Security has been an issue since supply chains began. Even the first camps and convoys had to deal with attackers and criminals. Theft, fraud, smuggling, sabotage, hijacking and piracy were all present.
Today’s complex networks of storage and intermodal transport face these challenges too. However, there are now two extra twists. First, the growth of IT means that these problems now exist physically and virtually. Second, the risks of terrorism have risen, notably since the 9/11 attacks on the World Trade Center. These and other factors have meant a rethink of supply chain security.
Basics of supply chain security
Security is part of a bigger whole. That whole is risk management. Within overall risk management, threats like earthquakes and storms may be critical issues. However, we leave mitigation against such natural disasters to business continuity planners. Here, our interest is in illegal and criminal threats. They can affect manufacturing, warehousing and transport. Security to defend these areas against deliberate hostility may have several dimensions.
- This includes fences, gates, locks, and alarms. Access controls for personnel, too.
- Examples are pre-hiring and background checks. Don’t forget termination either.
- Paperwork and tallies for shipping and receiving are part of this.
- Business partner. Goods origination, third-party security, foreign customs are examples.
- This can mean supply chain data, applications, IT systems, and IT account access.
- Security awareness. This covers security policies, threat awareness, security training, exercises.
Actors in supply chain security go beyond supply chain operators and owners. They include governments and their agencies. For instance, customs regulations may affect a supply chain that stretches between countries. Thus, enterprises do not only take the initiative to apply security. They are also driven to do by rules and regulations.
Vulnerabilities in the supply chain
The more complex a supply chain is the more chance of a chink in its armour. Longer chains and more actors increase risk. Security threats can affect vulnerabilities in many parts of supply chain operations.
- Tampering and unauthorised replacement of products can make goods unsatisfactory or dangerous to customers.
- Goods in transit. Theft and tampering are also concerns when goods are being loaded into containers or vehicles, or in transit.
- Supply chain partners. Third-party service providers may not have the same standards or priorities when it comes to security.
- Transport networks. Cargo diversion, hijacking and piracy are all concerns. Planes, boats, trucks and trains can all carry bombs, contraband goods or stowaways.
- Crime is driven by humans. Criminals may go to great lengths to obtain employment of one of their gang in a supply chain that they want to target.
- With IT systems driving larger parts of supply chains, IT security is a growing issue. IT systems can also be interlinked. Examples are ERP for manufacturing, CRM for sales and operations, and TMS for transport management. Rogue access to one system can lead to access to the next one, and so on.
Supply chains, therefore, offer bad actors two basic possibilities. On one hand, supply chains are the targets of threats such as theft, sabotage, and hijacking. On the other hand, they are also vehicles for delivering threats. Examples are tainted goods being carried to or substituted in retail outlets. The Tylenol poisoning in Chicago in 1982 was one such case.
Changes and displacements of threats
Changes in security in one part of a supply chain may affect other parts. Improvements here may result in increased risk there. For example, warehousing security has increased. So, thieves have shifted their attention to goods in transit. In the US, as much as 86% of goods theft now occurs at unsecured truck stop parking, public parking and drop lots. In Mexico, things are similar. Cargo theft is mostly done by hijacking the driver transporting the goods.
In general, professional criminals and dedicated terrorists are likely to try different routes until they get what they want. Enterprises planning their supply chain security should think about the following categories and examples of threat displacement.
- Crime type. For example, cargo thieves stop hijacking trucks. They start pilfering them in truck stops.
- Terrorists stop trying to blow up tankers carrying milk. They taint their contents instead.
- As above, when security is too good for thieves to attack in warehouses, they steal from trucks in transit.
- If business partner security is lax, attackers will strike there, instead of on your premises. This may also be an easier route for criminals to get into your business. The mammoth Target supermarket IT breach started with an attack on the systems of a Target subcontractor.
- For instance, you beefed up your night security. Now, you can see intruders a mile away. So, criminals attack in broad daylight, posing as members of your legitimate staff.
- Your new security staff keeps external criminals out. Yet this could create an additional insider threat risk.
Supply chains can be securely engineered to prevent abuse and crime. At the same time, goods and services must still move efficiently. The supply chain should also recover rapidly and effectively from any attacks, and with minimal damage. Approaches to reduce the risks of threats and vulnerabilities can be strategic, tactical or both.
A popular strategy is a layered defence. With this, criminals must pass through several layers of security. Consider the following example. Access to a site is first via a badge read electronically at the door. Video surveillance cameras scan the site for unauthorized access. This includes “tailgating” where an intruder slips in behind an employee without presenting a security badge. Further security measures are heat (body heat) and motion detectors. Human gatekeepers can then also make visual checks on identities. A security issue detected at any point then alerts security staff.
Better still, supply chain facilities can be designed to prevent security problems from the outset. Factories and warehouses can be built away from other buildings. They can be separated by open space that can be easily monitored. Lighting for surveillance at night should give wide-ranging visibility. Even if it is of lower intensity compared to spotlights, it must not leave dark areas that cannot be monitored.
Properly architected security is the way to go. Prefer this to systems that are bolted on as an afterthought. Part of this architecture is employee education. For example, to prevent tailgating, employees should be trained to (politely) refuse unchecked access to another person. Instead, they must ask the person to use his or her own security authorization or report to the security office.
Supply Chains can be securely engineered to prevent abuse and crime
Security architecture and awareness apply to supply chain information as well. Access to information is best limited to those who need to know. Employees must never share IT account details, even with colleagues. Modern IT systems can offer flexible control of which data and privileges are available to which persons. Passwords and account credentials can be automatically and securely managed, too. This removes any need to divulge their passwords, whether to IT support engineers or anyone pretending to be one.
In one case of supply chain abuse, IT carelessness on a business trip was to blame. The victim was an Australian company making metal detectors. One of its employees used an insecure hotel Wi-Fi connection to access a company system. Some time later, the company found its markets being flooded by cheap imitations of its products. Thieves had hacked the company’s systems. They had stolen blueprints of the product designs. Counterfeiters had then made their own versions of the products. They used poor quality components, offering them at substantial discounts, but still with original manufacturer’s logo. The Australian company only started to hear of the problem when customers began contacting the company with support problems and complaints, believing the counterfeit products to be genuine articles.
Hybrid security solutions can link physical and virtual aspects. Sensors and cameras provide information on the whereabouts of assets. They can also detect if assets are in motion. This information, like that of intruder detection systems, can be processed by software. For example, the software can detect cargo moving in or out of authorized areas. This “geofencing” can be used when trucks are parked in overnight stops. The system sends alerts if trucks start to move while their drivers are resting in an adjoining hotel. The same systems can also automatically generate alerts if idle time is occurring in unsafe places. They can help with route planning to avoid known problem areas. This can work before transit starts or if unexpected events force a change after.
Supply chain security standards
Standards let you agree with other supply chain partners on how to handle security. Such standards need to be effective and easy to implement. They should also be compatible, where possible. For example, the approach taken by the UK has been to enforce cargo checks at the point of origin, then prevent tampering at any point in transit. By comparison, the US imposes strict security checks at the last point of departure for the US. This is independent of any prior cargo screening along the route. Standards harmonization is a continuing debate. However, a few years ago (2012), the US and the European Union agreed to recognize each other’s security procedures for air cargo. This helps prevent expenses of time and money that previous duplication of controls had caused.
Examples of standards include:
- ISO/PAS 28000:2007 (Specification for security management systems for the supply chain).
- The Customs Trade Partnership against Terrorism (C-TPAT). This program is voluntary for companies to improve the security of their supply chains.
- Framework of Standards to Secure and Facilitate Global Trade from The World Customs Organization (WCO). This framework offers supply-chain security standards for customs requirements.
- The Container Security Initiative (CSI) focuses on screening containers in ports along routes leading to the US. CSI is led by U.S. Customs and Border Protection, part of the Department of Homeland Security.
- The Global Container Control Programme (CCP) fights trafficking of drugs, chemicals and other contraband through container controls at certain ports internationally. This is a joint United Nations Office on Drugs and Crime (UNODC) and World Customs Organization (WCO) initiative.
- The International Ship and Port Facility Security Code (ISPS Code) is an agreement between 148 countries that are members of the International Maritime Organization (IMO).
In addition, various initiatives are underway to use technologies like Radio Frequency Identification (RFID) and Global Positioning System (GPS). These can help standardize the tracking and monitoring of cargo containers at rest and in transit.
Supply chain security must be cost-effective. There is no point in spending more to protect cargo, for example, than the loss caused. However, the real cost of loss of a shipment may be as much as three to five times the value of the shipment alone. Factors increasing loss include the time and effort to replace the shipment. There may also be impacts on customer satisfaction and loyalty because of delays. Opportunity costs may arise through having to replace the shipment instead of being able to pursue new business.
Supply chain security must be cost-effective
Cost savings are often promoted as advantages in adopting security standards. Proponents of ISO 28000, for instance, indicate the following advantages:
- Time and effort saved expediting goods across borders
- Lower risk and less business impact throughout the supply chain
- Competitive advantage for new business through proof of systematic security management
- Reassurance for stakeholders and investors
- More effective use of limited business resources
- Opportunities to improve efficiency across the supply chain
- Potential to reduce associated expenses, such as supply chain insurance premiums.
How will supply chain security develop now?
Customer needs, technology and criminals will not standstill. Supply chain security will continue to change. Yet, as in supply chain itself, certain principles will hold good. Designing security into a supply chain is one example. This includes taking out vulnerabilities at the start. This will always beat trying to add security in later. Layered defences are another immutable basic. So too is vigilance about threats moving and evolving. With these in mind, apply standards as fit, but never lose sight of the main goal of providing customer satisfaction and generating profit – safely.