iStock-509671666

Modern supply chains are to global trade what veins are to humans: a delicate web of interconnected processes that enable the free flow of food, medicine, clothing, raw materials and other essential products around the world.  

The longer and more complex the supply chain, the more target-rich it becomes. It’s a magnet that attracts tech-savvy and determined cybercriminals, organized crime, terrorist groups and others with truckloads of bad intent.

Whether lurking in the shadows or hiding in plain sight, these criminals probe company supply chains for gaps and weaknesses that can be breached and exploited for financial, political or ideological gain.

Keep reading to learn about:

  • Supply Chain Enemies
  • Supply Chain Targets
  • The Costs of Supply Chain Disruption
  • Six Major Threats to Your Supply Chain
  • Creating a Supply Chain Security Strategy
  • Four Best Practices for Securing Your Supply Chain
  • How to Conduct a Supply Chain Risk Assessment
  • Model of Continuous Supply Chain Security Improvement
  • Supply Chain Security Maturity Model

Know Your Enemies

supply-chain-hacker

Modern supply chain enemies commonly belong to one of the following groups:

  • Nation-states: Conduct espionage, cyber warfare and target government agencies, infrastructure, energy and organizations with vast stockpiles of intellectual property.
  • Insiders: Disgruntled or compromised employees, as well as trusted third parties with access to sensitive data, who are outside your control and oversight.
  • Terrorists organizations: Use physical and cyberattacks to achieve mass casualties and maximum disruption against targeted groups, nations, government entities, infrastructure and the energy sector.
  • Organized Crime: Engages in the theft of financial or personal identity information (often with the help of insiders) from retailers, financial institutions and healthcare providers.
  • Product diverters and counterfeiters: Target high-value, high-demand product supply chains, e.g. pharmaceutical, health and beauty, alcoholic beverages. They divert products, adulterate contents, modify packaging and sell them through unlawful channels of distribution.
  • Hacktivists: Lone wolves, hacker collectives or social justice warriors with specific agendas who aim for service disruptions or reputation damage.
  • Pirates: Sophisticated, smart and heavily armed—they roam the coasts of East and West Africa seizing oil tankers and cargo ships for profit, often holding their crews for ransom.

Know Their Targets

cargo-port-containers

From the manufacturing floor to the consumer’s hands, any of the following areas could become a target.

Supply Chain Logistics Targets

  • Transportation modes: truck, rail, air, sea, intermodal
  • Cargo transfer points
  • Ports of entry: rail, air cargo, freight terminals, seaports
  • Distribution centers and warehouses
  • Retail and wholesale channels, e-Commerce merchants

Supply Chain Hardware / Software Targets:

  • Fleet performance optimization software
  • Cargo tracking platforms
  • Global supplier platforms
  • Sales and distribution management software
  • Pricing and procurement platforms

Know the Costs

man-with-stomach-pain

  • Production decreases and delays
  • Missed sales goals and revenue targets
  • Health and safety issues, sometimes life-threatening
  • Shaken customer loyalty and perceived brand value

Six Major Threats to Your Supply Chain

world-future-of-supply-chain-survey-results

Source: Supply Chain Risk 2020: New Worries, Forbes, October 6, 2017

As technology, shifting trade policies, the geopolitical landscape and global commerce cross paths, supply chain threats emerge. They are numerous, and often unpredictable, like earthquakes, hurricane, and other natural disasters. We’ve grouped them into six threat categories.

blurred-image-2.jpg

1. Domestic & Regulatory

  • Industry-specific shifts within countries, i.e. serialization rules for medicines
  • Electronic device mandate for the U.S. trucking industry
  • Shifts in tax regimes, as seen in the U.S., India and Australia
  • Layers of regulatory compliance

Example: The Electronic Logging Device (ELD) Mandate requires the use of an ELD to automatically record a truck’s driving time to more accurately monitor a driver’s hours of service to reduce the risk of crashes and chronic health conditions connected with lack of sleep. Any unexpected delays can put a driver over the 11-hour driving limit per day. Exceed it and they face strict penalties.

blurred-image-2.jpg

2.  Political and International Policy

  • Shifts in a country’s stance toward imports and exports
  • Participation (or lack of) in existing international institutions
  • America’s focus on Buy American policies
  • Global trade and tariff disputes
  • Political and civil unrest

Example: In July 2018, the US implemented a first round of tariffs on $34 billion of imports from China.  China retaliated with tariffs on an equivalent amount of imports from the United States. Because of this disruption, China and the US could lose income of up to 3.5% ($426 billion) and 1.6% ($313 billion), respectively.

blurred-image-2.jpg

3. Cataclysmic

  • The United Kingdom’s Brexit vote to leave the European Union
  • Venezuela’s descent into chaos and its impact on the world’s oil market
  • The political policies of heads of state, such as Rodrigo Duterte in the Philippines, can cast shade on a country’s business environment

Example: Because of Brexit, orders from EU-based companies are expected to take a dramatic decline.  “83% of British manufacturers are actively forging new relationships with ‘Rest of World’ territories, a move that will place new demands on supply chain networks and logistics providers…”

blurred-image-2.jpg

4. Manmade

  • Product adulteration, defects and recalls
  • Cyber attacks, e.g. malware and distributed denial of service
  • Labor and civil unrest
  • Terrorism
  • Piracy

Example:  In September 2017, Citrix confirmed that several builds of Citrix NetScaler ADC and Citrix Gateway Management Interface contained authentication bypass vulnerabilities.

A recent report from CrowdStrike suggests that cybercriminals are increasingly circumventing defenses and finding weak links to exploit via supply chain attacks.

blurred-image-2.jpg

5. Economic

  • Bankruptcies
  • Mergers and acquisitions
  • Failure to perform by third-party trade partners

Example: The 2017 Hanjin maritime bankruptcy was the largest in container shipping history.  The supply chain disruption that ensued left workers, 96 ships, containers and onboard cargo worth $14 billion stranded at sea and in ports all around the world.

 

 

 

blurred-image-2.jpg

6. Natural Catastrophes

  • Hurricanes
  • Earthquakes
  • Floods
  • Wildfires

Example: The Tohoku earthquake and tsunami in 2011 cost Japan an estimated $210 billion. The quake created a domino effect that shook supply chains all over the world. “Companies dependent on Japan’s ‘Just In Time’ delivery practices were left without parts as electronics and auto manufacturing plants were destroyed. Global production suffered, affecting other nations’ economies.”

Creating a Supply Chain Security Strategy

 

supply chain security definition

- The application of policies, procedures and technology to protect both physical and digital assets from theft, damage, terrorism, piracy, and cybercrime.

 -  The means to stop the unauthorized entry of illegal, counterfeit, and adulterated products into the supply chain before they reach consumers.

 

When planning your company’s supply chain protection strategy, concentrate first on identifying those points, gaps and cracks where it’s most vulnerable, and then work on protecting potential targets such as:

  • Transportation networks, including any cross-border activity
  • Hard assets and infrastructure
  • Communication, data management and IT systems

ONSITE Supply Chain Security Basics

  • Personnel screening and controlled access systems
  • Facilities security – fences, flood lights, alarms, etc.
  • Global supplier background checks and controlled access
  • Product serialization and authentication at the factory
  • Cargo screening and validation

OFFSITE Supply Chain Security Basics – Offsite

  • Securing modes of transportation
  • Inspecting cargo at ports, terminals and other points of entry
  • Tracking and tracing shipments
  • Control of and visibility to product journey from facility to consumer
  • Authenticating product in real time at end destination

 

Four Best Practices for Securing Your Supply Chain

Defeating potential threats means staying one… make that two … steps ahead of your adversaries. There are many field-tested best practices at your disposal to increase your resilience. Use them to link your people, processes and technology to build a layered defense that protects your supply chain assets. Let’s review a few.

1.  Adhere to Security Standards 

In addition, various technologies are being developed to help standardize the tracking and monitoring of cargo containers at rest and in transit, such as:

2.  Mitigate Insider Threats 

  • Perform rigorous vetting of all supply chain partners, service providers and their products.
  • Develop a formal on-boarding process that includes clear, formal and codified agreements with suppliers.
  • Ensure the Acceptable Use Policy that informs employees on proper use of your IT systems and services is followed by outside personnel granted access.

3.  Combat Cybercrime 

  • Build security requirements into every RFP and contract.
  • Hold external suppliers to the same security standards as they hold themselves.
  • Once a vendor is accepted, assign a security team to work with them onsite to address any vulnerabilities.
  • Implement “one strike and you’re out” policies when vendor-supplied products are either counterfeit or do not match specifications.

4.  Protect Against Supplier Bankruptcy 

  • Pay special attention to small business and early stage companies that may be shaky due to limited capitalization and cash flow issues.
  • Identify sole-source suppliers and review their financial condition.
  • Never to be more than 30% of any one supplier’s business to avoid becoming too dependent on them.

How to Conduct a Supply Chain Risk Assessment

Understanding the following is essential in getting the data necessary for an effective supply chain security program.

What:

  • Have a comprehensive inventory of the products moving through your supply chain
  • Identify products known to be counterfeited and/or diverted
  • Categorize new/emerging products that are likely to see the same fate
  • Prioritize the list to focus effort

Where:

  • Draw a heatmap of your supply chain, showing the locations and distribution paths of prioritized products
  • Identify points of known or assumed gray market diversion locations
  • Identify places where counterfeits have been discovered
  • Listen to your field inspectors to refine the mapping

When:
Use information assembled in the field to understand if your supply chain breaches primarily occur during daily and known business.

  • Is your “trusted” distribution network compromised?
  • Are there issues inhouse before distribution?
  • Is it purely external, unknown entities attacking your supply chain?

How:

  • Are trucks being raided?
  • Are non-contracted purchases being allowed?
  • Is counterfeiting rampant?
  • Is product directed to e-outlets like eBay and/or Alibaba?

Who:
This is the all-important question… “who” is attacking your supply chain?

  • Start by identifying the type of organization or person
  • Work to narrow the search down to known entities and/or individuals



Model of Continuous Supply Chain Security Improvement

Based on your risk assessment inputs, you can enter the four phases of continuous supply chain security improvement.

supply-chain-security-improvement-phases 

 

The Supply Chain Security Maturity Model

There is no formal Supply Chain Security Maturity Model, yet anyway. But there are several industry standard maturity models that help frame the discussion. The Capability Maturity Model (CMM) is a widely used software industry standard for software quality assurance, based on the degree of formality of processes and practices. The model is very complex and mirrors much of what is needed in supply chain nicely.

 supply-chain-security-maturity-model

Source: https://people.cs.pitt.edu/~chang/153/images/cmml.jpg

Level 1: Initial
You are essentially just starting your assessment. You know you have a problem, but how big is it?

Level 2: Managed
Basic and reactive. This can be thought of as ad hoc “projects” to deal with supply chain security issues.

Level 3: Defined
The assessments have targeted critical initial areas, and companies know where to start focusing on for supply chain issues. Formalized planning and response has been initiated.

Level 4: Managed
Organizations have effectively filled in the “gaps” in their supply chain. This means internal and external controls are in place to proactively, and very quickly respond to and remediate issues.

Level 5: Optimizing
The “what, where, when, how, who” of the risk assessment is fully known and active processes in place and in motion for every level of the supply chain. New and unknown forces will always appear, but the company that has reached Level 5 will be able to detect and act almost immediately to these threats.

The Road Ahead

Securing your supply chain against potential disruption requires time, commitment, due diligence and dynamic planning.

Approach building your defenses on the premise that your supply chain will be breached. While dealing with the threats of today, keep an eye on the next wave that are emerging.  With the likes of Amazon, Google and IBM warehousing mountains of data for other companies in the cloud, any disruption in their supply chains would have a domino effect on the global supply chain.

 

Keep Learning

digitally-encrypted-chains

Use Blockchain to Protect Physical Products

Learn how blockchain can be adapted for superior secure supply chain protection.

Learn How

unisecure-anti-counterfeiting-app

Prevent Counterfeiting & Diversion

UniSecure is the only non-additive anti-counterfeiting solution that provides real-time authentication.

Learn More

illustration-of-blockchain-digital-connections

Meet DSCSA Regs with Blockchain

Systech conducted a blockchain for DSCSA feasibility study. Learn about the process we used and major takeaways.

Read More