
Contents

Section One: Article and Report Summaries
Chapter 1: New Landscape of Risk ... 3
Chapter 2: The Cure for Anxiety Deficit Disorder ... 11
Chapter 3: New Strategies for Supply Chain Risk Management ... 19
Chapter 4: Cyber Supply Chain Risks, Strategies and Best Practices ... 27
Chapter 5: Anti-Counterfeiting Strategies, Processes and Best Practices ... 41
Chapter 6: Business Case for Supply Chain Security and Resilience ... 51
Chapter 7: Linking Smart Grid, Cybersecurity and Supply Chain ... 61
Chapter 8: National Strategies for Smart Grid, Cybersecurity and Supply Chain ... 71

Section Two: Case Studies
Dow Chemical: Strategies for Supply Chain Security and Sustainability ... 79
De-Risking the Supply Chain: Cisco's Risk Intelligence and Analytic Tools ... 85
Supply Chains in Crisis: Dealing with Disaster, Cisco's Response in Japan ... 91
Managing for Operational Excellence: Supply Chain Leadership at DuPont ... 95
NASA Supply Chain: Maintaining a Vital Space Industrial Base ... 101
Verizon: Building Security into the Network ... 113
HP: Mature Business Processes for End-to-End Supply Chain Security ... 117
Securing Information on the Smart Grid: Telvent Supply Chain Best Practices ... 121

Section Three: Tools and Guides
From the Utilities
Appendix A: Sample Guidelines for Supplier Cyber Security ... 125
Appendix B: Sample Smart Grid Cyber Security and Interoperability Requirements ... 127
From the Supply Chain Risk Leadership Council
Appendix 1: Sample Terms and Conditions for Supply Chain Security ... 155
Appendix 2: Sample Supply-Chain Security Contract Language for International and Third Party Logistics Service Providers ... 159
Appendix 3: Sample Supply-Chain Security Self-Assessment Questionnaire for Suppliers or Other Supply-Chain Partners ... 163

www.usresilienceproject.org

Securing the Smart Grid Workshop

U.S. Resilience Project

CHAPTER 1: New Landscape of Risk


Rapid globalization is altering the world in fundamental ways, and everyone and everything are more connected and more interdependent than ever before. Risks are magnified in an environment in which disruptions cascade across networks and borders. The only certainty is that the future will be volatile and uncertain. Here is how some leading organizations characterize challenges, priorities and coping mechanisms for the new risk landscape.

Global Risks 2011

World Economic Forum, January 2011. Kristel Van der Elst and Nicholas Davis

Three risk clusters are emerging:

Macroeconomic imbalances: A cluster of economic risks, including macroeconomic imbalances and currency volatility, fiscal crises and asset price collapse, arises from the tension between the increasing wealth and influence of emerging economies and high levels of debt in advanced economies. Savings and trade imbalances within and between countries are increasingly unsustainable, while unfunded liabilities create extreme long-term pressure on fiscal positions.

Illegal economy: This cluster of risks includes state fragility, illicit trade, organized crime and corruption. A networked world, governance failures and economic disparity create opportunities for such illegal activities to flourish. In 2009, the value of illicit trade around the globe was estimated at $1.3 trillion and growing.

Water-food-energy nexus: A rapidly rising global population and growing prosperity are putting unsustainable pressures on resources. Demand for water, food and energy is expected to rise by 30 to 50 percent in the next two decades, while economic disparities incentivize short-term responses in production and consumption that undermine long-term sustainability. Shortages could cause social and political instability, geopolitical conflict and irreparable environmental damage.

Five risks bear watching:
1. Cyber-security issues, ranging from the growing prevalence of cyber theft to the little-understood possibility of all-out cyber warfare.
2. Demographic challenges adding to fiscal pressures in advanced economies and creating severe risks of social instability in emerging economies.
3. Resource security issues causing extreme volatility and sustained long-run increases in energy and commodity prices, if supply is no longer able to keep up with demand.
4. Retrenchment from globalization through populist responses to economic disparities, if emerging economies do not take up a leadership role.
5. Weapons of mass destruction, especially the possibility of renewed nuclear proliferation between states.

Global Risk Management Survey 2011

Aon Risk Solutions, 2011

Top 10 Risks of 2011 (bar chart of the percentage of respondents naming each risk; the bar values are not recoverable from the extracted text):
1. Economic slowdown
2. Regulatory/legislative changes
3. Increasing competition
4. Damage to reputation/brand
5. Business interruption
6. Failure to innovate/meet customer needs
7. Failure to attract or retain top talent
8. Commodity price risk
9. Technology failure/system failure
10. Cash flow/liquidity risk

Coping with Complexity

The Upside of Down: Catastrophe, Creativity and the Renewal of Civilization

Island Press, 2006. Thomas Homer-Dixon

It is the Flat Earth meets the Black Swan. Five tectonic stresses are accumulating deep underneath the surface of today's global order:
1. Energy stress, especially from increasing scarcity of conventional oil;
2. Economic stress from greater global economic instability and widening income gaps between rich and poor;
3. Demographic stress from differentials in population growth rates between rich and poor societies, and from expansion of megacities in poor societies;
4. Environmental stress from worsening damage to land, water, forests and fisheries; and
5. Climate stress from changes in the composition of Earth's atmosphere.
These conditions are like tectonic plates bumping into each other, building up pressures that ultimately must be relieved. They are made worse by global connectivity. Everything, everyplace is connected, which means a small event in one place can have an outsized impact everywhere.


The Century of Disasters

Slate, May 13, 2011. Joel Achenbach

This will be the century of disasters, not because natural phenomena are more frequent, but because more people and more stuff stand in the way of calamity. There are now 7 billion people, a majority living in cities. In 1800, only Beijing could count a million inhabitants, but at last count there were 381 cities with at least one million people. Many are megacities in seismically hazardous places, with Mexico City, Caracas, Tehran and Kathmandu among those that combine weak infrastructure (unreinforced masonry buildings) with a shaky foundation. Natural disasters will increasingly be accompanied by technological crises, and the other way around. In March 2011, the Japan earthquake triggered the Fukushima Daiichi nuclear power plant meltdown. In April 2010, a technological failure on the Deepwater Horizon drilling rig in the Gulf of Mexico led to the environmental crisis of the oil spill.

Why Forecasts Fail. What to Do Instead

MIT Sloan Management Review, Winter 2010, Volume 51, Number 2. Spyros Makridakis, Robin M. Hogarth and Anil Gaba

Key Findings
- In most areas of business, accurate forecasting is not possible.
- Future uncertainty is much greater than most managers acknowledge.
- Statistical regularity does not imply predictability.
- Instead of seeking predictability, managers should channel their efforts into being prepared for different contingencies.

Moving from Forecasts to Planning Strategies: Accept, Assess, Augment
- Accept that you are operating in an uncertain world.
- Assess the level of uncertainty you face. Model uncertainties and look for additional relevant data, but always consider the unpredictability of falling coconuts.
- Augment the range of uncertainty. Extensive empirical evidence shows that people consistently underestimate uncertainty; their powers of imagination are usually worse than their powers of mathematics. Rule of thumb: if you have a small amount of historical data that is relevant for modeling the future, double the difference between the largest and smallest observations. If you have a wealth of data, multiply it by at least 1.5.


Seeing Around Corners

McKinsey Quarterly, October 2009. Eric Lamarre and Martin Pergler

Most companies have some sort of process to identify and rank risks, often as part of an enterprise risk management program. While such processes can be helpful, many examine only the most direct risks, neglecting the indirect ones that can have an equal or greater impact. Executives who systematically examine the way risks propagate across the whole value chain (including competitors, suppliers, distribution channels and customers) can foresee and prepare for second-order effects more successfully.

[Figure: How Risks Cascade. Source: McKinsey Quarterly]


Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise

John Wiley & Sons, Inc., 2010. Frederick Funston and Stephen Wagner

Essential Risk Intelligence Skills
- Check assumptions about the knowns: The Black Swan is simply a metaphor for mental models. Europeans could not imagine that swans could be black until they went to Australia in 1697 and found them. In the same way, organizations often fail to challenge assumptions about their core business and operational strategies even as the world is changing around them.
- Maintain constant vigilance: How can we find the unexpected before it finds us? Risk-intelligent enterprises look for evidence that their assumptions are wrong. Sometimes that means identifying weak signals that key assumptions about the environment are changing in ways that threaten your business.
- Make key connections and manage complexity: Survival training has three 3s: 3 minutes without air, 3 days without water, 3 weeks without food. Risk-intelligent organizations identify their critical dependencies and how long they can survive without them.
- Factor in velocity and momentum: Bad things happen faster than good; reputations are gained in inches per year and lost in feet per second. The speed of response has to be matched to the speed of onset.
- Anticipate causes of failure: Risk-intelligent enterprises legitimize a constructive discussion of triggers for failure. They do not just step outside the box, they actively attack it.
- Verify sources and corroborate information: In God we trust; all others bring data. Prior experience is not necessarily a good predictor of the future. Executive opinions, while important, need to be corroborated.
- Maintain a margin of safety: October is a particularly dangerous month. Other dangerous months are July, January, September, May, March, November and so on. No margin of safety leaves no margin for error.
- Set enterprise time horizons: Urgent problems are often not the most important ones. Short-term events carry a risk of over-reaction.
- Take enough of the right risks: The greatest risk is the failure to take risk. Traditional risk management is so focused on protecting value that it often fails to see and seize opportunities.
- Develop and sustain operational discipline: Ben Franklin said, "Well done is better than well said." But too often, when all has been said and done, more has been said than done.


The Resilient Enterprise

MIT Press, 2005. Yossi Sheffi

Companies are now exposed to a multitude of unexpected events, from natural disasters such as earthquakes to terrorist attacks and supplier failures. They not only need to become more resilient to these shocks, but they can actually increase their everyday competitiveness and gain strength from such disruptions. A company can become more resilient by designing its supply chain for robustness. One of the standard ways is to use redundancy, which is expensive. Other ways to make the system more resilient include the following: forging strong relationships with critical suppliers while developing alternatives for commodity suppliers; working with interchangeable parts; cross-training employees; deploying flexible manufacturing; utilizing concurrent processes of design, manufacturing and distribution; delaying product differentiation downstream in the supply chain so products remain in a fungible state as long as possible; and collaborating with trading partners. These principles create supply chains that are not only resilient, but are also flexible and can respond to day-to-day demand changes.

[Figure: Enterprise Vulnerability Map. A grid that plots disruptions by probability (low to high) against consequences (mild to severe). Disruptions plotted include: single port closure, labor unrest, transportation link disruption, economic recession, loss of key supplier, visible quality problems, computer virus, flood, workplace violence, IT system failure, accounting irregularity, product tampering, multiple port closure, earthquake, wind damage, employee sabotage and technological change. The position of each item on the grid is not recoverable from the extracted text. Source: Yossi Sheffi, The Resilient Enterprise, MIT Press, 2005.]


Bibliography
Achenbach, Joel. "The Century of Disasters." Slate Magazine, May 13, 2011. http://www.slate.com/articles/health_and_science/science/2011/05/the_century_of_disasters_2.html.
Aon Risk Solutions. Global Risk Management Survey 2011. Chicago: Aon Corporation, 2011. http://img.en25.com/Web/AON/2011%20Global%20Risk%20Management%20Survey_20110708.pdf.
Funston, Rick and Steve Wagner. Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise. Hoboken, New Jersey: John Wiley & Sons, Inc., 2010.
Lamarre, Eric and Martin Pergler. "Risk: Seeing Around the Corners." McKinsey Quarterly, October 2009. http://www.mckinseyquarterly.com/Risk_Seeing_around_the_corners_2445.
Sheffi, Yossi. The Resilient Enterprise. Cambridge, MA: The MIT Press, October 2005. http://mitpress.mit.edu/catalog/item/default.asp?ttype=2&tid=10624&sid=1571AD3C-4816-4DBD9E85-833E549B7437.
Van der Elst, Kristel and Nicholas Davis. Global Risks 2011, Sixth Edition. Geneva, Switzerland: World Economic Forum, January 2011. http://riskreport.weforum.org/.


CHAPTER 2: The Cure for Anxiety Deficit Disorder


For the foreseeable future, supply chain managers will have to navigate the effects of climate volatility, resource constraints, infrastructure interdependencies, cyber attacks, as well as assorted Black Swans. The following indicators identify some key risk triggers.

Climate Volatility

There are clear and compelling indicators of increased climate volatility, and its impacts are expected to cascade into multiple risk areas, from food insecurity to water shortages to health impacts.

Indicators
- According to Swiss Re, the number of significant events has tripled and insured losses have increased from 10 billion to 100 billion between 1970 and 2010.[1]
- An international research team of scientists has shown that the rate of sea-level rise along the U.S. Atlantic coast is greater now than at any time in the past 2,000 years.[2]
- A February 2011 special report from Reuters noted that it has been rough going for the $500 billion U.S. property insurance business, explaining that storms are happening in places they never happened before, at intensities they have never reached before and at times of year when they did not use to happen.[3]
- A 2010 report from Sandia National Laboratories estimates that climate uncertainty as it pertains to rainfall alone puts the U.S. economy at risk of losing between $600 billion and $2 trillion, and between four million and 13 million U.S. jobs, over the next 40 years.[4]

[1] Bevere, Natural Catastrophes and Man-Made Disasters.
[2] "Record rise in sea level in two millennia." Homeland Security NewsWire, June 21, 2011. http://www.homelandsecuritynewswire.com/recordrise-sea-level-two-millennia.
[3] Berkowitz, Special Report: Extreme Weather.
[4] Weiss, Vasquez and Kaldunski, The Year of Living Dangerously.


Access to Critical Resources

Demand for resources is growing rapidly. The United Kingdom's Chief Scientist warned that the world is heading for "The Perfect Storm" by 2030, with looming food shortages, scarce water supplies, scarce arable land and insufficient energy. Competing demands, in conjunction with concentrated supplies, could also create shortages of minerals and heavy metals.

Indicators
- The world's population is projected to increase from 6 to 8 billion. Demand for food is expected to increase by 50 percent. The UN projects that rising population and demand will require a 70 percent increase in food production by 2050.[5]
- State-controlled oil companies, the so-called national oil companies (NOCs), hold about three-quarters of the world's oil reserves, with implications for everything from gasoline prices to geopolitics.[6]
- The European Commission identified 14 critical raw materials needed for mobile phones and emerging technologies, such as solar panels and synthetic fuels, that face shortages.[7]
- China produces about 95 percent of rare earth metals and other critical minerals, such as rhenium, platinum and iridium. It also has at least 50 percent of the global production of other key raw materials, including bauxite, coke, fluorspar, magnesium, manganese, silicon carbide, silicon metal, yellow phosphorous and zinc, on which it has imposed export restrictions. A World Trade Organization ruling against China is expected to be appealed.[8]

[5] How to Feed the World 2050, Issue Briefs.
[6] Program on Energy and Sustainable Development, National Oil Companies.
[7] Ad-Hoc Working Group, Critical Raw Materials for the EU.
[8] China's Growing Role in the Production, Strategic Metal Report.


Water Shortages

If we could compress all the water on the planet into a single gallon, four ounces would be fresh water. Of those four ounces, two drops would be accessible to humanity, of which one drop is already in use.

Companies face four types of water risks:
1. Physical risk: Freshwater shortage in their supply chain or own operations.
2. Reputational risk: Corporate image issues from public scrutiny of sustainability policies and equitable water use.
3. Regulatory risk: Governmental regulation of water use.
4. Financial risk: Based on the above risks, the potential for increased costs or reduced revenues.[9]

Indicators
- The business-as-usual water-demand scenario will outstrip supply by 40 percent by 2030. This has the potential to put $63 trillion of global gross domestic product at risk by 2050.[10]
- More than one-third of the world's population, roughly 2.4 billion people, live in water-stressed countries, and by 2025 the number is expected to rise to two-thirds.[11]
- Analysis from the EIRIS Foundation shows that 54 percent of companies are exposed to water risks. Worryingly, however, less than 1 percent can currently demonstrate that they are adequately managing these risks.[12]

[9] Orr, Cartwright and Tickner, Understanding Water Risks.
[10] World Business Council for Sustainable Development, Water for Business.
[11] Morrison et al., Water Security and Climate Change.
[12] EIRIS, A Drought in Your Portfolio.


Brittle Infrastructures

Global infrastructures are now so complex that they have become inherently unstable. There is not one system but many nested systems, each interlinked with and embedded in the others. With more complex and integrated global transportation, communications and information networks, the vulnerability to, impact of and cost of disruptions are likely to increase exponentially.

Indicators
- In April 2011, a 75-year-old Georgian woman accidentally cut a fiber-optic cable while scavenging for copper cable, shutting off Internet service in Azerbaijan and Georgia.[13]
- Overgrown trees and a computer bug that delayed system alarms were among the key contributors to the cascading blackout that affected 55 million people in eight eastern states and Canada in 2003. Lack of power disrupted cell phone systems, rail and air systems, constrained the supply of gasoline, and shut down much of the industrial production in the affected area.
- More than 50 percent of the inland locks and dams are described by the U.S. Army Corps of Engineers as functionally obsolete, yet they carry approximately 20 percent of the nation's coal, 22 percent of U.S. petroleum, and more than 60 percent of the nation's farm exports.[14]
- Major power outages more than doubled during the last decade, in part because about 70 percent of all transmission lines and power transformers are 25 years old or older and 60 percent of circuit breakers are more than 30 years old.[15]

[13] Parfitt, Georgian Woman Cuts Off.
[14] Water Resources Development Act of 2010: Jobs and Economic Opportunities, Before the U.S. Senate Committee on Environment and Public Works, 111th Cong. (May 6, 2010) (statement of Janet F. Kavinoky, U.S. Chamber of Commerce). http://epw.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=30606d5b-648f-4977-86f5-4f979f466c49.
[15] An Unprecedented Opportunity, Rick Sergel, president and CEO, North American Electric Reliability Corporation, Energy Future Coalition Grid Working Group, Nov. 21, 2008.


Cyber Threats

Cyber attacks constitute a new frontier for risk managers, with challenges ranging from cyber crime, which is estimated to cost companies billions of dollars each year in intellectual property losses, to attacks on the information technology systems of Congress, federal agencies, critical infrastructure and U.S. corporations.

Indicators
- In 2011, the Privacy Rights Clearinghouse tracked 564 breaches involving 30.76 million sensitive records. This brings the total reported records breached in the United States since 2005 to 543 million.[16]
- For U.S. companies, the latest survey by the Ponemon Institute LLC and Symantec Corp. found that data-breach costs grew for the fifth consecutive year, to $7.2 million per incident in 2010. The average cost per compromised record also increased, to $214 from $204 in 2009.[17]
- Cybersecurity firm McAfee identifies more than 55,000 new, unique pieces of malware per day and about 2,000,000 new malicious websites per month.[18]
- Cyber risks were included for the first time as a stand-alone, material risk factor in Consolidated Edison of New York's SEC filing.

[16] Privacy Rights Clearinghouse, Chronology of Data Breaches.
[17] Ponemon Study Indicated Organizational Data Breach, Symantec.
[18] Omanoff, Cyber Security: A New and Growing Threat.


Future Risks

Top Cyber Risks for 2012

2012 Threat Predictions, McAfee Labs

- Industrial attacks and embedded threats: Cyber criminals will target unprepared utility systems; hackers will increasingly prove they can control hardware, such as cameras or cars, via embedded software; and countries will try cyber war posturing, if not more actual skirmishes.
- Resurgence of spam: In the past two years, spam levels fell in a crackdown. This time, spam is apt to test legal limits as firms with something to sell buy email lists of customers from firms going out of business.
- More mobile worries: Attackers increasingly target people trying to do banking on their smartphones.
- Risks with virtual currency: Often used in games, virtual currency is an increasing target of attackers trying to steal money or spread malware.
- Rogue digital certificates: These could compromise secure browsing and transactions, such as when an attack site imitates a retailer.
- Attacks on hardware: Malware planted on network cards and the like is expected to rise relative to attacks on software, as new security features guard operating systems.

Most Dangerous Emerging Risks

Risk and Insurance, May 1, 2011. Paul Bomberger

Game-changing risks for risk managers and insurers that may not be high on companies' radar screens:
1. An ARkStorm closing the Ports of Long Beach and Los Angeles for weeks or months: ARkStorm stands for Atmospheric River 1,000, an epic system consisting of so-called atmospheric rivers that form in the tropics and can dump as much as 10 feet of rain over the course of weeks. An ARkStorm lasting 45 days devastated California nearly 150 years ago. The U.S. Geological Survey estimates that these storms occur once every 100 or 200 years.
2. Solar storms: Damage from electromagnetic solar disturbances could be significant, with an estimated $30 billion in satellite losses, a halt to polar air traffic, power blackouts, and disruptions of GPS and cell systems.
3. Political risk emerging from left, right and center: Recent upheaval in the Middle East is likely to change the pricing for political risk insurance, which had generally been stable or declining.
4. Toxic water: Heavy rainfall and flooding could overwhelm manure and sewage storage areas. Leakage of fracking liquids into groundwater could further exacerbate fresh water shortages.
5. Rising water levels: Flood risk (inland as well as coastal) is shifting because of climate change, perhaps faster than risk managers can get their hands on it. Volatile weather is meeting aging infrastructure and insufficient public funding. Weather-related annual insured losses have risen from $5.1 billion in 1989 to $27 billion today.
6. Pervasive nanotechnology: With nanotechnology in use by almost every industry sector, the number of products using nanotechnology ballooned to around 5,000 in 2020, up from 2,000 in 2011. For the moment, the tail on the potential product liability is unknown. Experts are sobered to think of the potential environmental liability posed by the technology.
7. Cyber threats: The gap between technological innovation and the capability to protect data and IT systems is creating openings for criminals, hacktivists, terrorists and competitors to steal data and infiltrate or attack systems.
8. Social media: Risks faced by publishers every day (claims of defamation, invasion of privacy and copyright infringement) are now shared by any company that logs on to Facebook, Twitter and other social media sites. Surveys indicate that two-thirds of companies do not have a policy on social media use.
9. Aging workers: Every month beginning in January 2012, and for the next 18 years, about 10,000 people turn 65 in the United States. Companies need the higher productivity of knowledgeable workers, but veteran workers tend to suffer more severe injuries and their recoveries are slower.
10. Distressed cities: As towns and cities slash funds for fire, police and other services, businesses face growing risks. Smaller forces translate into slower response times and fewer first responders, which can lead to higher losses from fire and theft.


CHAPTER 3: New Strategies for Supply Chain Risk Management
Traditional supply chain risk management analyses often focus on cost, continuity and customer satisfaction. Newer assessments are just beginning to add cyber into the supply chain risk management equation.

Risk in 21st Century Supply Chains

A survey by Aon Limited and State of Flux Limited, June 2008

Supply chain leaders:
- Integrate their internal functions (specifically supply chain management, procurement and risk management) and the external business partners involved in their supply chains into an overarching framework for supply chain risk management.
- Scrutinize their suppliers' practices through structured audits, requesting evidence of business continuity plans, observing their suppliers' business continuity tests, or requiring evidence of suppliers' business interruption insurance protections.
- Exchange information among risk professionals in different functions, whether supply chain, procurement, quality assurance or risk management personnel, who work together to identify trends.
- Integrate risk management considerations into the design of the supply chain.
- Use eight or more different strategies to ensure security of supply. This suggests both a flexible approach and a strong organizational understanding of the options open to them to manage supply chain risk exposures. These plans are backed up with practice, with 50 percent of organizations subjecting their plans to regular testing.
- Find their business continuity plans effective in mitigating the impact of unplanned events and have a clear understanding of how their plans at all levels of the organization have been deployed.
- Maintain clear communication of issues and events across their organizations.
- Perceive threats to be primarily related to third-party suppliers, through a range of causes including physical incident, quality assurance failure and breach of intellectual property rights. They perceive data security and outsourced service provision as significant threats.
- Create clear benchmark metrics of key performance indicators (KPIs), measuring the number of times plans are invoked, the percentage of suppliers with business continuity management plans in place, the total cost of loss events, or the number of supplier business continuity management audits completed.
- Recognize that supply chain risk management is a fast-moving area where practices are likely to need to mature further as supply chain complexity increases.


Supply chain laggards:
- Isolate procurement, supply chain and risk management.
- Perceive risk exposures to be different (mainly lower) than leaders do.
- Tend to be more reactive to supply chain risk.
- Do not design their supply chain with risk management in mind.
- Perceive their primary exposure to supply chain disruption to be within their own organizations, relating to physical risk incidents or possibly data breaches.
- Take a narrowly focused approach to business continuity, using three or fewer techniques to implement supply chain risk management.
- Perform little or no testing of continuity plans.
- Do not recognize significant risks in their supplier base.
- Do not have KPIs in place.

Supply Chain and Transportation Risk Initiative

The World Economic Forum, 2011

Top Supply Chain Disruptors


1. Natural disasters
2. Conflict and political unrest
3. Sudden demand shifts
4. Export/import restrictions
5. Terrorism

Top Supply Chain Vulnerabilities


1. Reliance on oil
2. Information/data availability
3. Supply chain fragmentation
4. Extensive subcontracting
5. Supplier visibility

Top Priorities for Management


1. Collaborative trusted networks
2. Effective risk legislation and incentives
3. Appropriate data and information sharing
4. Improved quantification metrics
5. Enhanced scenario planning


Macro Trends and Supply Chain Impacts

Source: World Economic Forum

Trend | Example | Risk Impact
Globalization | Outsourcing, offshoring | Local concentrated risks become globally diffused, involving multiple actors
Specialization | Geographical concentration of production | Efficient process can be easily disrupted by a localized event
Complexity | Product/network complexity | Reliance on multiple parts/players in diverse locations reduces visibility
Lean Processes | Single sourcing, buffer stock reduction | While initially efficiency is improved and costs are lowered, there are fewer alternatives in case of disruption
Information Availability | Track and trace | Systems are increasingly reliant on information flow
Government Legislation | Cargo screening | Measures can impede the efficient flow of supply chains and transport networks

The Smarter Supply Chain of the Future


Global Chief Supply Chain Officer Study IBM, 2009

Top challenges for supply chains: more participants/partners, more geographies and more activities outsourced, as well as rapidly expanding and contracting product portfolios. Between 1995 and 2007: The number of transnational companies more than doubled, from 38,000 to 79,000, and foreign subsidiaries nearly tripled from 265,000 to 790,000. Product introductions increased by 17 percent from 2005 to 2006. Portfolio rationalization eliminated stock keeping units (SKUs) almost as fast. R&D outsourcing increased by 65 percent between 2007 and 2010; engineering and product design by 80 percent.


Characteristics of top supply chains:
Build flexibility into supply chains to deal with changing market conditions and cost volatility.
Improve visibility/transparency through collaborative planning with suppliers, vendor managed inventory, customer collaboration and real-time data sharing.
Incorporate risk management into supply chain planning and use information technology to monitor and act on disruptive events.

Supply chains of the future will be:
Instrumented: Information that was previously created by people will increasingly be machine-generated, flowing out of sensors, radio-frequency identification tags, meters, actuators, global positioning systems and more. Inventory will count itself. Containers will detect their contents. Pallets will report in if they end up in the wrong place.
Interconnected: The entire supply chain will be connected: not just customers, suppliers and IT systems in general, but also parts, products and other smart objects used to monitor the supply chain. Extensive connectivity will enable worldwide networks of supply chains to plan and make decisions together.
Intelligent: These supply chain decisions will also be much smarter. Advanced analytics and modeling will help decision makers evaluate alternatives against an incredibly complex and dynamic set of risks and constraints. Smarter systems will make some decisions automatically, increasing responsiveness and limiting the need for human intervention.

XSCM: The New Science of Extreme Supply Chain Management


Lisa Harrington, Sander Boyson, Tom Corsi, Richard Douglass 2010

Extreme Supply Chain Management (X-SCM) tackles the conditions of systemic volatility, continuous oscillation, and few or no rest or recovery periods. It recognizes the need for collective, rather than sequential, risk management and facilitates collaboration on the new scale that is necessary for survival. Supply chain volatility occurs at three distinct, interconnected levels: external environment, industry/firm, and supply chain. Volatility can emerge simultaneously in each of the rings and quickly spread in multiple directions across highly porous ring boundaries. The model on the following page is a simple one in which entities (e.g., subsystems) within a system interact and impact one another.


Supply Chain Volatility Model

The authors provide a toolkit to address the following needs:
The need for a wholly new model of supply chain risk management that goes beyond a narrow, sequential identification and management of operational risks. This new model needs to account for systemic risk because of the increasing fragility of interlocked systems and networks.
The need for a wholly new model of volatility management that spans the multidimensional supply chain, which includes end-to-end service, financial and cyber processes.
The need for a wholly new model of supply chain network efficiency that replaces traditional economies of scale and scope with those that are based on contingent scale, the ability of the enterprise to rapidly size its assets and services up or down as required by extreme demand fluctuations. These resizing capabilities are executed through flexible contracts with external providers.


Managing Supply Chain Resiliency in an Increasingly Risky World


Gary Lynch, Marsh Insights, April 2011

Best Practice Approaches to Supply Chain Risk Management:
Gain visibility upstream and downstream.
Simplify complexity by looking at resources through a value (market served or product families) lens.
Establish accountability for risk activities by designating ownership not by asset (these are the custodians), but by profit and loss leader, business manager, and product family owner.
Understand your suppliers' supply chains and risk management plans; create risk management plans if needed, including incentives and penalties.
Create a business case for investment by measuring impact against risk mitigation and financing options.
Establish business intelligence and leverage analytics and decision modeling to support the business case.
Provide holistic insurability beyond physical damage coverage. Supply chain interruptions extend to the non-physical world, including labor strikes, pandemics, regulatory change, civil order and financial failure.
Maintain relevance by ensuring that vulnerabilities are relevant to the supply chains of greatest value.
Avoid strategies that focus only on threats or only make use of qualitative metrics.

Black Swans and Your Supply Chain


Risk Logic April 29, 2011

Key Strategies for Supply Chain Continuity
1. Diversification of transportation systems. Supply chains need multiple carriers in addition to multiple forms of supply and distribution, because transport infrastructure is often the first to be impacted in a major disruption.
2. Development of reciprocal agreements for storage space. Shared agreements with suppliers, transport providers, customers, or competitors, established prior to a disruption, can help when facilities are inaccessible.
3. Relocation of production. Although production may be relocated to other sites, capacity levels must be carefully considered, and other product lines may need to be scaled down to accommodate the increase at an alternate facility.
4. Sourcing alternate or substitute products or components. Lead times are often critical, so establishing relationships is recommended prior to a disruption.
5. Building redundancy for enterprise resource planning/inventory management systems. Availability of redundant IT infrastructure, onsite and offsite data backup, and access to databases within business-critical time frames is essential.


6. Interruption insurance. Ensuring that the organization is covered for loss of revenue in the event of a disruption provides a high level of comfort to internal stakeholders.
7. Staff management and succession plans. A significantly traumatic event or disruption can render critical staff unavailable for long periods of time. Identifying critical roles and arranging suitable back-up personnel, multi-skilling, use of offsite resources, and outsourcing of roles could be critical. On the other hand, not all roles may be critical in the first few days of a significant disruption. It is just as important to know who to send home as who to keep on.
8. Review of supplier business continuity preparations. Asking to review or receive evidence of a supplier's business continuity plan will provide a higher degree of confidence as to whether supply will or will not continue in a disruption.

Supply Chain Resilience


Business Continuity Institute November 2011

An international survey of more than 550 organizations from more than 60 countries found the following:
85 percent of survey respondents experienced at least one disruption.
40 percent of analyzed disruptions originated below the tier one supplier.
Adverse weather was the main cause of disruption at 51 percent, with unplanned IT and telecommunication outages in second place at 41 percent. Sources of disruption can, however, vary significantly by sector and geography.
Cyber attack rose to become a top three source of disruption in the financial services sector.
Only 8 percent of respondents could confirm that all of their key suppliers had business continuity programs in place to deal with disruption.
Less than half of businesses check that business continuity programs are likely to be effective in practice.
The ability to demonstrate resilience is starting to become a factor in purchasing decisions, with 28 percent of respondents stating that they always or often have to provide assurance to prospective clients.


Bibliography

Aon Limited and State of Flux Limited. Risk in 21st Century Supply Chains. Chicago, IL: Aon Corporation, June 2009. http://insight.aon.com/?elqPURLPage=4388.
Business Continuity Institute. Supply Chain Resilience 2011. Caversham, United Kingdom: Business Continuity Institute, November 2011.
Harrington, Lisa H., Sandor Boyson, and Thomas M. Corsi. X-SCM: The New Science of X-treme Supply Chain Management. New York: Routledge, 2011.
Harrington, Lisa H., Sander Boyson, Tom Corsi, and Richard Douglass. X-SCM: The New Science of Extreme Supply Chain Management. New York: Routledge, 2010.
IBM Corporation. The Smarter Supply Chain of the Future. Somers, NY: IBM Corporation, 2009. http://www-935.ibm.com/services/us/gbs/bus/html/gbs-csco-study.html.
Lynch, Gary. Risk Spotlight: Managing Supply Chain Resiliency in an Increasingly Risky World. New York: Marsh Inc., April 18, 2011. http://usa.marsh.com/NewsInsights/ThoughtLeadership/Articles/ID/4410/Risk-Spotlight-Managing-Supply-Chain-Resiliency-in-an-Increasingly-RiskyWorld.aspx.
RiskLogic's Business Continuity Team. Black Swans and Your Supply Chain. Sydney, Australia: RiskLogic, April 29, 2011. http://www.risklogic.com.au/2011/04/black-swans-and-your-supplychain/.
The World Economic Forum. New Models for Addressing Supply Chain and Transport Risk. Geneva, Switzerland: World Economic Forum, 2011. http://www3.weforum.org/docs/WEF_SCT_RRN_NewModelsAddressingSupplyChainTransportRisk_IndustryAgenda_2012.pdf


CHAPTER 4: Cyber Supply Chain Risks, Strategies and Best Practices

CHAPTER 4

Cyber Supply Chain Risks, Strategies and Best Practices


Why is supply chain cybersecurity a problem beyond the IT silo?
Securing Our Nation's Cyber Supply Chain
Harris International Panel, April 21, 2011
The Honorable Dale Meyerrose, Internet Security Alliance President Larry Clinton, Honorable Michael Chertoff

Key Points
The Tylenol crisis in 1982 revolutionized supply chain security because, at the time, company responsibility ended at the point of sale. Cyber issues raise the potential for security and quality issues well beyond the cash register.
There is a tendency to look at supply chain cybersecurity as a single problem, when it is actually three separate challenges that must be disaggregated:
Poor quality control, which creates accidental vulnerability;
Organized criminals, who seek to extract assets rather than degrade critical systems, and for whom the benefits have to exceed the costs; and
Nation-state actors, which are more patient and have no economic bottom line. Their goal is to attack using embedded and corrupted information technology at a time and place of their choosing.

Piloting Supply Chain Risk Management for Federal Information Systems


Draft NISTIR 7622, June 2010 Marianne Swanson

Information systems and their components are at increasing risk of supply chain attacks from adversaries, enabled by growing technological sophistication and facilitated by the rapid globalization of information systems infrastructure, suppliers and adversaries. The ever-broadening reliance on globally sourced information system equipment exposes information systems and networks to an enlarging risk of exploitation through counterfeit materials, malicious software or untrustworthy products. Many information system suppliers are transnational. Accelerating trends in multinational mergers and acquisitions of information system suppliers and integrators are making it almost impossible to adopt corporate ownership and control as the basis for assuring supply chain security. This is partially because these accelerating trends reduce transparency and traceability of the supply chain. Globalization and its consequences are permanent and are likely to have a greater impact over time. Even in domestically developed information system elements, intentional and unintentional weaknesses/vulnerabilities may present opportunities for supply chain-related compromises.


Supply chain attacks may involve manipulating computing system hardware, software or services at any point during the life cycle. Supply chain attacks are typically conducted or facilitated by individuals or organizations that have access through commercial ties, leading to stolen critical data and technology, corruption of the system/infrastructure, and/or disabling of mission-critical operations.

Long-Term Reliability Assessment

North American Electric Reliability Corporation, November 2011

Cybersecurity presents a unique risk to the reliability of the bulk power system. The crosscutting nature of technology development and deployment across the electric sector makes this issue key to the entire system, from smart meter to generator. With the new era of ever-increasing digital reliance and system complexity, there is an emergence of common vulnerabilities within the computational backbone of the power system that can result in credible, large-scale contingencies, due to common modal failures or coordinated cyber attacks. This may significantly challenge the ability to rebalance the system. High-Impact, Low-Frequency (HILF) events, such as coordinated cyber, physical, or blended attack and extreme solar weather, have the potential to greatly impact the critical infrastructure the industry relies on to ensure reliable operation. There is also a risk from the integration of smart grid devices and other new emerging technologies reliant on communications to control operations of infrastructure components. Increasing reliance on automated devices and technologies to promote reliability can increase attack vectors, which may or may not be exploited with malicious intent. Critical infrastructure protection needs to develop beyond regional standardization to a continental and transcontinental view; additionally, regional reliability problems can turn into interconnection-wide problems if left uncorrected. Replacing assets after a serious cyber or physical attack and/or regional natural disasters can be challenging, as these critical assets may have long lead times for production.


What Examples Do We Have That this is a Problem?


Date: Example
September 2006: A small number of Apple video iPods left the contract manufacturer carrying the Windows RavMonE.exe virus.1
October 2006: TomTom admits that a batch of devices was shipped with malware installed.2
September 2007: Seagate's Maxtor Basics Personal Storage Drives were installed with a virus that hunts for gaming passwords. Drives were built under contract.3
July 2008: Email sent to U.S. government employees: "Please be advised that two USB thumb drives were discovered on the 9th Floor of the Bicentennial Building. One was discovered in the men's restroom yesterday afternoon. Another was found this morning on a facsimile machine. The drives contain malicious code that automatically and silently executes when the drive is plugged into a system. The code captures certain system information and transmits it out of DOJ."4
May 2009: A factory-sealed M&A Companion Touch netbook contained three pieces of malware, including a worm that spreads to USB devices and steals the online passwords of gamers. In the case of the M&A Companion Touch netbook, the malware was likely introduced when an infected USB drive was plugged into a computer at a manufacturing facility where technicians were installing drivers for the machine.5
March 2010: Energizer Duo USB battery charger software automatically downloads contaminated files from the manufacturer's website during the installation process. The malware was developed in 2007 and is suspected to have always been part of the software.6
May 2010: IBM hands out free USB storage devices with autorun worm malware at the Australian Computer Emergency Response Team Conference.7
July 2010: Replacement parts for the Dell PowerEdge servers were shipped already infected with malware that was embedded in the server management firmware.8
July 2011: Aldi ships an external hard drive which installs the Conficker virus when plugged into a computer.9
January 2012: Apple approves a fake new iPhone app, Camera+ v.4.0, which includes malware not created by the original application maker. The app was quickly pulled from the store when the verified developer confirmed they had only released v.2.4.

1. Malware Shipped on Apple Video iPods, Sophos Press Release, October 17, 2006, http://www.sophos.com/en-us/press-office/press-releases/2006/10/ipod-ships-with-virus.aspx.
2. Virus located in TomTom GPS Systems, Robert McMillan, Infoworld, January 29, 2007, http://www.infoworld.com/d/security-central/virus-located-in-tomtom-gps-systems-183
3. Seagate Ships virus-laden hard drives, Robert McMillan, Infoworld, November 12, 2007, http://www.infoworld.com/d/security-central/seagate-ships-virus-laden-hard-drives-119
4. Marcus Sachs, 2010
5. New Windows netbooks may harbor malware, Gregg Keizer, Infoworld, May 19, 2009, http://www.infoworld.com/d/security-central/new-windows-netbooks-may-harbor-malware-979
6. Energizer Duo software suffers backdoor Trojan bother, John Leyden, The Register, March 8, 2010, http://www.theregister.co.uk/2010/03/08/energizer_trojan/
7. IBM distributed infected USB drives at conference, Angela Moscaritolo, SC Magazine, May 24, 2010, http://www.scmagazine.com/ibm-distributed-infected-usb-drives-at-conference/article/170862/
8. Dell warns on spyware infected server motherboards, John Oates, The Register, July 21, 2010, http://www.theregister.co.uk/2010/07/21/dell_server_warning/
9. Aldi recalls Conficker-infected hard drives, Darren Pauli, SC Magazine, July 29, 2011, http://www.scmagazine.com.au/News/265264,aldi-recalls-conficker-infected-hard-drives.aspx


What Kinds of Best Practices Are Being Deployed?


Securing the Supply Chain for Electronic Equipment: A Strategy and Framework
Internet Security Alliance Scott Borg

The key to solving the problem of malicious firmware is to make the entire global supply chain more secure so that it can cope with these and other threats. This means that any measure to protect against malicious firmware must be part of a more comprehensive security program. This emphasis on a more comprehensive approach also makes sense in more basic ways: security measures are, by nature, complementary and need to be applied together to be effective.

There are four types of cyber attacks that are possible at each stage of the supply chain:
1. Cyber attackers could interrupt the operation.
2. Cyber attackers could corrupt the operation (including inserting malware).
3. Cyber attackers could discredit the operation (undermining trust, damaging brand value).
4. Cyber attackers could undermine the basis for the operation (loss of control, loss of competitively important information).

There are four types of remedies to cyber attacks:
1. Protection against interruption: continual, mandatory sharing of production across the supply chain; maintaining alternative sources.
2. Protection against insertion of malware: strict control of environments where key intellectual property is being applied; logical tamper-proof seals; physical tamper-proof seals; effective sealing and tracking of containers.
3. Protection against undermining trust: logging every operation and who is responsible for each action.
4. Protection against loss of control of information: versioning as a tool for protecting intellectual properties.

Five stages of the supply chain to which the remedies need to be applied:
1. The Design Phase
2. The Fabrication Phase
3. The Assembly Phase
4. The Distribution Phase
5. The Maintenance Phase


Building a Cyber Supply Chain Assurance Reference Model

Science Applications International Corporation and University of Maryland School of Business Supply Chain Management Center, June 2009
Sandor Boyson, Thomas Corsi and Hart Rossman

Like a physical supply chain, a cyber supply chain for information technology systems is an end-to-end process. It begins with software developers, whose roles are similar to that of suppliers in the physical supply chain. The roles of purchasing agents and production and distribution managers in the physical supply chain closely parallel the roles of policy makers and system integrators, hardware/component developers, and network providers in the cyber supply chain. Finally, physical supply chain customers equate to operators/end users in the cyber supply chain.

Four ways to de-risk the cyber supply chain
In managing the cyber supply chain, it is critical that platforms and networks are designed to accommodate volatility in an ongoing, ever-changing manner. As such, cyber supply chain networks must be as flexible as their physical or financial counterparts; that is, they must be able to adapt and respond to events that are within normal tolerances and to those that are outside of normal tolerances. To this end, there are four key cyber supply chain imperatives for manufacturers and other supply chain participants to consider adopting in order to minimize the downside of supply chain volatility and maximize its upside:
1. Provide a global integration platform for dynamic business collaboration networks.
2. Deploy an integrated supply chain visibility and business intelligence platform.
3. Create global trade and order management hubs.
4. Streamline and automate multi-tiered, cross-channel selling.
Collaborative supply chain information platforms today can provide a single view of the customer and their orders, regardless of the channel.

Open Trusted Technology Provider Framework: Industry Best Practices for Manufacturing Technology Products that Facilitate Customer Technology Acquisition Risk Management Practices and Options for Promoting Industry Adoption
The Open Group Trusted Technology Forum, February 2011

Commercial enterprise and government customers share an interest in understanding the factors that contribute to product integrity and how to identify a trustworthy commercial product. Determination of trustworthiness is impeded in part due to the lack of the following:
1. Consistent terms;
2. Uniform supply chain standards, practices and approaches; and
3. Comprehensive common ways of providing evidence of a product's trustworthiness and integrity in a way that keeps pace with innovation, accommodates the need to integrate diversely sourced components, and is applicable globally.

The categories of commercial best practices listed below are considered most effective in protecting customers from unacceptable levels of product security risk.

Category: Product Engineering/Product Development
Best practices: Trusted technology providers utilize and internalize the application of a well-formed and documented development (or manufacturing) method or process. Product engineering methods are specified and refined to best fit the engineering/development characteristics of the target product.

Category: Secure Engineering/Product Development
Best practices: Trusted technology providers adopt and apply a development/engineering method or process that contributes to the manufacturing of a more secure product. Trusted technology providers adopt and apply (where applicable) threat and risk models in the design of their product functions and attributes. Trusted technology providers select suppliers who follow equivalent secure development/engineering practices for supplied components and follow hardening practices to secure their configuration.

Category: Supply Chain Integrity Method
Best practices: The organization's supply chain management is aware of and actively participates in the evolution and optimization of industry practices and methods. A trusted technology provider manages suppliers through a framework that measures supplier performance against metrics such as quality, efficiency, innovation, adherence to the vendor's specifications, social responsibility, and their ability to manage their workforce and their internal supply chain. Supply chain security and integrity is treated as a key element of the end-to-end development/manufacturing process. Validation technology and/or processes are embedded into the trusted supply chain. Trusted technology providers require their suppliers to follow similar secure development/engineering practices for supplied components. Trusted technology providers employ a structured approach to inclusion of open source as components in their offerings.

Category: Product Evaluation Method
Best practices: The organization's product evaluation method follows internationally accepted industry and government best practices. A trusted technology provider manages its product evaluations appropriate to customer requirements at defined assurance levels, providing products and supporting documentation to certified third-party laboratories as required. Product evaluations are performed as part of product assurance.


Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain
SAFECode, June 14, 2010 Stacy Simpson

There is a growing recognition that:
1. There is no way to defend every potential vector a motivated attacker may seek to exploit.
2. Focusing on the place where software is developed is less useful for improving security than focusing on the process by which the software is developed and tested.
3. There are circumstances in which the insertion of malicious code would be almost impossible to detect.

To be effective in today's complex global supply chains, software integrity processes and controls must be designed to be independent of geography, accommodate diverse sources of software components, and extend from a vendor's suppliers to its customers. Achieving software assurance requires software vendors to apply practices and controls to meet three key goals:
Security: Threats are anticipated and addressed during the software's design, development and testing.
Integrity: Threats are addressed in the processes used to source software components, create software components, and deliver software to customers.
Authenticity: The software is not counterfeit, and the software supplier provides customers with ways to differentiate genuine from counterfeit software.

Principles for Designing Software Integrity Controls
Chain of Custody: The confidence that each change and handoff made during the source code's lifetime is authorized, transparent, and verifiable.
Least Privilege Access: Personnel can access critical data with only the privileges needed to do their jobs.
Separation of Duties: Personnel cannot unilaterally change data, nor unilaterally control the development process.
Tamper Resistance and Evidence: Attempts to tamper are obstructed, and when they occur they are evident and reversible.
Persistent Protection: Critical data is protected in ways that remain effective even if removed from the development location.
Compliance Management: The success of the protections can be continually and independently confirmed.
Code Testing and Verification: Methods for code inspection are implemented and suspicious code is detected.
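The chain-of-custody, separation-of-duties and tamper-evidence principles above can be made concrete as a hash-chained handoff log that any party downstream can re-verify. The example below is added here to illustrate those principles; it is not code from SAFECode or from this report. It assumes a constructed three-step pipeline (developer commit, build server build, release manager release) with one secret per custodian role; an HMAC tag stands in for the per-custodian digital signature a real pipeline would use, so that the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed example: one secret per custodian role (assumption). In a real
# pipeline each custodian holds a private signing key and verifiers hold only
# the public keys; HMAC with a per-role secret stands in for that signature.
CUSTODIAN_KEYS = {
    "developer": b"constructed-developer-key",
    "build-server": b"constructed-build-key",
    "release-manager": b"constructed-release-key",
}

# Separation of duties: the one action each custodian role may record.
ALLOWED_ACTIONS = {
    "developer": {"commit"},
    "build-server": {"build"},
    "release-manager": {"release"},
}

GENESIS = "0" * 64  # prev_hash of the first entry in a log


def _entry_hash(prev_hash, actor, action, artifact_hash):
    """Digest of one handoff, bound to the previous entry (the chain link)."""
    payload = json.dumps(
        {"prev": prev_hash, "actor": actor, "action": action, "artifact": artifact_hash},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def append_handoff(log, actor, action, artifact):
    """Record that `actor` performed `action`, producing the bytes `artifact`."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    artifact_hash = hashlib.sha256(artifact).hexdigest()
    entry_hash = _entry_hash(prev_hash, actor, action, artifact_hash)
    tag = hmac.new(CUSTODIAN_KEYS[actor], entry_hash.encode(), hashlib.sha256).hexdigest()
    log.append({"prev_hash": prev_hash, "actor": actor, "action": action,
                "artifact_hash": artifact_hash, "entry_hash": entry_hash, "tag": tag})
    return log


def verify_chain(log, final_artifact):
    """Independently re-check every handoff. Returns (ok, reason)."""
    if not log:
        return False, "empty log"
    prev_hash = GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev_hash:
            return False, f"entry {i}: chain link does not match previous entry"
        expected = _entry_hash(prev_hash, e["actor"], e["action"], e["artifact_hash"])
        if expected != e["entry_hash"]:
            return False, f"entry {i}: contents altered after signing"
        key = CUSTODIAN_KEYS.get(e["actor"])
        if key is None:
            return False, f"entry {i}: unknown custodian {e['actor']}"
        tag = hmac.new(key, e["entry_hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, e["tag"]):
            return False, f"entry {i}: authentication tag invalid"
        if e["action"] not in ALLOWED_ACTIONS.get(e["actor"], set()):
            return False, f"entry {i}: {e['actor']} may not perform {e['action']}"
        prev_hash = e["entry_hash"]
    # The delivered artifact must be exactly what the last custodian recorded.
    if hashlib.sha256(final_artifact).hexdigest() != log[-1]["artifact_hash"]:
        return False, "delivered artifact does not match last recorded hash"
    return True, "chain of custody verified"


def build_sample_log():
    """Constructed three-step handoff: commit -> build -> release."""
    source = b"int main(void) { return 0; }\n"      # constructed source file
    binary = b"\x7fELF-constructed-binary-bytes"     # constructed build output
    log = []
    append_handoff(log, "developer", "commit", source)
    append_handoff(log, "build-server", "build", binary)
    append_handoff(log, "release-manager", "release", binary)
    return log, binary


if __name__ == "__main__":
    log, binary = build_sample_log()
    print(verify_chain(log, binary))
    # A binary substituted after release fails the final hash check.
    print(verify_chain(log, binary + b"\x90"))
```

Each verification failure names the first entry that broke, which is what the "evident" part of tamper evidence requires; the "reversible" part is met by retaining the last good artifact hash for every earlier entry.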


Evaluating and Mitigating Software Supply Chain Security Risks


Software Engineering Institute, May 2010 Robert Ellison

Because software systems can be configured and used in ways that increase security risk, the end user of a software system has more responsibility to guard against unauthorized product modification than is usually the case for end users of hardware systems. For software systems, the supply chain security risk management process must consider the potential introduction of security risks during deployment, configuration, and system operation, as well as during design and development. An assurance case reference model can be developed by verifying the available evidence down through the supplier tiers to support the overall claim that supply chain security risks for a certain product have been reduced as low as is reasonably practicable (ALARP). The reference model emphasizes two key strategies for controlling security risk: (1) identifying and monitoring a system's attack surface and (2) developing and maintaining a threat model. Evidence of supply chain security risk mitigation needs to be gathered at every phase of an acquisition's life cycle: initiation, development, configuration/deployment, operations/maintenance, and disposal.

Reduction of supply chain security risk requires paying attention to all of the following steps within the acquisition life cycle:
Acquirer capabilities: Policies and practices for defining the required security properties of a particular product or system.
Supplier capability: Ensuring that a supplier has good security development and management practices in place throughout the life cycle.
Product security: Assessing a completed product's potential for security compromises and determining critical risk mitigation requirements.
Product logistics: The methods for delivering the product to its user and determining how these methods guard against the introduction of malware while in transit.
Operational product control: Ensuring that configuration and monitoring controls remain active as the product and its use evolve over time.
Disposal: Ensuring software data and modules are effectively purged from hardware, locations, libraries, etc., when removal is needed.

Software vulnerabilities, in general, are a major contributor to software security risk. It is impossible, as well as impractical, to eliminate all software vulnerabilities, many of which can lead to supply chain security risk. However, there are key strategies for reducing and managing such risks.


Emerging Secure Development Practices


Attack Surface Analysis: Measure the attack opportunities, a weighted sum of the exploitable features. The analysis includes the following dimensions:
Targets: data resources or processes desired by the attacker.
Enablers: the other processes and data resources used by an attacker.
Channels and Protocols: these are used by an attacker to obtain control over targets.
Access Rights: control is subject to constraints imposed by access rights.

Threat Modeling: Provides a business justification for security by mapping threats to business assets. Enables a thoughtful discussion around risk and trade-offs during software development in an objective, quantifiable way. Encourages a logical thought process in determining an application's security model.

Fuzz Testing: Creates malformed data and observes application behavior when such data is consumed. An unexpected failure, due to malformed input, is a reliability bug and possibly a security bug.

Toward a Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity


Microsoft, July 26, 2011 Tyson Storch

Software Integrity is a program within Microsoft that is designed to address the risk of intentional tampering with our products or services. At Microsoft, we use either a Standards Correlation or Business Process Modeling approach to perform a risk assessment. The Standards Correlation is the preferred option when relevant, mature standards exist that may also mitigate Software Integrity threats. This approach tends to be less resource intensive because it identifies predefined standard controls. It is particularly useful if an organization already conducts relevant standards compliance work that could also be used to assess and address Software Integrity threats. An example where the Standards Correlation approach is particularly effective is in the analysis of operational environments for online services. The reason the Standards Correlation approach is effective in this case is that operational security has many relevant standards. The Business Process Modeling approach requires first creating a graphical representation of the workflow that defines the product group's actual development process. This approach is useful to analyze software integrity attack scenarios in order to define areas of risk and to develop or strengthen corresponding controls to mitigate these risks. The Business Process Model approach is particularly effective in software development because there are few relevant standards that can be leveraged and because developing an in-depth step-by-step understanding of actual, current processes contributes significantly to increasing a product's software integrity.

Step | Standards Correlation Approach | Business Process Modeling
1. Plan | Define objectives, scope and approach | Define objectives, scope and approach
2. Discover | Identify broad classes of software integrity threats, relevant standards, and existing internal policies and procedures | Identify business processes that relate to developing and operating products through a business process diagram
3. Assess | Define control categories within standards relevant to software integrity threats and rate the effectiveness of the selected control activities (1-5) | Analyze attack scenarios and classes of threats; identify weaknesses within the model and existing controls; rate the resulting risk (1-5) in terms of inherent risk (impact x likelihood) and control effectiveness
4. Develop | Create guidance on how to comply with the overall objective and related requirements | Design control practices to address the risk areas identified in the assess phase as requiring mitigation
5. Validate | Determine which control requirements a particular product group currently meets (baseline) and those that should be implemented | Determine which control requirements a particular product group currently meets (baseline) and those that should be implemented
6. Implement | Gain approval for new policies and procedures and communicate to all stakeholders | Gain approval for new policies and procedures and communicate to all stakeholders


How Many Firms Are Using Best Practices?


Assessing Cyber Supply Chain Security Vulnerabilities within the U.S. Critical Infrastructure
Enterprise Strategy Group (ESG), November 2010 Jon Oltsik

In a survey of 285 U.S.-based critical infrastructure organizations, ESG focused on the current cybersecurity processes in general, and cyber supply chain awareness and safeguards. The following conclusions were found:

- Critical infrastructure organizations face constant cyber attacks: 68 percent suffered at least one security breach in the last 24 months.
- Threats continue to escalate: 71 percent of respondents believe the threat landscape will worsen dramatically over the next two years.
- Some organizations are not prepared: 20 percent rated their organization's security policies, procedures and technology safeguards as poor. In addition, 23 percent rated their management's support for and investment in cybersecurity as poor or fair.

With regard to cyber supply chain security issues specifically, the following conclusions were reported:

- Information technology vendor security audits are performed inconsistently and are rarely thorough: Only 10 percent of critical infrastructure organizations follow industry best practice for information technology vendor audits.
- Software assurance is a work in progress: 33 percent of critical infrastructure organizations provide secure software development training, and 30 percent of critical infrastructure organizations experienced a security incident directly related to internally developed software in the last two years.
- External information technology relationships lack appropriate security: Most critical infrastructure organizations have opened internal information technology systems to third parties, but have not standardized the governance, oversight or executive support to mitigate risks.
- Critical infrastructure organizations want help from the federal government: 71 percent of respondents believe the federal government should be a more active participant in cybersecurity strategies and defenses.


Bibliography

Borg, Scott. Securing the Supply Chain for Electronic Equipment: A Strategy and Framework. Arlington, Virginia: Internet Security Alliance. http://www.whitehouse.gov/files/documents/cyber/ISA%20-%20Securing%20the%20Supply%20Chain%20for%20Electronic%20Equipment.pdf.

Boyson, Sandor, Thomas Corsi, and Hart Rossman. Building a Cyber Supply Chain Assurance Reference Model. College Park, MD: Science Applications International Corporation and University of Maryland School of Business Supply Chain Management Center, June 2009. www.saic.com/news/resources/Cyber_Supply_Chain.pdf.

Ellison, Robert. Evaluating and Mitigating Software Supply Chain Security Risks, Technical Note CMU/SEI-2010-TN-016. Pittsburgh, PA: Carnegie Mellon University Software Engineering Institute, May 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tn016.cfm.

Keizer, Gregg. Apple approves fake iPhone app for App Store. Computerworld. January 23, 2012. http://www.computerworld.com/s/article/9223630/Apple_approves_fake_iPhone_app_for_App_Store.

Keizer, Gregg. New Windows netbooks may harbor malware. InfoWorld. May 19, 2009. http://www.infoworld.com/d/security-central/new-windows-netbooks-may-harbor-malware-979.

Leyden, John. Energizer Duo software suffers backdoor Trojan bother. The Register. March 8, 2010. http://www.theregister.co.uk/2010/03/08/energizer_trojan/.

McMillan, Robert. Seagate ships virus-laden hard drives. InfoWorld. November 12, 2007. http://www.infoworld.com/d/security-central/seagate-ships-virus-laden-hard-drives-119.

McMillan, Robert. Virus located in TomTom GPS systems. InfoWorld. January 29, 2007. http://www.infoworld.com/d/security-central/virus-located-in-tomtom-gps-systems-183.

Meyerrose, Dale, Larry Clinton, and Michael Chertoff. Securing Our Nation's Cyber Supply Chain. National Press Club event, Washington, DC, April 21, 2011.

Moscaritolo, Angela. IBM distributed infected USB drives at conference. SC Magazine. May 24, 2010. http://www.scmagazine.com/ibm-distributed-infected-usb-drives-at-conference/article/170862/.

North American Electric Reliability Corporation. Long-Term Reliability Assessment 2011. Washington, DC: North American Electric Reliability Corporation, November 2011. www.nerc.com/files/2011LTRA_Final.pdf.

Oates, John. Dell warns on spyware infected server motherboards. The Register. July 21, 2010. http://theregister.co.uk/2010/07/21/dell_server_warning/.

Oltsik, Jon. Assessing Cyber Supply Chain Security Vulnerabilities within the U.S. Critical Infrastructure. Milford, MA: Enterprise Strategy Group, November 2010. http://www.enterprisestrategygroup.com/2010/11/cyber-supply-chain-security-research-report/.

Pauli, Darren. Aldi recalls Conflicker-infected hard drives. SC Magazine. July 29, 2011. http://www.scmagazine.com/au/News/265264,aldi-recalls-conflicker-infected-hard-drives.aspx.

Simpson, Stacy. Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain. Arlington, VA: SAFECode, June 14, 2010. http://www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf.

Sophos. Malware Shipped on Apple Video iPods. October 17, 2006. http://www.sophos.com/en-us/press-office/press-releases/2006/10/ipod-ships-with-virus.aspx.

Storch, Tyson. Toward a Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity. Redmond, WA: Microsoft, July 26, 2011. http://www.microsoft.com/download/en/details.aspx?id=26828.

Swanson, Marianne. Piloting Supply Chain Risk Management for Federal Information Systems, Draft NISTIR 7622. Washington, DC: National Institute of Standards and Technology, June 2010. http://csrc.nist.gov/publications/drafts/nistir-7622/draft-nistir-7622.pdf.

The Open Group Trusted Technology Forum. Open Trusted Technology Provider Framework: Industry Best Practices for Manufacturing Technology Products that Facilitate Customer Technology Acquisition Risk Management Practices and Options for Promoting Industry Adoption. February 2011.


CHAPTER 5

Anti-Counterfeiting Strategies, Processes and Best Practices


Counterfeiting problems have grown dramatically in the past two decades, becoming an enormous drain on the global economy. With numerous high-profile examples of counterfeit parts undermining the integrity, functionality and longevity of critical systems, counterfeiting has come into the spotlight as a serious risk to national security. Recognizing the depth, extent and potential consequences of counterfeiting, the private sector and government have developed new supply chain security and integrity standards and best practices to mitigate the growing risk.

Scope and Impact of Counterfeiting


Estimating the Global Economic and Social Impacts of Counterfeiting and Piracy
Business Action to Stop Counterfeiting and Piracy, February 2011

Counterfeiting and piracy have increased substantially during the last two decades. Today, counterfeit and pirated products can be found in almost every country in the world and in virtually all sectors of the global economy. While estimates of the incidence of counterfeiting vary, it is clear that hundreds of billions of dollars of counterfeit products are produced every year. In fact, the global economic value of counterfeit and pirated products totals as much as $650 billion every year, and that value is projected to double (or potentially triple) by 2015. Beyond the value of counterfeit and pirated products themselves, counterfeiting has broad, economy-wide effects. These include the impact of counterfeiting and piracy on government tax revenues, legitimate employment, increased costs of crime, economic costs on consumer health and safety, and downward pressures on foreign direct investment (FDI) flows.


Estimate of the Total Value of Counterfeit and Pirated Products in 2008 and 2015, and Impacts on the Broader Economy and Employment

Organization for Economic Cooperation and Development Category | Estimate in Dollars Billions (2008) | Estimate in Dollars Billions (2015)
Internationally traded counterfeit and pirated products | $285–$360 | $770–$960
Domestically produced and consumed counterfeit and pirated products | $140–$215 | $370–$570
Digitally pirated products | $30–$75 | $80–$240
Subtotal | $455–$650 | $1,220–$1,770
Broader economy-wide effects (tax revenue, costs of crime, FDI flows) | $125 | $125+
Employment losses (G20 economies) | 2.5 million | 2.5 million+

Defense Industrial Base Assessment: Counterfeit Electronics


Department of Commerce, January 2010

This study provides statistics on the extent of the infiltration of counterfeits into U.S. defense and industrial supply chains. A survey of original component manufacturers revealed that counterfeit electronics incidents doubled from 3,369 in 2005 to 8,644 in 2008. The total counterfeit incident reports by prime/subcontractors during the same time period rose from 25 to 76. Based on survey responses, independent research and field interviews, the study reports the following:

- All elements of the supply chain have been directly impacted by counterfeit electronics.
- There is a lack of dialogue between all organizations in the U.S. supply chain.
- Companies and organizations assume that others in the supply chain are testing parts.
- Lack of traceability in the supply chain is commonplace.
- There is an insufficient chain of accountability within organizations.
- Recordkeeping on counterfeit incidents by organizations is very limited.
- Most organizations do not know who to contact in the U.S. government regarding counterfeit parts.
- Stricter testing protocols and quality control practices for inventories are required.
- Most U.S. Department of Defense (DoD) organizations do not have policies in place to prevent counterfeit parts from infiltrating their supply chain.

Counterfeiting: Specific Examples


Defense Supplier Base: DoD Should Leverage Ongoing Initiatives in Developing Its Program to Mitigate Risk of Counterfeit Parts (GAO-10-389)
U.S. Government Accountability Office, March 2010

This U.S. Government Accountability Office (GAO) study reports on DoD's knowledge of counterfeit parts discovered in its supply chain. The table below provides a few examples of known or suspected counterfeit parts that the DoD has encountered.

Examples of DoD Counterfeit Parts Entering the Supply Chain

- Seatbelt clasps: Seatbelt parts were made from a grade of aluminum that was inferior to specified DoD requirements. The parts were found to be deficient when the seatbelts were accidentally dropped, and they broke.
- Routers: The Navy, as well as other DoD and government agencies, purchased counterfeit network components including routers that had high failure rates and the potential to shut down entire networks.
- Body armor: The Defense Logistics Agency (DLA) procured non-Kevlar material that was misrepresented as Kevlar. The DLA discovered the discrepancy during testing.
- Microprocessor: The Air Force needed microprocessors that were no longer produced by the original manufacturer for its F-15 flight-control computer. These microprocessors were procured from a broker, and F-15 technicians noticed additional markings on the microprocessor and character spacing inconsistent with the original part.
- Packaging and small parts: During a two-year period, a supplier and three co-conspirators packaged hundreds of commercial items from hardware and consumer electronics stores and labeled them as military-grade items. For example, the supplier placed a rubber washer from a local hardware store in a package labeled as a brass washer for use on a submarine. The supplier also labeled the package containing a circuit from a personal computer as a $7,000 circuit for a missile guidance system. The suppliers avoided detection by labeling packages to appear authentic, even though they contained the wrong part.


Counterfeiting Update

NAVAIR Diminishing Manufacturing Sources and Material Shortages (DMSMS) Presentation, 2007

The Chinese city of Shantou is a global hub for counterfeiting, and the counterfeiting process has been documented:

- E-waste is delivered for processing.
- Components are washed in the river and dried.
- Markings are removed.
- Components are then inserted into counterfeit products.


Best Practices
Defense Industrial Base Assessment: Counterfeit Electronics
Department of Commerce, January 2010

In addition to providing statistics on the extent of the infiltration of counterfeits into U.S. defense and industrial supply chains (see previous Scope and Impact of Counterfeiting section), this study recommends best practices to curtail the flow of counterfeit parts into U.S. defense and industrial supply chains.

Best Practices for Organizations Dealing with Electronic Components

Supply Chain
- Institutionalized policies and procedures: Employees need clear direction from management on combating counterfeits, as well as written (and regularly updated) guidance on how to avoid purchasing counterfeit parts; test, handle and track incoming and outgoing parts; and manage and dispose of suspected counterfeit components.
- Counterfeit part training programs: This training should be given to all employees who handle electronic parts. Refresher training should be given regularly to update employees on new threats, identification techniques and communication strategies.
- Internal and external communication: Employees involved need to be made aware of counterfeits and their implications, and be encouraged to report occurrences to management. Organizations also need to communicate with external entities such as industry associations and the Government-Industry Data Exchange Program database.

Original Component Manufacturers
Original component manufacturers (OCMs) require tailored counterfeit avoidance practices to meet their distinctive needs and experiences, which include the following:
- Using authentication or encryption codes
- Embedding security markings in parts
- Using unique, harder-to-copy labels and markings
- Identifying distinctive lot and serial codes on external packaging
- Embedding radio frequency identification into high-value parts
- Physical destruction of all defective, damaged and substandard parts
- Secure facilities to prevent unauthorized access to proprietary information
- Addressing product return, buy back, and inventory control practices to ensure that counterfeit parts do not enter inventories, and thus are not resold as legitimate products
- Communicating more with companies (including unauthorized distributors and customers) to share authenticity information


Best Practices for Organizations Dealing with Electronic Components (continued)

Procurement of Parts
Purchase from OCMs and authorized distributors; however, when it is not possible to do so, these best practices will help ensure counterfeit parts do not enter the supply chain.
- Traceability: The most common way to map a part's traceability is through a certificate of conformance. Organizations can also require suppliers to provide a testing certification. Traceability documentation is only effective if reviewed and verified to be consistent with the received parts.
- Trusted and untrusted supplier lists: Establishing a list with defined criteria that is regularly audited can help to avoid purchasing counterfeit components. Organizations should also have a list of unapproved suppliers and not use these suppliers unless there are extenuating circumstances. If using an unapproved supplier, organizations should require extensive proof of authenticity.
- Supply chain requirements: Organizations should confirm suppliers are using desired counterfeiting avoidance policies and practices. One practice growing in popularity is using an escrow service to hold payment until the buyer has tested a product's authenticity.

Receiving and Storing Parts
- Visual inspection: This should include checking that part numbers, lot codes, dates of manufacturing, and logos on the parts and documentation are the same. After verifying the documentation, employees should conduct visual inspections of parts to look for evidence of counterfeiting.
- Component testing:
  - Surface testing: For components that visually have differences in their surface texture or coating
  - X-ray analysis: Another recommended non-invasive testing method
  - Destructive physical analysis: A step beyond x-ray analysis; destructive analysis can include de-lidding or de-capping
  - Electrical testing: Can be used to detect counterfeits by plugging a part into a circuit board in order to determine its performance
  - Temperature or thermal cycling: Tests a part's resistance to extreme high and low temperatures
  - Burn-in testing: A more intense test that stresses microcircuits at or above maximum-rated operating conditions
- Testing facilities and inventory storage: If an organization chooses to use external, third-party testing facilities, it should put those facilities through the same level of scrutiny recommended earlier for suppliers.

Managing Counterfeits
- Organizations should remove suspected and confirmed counterfeit parts from regular inventory and quarantine them.
- All organizations should maintain an internal database to track all suspected and confirmed counterfeit components.
- Organizations should report all information on suspected and confirmed counterfeit parts to industry associations and databases.
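The procurement and receiving controls above (supplier list gating, certificate-of-conformance consistency with the received parts, quarantine of anything that fails, and an internal tracking record) can be encoded as a receiving-inspection check. The following is an added example, not code from the Department of Commerce report; the supplier names, part fields, data classes and sample shipment are constructed assumptions.

```python
"""Receiving-inspection reconciliation for incoming electronic parts.

Added example (not from the Department of Commerce report). Supplier
names, part fields, the data classes and the sample shipment below are
constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed supplier lists. The report recommends an audited approved
# list plus an explicit unapproved list that is used only under extenuating
# circumstances and with extensive proof of authenticity.
APPROVED_SUPPLIERS = {"OCM-Alpha", "AuthDist-Beta"}
UNAPPROVED_SUPPLIERS = {"Broker-Gamma"}


@dataclass(frozen=True)
class Certificate:
    """Certificate of conformance that accompanies one shipment."""
    part_number: str
    lot_code: str
    date_code: str
    manufacturer: str
    supplier: str


@dataclass(frozen=True)
class ReceivedPart:
    """What visual inspection read off one part and its packaging."""
    serial: str
    part_number: str
    lot_code: str
    date_code: str
    manufacturer: str


@dataclass
class InspectionResult:
    accepted: list = field(default_factory=list)       # serials cleared for stock
    hold_for_test: list = field(default_factory=list)  # serials that still need component testing
    quarantined: list = field(default_factory=list)    # suspected counterfeits, kept out of inventory
    incident_log: list = field(default_factory=list)   # stand-in for the internal tracking database


def supplier_status(supplier, proof_of_authenticity=False):
    """Classify a supplier as 'trusted' (approved list), 'rejected' (unapproved
    list without extensive proof) or 'untrusted' (on neither list, or unapproved
    but with proof; paperwork alone is not enough and testing is still required)."""
    if supplier in APPROVED_SUPPLIERS:
        return "trusted"
    if supplier in UNAPPROVED_SUPPLIERS and not proof_of_authenticity:
        return "rejected"
    return "untrusted"


def reconcile(cert, part):
    """Return the fields on which the received part disagrees with its certificate.
    Case and surrounding whitespace are ignored so that formatting differences
    between paperwork and markings do not count as discrepancies."""
    pairs = (
        ("part number", cert.part_number, part.part_number),
        ("lot code", cert.lot_code, part.lot_code),
        ("date code", cert.date_code, part.date_code),
        ("manufacturer", cert.manufacturer, part.manufacturer),
    )
    return [label for label, documented, observed in pairs
            if documented.strip().upper() != observed.strip().upper()]


def inspect_shipment(cert, parts, proof_of_authenticity=False):
    """Apply the receiving controls to one shipment and return an InspectionResult."""
    result = InspectionResult()
    status = supplier_status(cert.supplier, proof_of_authenticity)
    for part in parts:
        if status == "rejected":
            result.quarantined.append(part.serial)
            result.incident_log.append((part.serial, "unapproved supplier without proof of authenticity"))
            continue
        mismatches = reconcile(cert, part)
        if mismatches:
            result.quarantined.append(part.serial)
            result.incident_log.append((part.serial, "certificate mismatch: " + ", ".join(mismatches)))
        elif status == "untrusted":
            result.hold_for_test.append(part.serial)
        else:
            result.accepted.append(part.serial)
    return result


# Constructed sample shipment: three parts from an approved distributor, one of
# which carries a date code that does not match the certificate.
SAMPLE_CERT = Certificate("PN-1234", "L4421", "1137", "ACME Semi", "AuthDist-Beta")
SAMPLE_PARTS = [
    ReceivedPart("S-001", "PN-1234", "L4421", "1137", "ACME Semi"),
    ReceivedPart("S-002", "pn-1234", "l4421", "1137", "acme semi"),  # formatting differs only
    ReceivedPart("S-003", "PN-1234", "L4421", "0916", "ACME Semi"),  # date code differs
]

if __name__ == "__main__":
    res = inspect_shipment(SAMPLE_CERT, SAMPLE_PARTS)
    print("accepted:", res.accepted)
    print("quarantined:", res.quarantined)
    for entry in res.incident_log:
        print("incident:", entry)
```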


Counterfeit Parts: Increasing Awareness and Developing Countermeasures


Aerospace Industries Association, March 2011

The report sets forth the recommendations developed by the Aerospace Industries Association (AIA) Counterfeit Parts-Integrated Project Team (CP-IPT) relating to counterfeit parts in the aerospace and defense industry supply chains. The following table summarizes the recommendations.

AIA CP-IPT Recommendations

Procurement/Supplier Selection
- Industry members should adopt SAE International standard AS5553: Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, to mirror DoD and National Aeronautics and Space Administration adoption.
- Industry and government should develop a Qualified Suppliers List for Distributors.

Suspected Counterfeit Part Reporting
- Companies and the government should report in the Government-Industry Data Exchange Program (GIDEP), a free database managed by the government, to help protect sensitive information and detection methods.
- Companies should review databases, such as GIDEP, before purchasing from a potential new supplier.
- Government should ensure proper funding to keep GIDEP up to date and provide training and education to contractors and industry.

Counterfeit Part Disposition
- Companies should develop their internal disposition plans with the assistance of their procurement, legal and quality personnel. The plans should address supplier payment conditions when counterfeit material is discovered.
- Government should develop guidance on disposition that may be used by industry.
- The government should identify the appropriate department/agency to act as a single point of contact for counterfeit parts and materials.

Component Obsolescence
- Industry should be proactive and use component life cycle analysis tools based on EIA-724 life cycle prediction curves. This tool will help forecast when components are in the last phase of their life cycle and may become difficult to obtain. In addition, this tool can help prevent new designs from using parts in the mature phase of their life cycle.
- Government should require each contract to have a definitive plan for component obsolescence.
- Government should develop a process that establishes intellectual property vaults, administered by a third party, that contain the data required to produce those components that have become obsolete.
- Government should establish requirements in defense contracts to consign and/or sell all surplus material with original equipment manufacturer/original component manufacturer traceability to a trusted source that would make it available to U.S. manufacturers when needed.


AIA CP-IPT Recommendations (continued)

Counterfeit Parts Plan
- Industry should develop a counterfeit parts plan that documents the processes used for avoidance, detection, risk mitigation, disposition, and reporting of counterfeit parts.
- Government and industry should review SAE International standard AS6081: Counterfeit Electronic Parts; Avoidance Protocol, Distributors, for adoption, which suggests ways to mitigate the risks of purchasing counterfeit parts.

Standards for Mechanical Parts and Materials
- Industry and government should assist various groups creating standards in the area of mechanical parts and materials.
- Organizations that have attained a robust and effective Quality Management System (such as AS9100: Quality Systems-Aerospace-Model for Quality Assurance in Design, Development, Production, Installation and Servicing) are more likely to successfully mitigate the threat of counterfeit parts.

Training
- Companies should develop and conduct training for employees in the areas of procurement, detection, reporting, and disposition of counterfeit parts.
- Companies should take advantage of industry symposiums and standards organizations to learn of best practices.

Best Practices in the Fight Against Global Counterfeiting


American National Standards Institute, 2011

This report details the conclusions of a meeting in which members of the international standards-setting community spoke to the global nature of counterfeiting and to the vulnerabilities endemic to global industry supply chains. While national regulatory, oversight and law enforcement agencies will often cooperate across borders, as well as through international agreements and investigative agencies such as INTERPOL, their statutory authority ends at national borders. The group arrived at four consensus conclusions:

1. Public-private partnerships: Counterfeiting is a global problem that cannot be handled or resolved by just one agency or group with limited jurisdiction. Public- and private-sector stakeholders throughout and across industries must work together, including national and international law enforcement agencies, government officials, and private-sector participants from all industry sectors and all points in the supply chain.

2. Education: Many people affected by counterfeiting, including both manufacturers and consumers, are unaware of the true scope and impact of this issue. Consumers must be educated on the true impact of purchasing counterfeit goods, as well as how to avoid making such purchases. Manufacturers should be given case studies and statistics on the effects that counterfeit goods have in their industry, and simple steps to reduce the presence of counterfeit parts and products.

3. Enforcement: Policies and laws that fight counterfeiting must be supported on every level by refusing to use, pay for or return counterfeit parts. Sales of counterfeit parts and products must be reported to the proper legal authorities; continual testing of critical components must be conducted to assure the quality of parts that appear legitimate; and, finally, an effective security assurance program must be in place, coupled with the use of effective authentication technologies. Many of the existing public and private initiatives begin and end with enforcement and prosecution; other tools may be needed because we cannot incarcerate our way to safety.

4. Standards: While no standards can completely stop counterfeiting, they can bring awareness to industries, encouraging them to institute checks and balances throughout their supply chains. However, universal access to standards must be considered during quality assurance processes, because counterfeiters could also potentially refer to them as a resource when creating parts and products.


Bibliography
Aerospace Industries Association. Counterfeit Parts: Increasing Awareness and Developing Countermeasures. Arlington, VA: Aerospace Industries Association, March 2011. http://www.aia-aerospace.org/assets/counterfeit-web11.pdf.

American National Standards Institute. Best Practices in the Fight against Global Counterfeiting: An Action Guide to Strengthen Cooperation and Collaboration across Industry Sectors and among Global Supply Chains. Washington, DC: American National Standards Institute, 2011. http://publicaa.ansi.org/sites/apdl/Documents/Meetings%20and%20Events/2010%20World%20Standards%20Week/Anti-counterfeiting%20Conference/Anti-Counterfeiting_Best_Practices.pdf.

Business Action to Stop Counterfeiting and Piracy (BASCAP). Estimating the Global Economic and Social Impacts of Counterfeiting and Piracy. Produced by Frontier Economics Ltd., London. Paris: International Chamber of Commerce, February 2011. http://www.iccwbo.org/uploadedFiles/BASCAP/Pages/Global%20Impacts%20-%20Final.pdf.

U.S. Department of Commerce. Defense Industrial Base Assessment: Counterfeit Electronics. Washington, DC: U.S. Department of Commerce, January 2010. http://www.bis.doc.gov/defenseindustrialbaseprograms/osies/defmarketresearchrpts/final_counterfeit_electronics_report.pdf.

U.S. Government Accountability Office. Defense Supplier Base: DoD Should Leverage Ongoing Initiatives in Developing Its Program to Mitigate Risk of Counterfeit Parts, GAO-10-389. Washington, DC: U.S. Government Accountability Office, March 2010. http://www.gao.gov/assets/310/302313.pdf.

Counterfeiting Update: NAVAIR Diminishing Manufacturing Sources and Material Shortages (DMSMS). Presentation given to Defense Logistics Agency Parts Standardization & Management Committee, April 2010.


CHAPTER 6

Business Case for Supply Chain Security and Resilience


A number of authors have shown that the benefits of investment in supply chain risk management can extend across the enterprise, increasing productivity, revenue, reputation and shareholder value. This is similar to the experience of integrated safety management, implemented by the chemical industry after the 1984 gas leak disaster in Bhopal, India. The industry realized significant savings from reduced medical costs, wages and claims administration fees. What it did not anticipate was that the indirect savings from integrated safety management would increase savings by a factor of five, including the costs of lost production, process interruptions, equipment replacement, litigation, employee morale, customer relations and public image. Safety was not just the right thing to do; it became a competitiveness driver.

Impact of Supply Chain Disruptions


The Effect of Supply Chain Disruptions on Long-term Shareholder Value, Profitability and Share Price Volatility
The Logistics Institute, 2005 Vinod Singhal and Kevin Hendricks

Researchers looking at the impact of supply chain disruptions on corporate performance found that such events can be catastrophic for businesses and their shareholders. Singhal and Hendricks' research showed that the symptoms of an impending disruption were evident in advance of a public announcement. Based on a sample of 885 disruptions announced by publicly traded firms, they found that, in the year leading up to the announcement, firms on average experienced a 107 percent drop in their operating income, a 114 percent drop in return on sales and a 93 percent drop in return on assets. During this time period, the level of return on sales dropped by 13.78 percent and return on assets by 2.32 percent. Firms that experienced disruptions faced on average 6.92 percent lower sales growth, 10.66 percent growth in cost, and 13.88 percent growth in inventories. Changes in operating income, sales, total costs and inventories remained negative in the two years after the problems were disclosed.

Supply Chain Resilience 2011

Business Continuity Institute, United Kingdom, 2011

The UK Business Continuity Institute survey considers the causes and consequences of disruption, the techniques and approaches to identify key supply chains, and methods to gain assurance of resilience capability. It reports the following key findings from respondents from 35 countries across 15 industry sectors:

- 85 percent of survey respondents experienced at least one disruption.
- 40 percent of analyzed disruptions originated below the immediate tier-one supplier.
- Supply chain incidents led to a loss of productivity for almost half of businesses, along with an increased cost of working (38 percent) and loss of revenue (32 percent).
- The longer-term consequences of disruption in the supply chain included shareholder concern (19 percent), damage to reputation (17 percent), and expected increases in regulatory scrutiny (11 percent).
- For 17 percent of respondents, the financial costs of the largest single incident totaled a million or more euros. For those with weaker supply chains, the number experiencing higher financial costs almost doubled, to 32 percent.
- The ability to demonstrate resilience is starting to become a factor in purchasing decisions, with 28 percent of respondents stating that they always or often have to provide assurance to prospective clients.

Benefits of Supply Chain Security


Innovators in Supply Chain Security: Better Security Drives Business Value
Stanford University and The Manufacturing Institute, June 2006 Barchi Peleg-Gillai, Gauri Bhat and Lesley Sept

International trade is no longer just about moving goods quickly and cheaply. In this age of global terrorism, there is a third element: moving goods securely. There are costs to supply chain security. After 9/11, firms experienced an increase of 15 percent in airfreight costs and 20 percent in commercial insurance premiums. New security measures following 9/11 were estimated to cost the U.S. economy alone more than $150 billion, including $65 billion for changes in supply chains. Through case studies of eleven major manufacturers and three logistics providers, the study quantifies benefits that may potentially offset or exceed the costs of security. These benefits include the following:

- Improved product safety: a 38 percent reduction in theft or loss, and a 37 percent reduction in tampering.
- Improved inventory management: a 14 percent reduction in excess inventory and a 12 percent increase in reported on-time delivery.
- Improved supply chain visibility: a 50 percent increase in access to supply chain data and a 30 percent increase in the timeliness of shipping information.
- Improved product handling: a 43 percent increase in automated handling of goods.
- Process improvements: a 30 percent reduction in process deviations.
- More efficient customs clearance processes: a 49 percent reduction in cargo delays and a 48 percent reduction in cargo inspections/examinations.
- Speed improvements: a 29 percent reduction in transit time and a 28 percent reduction in the delivery time window.
- Resilience: close to a 30 percent time reduction in problem identification, response and resolution.
- Higher customer satisfaction: a 26 percent reduction in customer attrition and a 20 percent increase in the number of new customers.

Average Percentage Improvement from Supply Chain Security Investments Reported by Manufacturers

EFFICIENCY
- Reduced inspections: 48%
- Increased automated handling: 43%
- Less process deviation: 30%
- Shorter transit time: 29%

RESILIENCY
- Shorter problem resolution time: 31%
- Quicker response to a problem: 23%
- Reduced time to identify a problem: 21%

VISIBILITY
- Improved asset visibility: 50%
- More timely shipping information: 30%
- Reduced inaccurate shipping data: 9%

INVENTORY MANAGEMENT AND CUSTOMER RELATIONS
- Reduced theft, loss, pilferage: 45%
- Decreased tampering: 37%
- Less customer attrition: 26%
- Reduced excess inventory: 14%


Dow Chemical: Strategies for Supply Chain Security and Sustainability


The U.S. Resilience Project, 2011

Dow was one of the companies that participated in the Innovators in Supply Chain Security study. It documented the following savings that were realized due to security investments:

- More than 20 percent cost reductions in excess inventory and container fleet requirements.
- A 100 percent reduction in theft/loss/pilferage.
- A 100 percent reduction in tampering.
- Up to a 90 percent reduction in transit time.
- Anywhere from 25 percent to 50 percent improvements in on-time delivery.
- A 50 percent reduction in response time to identify and resolve in-transit problems.

Investing in Supply Chain Security: Collateral Benefits


IBM Center for the Business of Government, May 2005 James B. Rice, Jr., Philip W. Spayd

The report tabulates, for each category of security investment, its direct benefits and its collateral benefits:

Security Investment: Asset Visibility and Tracking
Direct benefits:
- Provides positive location status, preventing excursions
- Provides time-definite and controlled chain of custody
Collateral benefits:
- Lower theft and losses
- Faster recalls
- Fewer delayed shipments
- Better planning, enabling lower working capital for inventory
- Fewer overages, shortages, and damages (OS&D)
- Protection of brand name

Security Investment: Personnel Security
Direct benefits:
- Thorough background check eliminates bad actors from hiring pool
- Regular background checks provide early warning for employees operating under the influence
Collateral benefits:
- Customer loyalty, increased sales revenues, higher market share
- Employee commitment and belief in company's concern for employee

Security Investment: Physical Security
Direct benefits:
- Controlled access keeps out unauthorized personnel
- Protection of intellectual property
- Protection of capital equipment and personnel
Collateral benefits:
- Customer recognition of firm's safe and secure environment as an expertise, increasing customer loyalty
- Fewer thefts and OS&D by virtue of having a more secure facility

Security Investment: Standards Development
Direct benefits:
- Facilitates coordination of multicompany security activities (initiatives, sting operations, and incident investigations)
- Security breaches are easier to spot with standard systems
- Higher levels of security with common procedures
- System-level and supplier security improvement
Collateral benefits:
- Improved efficiency of ship, train, truck, and terminal operations; reduced international shipping times
- Platform for collaboration within an industry, leading to standards that raise the level of performance
- Process discipline enables compliance (quality, safety, and process) and higher performance
- Common processes reduce confusion, raise predictability, and improve staff backup
- Reduced non-security losses

Security Investment: Supplier Selection and Investment
Direct benefits:
- Ensures a secure supply of materials
- Early warning of upstream security issues
- Reduced upstream and inbound losses
Collateral benefits:
- Lower inspection costs and faster throughput
- Enhanced communication via collaboration
- Increased efficiency through joint planning
- Utilizes internal security resources to assist suppliers, ultimately making for improved relationships

Security Investment: Transportation and Conveyance Security
Direct benefits:
- Reduces theft losses
- Reduces adulteration of product
- Reduces chance of cargo vessel misuse (weapon delivery system)
- Protects conveyance equipment and vessels
Collateral benefits:
- Avoidance of non-product-related costs (indirect costs)
- Lower crime and vandalism rates
- Fewer disruptions to the supply chain, and more cost savings compared with avoided losses
- Less capital required for inventory
- Reduced transportation cycle time

Security Investment: Building Organizational Infrastructure Awareness and Capabilities
Direct benefits:
- Builds awareness of security concerns
- Increased role of security in daily operations and every assignment
Collateral benefits:
- Increases problem prevention through recognition by employees
- Increases early intervention, reducing the impact of a disruption
- Improves the ability to respond with early awareness

Security Investment: Collaboration Among Supply Chain Parties
Direct benefits:
- Improved coordination along supply chain increases security
Collateral benefits:
- Platform for broader alignment
- Enables the creation of a secure supply chain network for common problem solving and resource sharing
- Improves communication among supply chain partners, potentially reducing coordination costs

Security Investment: Proactive Technology Investments
Direct benefits:
- Increased ability to track, monitor, and observe material flows, preventing excursions
Collateral benefits:
- Ability to customize the application to the benefit of the firm
- Increased process efficiency through technology
- Visibility investments give real-time awareness of supply chain delays, location, and status

Security Investment: TQM Investments
Direct benefits:
- More consistent security procedure execution
- Application of Six Sigma may lead to disciplined loss reduction efforts
- Lower losses
- Higher-performance employees emphasize security
- Process design standardizes security processes
- Design supply chain with fewer hand-offs, keeping product moving
Collateral benefits:
- Discipline increases, enabling compliance (quality, safety and process)
- Reduction in safety stock, lead-time variance, and OS&D
- Better process knowledge and management from additional data, and greater visibility to discern bottlenecks and congestion
- Safety stock reduction as a result of advance lead-time information
- Investment in quality processes results in quality security
- Consistent process operation leads to fewer disruptions, faster and more reliable operation
- Process discipline leads to higher levels of performance and efficiency

Security Investment: Voluntary Security Compliance
Direct benefits:
- European Union's Authorized Economic Operator program ensures a base level of supply chain security assessment
- Customs specialists working in specialized security programs may observe the risk of a security breach before a breach can occur
- Customs-Trade Partnership Against Terrorism (C-TPAT) membership provides member companies with information about industry best practices in supply chain security
- Sweden's StairSec program leads to higher inspection rates of uncertified cargo, increasing the likelihood of early warning and prevention
Collateral benefits:
- Establishes a mandatory fundamental standard across industry for supply chain security via a voluntary program
- A platform for collaboration and alignment within an industry that leads to industry standards, raising the overall level of quality, service, and cost performance
- C-TPAT supply chain specialist assists firm as Customs and Border Patrol liaison for validation, security issues, procedural updates, communication, and training
- Faster border throughput times from fewer inspections and green lane flow, which may raise service levels, enabling lower working capital
- Process discipline enables compliance (quality, safety, and process) and higher levels of process performance

The Value of Visibility


Smart Boxes
A.T. Kearney, 2005 Mike Tower, Sean Ryan, and Todd Huseby

A.T. Kearney conducted interviews with supply chain executives from the United States' top 100 import companies and top 100 export companies, discussing the value proposition of greater supply chain visibility through radio frequency identification (RFID) technology. Respondents estimated a total benefit per container of $1,150, not including any benefit they received from expedited passage at the border.


Perceived Benefits Per Container

- Reduced inventory: 31%
- Reduced out of stocks: 30%
- Reduced lead time variance: 17%
- Increased manufacturing uptime: 16%
- Reduced labor costs and fees: 3%
- Increased container security: 2%
- Prevention of lost containers: 1%

The Defense Driver for RFID


The A.T. Kearney report noted that the benefits of radio frequency identification (RFID) technology were first demonstrated during the first Gulf War in 1991. The U.S. military had a shipping problem: nearly one third of the containers shipped to the Middle East were lost or unaccounted for when needed. And when containers did arrive in the hot desert, in the middle of a war zone, soldiers had to open almost two thirds of them to see what was inside. Not knowing what was in the containers, commanders frequently made redundant requisitions, in a practice they called "just-in-case logistics." Just in case the boots, bullets or other material so essential to their success had not actually arrived, they placed multiple back orders. The result? "Iron mountains" of containers on docks and in the desert. And a lesson for the U.S. Department of Defense (DoD): when it comes to the rapid deployment of forces, logistical support requires real-time tracking of critical supplies as they move through the global supply chain. Enter RFID technology. Through seed grants from the Defense Advanced Research Projects Agency (the same agency that fostered the development of the Internet), military officials tested and validated RFID solutions. An RFID chip attached to a logistic unit of any size can be read at key checkpoints such as distribution centers, seaports and trucking terminals to beam information into a global computer network. The DoD now deploys its In-Transit Visibility (ITV) network to track military supplies from factory to foxhole. ITV spans more than 1,600 locations in more than 45 countries. Used in both Afghanistan and Iraq, ITV has reduced overall losses to less than 8 percent. The military deployed 90 percent fewer containers in Operation Iraqi Freedom than it did during Operation Desert Storm, and military personnel attribute more than $300 million USD of efficiency savings to RFID.
The military had the financial strength to invest in developing new technology; then, as happened with the Internet, adoption costs eventually decreased to the point where the solution also became commercially viable.


Bibliography
Business Continuity Institute. Supply Chain Resilience 2011. Caversham, United Kingdom: Business Continuity Institute, 2011.

Peleg-Gillai, Barchi, Gauri Bhat, and Lesley Sept. Innovators in Supply Chain Security: Better Security Drives Business Value. Produced by Stanford University, Stanford, CA. Washington, DC: The Manufacturing Institute, 2006. http://www.gsb.stanford.edu/scforum/documents/Innovators_in_SC_Security.pdf.

Rice, James B., Jr., and Philip W. Spayd. Investing in Supply Chain Security: Collateral Benefits. Washington, DC: IBM Center for the Business of Government, May 2005. http://www.ncapec.org/docs/supply_chain_investment.pdf.

Singhal, Vinod, and Kevin Hendricks. The Effect of Supply Chain Disruptions on Long-term Shareholder Value, Profitability, and Share Price Volatility. Toronto, Canada: The Logistics Institute, 2005. http://www.loginstitute.ca/pdf/singhal_scm_report.pdf.

U.S. Resilience Project. Dow Chemical: Strategies for Supply Chain Security and Sustainability. Washington, DC: The U.S. Resilience Project, October 2011. http://www.usresilienceproject.org/workshop/participants/pdfs/USRP_Dow_CS_012312.pdf.

Tower, Mike, Sean Ryan, and Todd Huseby. Smart Boxes: RFID Can Improve Efficiency, Visibility and Security in the Global Supply Chain. Chicago, IL: A.T. Kearney, 2005. http://www.atkearney.com/index.php/Publications/smart-boxes.html.


CHAPTER 7

Linking Smart Grid, Cybersecurity and Supply Chain


Supply chain and cybersecurity are inextricably linked. Recognizing this, a number of new studies include supply chain as part of an overall cybersecurity risk management structure. Issues that are now part of the cybersecurity landscape include trusted vendor networks, reliability, integrity of commercial off-the-shelf components, resilience of supply chains, and safeguards against malicious insertion of compromised or counterfeit components. The mature processes in supply chain security and resilience within businesses can help inform the challenge of securing the smart grid supply chain from cyber threats.

Protecting Hardware in the Supply Chain

Ensuring Hardware Cybersecurity


Issues in Technology Innovation, Brookings, May 2011 John D. Villasenor

Insertion of malicious hardware during manufacturing is very difficult because of the likelihood that the insertion process itself will lead to impairments that would be detected during post-manufacturing testing. For an attacker, the low-hanging fruit lies in the design process, where there is the potential to create malicious circuits and bury them within the much larger set of healthy circuits in a nondisruptive manner.

Chip design today relies heavily on outsourcing. Although a complex chip is a single, physically small device, it contains many different functional areas, called blocks, that perform different tasks. A chip used in a smartphone, for example, may have a set of functional blocks devoted to receiving a wireless signal, processing that signal to extract the data it contains, decoding that data to produce audio and video signals, and sending those signals to a speaker and display screen. A company overseeing the design of a complex chip typically designs some portions in-house but obtains designs for other portions from third parties. While outsourced chip manufacturing has been common for several decades, the use of outsourcing in chip design has accelerated dramatically in the last half-decade, largely for economic reasons.

The following steps could go a long way toward reducing the likelihood and impact of hardware attacks.

A change in design practices within the semiconductor industry: Companies engaged in chip design should adopt a need-to-know partitioning of information. A designer working on a portion of a chip devoted to receiving wireless data does not need access to the internal details of a portion of the chip that processes video for display on a screen.

Establishment of a national-level capability to coordinate a quick response to an attack: Currently, the United States does not have any national-level capability to respond to an attack. In the event of an attack, it would also be critically important to be able to rapidly identify the other chips containing designs received from a known supplier of corrupted hardware.

Improved testing procedures to detect corrupted chips before they are placed into products: Today's commercial chip-testing procedures are designed to identify accidental design flaws, not to discover intentionally hidden attacks. New testing procedures specifically designed to look for attacks, such as those in research today by the Defense Advanced Research Projects Agency, lower the odds that corrupted hardware could escape pre-deployment testing.

Inclusion of defenses built into chips to identify and thwart attacks as they occur: While pre-deployment testing is extremely important, it cannot be relied on to find all instances of malicious hardware. Given the inevitability that some number of compromised chips will slip past the testing process, it is important to build defenses into chips that can identify and respond to attacks within milliseconds. When an attack is discovered, the offending portion of the chip could be identified and quarantined, and a notification sent to other devices containing similar circuits.

Protecting Software in the Supply Chain


Evaluating and Mitigating Software Supply Chain Security Risks
May 2010 Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, Carol Woody

Software Supply Chain Security Risks

- Poor security requirements that lead to ineffective security considerations in all acquisition steps.
- Coding and design defects incorporated during development that allow the introduction of code by unauthorized parties when the product or system is fielded. In addition, there are those defects that compromise security directly by allowing unauthorized access and execution of protected functionality.
- Improper control of access to a product or system when it is transferred between organizations (failures in logistics), allowing the introduction of code by unauthorized parties.
- Insecure deployed configuration (e.g., a deployed configuration that uses default passwords).
- Operational changes in the use of the fielded product or system that introduce security risks, or configuration changes that allow security compromises (configuration control and patch management).
- Mishandling of information during product or system disposal that compromises the security of current operations and future products or systems.


Supply Chain Security Risk Management in Each Acquisition Phase


Initiation
- Perform an initial software supply chain security risk assessment and establish required security properties.
- Include supply chain security risk management as part of the RFP.
- Develop plans for monitoring suppliers.
- Select suppliers that address supply chain security risk.

Development Management
- Monitor practices for supply chain security risk.
- Maintain awareness of suppliers' sub-tier relationships.
- Assess delivered products/systems.

Configuration/Deployment
- Configure/integrate with consideration of supply chain security risks.
- Develop user guidance to help mitigate supply chain security risk.

Operations/Maintenance
- Manage security incidents.
- Review operational readiness.
- Monitor component/supplier.

Disposal
- Mitigate risks of information disclosure during disposal.

Supply Chain Risk Analysis webinar


Carnegie Mellon, 2010

Information that acquirers should be asking suppliers:

- What are their development practices? How do they design code and test?
- How do they deal with their own suppliers?
- How do they deal with their own events (changes in requirements, personnel changes, upgrades and business disruptions)?

Requests for proposals (RFPs) should ask for evidence of the following:

- Development staff training (biggest risks continue to be known common weaknesses).
- Documentation of potential attacks and mitigations.
- Supplier capabilities as demonstrated with development of other systems.
- For contracted development, require application of threat modeling to analyze risks associated with architecture and design decisions.


Supply Chain Risk Management


Electricity Sector Cybersecurity Risk Management Process Guideline
U.S. Department of Energy, September 2011

The Department of Energy issued a draft guideline for comment that provided suggestions on how to incorporate cybersecurity into enterprise risk management processes. It noted: "Although the electricity delivery system has not yet experienced widespread debilitating cyber attacks, its reliance on the previous strategies of physical separation between the ICS [industrial control systems] environment and the business and administrative networks is no longer adequate to satisfy today's mission and business needs." The model offers a continuous process of framing, assessing, responding to, and monitoring risk at each of the three tiers to ensure risk-based decision-making is integrated into every aspect of the organization. The risk management plan described three tiers of cyber risk management:

- Add cyber risk as an enterprise-level risk with appropriate leadership involvement, management strategies and resourcing;
- Implement cybersecurity risk management goals and strategies into mission and business processes; and
- Deploy cybersecurity safeguards, controls and countermeasures at the system level.

[Figure: Risk Management Framework]


Supply chain issues: With respect to supply chain, the report noted: "In today's world, the efficiencies of commercial off-the-shelf (COTS) hardware and software platforms, interconnected public and private networks, and remote support are moving organizations from an isolated environment into a global, interconnected environment. Thus, electricity sector organizations recognize these efficiencies represent new cybersecurity risks that were not present in their isolated environment. The evolution of ICS from proprietary to COTS platforms has also introduced electricity sector organizations to new cybersecurity risks as illustrated by targeted malware against COTS platforms in the IT [information technology] sector. Consequently, ICS deployed to support mission critical operations in the electricity sector can potentially be compromised and result in significant negative impact on operations."

Trust relationships: The ever-broadening reliance on globally sourced equipment exposes IT, ICS and networks to an enlarging risk of exploitation through counterfeit materials, malicious software or untrustworthy products. The Risk Framework described five models for trusted relationships that could help minimize supply chain cyber risks:

- Validated trust occurs when one organization develops an IT and ICS application and provides evidence (e.g., security plan, assessment results) that the application meets certain security requirements.
- Historical trust is established by the track record exhibited by an organization in the past, particularly in its risk and cybersecurity-related activities and decisions.
- Third-party trust occurs when an organization establishes a level of trust with another organization on the basis of assurances provided by a mutually trusted third party.
- Mandated trust is established on the basis of a specific mandate issued by a third party in a position of authority, such as an organization charged with issuing public key infrastructure (PKI) certificates.
- Hybrid trust models represent some combination of the models above.

Supply Chain Risk Management Practices for Federal Information Systems


NISTIR 7622, June 2010 Marianne Swanson, Nadya Bartol, Rama Moorthy

This report provides a tool set for supply chain security. In addition, it provides the following general and technical requirements that an organization can place in contractual documents to achieve a measure of supply chain assurance. These requirements should be explicitly defined in the statement of work.

- Determine the appropriate level of risk distribution among the acquirer, integrator and supplier.
- Define the integrator's and supplier's level of responsibility for supplying trustworthy systems and elements in contracts.
- Use past performance of the integrator/supplier for indications of security consciousness in their processes and the resulting systems, elements and services as a gauge for their supply chain assurance practices. Indicators include available information about systems, elements and services; evidence of attempts by the supplier to reduce vulnerabilities; and what past vulnerabilities indicate about product/service strength, supplier pattern of addressing identified vulnerabilities, current known yet unfixed vulnerabilities, and recent changes in the organization that might invalidate past performance.
- Establish requirements for processes (including test and evaluation processes) and include them in contract documents.
- Examine how integrators select/manage their suppliers and whether or not the integrator/supplier imposes similar requirements on their suppliers.
- Require respondents to provide a supply chain risk management plan that addresses, in detail, their internal and external practices and controls employed to minimize the risk posed by counterfeits, and known and unknown vulnerabilities in systems, elements and services.

The report identifies best practices and guidelines for acquirers, suppliers and integrators across the spectrum of supply chain risks, including the following:

- Maximize acquirer's visibility into integrators and suppliers
- Protect confidentiality of element uses
- Incorporate supply chain assurance in requirements
- Select trustworthy elements
- Enable diversity
- Identify and protect critical processes and elements
- Use defensive design
- Protect the supply chain environment
- Configure elements to limit access and exposure
- Formalize service/maintenance
- Test throughout the system development life cycle
- Manage configuration
- Consider personnel in the supply chain
- Promote awareness, educate and train personnel on supply chain risk
- Harden supply chain delivery mechanisms
- Protect/monitor/audit operational system
- Negotiate requirements changes
- Manage supply chain vulnerabilities
- Reduce supply chain risks during software updates and patches
- Respond to supply chain incidents
- Reduce supply chain risks during disposal


Governing the Tangible Risk: The SCOR model

X-SCM: The New Science of X-treme Supply Chain Management, 2011 Taylor Wilkerson

The supply chain operations reference (SCOR) model has been used by supply chain managers since 1996 to structure and guide supply chain analysis. Its proven utility as an analytical framework for evaluating, improving and managing supply chain performance has been demonstrated across almost every industry. The SCOR model integrates process definitions with performance and diagnostic metrics and leading practices for improving operational efficiency and customer service. Recently, the Supply Chain Council, which owns the SCOR model, formed a project team to investigate the intersection between the SCOR model and supply chain risk management.

Phase 1: Define the supply chain. Different product categories (star performers, cash cows, poor performers) may have different risk management objectives, so it is critical to clearly define the supply chain that will be evaluated. The next step is to map the supply chain and depict the material flow between the nodes. For each node, there should be an associated SCOR process (source, make, deliver, return) reflecting the activity occurring at that node.

Phase 2: Analyze the supply chain. The SCOR model uses value at risk (VAR) to quantify supply chain risks. The VAR for a specific risk is simply the probability of the risk event occurring multiplied by the financial impact that would result if the event should occur. The VAR for an entire supply chain, then, is the sum of the VAR for each risk in the supply chain. The result is an assessment of the likely financial impacts of all risks in the supply chain. This information can be used to develop return on investment calculations to guide mitigation efforts. Although VAR is the preferred metric in the SCOR model, time to recover (the expected elapsed time between an event and supply chain recovery) is the metric that Cisco uses to quantify the risks in its supply chains.

Phase 3: Assess the supply chain risks. The SCOR model provides a structure for a brainstorming exercise to identify potential risks linked to the geographic assessment and process maps developed earlier. Suggested areas for consideration include disaster preparedness, political and labor stability, critical failure points for the supply chain, security and quality controls at the site, supplier financial stability, and so on. Validate the list of potential risks with respect to probability and impact, and document the risk register in a format that makes it usable in future analyses.

Phase 4: Mitigate the supply chain risks. Mitigation involves taking action to reduce either the likelihood that a risk will occur or the impact of the event when it does occur. How much risk you mitigate will depend on both the risk tolerance of the supply chain and the resources available to implement mitigation actions. Because it is difficult to mitigate every risk, the Risk Prioritization table on the following page provides a way of prioritizing which risks to mitigate.

Phase 5: Implement mitigation measures. Once the mitigation plan has been defined and funded, a critically important aspect of implementation is risk monitoring, to allow managers to proactively respond to events as they happen or even take preventive action before they occur.


Continuous risk management

In today's economic environment, there is no such thing as a static supply chain, and that means there is no such thing as a static risk profile. As suppliers, customers and partners are added to and removed from your supply chain, the impact of the changes must be regularly reassessed. Here is an example of a typical schedule:

Monthly: Revisit mitigation plans to ensure that they are being properly implemented and accurately reflect operational needs.

Quarterly: Revisit risk assessments, especially those that are subject to market or political conditions, to verify that the VAR for each risk is accurate.

Annually: Revisit the supply chain to ensure the supply chain definition and risk priorities accurately reflect the current supply chain configuration.

Biannually: Revisit the supply chain definition to ensure that the risk management program reflects both the organizations that are currently involved in the supply chain and the role the supply chain plays in your company's corporate strategy.

Risk Prioritization
Source: Logistics Management Institute 2008

                            LIKELIHOOD OF OCCURRENCE
                            Low                              High
POTENTIAL IMPACT   High     Moderate risk                    Critical risk
                            Medium priority for mitigation   High priority for mitigation
                   Low      Low risk                         Moderate risk
                            Low priority for mitigation      Medium priority for mitigation
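As an added worked example (not from the SCOR model, the Supply Chain Council or Cisco), the following Python carries the Phase 2 VAR arithmetic through a small risk register, places each risk in the likelihood/impact prioritization matrix used in Phase 4, and runs the return-on-investment check the text says VAR supports; every risk, probability, dollar amount and threshold is constructed for illustration.

```python
"""
SCOR-style risk register: value at risk (VAR) per risk, VAR for the whole supply
chain, placement in the likelihood/impact prioritization matrix, and a
return-on-investment test for a candidate mitigation.
Added example; all figures and thresholds below are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float           # chance the event occurs in the planning period (0.0 to 1.0)
    impact: float                # financial loss if it occurs, in dollars
    time_to_recover_days: float  # alternative metric (Cisco-style): days from event to recovery

    def var(self) -> float:
        """SCOR value at risk for one risk: probability multiplied by financial impact."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        return self.probability * self.impact


def supply_chain_var(register: list[Risk]) -> float:
    """VAR for the whole supply chain is the sum of the VAR of each risk in it."""
    return sum(r.var() for r in register)


def prioritize(risk: Risk, likelihood_threshold: float = 0.10,
               impact_threshold: float = 1_000_000) -> tuple[str, str]:
    """Place a risk in the 2x2 Risk Prioritization matrix (likelihood vs. impact).

    Both high -> ("critical", "high" priority); one high -> ("moderate", "medium");
    neither -> ("low", "low"). The thresholds are assumed values; a real program
    derives them from the supply chain's risk tolerance.
    """
    high_likelihood = risk.probability >= likelihood_threshold
    high_impact = risk.impact >= impact_threshold
    if high_likelihood and high_impact:
        return ("critical", "high")
    if high_likelihood or high_impact:
        return ("moderate", "medium")
    return ("low", "low")


def rank_by_var(register: list[Risk]) -> list[str]:
    """Risk names in descending VAR order: the order in which mitigation money is considered."""
    return [r.name for r in sorted(register, key=lambda r: r.var(), reverse=True)]


def mitigation_roi(risk: Risk, new_probability: float, new_impact: float,
                   annual_cost: float) -> float:
    """Return on investment of a control that lowers likelihood and/or impact.

    ROI = (VAR reduction - annual cost of the control) / annual cost.
    A negative value means the control costs more than the expected loss it removes.
    """
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    mitigated = Risk(risk.name, new_probability, new_impact, risk.time_to_recover_days)
    reduction = risk.var() - mitigated.var()
    return (reduction - annual_cost) / annual_cost


def longest_recovery(register: list[Risk]) -> Risk:
    """The risk with the largest time to recover; a TTR-driven program would address it first."""
    return max(register, key=lambda r: r.time_to_recover_days)


# Constructed register for one product family (hypothetical risks and figures).
REGISTER = [
    Risk("Fire at sole-source PCB supplier", 0.05, 4_000_000, 60),
    Risk("Port labor strike delays inbound containers", 0.20, 500_000, 14),
    Risk("Counterfeit component lot passes incoming inspection", 0.15, 2_000_000, 30),
    Risk("Minor customs documentation delay", 0.05, 50_000, 3),
]


if __name__ == "__main__":
    print(f"{'Risk':<55}{'VAR':>12}  {'cell':<10}{'priority'}")
    for r in REGISTER:
        level, priority = prioritize(r)
        print(f"{r.name:<55}{r.var():>12,.0f}  {level:<10}{priority}")
    print(f"\nSupply chain VAR: ${supply_chain_var(REGISTER):,.0f}")
    print("Mitigation order by VAR:", rank_by_var(REGISTER))
    print("Longest time to recover:", longest_recovery(REGISTER).name)

    # Candidate control (assumed): component authentication for the counterfeit risk,
    # cutting its probability from 0.15 to 0.03 at $60,000 per year.
    counterfeit = REGISTER[2]
    roi = mitigation_roi(counterfeit, 0.03, counterfeit.impact, 60_000)
    print(f"Counterfeit-control ROI: {roi:.1f}x")
```

Note that the VAR ranking and the matrix do not always agree: the supplier fire has the second-largest VAR but lands in a moderate cell because its likelihood is below the threshold, which is exactly the kind of discrepancy the quarterly reassessment is meant to surface.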


CHAPTER 7: Linking Smart Grid, Cybersecurity and Supply Chain

The ICT SCRM Community Framework Development Project


Sandor Boyson, University of Maryland, 2011

This study reviewed more than 60 policy and practice documents of key initiatives in supply chain cybersecurity and found areas of emerging congruence, but also fragmentation of approach. The core finding is a compelling need for the information communications technology (ICT) supply chain industry to reach across the hardware, software, network and physical distribution divides to gain greater strategic command and control; to better leverage the lessons learned from other supply chain disciplines; and to more effectively navigate the serious opportunities and risks associated with the rapid globalization of ICT systems.

Key Findings

The cyber supply chain discipline is currently in an early emerging state characterized by a deficient evidence-based body of knowledge; a proliferation and fragmentation of industry best practices and standards groups, generally led by the largest firms; and a profound under-usage of supply-chain-wide risk governance mechanisms inside IT vendors.

No readily identifiable, large-scale, end-to-end risk management model exists that cuts across the various functional areas of the ICT supply chain.

Anchoring ICT Supply Chain Risk Management (SCRM) to the more mature supply chain industry will help accelerate consensus building and overall development.

This study recommends combining defense in depth and defense in breadth. Defense in breadth is extensive, covering the end-to-end ecosystem of customers/acquirers, integrators, suppliers and the key processes between them. Defense in depth is intensive, covering risk governance; systems life cycle management, including design, risk assessment and supply base modeling/auditing; and operations management. Together, they provide comprehensive ICT SCRM controls.


Bibliography
Allan, Danny, Tim Hahn, Andreas Szakal, Jim Whitmore, and Axel Buecker. Security in Development: The IBM Secure Engineering Framework. Armonk, New York: IBM Corp., 2010. http://www.redbooks.ibm.com/redpapers/pdfs/redp4641.pdf.

Boyson, Sandor. The ICT SCRM Community Framework Development Project. College Park, MD: University of Maryland, 2011. http://csrc.nist.gov/scrm/documents/umd_ict_scrm_initiativesreport2-1.pdf.

Ellison, Robert J., John B. Goodenough, Charles B. Weinstock, and Carol Woody. Evaluating and Mitigating Software Supply Chain Security Risks. Pittsburgh, PA: Carnegie Mellon Software Engineering Institute, May 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tn016.cfm.

Harrington, Lisa H., Sandor Boyson, and Thomas M. Corsi. X-SCM: The New Science of X-treme Supply Chain Management. New York: Routledge, 2011.

Lipner, Steve, and Michael Howard. Microsoft: The Trustworthy Computing Security Development Lifecycle. MSDN Library Web site. March 2005. http://msdn.microsoft.com/en-us/library/ms995349.aspx (accessed February 29, 2012).

Swanson, Marianne, Nadya Bartol, and Rama Moorthy. Supply Chain Risk Management Practices for Federal Information Systems. Gaithersburg, MD: National Institute of Standards and Technology, June 2010. http://csrc.nist.gov/publications/drafts/nistir-7622/draft-nistir-7622.pdf.

U.S. Department of Energy. Electricity Sector Cybersecurity Risk Management Process Guideline. Washington, DC: U.S. Department of Energy, September 2011. https://public.commentworks.com/CW_DOE_WF/InitiativeDocFiles/46/RMP_Guideline_Draft_for_Public_Comment_08312011-1.pdf.

Villasenor, John D. Ensuring Hardware Cybersecurity. Washington, DC: Brookings Institution, May 2011. http://www.brookings.edu/papers/2011/05_hardware_cybersecurity.aspx.


CHAPTER 8: National Strategies for Smart Grid, Cybersecurity and Supply Chain

CHAPTER 8

National Strategies for Smart Grid, Cybersecurity and Supply Chain


National policy documents are beginning to reflect the overlaps between cybersecurity and supply chain risk management. The organizational silos between physical security and cybersecurity are beginning to break down, leading to a more integrated approach, one that capitalizes on the synergies between solutions and on the opportunities to strengthen public-private partnerships.

U.S. Policy Documents


Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure
White House, May 2009

A team of government cybersecurity experts conducted a comprehensive review to assess U.S. policies and structures for cybersecurity, identifying initial areas of action to help the United States achieve a more reliable, resilient and trustworthy digital infrastructure for the future.

Key Findings

Anchor leadership in the White House
Create a cybersecurity coordinator to work across agencies.
Review policies and laws to clarify authorities, roles and responsibilities.
Strengthen federal leadership and accountability.
Elevate cybersecurity at state, local and tribal levels to ensure effective coordination.

Build capacity for a digital nation
Promote cybersecurity risk awareness for all citizens.
Build an education system that will enhance understanding of cybersecurity and allow the United States to retain and expand upon its scientific, engineering and market leadership in information technology.
Expand and train the workforce to protect the nation's competitive advantage.
Help organizations and individuals make smart choices as they manage risk.

Share responsibility for cybersecurity
Improve partnership between the private sector and government.
Evaluate barriers to public-private partnership.
Partner effectively with the international community.


Create effective information sharing and incident response
Build a framework for cyber incident response.
Enhance information sharing to improve incident response capabilities.
Improve cybersecurity across all infrastructures.

Encourage innovation
Link research and development (R&D) frameworks to infrastructure development.
Build a cybersecurity-based identity management vision and strategy for the nation.

Inclusion of supply chain considerations

The report noted that: One of the results of the information technology revolution and free trade policies is a global environment for research, design, manufacturing, and servicing of information and communications products by corporations with facilities spread across the globe. This global marketplace has created tremendous benefits for U.S. industry by opening markets worldwide for high-tech U.S. goods and services. However, the emergence of new centers for manufacturing, design and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions. A broad, holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services. The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities. The best defense may be to ensure U.S. market leadership through continued innovation that enhances U.S. market leadership and the application of best practices in maintaining diverse, resilient supply chains and infrastructures.

The president's cybersecurity policy official, working with departments and agencies, should:

Define procurement strategies through the General Services Administration, building on work by the National Security Agency for the Department of Defense, for commercial products and services in order to create market incentives for security to be part of hardware and software product designs, new security technologies, and secure managed services;

Expand partnerships with state, local, and tribal governments and international partners to maximize the market influence of these procurements;

Work with Congress to identify mechanisms that would enable departments and agencies, under appropriate, limited situations, to incorporate threat information into acquisition decisions; and

Work with industry to provide threat information and identify best practices for managing supply chain and insider risks, from both economic and threat perspectives.


The Comprehensive National Cybersecurity Initiative (CNCI)


White House, May 2009

In May 2009, the president accepted the recommendations of the Cyberspace Policy Review. The CNCI is implementing the recommendations of the Cyberspace Policy Review to strengthen the capabilities of the federal government to meet a more sophisticated cyber threat. This effort is built on the George W. Bush administration's cybersecurity plan, but it extends beyond the Bush-era CNCI by adding cybersecurity initiatives in two key areas: supply chain and critical infrastructure.

Initiative No. 11: Develop a multipronged approach for global supply chain risk management. Globalization of the commercial information and communications technology marketplace provides increased opportunities for those intent on harming the United States by penetrating the supply chain to gain unauthorized access to data, alter data, or interrupt communications. Risks stemming from both the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire life cycle of products, systems and services. Managing this risk will require a greater awareness of the threats, vulnerabilities and consequences associated with acquisition decisions; the development and employment of tools and resources to technically and operationally mitigate risk across the life cycle of products (from design through retirement); the development of new acquisition policies and practices that reflect the complex global marketplace; and partnership with industry to develop and adopt supply chain and risk management standards and best practices. This initiative will enhance federal government skills, policies and processes to provide departments and agencies with a robust tool set to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.

Initiative No. 12: Define the federal role for extending cybersecurity into critical infrastructure domains. The U.S. government depends on a variety of privately owned and operated critical infrastructures to carry out the public's business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats. This initiative builds on the existing and ongoing partnership between the federal government and the public and private sector owners and operators of critical infrastructure and key resources (CIKR). The Department of Homeland Security and its private-sector partners have developed a plan of shared action with an aggressive series of milestones and activities. It includes both short-term and long-term recommendations, specifically incorporating and leveraging previous accomplishments and activities that are already underway. It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. It includes a focus on public-private sharing of information regarding cyber threats and incidents in both government and CIKR.


National Strategy for Global Supply Chain Security


The White House, January 2012

International trade has been, and continues to be, a powerful engine of U.S. and global economic growth. The global supply chain system that supports this trade is essential to the United States' economy and is a critical global asset. The National Strategy for Global Supply Chain Security (the Strategy) articulates the United States government's policy to strengthen the global supply chain in order to protect the welfare and interests of the American people and secure our nation's economic prosperity. The Strategy focuses on the worldwide network of transportation, postal, and shipping pathways, assets, and infrastructures by which goods are moved from the point of manufacture until they reach an end consumer, as well as supporting communications infrastructure and systems.

The document recognizes the interdependencies between cybersecurity and supply chain security, noting: The global system relies upon an interconnected web of transportation infrastructure and pathways, information technology, and cyber and energy networks. While these interdependencies promote economic activity, they also serve to propagate risk that arises from a local or regional disruption across a wide geographic area or industry.

The Strategy stresses two primary goals:

Goal 1: Promote the efficient and secure movement of goods
Resolve threats early to expedite the flow of legitimate commerce by integrating security into supply chain operations.
Improve verification and detection capabilities to identify those goods that are not what they are represented to be, are contaminated, are not declared, or are prohibited; and to prevent cargo from being compromised or misdirected as it moves through the system.
Enhance the security of infrastructure and conveyances by limiting access to cargo, infrastructure, conveyances and information to those with legitimate roles and responsibilities.
Maximize the flow of legitimate trade by modernizing supply chain infrastructure and processes, developing new mechanisms to facilitate low-risk cargo, simplifying trade compliance processes, and refining incentives to encourage enhanced stakeholder collaboration.

Goal 2: Foster a resilient supply chain
Mitigate systemic vulnerability to a supply chain disruption prior to a potential event by using risk management principles to identify and protect key assets, infrastructure, and support systems; and by promoting the implementation of sustainable operational processes and appropriate redundancy for those assets.
Promote trade resumption policies and practices that will provide for a coordinated restoration of the movement of goods following a potential disruption by developing and implementing national and global guidelines, standards, policies and programs.


Priority Action Areas

Implementation of the Strategy will focus on the following priority action areas:

Align federal activities across the United States government to the goals of the Strategy.
Refine understanding of the threats and risks associated with the global supply chain through updated assessments.
Advance technology research, development, testing, and evaluation efforts aimed at improving the ability to secure cargo in air, land and sea environments.
Identify infrastructure projects to serve as models for the development of critical infrastructure resiliency best practices.
Seek opportunities to incorporate global supply chain resiliency goals and objectives into the federal infrastructure investment programs and project assessment process.
Promote necessary legislation that supports implementation of the Strategy by federal departments and agencies.
Develop, in concert with industry and foreign governments, customized solutions to speed the flow of legitimate commerce in specific supply chains that meet designated criteria and can be considered low-risk.
Align trusted trader program requirements across federal agencies with the potential for standardized application procedures, enhanced information-sharing agreements, and security audits conducted by joint or cross-designated federal teams.

European Policy Documents


Priorities for Research on Current and Emerging Network Technologies: Supply Chain Integrity
European Network and Information Security Agency, April 2010

Supply chain integrity in information communication and technology (ICT) is addressed separately in different industries. A common framework for supply chain integrity would help identify common linkages across various industries, including technologies, best practices, and innovative business models. The problem is complicated because of the following:

1. Complex nature of globally distributed supply chains (people, processes, and technologies).
2. Lack of common guidelines for ICT supply chain integrity.
3. Absence of tools, processes, and controls to help measure statistical confidence levels and verify integrity.
4. Ineffective methodologies and technologies for end-user verification of products.
5. Lack of broadly applicable tools, techniques, and processes to detect or defeat counterfeiting and tampering in systems.


6. Lack of coordinated approaches to preserving integrity for different types of products from production through purchasing, and into operations and use.
7. Absence of common business models that could drive the harmonization of integrity requirements across various ICT segments.

Recommendations for Research

The study identifies several key areas for research that can lead to the emergence of a common framework that will strengthen insights into the integrity of the supply chain:

1. Improved and innovative trust models. Currently, most commercial systems operate with implicit trust from their operators only. Moreover, hierarchical trust models in systems lead to numerous dependencies (e.g., software packages need to trust each other and the operating system, from the bottom to the top of the stack). These trust models need to be augmented to enable end-to-end verifiable trustworthiness of ICT systems. Innovative approaches need to be defined to create a new generation of trust models with better-defined constraints. Trust (defined as the expected behavior of a product) and integrity need to be verifiable in solutions that cut across the development and production process. Another interesting area of research is recovery of trust and integrity, a set of approaches and techniques to use if an ICT product has been compromised in order to recover some integrity.

2. Improvement in evaluation and integrity-checking techniques. Evaluation approaches as currently used, while very useful in many contexts, provide no assurance under operational conditions (at run time) and rely on the evaluation of the general design rather than an instance of a product. New dynamic evaluation mechanisms for integrity or an extension of the existing approaches are required to enhance the role of evaluation.

3. Study of good practices currently used in various industry segments and in government procurement. Good practices in supply chain management can provide important insights into technology and process developments that will increase the efficiency and integrity of ICT supply chains. Government procurement practices can be of interest, as can their comparison with other best practices.

4. Improved technology solutions to detect and prevent counterfeiting or overproduction. Non-authentic components (e.g., networks or endpoints) are more likely to fail or be breached. New technologies to determine the provenance of ICT systems are needed to protect the infrastructure.

5. New approaches to security assurance. Auditable, transparent and uniform supply chain integrity practices and tools are needed to achieve higher levels of assurance in critical systems without significantly increasing their cost. New technologies to define inherently trustable complex systems are also necessary. There are two aspects of improving security assurance: greater assurance in supply chains for existing products and designing new architectures that can provide better assurance in new ICT products. Finally, currently available evaluation and assurance frameworks, such as Common Criteria, need to be studied.


6. Better approaches to inventory and configuration control and maintenance. The resilience of a system is dependent on the ability of the operator to verify the integrity of the hardware, software and configuration after any updates, repairs or patching. Introducing compromised elements into the solution can severely impair a system's resilience. New technologies are needed to manage deployed complex systems in order to ensure integrity after modifications. Furthermore, tools and techniques to define, track and measure the integrity of ICT systems will allow real-time verification of their integrity.

7. Study of approaches for assessing policy needs on a global scale. There is an opportunity for industry and academia to study balanced approaches for addressing policy needs in the area of ICT supply chains on a global scale, based on the examples of good practices available from a range of use cases, such as highly global ICT supply chains, supply chains in regulated industries or examples of organizational good practices. Relevant study ideas can be gleaned from technology and process innovations in ICT supply chains, as well as from the deployment of environments with high levels of assurance.

Cybersecurity Aspects in the Maritime Sector

European Network and Information Security Agency, December 2011

Key Findings

Maritime cybersecurity awareness is currently low or non-existent. Member states are thus highly recommended to undertake targeted maritime sector awareness-raising campaigns and cybersecurity training of shipping companies, port authorities, national cybersecurity offices and other key stakeholders.

Due to the high ICT complexity, it is a major challenge to ensure adequate maritime cybersecurity. A common strategy, and the establishment of good practices for technology development and implementation of ICT systems, would therefore ensure security by design for all critical maritime ICT components.

As current maritime regulations and policies consider only physical aspects of security and safety, policy makers should add cybersecurity aspects to them. The study strongly recommends a holistic, risk-based approach; assessment of maritime-specific cyber risks; and identification of all critical assets within this sector.

As maritime governance is fragmented between different levels (i.e., international, European, and national), the International Maritime Organization, together with the EU Commission and the member states, should align international and European Union policies in this sector.

Better information exchange and statistics on cybersecurity can help insurers to improve their actuarial models, reduce their own risks, and thus offer better contractual insurance conditions for the maritime sector. Information exchange platforms, such as CPNI.NL, should also be considered by member states to improve communications.


Bibliography
European Network and Information Security Agency. Analysis of Cyber Security Aspects in the Maritime Sector. Heraklion, Greece: European Network and Information Security Agency, November 2011. http://www.enisa.europa.eu/act/res/other-areas/cyber-security-aspects-in-the-maritime-sector/cyber-security-aspects-in-the-maritime-sector-1/at_download/fullReport.

European Network and Information Security Agency. Priorities for Research on Current and Emerging Network Technologies. Heraklion, Greece: European Network and Information Security Agency, November 2011. http://www.enisa.europa.eu/act/res/other-areas/cyber-security-aspects-in-the-maritime-sector/cyber-security-aspects-in-the-maritime-sector-1/at_download/fullReport.

The Comprehensive National Cybersecurity Initiative. The White House. http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative.

The White House. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure. Washington, DC: The White House, May 2009. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.

The White House. National Strategy for Global Supply Chain Security. Washington, DC: The White House, January 2012. http://www.whitehouse.gov/sites/default/files/national_strategy_for_global_supply_chain_security.pdf.


CASE STUDY: Dow Chemical

CASE STUDY

Dow Chemical: Strategies for Supply Chain Security and Sustainability


Based on an interview with Henry Ward, Global Supply Chain Director, Security, Sustainability & Public Policy, Dow Chemical October 12, 2011

The Changing Landscape for Supply Chain Risk Management


Historically, the issues that caused the greatest impact on the supply chain included natural disasters, severe weather, labor disputes and work stoppages, and social and political unrest. Since The Dow Chemical Company operates on a global scale, these conventional risks continue to have the greatest enterprise-wide impact. But the risk landscape has changed dramatically since 9/11. Increased terrorism risks, coupled with pandemics, cargo theft, chemical diversion, growing public concerns about hazardous material incidents, product counterfeiting, smuggling and maritime piracy, convinced the company to develop a long-term strategy for supply chain sustainability and risk management that included:

A supply chain redesign to reduce the number of shipments and container miles;
Risk-based global supply chain security measures and regional service event management centers;
Chain of custody controls implemented through asset visibility, vendor/service provider risk assessments and continuing technological innovation; and
Enhanced collaboration with industry coalitions and the government to share best practices and promote the adoption of practical, proven industry best practices as the basis for government policy.

Supply Chain Redesign


Dow operates an extensive, integrated global supply chain. The company procures more than 100 billion pounds of raw material and hydrocarbon feedstock from more than 1,000 suppliers worldwide, and manages about three million product shipments to external customers and other Dow locations each year. Dow's products are staged in 300 warehouses and 100 terminals around the world, and shipped via highway, rail, marine, pipeline and air. About 20 percent of those shipments involve international border crossings where customs clearance is required. Dow believes that a sustainable supply chain is a key enabler and an ongoing necessity for sustainable business growth. The company's vision for a sustainable supply chain goes well beyond the boundaries of greening the supply chain. It addresses the fundamental attributes of sustainability, including safety and security, profitability, reliability and resilience, and social and environmental responsibility.


In order to achieve its vision of a sustainable supply chain, Dow has continued to evaluate and implement new ways to improve the efficiency and effectiveness of its supply chain. The greatest gains have been accomplished through supply chain redesign. For example, during the past three years, Dow completed more than 300 supply chain sustainability projects that contributed $85 million to the company's bottom line. The drivers for those projects were primarily economic, but they also yielded significant service, safety, security, energy and environmental benefits. As a result of the company's efforts to reduce transportation distances, improve asset utilization, optimize distribution networks and improve productivity, Dow was able to achieve energy savings equivalent to 2.5 million gallons of diesel fuel per year, greenhouse gas reductions of nearly 400,000 metric tons per year, and relative transportation safety risk reductions of about five percent.


The supply chain was an important area of focus for Dow after 9/11. Dow sought to reduce chemical product transportation risks by reducing highly hazardous chemical shipments, while still meeting the needs of the marketplace. Its supply chain redesign efforts had two major components:

Reduce the number of existing shipments through alternative sourcing, alternate modes of delivery and greater producer/user process integration; and
Avoid new long-term shipments of highly hazardous materials.

Those supply chain redesign efforts reduced Dow's global footprint for highly hazardous materials by 40 percent and lowered its inventory handling and shipping costs.

Risk-Based Global Supply Chain Security Measures


Dow has developed a comprehensive risk management system for the safe and secure distribution of raw materials, intermediates and products worldwide. The program includes an assessment of potential safety and security risks across its chemical supply chain, including an evaluation of the safety and security practices of its raw material suppliers, the hazards of the materials shipped, the safety and security practices of its logistics service providers, the downstream uses of its products and the qualifications of customers to whom the products are shipped. This supply chain risk assessment and management program enables Dow to identify and implement appropriate, consistent, minimum safety and security measures for product, intermediate and raw material shipments worldwide.


Dow has prepared and implemented a supply chain security plan, which establishes a tiered system of risk-based security measures that increase with rising threat levels. Dow also has established transportation safety and security standards in those areas where additional risk reduction measures are desired above and beyond those required by government regulations. And, in those areas representing the greatest safety and security concern, Dow is pursuing industry-leading state-of-the-art security initiatives.

Regional Service Event Management Centers


Within the last two years, Dow has created regional supply chain service event management centers to proactively monitor events that could adversely impact its global supply chain (from adverse weather conditions to anticipated labor disputes, social and political unrest, cargo theft and piracy) and to manage those events to minimize any potential disruptions for customers. Covering the Americas, Asia, Europe/Middle East, Latin America and Africa, the regional centers draw on multiple intelligence streams to gather information and assess the potential impact of events on Dow shipments. For example, in a recent month, Dow's regional centers managed potential disruptions associated with rail and port strikes in Europe and North America, typhoons in the South China Sea, hurricanes and tropical storms in the Gulf Coast, Houston ship channel closures due to a barge accident, political unrest in the Middle East, maritime piracy in the Gulf of Aden, and dangerous goods routing restrictions in China and other world areas associated with high-profile public events.

The regional centers are building a strong library of lessons learned: what worked, what did not, and how the company could approach the problem differently in the future. Once it becomes clear that an event could affect the company's product shipments or customers, the regional centers become the focus for risk management efforts. Depending on the potential severity of the event, the regional teams can put together a "war room" to monitor the situation, assess the potential impact, develop options and work directly with the affected business units, which in turn engage customers to determine ways to mitigate the impact of the disruption. The goal is to anticipate and adjust before a disruption can cascade into a major crisis for the company and its customers.

Chain of Custody Controls


Dow's supply chain security is rooted in chain of custody controls. For highly valuable, highly regulated or highly hazardous products, the company has established the capability for 24-7 monitoring of the cargo's location, e.g. who has responsibility for its handling and whether there has been unauthorized entry into the containers in transit or at the points of hand-off from one party to another. Three areas of focus include:

- Asset Visibility
- Supplier/Service Provider Evaluations
- Technology Innovation


Asset Visibility: Dow began implementing a strategy for asset visibility through a combination of RFID tagging, GPS and sensor technologies about six years ago. Although RFID had long been used to track chemical shipments by rail, the communication was one way (the container had to pass an RFID reader to signal its location) and did not cover other modes of transportation. By combining RFID and GPS technology, the company got real-time location information. Today, Dow's web-based DowTrak container tracking portal gives the company and customers the ability to track shipments no matter what mode of transportation or area of the world. GPS and RFID technologies are coupled with sensors which allow supply chain managers to monitor the condition of the material and the integrity of the container. Electronic seals can monitor whether the door has been opened and whether the sensors detect light. There are shock detectors, which also can enable the company to detect where rough handling may be damaging the transportation equipment or products in the container, and humidity sensors to monitor for the presence of water vapor, previously detectable only after drums deteriorated as a result of adverse conditions during ocean transits. These types of asset visibility measures serve both product quality and security needs.

Given the volume of shipments, it is not practical to track every shipment. Dow's focus is on cargo that is:

- High value: for example, catalyst materials and agriculture chemicals which could bring a high price on the black market;
- High hazard: for example, materials that are toxic to inhale which could be used as weapons of mass effect by terrorists; and
- Highly regulated: for example, chemicals that could be repurposed to manufacture illegal drugs or chemical weapons, or products sold into sensitive end-use markets such as direct food and pharmaceutical applications.

As the need is determined by risk assessments on products in these categories, Dow has the ability to maintain 100 percent visibility on a shipment from the time it leaves the shipping location until it arrives at its destination.

Risk Assessments of Raw Material Suppliers & Logistics Service Providers: Dow's suppliers are evaluated initially and periodically thereafter, based on the potential risks they present to the company. All suppliers are screened against specific criteria in eight risk areas: safety and security, product stewardship, social and environmental responsibility, product quality, trade compliance, business continuity, financial stability and information protection. The criteria include attributes related to the supplier, industry sector, commodity, geographic area and markets served. Based on the screening results, all suppliers are ranked in one of three risk tiers: high, medium or low. Suppliers that are ranked in a medium or high-risk tier are further assessed using industry-developed protocols and internationally recognized certification standards, where available. Examples include marine and terminal assessment protocols developed and administered by the Chemical Distribution Institute; CEFIC SQAS assessment protocols for road and rail carriers and warehouse operators; international border security program certifications under the C-TPAT (USA), AEO (Europe) and PIP (Canada) government programs; ISO 9000 quality standards; and ISO, ASIS and NFPA business continuity standards. Where industry protocols or government programs are not available, Dow-specific assessment protocols are used. Further, for suppliers ranked in a high-risk tier, Dow puts "boots on the ground" to validate that minimum risk management requirements are being implemented.

Most Effective Technology: Technology solutions are driven by Dow's MET (most effective technology) programs, which provide a range of solutions for supply chain safety and security, including the integrity of the shipment container, tracking devices and anti-counterfeiting technologies. One of Dow's emerging challenges is counterfeit products, either counterfeit Dow labels or real Dow labels with counterfeit product. For several high-risk businesses operating in high-risk geographies, Dow has implemented anti-counterfeiting approaches. First, Dow places tamper-evidence seals on containers to lower the probability of undetected entry. Second, the company has employed holographs and 3D bar codes linked to a database of shipments, so distributors and customers can scan the bar code and verify, through a link to Dow's secure database, that the label is a legitimate Dow label and the shipment a legitimate Dow shipment. The link also provides information on when the product was manufactured and shipped.

Cyber Security: IT has become an emerging supply chain risk for Dow. Criminal elements around the world are beginning to use shipping information to target specific cargoes. For example, criminals in Mexico recently gained access to a logistics company's shipping records and used that information to target specific shipments in transit. In another example, there is evidence that Somali pirates have gained insider information from ports in Europe about container ship cargoes, which they have used for targeting purposes when those vessels pass through the Gulf of Aden. The challenge is to prevent the basic information that shippers, customs authorities, carriers and customers need from falling into the wrong hands. Cyber security is the responsibility of Dow's information security professionals. They use standard industry protocols to assess the IT security of high-risk suppliers and service providers.
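As an added illustration of the supplier screening and tiering described above (this is example code written for this page, not Dow's own system), the following Python models the procedure: each supplier is scored in the eight risk areas the text names, geography and sector attributes adjust the exposure, the total is mapped to the high, medium or low tier, and the tier drives the follow-up (an industry protocol where one exists for the sector, a company-specific protocol otherwise, and on-site validation for the high tier). The 0-3 score scale, the thresholds, the sector labels, the `ZZ` placeholder country code, the rule that a serious concern in any single area lifts a supplier out of the low tier, the rule that a weak information-protection score triggers an IT security assessment, and the sample suppliers are all constructed assumptions; only the protocol names come from the text.

```python
"""Supplier risk tiering with escalating follow-up (added example, not Dow's system).

Each supplier is scored 0 (no concern) to 3 (serious concern) in the eight risk
areas named in the text. Thresholds, sector labels, the placeholder country code
and the sample suppliers are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RISK_AREAS = (
    "safety_security", "product_stewardship", "social_environmental",
    "product_quality", "trade_compliance", "business_continuity",
    "financial_stability", "information_protection",
)

# Industry protocols the text names, keyed by a constructed sector label.
# Sectors without an entry fall back to a company-specific protocol.
INDUSTRY_PROTOCOLS = {
    "marine_terminal": "CDI marine and terminal assessment",
    "road_rail_carrier": "CEFIC SQAS road/rail assessment",
    "warehouse": "CEFIC SQAS warehouse assessment",
}
HIGH_RISK_GEOGRAPHIES = {"ZZ"}  # placeholder country code (constructed)
HAZARDOUS_SECTORS = {"toxic_inhalation", "precursor_chemicals"}  # constructed labels
MAX_AREA_SCORE = 3


@dataclass
class Supplier:
    name: str
    sector: str
    country: str
    scores: Dict[str, int]  # risk area -> 0..3


def area_scores(*values: int) -> Dict[str, int]:
    """Helper: build a score dict in RISK_AREAS order."""
    return dict(zip(RISK_AREAS, values))


def validate(supplier: Supplier) -> None:
    """Reject suppliers with unscored areas or out-of-range scores."""
    missing = set(RISK_AREAS) - supplier.scores.keys()
    if missing:
        raise ValueError(f"{supplier.name}: unscored risk areas {sorted(missing)}")
    for area, value in supplier.scores.items():
        if not 0 <= value <= MAX_AREA_SCORE:
            raise ValueError(f"{supplier.name}: score {value} for {area} out of range")


def risk_score(supplier: Supplier) -> int:
    """Sum of area scores, raised for high-risk geographies and hazardous sectors."""
    validate(supplier)
    total = sum(supplier.scores[area] for area in RISK_AREAS)
    if supplier.country in HIGH_RISK_GEOGRAPHIES:
        total += 3
    if supplier.sector in HAZARDOUS_SECTORS:
        total += 3
    return total


def risk_tier(supplier: Supplier) -> str:
    score = risk_score(supplier)
    tier = "high" if score >= 12 else "medium" if score >= 6 else "low"
    # Assumption: a serious concern in any single area never stays in the low tier.
    if tier == "low" and max(supplier.scores.values()) == MAX_AREA_SCORE:
        tier = "medium"
    return tier


def required_actions(supplier: Supplier) -> List[str]:
    """Follow-up steps implied by the tier: screening, protocol assessment, site visit."""
    tier = risk_tier(supplier)
    actions = ["screen against eight-area criteria"]
    if tier in ("medium", "high"):
        protocol = INDUSTRY_PROTOCOLS.get(supplier.sector, "company-specific assessment protocol")
        actions.append(f"assess with {protocol}")
        if supplier.scores["information_protection"] >= 2:  # assumption
            actions.append("IT security assessment by information security team")
    if tier == "high":
        actions.append("on-site validation of minimum risk management requirements")
    return actions


# Constructed sample suppliers (names, sectors and scores are hypothetical).
SAMPLE_SUPPLIERS = [
    Supplier("Port Operator A", "marine_terminal", "NL", area_scores(2, 1, 1, 1, 2, 2, 1, 2)),
    Supplier("Regional Trucking B", "road_rail_carrier", "US", area_scores(1, 1, 0, 1, 1, 2, 1, 1)),
    Supplier("Packaging Supplier C", "packaging", "US", area_scores(0, 0, 0, 1, 0, 0, 0, 0)),
    Supplier("Precursor Vendor D", "precursor_chemicals", "US", area_scores(1, 1, 0, 1, 3, 1, 1, 1)),
    Supplier("Software Vendor E", "software", "US", area_scores(0, 0, 0, 0, 0, 0, 0, 3)),
]


def evaluate(suppliers=SAMPLE_SUPPLIERS) -> Dict[str, Tuple[str, List[str]]]:
    """Tier and follow-up actions for every supplier, keyed by name."""
    return {s.name: (risk_tier(s), required_actions(s)) for s in suppliers}


if __name__ == "__main__":
    for name, (tier, actions) in evaluate().items():
        print(f"{name}: {tier}")
        for action in actions:
            print("   -", action)
```

The single-area override matters in practice: Software Vendor E scores zero everywhere except information protection, so a pure sum would leave it in the low tier and skip the assessment that its one weak area calls for.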

Collaboration for Improved Security & Resilience


Dow partners with both the public and private sectors to share information about best practices. It partners with a wide range of industry consortia and associations to develop best practices and is proactive in proposing practical, proven industry standards for adoption by policy-makers and regulators. For example, Dow and the eight highway carriers that account for about 90 percent of Dow's North American truck shipments formed a highway security network to share security intelligence information, discuss best practices and develop common security programs. When the Transportation Security Administration (TSA) was looking for guidelines to secure hazardous materials, the highway security network shared its practices for safe and secure transportation of toxic inhalation materials. These became the basis for TSA's voluntary Highway Security-Sensitive Materials Security Action Items for hazardous materials transportation for the entire industry. Dow's position is that, rather than waiting for the government to propose a security standard, a proactive approach ensures that practical and proven industry best practices are built into the national strategy for homeland security and resilience.

For public-private collaboration, Dow emphasizes two principles:

1. Holistic Approaches: Supply chain security strategies need to be based on the selection of those risk mitigation techniques and approaches that achieve the desired result in the most cost-effective way. The strategies also need to balance commercial and security needs.

2. Collaboration Imperative: Neither the public nor the private sector can secure supply chain systems without the support and partnership of the other. The level of complexity is increased by the fact that, for manufacturers, supply chain security requires the engagement of suppliers, customers and carriers. Traditional, punitive regulatory frameworks do not represent the best approach for securing the supply chain.

The Business Case for Supply Chain Security


In the final analysis, Dow can document that supply chain security investments have saved the company millions in annual operating costs from reduced inventory requirements and shipping costs, greater efficiency, minimized losses from theft and greater resilience. Estimates of savings for the supply chains where those investments have been made include:

- More than 20 percent cost reductions in excess inventory and container fleet requirements;
- 100 percent reduction in theft/loss/pilferage;
- 100 percent reduction in tampering;
- Up to 90 percent reduction in transit time;
- 25-50 percent improvements in on-time delivery; and
- 50 percent reduction in response time to identify and resolve in-transit problems.


CASE STUDY: De-Risking the Supply Chain

CASE STUDY

De-Risking the Supply Chain: Ciscos Risk Intelligence and Analytic Tools
Based on an interview with James Steele, Program Director, Supply Chain Risk Management, Cisco, August 8, 2011

In a Nutshell
Supply chain risk management is critical for Cisco Systems because it relies on outsourced manufacturing for more than 99 percent of the products it delivers, most of which are configure-to-order. According to James Steele, Cisco's program director for supply chain risk management: In the past, supply chain operations was a care-about only when things went wrong. The focus was not on growing the business, but on keeping the trains running on time. Over the past 15 years, there has been a sea change in supply chain management. It has become a strategic capability for many companies, and it continues to get the resources, visibility and focus needed to manage it as a platform for growth. Supply chain risk management is a key element in this evolution.

Cisco has built a risk management program focused on anticipating and mitigating any event or circumstance that could disrupt its global supply chain. The goal: to incorporate risk intelligence, agility and resiliency into the supply chain so that it is prepared to respond to any threat. Examples of the program in action include:

- When Bangkok's airport was shut down by protestors in 2008, Cisco had truck convoys ready to move from its partner's nearby factory to an airport in Malaysia, sparing customers any disruption.
- Within 48 hours after the 2008 Chengdu earthquake in China, Cisco was able to conduct a full impact analysis, gain complete visibility into the supplier footprint in the area and initiate a crisis survey targeted at the suppliers' emergency contacts.
- When the economic downturn worsened at the end of 2008, Cisco quickly launched a financial risk assessment (FRA) initiative to identify suppliers with single-sourced parts that have high revenue implications for Cisco. Once the financial assessment was complete, the team separated suppliers into three categories: Green, requiring no action; Yellow, needing to be monitored; and Red, needing mitigation. When two of the suppliers filed for bankruptcy protection, Cisco already had put in place last-time buys and established second sources for their parts.
- When reports of an H1N1 outbreak in Mexico City surfaced in 2009, it took Cisco three days to put together detailed risk assessments of potential impact on orders, revenues and available contingency plans.
- Within 24 hours of the 2011 earthquake/tsunami in Japan, Cisco understood the key impacts to its extensive supplier base in the impacted area and formed a 100+ person war room that launched an intensive 70-day effort to mitigate the impacts.
- Cisco anticipated the escalating risk of the recent Thailand floods in October 2011 and formed a proactive war room that allowed the company to adjust its supply chain to minimize the impact to key suppliers in the region.

Cisco's supply chain risk management process pairs risk intelligence (knowing where its vulnerabilities are) with risk analytics (knowing where the highest probabilities for disruption are).

Key Tools for Supply Chain Risk Intelligence


Business Continuity Planning (BCP): The BCP program collects information on key suppliers and key nodes in the supply chain. Although BCP has become a standard tool for many companies, the challenge for Cisco is simply its scope and scale: managing a global network of more than 900 suppliers, six EMS partners, multiple traffic lanes, hubs and carriers that the company uses, and that information is continually changing. Business continuity data gives Cisco insight into the impact of a disruption, creating an ability to identify which suppliers are affected by an event and its overall impact on the supply chain. Cisco's BCP program gathers a variety of information from its key supply chain partners through a survey process that occurs several times per year. The survey collects information on partners' business continuity practices, time to recover (TTR) in the event of a disruption and key emergency contact information, as well as financial information. With this data, Cisco can define the recovery profile of a product as characterized by the resilience of all component supplier factories, inventory hubs, partner (or internal) production facilities and logistics centers within that product's value chain.

BCP Visualization: Cisco's BCP Visualization capability provides a way to quickly assess the impact of an event, identifying which supply chain nodes are in the affected region, what parts and/or products are made there and what alternate sites can or should be engaged. This visualization and the underlying data become the starting point for any incident mitigation effort and allow Cisco to quickly qualify the potential impact an incident could have or is having on its supply chain operations.

Major Elements of Cisco's BCP Program

Collect, manage and utilize BCP information on all key supply chain nodes:

- Map critical components to supplier sites;
- Identify Time-to-Recover at the part and site levels;
- Evaluate preparedness based on an objective format;
- Validate Business Continuity Plans through audits and drills; and
- Utilize BCP data as the starting point for any incident response.


Crisis Monitoring: Cisco contracts with the National Center for Crisis and Continuity Coordination (NC4) to provide round-the-clock global monitoring to achieve its goal of "sense and respond" situational readiness. Alert profiles are constructed to capture the information on global incidents and events that Cisco monitors generally and in specific regions. Cisco has worked with NC4 to map all of its critical supply chain nodes worldwide and has set criteria for when alarms need to be sounded (for example, when an earthquake occurs within 200 miles of a site). The Cisco Supply Chain Risk Management Team is responsible for utilizing these alerts, as well as open source information, to anticipate, sense and identify a potential risk to operations and to initiate the appropriate response.

Playbooks: Cisco has developed a set of response playbooks that provide a framework for organizing an incident response team, as well as a process for assessing the ground-level impact of a disruption, translating that into an actionable set of mitigation actions and identifying potential impacts to specific products, customer orders and ultimately to customer operations. Cisco maintains a risk-agnostic master playbook that is applicable to any type of supply chain disruption regardless of its location and nature, as well as risk-specific playbooks that focus on recurring events such as hurricanes and typhoons.

Cisco Presentation Slide

Resiliency Index: Cisco invented the Resiliency Index and the TTR metric because it was not able to find any pre-existing standards or metrics to meet its needs. The Resiliency Index is a composite of resiliency attributes for the key "care-abouts" at Cisco: product resiliency, supplier resiliency, manufacturing resiliency and test equipment resiliency, which is a key control point given the globally outsourced supply chain. Each of these four elements of the Resiliency Index is in turn measured by an additional level of resiliency criteria. At the component level, for instance, the criteria include the number of alternative sources, component suppliers' TTR and end-of-life plans and processes. At the supplier level, resiliency is linked to the financial health of suppliers and partners. Manufacturing resiliency is similar to component resiliency in that it is correlated with the availability of back-up or secondary sourcing and the manufacturer's TTR following an event. Test resiliency is measured by the availability of inventories for long-lead test equipment parts. The Resiliency Index is applied automatically to Cisco's top 100 products that, in aggregate, account for about 50 percent of Cisco's revenue. This version of the Resiliency Index is updated quarterly and is a key item on the overall Cisco Supply Chain Operations Executive Dashboard. However, the Index can be applied to a single product, a product line or a group of related products.
The Index is tracked not only to illustrate the impact of Cisco's investments in supply chain resiliency, but also can be utilized to identify opportunities to improve resiliency in existing and new products.

New Product Resiliency: Going forward, Cisco is moving the resiliency metrics upstream to new product introductions, each of which now has a risk and resiliency target. While design teams traditionally concentrated on cost and schedule, they now also focus on risk and resiliency targets in their choices about partners, components and sourcing. This allows Cisco to build supply chain resilience into the design of the product, rather than trying to de-risk the supply chain after the product launch.
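To make the crisis-monitoring criterion and the BCP visualization described above concrete, here is an added Python example (written for this page; it is not Cisco's code or NC4's service). It holds a constructed map of supplier sites with coordinates, the part numbers made at each, the site's time-to-recover (TTR) and the product bills of material; given an event location it finds the nodes within the 200-mile radius the text mentions, the affected parts, which of them are single-sourced (no unaffected alternate site), and a recovery estimate per product, taken as the longest TTR among its affected parts that have no alternate. The site names, coordinates, part numbers, TTR values and products are constructed assumptions; the event location approximates the 2011 Tohoku epicenter.

```python
"""Geofenced alerting plus BCP-style impact analysis (added example, not Cisco's code).

Assumptions: every critical supply chain node is mapped with coordinates, the
manufacturer part numbers made there and a time-to-recover (TTR) in days;
products are modelled as lists of part numbers. All data below is constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

EARTH_RADIUS_MILES = 3958.8
ALERT_RADIUS_MILES = 200  # the earthquake criterion quoted in the text


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in miles between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Node:
    site: str
    supplier: str
    lat: float
    lon: float
    ttr_days: int  # expected time-to-recover after a loss of the site
    parts: tuple   # manufacturer part numbers produced at this site


# Constructed supplier footprint (hypothetical sites and part numbers).
NODES = (
    Node("Sendai-1", "Supplier A", 38.27, 140.87, 45, ("MPN-100", "MPN-200")),
    Node("Osaka-2", "Supplier B", 34.69, 135.50, 10, ("MPN-200", "MPN-300")),
    Node("Tokyo-3", "Supplier C", 35.68, 139.69, 20, ("MPN-400",)),
    Node("Penang-4", "Supplier D", 5.41, 100.33, 7, ("MPN-400",)),
)

# Constructed product bills of material: product -> part numbers it needs.
PRODUCTS = {
    "Router-X": ["MPN-100", "MPN-200"],
    "Switch-Y": ["MPN-300", "MPN-400"],
    "Gateway-Z": ["MPN-200", "MPN-400"],
}


def nodes_within(lat: float, lon: float, radius_miles: float = ALERT_RADIUS_MILES,
                 nodes=NODES) -> List[Node]:
    """Alert criterion: every mapped node inside the radius of the event."""
    return [n for n in nodes if haversine_miles(lat, lon, n.lat, n.lon) <= radius_miles]


def impact_analysis(lat: float, lon: float, radius_miles: float = ALERT_RADIUS_MILES,
                    nodes=NODES, products=PRODUCTS) -> Dict:
    """Affected sites, affected parts with alternates, and a per-product recovery estimate."""
    affected = nodes_within(lat, lon, radius_miles, nodes)
    affected_sites = {n.site for n in affected}
    parts: Dict[str, Dict] = {}
    for part in sorted({p for n in affected for p in n.parts}):
        hit_sites = [n for n in affected if part in n.parts]
        alternates = [n.site for n in nodes if part in n.parts and n.site not in affected_sites]
        # Recovery is zero if an unaffected alternate site can supply the part;
        # otherwise it is the shortest TTR among the affected sites that make it.
        recovery = 0 if alternates else min(n.ttr_days for n in hit_sites)
        parts[part] = {
            "affected_sites": [n.site for n in hit_sites],
            "alternates": alternates,
            "single_sourced": not alternates,
            "recovery_days": recovery,
        }
    product_recovery: Dict[str, int] = {}
    for product, bom in products.items():
        hit = [p for p in bom if p in parts]
        if hit:  # product touched by the event, even if every part has an alternate
            product_recovery[product] = max(parts[p]["recovery_days"] for p in hit)
    return {"affected_sites": sorted(affected_sites), "parts": parts, "products": product_recovery}


if __name__ == "__main__":
    report = impact_analysis(38.3, 142.4)  # approximate 2011 Tohoku epicenter
    print("Affected sites:", report["affected_sites"])
    for part, info in report["parts"].items():
        print(part, info)
    print("Product recovery estimate (days):", report["products"])
```

Gateway-Z shows the distinction a war room needs on day one: it appears in the product list because one of its parts is made at the affected site, but its recovery estimate is zero because an unaffected alternate exists, whereas Router-X inherits the 45-day TTR of its single-sourced part.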

New Tools/Next Steps


New Business Software Tools: The recent Japan earthquake/tsunami in March 2011 was a key test of Cisco's supply chain risk management capability. Overall, Cisco had a very successful mitigation response and was able to ensure no downstream impact to customers or revenue, despite the fact that more than 100 of Cisco's suppliers were impacted by the event. The enormous scale and scope of the incident, however, was a key learning opportunity to improve Cisco's supply chain risk management capability and processes. Based on key lessons from its Japan response, Cisco is continuing to invest in increasing the automation of its crisis management workflow process: essentially the process of identifying all impacted components and translating these impacts into actionable mitigation plans and proactive visibility into downstream customer impacts.


Cisco Presentation Slide

Sub-Tier Resiliency Visibility: A key for additional risk management is to increase risk intelligence on supply chain resilience capabilities deeper into the supplier sub-tiers. Cisco identified this opportunity clearly during its Japan response: while impacts to its first tier of suppliers were highly visible, it was more challenging to identify impacts on the supplier sub-tiers. Such information is particularly important for highly engineered components in critical commodity areas such as semiconductors and optical components. Cisco is continuing to expand its supply chain risk management efforts into BCP coverage for select portions of its supply chain sub-tiers in order to be even more prepared for the inevitable next crisis.


CASE STUDY: Supply Chains in Crisis

CASE STUDY

Supply Chains in Crisis: Dealing with Disaster, Cisco's Response in Japan


Based on an interview with John O'Connor, Senior Director, Value Chain, Cisco Systems

Evolution of Cisco's Value Chain Resiliency Management


Cisco has moved from reactive supply chain risk management (2004-2007) to proactive risk management (2008-2009) to innovative risk management (2010). (See Chart 1.) Over the same period, supply chain resilience has become a core business challenge across the enterprise, not just a logistics problem. New tools, processes and technologies were developed during the last decade to preserve the resilience of the supply chain, and the effectiveness and value of these tools were demonstrated during the crisis in Japan.

Background on the 2011 Japan Earthquake


The 9.0 magnitude earthquake that struck the Northeastern coast of Japan on March 11, 2011, was the most significant disruption that the global supply chain has experienced in modern times, based on the scope, scale and velocity of the evolution of the risk exposure and circumstances. What started as an extremely powerful earthquake quickly became a deadly tsunami that triggered an unprecedented nuclear facility disaster. This, in turn, further compromised key elements of Japan's infrastructure, such as roadways, power transmission and electrical capacity for large portions of the impacted region. The crisis was a key test of Cisco's Supply Chain Risk Management (SCRM) team and capabilities, as well as the overall end-to-end resiliency that the team and the Supply Chain Operations organization drive.

Cisco's Supply Chain Risk Management: Leading Practices Applied to the Japan Response

Supply Chain Incident Management Activation: Within 30 minutes of the initial NC4 alert of the 9.0 magnitude earthquake (NC4 is a third-party notification service that sends alerts based on a mapping of all critical supply chain nodes), the supply chain incident manager (on the SCRM team) was made aware of the event and alerted the SCRM team lead, team members and the Supply Chain Operations senior leadership team. Within 12 hours, the primary supply chain incident management team was activated. This team consists of an extended group of operations functional leaders who represent their functional organizations during an incident.


Chart 1. Evolution of Value Chain Risk Management at Cisco

(The chart plots three stages along two axes: ORGANIZATIONAL ENGAGEMENT and EFFECTIVELY MANAGING.)

- Reactive Risk Management (2004-2007): business continuity planning; crisis management; some level of mitigation
- Proactive Risk Management (2008-2009): business continuity planning as an assessment framework; mitigation governance and metrics; crisis monitoring and playbooks
- Innovating Risk Management (2010+): resiliency embedded in processes; design for resiliency

Business Continuity Planning (BCP) Leverage: Utilizing SCRM's BCP data and processes, the SCRM BCP program manager was able to identify all direct suppliers, their associated sites and components (manufacturing part numbers) and other critical supply chain nodes in the impacted area within 12 hours of the initial earthquake. The manager was also able to profile each supplier site from various resiliency perspectives. These included the expected time-to-recover (TTR) for the site, back-up power generation capabilities, and whether the supplier's components were single sourced or had alternate sites available. Leveraging the BCP emergency contact information at the supplier site level, the incident management team was able to quickly establish contact with suppliers (over the course of the first few days of the incident) to assess the impact of the incident on site capacity and the prognosis for their ability to continue to produce and distribute components. Utilizing Cisco's BCP Resiliency Visualization capability, the incident management team was able to develop a snapshot of the supplier impact and status over the entire region.


This snapshot was refreshed on a daily basis based on the evolution of the crisis circumstances (e.g. addition of the nuclear exclusion zone around the Fukushima nuclear facility, changing electrical power capacity projections, etc.) and facilitated faster, more informed executive decision making on mitigation activities and prioritization.

Supply Chain Incident Management Team War Room: Within 2 days of the initial earthquake, a formal war room was established to provide a central management point and decision-making forum for all Supply Chain Operations personnel involved in the mitigation effort. The war room approach, structure and operations were based on the SCRM Incident Management playbooks. These playbooks create a predefined reference for bringing together the Customer Value Chain Management (CVCM) organizational leaders to assess, mitigate and resolve a disruptive supply chain incident. The playbooks define a functional track structure, key contacts related to various types of incidents, templates and other collateral to assist in running and managing an incident response. Through these playbooks and the overall SCRM incident management process, CVCM was able to very quickly mobilize and get out ahead of the crisis from a mitigation and customer communication standpoint.

Bottom Line: In a very short period, the crisis management system was able to assess more than 300 Tier 1 to Tier 5 suppliers (including site inspections) and more than 7,000 part numbers, and to complete a risk rating and mitigation plan. And the largest supply chain disruption in modern times created virtually no revenue impact for the company.

Key Lessons Learned


Information and visibility are the backbone of a major incident response. When a crisis hits, it is extremely important to have the systems and processes in place that can assist with understanding and assessing the situation. In Cisco's case, this included quickly understanding who has been impacted (supply chain nodes), how this impact affects Cisco (components/products/customers/revenue), and what recovery path to pursue (second and alternative source availability, TTR). Each of these questions was addressed through the BCP capability and data. Utilizing the output of this program allowed Cisco to focus on mitigation rather than scrambling for visibility in the early stages of the incident and accelerated overall time to results.

Incident preparation and process are non-negotiable for success. Given the scale of the impact and the velocity of the evolution of the threat, Cisco's response involved every part of the Supply Chain Organization, across 100+ people. Without a structured response process and an extended team that is trained in how this process is utilized, Cisco would have spent valuable time in the early stages of the incident just to form a functional response team. Anecdotal evidence from discussions across a wide variety of industries indicated that Cisco, from a response standpoint, was functioning within 2 days at a level that took many companies over 2 weeks to accomplish. The SCRM Incident Management Playbooks, in conjunction with drills, training sessions and incident postmortems, create a level of preparedness that allows Cisco to get out in front of any type of supply chain disruption quickly and effectively, regardless of its nature and scale.

It is important to quickly identify and manage your unknowns during an incident. There is really no way to have infinite information and visibility into impacts from a crisis, nor is it possible to anticipate and prepare for every potential threat situation. Information and preparedness are investments, and at a certain point a balance must be found. It is possible, however, to at least identify and recognize key gaps. Proactive knowledge of these key gaps is important so that resources can be prioritized early in a response. For Cisco, the key gap was visibility into the sub-tier supply chain (suppliers that supply Tier 1 component manufacturers). Having this as a "known unknown" was critical to quickly resourcing a team to investigate key impacts and ramifications in this area and to mitigate where possible.

Communication is crucial. A structured communications plan is, in many ways, just as important as the actual incident response management program. For Cisco, communications is the key interface with customers, who need to have information regarding the status of their orders and an incident's overall impact on the continuity of their order pipeline. Internal stakeholders, including sales, marketing, engineering and the business units that own the P&L, need answers as well. A successful communications program will provide consistent and appropriate messaging in a timely fashion based on what is known from the incident response. Having a dedicated communications team embedded in an incident response program is a necessary element of making communications successful.


CASE STUDY: Managing for Operational Excellence

CASE STUDY

Managing for Operational Excellence: Supply Chain Leadership at DuPont


Based on an interview with Donald Wirth, Vice President, Global Operations, Corporate Supply Chains, DuPont

The processes that guide supply chain resilience are the same ones that guide operational excellence and productivity across the DuPont Production System. They are built on business integration, superior execution and centers for operational competency, which provide best practices, technologies and tools that are standardized and leveraged across DuPont's 13 businesses.

Integrated Operations

- Business Integration: strong supply chain integration within business teams and business strategies
- Execution: drive effectiveness and efficiency in execution in plants and supply chains across businesses and regions
- Operations Center of Competency: ensure organizational capability is in place; standardize and leverage

Deliverables

- Integrated strategies and operational plans
- Advancing core values
- Productivity and asset effectiveness among supply chains
- Capability building: people and organizational development
- Technology ownership and integration along supply chains
- Mindsets and behaviors that foster engagement and superior execution

The goal is to create core processes that are simplified, standardized and sustainable. The supply chain operational centers of competency deploy practices and processes, technologies and models to drive continuous process improvement across regions and business platforms. In the supply chain area, the centers' focus covers both efficiency and risk management. They create standards and the processes to execute those standards, which are then deployed collaboratively with the business units.


Change Management: Talent as an Enterprise Asset


A more than 200-year-old business, DuPont focuses on creating mindsets and behaviors among its workers and managers that enable change. A core insight is that people are simultaneously the key barriers to and the key enablers of the new culture of excellence needed to cope with increased global competition and operational risks.

Mindsets and Behaviors that Foster Engagement and Superior Execution


Unconscious incompetence: Do not know, do not want to know, resist change
Conscious incompetence: Recognize that things are working well, open to change and alternative solutions
Conscious competence: Engage in formal learning processes to acquire new competencies
Mastery: Integrate new competencies so that they become unconscious competencies

When confronted with change, people have a choice. They can either be receptive to alternative solutions, or they can protect the status quo. The challenge that the company is tackling is how to create an environment that encourages a learning choice rather than engenders a defensive response. Half the battle is to create a body of evidence that makes a compelling case for change. Only people who believe that change is necessary are open to learning. If they have not reached that conclusion, they are likely to defend the status quo indefinitely, because it is human nature to resist change. The goal for the company is to create learning and communications opportunities that shift mindsets from unconscious incompetence to mastery.

Principles and Processes for Risk and Crisis Management


Scenarios provide useful tools to test risk readiness and resilience. But it is impossible to accurately predict every possible risk trigger. What matters at the end of the day is not whether you have correctly forecast the right risk scenario, but whether you have a set of processes and skilled people with the capability to respond to whatever comes along. What you should be scoring is not resilience per se, but your processes to manage for resilience.

DuPont's crisis decision making is governed by standing teams, which are charged with handling most aspects of a crisis. For foreseeable events, like Hurricane Irene, the process is very robust. There was a five-day countdown with meetings every day as the path of the hurricane became more certain. Early deployment of satellite phones to key staff at each of the sites, staging of the mobile command trailers and recovery capabilities all happened before the storm approached.


But, a similar collaborative and coordinated decision making process would occur whether the event was foreseeable or not. The crisis decision making process brings together the key stakeholders: plant managers, regional directors, operational excellence, supply chain leaders, sourcing leaders, public affairs, IT and human resources, among others. Each participant has an area or activity for which they are responsible. For example, IT staff lead information and communications continuity planning. Human resources coordinates outreach to DuPont employees to assess their situation. Supply chain manages mitigation plans in the event plants are out of commission. The plant managers focus on mitigation and response plans.

Learning from Katrina: When Prevention Fails


What happened at Fukushima earlier this year was similar to what happened at the DeLisle plant during Hurricane Katrina in 2005. At the DeLisle plant, every piece of wiring and cable that came into contact with sea water had to be replaced, effectively almost all of the equipment in the plant, at a cost of one hundred million dollars over five months. The level of protection had been set at 1969 Hurricane Camille levels and was inadequate to prevent the damage from a Katrina-level storm. Some key differences: the DeLisle plant had been shut down during the hurricane, which helped to contain the environmental impact, while the Fukushima plant was running at full operations when the disaster hit. At Fukushima, the backup power generators were co-located on the ground level with the primary power systems and were destroyed at the same time.

This process is used irrespective of the nature of the crisis. The team of crisis managers comes together, each with specific accountabilities and responsibilities, to discuss options whether preemptive or responsive.

Assuring Supply Chain Resilience


Many people see resilience as belonging to the disaster recovery silo. But supply chain resilience is always a combination of prevention, mitigation and recovery. Prevention is about setting standards to preclude damage or consequences for a specified set of circumstances. Mitigation requires understanding the range of possibilities, and accepting that choices must be made to lessen the impact of an event. Response becomes a mindful activity, adapting to the situation as events unfold.

From a prevention point of view, a company does as much as it can economically afford. Since it is impossible to protect against everything, the first step in risk management is a consequence analysis that helps define the potential impact. Risk managers need to understand potential consequences in order to determine whether the risks mandate a focus on prevention, mitigation or recovery. In general, when a strategy becomes overly focused on prevention rather than consequence management, the challenge becomes infinite and the cost unaffordable.

A first step is to decide the level of protection desired. Will the bar be set by Hurricane Camille or Hurricane Katrina? If the flood surge exceeds that level, mitigation protocols are needed to reduce the impact. Mitigation plans can be implemented pre-emptively (shut down the plant to avoid damage) or they may be executed in the disaster response stage (move pre-positioned mobile command and control trailers into the area to provide power and communications). One of the key tools for supply chain resilience is a communications infrastructure that lets managers locate their human and material assets with precision. Like everything else, it is a process.

Mitigation Protocols During Hurricane Irene


When Hurricane Irene made landfall in North Carolina, DuPont had 19 40-foot mobile trailers staged along the coast, assuring an ability to respond no matter what path the hurricane took. Disaster mitigation processes and plans are governed by very clear goals. The No. 1 goal is to assure the safety and welfare of employees and their families. Hurricane Irene came through on a Saturday night. By Sunday night, DuPont's "I'm OK" system had accounted for the status of all 18,000 employees in the affected region. The company also knew where its people were struggling with power outages.

After people, DuPont's priorities are: 2) protect the environment, 3) restore orderly plant operations, and 4) restore customer deliveries. These principles provide a guidepost for actions in every crisis and disaster response. At DuPont, we believe that if you do not have a cohesive set of principles, it is impossible to make informed choices. In our case, meeting our goals depends on our people. Without them, none of the other priorities can be implemented. It is critical to be very clear about the principles that set priorities, and everyone managing the disaster needs to be clear about that framework. One of the goals of the national preparedness system should be to clearly articulate those principles and priorities for the government.

Tools for IP Protection, Supply Chain Security and Integrity


Quality Assurance/IP Protection: As part of its supply chain risk management, DuPont is careful to perform technology risk assessments. From a trusted source, a manufacturer that lives by the rule of law, DuPont would accept a confidentiality of information/invention agreement. In other parts of the world, that level of trust would not be deemed appropriate. The company may continue to manufacture there, but would be careful about what technology is shared: does DuPont do its own analysis of the materials provided and visually observe the loading of the containers? In other areas, there is no trust at all, and DuPont does not source from those areas. The key piece of intellectual property that is never shared with any supplier is the impurity profile. A supplier may be asked to test materials to a certain point, but will not know exactly what standard DuPont has set.

Security in Transit: When a box is locked, sealed and tracked with RFID tags, supply chain managers raise the level of confidence that the material received is the intended shipment. Active defenses of every shipment would be prohibitively expensive. Instead, the mitigation protocol is to reduce the risk that the container could be accessed and the material contaminated without knowledge of the intrusion.

Counterfeiting: Counterfeiting is a fraud issue, rather than a supply chain security problem. In most cases, buyers are purchasing from unauthorized distributors in pursuit of steep discounts. For example, Romanian counterfeiters put a product into the marketplace that looked like a DuPont product and sold it to farmers in northern Italy, who bought it from an unauthorized dealer at deep discounts. The product not only did not work as advertised, it killed their fields. DuPont works with government law enforcement authorities to prevent counterfeiting and to manage the integrity of its authorized network of dealers and retail outlets.


Proscriptive Versus Prescriptive National Approaches: The U.S. government works differently from governments in other countries. In other parts of the world, the focus is on guidelines, with an expectation that companies will find ways to achieve them most efficiently and effectively. In the United States, the focus is on prevention and regulation. How does this play out in practice? In the quality arena, for example, Europeans embrace processes to manage for quality assurance, similar to ISO 9000. In the United States, the standard is a specified failure rate and complex rules on how to achieve it. A standard that focuses on preventing every risk is different from a standard that describes processes for responding to crises. If you are protecting against everything, you have set an impossible task. If you are managing outcomes, you can focus on specific measures that would prevent or mitigate that outcome.


CASE STUDY

NASA Supply Chain: Maintaining a Vital Space Industrial Base


Based on an interview with Michael Galluzzi, Supply Chain Manager, NASA

In a Nutshell
The National Aeronautics and Space Administration (NASA) faces a significant challenge: not just assuring the security and integrity of the components in the supply chain but, given the hiatus in space operations, assuring that there is a viable industrial base at all. NASA's focus has been on creating new tools to assess how program changes affect the financial liquidity of the supplier base and to map the multi-functional relationships of the lower-tier suppliers in the supply chain. This approach helps catalyze a regional innovation cluster approach to encourage virtual collaboration, advanced manufacturing and shared infrastructure in order to sustain the industrial base for multiple NASA missions. The big-picture approach simultaneously advances manufacturing competitiveness, commonality, inter-agency interoperability, supply chain readiness, technology innovation and security.

NASAs Supply Chain Challenge


From a historical perspective, the last several decades have seen relatively few human space flight programs, with an average of 4.5 shuttle flights per year and a handful of unmanned missions. That was barely sufficient to keep the industrial base viable. The recent cancellation of the shuttle program and the Constellation program, coupled with the economic crisis, creates the risk of a major disruption to the U.S. domestic space industrial base, not just the primes but the lower tiers as well. NASA's challenges include the following:

In the years between the retirement of the shuttle and the beginning of flight operations for new programs, how will the space program's industrial base survive?
What will happen when the next human space flight program needs parts, subsystems and critical spares, but many of the qualified suppliers of space hardware are long gone or have discontinued their product offering?
How can NASA avoid the cost of building and certifying a supplier base?
With such stress on the suppliers, how can quality be maintained? A study of the airline industry demonstrated a direct link between financial health and quality: declines in bond prices shortly began to manifest in quality problems.


NASA supply chain challenges are not limited to the space mission. Initial findings from a 2010 Department of Commerce survey of the NASA human space flight supply chain network indicated that many other government agencies and missions are affected by a decline in the viability of NASA's supplier base.

Definition of Supply Chain Management


For NASA, supply chain management is an integrated, information-driven approach to all aspects of a product's lifecycle at various planetary and interplanetary regions. The approach, which comprises people, processes and technology, is the integration of both information and material between agency organizations that share common support approaches and data architectures. The philosophy is focused on perfect order fulfillment, virtual 3D computer-aided design (CAD) modeling and simulation, agile operations, flexible manufacturing, design-to-order production, and vendor-managed inventories at strategic locations.

Previously, NASA employed two more conventional approaches: integrated logistics support (ILS) and performance-based logistics (PBL). ILS was implemented by the U.S. Army in the early 1970s under Military Standard 1388 and served, for the most part, as the foundation for shuttle logistics. This paradigm takes an inventory-centric approach, using such metrics as mean time between failures, mean time to repair, probability of sufficiency and repair generation rate forecasts, and relies on the prime contractor. However, there is a problem with this approach. In a dynamic engineering environment with frequent design changes and low product demand, chances are good that there will be some obsolete inventory on the shelves and no visibility beyond the Tier 1 supplier level, which increases the risk of counterfeit parts entering the supply chain.

PBL provided a more evolved process, relying on the prime contractor to support operations and sustainment on a fixed-cost basis. PBL was introduced around 1994, at roughly the same time that the commercial off-the-shelf initiative was introduced at the Department of Defense (DoD). Today, without the proper contract language in place, this approach is also dated. But more importantly, it offers limited government oversight. The problem with the PBL approach is that it assumes that the industrial base will remain constant and available.

Newer supply chain management approaches offer a way to share information sources, master data files, CAD systems, materials requirements planning, and supplier relationship management applications, providing a secure information sharing environment within the supply chain and across programs and agencies that protects the intellectual property rights of the supplier.

New Tools/Approaches
PrimeSupplier: The primary function of PrimeSupplier is to identify suppliers that may be negatively impacted from program changes and the resulting viability impact to a supplier or product line. The model identifies a number of risk indicators and creates a risk value for each. These indicators are then integrated into a framework that creates a meaningful and consistent risk value for each supplier. The model captures financial risk indicators (including profit margin and debt-to-equity ratios), operational risk indicators (including perfect order fulfillment, schedule achievement and defects per million opportunities), and supply chain risk indicators (including upstream/downstream information flow and supply chain readiness levels).


The tool was developed to manage the additional risks of manufacturing source and material shortages, and to identify cross-program commonality, potential supplier procurement/contract gaps, and areas for potential pooling of non-recurring program funds required for obsolescence mitigation. See Appendix 1 (page 106) for an in-depth discussion of the tool and its capabilities.

NASA's PrimeMapVSAAM: Initially designed for the Missile Defense Agency, PrimeMapVSAAM (Visual Supplier Analysis and Assessment Modules) is a supplier mapping software application acquired for the purpose of identifying cross-element and cross-program utility and impacts. The application includes:

A geographic and tabular view of the program's supplier base;
A visual representation of supplier relationships based on program and element;
Information from a NASA database;
Congressional district mapping;
Supplier demographics;
Supplier customer diversification; and
Natural disaster visualization.

PrimeMap provides the agency with an industrial base big picture. The application is based on work that was conducted at the Massachusetts Institute of Technology and is currently being applied commercially by Advanced Core Concepts. The tool, which is hosted on a NASA internal server behind a firewall, identifies and maps cross-element suppliers and their multi-functional capabilities to support the agency supply chain. The intent for PrimeMap is to eliminate the search lead time for secondary sources while improving the environment for collaborative interagency demand planning, interoperability, product commonality, and product line viability through strategically planned procurements. Ultimately, the visibility of critical processes and critical vendors that allows for a configurable supply chain will reduce indirect, nonrecurring costs associated with product discontinuance and obsolescence.

Currently, the software provides the following benefits:

The ability to compare supplier quality, performance, and risk across programs and elements;
A mechanism for members of the supply chain to comply with the requirements of ISO 9001:2000 to evaluate supplier performance;
A standardized approach to supplier management and rating that would contribute to the interagency approach by improving communication between the government, prime contractors and lower-tier suppliers;
Uniform supplier performance and utility data to be provided to the Defense Contractors Management Administration;
Resource allocation based on supplier performance; and
The tracking and evaluation of supplier performance trends (this will include sorting by commodities).


See Appendix 2 (page 110) for a discussion of the anticipated capabilities for a second generation of PrimeMapVSAAM.

Virtual Design and Manufacturing Cluster


Finally, the implementation of a Space Commerce Network known as a Virtual Design and Manufacturing Cluster (VDMC) could provide an opportunity to rescue industrial resources in danger of being terminated. The concept is that the burden on the U.S. manufacturing base can be reduced substantially by developing standardized processes for collaborative forecast demand planning, by standardizing agencies' hardware requirements and processes, and by allowing for better visibility of hardware demands. A VDMC is a new manufacturing business model that uses a shared physical and virtual infrastructure (hardware, software, facilities and services) to reduce costs, and uses network-centric technologies and product- and service-oriented architectures to facilitate the smart design, rapid assembly and seamless coordination of dynamic supply chains to accelerate production, reduce costs and mitigate risk. A VDMC is much like the traditional company-focused supplier cities created by Toyota and other large companies to reduce inventory costs and increase efficiencies. A VDMC does the same. However, a VDMC is different from the traditional supplier city in three fundamental ways:

1. Demand aggregation. A VDMC is not driven by the purchasing volume commitments of a single large company. Instead, the demand is aggregated from different buyers, ranging from commercial companies to government agencies. Because the demand is aggregated, buyers that may not have been able to generate enough demand on their own can support the vitality of the industrial base.

2. Infrastructure. VDMC infrastructure is not dedicated to a particular customer's systems. Instead, VDMC infrastructure is a combination of technologies, standards and processes that allow both buyers and suppliers to connect their existing systems to a common backbone. This allows for the sharing of information throughout the supply chain, regardless of disparate software technologies.

The potential impact from this type of manufacturing coordination infrastructure is significant. In addition to reducing the cost for buyers and suppliers to connect, VDMC infrastructure opens the door to new efficiencies: linking suppliers; enabling buyers and suppliers to collaborate on manufacturability issues; and providing visibility into the manufacturing process throughout the supply chain, while also providing visibility to previously unknown sources and capabilities, including gaps in production capability for critical technologies.


3. Shared facilities. Traditional supplier cities typically require suppliers to invest in buildings, equipment, and so on. The large customer behind a supplier city will sometimes contribute land or shared utilities, but most of the cost is borne by the suppliers. A VDMC differs in that it typically has, at its core, buildings already equipped with advanced and expensive manufacturing equipment. These buildings are often made available to regional groups, such as economic development organizations, by large companies or by government agencies that no longer need the facilities. In many cases, economic development organizations have obtained government monies to update these facilities and outfit them with new equipment. These facilities, such as NASA's Michoud Assembly Facility in Louisiana, which is managed by NASA's National Center for Advanced Manufacturing, may already have large, expensive equipment that small- to medium-size manufacturers could not afford on their own. By sharing facilities, many suppliers can capture business opportunities they might not otherwise. Whether available on a time-and-materials basis or as part of a permanent residency, suppliers can leverage this capital-intensive equipment, along with their own, to expand their offerings.

The intent is that manufacturers will have access to shared tooling, an associated workforce, manufacturing training, commercial financing, foreign trade zone benefits, a lower corporate tax base and an advanced-skill labor pool at no upfront direct cost to the small-to-medium enterprises. This approach is intended to strengthen the U.S. aerospace and defense industrial base. From an economic competitiveness point of view, the VDMC model is a tool to revitalize America's manufacturing competitiveness. From a security point of view, the model enables shorter supply chains, more domestic sourcing, and an information-sharing environment with stronger intellectual property protections.
See Appendix 3 (page 112) for a more in-depth look at the VDMC roll-out strategy.


Appendix I: PrimeSupplier
This model, also known as the Galluzzi-SIB Index, determines the economic stability of a program's industrial base as a whole, using the programmatic influences on each individual supplier's economic stability and liquidity posture.

Structure of the Enhanced Model: Overview of Concept


The primary function of PrimeSupplier is to identify suppliers that pose a risk to a program/supply chain. To accomplish this objective, the model must take the data for each risk indicator and convert it into a meaningful risk value. In doing so, the model should consider the relative utility function associated with each risk indicator. Finally, these risk indicators should be integrated in a consistent fashion to generate a meaningful and consistent risk value for each supplier.

Figure 1: Risk Indicators

Financial Risk Indicators


The model includes financial risk indicators for profit margin, debt-to-equity ratio, current ratio, percent NASA revenue, and percent DoD revenue.

Profit Margin. Profit margin is defined as the ratio of net income to total revenue. This metric reflects how much profit is derived from every dollar of total revenue. Profit margins indicate how well a business has managed its operating expenses and can be an indication of whether a business is generating enough revenue to cover minimum fixed costs and still preserve an acceptable profit.


Debt-to-Equity Ratio. Debt-to-equity ratio is another financial risk indicator. It measures the number of dollars in borrowed funds a company has received for each dollar of invested funds. The metric is calculated by dividing the company's total liabilities by the total equity. In general, most U.S. companies will have a debt ratio between 0.40 and 0.60. The debt-to-equity risk indicator utility function would have a curve showing the risk component value increasing as the debt-to-equity ratio approaches 1.0.

Comparing PrimeSupplier Financial Risk Indicators to Publicly Reported Metrics. The U.S. Census Bureau collects financial data on industry sectors and reports the results on a quarterly basis in the Quarterly Financial Report.

Operational Risk Indicators


Operational performance risk indicators include indicators for perfect order fulfillment (POF), order fulfillment cycle time (OFCT), schedule achievement, first-pass yield (FPY), and defects per million opportunities (DPMO).

Perfect Order Fulfillment. POF is defined in the supply chain operations reference (SCOR) model as the percentage of orders meeting delivery performance with complete and accurate documentation and no delivery damage. SCOR is a process reference model that has been developed and endorsed by the Supply Chain Council as the cross-industry standard diagnostic tool for supply chain management. SCOR enables users to address, improve and communicate supply chain management practices within and between all interested parties. The POF is calculated by dividing the total number of perfect orders by the total number of orders. An order is considered perfect when the original commitment made to the customer is met. As the measured historical order fulfillment decreases, the risk of future orders not being fulfilled as committed increases.

Order Fulfillment Cycle Time. According to the SCOR model, OFCT is the average actual cycle time consistently achieved to fulfill customer orders. In the PrimeSupplier model, the OFCT is evaluated by comparing the actual total OFCT to the required total OFCT.

Schedule Achievement. Another operational risk performance indicator is schedule achievement, which measures, as a percentage, how well a company adheres to its targeted production schedule. Schedule achievement is calculated by dividing the number of scheduled end items produced to schedule by the total number of end items produced.

First-Pass Yield. An additional operational metric that measures quality production performance is FPY, which measures the ability of the company to manufacture a product correctly the first time. A low FPY is an indication of poor quality, which increases the probability of defective products and creates diversions from the nominal process flow. These off-nominal activities usually result in longer lead times, increased costs and late deliveries. As one might expect, as the FPY value decreases, the risk component value increases.

Defects Per Million Opportunities. A final operational risk indicator is DPMO, which is the number of defective parts divided by the total number of opportunities, multiplied by 1,000,000.


Supply Chain Risk Indicators


Supplier-Specific Supply Chain Management Assessments. Supply chain management risk indicators gauge a supplier's ability to function effectively with other suppliers and customers within a program or supply chain. The PrimeSupplier model considers risk indicators computed from supplier-specific assessments that evaluate supply chain management capabilities in two areas:

1. Intercompany information flow (CCC = communication, collaboration, coordination): supply chain intercompany information flow capability, as measured by a modified CCC assessment.

2. Supply chain management practices (SCRL): assessment of supply chain practices, as measured with a modified SCRL qualification assessment.

CCC Model Assessment. In the case of intercompany information flow, the CCC assessment evaluates the supplier's practices and capabilities related to upstream and downstream information flow and collaboration. There are four primary categories of information (see Figure 2) that must be shared between suppliers and customers. In addition, the assessment considers the types of information that flow both from supplier to customer and from customer to supplier.

Figure 2: Intercompany Information Flow Model


The assessment evaluates the practices related to the information flow for each of the categories, resulting in a composite CCC score that reflects the potential for the supplier to perform at a high level in communication, collaboration and coordination. As an additional method of evaluating risk associated with supply chain practices, the SCRL model can be used to assess supply chain management practices. The SCRL model allows any supply chain to be assessed based on proven characteristics required for flexibility, agility, viability and sustainability.

Risk Measurement Calculation. Figure 3 illustrates how the model is used to calculate the total risk measurement value:

Total Risk Measurement Value = Financial Risk Category + Operational Risk Category + Supply Chain Risk Category

Figure 3: Risk Score Components
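The score structure described in this appendix, worked through as an added example that is not NASA's PrimeSupplier code: each indicator from the Financial, Operational and Supply Chain sections is mapped to a 0..1 risk component by a utility function, the components are combined per category, and the three category values are summed. The utility-function shapes, the averaging within a category, the 50,000-DPMO full-risk point and the two supplier records are assumptions constructed for this example.

```python
# Added worked example of the PrimeSupplier risk-score structure described above;
# not NASA's code. Indicator definitions follow the text. The utility-function
# shapes, equal weighting within a category and the 50,000-DPMO full-risk
# point are assumptions made for this example.
from statistics import mean


def clamp(x, lo=0.0, hi=1.0):
    return max(lo, min(hi, x))          # risk component: 0 = no risk, 1 = full risk


# Financial risk indicators.
def risk_profit_margin(net_income, revenue):
    margin = net_income / revenue              # text: net income / total revenue
    return clamp(1.0 - margin / 0.10)          # assumed: >=10% no risk, <=0% full risk


def risk_debt_to_equity(total_liabilities, total_equity):
    ratio = total_liabilities / total_equity   # text: total liabilities / total equity
    # Text: typical ratio 0.40..0.60, risk rising toward 1.0; assumed linear ramp.
    return clamp((ratio - 0.40) / 0.60)


def risk_current_ratio(current_assets, current_liabilities):
    ratio = current_assets / current_liabilities
    return clamp(2.0 - ratio)                  # assumed: 2.0+ no risk, <=1.0 full risk


def risk_program_dependence(share_of_revenue):
    # For "percent NASA revenue" / "percent DoD revenue": assumed that exposure to
    # program changes grows with the share of revenue coming from that agency.
    return clamp(share_of_revenue)


# Operational risk indicators.
def risk_pof(perfect_orders, total_orders):
    return clamp(1.0 - perfect_orders / total_orders)     # lower POF -> more risk


def risk_ofct(actual_days, required_days):
    # Actual total OFCT against required; assumed full risk at twice the requirement.
    return clamp((actual_days - required_days) / required_days)


def risk_schedule_achievement(items_on_schedule, items_produced):
    return clamp(1.0 - items_on_schedule / items_produced)


def risk_fpy(first_pass_good, units_started):
    return clamp(1.0 - first_pass_good / units_started)   # lower FPY -> more risk


def dpmo(defects, units, opportunities_per_unit):
    """Defects per million opportunities, as defined in the text."""
    return defects / (units * opportunities_per_unit) * 1_000_000


def risk_dpmo(defects, units, opportunities_per_unit):
    return clamp(dpmo(defects, units, opportunities_per_unit) / 50_000)


# Supply chain risk indicators: CCC and SCRL assessment scores out of a maximum.
def risk_assessment(score, max_score):
    return clamp(1.0 - score / max_score)


def category_scores(s):
    """Per-category risk for one supplier record (dict of raw figures); averaged."""
    financial = [
        risk_profit_margin(s["net_income"], s["revenue"]),
        risk_debt_to_equity(s["liabilities"], s["equity"]),
        risk_current_ratio(s["current_assets"], s["current_liabilities"]),
        risk_program_dependence(s["pct_nasa_revenue"]),
        risk_program_dependence(s["pct_dod_revenue"]),
    ]
    operational = [
        risk_pof(s["perfect_orders"], s["total_orders"]),
        risk_ofct(s["ofct_actual_days"], s["ofct_required_days"]),
        risk_schedule_achievement(s["items_on_schedule"], s["items_produced"]),
        risk_fpy(s["first_pass_good"], s["units_started"]),
        risk_dpmo(s["defects"], s["units_started"], s["opportunities_per_unit"]),
    ]
    supply_chain = [risk_assessment(s["ccc_score"], 100),
                    risk_assessment(s["scrl_score"], 100)]
    return {"financial": mean(financial), "operational": mean(operational),
            "supply_chain": mean(supply_chain)}


def total_risk(s):
    """Total Risk Measurement Value = Financial + Operational + Supply Chain (0..3)."""
    return sum(category_scores(s).values())


def rank_suppliers(suppliers):
    """Supplier names ordered highest total risk first."""
    return sorted(suppliers, key=lambda n: total_risk(suppliers[n]), reverse=True)


# Constructed sample records for two fictional suppliers.
SUPPLIERS = {
    "Acme Harness": dict(
        net_income=1_200_000, revenue=10_000_000, liabilities=4_000_000, equity=10_000_000,
        current_assets=3_000_000, current_liabilities=1_500_000,
        pct_nasa_revenue=0.10, pct_dod_revenue=0.20, perfect_orders=98, total_orders=100,
        ofct_actual_days=30, ofct_required_days=30, items_on_schedule=95, items_produced=100,
        first_pass_good=990, units_started=1000, defects=25, opportunities_per_unit=50,
        ccc_score=85, scrl_score=90),
    "Orbit Castings": dict(
        net_income=-500_000, revenue=5_000_000, liabilities=9_400_000, equity=10_000_000,
        current_assets=1_100_000, current_liabilities=1_000_000,
        pct_nasa_revenue=0.70, pct_dod_revenue=0.10, perfect_orders=80, total_orders=100,
        ofct_actual_days=45, ofct_required_days=30, items_on_schedule=70, items_produced=100,
        first_pass_good=900, units_started=1000, defects=1000, opportunities_per_unit=50,
        ccc_score=50, scrl_score=40),
}

if __name__ == "__main__":
    for name in rank_suppliers(SUPPLIERS):
        print(f"{name:15s} total={total_risk(SUPPLIERS[name]):.3f}", category_scores(SUPPLIERS[name]))
```

With these constructed records the healthy supplier scores about 0.20 and the stressed one 1.57, so the ranking surfaces the supplier whose liquidity and delivery performance a program office would need to examine first.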


Appendix 2. PrimeMapVSAAM Version 2.0: Anticipated Capabilities


PrimeMapVSAAM v2.0 will include extended user drill-down of supply chain data such as:

- Total employees
- Contract dates
- Cross-agency utilization/identification
- Capabilities
- Manufacturing capacities
- Performance data
- Qualification data
- Government Industry Data Exchange Program alerts

Supplier Performance and Qualification


PrimeMapVSAAM v2.0 will:

- Allow personnel across the enterprise to see the impact of breakdowns in supplier performance or qualification on individual products, product lines, and the enterprise.
- Provide an accessible area to conduct performance and qualification reviews, pulling information from various locations within the enterprise into a single location with consistent displays.
- Provide the capability to host current internal assessment tools, with the ability to create and archive information that will be available enterprise-wide.
- Give access to supplier performance and qualification information as stand-alone information or in context with other assessments such as program, product line, and enterprise affiliation.
- Combined with other optional data sets, support capabilities such as supply chain flow paths and contract relationship assessment, to provide insight into the potential disruption that can take place if a supplier underperforms or loses a critical qualification.
- Allow users to view the performance data for a supplier, a supplier sector, a product, a product line, or the entire enterprise.
- Enable drill-down to identify the root cause of performance issues.
- Generate reports for use in preparing decision support materials.

Supplier Capabilities Search


A Supplier Capabilities Search allows users to identify suppliers based on capabilities and business classifications. To initiate a search, users enter search terms reflecting the desired capabilities, and the application returns a list of suppliers with those capabilities. The list is rank-ordered by the relevancy of the search terms to each supplier's capabilities. The application will also allow users to limit the list of suppliers by classification, e.g., Service Disabled Veteran-Owned Business, 8(a), Small Disadvantaged Business, etc. The application will also provide:

- Links to the supplier's website
- Available supplier contact information (email, phone number, address)
- Supplier's Small Business Administration (SBA) status (both self-identified and SBA validated)
- Supplier's Veterans Affairs (VA) status (both self-identified and VA validated)

Appendix 3. VDMC Development: A Commercial Approach to Organically Develop a Regional Innovative Manufacturing Cluster
The U.S. government market consists of many departments and agencies purchasing billions of dollars' worth of various types and quantities of hardware and services. During FY 2011, the following were the top five agencies by U.S. dollars obligated for system components (per the Federal Procurement Data System):

1. Department of Defense, $366 billion;
2. Department of Energy, $25 billion;
3. Department of Health and Human Services, $18 billion;
4. Department of Veterans Affairs, $15 billion; and
5. National Aeronautics and Space Administration, $15 billion.

The Department of Commerce's Economic Development Administration and the Washington-based non-profit Council on Competitiveness, in conjunction with private industry, are considering expanding current National Digital Engineering and Manufacturing Consortium project activity to the southeast region of the United States by coalescing a small- and medium-sized manufacturing cluster, or Virtual Design and Manufacturing Cluster (VDMC), dedicated to:

- Stimulating the U.S. manufacturing industry for all USG system hardware with commercial application.
- Providing a resilient, traceable and viable supply chain for active or obsolete product still required for USG systems.
- Ensuring emerging technologies and research with multiple applications, e.g., smart grid.
- Certifying manufacturing sources as viable sources of products or services to the U.S. government.
- Establishing 3D modeling and simulation capabilities and standards within the aerospace and defense industrial base.

CASE STUDY: Verizon

CASE STUDY

Verizon: Building Security into the Network


Based on interviews with Henry Shiembob, Executive Director, Cyber Security and Fraud Operations; James McConnell, Director of Security; and Marcus Sachs, Vice President, National Security Policy. September 2011 and January 2012.

Verizon is more than just a phone company. Operating in more than 150 countries, it is a network owner and operator, systems integrator, and global purchaser. Its supply chain runs the gamut from wireless testing equipment to mobile devices to the purchase of millions of miles of fiber-optic cable. One of Verizon's many supply chain security priorities is to assure the security of the network and the devices connected to it, while also maintaining the integrity of the services required to maintain the network and of the revenue-generating services riding on it.

The Business Case for Supply Chain Security and Resilience


Supply chain resilience is one of Verizon's many business objectives. Cutting back on supplier assessments or failing to perform independent verification and validation would certainly cut costs; however, Verizon understands that cutting corners also cuts reliability, which is the cornerstone of its competitiveness. Verizon maintains a private and public infrastructure, and customers have choices about which communications infrastructure to use. Verizon's network must be resilient in order to retain the company's customer base; failure of the network is not an option.

Verizon prioritizes network resilience, rather than price alone, in managing its supply chain. For example, given a choice between paying $1,000 or $10,000 for a piece of network equipment, Verizon will not always choose the cheaper option. The $1,000 piece of equipment might use stolen intellectual property, essentially being a copy of a $10,000 piece of equipment patented in the United States, or its reliability may be low.

Supply chain resilience and security are linked. On 9/11, for example, Verizon's communications infrastructure kept operating under extreme conditions. When one of the hijacked aircraft crashed into the Pentagon, it landed on top of one of the two communications points of presence (PoPs). The switches, which were located only a few floors below the point of impact, kept operating despite the fires, leaking jet fuel, and water. This kind of resilience cannot be obtained without focused attention to the quality, integrity, and security of the components in the supply chain.

Communications networks are designed to withstand or recover from a spectrum of disasters, a mindset that goes back to the Cold War. With a demand for high uptime, the communications network keeps working during most types of emergencies, including floods, fires, earthquakes, and hurricanes. It works because of Verizon's workforce and the company's ongoing focus on its supply chains. Verizon's view of the supply chain goes beyond procurement, maintenance, and disposal; it views the supply chain as an important part of the reliability and performance of the network and supported services.

Supply Chain Security Good Practices


For Verizon, cybersecurity is not just a technology problem. Many non-cyber business practices need to be implemented to assure cybersecurity, including knowing who the company is doing business with, knowing the ownership and location of contractors and subcontractors, and ensuring validation of and compliance with contract terms and conditions. These supply chain processes are just as important as testing the quality and security of devices when they arrive from manufacturers. Verizon implements numerous security processes that help manage cyber risks in the supply chain, including the following:

Vendor Controls: Security processes are embedded into supply chain processes, from the selection of appropriate vendors and locations, to the completion and delivery of products or services, to the turndown of the relationship. Prior to any contractual agreement, prospective Verizon suppliers are scrutinized on criteria such as ownership and location; links to foreign countries; and red-flag violations, including export controls. Verizon uses its own intelligence and public information to review suppliers.

Internal Clearance Processes: Verizon conducts an additional internal clearance process on prospective vendors to make sure that the business relationship is in compliance with all legal and regulatory imperatives, as well as all security priorities. This process includes background checks, export control statements, requirements for off-shoring or outsourcing notification and approval, disclosure of baseline security for handling data, and other clearance requirements, including assessments of physical and cyber controls.

Risk Prioritization: Verizon prioritizes these assessments both by ranking the criticality of components and by the assurance levels desired for suppliers that have access to Verizon data, products, or systems. Many of the major components are purchased from key vendors that are within a trusted category and face restrictions on where products can be developed and manufactured, as well as where services may be performed. For certain relationships, Verizon contractors are required to list their subcontractors.

Assessments of High-Priority Vendors: Verizon also performs on-site reviews of high-priority vendors to ensure that they are complying with requirements and meeting appropriate security practices. Verizon employs on-site inspections and audits for these reviews, because there is concern that questionnaires may create a false sense of security. Vendors often give the answer that they think their customers want to hear, or describe what the vendor believes is in place. Experience has shown that questionnaire answers rarely match up to the findings of on-site inspections.

Anti-Counterfeiting Efforts: There is a growing problem with counterfeit goods, which introduce potential risks when they connect to the Verizon network. Federal agencies estimate that 10 percent to 11 percent of the global electronics supply chain is counterfeit: everything from iPads and iPods to routers, switches, and heavy machinery. A circuit card that would normally cost $1,000 might be discounted by a licensed re-seller to $700-800 wholesale. But when that product is offered as brand new for $99 on an auction site, there is no way it is genuine. There is no way to stop a customer from going online and buying a fake or modified phone. However, Verizon's own procurement processes, strong relationships with suppliers, and other technical controls lower the risk of counterfeit products being used in its environment or entering its supply chain. To further understand the vulnerabilities in its supply chain, Verizon maintains a rigorous independent verification and validation program.

Security Controls: Verizon also employs other detective controls, including supply chain fraud analytics, supply chain link analysis, supply chain mapping, and supply chain security awareness.

CASE STUDY: HP

CASE STUDY

HP: Mature Business Processes for End-to-End Supply Chain Security


Based on interviews with Robert Moore, Vice President, Global Security Services; and Fred Smith, Director, Supply Chain Global Security Group Programs & Supply Chain

Supply Chain by the Numbers


HP has one of the industry's most extensive supply chains: more than 1,000 production suppliers (responsible for product materials, components, manufacturing and distribution services) in more than 1,200 locations; 450 supply chain nodes; and a billion customers worldwide. HP ships more than 60 million computers, printers and servers every year, approximately 3.5 products every second. HP views the supply chain as a competitive differentiator. The company takes an end-to-end view of supply chain management, from manufacturing to distribution, and everyone in the company is expected to be actively engaged in managing supply chain risk in some capacity.

Continuous Crisis Management, Continuity and Contingency Planning


Given its global footprint, HP maintains significant risk and crisis management capabilities. In 2011 alone, the company faced drought, floods, tornados, earthquakes, hurricanes and protest demonstrations, and that was just in the United States. On the international front, a quick survey of the headlines included crises ranging from civil unrest in the Middle East, a devastating earthquake in New Zealand, a series of disasters in Japan, a state of emergency in Bahrain, financial crisis in Greece, and attacks in India and Norway, followed by typhoons in the Philippines and flooding in Thailand. According to the chief security officer: "No global company can take time off when it comes to crisis management and business continuity planning."1

HP takes an enterprise-wide, all-hazards approach to risk management because it is impossible to anticipate every crisis, and that is particularly true for supply chain disruptions. In an era of volatility, HP sees no substitute for effective planning. When the 9.0 magnitude earthquake struck the northeast coast of Japan on March 11, 2011, HP's team was activated within an hour. A war room was set up from which every supplier in Japan, including sub-suppliers, was contacted; alternative sources for constrained parts were identified; and daily updates and triage were managed. This kind of competency comes from preparation and communications. Additional impetus for supply chain management came from the 2011 floods in Thailand, which created a worldwide shortage of hard disk drives and continued to affect HP's computer and server sales in the first quarter of 2012.

1 Priorities for America's Preparedness: Best Practices from the Private Sector. U.S. Resilience Project. http://www.usresilienceproject.org/reports.html.

Supply Chain Risk Management


Far from minimizing investment in supply chain risk management, HP spends roughly $60 billion annually, or nearly half of its total sales, in support of its supply chain. Every year, the company conducts a supply chain mapping process to identify the most critical first- and third-party exposures. It regularly exercises supply chain continuity plans and emergency response capabilities in table-top drills. It also convenes an annual Suppliers Summit, bringing together more than 500 representatives from 150 suppliers, to share vision and priorities. HP encourages its supplier base to adopt supply chain practices as well as technology solutions, and early resistance has turned into a standard part of doing business for most suppliers. Security programs tend to differ based on product, country and regional risks; HP suppliers have adopted much more stringent security measures in higher-risk areas. HP conducts about 100 audits of its supply chain partners every year, with follow-up action to ensure that corrective measures are implemented. Sites are selected for audit based on product value, volume and risk.

Mature Business Processes Support Supply Chain Risk Management


Supply chain security begins with a set of rigorous business processes and controls. More rigorous controls evolved in lock step with globalization. Twenty years ago, supply chain executives had more hands-on control, when manufacturing and warehousing were done in-house. The globalization of manufacturing and distribution networks necessitated more organized business processes to combat corruption, quality issues and theft. There are many processes in place to create confidence in the materials being sourced, the quality of the manufacturing process, the security of products in shipment, and end-of-life disposal. In recent years, some new issues have emerged that have increased the scrutiny of supply chain controls, including cybersecurity, hi-tech counterfeiting, and social and environmental responsibility in the supply chain.

Cybersecurity: The visibility of cybersecurity issues and the scale and scope of the response are increasing, and HP customers want to know that HP is managing the risk. There are two aspects to cybersecurity. On the supply chain side, the maturity of existing business processes and controls can go a long way toward securing the cyber supply chain. HP's initiatives to secure the manufacturing process against firmware or malware, regular testing, and its anti-cargo theft and anti-counterfeiting programs reduce the risk of malicious insertion of compromised or counterfeit components through its supply chain. Although supply chain security and resilience processes are mature, the standards to secure cyberspace are still in development. HP is working with other industry members in co-developing a set of secure practices as part of the Open Group Trusted Technology Forum.

Cargo Security: HP shipping requirements include the seven-step container inspection process for all shipments to the United States. All seal variances are reported and investigated. There is a global reporting process for compromised freight. Overall, industry experts suggest that $40 billion a year is lost to cargo theft worldwide, and high-tech electronics are one of the most popular targets. HP uses various GPS satellite-type technologies to track products in transit, particularly by truck or rail. Covert GPS units monitored by third-party security companies send out pings on a regular basis that allow law enforcement officials to track and recover stolen goods. For ocean containers, HP typically uses physical security methods, such as high-security or bar-lock seals. High-value shipments that are vulnerable to theft are accompanied by a variety of protective security measures, from security escorts to covert tracking of the tractor, the trailer and the product itself.

Counterfeiting: Counterfeiting is a significant concern for HP in an industry in which it is estimated that as many as 10 percent of products are counterfeit. The International Anticounterfeiting Coalition estimates that brand holders lose approximately $600 billion of revenue annually due to counterfeiting.2 HP is leveraging technology solutions, particularly in the printing and imaging areas, to reduce losses from counterfeiting and achieve a loss ratio that is well below the industry average. HP links printing innovation with QR codes that users of mobile devices can scan to check whether the product is genuine. A relatively simple approach is to have a particular set of numbers, bars or other kind of code printed in several places on the package. A more technical approach is to duplicate the overt code in infrared or ultraviolet ink, which is invisible unless viewed under IR or UV lamps. Comparison of the overt and covert codes determines whether the product is authentic.

With variable data printing, it is now possible to give each item, case and packet its own unique code. Variable printing makes it possible to compute a set of non-linear unique codes ahead of time, which makes it difficult for counterfeiters to identify a sequence of numbers. For the future, a new technology will be smart packaging, in which the package itself is imprinted with electro-conductive ink. Such inks can be charged in different ways and contain unique information that can only be decoded when passed through a reader. This will help drive security at the digital front end.3
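The overt/covert code scheme described above, as an added example that is not HP's code: the overt code is a keyed MAC of the item's serial number, so a print run yields pre-computed codes with no guessable sequence; the covert code (the one printed in IR/UV ink) is a keyed MAC of the overt code; and a field scan compares the two and flags an overt code seen twice, which suggests a cloned label. The keys, alphabet and code lengths are constructed assumptions for this example.

```python
import hashlib
import hmac

# Constructed demo keys (an assumption of this example); production keys
# would be generated randomly and held in an HSM or key vault.
OVERT_KEY = b"constructed-overt-key"
COVERT_KEY = b"constructed-covert-key"

# Human-readable alphabet without 0/O and 1/I, which are easy to confuse.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
OVERT_LEN = 12   # assumed length of the visible code
COVERT_LEN = 8   # assumed length of the hidden (IR/UV) code


def _to_code(digest: bytes, length: int) -> str:
    """Map the first `length` bytes of a MAC digest into the print alphabet."""
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def overt_code(serial: int) -> str:
    """Visible code for one item: a keyed MAC of the serial number, so
    consecutive serials yield unrelated codes and seeing a few codes does
    not reveal the numbering sequence."""
    mac = hmac.new(OVERT_KEY, serial.to_bytes(8, "big"), hashlib.sha256)
    return _to_code(mac.digest(), OVERT_LEN)


def covert_code(overt: str) -> str:
    """Hidden code derived from the overt code with a second key; copying
    the visible code alone does not produce it."""
    mac = hmac.new(COVERT_KEY, overt.encode("ascii"), hashlib.sha256)
    return _to_code(mac.digest(), COVERT_LEN)


def issue_batch(first_serial: int, count: int) -> dict:
    """Pre-compute the overt -> covert pairs for a print run, checking that
    every overt code in the run is unique before anything is printed."""
    pairs = {}
    for serial in range(first_serial, first_serial + count):
        ov = overt_code(serial)
        if ov in pairs:
            raise ValueError(f"overt code collision at serial {serial}")
        pairs[ov] = covert_code(ov)
    return pairs


def scan(overt: str, covert: str, seen: set) -> str:
    """Field check of one package. Returns one of:
       'counterfeit' - covert code is not the keyed derivative of the overt code
       'duplicate'   - consistent pair, but this overt code was already scanned,
                       which suggests a cloned label
       'genuine'     - first sighting of a consistent pair"""
    expected = covert_code(overt)
    if not hmac.compare_digest(expected, covert):
        return "counterfeit"
    if overt in seen:
        return "duplicate"
    seen.add(overt)
    return "genuine"


if __name__ == "__main__":
    batch = issue_batch(1000, 3)       # constructed print run of three items
    seen_codes = set()
    for ov, cv in batch.items():
        print(ov, cv, scan(ov, cv, seen_codes))
```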

2 Richetto, David. Advanced Security Prevents Counterfeit Products. Electronics Design, Strategy, News. November 3, 2011. http://www.edn.com/article/519756-Advanced_security_prevents_counterfeit_products.php.
3 Firth, Simon. Fighting Fakes. March 2006. http://www.hpl.hp.com/news/2006/jan-mar/fake.html.

Supply Chain Transparency for Social and Environmental Responsibility


HP has an aggressive program to monitor the social and environmental conditions in its supply chain. It was the first electronics company to publish a list of its suppliers, representing more than 95 percent of HP's procurement expenditures for materials, manufacturing and assembly of HP products all over the world. The list includes contract manufacturers, electronic manufacturing service providers, and original design manufacturers, as well as commodity suppliers. HP has set key performance indicators for suppliers and evaluates their performance through self-assessments and on-the-ground audits. This level of transparency gives HP the capability to assess issues in its supply chain, such as excluding purchases of conflict minerals.

Integrating Supply Chain Risk Management


With complex supply chains, one group cannot manage all risks. At HP, efforts are underway to strengthen communications and cooperation to manage end-to-end supply chain risks. Currently, the supply chain security (including anti-counterfeiting), cybersecurity, and business continuity functions are all in the same organization and work closely together. These units, in turn, work closely with the logistics function and business units. Supply chain security and logistics functions meet at least weekly to review joint initiatives and operational concerns.

CASE STUDY: Securing Information on the Smart Grid

CASE STUDY

Securing Information on the Smart Grid: Telvent Supply Chain Best Practices
Based on an interview with Jeff Meyers, Director for Smart Grid Sales, Telvent. February 7, 2012.

Telvent is an information technology company that specializes in real-time data collection and monitoring systems and operational tools to transform data into actionable information. One of its key business areas is smart grid applications and tools. Telvent applications are in use in engineering and operations departments at more than 550 utilities in North America and around the world. From core geospatial network modeling and management, to real-time analytics and control, Telvent builds software to enable the smart grid.

Best Practices in Software Development


Telvent develops software and protects it through a common set of security practices that are appropriate and consistently implemented, and through people who are vetted for capability and experience, as well as for potential malicious intent. Across its diverse product lines, from GIS systems to outage models, Telvent's programmers manage approximately 3-3.5 million lines of code. Telvent uses Agile software development, a methodology based on iterative and incremental development and collaboration between cross-functional teams. The Agile approach offers competitive advantages in terms of adaptive planning and flexible response to change, but it has some built-in security safeguards as well. Coders work in pairs for actual programming tasks. On the surface, any attempt to build disruptive or malicious functionality (malware) into the code would require at least two people working in tandem. In fact, even a coding pair could not succeed in delivering code with embedded malware. The methodology dictates that teams never build anything that takes longer than two and a half weeks (a sprint), which could be anything from a couple of hundred to a couple of thousand lines of code. Each sprint involves at least one code review, during which members of the team walk through each other's code. Functionality is tested at the end of each sprint against vetted requirements by a QA specialist assigned to the team. To introduce malware into an application in an Agile system would likely require the complicity of everyone on the subteam, approximately four to eight members, including the product owner, a senior programmer with both management and coding skills.

Best Practices in Software Testing


A second level of security is attained during the testing process. Every software development organization tests. At Telvent, however, this is not a separate activity after the product development is complete. Testing is built into the development process from requirements validation, to unit testing for each sprint, to production testing for each software release. Once during each release cycle, each project team takes a one-day break in the coding cycle to stress test. This exercise, called SWAT (Software With A lot of Testers), takes place at a known date prior to release and is an all-hands-on-deck exercise in which all programmers stop coding and start testing, looking not only for quality bugs but security issues: holes, places in the code with a single sign-on, hard-coded paths, legacy protocols, anything that creates or increases the threat surface. The rewards are geared toward finding and learning from mistakes, and there are prizes for those who find the most bugs and the most significant security threats. Beyond human testing, Telvent uses machine-based automated testing scripts for highly complex scenario testing, as well as for regression testing. Automated testing is particularly valuable when used to evaluate the impact of newly released code on legacy applications. Machine-based testing can simulate multi-user conditions and highly repetitive tasks. While not specifically able to sniff for malware, automated test scripts can discover functional anomalies based on repetitive use conditions that can be base triggers for malware such as Trojan horses or other kinds of disruptive functions.

Best Practices in Software Design


Smart grid technology itself is often seen as a potential security problem because it opens utility grids to many potential penetration points, including the Internet. A smarter grid requires integration among systems that have traditionally been isolated, further extending the threat surface. But applying standardization and interoperability principles can increase the security of the smart grid. Standard architectural patterns and standard integration techniques make it possible to create great efficiencies, but they also enable operators to identify anomalies more easily. Telvent adheres to key architectural principles that enable the company to design in, rather than add on, security. By adopting a standard reference architecture, such as Microsoft's Smart Energy Reference Architecture, vendors can ensure that the integrated environment is built upon a foundation that has been designed with cybersecurity as a key requirement. Further, sticking to industry integration standards, such as the Common Information Model, allows for predictable integration with systems and devices beyond those delivered by a single vendor. Standard integration practices reduce customized code, a key failure point and a critical opportunity for cyber threats. Finally, solid architecture allows for the straightforward embedding of intrusion and malware detection and tamper-proofing tools that are built to provide internal security.

The most secure software products must eventually leave the development shop and be implemented in the real world of grid modernization. Implementation means that grid management software must touch and be touched by legacy systems and external devices with varying levels of security design and management tools. By adopting a standard architecture and using standard integration techniques, the threat surface from these external factors is significantly reduced.

Gaps and Ongoing Improvements


No software product or system is 100 percent foolproof, and even the best development methodologies have room for improvement. Among the most crucial issues and key areas of concentration for Telvent are:

- Harmonization of methodology and security practices. Most modern software is not built in a single physical location, and Telvent is no exception, with development teams at two North American locations and one European location. Although each team uses its own consistent practices, harmonizing those across all teams would enhance overall security.
- Securing implementations. Grid management software must be implemented in the real grid. Implementation teams often consist of both vendor and utility staff with varying backgrounds, capabilities, and degrees of vetting. Internal utility IT teams may have existing practices or methods that must be harmonized with the vendor's to ensure consistency and close gaps in security.
- Ongoing surveillance of implemented technology. Delivering a system in a secure fashion does not guarantee that it will remain so indefinitely. Telvent uses strong-naming and code signing techniques to ensure tamper protection, but it and its clients could do more to ensure that patches, upgrades, and new integrations do not compromise system security.
- Future deployments using cloud computing technology. Most Telvent clients report that cloud computing is not currently an attractive option for mission-critical grid management applications. However, there is still work to be done to ensure that any cloud deployments that may touch or impact grid management tools are properly vetted, and that any future applications are designed with the rigor of system-based platforms.

FROM THE UTILITIES: Appendix A

FROM THE UTILITIES

Appendix A: Sample Guidelines for Supplier Cyber Security

- Require Vendor/Contractor to ensure they have updated their System Development Life Cycle (SDLC) to address emerging cyber security vulnerabilities. This should be done by adapting to the SANS Top 25 Most Dangerous Programming Errors or the OWASP Top 10 Project.
- Require Vendor to certify that their code is scanned for vulnerabilities with a continuously updated scanning tool, to keep abreast of new vulnerabilities.
- Require additional code written onsite by Vendor/Contractor to adhere to the same standards used for the delivered package.
- Require Vendor/Contractor to notify Company promptly when vulnerabilities are found in their product. Publication of a vulnerability by US-CERT is a good trigger for this requirement. It is best to specify in the contract how quickly notifications and remediation plans will be provided.
- Require Vendors/Contractors to allow Company to apply security-related patches and updates to servers hosting Vendor/Contractor software and to ensure continued functionality. This applies to servers within the Company's network.
- Forbid any connectivity to Company networks not explicitly provided for in the Vendor/Contractor contract.
- Forbid any connectivity without execution of a Confidentiality and Non-Disclosure Agreement.
- Limit remote access by Vendor/Contractor to a predefined Virtual Private Network (VPN) solution. Do not allow the VPN to be configured for split tunneling.
- Minimize Vendor/Contractor access rights to only the portions of their product they are supporting. If administrative access is required, it should not extend beyond specific system hosts.
- When Vendor/Contractor is required to connect to the Company network, require that the computers they connect with have the latest operating system security patches/updates and the latest anti-virus/malware signatures.
- Require Vendor/Contractor to use a unique set of login credentials for each of its individual employees. Forbid login credential sharing.
- If Vendor/Contractor's support efforts require them to connect their computers to the Company's network, then they should be required to demonstrate that those computers have the latest operating system security-related patches/updates and the latest anti-virus/malware updates.
- Require Vendor/Contractor to submit to any ad hoc scans deemed prudent by Company.

www.usresilienceproject.org

125

Securing the Smart Grid Workshop

Data interfaces to be created as part of the Vendor/Contractor-provided system should be required to have encryption and authentication (strong authentication when possible).
Vendor/Contractor must obtain explicit management approval before using removable media to transfer any data files to the Company network. A manual anti-virus/malware scan must be performed on the removable media before insertion into a network-connected computer.
Files containing Company information must be transferred using encrypted file transfer techniques.
Vendor/Contractor must agree to abide by all Company Information Security Policies while connected to Company networks.
Vendor/Contractor must agree to maintain current anti-malicious-code mechanisms for the environment they are hosting. This should include security-related patches/updates for operating systems, anti-virus/malware systems, and other security-related patches/updates for relevant software such as Relational Database Management Systems (RDBMS). Require Vendor/Contractor to guarantee update promptness.
If access to the hosted product requires the use of a third-party product such as a web browser, then Vendor/Contractor must ensure compatibility with that third-party product when security-related patches/updates are applied. Vendor/Contractor should guarantee promptness.
Require Vendor/Contractor to conduct background checks of all its employees.
Require Vendor/Contractor to perform periodic cyber security awareness training for its employees.


U.S. Resilience Project

FROM THE UTILITIES: Appendix B

FROM THE UTILITIES

Appendix B: Sample Smart Grid Cybersecurity and Interoperability Requirements

ID | Requirement | Comply (yes/no/partial) | For partial, list exceptions

Security Architecture
Physical security features of the solution shall be identified by the vendor.
Cyber security features of the solution shall be identified by the vendor.
Methodologies to maintain physical security features shall be included with the solution.
Methodologies to maintain cyber security features shall be included with the solution.
Methodologies to change vendor-configured or manufacturer default settings shall be included with the solution.
The solution shall support being deployed in a network with different security zones.
All security zones in the solution shall be protected with a stateful firewall.
All security zones in the solution shall be protected with separate authentication domains.
The solution shall have no restrictions on network segmentation.
The solution shall have no restrictions on stateful firewall placement.
There shall be no restrictions on placing different components of your solution in different authentication domains.
The use of trusts between authentication domains in the different security zones shall be limited and not assumed.

A listing of all types and locations of customer information shall be provided to the Cyber Security team for review and analysis.
All backdoors to the solution shall be identified along with corresponding security controls.
Communications in the solution shall originate from the more trusted/privileged component to the lesser trusted/privileged component.
In the event of a communication failure, only the more trusted/privileged component shall reinitiate communications.
For distributed components, only the centralized/master node shall initiate communications to remote nodes.
The HAN interface in the solution shall prevent HAN devices from accessing utility control functions.
All device management software shall be compatible with Microsoft Windows Server 2008 R2 Terminal Server.

Network Security
The solution shall have the capability to restrict access at the network layer, e.g. IP address and port filtering.
All firewalls that are part of the solution shall be stateful.
All firewalls that are part of the solution shall be configured with a default deny policy.
All firewalls that are part of the solution shall only allow required and approved ingress and egress data flows.
The solution shall have stateful, firewalled network boundaries between HAN and NAN zones.
The solution shall have stateful, firewalled network boundaries between NAN and WAN interfaces.
The solution shall have stateful, firewalled network boundaries between WAN and centralized AMI system component (headend, MDMS, AMI system management, AMI network management) interfaces.
The solution shall have stateful, firewalled network boundaries between the AMI system and other networks.
The solution shall have stateful, firewalled network boundaries between the AMI applications and other applications leveraging AMI transport infrastructure.

All required ingress and egress data flows shall be submitted to the Cyber Security team for approval during the design phase.
All components in the solution shall support the Secure DNS protocol.
IPSec VPN tunnel creation shall be supported between any distributed components and the master/head-end component.
IPSec VPN tunnels shall support one of the following encryption algorithms: 3DES, AES-128 or greater, or SSL 128-bit or greater.
All wireless links in the solution shall be protected with authentication.
All wireless links in the solution shall be protected with encryption.
The solution shall have a mechanism to scan for unauthorized wireless access points.

Device Configuration

System Hardening
The solution shall remove or disable all unused device drivers for network hardware.
The solution shall remove or disable all unused network ports and protocols.
The solution shall remove or disable all unused communication ports.
The solution shall remove or disable all unused administrative utilities.
The solution shall remove or disable all unused diagnostic functions.
The solution shall remove or disable all unused network management functions.
The solution shall remove or disable all unused system management functions.
The solution shall remove all unused data files.
The solution shall remove all unused configuration files.
The solution shall disable or remove all unneeded removable media drives/ports.

Hardware components in the solution shall be capable of being configured with least privilege file access.
Hardware components in the solution shall be capable of being configured with least privilege account access.
Software components in the solution shall be capable of being configured with least privilege file access.
Software components in the solution shall be capable of being configured with least privilege account access.

Configuration Management & Reporting
The solution shall support centralized security management for stateful firewall policy configurations.
The solution shall support centralized security management for software upgrades.
The solution shall support centralized security management for firmware upgrades.
The solution shall support centralized security management for configuration settings.
The solution shall support centralized security management for security patches.
The solution shall support centralized security management for IDS/IPS signature updates.
The solution shall support centralized security management for configuration of security features.
The solution shall support centralized security management for enabling security features.
The solution shall allow a baseline configuration template to be created for all distributed components in the solution.
The baseline configuration template shall be automatically applied to provide a distributed component with an initial configuration.
The baseline configuration template shall have the capability to be modified and changes automatically applied to existing distributed components.

Access Control & Management

Management of Built-In or Default Accounts

Vendors shall provide documentation about built-in and/or default accounts, including account names, purpose, and authorizations, to the Cyber Security team.
Vendors shall provide recommendations for which accounts need to be active.
Vendors shall provide recommendations for which accounts need to be disabled.
Vendors shall provide recommendations for which accounts need to be removed.
Vendors shall provide recommendations for which accounts need to be modified.
The solution shall support renaming built-in and/or default account identifiers.
The solution shall support changing built-in and/or default account passwords.
The solution shall support changing built-in and/or default account authorizations.

Session Management
Concurrent login attempts by the same user identifier shall be blocked.
The solution shall not allow the storage of user identifiers between sessions.
Storage of user passwords between sessions shall not be allowed.
Auto-fill functionality during login shall be prevented.
Anonymous logins shall be blocked.
Upon successful logon, the date and time of the last logon shall be displayed to the user.
Upon successful logon, the number of unsuccessful logon attempts since the last logon shall be displayed to the user.

Password Policy & Management
The solution shall integrate with Microsoft's Active Directory.
LDAP integration shall be supported.
Kerberos authentication shall be supported.

All credentials shall be encrypted while at rest.
All credentials shall be encrypted while in transit.
The RADIUS protocol shall be supported.
The TACACS protocol shall be supported.
The solution shall integrate with RSA's SecurID.
The solution shall support creating access accounts locally.
The solution shall support creating access authorizations locally.
The use of local access accounts shall be limited and not assumed.
The solution shall have configurable technical controls to enforce password complexity.
The solution shall have configurable technical controls to prevent a user from reusing a password for at least eighteen months.
The solution shall have configurable technical controls to enforce an eight-character minimum password length for user accounts.
The solution shall have configurable technical controls to force end users to change their passwords at least every ninety days.
The solution shall have configurable technical controls to force privileged users to change their passwords at least every sixty days.
The solution shall have configurable technical controls to automatically lock accounts immediately following five consecutive authentication failures.
The solution shall have configurable technical controls to prevent a user's password from matching his/her user ID.
The solution shall have configurable technical controls to automatically lock a user's session that has been inactive for a configurable period of time.
The solution shall have configurable technical controls to automatically terminate a user's session that has been inactive for a configurable period of time.
Distributed components shall support local password changes.
Distributed components shall support remote password changes.
Distributed components shall support global password changes.

The potential breach resulting from passwords being reused across multiple components in the solution shall be minimized.
Passwords shall not be embedded in tools.
Passwords shall not be embedded in source code.
Passwords shall not be embedded in scripts.
Passwords shall not be embedded in shortcuts.
Passwords shall not be displayed when entered by a user.
Error messages for invalid account identifiers shall be the same as those for invalid passwords.

Host/Device Authentication
Devices shall authenticate before accessing the network.
RADIUS device authentication shall be supported.
Account identifiers used for device authentication shall be configurable.
Account passwords used for device authentication shall be configurable.
Devices shall authenticate using PKI certificates.

Role-Based Access Control
User interfaces in the solution shall require authentication.
User interfaces in the solution shall have authorization controls.
Application interfaces in the solution shall require authentication.
Application interfaces in the solution shall have authorization controls.
Users shall authenticate before accessing configuration files.
Users shall authenticate before accessing configuration settings.
Users shall authenticate before performing firmware upgrades.
Users shall authenticate before performing software upgrades.
User accounts shall be configured with only the required authorizations for a specific job role.
Application-to-application (process) accounts shall be configured with only the required authorizations for a specific application role.
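
The Session Management and Password Policy & Management rows above (eight-character minimum, no reuse for eighteen months, ninety-day and sixty-day maximum password age, lockout after five consecutive failures, no password equal to the user ID, identical error messages for bad identifiers and bad passwords, last-logon and failed-attempt display) can be expressed directly in code. The following Python is an added example written for this page; it is not code from the U.S. Resilience Project, a utility, or any vendor. The in-memory account store, the two role names, the scrypt parameters, and the "three of four character classes" complexity rule are assumptions.

```python
"""Password policy and login controls modelled on the Appendix B rows.

Added example for this page; not code from the U.S. Resilience Project,
a utility or a vendor. The in-memory store, role names, scrypt parameters
and the "three of four character classes" complexity rule are assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 8                             # eight-character minimum
REUSE_WINDOW = timedelta(days=18 * 30)     # at least eighteen months (approximated)
MAX_AGE = {"user": timedelta(days=90), "privileged": timedelta(days=60)}
LOCKOUT_THRESHOLD = 5                      # lock on the fifth consecutive failure
GENERIC_ERROR = "Authentication failed."   # identical text for bad user and bad password
CHAR_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def _hash(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF from the standard library; the clear password is never stored."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Account:
    user_id: str
    role: str = "user"                           # "user" or "privileged"
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    pw_set_at: datetime = field(default_factory=datetime.now)
    history: list = field(default_factory=list)  # (hash, salt, set_at) of old passwords
    failures: int = 0                            # consecutive failures
    locked: bool = False
    last_logon: Optional[datetime] = None
    failures_since_last_logon: int = 0


def check_policy(acct: Account, new_pw: str, now: datetime) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append("too short")
    if sum(bool(re.search(c, new_pw)) for c in CHAR_CLASSES) < 3:
        problems.append("insufficient complexity")
    if new_pw.lower() == acct.user_id.lower():
        problems.append("matches user ID")
    previous = list(acct.history)
    if acct.pw_hash:                              # the current password counts as "used" too
        previous.append((acct.pw_hash, acct.salt, acct.pw_set_at))
    for old_hash, old_salt, set_at in previous:
        if now - set_at < REUSE_WINDOW and hmac.compare_digest(_hash(new_pw, old_salt), old_hash):
            problems.append("reused within eighteen months")
            break
    return problems


def set_password(acct: Account, new_pw: str, now: datetime) -> bool:
    if check_policy(acct, new_pw, now):
        return False
    if acct.pw_hash:
        acct.history.append((acct.pw_hash, acct.salt, acct.pw_set_at))
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_pw, acct.salt)
    acct.pw_set_at = now
    return True


def password_expired(acct: Account, now: datetime) -> bool:
    return now - acct.pw_set_at > MAX_AGE[acct.role]


def login(store: dict, user_id: str, password: str, now: datetime) -> dict:
    """Attempt a login; the failure message never reveals which factor was wrong."""
    acct = store.get(user_id)
    if acct is None or acct.locked:
        _hash(password, b"\x00" * 16)   # same cost as a real check, so timing leaks less
        return {"ok": False, "message": GENERIC_ERROR}
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failures += 1
        acct.failures_since_last_logon += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return {"ok": False, "message": GENERIC_ERROR}
    result = {"ok": True,
              "last_logon": acct.last_logon,                       # shown to the user on logon
              "failed_since_last_logon": acct.failures_since_last_logon,
              "must_change_password": password_expired(acct, now)}
    acct.failures = 0
    acct.failures_since_last_logon = 0
    acct.last_logon = now
    return result
```

The one design point worth noting is that `login` returns the same dictionary for an unknown user, a locked account, and a wrong password, and still runs the KDF in the first two cases; that is what the "same error message" row is asking for, and it is cheap to do at the time the code is written and expensive to retrofit.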

Users' role associations shall have the capability to be changed.
Administrators shall have the capability to create emergency/temporary accounts.
The use of emergency/temporary accounts shall be limited and not assumed.
Emergency/temporary accounts shall have the same or greater security controls than traditional user accounts.
Emergency/temporary accounts shall be automatically disabled or deleted after a configurable amount of time.
Emergency/temporary accounts shall be centrally monitored.
The solution shall support PKI-based authentication.
PKI certificates shall be validated by constructing a certification path to an accepted trust anchor.
The solution shall enforce authorized access to the certificate's private key.
The solution shall enforce authorized use of the certificate's private key.
The solution shall map the authenticated certificate identity to the user account.
The solution shall restrict the life-span of passwords for field tools.
The solution shall restrict the life-span of certificates.
Dual authorization shall be required to execute privileged functions that have effects on facility, human, and environmental safety.

Single Sign On (SSO)
The solution shall support single sign-on for user accounts.
Access control provided by single sign-on (SSO) shall be the same or greater than that of a direct logon.
Single sign-on shall be supported across all components in the solution.
SSO implementations shall have strict access control in place for key files such as authorization and password files.
SSO implementations shall encrypt authorization and password files.

The solution shall integrate with CA SiteMinder.

Application/Hardware Security
Customizable login banners shall be available for all user interfaces in the solution.
Customizable login banners shall allow at least 256 characters.
Sensitive information such as make and model of product and/or software or firmware versions shall not be displayed before successful authentication is completed.
The solution shall have the capability to automatically push login banner changes to distributed components.
The solution shall isolate telemetry/data acquisition services from management services.
The solution shall isolate telemetry/data acquisition services from information storage services (e.g. a database).
The solution shall isolate security functions from non-security functions.
The solution shall implement security functions as independent modules.
The solution shall limit interactions between the different security functions (modules).
The solution shall implement security functions in a layered manner. Lower-layer security functions shall not be dependent on higher-layer security functions.
Information system remnants, including encrypted information, shall be cleared from registers after a resource has been returned to the information system.
Information system remnants, including encrypted information, shall be cleared from main memory after a resource has been returned to the information system.
Information system remnants, including encrypted information, shall be cleared from secondary storage after a resource has been returned to the information system.
Security-related components shall be designed to fail to a safe mode, thus preventing a security component failure from causing a denial of service event in the solution.

Operationally significant security components (e.g. firewalls, PKI, access control, etc.) shall be highly available/redundant.
Processes executed shall be prioritized. Higher priority processes shall be executed before lower priority processes.
The solution shall have protocol-level message authentication mechanisms for serial protocols.
The solution shall have protocol-level message authentication mechanisms for routable protocols.
Integrity/authenticity checking shall be performed before firmware and/or software is loaded.
Inputs shall be filtered and only those matching a predefined valid set shall be processed. Inputs that don't match the predefined set shall be rejected and logged.
Detail shall be limited in returned error messages.
Security mechanisms shall be designed using a default-deny strategy, i.e. access is denied until allowed, not allowed until denied.
The solution shall include data integrity checking.
The solution shall include message integrity checking.
Inputs and outputs shall be validated.
The solution shall handle errors securely.
The following vulnerability shall be mitigated in the solution: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
The following vulnerability shall be mitigated in the solution: Cross-Site Scripting (XSS) flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

The following vulnerability shall be mitigated in the solution: Broken Authentication and Session Management. Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.
The following vulnerability shall be mitigated in the solution: Insecure Direct Object References. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
The following vulnerability shall be mitigated in the solution: Cross-Site Request Forgery (CSRF). A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
The following vulnerability shall be mitigated in the solution: Security Misconfiguration. Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.
The following vulnerability shall be mitigated in the solution: Insecure Cryptographic Storage. Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
The following vulnerability shall be mitigated in the solution: Failure to Restrict URL Access. Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
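
The input-filtering, limited-error-detail and injection rows above describe one control chain: accept only inputs from a predefined valid set, log what is rejected, return a generic error to the caller, and never let untrusted text reach an interpreter as part of a command. The Python below is an added example for this page (not the page's, the project's, or any vendor's code) that shows a meter-reading lookup written the way the injection row warns against beside the hardened form a reviewer would expect. The readings table, the MTR-nnnnnn identifier format and the sample rows are constructed.

```python
"""Default-deny input filtering beside a parameterized query.

Added example for this page, not the page's or any vendor's code. The
readings table, the MTR-nnnnnn identifier format and the sample rows are
constructed.
"""
import logging
import re
import sqlite3
from typing import List, Tuple

log = logging.getLogger("input-filter")

# The only shape of meter identifier the application accepts: "MTR-" followed
# by six digits. Anything else is rejected before it can reach the database
# (fullmatch, so a trailing newline or suffix does not slip through).
METER_ID = re.compile(r"MTR-\d{6}")


class RejectedInput(ValueError):
    """Raised for inputs outside the allowed set; the message is deliberately generic."""


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: three meters with their latest readings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (meter_id TEXT, kwh REAL, customer TEXT)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?)", [
        ("MTR-000001", 12.5, "customer-a"),
        ("MTR-000002", 7.25, "customer-b"),
        ("MTR-000003", 40.0, "customer-c"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, meter_id: str) -> List[Tuple[str, float]]:
    """The 'before': caller-supplied text is pasted into the SQL, so it can change the query."""
    cur = conn.execute(
        f"SELECT meter_id, kwh FROM readings WHERE meter_id = '{meter_id}'")
    return cur.fetchall()


def lookup_hardened(conn: sqlite3.Connection, meter_id: str) -> List[Tuple[str, float]]:
    """The 'after': allowlist check first, then a bound parameter; rejections are logged."""
    if not METER_ID.fullmatch(meter_id):
        # Keep the detail (truncated) for the security team; the caller gets none of it.
        log.warning("rejected meter_id input: %r", meter_id[:64])
        raise RejectedInput("invalid request")
    cur = conn.execute(
        "SELECT meter_id, kwh FROM readings WHERE meter_id = ?", (meter_id,))
    return cur.fetchall()
```

The allowlist is the default-deny strategy the table asks for: the code names the one shape it accepts rather than enumerating what it refuses. The bound parameter is a second, independent layer, so a future change that loosens the pattern does not by itself reopen the injection path.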

The following vulnerability shall be mitigated in the solution: Insufficient Transport Layer Protection. Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
The following vulnerability shall be mitigated in the solution: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
Field tools shall be authenticated by field components before accepting configuration data.
Field tools shall be authenticated by field components before displaying configuration data.
The solution shall prevent uploading of executable files from the HAN interface to the AMI meter.
Field components shall not provide developer-level diagnostic/debug information to a field user.
Components with remote connect and/or disconnect capabilities shall introduce a random delay of between 0 and 360 minutes or greater before responding to a remote connect and/or disconnect command.
Meters shall respond immediately to a cancel remote connect/disconnect command by cancelling any connect/disconnect command that has been received but not yet executed.
Selection and imposition of remote connect and/or disconnect delays are implemented by a device whose operation, excepting disconnect/connect requests and request cancellations, cannot be modified via a network interface.
The software associated with scheduling remote connects/disconnects shall recognize when a dangerously large number of remote connects/disconnects have been scheduled to occur simultaneously.
The software associated with scheduling remote connects/disconnects shall provide notification when a dangerously large number of remote connects/disconnects have been scheduled to occur simultaneously.

The software associated with scheduling remote connects/disconnects shall suspend issuing any connect/disconnect commands when a dangerously large number of remote connects/disconnects have been scheduled to occur simultaneously, until the situation is understood and resolved by properly authorized utility personnel.
Remote connect/disconnect devices and/or their associated infrastructure shall log sufficient information about remote connect/disconnect commands received by the device to enable subsequent troubleshooting, tracking, and other forensic analysis in the event of a suspected attack or other anomaly.

Web Services
Application interfaces shall be protected with TLS v1.2 or greater or SSL v3 or greater.
X.509 certificates shall be used for application interface encryption.
Applications shall validate identities using a Security Token Service (STS).
The WS-Trust protocol shall be supported for use of Security Token Services (STS).
Web applications shall require authentication and authorization on a reverse proxy before users may reach the application or its corresponding infrastructure.
The solution shall support integration with CA SiteMinder for user authentication.
The solution shall support integration with CA SiteMinder for user authorization.
The solution shall support integration with CA SiteMinder for reverse proxying.

Cryptography
The solution shall not allow encryption keys to be installed on multiple components.
Enabling cryptographic protections shall not degrade performance or functionality.
A cryptographic protection mechanism failure shall not impact normal operations of the solution.
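
The remote connect/disconnect rows above and on the previous page form one safety mechanism: the device itself picks a random delay of 0 to 360 minutes before acting, a cancel is honoured immediately, and the scheduling software must recognise a dangerously large number of simultaneous commands, notify, stop issuing commands until properly authorized personnel resolve the situation, and keep a record for later forensics. The Python below is an added example that models both sides of that mechanism; it is not code from the page, the U.S. Resilience Project, or any meter vendor. The threshold of 200 commands, the one-minute window taken to mean "simultaneous", and the meter and operator names are assumptions.

```python
"""Remote connect/disconnect safeguards modelled on the Appendix B rows.

Added example for this page; not code from the page or from any meter vendor.
The 200-command threshold, the one-minute window taken to mean "simultaneous",
and the meter/operator names are constructed assumptions.
"""
import logging
import random
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

log = logging.getLogger("remote-switch")

MAX_DELAY_MINUTES = 360        # device-chosen random delay range, 0..360 minutes
SIMULTANEOUS_THRESHOLD = 200   # assumption: more than this in one window is "dangerous"


@dataclass
class SwitchCommand:
    meter_id: str
    action: str                # "connect" or "disconnect"
    requested_by: str
    scheduled_for: datetime


@dataclass
class Meter:
    """Device side: the meter, not the head end, picks the delay and keeps a log."""
    meter_id: str
    rng: random.Random = field(default_factory=random.Random)
    pending: Optional[dict] = None
    state: str = "connected"
    events: List[str] = field(default_factory=list)   # forensic record of commands

    def receive(self, cmd: SwitchCommand, now: datetime) -> timedelta:
        delay = timedelta(minutes=self.rng.uniform(0, MAX_DELAY_MINUTES))
        self.pending = {"action": cmd.action, "execute_at": now + delay}
        self.events.append(f"{now.isoformat()} received {cmd.action} from "
                           f"{cmd.requested_by}, delay {delay.total_seconds() / 60:.1f} min")
        return delay

    def cancel(self, now: datetime) -> bool:
        """A cancel is honoured immediately; no delay applies."""
        if self.pending is None:
            return False
        self.events.append(f"{now.isoformat()} cancelled pending {self.pending['action']}")
        self.pending = None
        return True

    def tick(self, now: datetime) -> bool:
        """Execute the pending command once its randomised time has passed."""
        if self.pending and now >= self.pending["execute_at"]:
            self.state = "connected" if self.pending["action"] == "connect" else "disconnected"
            self.events.append(f"{now.isoformat()} executed {self.pending['action']}")
            self.pending = None
            return True
        return False


class SwitchScheduler:
    """Head-end side: recognises mass scheduling, alerts, and stops issuing commands."""

    def __init__(self) -> None:
        self.queue: List[SwitchCommand] = []
        self.suspended_reason: Optional[str] = None
        self.alerts: List[str] = []

    @staticmethod
    def _window(t: datetime) -> datetime:
        return t.replace(second=0, microsecond=0)   # one-minute buckets

    def schedule(self, cmd: SwitchCommand) -> None:
        self.queue.append(cmd)
        counts: Dict[datetime, int] = defaultdict(int)
        for c in self.queue:
            counts[self._window(c.scheduled_for)] += 1
        worst = max(counts.values())
        if worst > SIMULTANEOUS_THRESHOLD and self.suspended_reason is None:
            self.suspended_reason = f"{worst} switch commands scheduled within one minute"
            self.alerts.append(self.suspended_reason)        # the required notification
            log.critical("suspending remote switching: %s", self.suspended_reason)

    def issue_due(self, now: datetime) -> List[SwitchCommand]:
        """Commands ready to send; nothing is issued while suspended."""
        if self.suspended_reason is not None:
            return []
        due = [c for c in self.queue if c.scheduled_for <= now]
        self.queue = [c for c in self.queue if c.scheduled_for > now]
        return due

    def resume(self, operator: str, note: str) -> None:
        """Only a properly authorized operator clears the suspension, with a recorded reason."""
        self.alerts.append(f"resumed by {operator}: {note}")
        self.suspended_reason = None
```

Keeping the delay selection inside `Meter` mirrors the row that says the delay must be imposed by a device whose operation cannot be changed over the network: even a compromised head end cannot tell every meter to act at the same instant, and the scheduler's suspension is a second, independent brake on the same failure.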

All cryptographic modules shall meet Federal Information Processing Standard (FIPS) 140-2 requirements where technically feasible.
All management interfaces shall be encrypted.
All communication interfaces shall be encrypted.
Encryption keys shall not be embedded in source code.
Encryption keys shall not be shared across multiple customer deployments.
Standard IPSec VPN concentrators shall be supported for IPSec connections.

Key Management
The solution shall provide key establishment/generation in a secure way.
The solution shall provide key destruction in a secure way.
The solution shall require periodic key changes.
The solution shall support quantities of certificates in the magnitude of millions.
The solution shall provide reporting capabilities for the key management system.
The solution shall provide a revocation function.
The key management solution shall restrict communications to specific devices.
Latency induced by using certificates shall not degrade the operational performance of the solution.

Malware Detection & Protection
The information required to configure a host-based intrusion detection system (HIDS) shall be delivered with the solution.
The solution shall be fully compatible with Symantec Endpoint Protection v11 software.
Symantec Endpoint Protection v11 software shall be installed on all components in the solution.
Latency induced by performing periodic full scans shall not degrade the operational performance of the solution.

Latency induced by performing periodic real-time scans shall not degrade the operational performance of the solution.
The solution shall be fully compatible with standard antivirus software.
The solution shall support real-time virus scanning on all components.
The solution shall support periodic full system virus scans on all components.

Flaw Remediation

Security Updates/Patching and Notification
Vendors shall notify PGN upon discovering a flaw or vulnerability and include detailed documentation describing the flaw, security impact, root cause, and corrective action.
Vendors shall notify PGN via email when security patches or updates are available.
Vendors shall notify PGN via email when security patches or updates are available for any operating system, application, or other third-party component leveraged by their products.
Vendors shall provide software updates or workarounds to mitigate all identified vulnerabilities within ten business days.
Vendors shall have formal flaw/vulnerability remediation processes that are shared with PGN during the RFP scoring phase.
Vendors shall provide a history of identified flaws/vulnerabilities in their products/solutions, along with the remediation steps taken, during the RFP scoring phase.
Software updates, patches, firmware updates, etc. shall not require a physical site visit to load and install.
Production components shall not require internet access to obtain updates.
Vendors shall deliver mitigations for zero-day vulnerabilities within 10 business days.
Vendors shall certify compliance with critical operating system patches within two business days.
Vendors shall certify compliance with non-critical operating system patches within ten business days.

The solution shall have an automated method to remotely install patches, security updates, and firmware on all end devices.
Successful authentication shall be required before firmware can be loaded and installed.
Vendors shall provide the number of security updates/patches released for all their products over the past 12 months during the RFP phase.

Problem Reporting
The vendor shall have a formal process for users to submit problem reports and remediation requests.
Vendors shall review problem reports and remediation requests and provide a corrective action plan within 24 hours of PGN's submittal.
Vendors shall protect problem reports PGN submits to the same degree as their company's confidential information.

Vulnerability Management
Vendors shall conduct vulnerability assessments on their products/solutions at least annually.
Vendors shall mitigate all vulnerabilities in their solutions.
Vendors shall use a credible entity to perform vulnerability assessments.
All application and hardware code shall be reviewed and assessed for vulnerabilities by a credible entity within the past year.
All application and hardware code vulnerabilities shall be mitigated.
All web servers/services and the applications that leverage them shall be scanned for vulnerabilities at least annually by a credible entity using standard tools.
All identified web server/services and web application vulnerabilities shall be mitigated.
All web server/services versions installed shall be supported, current, and fully patched.
The solution shall minimize the system impact of a potential denial of service attack.
Capacity shall be managed to limit information flooding DoS attacks.

Bandwidth shall be managed to limit information flooding DoS attacks.
All redundancies shall be managed to limit information flooding DoS attacks.
The solution shall mitigate the impact of a potential radio jamming attack.
The solution shall mitigate the impact of potential energy theft.
Physical security controls shall be in place to mitigate tampering.
The risk associated with potential lost or stolen components shall be mitigated.
The solution shall minimize the system impact of an unauthorized user gaining access to the Neighborhood Area Network (NAN).
The solution shall detect and alert on unsuccessful login attempts.
The solution shall detect unauthorized components that are introduced into the solution.
The solution shall quarantine unauthorized components that have been introduced into the solution.
Vendors shall provide a website where security patches and updates can be downloaded on demand.
Vendors shall include integrity and authenticity checking when updates are downloaded.

Monitoring, Auditing, Logging, & Reporting
The solution shall support mirroring security logs from all hardware and software components to a central logging server.
The syslog standard shall be supported on all components in the solution.
The solution shall support periodic synchronization of system clocks with a centralized clock using NTP for all components.
System clocks shall be periodically synchronized to minimize drift.
The solution shall aggregate audit logs and security events, and provide reports and alerts.
The solution shall alert and report on excessive authentication failures for a specific account.


The solution shall alert and report on abnormal behavior on a specific account.
The solution shall alert and report on adding, deleting, or modifying user accounts.
The solution shall alert and report on modifying the configuration of the solution.
The solution shall alert and report on altering data stored in the solution.
The solution shall alert and report on modifying the solution's security settings.
The solution shall alert and report when logging facilities are not operational.
The solution shall alert and report when the log storage limit has been reached.
The solution shall generate log entries for all user activity.
The solution shall generate log entries for all component activity.
The solution shall provide a reporting function for user-level activities.
The solution shall provide a reporting function for component-level activities.
The solution shall provide a reporting function for solution-level activities.
All log entries generated by the solution shall include the date and time of the event/action.
All log entries generated by the solution shall include the component where the event occurred.
All log entries generated by the solution shall include the type of the event or action.
All log entries generated by the solution shall include the user/subject identity.
All log entries generated by the solution shall include the outcome of events.
All log files shall be encrypted.
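The logging and alerting requirements above (central syslog collection, the five mandatory log fields, alerts on excessive authentication failures, account and configuration changes, and non-operational logging) can be exercised against a central log as follows. This is an added example, not code from the original document or from any utility's or vendor's product; the component names, account names, event-type vocabulary and log lines are all constructed.

```python
"""Central-log alerting built on the log fields this appendix requires.

Added example, not taken from the original document or from any utility's
or vendor's product. Every constructed line carries the five fields the
requirements list mandates (date/time, component, event type, user/subject
identity, outcome), and the detectors cover three of the alert requirements:
excessive authentication failures on one account, account/configuration/
security-setting changes, and a component whose logging heartbeat stopped.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("ts", "component", "event", "subject", "outcome")

# Events that must always be reported: account and configuration changes.
CHANGE_EVENTS = {"ACCOUNT_ADD", "ACCOUNT_DELETE", "ACCOUNT_MODIFY",
                 "CONFIG_CHANGE", "SECURITY_SETTING_CHANGE"}

# Constructed sample log: ISO-8601 UTC timestamp followed by key=value pairs,
# as a syslog forwarder might deliver them to the central logging server.
SAMPLE_LOG = """\
2011-03-04T10:15:00Z component=headend-01 event=HEARTBEAT subject=system outcome=OK
2011-03-04T10:15:10Z component=collector-7 event=HEARTBEAT subject=system outcome=OK
2011-03-04T10:15:22Z component=headend-01 event=AUTH_LOGIN subject=fieldtech1 outcome=FAIL
2011-03-04T10:15:31Z component=headend-01 event=AUTH_LOGIN subject=fieldtech1 outcome=FAIL
2011-03-04T10:15:40Z component=headend-01 event=AUTH_LOGIN subject=fieldtech1 outcome=FAIL
2011-03-04T10:15:47Z component=headend-01 event=AUTH_LOGIN subject=fieldtech1 outcome=FAIL
2011-03-04T10:15:55Z component=headend-01 event=AUTH_LOGIN subject=fieldtech1 outcome=FAIL
2011-03-04T10:16:02Z component=headend-01 event=AUTH_LOGIN subject=fieldtech1 outcome=FAIL
2011-03-04T10:16:30Z component=headend-01 event=AUTH_LOGIN subject=operator2 outcome=OK
2011-03-04T10:17:05Z component=headend-01 event=ACCOUNT_ADD subject=operator2 outcome=OK target=svc_backup
2011-03-04T10:20:00Z component=headend-01 event=HEARTBEAT subject=system outcome=OK
2011-03-04T10:21:00Z component=headend-01 event=CONFIG_CHANGE subject=operator2 outcome=OK
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_entry(line):
    """Parse one line; reject it if any mandated field is absent."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = parse_ts(ts_text)
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"log entry missing required field(s) {missing}: {line!r}")
    return fields


def parse_log(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def auth_failure_alerts(entries, threshold=5, window=timedelta(minutes=5)):
    """Alert once per account when `threshold` login failures fall inside `window`."""
    recent = defaultdict(deque)  # subject -> timestamps of failures still in the window
    alerted, alerts = set(), []
    for e in entries:
        if e["event"] != "AUTH_LOGIN" or e["outcome"] != "FAIL":
            continue
        q = recent[e["subject"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and e["subject"] not in alerted:
            alerted.add(e["subject"])
            alerts.append({"alert": "EXCESSIVE_AUTH_FAILURES", "subject": e["subject"],
                           "component": e["component"], "count": len(q), "ts": e["ts"]})
    return alerts


def change_alerts(entries):
    """Every account, configuration or security-setting change is reported."""
    return [{"alert": e["event"], "subject": e["subject"], "component": e["component"],
             "target": e.get("target"), "ts": e["ts"]}
            for e in entries if e["event"] in CHANGE_EVENTS]


def heartbeat_alerts(entries, now, expected_components=(), max_silence=timedelta(minutes=3)):
    """Flag components (the expected set would come from the CMDB) whose heartbeat is missing or stale."""
    last_seen = {c: None for c in expected_components}
    for e in entries:
        if e["event"] == "HEARTBEAT":
            prev = last_seen.get(e["component"])
            last_seen[e["component"]] = e["ts"] if prev is None else max(prev, e["ts"])
    return [{"alert": "LOGGING_NOT_OPERATIONAL", "component": c, "last_heartbeat": t}
            for c, t in sorted(last_seen.items()) if t is None or now - t > max_silence]


def run_all(text, now_text, expected_components=()):
    entries = parse_log(text)
    now = parse_ts(now_text)
    return (auth_failure_alerts(entries) + change_alerts(entries)
            + heartbeat_alerts(entries, now, expected_components))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG, "2011-03-04T10:21:30Z",
                         ("headend-01", "collector-7", "meter-gw-3")):
        print(alert)
```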


The latency induced by enabling all logging, alerting, and reporting functions shall not degrade the operational performance of the solution.
A heartbeat signal that can be remotely monitored shall be generated to ensure the solution is working and available.
The retention period for all log repositories shall meet business and regulatory requirements and be no less than one year.
The solution shall integrate with standard security incident and event management tools.
The solution shall integrate with ArcSight.
The solution shall include custom adapters for ArcSight.
The solution shall integrate with Microsoft System Center and Operations Manager (SCOM).
The solution shall include custom adapters for Microsoft System Center and Operations Manager (SCOM).
The solution shall include an automatic and periodic auditing/verification mechanism to check configuration parameters.
The solution shall include an automatic and periodic auditing/verification mechanism to check security settings.
The solution shall include an automatic and periodic auditing/verification mechanism to check firmware versions.
The solution shall include an automatic and periodic auditing/verification mechanism to check program settings.
The solution shall generate reports and alerts for discrepancies found by the automatic and periodic auditing/verification mechanisms.
The solution shall automatically correct discrepancies identified by the automatic and periodic auditing/verification mechanisms.
The solution shall have a security self-test capability that runs periodically and tests all security functions in the solution.
Alerts, reports, and log entries shall be generated for failures identified during the security self-test.
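The automatic auditing/verification requirements above (configuration parameters, security settings, firmware versions, discrepancy reports, automatic correction, and alerts on self-test failures) together with the inhibit-on-failure step the requirements go on to specify can be modelled as a periodic audit pass like the following. This is an added example, not code from the original document or from any vendor's product; device names, versions, settings and firmware bytes are constructed.

```python
"""Periodic configuration and firmware audit with inhibit-on-failure.

Added example, not from the original document or from any vendor's product.
It models the automatic auditing/verification requirements: each device's
firmware version and image hash, security settings and SNMP version are
checked against an approved baseline, every discrepancy is reported,
settings that can safely be reset are corrected automatically, and a device
whose firmware integrity check fails is marked so that its control and relay
functions stay inhibited until the failure is corrected. Device names,
versions, settings and firmware bytes are all constructed.
"""
import hashlib
from copy import deepcopy


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed known-good firmware image (in practice taken from the vendor's
# signed release manifest, never from the device under audit).
GOOD_FW = b"relay-fw-2.4.1\x00\x01constructed-image"

# Approved baseline every device must match.
BASELINE = {
    "firmware_version": "2.4.1",
    "firmware_sha256": sha256_hex(GOOD_FW),
    "security_settings": {"snmp_version": 3, "remote_logging": True,
                          "local_admin_accounts": 0, "tls_min_version": "1.2"},
}

# Constructed inventory snapshot as an audit agent would collect it.
INVENTORY = {
    "relay-01": {"firmware_version": "2.4.1", "firmware_image": GOOD_FW,
                 "security_settings": {"snmp_version": 3, "remote_logging": True,
                                       "local_admin_accounts": 0, "tls_min_version": "1.2"}},
    "relay-02": {"firmware_version": "2.4.1", "firmware_image": GOOD_FW,
                 "security_settings": {"snmp_version": 2, "remote_logging": False,
                                       "local_admin_accounts": 0, "tls_min_version": "1.2"}},
    "relay-03": {"firmware_version": "2.4.1",  # reports the approved version ...
                 "firmware_image": b"relay-fw-2.4.1\x00\x01tampered-image",  # ... but the image differs
                 "security_settings": {"snmp_version": 3, "remote_logging": True,
                                       "local_admin_accounts": 1, "tls_min_version": "1.2"}},
}


def audit_device(name, device, baseline=BASELINE):
    """Return one finding per discrepancy between the device and the baseline."""
    findings = []
    if device["firmware_version"] != baseline["firmware_version"]:
        findings.append({"device": name, "check": "firmware_version", "severity": "inhibit",
                         "expected": baseline["firmware_version"],
                         "observed": device["firmware_version"]})
    observed_hash = sha256_hex(device["firmware_image"])
    if observed_hash != baseline["firmware_sha256"]:  # a version string alone proves nothing
        findings.append({"device": name, "check": "firmware_integrity", "severity": "inhibit",
                         "expected": baseline["firmware_sha256"], "observed": observed_hash})
    for key, expected in baseline["security_settings"].items():
        observed = device["security_settings"].get(key)
        if observed != expected:
            findings.append({"device": name, "check": "security_setting:" + key,
                             "severity": "correct", "expected": expected, "observed": observed})
    return findings


def run_audit(inventory, baseline=BASELINE):
    """Audit every device; return (findings, corrected inventory, inhibited device names)."""
    corrected = deepcopy(inventory)
    findings, inhibited = [], []
    for name, device in inventory.items():
        device_findings = audit_device(name, device, baseline)
        findings.extend(device_findings)
        if any(f["severity"] == "inhibit" for f in device_findings):
            # The firmware cannot be trusted, so its settings are not touched either:
            # the device stays inhibited until the firmware is reloaded and re-verified.
            inhibited.append(name)
            continue
        for f in device_findings:  # safe to auto-correct on a device with verified firmware
            key = f["check"].split(":", 1)[1]
            corrected[name]["security_settings"][key] = f["expected"]
    return findings, corrected, sorted(inhibited)


if __name__ == "__main__":
    results, _, blocked = run_audit(INVENTORY)
    for finding in results:
        print(finding)
    print("inhibited:", blocked)
```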


The solution shall take steps to inhibit the control, communications, and relaying/repeating functions on any device with a failure identified during the security self-test until the failure is corrected.
Periodic integrity checks shall be performed on installed software and firmware.
The solution shall alert on anomalies resulting from periodic integrity checks that are performed on installed software and firmware.
The solution shall support SNMP v3 on all devices.

Field Tools
Field service tools shall not require a connection through the HAN to interface to the AMI meter.
Field tools shall not collect nor store sensitive information such as customer personally identifiable information, customer premise identifiers, customer certificates, or system information.
Field tools shall support full-volume encryption.
Field tools shall support multi-factor authentication.
Field tools shall support RSA SecurID.
Field tools shall support automatic application of all security updates for the operating system and installed applications.
Field tools shall support host-based firewalls.
Field tools shall support host-based IDS.
Field tools shall support anti-virus, anti-malware, and anti-spam software.
Field tools shall support automatic scanning of removable media when attached.
Field tools shall support Symantec EndPoint Protection software v11.
Field tools shall not save nor store customer information, passwords, encryption keys, or any other information that may compromise the solution.

Supply Chain


Vendors shall have a certified quality assurance process for all manufactured products.
Vendors shall assure 100% of their manufactured products through a certified quality assurance process.
Quality assurance testing shall be performed by a creditable entity.
Vendor supply chain processes shall be assessed for vulnerabilities by a creditable entity at least annually.
All identified vendor supply chain vulnerabilities shall be mitigated.
Vendor quality assurance processes shall be audited by a creditable entity at least annually.
All gaps resulting from periodic quality assurance process audits shall be remediated.
Vendors shall audit their suppliers against their own quality assurance and requirements at least annually.
All gaps resulting from audits of the vendor's suppliers shall be remediated.
Vendors shall mitigate international supply chain risks for any hardware, software, or components manufactured, programmed, or developed outside of the United States.
Vendors shall implement security controls to prevent unauthorized code from being loaded on products during manufacturing.

Asset Management
The solution shall provide a mechanism to track maintenance on all components.
The solution shall collect and store the date and time of all maintenance.
The solution shall collect and store the name of the individual performing maintenance.
The solution shall collect and store a description of all maintenance.
The solution shall collect and store a description and identification number for any removed and/or replaced equipment.
The solution shall support integration with a configuration management database (CMDB).


The solution shall provide a mechanism to report on maintenance trends.
The solution shall provide a mechanism to report on deployed hardware and software version levels.
The solution shall provide a mechanism to report on actions taken by specific maintenance personnel.
The solution shall include methods that are compliant with PGN's CSP to remove all critical/sensitive information (customer, company, and system information) before equipment and/or media is disposed of.

Business Continuity/Disaster Recovery
The solution shall include automated backup and restore mechanisms for all critical software, applications, and data for all components.
Backups shall be physically separated from operational components.
The timeframe for performing a restore for each operational component shall be limited.
Backups shall be encrypted.
The solution shall integrate with standard enterprise backup solutions.
Integration with Tivoli Storage Manager (TSM) shall be supported.

Service Provider(s) - Complete if your solution includes a hosted option.
Hosting/service providers shall comply with all requirements in PGN's Cyber Security Policy.
Hosting/service providers shall have a formal cyber security policy that meets ISO 17799/27002.
Hosting/service providers shall have an effective security awareness program.
Hosting/service providers shall complete PGN's SaaS/Application Service Provider questionnaire and remediate all findings.
Hosting/service providers shall have undergone a SAS 70 Type II audit or equivalent within the past year.


Hosting/service providers shall provide documentation of findings, dispositions, and mitigations which result from a SAS 70 Type II audit or equivalent.
Hosting/service providers shall conduct penetration tests on their service at least annually.
Hosting/service providers shall mitigate all penetration test findings.
Hosting/service providers shall use a creditable entity to perform penetration tests.
Hosting/service providers shall provide all material weaknesses or deficiencies identified during audits of the hosting facilities, of access to customer information, or of data pathways supporting the project.
Hosting/service providers shall segregate and protect PGN data and access from other customers' data and access at the hosting facility.
Hosting/service providers shall support building a site-to-site VPN with PGN that is encrypted with 3DES or AES algorithms.
Hosting/service providers shall require authentication to access wireless networks at their facilities.
Hosting/service providers shall encrypt communications over the wireless network.
Hosting/service providers shall take steps to ensure non-approved wireless devices are not connected to their network.
Hosting/service providers shall require multi-factor authentication for remote access to their network.
Hosting/service providers shall encrypt all remote access connections to their network using 3DES, AES, or SSL 128-bit or greater algorithms.
Hosting/service providers' cyber security management practices shall meet the requirements in PGN's Cyber Security Policy.
Hosting/service providers shall support single sign-on for PGN users using standard and secure methods.
Hosting/service providers shall support standard directory federation technologies.


Hosting/service providers shall conduct criminal background checks on all employees that go back seven years or to the date of the eighteenth birthday, whichever is less.
Risks of using international hosting/service providers shall be mitigated.
Hosting/service providers shall mitigate risks of system outages, power outages, disasters, and failures.
Hosting/service providers shall use carriers who specialize in transporting confidential data when physically shipping data/media.
Hosting/service providers shall have a formal chain-of-custody process for the physical movement of data/media.
Hosting/service providers shall place all physical media in locked containers before it leaves the data center.
Hosting/service providers shall track data containers individually through the shipping process.
Hosting/service providers shall ensure all data containers are signed for upon delivery.
Hosting/service providers shall have a formal process to identify data container delivery recipients.
Hosting/service providers shall reconcile shipping/tracking information against records from the backup/archive application at least monthly.
Hosting/service providers shall have a formal process to investigate and notify PGN about lost or missing data.
Hosting/service providers shall encrypt all physical media before shipping it.
Hosting/service providers shall have a formal process for sanitizing and securely wiping physical media.

Interoperability & Cyber Security Standards Compliance
The solution shall comply with ISO 17799/27002 - Code of practice for information security management.
The solution shall comply with NERC CIP 002-009.


The solution shall comply with NIST Special Publication (SP) 800-53 and NIST SP 800-82 - Cyber security standards and guidelines for federal information systems, including those for the bulk power system.
The solution shall comply with NIST IR 7628 - Smart Grid Cyber Security Strategy & Requirements.
The solution shall comply with AMI-SEC System Security Requirements - Advanced metering infrastructure (AMI) and Smart Grid end-to-end security.
The solution shall comply with SG-AMI 1-2009 - NEMA Meter Upgradability Standard.
The solution shall comply with NIST 800-95 - Guide to Secure Web Services.
The solution shall comply with ANSI/ISA-99.02.01-2009 - Security for Industrial Automation and Control Systems Standard.
The solution shall comply with IEEE-1686 - IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities.
The solution shall comply with IEC 62351 Parts 1-8 - Defines information security for power system control operations.
The solution shall comply with ISA SP99 - Explains the process for establishing an industrial automation and control systems security program through risk analysis, establishing awareness and countermeasures, and monitoring and improving an organization's cyber security management system.
The solution shall comply with NIST FIPS 140-2 - U.S. government computer security standard used to accredit cryptographic modules.
The solution shall comply with OASIS WS-Security and the OASIS suite of security standards - Toolkit for building secure, distributed applications and applying a wide range of security technologies.
The solution shall comply with IEC TC 57 Common Information Model (CIM).
The solution shall comply with ANSI C12.19 DNP3.
The solution shall comply with IEC 61850 - International standard for communication in substations.


The solution shall comply with IEC 61968 - Standards for information exchanges between electrical distribution systems.
The solution shall comply with IEEE-1613 - Standard Environmental and Testing Requirements for Communications Devices in Electric Power Substations.
The solution shall comply with IEEE 1547 - Physical and electrical interconnections between utility and distributed generation (DG).
The solution shall comply with FCC Part 68 - Governs the direct connection of Terminal Equipment (TE) to the Public Switched Telephone Network (PSTN), and to wireline carrier-owned facilities used to provide private line services.
The solution shall comply with IEC 61000-4 - Electromagnetic Compatibility (EMC) Testing and Measurement Techniques for use in residential, commercial and industrial environments.
The solution shall comply with IEC 60068 - Environmental testing standards.
The solution shall comply with RFC 1878 - Variable length subnet table for IPv4.
The solution shall comply with RFC 2131 - Dynamic Host Configuration Protocol.
The solution shall comply with RFC 1723 - RIP Version 2.
The solution shall comply with IETF RFC 2474 - Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers.
The solution shall comply with IETF RFC 2475 - An Architecture for Differentiated Services.
The solution shall comply with IETF RFC 2597 - Assured Forwarding PHB Group.
The solution shall comply with IETF RFC 3140 - Per Hop Behavior Identification Codes.
The solution shall comply with IETF RFC 3246 - An Expedited Forwarding PHB (Per-Hop Behavior).
The solution shall comply with ANSI/ASHRAE 135-2008/ISO 16484-5 BACnet - A Data Communication Protocol for Building Automation and Control Networks.
The solution shall comply with ANSI C12.1 - Performance and safety type tests for revenue meters.


The solution shall comply with ANSI C12.18/IEEE P1701/MC1218 - Protocol and optical interface for measurement devices.
The solution shall comply with ANSI C12.19/MC1219 - Revenue metering End Device Tables.
The solution shall comply with ANSI C12.20 - Revenue metering accuracy specification and type tests.
The solution shall comply with ANSI C12.21/IEEE P1702/MC1221 - Transport of measurement device data over telephone networks.
The solution shall comply with ANSI/CEA 709 and CEA 852.1 LON Protocol Suite - Local area networking protocol for various applications including electric meters, street lighting, home automation and building automation.
The solution shall comply with IEC 60870-6 / TASE.2 - Defines messages sent between control centers of different utilities.
The solution shall comply with IEEE C37.118 - Defines phasor measurement unit (PMU) performance specifications and communications.
The solution shall comply with IEEE 1588 - Standard for time management and clock synchronization across the Smart Grid for equipment needing consistent time management.
The solution shall comply with IETF RFC 2460 - IPv6.
The solution shall comply with IETF RFC 791 - IPv4.
The solution shall comply with Core Protocol in the Internet Suite, draft-baker-ietf-core-04.
The solution shall comply with MultiSpeak - A specification for application software integration within the utility operations domain.
The solution shall comply with OpenADR - The specification defines messages exchanged between utilities and commercial/industrial customers for price-responsive and direct load control.
The solution shall comply with OPC-UA Industrial - A platform-independent specification for a secure, reliable, high-speed data exchange based on a publish/subscribe mechanism.
The solution shall comply with Open Geospatial Consortium Geography Markup Language (GML) - A standard for exchange of location-based information addressing geographic data requirements for many Smart Grid applications.


The solution shall comply with ZigBee/HomePlug Smart Energy Profile 2.0 - Home Area Network (HAN) Device Communications and Information Model.
The solution shall comply with OpenHAN - A specification for home area network (HAN) devices to connect to the utility advanced metering system, including device communication, measurement, and control.
The solution shall comply with AEIC Guidelines v2.0 - A guideline comprising a framework and testing criteria for vendors and utilities who desire to implement standards-based AMI (StandardAMI) as the choice for Advanced Metering Infrastructure (AMI) solutions.
The solution shall comply with W3C Suite - Web Architecture & Security Standards.

Physical Security
The solution shall provide end-to-end physical security for all components.
All physical enclosures shall include a physical door contact alarm sensor.
All physical door contact alarm sensors and wiring shall not be accessible from the outside of the enclosure.
At least one device in each enclosure shall be capable of accepting door contact alarm inputs.
Devices that accept door contact alarm inputs shall forward related alarm signals to a head-end system.
Devices that accept door contact alarm inputs shall forward related alarm signals using the DNP3.0 protocol.
All physical enclosures shall securely terminate conduit for all cabling entering the enclosure.
Conduit termination hardware such as clamps, screws, fasteners, etc. shall not be accessible from outside the enclosure.


FROM THE SUPPLY CHAIN RISK LEADERSHIP COUNCIL: Appendix 1

FROM THE SUPPLY CHAIN RISK LEADERSHIP COUNCIL

Appendix 1: Sample Contract Terms and Conditions for Supply-Chain Security

Your company should ensure that proper contractual terms and conditions are in place requiring your suppliers and logistics partners to comply with proper supply chain security procedures as follows:

SAMPLE SUPPLIER Terms and Conditions

For those Goods ordered by Buyer from Seller that are shipped directly to Buyer, Seller agrees to comply with the following supply chain security requirements from the Point of Origin as provided below. The Point of Origin is the site where such Goods are assembled, manufactured, packaged and shipped. Seller shall include this provision with applicable Subcontractors. For purposes of this provision, Subcontractors shall be defined as those sub-tier manufacturers or suppliers from which the shipment of Goods is shipped directly from said manufacturers' or suppliers' facilities to Buyer, and those suppliers engaged in packaging or transport of Buyer shipments (including but not limited to freight forwarders, 3rd party logistics companies, packagers). Seller shall be responsible to Buyer for any breach of such requirement by its Subcontractors.

A. Supplier will maintain adequate security controls and procedures as further described in this Section 6.l.A.
  a. Seller Subcontractor Selection Process: Seller shall have documented processes for the selection of its Subcontractors. The process shall ensure that such Subcontractors maintain adequate security controls and procedures.
  b. Physical Security: Facilities must be protected against unauthorized access, including but not limited to cargo handling and storage facilities, which shall have physical security deterrents.
    i. All entry and exit points for vehicles and personnel shall be controlled.
    ii. Secure all external and internal windows, gates, and doors through which unauthorized personnel could access the facility or cargo storage areas with locking devices.
    iii. Provide adequate lighting inside and outside facilities to prevent unauthorized access.


  c. Access Controls: Prevent unauthorized entry into facilities using access controls, which may include but are not limited to badge readers, locks, key cards, or guards.
    i. Positively identify all persons at all points of entry to facilities.
    ii. Maintain adequate controls for the issuance and removal of employee, visitor and vendor identification badges, if utilized.
    iii. Upon arrival, photo identification shall be required for all non-employee visitors.
  d. Personnel Security and Verification: Screen prospective employees consistent with local regulations. Verify employment application information prior to employment.
  e. Ocean Container and Truck Trailer Security: Maintain container and trailer security to protect against the introduction of unauthorized material and/or persons into shipments. In the event containers are stuffed, inspections shall be made of all ocean containers or truck trailers prior to stuffing, including but not limited to the inspection of the reliability of the locking mechanisms of all doors.
    i. Ocean Container and Truck Trailer Seals: Properly seal and secure shipping containers and trailers at the point of stuffing. Affix a high security seal to all access doors on truck trailers and ocean containers bound for the U.S. Such seals must meet or exceed the current PAS ISO 17712 standard for high security seals.
    ii. Ocean Container and Truck Trailer Storage: Empty or stuffed ocean containers and truck trailers must be stored in a secure area to prevent unauthorized access and/or manipulation.
  f. Information Technology (IT) Security: Maintain IT security measures to ensure all automated systems are protected from unauthorized access.
    i. Use individually assigned accounts that require a periodic change of password for all automated systems.
    ii. Maintain a system to identify the abuse of IT resources, including but not limited to improper access, tampering or altering of business data, and discipline violators.
  g. Procedural Security: Maintain, document, implement and communicate the following security procedures to ensure the security measures in this clause are followed; these must include:
    i. Procedures for the issuance, removal and changing of access devices.
    ii. Procedures to identify and challenge unauthorized or unidentified persons.
    iii. Procedures to remove identification, facility, and system access for terminated employees.


    iv. Procedures for IT security and standards.
    v. Procedures to verify application information for potential employees.
    vi. Procedures for employees to report security incidents and/or suspicious behavior.
    vii. Procedures for the inspection of ocean containers or truck trailers prior to stuffing.
    viii. Procedures to control, manage, and record the issuance and use of high security bolt seals for ocean containers and truck trailers. Such procedures must stipulate how seals are to be controlled and affixed to loaded containers and shall include procedures for recognizing and reporting compromised seals or containers to Customs or the appropriate authority and Buyer.
B. Upon request, complete a Supply Chain Security Self-Assessment Questionnaire.
C. Seller and its Subcontractors shall be subject to periodic site visits by Buyer during normal operating hours, to confirm compliance with the terms contained within this clause.
D. Maintain procedures for employees to report security incidents and/or suspicious behavior. Immediately notify Buyer of any actual or suspected breach of security involving Buyer's cargo.


FROM THE SUPPLY CHAIN RISK LEADERSHIP COUNCIL: Appendix 2

FROM THE SUPPLY CHAIN RISK LEADERSHIP COUNCIL

Appendix 2: Sample Supply-Chain Security Contract Language for International and Third-Party Logistics Service Providers
For those Goods which are distributed, handled, warehoused, transported or shipped by Service Provider to (your company), Service Provider agrees to comply with the provisions of this section. For purposes of this section, 3PL includes Service Providers and means any outsourced Service Provider that provides services (e.g. distribution, handling, warehousing, transportation or shipping) for (your company) shipments. Service Provider shall ensure that Subcontractors comply with the terms of this section and shall include these terms and conditions in any Subcontractor contracts. For purposes of this section, Subcontractors shall be defined as those sub-tier service providers of Service Provider which are involved in the distribution, handling, warehousing, transportation and shipping of (your company) shipments (including but not limited to freight forwarders, 3rd party logistics companies, packagers, local trucking/transport companies). Service Provider shall be responsible for any breach of this section by its Subcontractors.

A. Supply Chain Security Compliance: Service Provider must ensure that all Service Provider and applicable Subcontractor facilities involved in the distribution, handling, warehousing, transporting or shipping of (your company) goods meet all security standards documented below and all applicable local regulations. Service Provider should maintain certification in an official supply chain security program (C-TPAT, AEO, etc.) and comply with those respective security standards throughout the period of this Agreement. Service Provider's loss of certification, failure to sustain appropriate security standards, or breach of this section will be grounds for termination of this Agreement.

B. Supply Chain Security Program Status: Prior to execution of this Agreement, Service Provider will send a letter verifying its supply chain security certification in any official program it participates in. Service Provider will immediately notify (your company) of any change to its certification status. If not certified, Service Provider must complete a Security Questionnaire to confirm that its procedures and security measures comply with minimum supply chain security criteria. Service Provider will send copies of the aforementioned Security Questionnaire to (your company).


C. C-TPAT Certification: Service Provider agrees to use certified Subcontractors to the extent available. In the absence of a certified Subcontractor, Service Provider may use companies (including local cartage companies) that have agreed in writing to follow these supply chain security guidelines and will promptly notify (your company) of such usage. If no certified transport and handling providers or companies that have agreed to follow these security guidelines are available to move (your company) shipments, Service Provider will contact (your company) immediately for direction.

D. Service Provider will maintain adequate security controls and procedures as further described in this section.
  1. Supply Chain Security Program: Service Providers are encouraged to participate in, and will advise (your company) of their participation in, national supply chain security programs including, but not limited to, Partners in Protection (PIP) and Authorized Economic Operator (AEO), and shall list the countries and extent of participation. Service Provider shall provide prompt notice of any changes to its supply chain security program status.
  2. Service Provider Subcontractor Selection Process: Service Provider shall have documented processes for the selection of its Subcontractors. The process shall ensure that such Subcontractors maintain adequate security controls and procedures.
  3. Physical Security: Facilities must be protected against unauthorized access, including but not limited to cargo handling and storage facilities, which shall have physical security deterrents.
    a. All entry and exit points for vehicles and personnel shall be controlled.
    b. Secure all external and internal windows, gates, and doors through which unauthorized personnel could access the facility or cargo storage areas with locking devices.
    c. Provide adequate lighting inside and outside facilities to prevent unauthorized access.
  4. Access Controls: Prevent unauthorized entry into facilities using access controls, which may include but are not limited to badge readers, locks, key cards, or guards.
    a. Positively identify all persons at all points of entry to facilities.
    b. Maintain adequate controls for the issuance and removal of employee, visitor and vendor identification badges, if utilized.
    c. Upon arrival, photo identification shall be required for all non-employee visitors.
  5. Personnel Security and Verification: Screen prospective employees consistent with local regulations. Verify employment application information prior to employment.
  6. Ocean Container and Truck Trailer Security: Maintain container and trailer security to protect against the introduction of unauthorized material and/or persons into shipments. In the event containers are stuffed, inspections shall be made of all ocean containers or truck trailers prior to stuffing, including but not limited to the inspection of the reliability of the locking mechanisms of all doors.


   a. Ocean Container and Truck Trailer Seals: Properly seal and secure shipping containers and trailers at the point of stuffing. Affix a high security seal to all access doors on truck trailers and ocean containers. Such seals must meet or exceed the current PAS ISO 17712 standard for high security seals.
   b. Ocean Container and Truck Trailer Storage: Empty or stuffed ocean containers and truck trailers must be stored in a secure area to prevent unauthorized access and/or manipulation.
7. Information Technology (IT) Security: Maintain IT security measures to ensure all automated systems are protected from unauthorized access.
   a. Use individually assigned accounts that require a periodic change of password for all automated systems.
   b. Maintain a system to identify the abuse of IT resources, including but not limited to improper access, tampering or altering of business data, and discipline violators.
8. Procedural Security: Maintain, document, implement and communicate the following security procedures to ensure the security measures in this clause are followed. They must include:
   a. Procedures for the issuance, removal and changing of access devices.
   b. Procedures to identify and challenge unauthorized or unidentified persons.
   c. Procedures to remove identification, facility, and system access for terminated employees.
   d. Procedures for IT security and standards.
   e. Procedures to verify application information for potential employees.
   f. Procedures for employees to report security incidents and/or suspicious behavior.
   g. Procedures for the inspection of ocean containers or truck trailers prior to stuffing.
   h. Procedures to control, manage and record the issuance and use of high security bolt seals for ocean containers and truck trailers. Such procedures must stipulate how seals are to be controlled and affixed to loaded containers, and shall include procedures for recognizing compromised seals or containers and reporting them to Customs or the appropriate authority and to (your company).
9. Security Awareness Program: Service Provider will implement a Security Awareness Program and provide it to its employees, covering awareness and understanding of the supply chain security program, recognizing internal conspiracies, maintaining cargo integrity, and determining and addressing unauthorized access. The Security Awareness Program should encourage active employee participation in security controls. Service Provider shall ensure that key personnel receive regular training, no less than once per year, on security procedures and requirements. Service Provider shall submit evidence of such Security Awareness training upon request.
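Item 8.h requires the service provider to control, record and reconcile bolt seals and to recognize compromised ones. The following Python seal register is an added example, not part of this template or of the Supply Chain Risk Leadership Council's material; it shows the record-keeping those procedures imply. It enforces the sequence in_stock -> issued -> affixed -> verified and raises a finding for every deviation: a seal number that is not in the register, a seal affixed without being signed out or reused after verification, a destination seal that does not match the one recorded at stuffing, and seals signed out but never affixed. Seal numbers, container numbers and employee names are constructed for the scenario.

```python
# Added example: a seal register for high-security bolt seals that records
# issue -> affix -> verify and flags every discrepancy for reporting.
# Seal numbers, container numbers and names below are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Seal:
    seal_id: str
    status: str = "in_stock"          # in_stock -> issued -> affixed -> verified / compromised
    issued_to: Optional[str] = None   # employee who signed the seal out
    container: Optional[str] = None   # container or trailer it was affixed to


class SealRegister:
    """Tracks every seal from receipt to destination check; each deviation is a finding."""

    def __init__(self) -> None:
        self.seals: Dict[str, Seal] = {}
        self.by_container: Dict[str, str] = {}   # container -> seal currently affixed
        self.findings: List[str] = []

    def _flag(self, msg: str) -> str:
        self.findings.append(msg)
        return msg

    def receive(self, seal_ids: Iterable[str]) -> None:
        """Log seals into stock as they arrive; duplicate numbers are a finding."""
        for sid in seal_ids:
            if sid in self.seals:
                self._flag(f"{sid}: duplicate seal number received")
            else:
                self.seals[sid] = Seal(sid)

    def issue(self, seal_id: str, employee: str) -> Optional[str]:
        """Sign a seal out to a named employee; only in-stock seals may be issued."""
        s = self.seals.get(seal_id)
        if s is None:
            return self._flag(f"{seal_id}: issued seal not in register")
        if s.status != "in_stock":
            return self._flag(f"{seal_id}: issue refused, seal already {s.status}")
        s.status, s.issued_to = "issued", employee
        return None

    def affix(self, seal_id: str, container: str) -> Optional[str]:
        """Record a seal applied to a loaded container; it must have been issued first."""
        s = self.seals.get(seal_id)
        if s is None:
            return self._flag(f"{seal_id}: unknown seal affixed to {container}")
        if s.status != "issued":
            return self._flag(f"{seal_id}: affixed while {s.status} (possible reuse)")
        if container in self.by_container:
            return self._flag(f"{container}: already sealed with {self.by_container[container]}")
        s.status, s.container = "affixed", container
        self.by_container[container] = seal_id
        return None

    def verify(self, container: str, observed_seal: str) -> Optional[str]:
        """Compare the seal read at destination with the seal recorded at stuffing."""
        expected = self.by_container.get(container)
        if expected is None:
            return self._flag(f"{container}: no seal on record")
        if observed_seal != expected:
            self.seals[expected].status = "compromised"
            return self._flag(f"{container}: seal mismatch, expected {expected}, found {observed_seal}")
        self.seals[expected].status = "verified"
        return None

    def unaccounted(self) -> List[str]:
        """Seals signed out but never affixed: the gap a periodic reconciliation must close."""
        return sorted(s.seal_id for s in self.seals.values() if s.status == "issued")


def run_scenario() -> SealRegister:
    """Constructed scenario: one clean shipment, one swapped seal, one orphan seal, one reuse."""
    reg = SealRegister()
    reg.receive(["HS-1001", "HS-1002", "HS-1003"])
    reg.issue("HS-1001", "A. Smith")
    reg.affix("HS-1001", "MSCU1234567")
    reg.verify("MSCU1234567", "HS-1001")          # clean: recorded and observed seal agree

    reg.issue("HS-1002", "B. Jones")
    reg.affix("HS-1002", "TRLR-77")
    reg.verify("TRLR-77", "HS-9999")              # seal swapped in transit -> compromised

    reg.issue("HS-1003", "C. Lee")                # signed out, never affixed -> unaccounted
    reg.affix("HS-1001", "TRLR-78")               # attempt to reuse an already verified seal
    return reg


if __name__ == "__main__":
    r = run_scenario()
    for f in r.findings:
        print("REPORT:", f)
    print("unaccounted:", r.unaccounted())
```

Each finding is what the procedure says must be reported to Customs or the appropriate authority and to the customer; the unaccounted list is what a stock count of the seal safe should be reconciled against.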


E. Questionnaire: Service Provider will, upon request, complete a Supply Chain Security Questionnaire provided to Service Provider by (your company).
F. Detailed Mapping: Service Provider will, upon request, promptly provide a detailed mapping of planned routings and any Subcontractors involved in the transport of (your company) shipments.
G. Site Visits: Service Provider and its subcontractors shall be subject to periodic site visits during normal operating hours to confirm compliance with supply chain security standards.
H. Breach of Security: Service Provider and its subcontractors shall immediately notify (your company) of any actual or suspected breach of security involving (your company) cargo. This may include cargo theft, tampering, unauthorized access, or other activities that involve suspicious actions or circumstances related to (your company) cargo.


FROM THE SUPPLY CHAIN RISK LEADERSHIP COUNCIL

Appendix 3: Sample Supply Chain Security Self-Assessment Questionnaire for Suppliers or Other Supply-Chain Partners
Instructions: On questions which require a yes or no answer, please circle yes or no, and then describe your answer in the space provided. If desired, you may attach copies of documents that support your descriptions.

General Information
Contact Name:
Company Name:
Primary Location/Address:
  Street:
  City, State/Province, Postal Code:
  Country:
  Phone:
If you have multiple locations from which you ship to (your company), please list additional sites:

Please list your company contacts for Security and Transportation below.
Contact for Security:
  Name:
  Title:
  Phone Number:
  Email address:
Contact for Transportation:
  Name:
  Title:
  Phone Number:
  Email address:
Type of products produced for (your company) at your facility:


Physical Security
1. Does your facility utilize security guards? Yes No

1a. If yes, describe how they are positioned and the hours and areas of coverage they provide within your facility.
Additional Comments:
2. Is your facility fully enclosed by perimeter fencing or walls? Yes No
2a. If yes, please describe the type of materials used and the height.
Additional Comments:
3. Does your facility utilize security cameras for monitoring perimeters, entries and exits, loading bays, or other areas? Yes No
3a. If yes, describe the coverage provided and who monitors them.
Additional Comments:
4. Does your facility have locks on doors, windows and gates? Yes No
Additional Comments:

5. Are the locks kept locked at all times to prevent unauthorized personnel from entering? Yes No
5a. If no, please explain why.
Additional Comments:
6. Do you have bars, screens, or other materials over the windows? Yes No
6a. If yes, please describe what materials are used.
Additional Comments:
7. Do you have an alarm intrusion system? Yes No
7a. If yes, please describe who monitors the alarm and where the alarm sensors are located.
Additional Comments:
8. Is your facility exterior lighted/illuminated at night? Yes No
8a. If yes, please describe what areas are illuminated.
Additional Comments:

9. Is the shipping/receiving area secure at all times to prevent access by unauthorized personnel? Yes No

9a. If yes, please describe what physical barriers are used and which personnel are allowed access.
Additional Comments:
10. Are outgoing shipments stored in a separate area that is secure and prevents unauthorized access? Yes No

10a. If yes, describe where the shipments are stored and who has access to them.
Additional Comments:
Please describe any aspects of physical security at your facility that you feel were not addressed above.


Access Control
1. Do you use an employee badge system for entry and monitoring onsite activities? Yes No

1a. If yes, describe the badge system (electronic, color coded, how many badges are needed to gain access, etc.)

1b. If no, but you use another method to identify and track employees, please describe.
Additional Comments:
2. Do you have access controls in place at entry points to your facility? Yes No

2a. If yes, describe what access controls are used at each point of access into your facility.
Additional Comments:
3. Is vehicle access into your facility controlled? Yes No

3a. If yes, describe how vehicle access is controlled and what vehicles are allowed access.
Additional Comments:
4. Are vehicles and drivers screened or inspected prior to entry to your facility? Yes No

4a. If yes, describe the method of screening (driver ID checks, vehicle inspections, etc.).
Additional Comments:

5. Do you identify, record, and track all visitors? Yes No

5a. If yes, what method is used and how are the records kept?
Additional Comments:
Please explain any access controls at your facilities that you feel were not addressed above.


Personnel Security
1. Are employee work history background checks completed prior to hiring? Yes No

1a. If yes, describe to what extent the background check is completed.
1b. If no, state whether a local law prohibits this.
Additional Comments:
2. Are employee criminal background checks completed prior to hiring? Yes No

2a. If yes, describe to what extent the background check is completed.
2b. If no, state whether a local law prohibits this.
Additional Comments:
3. Are non-employee contractors allowed routine access into your facility (janitorial service, delivery drivers, food vendors, etc.)? Yes No

3a. If yes, are employment and criminal background checks completed prior to access being allowed? Yes No
3b. Is access restricted so that these workers may only enter the facilities they need to be in? Yes No
3c. Are these workers restricted from accessing the shipping and receiving areas? Yes No
3d. Are these workers required to wear identification badges? Yes No

Please explain any personnel controls at your facilities that you feel were not addressed above.


Procedural Security
1. Is there a Security Manager and staff? Yes No

1a. If yes, what is the person's name and how many staff are working security?
Additional Comments:
2. Are physical security procedures documented? Yes No
2a. Are access control security procedures documented? Yes No
2b. Are IT security procedures documented? Yes No
2c. Are personnel security procedures documented? Yes No
2d. Are education/training of security procedures documented? Yes No
Additional Comments:
3. Are there procedures for employees reporting security problems and addressing the situation? Yes No
Additional Comments:
4. Are there procedures for marking, counting and weighing outgoing shipments? Yes No
Additional Comments:

5. Are there procedures for documenting outgoing shipments? Yes No
Additional Comments:
6. Are there procedures for storing and identifying incoming and outgoing shipments? Yes No
Additional Comments:
7. Are there procedures in place for storing shipment documentation (packing list, commercial invoice, etc.)? Yes No
Additional Comments:
8. Are procedures in place for securing outgoing shipments against intrusion? Yes No
Additional Comments:
9. Does a 3rd party physically pack these shipments? Yes No
9a. If yes, are security procedures flowed down to the packers? Yes No
Additional Comments:
If ocean and/or truck trailer containers are used, please answer questions 10 - 12. If not, skip to question 13.

10. Are containers examined prior to loading to ensure no explosives or other contraband are present? Yes No
10a. If yes, describe the process.
Additional Comments:
11. Describe how ocean containers (full and/or empty) are stored.
Additional Comments:
12. Are high security bolt seals used on ALL ocean/truck trailer container entry doors? Yes No

12a. If yes, how are bolt seals controlled? (e.g., storage and procedures to assure no fraudulent use)
Additional Comments:
13. What security considerations have been established for selecting and screening carriers that provide transportation services for outgoing shipments?

Additional Comments:
14. Are there procedures for reporting problems/delays in the movement of cargo? Yes No
14a. If yes, describe the process.
Additional Comments:

15. Describe the materials used for packing products that are being sent to (your company) (e.g., cardboard box, container, etc.).
15a. Are tamper evident materials used?
Additional Comments:
Please explain any procedural controls at your facilities that you feel were not addressed above.


Education and Training


1. Does your company provide a security awareness program related to protecting product integrity and facility security? Yes No

1a. If yes, please describe what is covered in this training and awareness program.

1b. If yes, how often are employees required to take this training and awareness program?
Additional Comments:
2. Is your company certified in a supply chain security or known shipper/consignor program (e.g., AEO, PIP, etc.)? Yes No

2a. If yes, indicate which program you are certified in, when the certification was obtained, and who provided it.
Additional Comments:
3. Do you require cargo integrity training for employees in the shipping and receiving areas and for those opening mail? Yes No
3a. If yes, how often is this training required?
Additional Comments:
4. Do you require education on recognizing internal conspiracies and protecting access controls for all employees? Yes No
4a. If yes, how often is this training required?
Additional Comments:
