9 Steps to Build Supply Chain Resilience
U.S. President Biden signed an Executive Order on the 24th of February, focused on making America’s supply chains resilient. The order states that resilient, diverse, and secure supply chains are necessary to ensure economic prosperity and national security. Greater domestic production, built in redundancies, adequate stockpiles, and safe and secure digital networks are the characteristics of resilient supply chains as cited in the order.
The order has two components: a 100-day review and a one-year review. The outcome of the reviews will be reports identifying risks related to manufacturing capacity, skills, single-source dependencies, and deep concentration of sources of supply, among others. The 100-day review covers semiconductors, high-capacity batteries, critical minerals and rare earth materials, pharmaceuticals, and active pharmaceutical ingredients. The one-year review adds these industries: the defense industrial base, public health, communications technology, the energy sector, and the transportation industrial base. The Assistant to the President for National Security Affairs (APNSA) and the Assistant to the President for Economic Policy (APEP) will coordinate the reviews, which will involve a number of other entities.
In a previous blog, I discussed recommendations for how the Biden Administration can bolster the success of this initiative. The Executive Order has significant implications for companies that are in the industries in scope. It serves these companies well to be proactive by taking a number of practical steps before the government starts to mandate them to do so. Besides proactively addressing any regulatory mandates, these steps will help companies in making their supply chains far more resilient. Let us examine these:
- Map your multi-tier supply chain: Even the most mature and sophisticated companies often lack visibility beyond their Tier 1 or Tier 2 suppliers. Single source risks can be hidden in lower tiers beyond plain sight. Going through the multi-tier mapping exercise can help your organization identify hidden risks in your supply chains, for example, a specific type of polymer supplier that serves multiple industries and geographies.
- Assess the impact of the single source risk: Understanding the percentage of the overall portfolio tied to a single source or derivative components from the single source, along with the revenue contribution, helps you assess the impact of what happens when the single source is no longer available.
- Find alternate sources where possible and practical: Collaborate with and guide your supplier community in finding potential alternatives for a lower-tier single-source supplier. If the single source is a Tier 1 supplier, create and launch sourcing events to identify alternate suppliers. When that is not feasible, such as when the supplier holds unique intellectual property, a potential acquisition strategy should be evaluated. Alternatively, helping the supplier diversify geographically will help mitigate risks. In areas where an entire industry depends on a critical supplier, a collective approach works better than each company for itself.
- Monitor suppliers for risks: The explosion in data sources and cloud powered AI allows organizations to monitor the supplier base for emerging risks such as judicial, financial, and environmental risks. Natural language processing can be applied to tap into news sources to identify newer sources of risks. Buyer and supplier networks tapping into transactional data can gain from broader community intelligence to benchmark and compare supplier performance.
- Mitigate risks with continuous design: In a world where disruptions are the new norm, episodic approaches to supply chain design no longer work. Organizations are moving from episodic to continuous design. Digital twin technologies can help tremendously by simulating reduced flows from riskier supplier nodes to test the resiliency of the supply chain and assess the impact on operational and financial KPIs. Alternate scenarios can be evaluated and implemented through the continuous design process. Cost-to-serve models can inform which alternative strategies make sense to mitigate supplier risks and what incremental cost each carries. Strategic stockpiling locations can be determined and inventory policies established for them. Algorithmic intelligence can be used to establish triggers that flag significant shifts from the baseline and drive the need to redesign the supply chain.
- Model and implement networks of the future: The Executive Order will push for more near-shoring of the manufacturing of critical components and products. It is reasonable to expect significant shifts in the centers of gravity of the existing networks with higher levels of fragmentation and shortening of supply chains. This has implications on capital investments, taking advantage of government incentives, routes to market, assessing alternate sources of supply, among other things. The aforementioned digital twin technologies can help model networks of the future and help you be better prepared.
- Turbocharge sustainability and diversity initiatives: With concerns about climate change and the topic of systemic racism coming to the fore, the Biden administration is also approaching the Executive Order through the lens of job creation in underserved communities and promoting a clean environment. As near-shoring efforts ramp up, companies need to perform carbon footprint studies to ensure documentation and reports on the improvements being made to reduce greenhouse gas emissions. Hiring and supplier selection processes should account for diversity targets and focus on attaining them. Documenting sustainability and diversity initiatives will be critical as it is reasonable to expect the government to be incentivizing these activities. This also helps with corporate ESG (Environmental, Social, and Governance) priorities.
- Tighten the cyber security protocols: As the industries highlighted in the Executive Order are deemed important from a national security perspective, cyber risks are cited as critical to address. Companies in these industries should focus efforts on auditing systems security and ensuring cyber risks are mitigated and appropriate defenses are in place. With the risk of a rogue hacker potentially bringing an entire supply chain to its knees, organizations will need to be adequately prepared with cyber security measures and document the steps taken towards cyber security.
- Proactively engage with government agencies and peers in the industry: If you are in one of the affected industries, joining hands with your peers and competitors for the common good of the industry will bring a collective voice to represent industry interests. Building supply chain resiliency will not happen overnight. It will require significant collaboration between the government and private enterprises. As an example, mass relocation of manufacturing, besides being capital intensive and therefore calling for government incentives, also exposes the skills gap prevalent in the manufacturing industry. In industries such as semiconductor manufacturing, with more companies becoming fabless, there is a significant atrophy of the skills and training needed to ramp up manufacturing. Being proactive will help influence regulation so that it better serves the needs of the industries and communities as a whole, making it a win-win.
This Executive Order is certainly a pressing need of our times. It further elevates the criticality to build resilience in supply chains, not just for America, but for the world. Organizations in the highlighted industries and beyond will need to be proactive in addressing supply chain vulnerabilities. This calls for investments and the C-suite should be willing and open to sponsor supply chain resilience initiatives.
Google and NIST Address Supply Chain Cybersecurity
As high-profile supply chain attacks hit the news, Google and the U.S. National Institute of Standards and Technology (NIST) have both developed proposals for how to address software supply chain security. This isn’t a new field, unfortunately. Since supply chains are a critical part of business resilience, criminals have no qualms about targeting their software. That’s why identifying, assessing, and mitigating cyber supply chain risks (C-SCRM) is at the top of Google’s and NIST’s respective agendas.
High-Profile Supply Chain Attacks
According to Google, no comprehensive end-to-end framework exists to mitigate threats across the software supply chain. [Yet] ‘there is an urgent need for a solution in the face of the eye-opening, multi-billion-dollar attacks in recent months...some of which could have been prevented or made more difficult’.
Here are several of the largest cybersecurity failures in recent months:
- SolarWinds. Alleged Russian hackers slipped malicious code into a routine software update, which they then used as a Trojan horse for a massive cyberattack.
- Codecov. Attackers used automation to collect credentials and raid ‘additional resources’, such as data from other software development vendors.
- Malicious attacks on open-source repositories. Out of 1,000 GitHub accounts, more than one in five contained at least one dependency confusion-related misconfiguration.
As a result of these attacks and Biden’s recent cybersecurity mandate, NIST and Google took action. NIST held a 1,400-person workshop and published 150 papers’ worth of recommendations from Microsoft, Synopsys, The Linux Foundation, and other software experts; Google will work with popular source, build, and packaging platforms to help companies adopt and excel at its SLSA framework.
What Are Their Recommendations?
Here’s a quick recap: NIST has grouped together recommendations to create federal standards; Google has developed an end-to-end framework called Supply Chain Levels for Software Artifacts (SLSA)—pronounced “Salsa”. Both address software procurement and security.
Now, here’s the slightly more in-depth version:
- NIST. The organisation wants more ‘rigorous and predictable’ ways to secure critical software. They suggest that firms use vulnerability disclosure programmes (VDP) and software bills of materials (SBOM), consider simplifying their software and give at least one developer per project security training.
- Google. The company thinks that SLSA will encompass the source-build-publish software workflow. Essentially, the four-level framework helps businesses make informed choices about the security of the software they use, with SLSA 4 representing an ideal end state.
If this all sounds very abstract, consider the recent SolarWinds attack. The attacker compromised the build platform, installed an implant, and injected malicious behaviour during each build. According to Google, higher SLSA levels would have required stronger security controls for the build platform, making it more difficult for the attacker to succeed.
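To make the SolarWinds contrast concrete, here is an added illustration (not code from Google, the SLSA project or this article) of the consumer-side check that signed build provenance enables: an artifact is accepted only if a trusted builder's signed statement names its digest and the expected source, so a binary altered after the attested build, or provenance forged by someone without the builder's key, is rejected. The statement layout, builder identity, source URI, key and the use of HMAC as a stand-in for the builder's signature are all assumptions; a real deployment would use the SLSA provenance format and asymmetric signatures.

```python
import hashlib
import hmac
import json

# Constructed: identity and signing key of the one build platform we trust.
# A real deployment verifies an asymmetric signature; HMAC is a stand-in here.
BUILDER, KEY = "https://ci.example/builder", b"constructed-builder-key"
TRUSTED_BUILDERS = {BUILDER: KEY}
SOURCE_URI = "git+https://git.example/acme/agent"  # constructed, hypothetical

def sign(key: bytes, statement: dict) -> str:
    payload = json.dumps(statement, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_provenance(builder_id, key, artifact, source, commit):
    """What the build platform emits next to the artifact it produced."""
    statement = {
        "subject": {"sha256": hashlib.sha256(artifact).hexdigest()},
        "builder": {"id": builder_id},
        "materials": [{"uri": source, "commit": commit}],
    }
    return {"statement": statement, "signature": sign(key, statement)}

def verify_provenance(artifact, provenance, expected_source):
    """Return (accepted, reason); each rejection is one SLSA-style control."""
    stmt = provenance["statement"]
    key = TRUSTED_BUILDERS.get(stmt.get("builder", {}).get("id"))
    if key is None:
        return False, "untrusted builder"
    if not hmac.compare_digest(sign(key, stmt), provenance["signature"]):
        return False, "signature does not verify (statement altered or forged)"
    if stmt["subject"]["sha256"] != hashlib.sha256(artifact).hexdigest():
        return False, "artifact differs from the attested build output"
    if not any(m.get("uri") == expected_source for m in stmt.get("materials", [])):
        return False, "built from an unexpected source"
    return True, "ok"

# Constructed scenario: a clean build, then the SolarWinds-style case where the
# delivered binary is not what the trusted builder attested, and a forgery.
CLEAN = b"acme-agent v1.2.3"
CLEAN_PROV = make_provenance(BUILDER, KEY, CLEAN, SOURCE_URI, "abc123")
TAMPERED = CLEAN + b"\x00injected-behaviour"
FORGED_PROV = make_provenance(BUILDER, b"attacker-key", TAMPERED, SOURCE_URI, "abc123")

if __name__ == "__main__":
    for name, art, prov in [("clean", CLEAN, CLEAN_PROV),
                            ("tampered", TAMPERED, CLEAN_PROV),
                            ("forged", TAMPERED, FORGED_PROV)]:
        print(name, verify_provenance(art, prov, SOURCE_URI))
```

The check catches the build-output substitution only because the provenance is bound to both the artifact digest and a builder key the attacker does not hold; that binding is what the higher SLSA levels demand of the build platform.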
How Do The Proposals Differ?
As Brian Fox, the co-founder and CTO at Sonatype, sees it, NIST and Google have created proposals that complement each other. ‘The NIST [version] is focused on defining minimum requirements for software sold to the government’, he explained, while Google ‘goes [further] and proposes a specific model for scoring the supply chain. NIST is currently focused on the “what”. Google, along with other industry leaders, is grappling with the “how”’.