Oftentimes, the first time you look at a problem, the bigger it looks. It's only after you spend some time analyzing it that you realize that you can break it up into bite-sized chunks and begin to attack it. (Sort of the same way you'd attack that 24oz New York Strip: First, skip the salad; second, just the right Cabernet; third, leave dessert for the vegans at the next table; fourth, where's that steak knife?...mmmmm...)
I'd argue that securing the supply chain is no exception. At first glance, it seems like an impossible task. How can we possibly ensure that we've secured all the factories, consolidators, ports and terminals, ocean carriers, etc., from penetration from a sophisticated and determined adversary?
That is a daunting task, but it's really not a useful exercise -- as it turns out, supply chains are not equally vulnerable everywhere. For a good illustration of supply chain risk areas, I'd point you to a study done by Unisys titled "The Secure Commerce Roadmap". (See graphic below)
The graphic does a great job illustrating what those involved in moving maritime containerzied cargo into the U.S. see everyday -- importers typically have the least amount of visibility and control over their goods as they move from overseas manufacturer to the foreign port. From the point that the container is loaded overseas at a factory or consolidator until it passes over the rail of an ocean carrier is the area of greatest vulnearbility with the fewest direct security controls -- in other words, the area of greatest risk (risk = threat + vulnearbility). If you think about it, this makes sense. Once the container is at sea aboard a vessel carrying 4,000 containers, how would you penetrate that? Answer: It's hard, so if you're a terrorist, you don't try and look elsewhere.
So how might a determined and sophisticated terrorist organization take advantage of this knowledge to either attack the supply chain or use it as a delivery vehicle to attack the U.S.? Two primary risk area scenarios emerge:
1. At point of stuffing: A terrorist organization penetrates the supply chain and introduces a weapon into the container at the point the container is loaded.
2. During inland drayage: After the container has been stuffed, a terrorist organization penetrates the supply chain as the container moves from manufacturer/consolidator to the foreign port, probably via an inland truck carrier.
So now that we have two scenarios, the problem gets a little easier to scope and address. To prevent penetration at point of stuffing, we need to know who our business partners are, what are their security practices (including hiring -- do they vet their own employees?), how do they handle containers before, during and after loading, etc. To prevent penetratioin during movement to the port, we need to know the same kind of information about those companies we hire for inland trucking. We also need to address how those movements are booked, and leverage overseas consolidators to help extend our reach (and our controls) deep into the supply chain.
So are these easy problems to address? No way. But by more realistically assessing risk areas to your supply chain, you decrease the chance that you waste your energy and resources on areas that aren't that risky after all. Because all risks are not created equal...
