federal Register in November 2024. This directive, which superseded Directive 105-4 issued in February 2024, sets out cyber risk management requirements for ship-to-shore cranes manufactured by companies from the People’s Republic of China.
Advisory 2026-007 builds on the technical guidance established by this framework. The overall approach rests on four principles: network segmentation, traffic monitoring, strict control of remote access, and a preference for physical on-site interventions when carrying out software or hardware updates.
On segmentation, the document recommends isolating crane management networks from other port systems, separating management functions (diagnostics, programmable logic controller updates, program modifications) from operational systems, and using dedicated VLANs for critical control devices on the one hand, and non-critical equipment such as surveillance cameras on the other. Systems from untrusted suppliers should also be placed on a separate VLAN.
On monitoring, the advisory calls for comprehensive surveillance of all traffic entering and leaving the crane network, including flows through the Remote Crane Management System (RCMS). Host activity on operational management systems should also be monitored.
The most operationally significant recommendation concerns vendor updates: the advisory explicitly calls on operators to require that update work be completed through physical visits to crane operating sites wherever possible, and to discourage remote updates. This reflects a concrete concern about software supply chain integrity that goes beyond the network perimeter alone.
A posture settling in for the long term
The regular publication of these advisories since 2023, combined with the emergence of a dedicated regulatory framework for ZPMC cranes through the MARSEC directives, points to a U.S. posture that is not temporary. Advisory 2026-007 also references the USTR Section 301 investigation report on China’s targeting of the maritime, logistics, and shipbuilding sectors — a document that places the cybersecurity concern within a broader industrial and geopolitical strategy.
For port operators outside the United States, this advisory carries no direct regulatory weight, but it remains a useful reference. The technical measures it describes — network segmentation, OT traffic monitoring, remote access controls, on-site vendor intervention — apply regardless of the national origin of the equipment involved. Several of these measures are also reflected in IMO guidelines on cyber risk management aboard ships (MSC-FAL.1/Circ.3) and in ENISA guidance on port cybersecurity. The question of whether mid-sized ports have the human and technical resources to implement them remains open, and is where the real gap between policy intent and operational reality tends to sit.