The rapid evolution of technology and outsourced manufacturing has created new opportunities, as well as new challenges and risks. Organizations today are under increased pressure to improve product designs as well as manufacturability and sustainability while reducing costs and development schedules. These initiatives are taking place in a competitive environment where products are more complex, new technology is introduced at a faster rate and critical suppliers are facing a severe economic climate.
Information and Communications Technology (ICT) relies on a complex, globally distributed, and interconnected supply chain ecosystem that is long, has geographically diverse routes, and consists of multiple tiers of outsourcing. This ecosystem is composed of public and private sector entities (e.g., acquirers, system integrators, suppliers, and external service providers) and technology, law, policy, procedures, and practices that interact to design, manufacture, distribute, deploy, and use ICT products and services.
Commercially available ICT solutions present significant benefits including low cost, interoperability, rapid innovation, a variety of product features, and choice among competing vendors. However, the same globalization and other factors that allow for such benefits also increase the risk of a threat event which can directly or indirectly affect the ICT supply chain, often undetected, and in a manner that may result in risks to the end user.
In 2016, according to an article on CNN, Samsung’s Galaxy Note 7 battery issues caused not only explosions and recalls, but also created public relations challenges for the company. Revealingly, Underwriters Laboratories concluded that both design and manufacturing issues contributed to the battery problems—with design issues linked to two key supply chain partners.
The expansion of the global economy, increased use of outsourcing, and development of open standards are some of the modern day factors that present new challenges to the security of government systems. These factors have resulted in emerging threats and have made protection of the supply chain increasingly difficult. With globalization, the main hardware risk comes through offshore contractors and suppliers. The widespread acceptance of globalization makes it harder to be certain of the integrity of your hardware supply chain.
DOD manages about 4.9 million secondary inventory items, such as spare parts, with a reported value of $92.9 billion as of September 2017. As technology has continually evolved from hardware to software, it has introduced new aspects of supply chain management. While software innovation offers new capabilities, it also brings vulnerabilities that are more easily exploited than with hardware. What’s more, as software attack vectors become more sophisticated, they are also likely to be adapted to hardware. The installed hardware base is large, and therefore attractive to bad actors.
The defense industry “is very tiered,” said Mike Gordon, Lockheed’s deputy CISO and chairman of the Defense Industrial Base Sector Coordinating Council, Fifth Domain reports. The DOD does not always have direct contracts with its Tier-1 suppliers’ suppliers, which often don’t want to share information with each other, he added, so “Tier 1 doesn’t necessarily know who in Tier 4 is working on a particular program, and the government does not necessarily know that either.”
Managing components and suppliers is more critical than ever as obsolescence, counterfeit, and non-compliance risks continue to grow. An effective product information management system will enable organizations to increase the pace of new product introductions, avoid costly production interruptions or product redesigns, and improve sustainability over extended service lives. For federal government agencies, where data security is paramount, vendors will encounter more stringent compliance requirements than in the private sector. The supply chain must be protected to ensure product quality, and to protect against the ever-evolving onslaught of cybersecurity threats.
Supply Chain Risk Management (SCRM) is a discipline that addresses the threats and vulnerabilities of commercially acquired information and communications technologies within and used by government information and weapon systems. Through SCRM, systems engineers can minimize the risk to systems and their components obtained from sources that are not trusted or identifiable as well as those that provide inferior material or parts.
The National Security Presidential Directive 54, Homeland Security Presidential Directive 23, and Defense Authorization Act 254 have made SCRM a national priority . In accordance, the Department of Defense (DoD), Department of Homeland Security, and other departments have begun to review and refine their SCRM practices and procedures. The goal of one of the Comprehensive National Cyber Initiatives (CNCI) is to provide the U.S. government with a robust toolset of supply chain assurance defense-in-breadth and defense-in-depth methods and techniques. The CNCI effort conducted a pilot program and produced a Key Practices Guide to provide systems engineers with key practices that can help manage supply chain risk.
The DOD’s supply chain management abilities have actually been on the GAO’s High Risk List since 1990. After the 2017 report, however, the DOD improved enough that supply chain management was taken off the list. “DOD made key improvements, such as reducing on-order excess inventory by about $600 million and addressing each of our high-risk criteria, resulting in demonstrable and sustained improvements,” the 2019 report says. Yet supply chain security for the smaller contractors remains a challenge. According to FCW, fewer than 60 percent of small and medium-sized defense contractors responding to a survey conducted by the National Defense Industrial Association had read the Defense Federal Acquisition Regulation Supplement, which provides minimum security standards. “Nearly half of those who did said they found it hard to understand,” FCW reports.
Supply Chain Threats and Risks
The DoD supply chain is a global network that provides material, services, and equipment to the Services. The steps of the acquisition process include: identifying a need, manufacturing, purchasing, delivery, distribution, maintenance, repair, sustainment, and disposition.
The Pentagon had released a report in Oct 2018, accusing China of seeking to undermine the US military’s industrial base. “China represents a significant and growing risk to the supply of materials and technologies deemed strategic and critical to US national security,” said a Pentagon report commissioned by Donald Trump. “China’s trade dominance and its willingness to use trade as a weapon of soft power increases the risks America’s manufacturing and defense industrial base faces in relying on a strategic competitor for critical goods, services, and commodities,” the report adds. The report found the US was susceptible to nearly 300 such vulnerabilities, from “dependencies on foreign manufacturers to looming labour shortages”, US trade adviser Peter Navarro wrote in the New York Times.
In general any product or components carry multiple risks. Lifecycle Risk- Like any product in the market, electronics components follow a lifecycle from introduction to decline. Components with a lifecycle risk are generally in the maturity phase of their lifecycle and could be moving towards decline or obsolescence. Inventory Risk: Inventory risk refers to the amount of stock currently available in the market, not what is reflected in your BOM. Environmental Risk: Environmental risk refers to whether or not your components comply with the latest environmental regulations and Multi-Sourcing Risk: If your components are only coming from a single source, there is a higher risk to your BOM if that source runs into issues.
In Oct 2020, National Security Agency warned that Chinese government hackers are taking aim at U.S. computer networks involved in national defense, characterizing the threat posed by Beijing as a critical priority in need of urgent attention. The NSA urged the Defense Department’s cyber officials and those within the defense industrial base to take action to guard against the intrusion by the Chinese. “These networks often undergo a full array of tactics and techniques used by Chinese state-sponsored cyber actors to exploit computer networks of interest that hold sensitive intellectual property, economic, political, and military information,” the Tuesday morning advisory warned. For a number of years, China’s theft of American military secrets has been a top national security issue. Concerns have continued to grow, and a recent internal audit concluded the problem was far more dire than officials had realized.
The major supply chain risks facing all federal agencies, according to a 2018 report by the Government Accountability Office, include:
- Harmful hardware or software, whether intentionally installed or counterfeit
- Failure to manufacture or distribute critical products, or disrupting manufacturing and distribution
- Reliance on malicious or unqualified service providers for technical services
- Hardware or software containing unintentional vulnerabilities, such as defective code
A comprehensive approach to SCRM addresses four classes of threats:
Intentional Threats. These are deliberate actions, intending to be malicious or to gain an unfair competitive advantage. Competitors may inject malware or viruses to undermine your product or to attack your end customer. Prohibited or pirated software may be used to keep production costs down. Black market or counterfeit components may also be used instead of OEM to cut costs and time to market.
Unintentional Threats. These are poor quality control practices or events beyond the vendor’s control. Enforcement of quality standards may be lax. Information with outside contractors may be unclear or incomplete. Human error around data security may make the supply chain vulnerable to future cyberattacks. Poor work conditions could disrupt network operations and throw the process into chaos.
Internal Threats. These may be either intentional or unintentional. Disgruntled or turncoat workers may undermine your production from the inside. The same is true of careless workers, through human error or lack of awareness of data security practices. Weak policies and procedures to control access and grant privileges for sensitive data.
External Threats. These deliberate, well-targeted threats come from outside your organization. Downstream supply chain partners may try to steal IP to disrupt production, often prompted by competitors. Individual hackers may find a vulnerability in your supply chain, which could lead to malware, phishing, fraud, extortion, ID theft, and more. You may even be exploited by state-sponsored actors on behalf of hostile governments.
With government agency purchases becoming more software-based, associated threats can be harder to recognize. This is particularly true of cloud-based software solutions, where communication channels are truly borderless and information can flow seamlessly from anywhere in the world.
Supply Chain Risk Management (SCRM)
Effective and efficient supply chain management is critical for (1) supporting the readiness and capabilities of the force and (2) helping to ensure that DOD avoids spending resources on unneeded inventory that could be better applied to other defense and national priorities. The supply chain management as including three segments—inventory management, asset visibility, and materiel distribution. DOD Supply Chain Management had been beset with problems like inventory management—because of inefficient and ineffective management practices leading to excess inventory, asset visibility and materiel distribution the weaknesses that were identified during operations in Iraq and Afghanistan, including backlogs of hundreds of pallets and containers at distribution points. In 2017, DOD made key improvements, such as reducing on-order excess inventory by about $600 million and addressing each of our high-risk criteria, resulting in demonstrable and sustained improvements.
The term “supply chain” has different meanings to commercial, government, and commercial entities. The military has extensive processes for structuring supplies (materiel management) to their units and organizations (refer to DoD 4140.1-R). Historically, the DoD has assessed the logistical tail of supply chain by focusing on the distribution and shipment of equipment, but this does not address the complete “chain.” To address the emerging threat, the “supply chain” analysis must address all parts and components of a system early in the program, including firmware and software. It must also analyze the impact of people, purchase of substitute parts, and automated processes (e.g., software patching) on the supply chain processes.
SCRM is defined as “a systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities and threats throughout DoD’s “supply chain” and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal)”, Supply Chain Risk Management (SCRM) is an important topic that all life cycle logistics professionals need to be cognizant of and actively engaged in.
The Risk is a Function of threat, vulnerability, and consequence, where threat depends on adversary motivation, capability and access; Vulnerability depends on how readily will a component compromise and cause; consequence measures how Serious is the impact onn System/Mission?
Therefore, an accurate SCRM assessment includes an evaluation of the origin of the materiel, how it is distributed, and the government decision-making process in the selection of the product. The requirement is ensure that the systems engineering process is applied to all components and parts of a system throughout their life cycle.
A systems engineer should be prepared to apply SCRM at any point of a system’s life; it is never too late nor too early in a system life for a systems engineer to incorporate the SCRM process. SCRM is currently being applied to materiel supply during the logistic phases, but a more effective systems engineering process should include addressing SCRM as early in the program as possible.
The DoD CNCI SCRM pilot program produced an implementation guide that offers detailed suggestions on how and when SCRM should be integrated into the life cycle of a system. This guide was developed to assist systems engineers and explains how these engineers can incorporate SCRM prior to design and throughout its life. A summary of some key steps identified in the guide that a MITRE systems engineer should understand include:
- Determine system criticality.
- Determine the supply chain threat.
- Select build versus buy.
- Select SCRM key practices and determine sufficiency.
- Understand the Risk Management Plan adopted by the government efforts they support.
- Understand the likelihood and the consequence of insufficient SCRM practices.
Systems engineers should ensure that acquisition, sustainment, disposal, and other program documentation are properly updated to include SCRM. At a minimum, the following kinds of documents should incorporate the SCRM process and findings: Program Protection Plan, Systems Engineering Plans/Procedures, and Life Cycle Management Plans. In addition, systems engineers should work closely with contracts and legal staff to verify that SCRM is included as part of the acquisition documentation, source selection criteria, and contractual clauses. The systems engineer should also ensure that the SCRM practices are included as part of the sustainment documentation, supplier selection criteria, purchasing clauses, incoming inspection, quality verification testing, acceptance for inventory, and disposal processes.
Trusted Defense Systems Strategy
DoD Instruction 5200.444, “Protection of Mission‐Critical Functions to Achieve Trusted Systems and Networks (TSN),” establishes policy to minimize the risk that DoD’s warfighting mission capability will be impaired because of vulnerabilities in system design or because of sabotage or subversion of a system’s mission‐critical functions or critical components by foreign intelligence, terrorists, or other hostile elements.
• Prioritization: Establish a repeatable analytical process for analyzing mission dependencies on systems; apply systems assurance.
– Focus security requirements on mission critical systems
– Within systems, identify and protect critical components, technology, information
• Comprehensive Program Protection Planning : Employ program protection planning to identify and protect CPI, including critical components within critical weapons systems and information networks; assess threats to CPI; and mitigate risk using the full range of cost-effective best practices, including SCRM key
practices and system security engineering.
– Early lifecycle identification of critical components
– Provide Program Managers with analysis of supply chain risk
– Protect critical components through trusted suppliers, or secure systems design
– Assure systems through advanced vulnerability detection, test and evaluation
• Partner with Industry: Collaborate with industry to protect the information environment supporting critical systems, use the Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) Program, and address risks related to global sourcing through various channels, including United States Munitions List (USML) supplier management
– Develop commercial standards for secure products
• Enhance capability through Research and Development: Invest in enhanced vulnerability detection research and development (e.g., DARPA TRUST in ICs
program, Center for Assured Software of the National Security Agency (NSA), and Air Force Application Software Assurance Center of Excellence (ASACoE)), and transition such analytical capabilities to support acquisition.
– Leverage and enhance vulnerability detection tools and capabilities
– Technology investment to advance secure software, hardware, and system design methods
DHS Creates ICT Supply Chain Risk Management Task Force
In Nov 2018, the U.S. Department of Homeland Security (DHS) announced that it is establishing the nation’s first Information and Communications Technology (ICT) Supply Chain Risk Management Task Force. This public/private partnership is tasked with creating recommendations to identify and manage risk in the global ICT supply chain. “The ICT Supply Chain Risk Management Task Force embodies the type of cross-sector, whole-of-government engagement that is critical to protecting our global digital economy,” said Robert Mayer, senior vice president for Cybersecurity at U.S. Telecom and co-chair of the task force. The collaboration will offer an “opportunity to identify practical, efficient, and forward-looking strategies and solutions to mitigate supply chain risks,” he added.
Both government and business entities are being attacked by a variety of cyber threats from foreign adversaries, hackers, and criminals. These bad actors pose a threat to electricity providers and other critical infrastructure such as wastewater facilities or manufacturing plants. All tiers of the supply chain, including contractors, sub-contractors, and suppliers, are being targeted by increasingly sophisticated threats.
“Threats to the nation’s IT and communications supply chain can severely impact our national security and nearly every facet of our economy,” said National Protection and Programs Directorate Undersecretary Christopher Krebs. “The nature of supply chain threats, because they can encompass a product’s entire life cycle and often involve hardware, make them particularly challenging to defend against. Government and industry have a shared interest and thus a shared responsibility in identifying and mitigating these threats in partnership. The Task Force will seek holistic solutions across a broad set of stakeholders to develop near-and long-term strategies to address supply chain risks.”
The group will create best-practice playbooks that will be useful to both government agencies and businesses. The task force will determine priorities, identify a scope of work, develop a plan of action, and establish milestones. “Executive Committee members agreed that the task force would begin by conducting an ecosystem analysis of existing industry and government supply chain initiatives to identify consensus best practices and concentrate efforts on critical gaps,” the announcement said.
“The work of the Information Communications Technology Supply Chain Task Force in developing playbooks for both government agencies and U.S. organizations to hammer out operational responses to security risks in the supply chain is critical,” said Matan Or-El, co-founder and CEO of Panorays. “As cybercriminals use sophisticated approaches to infiltrate the supply chain from product inception to end-of-lifecycle, all links in the chain must be secured in very different ways. Even after a playbook has been designed and implemented, online companies will have to continue to monitor the cybersecurity of all digital assets on a continuous basis, including all third-party vendors. This undertaking requires automation to review and alert on any possible holes in the security fabric so they can be quickly addressed.”
Big Contractors Boost Supply Chain Security Awareness
The DOD and its major contractors also recognize the need to deliver a clearer message about cybersecurity practices to smaller and nontraditional DOD suppliers (those who do not specialize in selling to the military and may lack the experience to meet tough DOD cybersecurity standards), increasing the amount of education around cyber policies. “A first step is communicating and spreading awareness to the supplier base that cybersecurity is both a national and economic security issue within the supply chain,” says John DeSimone, vice president of cybersecurity and special missions at Raytheon Intelligence, Information and Services.
Raytheon, which regularly assesses its suppliers for security issues, focuses on those at the greatest risk, “assessing their environment and providing recommendations for how to build an efficient, affordable and DOD-compliant security posture,” DeSimone says. In some cases, the company uses its own personnel to help suppliers develop better security, he adds. The DIB SCC is developing methods to assess a supplier’s ability to protect controlled unclassified information, as well as a model for assisting small and midsized suppliers develop and deploy cyber programs that protect CUI within the supply chain, Gordon says.
“The most significant challenge to small suppliers is that they have limited resources, thus the cost and complexity of deploying and maintaining cyber capabilities must be lowered,” he says. To address this challenge, the task force is exploring new detection capabilities for smaller companies, the selective use of cloud technologies to provide affordable cyber protection and selective implementation of digital rights management, Gordon says.
DRM embeds code in digital assets that prevents copying, specifies the time period within which the content can be accessed and limits the number of devices that can use the media. Technologies such as artificial intelligence and predictive analytics could also be employed in a spot-check strategy, since these technologies can perform risk assessments across the supply chain and flag the most critical suppliers and hot spots for review. “We need to ensure that our partners are establishing resiliency across their hardware and software systems,” says DeSimone. “Securing the DOD supply chain is a national security imperative that requires collaboration and partnership with the DOD, our suppliers and our competitors.”
BOM management and streamline product development
The convergence of mechanical, electrical, and software design in the “Internet of Things” (IoT) era is forcing multidisciplinary design cooperation. Getting high-quality products to market today requires consistent and clear collaboration among a wide range of systems and distributed product teams. Companies demand tighter control of their intellectual property (IP), which, for product companies, is encapsulated in the bill of materials (BOM). BOMs define everything necessary to manufacture products and comprise the core building blocks of the product record. However, BOMs are too often managed across multiple tools by different engineering disciplines and manufacturing teams. This fragmented view leads to disconnected development processes, which frequently result in product launch delays, quality issues, manufacturing mistakes, and costly scrap and rework to correct product issues.
Risk assessment can result in classifying risks, Low Risk: You can feel confident that your BOM is made up of quality components that can be used to create a great product for the foreseeable future; Medium Risk: Some of the components in your BOM may need to be reevaluated for crosses, but you can generally feel confident in the components that make up your product; High Risk: There are several risk factors for key components in your BOM and you should take action quickly. Unknown Risk: Currently, there is not enough information about the components in your BOM to give it a risk grade
As the Army moves to an enterprise resource planning (ERP) environment for sustainment systems, implementing industry best business practices is essential. One such practice is developing a standardized and integrated process to create, update, and syndicate bill of materials (BOM) data.
Sit down with your team and understand their needs and requirements throughout the entire product lifecycle. Be careful not to evaluate only one team’s needs in managing design. It is important that electrical, mechanical, and software design teams provide input to ensure buy-in and that all requirements are understood before a project begins. Product marketing, design and supply partners, quality, and operations should typically be represented in your cross-functional product development efforts. In addition, if you practice any “design for” efforts, such as design for manufacturing (DFM), your product teams will also include operations, service, and support. Change will happen throughout any product development lifecycle, and it’s imperative that cross-functional collaboration is the primary objective as the teams start creating, importing, sharing, changing, comparing, and approving items laid out in the BOM.
Because design and manufacturing teams use many different systems unique to their job roles, it’s important to have an agnostic approach to aggregate the entire product record into a single system for simplified collaboration. A centralized BOM provides better control, while streamlining connections between product information and people to accelerate development processes. Centralized control involves more than having a single system to store product information. It creates the necessary backbone for effective product development by helping connect all related product and process information. It helps with change processes (e.g., change requests, change orders, deviations) by linking key product record information. And it eliminates confusion by ensuring teams have a single place to create and change all aspects of the product design.
Effective collaboration across teams and partners is critical for every product company; however, achieving this goal can be challenging. Contract manufacturing partners (CMs) and their distributed supply chains must work in concert with the original product or design manufacturer (OEM or ODM) early and throughout the entire product lifecycle. To gain and retain a competitive advantage, everyone responsible for delivering any portion of the product must work off the same page. This means having a single, secure place for all things product related. A centrally controlled and complete product record (BOMs and all associated data) can be the difference between leading the market and going out of business.
It seems like common sense, but accessing and sharing product information securely between internal and external teams is a must. Many organizations still use outdated methods of collaboration that will not scale with highly dispersed teams. Access should be easy for users, quick to provision and administer, and secure. Product companies should begin from a restrictive model and then allow only specific access for external partners to the components of the BOM the partners need in order to source or build. This helps ensure integrity of the design and manufacturing process, as well as mitigates risk of compromise from being shared with too broad of an audience. Additionally, companies need to ensure audit trails are created whenever someone accesses the product record to eliminate “finger pointing” and increase accountability between internal and external teams.
While documented, formal communication is essential in the development and delivery of any product (we need to understand what we are doing, how we are doing it, and what the measure for success looks like), there are times when less formal and more flexible methods of collaboration are needed. The ability to provide input around items, assemblies, BOMs, and other product information outside formal change and product processes enhances product development, and ultimately accelerates NPI processes. Your processes should recognize and make informal product collaboration easy for the teams, but also within the overall context of the product record for future leverage in product efforts, traceability, and team continuity.
Complex product companies and their supply chain partners need to eliminate risks for sourcing market-available and environmentally compliant components. The ability to identify and source parts that meet compliance is critical to reduce product costs and get products delivered on time and on budget. Providing component lifecycle and compliance information to the right people throughout the supply chain is critical to ensure quality, reduce costs, and avoid unnecessary shipping delays.