Supply Chain Security for the Electronics Industry
New Enemy Threat
Crista Souza
My-ESM
A delivery truck backs up to the loading dock of a distribution warehouse somewhere in the United States at its regular pickup time of 9:30 p.m. When the shipping bay opens, armed thugs jump out of the truck and force two dozen employees to the ground at gunpoint, then make off with close to $1 million worth of microprocessors.
Within hours, the truck rolls across the border into Mexico, where the stolen chips are sold into the black market. They eventually find their way onto computer boards that are shipped back into the United States to unsuspecting customers.
But what if, instead of being hijacked for gains, those stolen goods had been somehow transformed, like computer viruses, into weapons of mass destruction-aimed at sectors of the United States or other regions that rely on efficient operation of electronic equipment-and reintroduced into the supply chain?
That's the new threat. And in the wake of the 9/11 terrorist attacks, that's where industry, government and law enforcement have turned their attention.
"It used to be you wanted to track that an object left point A and got to point B. That's no longer sufficient," said Scott Horn, director of logistics engineering at electronics-manufacturing services provider Sanmina-SCI Inc. (San Jose, Calif.). "Now you have to make sure that it never gets tampered with. That chain of custody is what supply chain security is focusing on today."
While cargo theft is a global problem pegged at more than $50 billion annually by the International Maritime Bureau-high tech being one of the hardest-hit industries-an act of terrorism is seen as potentially far more devastating.
Consider this: According to the U.S. Census Bureau's Foreign Trade Statistics, China exported $38.5 billion worth of high-tech goods to the United States in the first 11 months of 2004, while the European Union exported $9.6 billion, Japan $13.6 billion and Malaysia $16 billion.
These are staggering figures, and some observers marvel that the industry has so far avoided incidents that could spread panic about the safety of parts used in, for instance, critical electronic equipment.
No known incidences of cargo tampering have been documented since the infamous terrorist attacks on New York and Washington just over three years ago. But considering the volume of product that crosses the borders each day, the potential is enormous. At the same time, heightened security measures could create an international customs logjam.
That's where security initiatives, such as Customs-Trade Partnership Against Terrorism (C-TPAT), come in. Administered by the U.S. Customs and Border Protection unit under the auspices of the Department of Homeland Security, C-TPAT gives preference to "trusted" importers-those that have met stringent certification requirements-freeing up customs officials to focus on suspect shipments.
It's not clear yet whether C-TPAT will be the panacea for solving supply chain snafus resulting from security concerns. But nobody is counting on it alone to do the job. Other programs being deployed include the Container Security Initiative, which prescreens U.S.-bound cargo before it leaves foreign ports that are deemed high risk, and the Free and Secure Trade initiative, which provides an "express lane" for C-TPAT-certified shipments between the U.S. and Canada.
According to industry executives, C-TPAT guidelines largely incorporate those of the Technology Asset Protection Association (Tapa)-an industry body that recommends security standards and best practices-as well as everyday security initiatives any company would implement to thwart criminal activity.
"Whether I'm doing it to fight terrorism or I'm doing it to reduce theft, I'm going to win on both fronts if I improve my security," said Horn.
Joining forces
Electronics companies grapple daily with how to ensure the security of the supply chain, and as operations spread out to lower-cost, developing areas like Malaysia and Eastern Europe, where cargo theft is seen as a higher risk, the need for a global security strategy becomes more pressing.
Industry executives say the problem continues to escalate. In Europe, cargo theft is so rampant that many insurance companies have stopped covering it, said Ron Greene, a supply chain risk analyst at First Advantage Corp. (Phoenix).
Data from Tapa's European chapter seems to bear out Greene's assertion. In 2002, overall losses more than doubled, to 187 incidents with a total value of $39.9 million, from 80 incidents in 2001, or $15.9 million in losses. While incidents involving mobile phones dropped by roughly a third, and memory product losses were down almost 90 percent, losses of hard-disk drives increased more than seven times.
Hijackings decreased by a third and warehouse theft was down by nearly half. Yet Europe reported alarming rises in airport losses and truck theft. The hardest-hit countries were the U.K., France and the Netherlands, while the greatest increase in reported incidents was recorded in the Czech Republic.
"If you lose one truckload or one container, you could lose several millions of dollars. That goes right to the bottom line," Greene said.
In Silicon Valley alone, nearly $65.8 million worth of stolen high-tech property was seized in 2004, according to Sgt. Lloyd Cardone of the San Jose Police Department. Cardone is now on loan to the Rapid Enforcement Allied Computer Team, a task force made up of 16 local, state and federal law enforcement agencies in California.
Although Cardone said the dollar value of high-tech crime has increased significantly from year to year, hard figures are difficult to pin down. At a national level, such statistics are lumped in with violent crimes and thus are hard to parse.
There are no easy solutions, but many high-tech companies are implementing facility and transport security strategies that are consistent across all of their operations, whether in the United States, China or Brazil. Still, additional measures may be called for, depending on the location or product.
For example, on certain routes in Mexico, government officials advise having armed guards transport high-tech goods-and at least one insurance carrier won't cover theft without one.
Operating in Mexico "hasn't affected our insurance rates, but ... if you do not have an [armed] escort, the deductible is 30 percent of the value," said John Novotny, director of logistics at EMS provider Jabil Circuit Inc. (St. Petersburg, Fla.).
Defensive logistics
How you choose to ship your cargo can make a significant difference in your risk of losses. The risks are much lower with an "integrated" carrier like FedEx, which uses its own logistics infrastructure and contracts with third-party logistics outfits only where necessary, said Simon Powell, director of logistics at Agere Systems Inc. (Allentown, Pa.).
Among other benefits for Agere, using FedEx for 96 percent of its international shipments means the logistics provider has all the necessary documentation and shipment history to be able to clear Agere's cargo through customs while it's still in the air, Powell said. And while the cost can be higher than commercial alternatives, the potential security benefits may offset the additional expense.
A commercial airline shipping into China, for example, will deliver cargo to the airport and then turn it over to an airport authority, which will unload the airplane and hand off cargo to a third-party broker. The broker may then contract with a local trucking company to do the final delivery.
"Whenever you have that many hands on your cargo, your chances of something getting lost or delayed, or even getting stolen, go up significantly," Powell said.
As part of its transportation security processes, Agere uses a commercial software program from TradePoint Systems LLC (Nashua, N.H.) to perform preshipment verification of paperwork, including the end customer documentation, before a shipment ever leaves the docks.
"In many ways that's just as important as guaranteeing the physical security of cargo, because it helps ensure that we're controlling where products end up," Powell said.
UPS has similar capability through a new Web-based tool that calculates the total cost of an international shipment before it leaves the dock, provides up-to-date compliance information and notifies Customs in advance of a shipment.
Distributor Avnet Inc. (Phoenix) has developed programs with its cargo carriers that provide a raft of details about its packages. Carriers in turn follow specific operating instructions from the time they leave their facility to make a pickup to when they return. Once a shipment is transported, various communications and security processes take place so that Avnet ensures the product makes it to its intended destination. Pickup and delivery schedules may be varied to make it more difficult to be "cased."
At the same time, the distributor records any shortage, loss or even late delivery, categorized by geographic areas, cities and hubs, so that missing items can be traced early enough to prevent a major loss.
"The whole premise of security today, as we've been told by consultants and law enforcement, is to export the theft," said Jim Smith, senior vice president of global operations at Avnet. "In other words, make your [operation] so hard to get into that thieves look for an easier target."
Difficult targets
Companies with a global perspective are realizing more and more that the objective of physical and transportation security is more than just theft prevention; it's also about not becoming a channel for illegal activity.
As First Advantage's Green noted, if cargo can be readily stolen from the supply chain, it will also be an easy target for tampering or for introducing an unauthorized item into the supply chain-or for creating an artificial shipment under your name.
Antiterrorism programs like C-TPAT have gathered huge momentum based on two motivating factors: First, you're a good business partner in the global community if you take things like terrorism and security seriously; and second, with U.S. Customs examining more shipments, there's a risk-management incentive to becoming a C-TPAT partner.
Once customs agents seize a shipment, someone has to deal with the problem, which takes time away from the person's normal job. But if that shipment is a line-critical item that gets held for a day-or two days, or a week-"suddenly you either have to try to expedite replacement freight to cover your need or risk a line down, because you've got a very tightly wound, lean process," said Sanmina-SCI's Horn. "You've got a serious cost problem then."
Since the program was launched in late 2001, more than 7,000 companies have joined, and approximately 40 percent of all cargo headed for the United States is transported by C-TPAT partners, according to U.S. Customs.
The U.S. Customs listing is alphabetical and does not include volume or value of shipments, but among the top 5,000 importers in fiscal 2002 were electronics OEMs such as Cisco Systems, Dell, Fujitsu and Nokia, and EMS companies like Benchmark Electronics, Celestica, Foxconn, Plexus and Solectron.
No global import/export security rules exist, but that may soon change. In December, the World Customs Organization endorsed elements of C-TPAT and several other post-9/11 Homeland Security initiatives as a framework for a global security standard. WCO represents 164 customs administrations from around the world and accounts for 99 percent of all global trade.
Today, C-TPAT is strictly a voluntary program, but there are definite benefits to participating. For instance, if you and all of your trading partners are C-TPAT certified-meaning U.S. Customs has reviewed your security policies and processes and agrees they are adequate-your shipments will receive expedited treatment.
Multinational companies must demonstrate that their security plans apply to all operating locations, which are subject to audits.
A C-TPAT importer "will incur fewer delays in terms of clearing the freight as it enters the U.S.," said Earl Agron, vice president of security at APL Logistics, a subsidiary of ocean carrier APL Ltd. (Oakland, Calif.).
Certification is not a free pass, however. Industry executives said it's no small challenge to produce the proper detail of documentation with the timeliness U.S. Customs rules now demand. For example, ocean shipments now require that documentation be provided 24 hours in advance, and certain air shipments require a four-hour window.
"Before C-TPAT and 9/11, you could put on a waybill 'electronics in a box,' " said Jabil Circuit's Novotny. "Now you have to be very specific, with descriptions of everything that is in that shipment."
Indeed, the additional time and effort in terms of paperwork and audit preparations mean the cost of compliance can be hefty. If you don't already have a sound import/export process, there's an additional cost to get that implemented before seeking certification.
Agere's C-TPAT certification took just under a year. But the company spent two years honing and documenting its internal processes before opening them to the scrutiny of government auditors, according to Powell.
"You're balancing the interest of the world, in terms of real security, against the interest of your company, as far as investment in these programs," said Sanmina-SCI's Horn. "C-TPAT has got its heart in the right place. It's probably got to have some kinks ironed out, but it's proving to us to have a very sound structure for us to organize some policy around."
Crista Souza can be reached at csouza@cmp.com.
If armed guards, security audits and flawless documentation don't seem like enough protection, there are many additional measures companies can take to secure goods in transit.
One of the most basic deterrents is the plain brown wrapper. Ten years ago, it was common to see manufacturer or distributor logos and product labels on boxes and exterior cartons-a show of pride by the source, but also a flashing-red neon sign to would-be criminals that there was something inside that was highly fencible.
"Back in those days we'd get product to the carriers, the carriers would get it to their hubs and it wouldn't come out the other end," said Jim Smith, senior vice president of global operations at Avnet Inc. "I'm not saying our carriers had people working with them who were thieves, but the minute we stopped labeling [products] and put them into plain, uniform packaging, that stopped being a big problem."
About 10 years ago, Avnet used some 30 box styles and sizes to package products for shipment. Today, the distributor uses nine.
At Jabil Circuit Inc., care is taken to ensure that products are palletized, shrink-wrapped and banded correctly, and that documentation matches what's on a pallet. On top of that, the EMS provider has recently required that its outbound logistics suppliers not break pallets. Often, freight providers will do this to optimize their truck- or planeloads.
"From a security standpoint, that adds an element of variability and risk, and potential theft," said Courtney Ryan, senior vice president of global supply chain at Jabil. "If we're sure everything is palletized correctly ... when it leaves our factory, then we can be relatively sure that if it shows up at the end destination in the same form, it's in good shape."
A more sophisticated component of some supply chain security strategy is radio-frequency identification. Used today primarily within inventory management systems, RFID can offer definite security benefits, some executives said. Like a serial number on a package, the technology can inform the system within seconds precisely what goods are in a container, the quantity and the origin.
"If I'm supposed to have a big 52-footer [trailer truck] that's fully loaded, and there's a big hole in the middle, you assume that it's full but it's been ripped off at the depot," said Avnet's Smith. "If you had RFID, you could go to that 52-footer and the scanners would immediately tell you the truck was empty."
RFID is also being employed in tandem with so-called smart containers-secure compartments used to ship cargo by air, sea, land or rail. Smart containers use sensors to detect subtle changes in the environment, such as a door being opened, or variations in light, temperature, vibration or volume which might indicate the container has been tampered with.
The drawback to RFID is its cost; tags sell for anywhere from a few cents to a few hundred dollars. However, vendors are working to make RFID more affordable, and volumes driven by mandates from large retailers like Wal-Mart and Target should ease pricing.
Research and Markets, a Dublin, Ireland, multimarket information provider, estimates that as smart-container technology matures and is put into effective use, it will save the U.S. economy more than $10 billion a year in merchandise losses. - C.S