Supply Chain Security Standards Proposed to Detect Tainted and Counterfeit Products

Stephen DeAngelis

April 10, 2012

In early March, The Open Group, a global consortium that enables the achievement of business objectives through IT standards, “announced the publication of the Open Trusted Technology Provider Standard (O-TTPS) Snapshot, a ‘preview’ of what is intended to become the first standard developed by The Open Group Trusted Technology Forum (OTTF). Geared toward global providers and acquirers of Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) products, the O-TTPS will provide an open standard for organizational best practices that aims to enhance the security of the global supply chain and help assure the integrity of COTS ICT products worldwide.” [“The Open Group Releases Preliminary Criteria for New Global Technology Supply Chain Security Standard,” The Open Group press release, 5 March 2012] Standards have always been important as a way of ensuring quality, efficiency, and interoperability. According to the press release, “The Snapshot enables participants across the COTS ICT supply chain to understand the value in adopting best practice requirements and recommendations.” Frankly, I’m surprised that any stakeholder needs to be convinced about the importance of standards. The press release continues:

“It also provides an early look at the standard so providers, suppliers and integrators can begin planning how to implement the standard in their organizations, and so customers, including government acquirers, can differentiate those providers who adopt the standard’s practices. Based on this Snapshot, Version 1.0 of the standard is expected to be published in late 2012. An accreditation program is planned to help provide assurance that Trusted Technology Providers conform to the standard.”

Supply chain security is garnering almost as much attention nowadays as supply chain resiliency. Both resiliency and security play a role in supply chain risk management. David Lounsbury, chief technology officer for The Open Group, stated, “With the increasing threats posed by cyberattacks worldwide, technology buyers at large enterprises and government agencies across the globe need assurance the products they source come from trusted technology suppliers and providers who have met set criteria for securing their supply chains. Standards such as O-TTPS will have a significant impact on how organizations procure COTS ICT products over the next few years and how business is done across the global supply chain.” Even though I believe it is readily apparent why standards are needed, the press release goes into some detail making the point. It continues:

“The rapid pace of globalization has brought both benefits and risks to developers of COTS ICT products worldwide. Although most technology hardware and software products today could not exist without global development, the increase in sophistication of cyberattacks has forced technology suppliers and governments to take a more comprehensive approach to risk management as it applies to product integrity and supply chain security. The Trusted Technology Forum was formed in late 2010 under the auspices of The Open Group to help technology companies, customers, government and supplier organizations create and promote guidelines for manufacturing, sourcing and integrating trusted, secure technology products as they move through the global supply chain. The two risks being addressed in the Snapshot are tainted and counterfeit products. Each pose significant risk to organizations because altered or non-genuine products introduce the possibility of untracked malicious behavior or poor performance. Both product risks can damage customers and suppliers resulting in failed or inferior products, revenue and brand equity loss, and disclosure of intellectual property. Because governments and enterprises have begun to seek assurance that the products they use have assurance, providers of COTS ICT are focusing on protecting the integrity of their products and services as they move through the global supply chain.”

Publication of these standards should make Steve Banker happy. Last month he wrote, “There are certain supply chain topics that are rarely discussed publicly. ‘Supply chain integrity’ is one of them. Companies don’t want to admit that their products are being counterfeited, or that theft and grey market diversions are hurting profitability. They also don’t want thieves to know about the security measures they are taking to protect their products.” [“Supply Chain Integrity is Not Discussed Publicly,” Logistics Viewpoints, 27 February 2012] What motivated Banker to write about the subject were discussions held in Supply Chain Integrity track at a February ARC forum. During those discussions, “professionals shared, confidentially, their experiences and insights on this topic.” Banker writes that some of the “key takeaways from the session” include:

Companies that have experienced counterfeiting issues do not have to face this problem on their own. The Department of Homeland Security (DHS) will undertake investigations and prosecute offenders, particularly if companies provide them with promising intelligence. DHS can do this while keeping the name of the company that brought the matter to their attention private.

No one wants to say this publicly, but companies that outsource manufacturing to China are at greater risk. With branded apparel, for example, there are cases where a contract manufacturer produces goods and ships them to the brand owner, then at night they continue to produce the same products and sells them into black market channels. If you are using a contract manufacturer, the contract should include a provision that allows you to conduct spot inspections at any time without cause. Even better would be having staff on site during all hours the factory is in operation.

Service parts counterfeiting can put manufacturing companies at risk. For example, Oil and Gas companies have found counterfeit electronic components in their plant floor automation. If key components fail, the risk of safety incidents is greatly increased.”

Most people are aware that counterfeit parts have been put on commercial and military aircraft and, more recently, fake cancer drugs have found their way into the U.S. pharmaceutical supply chain. Developing countries have faced this latter challenge for years. Counterfeit and tainted drugs put both consumers and companies at risk. Questionable technologies can be equally dangerous. That is why The Open Group has received broad support for its standards initiative. Its press release indicates that those standards were “shaped by [inputs from] the following organizations: Apex Assurance, atsec Information Security, Boeing, Booz Allen Hamilton, CA Technologies, Carnegie Mellon SEI, Cisco, EMC, Fraunhofer SIT, Hewlett-Packard, IBM, IDA, Juniper Networks, Kingdee, Lockheed Martin, Microsoft, MITRE, Motorola Solutions, NASA, Oracle, Office of the Under Secretary of Defense for Acquisition, Technology and Logistics (OUSD AT&L), SAIC, Tata Consultancy Services, and U.S. Department of Defense/CIO.”

Banker correctly insists that “addressing supply chain integrity issues after products come to market is too late; companies should start thinking about supply chain integrity during product development.” He writes that companies need to ask themselves some important questions during the development process. They include: “How long will this product be on the market? And for how long after that will we continue to provide service parts? And if we don’t supply the service parts, how can our customers be assured of safe replacement parts?” He recommends the following:

Companies should use multiple technologies to detect counterfeit products. Track and trace technologies, particularly serialization, are one key set of technologies. But track and trace is not sufficient. Some bar codes can be counterfeit. Tough to counterfeit bar codes have been scraped off returned goods and reapplied to counterfeit goods.

Serialization can help companies detect gray market diversions, which can actually be legal. For example, in Europe, drugs might sell at different prices in different nations. It is perfectly legal for a distributor to buy more goods than it needs in a low retail price nation and then ship them to a high price nation. However, serialization gives a pharmaceutical company the ability to detect this and tell the distributor, ‘Knock it off or we are going to stop doing business with you.’

Track and trace technologies are being piloted in consumer-facing applications. For example, a consumer might be able to use their smart phone to read a QR code and call a hotline number to make sure a drug is legitimate. Or a customer in a store might scan a QR code at a produce bin to see what field the produce was grown in, whether domestic or foreign, and whether it is truly organic.

Many pharmaceutical pilots of serialization will begin next year because of the California ePedigree mandate that starts to phase-in in 2014. We will likely also soon see serialization requirements for spare parts sold to the Department of Defense.

Companies should segment their supply chains. Not all customer segments require the most expensive supply chain integrity technologies. Customer segments with less stringent requirements should not be burdened with extra costs.

And finally, companies can use the same continuous improvement processes that they have used to improve manufacturing and logistics to improve supply chain integrity.”

Barry Brandman, president of Danbee Investigations, told the staff at SupplyChainBrain, “One of the most common mistakes is for companies to have a higher opinion of their supply chain safeguards than is true in actual reality.” [“How Secure is YOUR Supply Chain?” 12 August 2011] The article continues:

“As a best practice, companies should re-assess their security to determine what aspects are superficial and where there is meaningful protection. ‘It is important to go beneath the surface and to test systems to see if they can counteract the type of threats we are seeing today,’ he says. These include inventory theft from DCs, cargo theft in transit, sabotage, product tampering and the placement of unmanifested materials or weapons inside conveyances bound for this country or moving domestically, Brandman says. Once an assessment is made, companies need to strengthen areas of weakness. … In addition, it is extremely important for companies to audit their programs, he says. … Sometimes undercover work may be the best way to get to the bottom of security issues, he says. ‘Undercover information can shed tremendous intelligence on individual theft, collusion and fraud, and can uncover problems like workplace substance abuse, poor supervision, neglect or non-adherence to company policies and procedures,’ says Brandman. ‘These are issues that can negatively impact the bottom line and expose a company to significant loss, which is why undercover continues to be frequently used.'”

The Economist reports that “good forgeries can be hard to detect—even for experts.” [“Zapping fakes with lasers,” 3 September 2011] The article reports that a London-based company called Ingenia Technology has developed a fast, low-cost way of shining a laser at the surface of an object to record “the characteristic way in which the light is reflected back.” The process records “patterns [that] are unique to each item and thus could be used like a fingerprint, to provide an almost foolproof means of identification.” They call this process “laser surface authentication.” The article continues:

“According to Andrew Gilbert, one of Ingenia’s directors, the probability of two surfaces generating the same code is less than one in a million trillion trillion. That is far more accurate than fingerprints, for example. Nor is the system easy to fool. A piece of paper such as a banknote can be crumpled, soaked in water, scorched and scribbled on but will still be readable. Even torn, scratched and partially missing surfaces can be read. … With scan times of less than a second, the system is fast enough to be used on a production line. Nor does it involve having to make changes to a product or its packaging to incorporate security features, such as adding watermarks, fitting holograms or implanting microchips. Ingenia has tested the system on the packaging used for various luxury goods, along with the security seals used on dangerous or valuable substances, and on passports, postage stamps and documents such as financial instruments. Indeed, should a bank want to, it could match every note it issued against its printed serial number. However clever a counterfeiter was, forgery would then be all but impossible.”

While laser scanning may not be useful for detecting some tainted technology products, it’s another weapon in the arsenal that can help secure the supply chain. The point is that tainted and counterfeit goods have become such a challenge (and such a threat) that much more attention is being paid to find solutions to counter the problem. For consumers and companies, this is good news.