- BlogInfoSec.com - https://www.bloginfosec.com -

Supply Chains at Risk

As I write this, a devastated Japan is still struggling to recover from the triple whammy of earthquake, tsunami, and potential nuclear power plant meltdown. We need to wait until more of the facts are known before examining whether contingency planning was as good as it might have been in the face of catastrophes of such magnitude. I do plan to return to the topic of catastrophe contingency planning at a later time but, in the interim, I point you to my chapter on “Responsibilities and Liabilities with Respect to Catastrophes” in the book Social and Organizational Liabilities in Information Security, edited by Manish Gupta and Raj Sharman (IGI Global, 2009), which, because it is the “Free Sample Chapter,” you can read at … http://www.igi-global.com/viewtitle.aspx?titleid=21331&sender=462d264d-7629-4504-a8c7-ef684703212c  As in the case of the BP Gulf oil spill, the Japanese government abdicated responsibility to the corporation owning the destroyed and destructive facilities, bringing to the fore the question of what roles public and private entities should play in responding to catastrophes that result from man-made structures.

Meanwhile, I would like to revisit supply chain integrity risks. To some degree, the topic is a reissue of outsourcing risk, which I examined in detail in my book Outsourcing Information Security (Artech House, 2004). However, attention to supply chains has increased as production is dispersed more broadly across the globe and as the complexity of software, products and services has grown. The issue has again reared its ugly head as a result of the Japanese mega-catastrophe. In a mere week, we see the impact in the U.S. (General Motors), Thailand (Honda), Taiwan (Advanced Semiconductor Engineering), and Sweden (Volvo), as described in the March 18, 2011 Wall Street Journal article “Crisis Tests Supply Chain’s Weak Links” by James Hookway and Aries Poon. More details on the plan to close GM’s Shreveport, Louisiana plant for at least a week are given in Nick Bunkley’s March 18, 2011 article “Lacking Parts, G.M. Will Close Plant” in The New York Times. The full impact of the supply chain woes is becoming increasingly apparent as each day goes by.

In my October 25, 2009 BlogInfoSec column “iSuppli You, You Supply Me, and the Twain Shall Meet,” I wrote: “It seems that either we have been very fortunate to date or we are overly worried about interdependencies. Or perhaps it is a little of each. We are continually pushing our luck and edging further out on the thin branch of unanticipated and unknown commonalities. How long will it be before the resiliency and flexibility of our technologies become brittle and break? What will it take to snap the branch?”

Well, it looks as though some of the branches snapped on 3-11.

I also wrote a paper on “Risks of Unrecognized Commonalities in Information Technology Supply Chains,” which appeared in the Proceedings of the 2010 IEEE International Conference – Technologies for Homeland Security. The conference took place November 8-10, 2010 in Boston, MA. In the paper I lament how little is known about the dependencies that exist within complex supply chains, particularly when common components are used across many diverse brands and products, and I argue that addressing this problem requires an information gathering and reporting system that identifies those commonalities, including the ones hidden a tier or two upstream of the direct supplier, and indicates where diversification is necessary.
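The kind of analysis such a reporting system would perform can be sketched in a few dozen lines. The following is an added example, not code from the original column or from the paper, and the products, components and suppliers in it are constructed sample data rather than real firms. It takes a bill of materials per product (component mapped to its tier-1 supplier) plus each tier-1 supplier’s own inputs (tier 2), and reports three things: components that many products share, components every product buys from a single source, and the “unrecognized commonality” case where two different tier-1 suppliers turn out to depend on the same tier-2 supplier. It also computes the blast radius of any one supplier going dark, which under just-in-time inventory is the set of lines that stop almost immediately.

```python
"""Commonality and single-source analysis across product bills of materials.

Illustrative code added to this column, not from the original page.
All product, component and supplier names below are constructed sample data.
BOMS:  product -> {component: tier-1 supplier}
TIER2: tier-1 supplier -> {input: tier-2 supplier}
"""
from collections import defaultdict

BOMS = {
    "Sedan":   {"engine-mcu": "FabA", "airflow-sensor": "SensB", "pigment": "PigC", "tire": "TireD"},
    "Truck":   {"engine-mcu": "FabA", "airflow-sensor": "SensE", "pigment": "PigC", "tire": "TireF"},
    "Scooter": {"engine-mcu": "FabA", "tire": "TireD"},
}

TIER2 = {
    "FabA":  {"wafer": "WaferY"},
    "SensB": {"mems-die": "WaferX"},   # both sensor vendors buy the same die
    "SensE": {"mems-die": "WaferX"},   # from one foundry: a hidden commonality
    "PigC":  {},
    "TireD": {"rubber": "RubberG"},
    "TireF": {"rubber": "RubberH"},
}


def component_usage(boms):
    """Invert the BOMs: component -> {product: tier-1 supplier}."""
    usage = defaultdict(dict)
    for product, parts in boms.items():
        for component, supplier in parts.items():
            usage[component][product] = supplier
    return dict(usage)


def commonalities(boms, min_products=2):
    """Components used by at least min_products products, with their supplier set."""
    out = {}
    for component, by_product in component_usage(boms).items():
        if len(by_product) >= min_products:
            out[component] = {
                "products": sorted(by_product),
                "suppliers": sorted(set(by_product.values())),
            }
    return out


def single_sourced(boms, min_products=2):
    """Common components that every product buys from one and the same supplier."""
    return sorted(c for c, info in commonalities(boms, min_products).items()
                  if len(info["suppliers"]) == 1)


def hidden_single_points(boms, tier2, min_products=2):
    """Common components that look diversified at tier 1 but whose tier-1
    suppliers all depend on the same tier-2 supplier.  Returns
    {component: [shared tier-2 suppliers]}."""
    hidden = {}
    for component, info in commonalities(boms, min_products).items():
        if len(info["suppliers"]) < 2:
            continue  # already caught by single_sourced()
        upstream = [set(tier2.get(s, {}).values()) for s in info["suppliers"]]
        shared = set.intersection(*upstream)
        if shared:
            hidden[component] = sorted(shared)
    return hidden


def blast_radius(boms, tier2, supplier):
    """Products whose production halts if `supplier` (tier 1 or tier 2) stops shipping."""
    hit = set()
    for product, parts in boms.items():
        for t1 in parts.values():
            if t1 == supplier or supplier in tier2.get(t1, {}).values():
                hit.add(product)
    return sorted(hit)


def diversification_report(boms, tier2):
    """Human-readable summary of where a second source is needed."""
    lines = []
    for c in single_sourced(boms):
        info = commonalities(boms)[c]
        lines.append(f"{c}: single source {info['suppliers'][0]} feeds {len(info['products'])} products")
    for c, t2 in hidden_single_points(boms, tier2).items():
        lines.append(f"{c}: tier-1 diversified but all suppliers depend on {', '.join(t2)}")
    return lines


if __name__ == "__main__":
    for line in diversification_report(BOMS, TIER2):
        print(line)
    for s in ("FabA", "WaferX", "TireD"):
        print(f"if {s} stops shipping, these lines halt: {blast_radius(BOMS, TIER2, s)}")
```

Note that the airflow sensor would pass a naive tier-1 check (two suppliers, two products) and only shows up once the suppliers’ own inputs are recorded, which is exactly the data that is usually missing. Real bills of materials run to thousands of parts and several tiers; the same inversion-and-intersection logic applies, the hard part is getting suppliers to disclose the upstream map.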

Another issue that needs addressing is the economic justification of just-in-time (JIT) inventory systems. The JIT approach is favored because it avoids carrying large inventories of parts that are expensive to store and may become obsolete, by having suppliers deliver only what is needed for immediate production. The downside, as we are seeing with Japan, is that a break in the supply chain halts production lines almost immediately. It might still turn out to be cheaper to use the just-in-time approach even after allowing for catastrophic events. However, I doubt that the analysis done to date has allowed for such eventualities. Perhaps what we need is a SIT system … somewhat in time … to give us a little more wiggle room when disaster strikes.