
Shutting Down Factories- A Concerning Report on Malware Attacks


Of late, it seems to this Editor that the topic of the threats and implications of cyberattacks has been far more prevalent in 2017, for very good reasons.

There are many facets of supply chain risk and major disruption, and combating cyberattacks is clearly becoming top-of-mind.

A new reminder of such threats comes from a recent, albeit disturbing, ABC News-Associated Press report indicating that malware attacks have been specifically targeting industry supply chains that are predominantly managed by just-in-time (JIT) inventory and production processes.

The report profiles a North Carolina automotive transmission supplier that was impacted by a malware attack a year ago, literally shutting down the production line until the company paid a ransom to the hackers. It seems that today’s hackers fully understand the JIT principles where supply chains manage inventory and production to hourly or daily replenishment needs, and little more. Thus, any significant disruption ripples further up and down the supply chain, and can translate to a rather expensive exposure. In the specific case of the North Carolina automotive supplier, it was upwards of $270,000 in lost revenue and wages for every hour the factory was not shipping parts to nine Toyota Motor car and truck assembly plants.

As Supply Chain Matters has noted in prior commentaries related to either specific cyberattacks or Internet-of-Things enabled manufacturing processes, many of today’s factory systems and networks are aging and do not necessarily have all the latest information security safeguards installed. Some data and application interfaces have not been updated in months or years, and some rely on technology no longer supported by the original provider. That places a difficult burden on internal IT support teams to ensure that continuous production uptime is maintained, not to mention marshaling an effective response if a malware attack were to occur. That is especially an ongoing concern for specialty or mid-sized manufacturers who do not necessarily have access to a large in-house IT support team.

The AP report cites a Cisco Systems survey of nearly 3000 cybersecurity executives conducted last year indicating that one out of four (25 percent) of manufacturing organizations reported cyberattacks that cost them money in the prior 12 months. No doubt, that number is a lot higher since many companies tend to treat such information as confidential and not for disclosure. Other data cited indicate that cyberattacks that target industrial control systems have doubled in the past year, in the U.S. alone.

In a Supply Chain Matters July posting, Actions to Consider in Cyberattack Defense and Mitigation, we reinforced the obvious takeaway that the frequency and scale of cyberattacks are indeed on the increase, with many more to come. This is a multi-billion-dollar problem, and now we know that hackers are sophisticated enough to understand industry supply chain process vulnerabilities, weak points that provide lots of leverage in securing ransom demands.

In our July commentary, we outlined four mitigation actions that supply chain teams should be actively working on. Given this latest reminder of targeted vulnerabilities, we are compelled to reiterate:

  • Scope and continually understand your company’s supply chain risks.
  • Factor the age of legacy systems, particularly those related to older factory control systems.
  • Determine, in advance, the specific roles and responsibilities in Business Continuity Management.
  • Ensure active training, questioning and inquisitiveness with internal and external teams regarding unusual or suspicious activities, security awareness and action plans if and when a cyberattack occurs.


Hackers are indeed becoming more sophisticated in many dimensions including an understanding of supply chain vulnerabilities.

Bob Ferrari

© Copyright 2017. The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.

Actions to Consider in Cyberattack Defense and Mitigation


There are many facets to supply chain risk and major disruptions, and an ever-growing facet is that of a cyberattack disrupting supply chain operations, compromising data and risking harm to the business. There have been acute reminders already this year, the latest coming last week, when a new-version ransomware attack spread from Europe across multiple countries and disrupted the globe’s largest ocean container shipping operator.

Many analysts and bloggers have reminded their respective functional readers of their responsibilities both in protecting the business from the threat of cyberattacks and in ensuring their teams know what to do when such an attack occurs. Supply Chain Matters adds its voice as well.

Brute Realities

The obvious takeaway for readers is that the frequency and sheer scale of cyberattacks are on the increase, and with that is a realization that there will be many more to come. Cybersecurity has become a multi-billion-dollar problem and concern that spans from the boardroom and C-Suite across many lines-of-businesses.

The skill levels of the attackers continue to become more sophisticated, taking advantage of all system vulnerabilities. Experts now believe that last week’s attack was yet another test of a new method, that being a piggyback of an automatic software updater for a specific business application.

Last week served as yet another sobering reminder that some companies were not prepared: they either had not kept systems and software updated with the latest patches, or had not practiced various risk mitigation scenarios for keeping business operations running with protected back-up systems or for advising customers with timely updates as to what to expect.


Actions to Consider

Here are four specific actions that we at the Ferrari Consulting and Research Group advise supply chain leaders and practitioners to consider regarding cybersecurity:

Scope and Continually Understand Your Company’s Supply Chain Risks

Depending on the size of your company, there may well be many external systems risks prevalent in your company, or within your specific operational location. The reality is that supply chain teams have the most direct or intimate knowledge as to the many external information system touch points, which have increased with the expanded scope of globally-based operations. That includes outsourced product designers, externally based suppliers connected via EDI and B2B electronic business networks, contract manufacturing partners, services vendors, third-party logistics and customer fulfillment partners. Previous attacks have exploited such vulnerabilities, for example, hacking a services vendor web site to capture the system login credentials of a large and prominent customer. That was the profile of the massive credit-card hack that involved retailer Target several years back.

In last week’s incident, A.P. Moeller Maersk discovered that the attack spread across many of its linked operational systems, including its business subsidiary, APM Terminals, disrupting a reported 17 individual port operations including those of Rotterdam, New York-New Jersey, Los Angeles-Oakland, and Mumbai. The virus spread so quickly that the company’s IT teams were forced to immediately shut down all systems. Backup systems were not activated for fear that the virus would impact them as well. Exporters and importers could not tender any loads, phones could not be answered, and massive cranes and supporting tugboats had to be operated manually without systems support. Mobile-based phone calls, text messages and social media were the back-up plan.

If industry supply chain management teams have not done so, it is an imperative that they actively collaborate with internal IT systems and business continuity teams to scope, understand and take actions related to the most vulnerable systems related risks and to identify various scenarios for responding to and mitigating a cyberattack or system vulnerability.

Factor the Age of Legacy Systems

A reality of many legacy operational systems is that of age, in some cases systems and applications that have existed for over ten years. This author once heard a stat that the average age of some manufacturing and logistics focused systems is something in the order of 15 years. That statistic implies many vulnerabilities: operating systems that long ago stopped being supported by automatic system updates and patches. Further, as we all know, lots of change and customization can occur in such time periods, making it rather challenging to debug or trace a virus attack. Global hackers are well aware of the vulnerabilities of such on-the-ground systems, some with login credentials that have never been updated. The adage that “if it ain’t broke, don’t mess with it” no longer has credence and can put the entire business at risk.

At the same time, ripping out and replacing many of such legacy systems can often be very disruptive and costly. Now is the time to consider investing in more security-aware Cloud-based systems or infrastructure platforms that touch critical business process areas such as manufacturing and customer order processing and fulfillment. That brings up another point: ensure that your Cloud services and infrastructure provider is certified in the latest data security standards, including the encryption of critical data.

Determine Specific Roles and Responsibilities in Business Continuity Management

Firms most able to effectively respond to a cyberattack, or for that matter, any major business disruption, are those that have well-defined, multi-functional and multi-line-of-business continuity responsibilities and action plans. responsibility for risk response to those closest to the actual process being disrupted. Cyber security is not the sole responsibility of corporate security and IT teams; instead, it involves broader involvement and accountability. Who has responsibility for actively working with suppliers, trading partners and/or key customers on cybersecurity awareness and action plans? Who are the primary contacts for IT teams to know when considering the shutdown of a specific supply chain related mission critical system?

Such plans should include at a minimum, executives with specific responsibilities, designated response teams, emergency communications procedures including back-up processes when email, corporate phone or other prime communication systems are disrupted. One of the more important tenets of such plans is prioritization of tasks based on the assessment or perceived severity of the disruption, and of the protection of people, processes, and mission critical systems during the disruption.

A further consideration is assigning responsibilities to the teams closest to the penetration to protect data and information from further compromise.

A business continuity plan that has too much dependence on corporate hierarchy decision-making can at-times risk the ability to have a timely response. The good news is that many businesses that have developed effective business continuity plans have been willing to share important watch-outs and learning.

Active Training, Questioning and Inquisitiveness

Partner with business continuity, internal and external supply chain teams to offer timely training and/or webinars on responding to cyberattacks as well as information security and awareness. Encourage questioning and inquisitiveness as to prior history of cyberattacks, which systems seem to be the most involved, what to look out for in unusual or suspicious activity, and who to call if something indeed looks suspicious.

Rather than a response of: “I’m too busy”, encourage a climate where information security is everyone’s concern, and better to make aware than to ignore.

Information and data security is an especially critical consideration for industry supply chain teams, one that demands added attention and actions in the weeks and months ahead.

Bob Ferrari


Breaking- Another Widespread Global Cyber Attack Impacting Multiple Companies and Shipping Terminals


There are many facets to supply chain risk, and one such facet is the threat of cyberattacks disrupting global supply chain operations and compromising data.

Today, global news wires are abuzz regarding a cyberattack that is spreading from Europe to other countries including the United States. Reports indicate that this attack has similarities to the recent WannaCry ransomware virus that struck in May but is likely a new variation that exploits vulnerabilities in the Windows operating system.

The attacks included widespread outages across the country of Ukraine, and spread across at least nine other European countries and into the United States, crippling thousands of systems. Computer experts are still attempting to figure out the components of this latest hack as well as scrambling to ward off continued attacks.

One multi-industry supply chain area that has been affected is that of A.P. Moeller Maersk, operators of Maersk Line, one of the globe’s largest ocean container shipping firms. Maersk has confirmed that many of its IT systems are not operating and that multiple sites and business units have been temporarily shut down due to the cyberattack outage. Reports indicate that 17 shipping container terminals run by APM Terminals, a Maersk subsidiary, have been hacked, including the Port of Rotterdam, one of the busiest ports in the world. The web site of the Port of New York and New Jersey has been alerting shipping concerns that the APM terminal there has also experienced a systems outage and operations are suspended for the remainder of today.

Among U.S. resident companies confirming computer outages thus far are Merck and Mondelez International. Both have confirmed via Twitter that they are experiencing systems outages.

We suspect there are other outages and disruptions affecting the movement of materials and goods but it’s too early to assess the extent or duration.

Industry supply chain teams are advised to keep up with ongoing reports and collaborate with associated IT support teams to strengthen systems defenses.



Breaking: Amazon to Acquire Whole Foods- An Obvious Industry Inflection Point


In the history of any industry, along with its associated supporting supply chains, there comes a seminal series of events that ultimately point to a major inflection point, one that clearly indicates that business-as-usual is no longer an option. For the food and grocery industry, and all of its supply chain stakeholders, two thunderbolt events in the second week of June 2017 ignited a seminal industry change.

As we pen this Supply Chain Matters posting, business and general media are broadcasting the headline announcement that Amazon intends to acquire Whole Foods Market for $42 per share, or more than $13 billion, a clear and obvious effort to directly penetrate the retail grocery landscape. This is Amazon’s largest acquisition to-date, and no doubt, there were likely multiple choices. In the press release announcing the acquisition, Amazon CEO Jeff Bezos indicated that the attraction to Whole Foods was the wide offering of natural organic foods.

By our lens, healthy margins, a loyal brand, and future methods to leverage online and in-store shopping were an obvious consideration. Whole Foods has also been under intense pressure from private-equity firm Jana Partners. Whole Foods CEO John Mackey has been quoted as characterizing Jana as greedy. (Actually, he utilized a more direct term.)

According to the release, Whole Foods will continue to operate under its current branding, and CEO Jim Mackey will stay-on as CEO.

News and social media reports further indicate that if the grocer receives a better acquisition offer, Whole Foods would be obligated to pay a $400 million termination fee to Amazon.

The other industry shockwave this week came from Kroger Company, one of the largest retail supermarket chains in the U.S., which issued an unexpectedly lowered earnings forecast for the year. The aftermath of this news caused the chain’s stock to drop by 19 percent, the steepest one-day drop for the company’s stock in more than 17 years.

Kroger CEO Rodney McMullen is noted as stating the following in an interview:

“The change right now in what the customer wants has never been faster.”

Business and general media reports are citing Nielsen and other retail sales data all indicating that consumers are more price conscious in their food shopping, continue to seek out healthier food and beverage choices, and are increasingly turning to online channels for food and grocery needs. Nielsen data indicates that online grocery orders have risen 6.8 percent while visits to deep-discount chains are up 2.9 percent.

Other grocery retail chains are also feeling the effects of quickly changing grocery shopping trends, and the words “industry consolidation” are now coming to the forefront.

At the same time, discount grocery chains Aldi and Lidl are making a major expansion within the U.S. to take advantage of the current shopping trends, which will add to increased industry competition at the retail level.

What is now occurring in the retail channel will continue to cascade across consumer product goods, food and beverage supply chains in the form of tougher price negotiations and demands for increased product innovation addressing healthier food choices. The industry has already experienced the pressures from both Amazon and Wal-Mart as to which will receive the most attractive supply pricing deals.

As noted in our Supply Chain Matters industry commentary published in May, the industry winners are supply chain leaders who educate senior management on the differences of supply chain as a cost center vs. a business innovation enabler. They will also be those that can keep a laser focus on the end-goal, meeting and accommodating far different consumer preferences with changed thinking and distribution methods. By our lens, industry supply chains that invest in talent that can bring forward new creativity, collaboration and thinking for a supply chain model that leverages both online and in-store buying needs will likely benefit.

CPG suppliers are also subject to the influences of private equity, specifically 3G Capital, and no doubt, there will likely continue to be influences for additional M&A among major suppliers and food producers.

Consumer packaged foods and associated industry supply chain teams need to pay very close attention to industry developments and associated implications. The notions of single-channel product demand forecasting or other business-as-usual supply chain planning and distribution methods no longer apply during this now permanent industry shift. Agility, resilience, and a predictive understanding of consumer needs in food and food buying preferences are table stakes.

Be it noted that in June 2017, two industry shockwave developments became the catalyst for structural packaged and fresh food industry change.

Supply Chain Matters will continue to monitor industry supply chain developments and share insights. We predicted significant industry changes at the start of the year, and the clock speed has accelerated.

Bob Ferrari



NAND Chip Supply Challenges Looming Across Consumer Electronics Supply Chains


Supply chain management professionals are often attuned to the weakest link that may develop among various tiers of the product value-chain. There are now building concerns that consumer electronics supply chains may be dealing with a potential industry-wide shortage of a key component during its most critical product demand period.

The Wall Street Journal recently called attention to a looming battle between electronic game console producer Nintendo against high-volume consumer electronics producers such as Apple. (Paid subscription required)

Component supply challenges include liquid-crystal displays (LCD’s), miniature motors and NAND flash-memory chips. The latter specifically points to NAND supplier Toshiba, which has become the second largest supplier of more advanced NAND memory chips.

For Nintendo, enthusiastic consumer demand for its newly released Switch gaming console is leading to aggressive planning for console output for its current fiscal year that ends in March 2018. According to the report, while Nintendo’s official sales target is 10 million units, the producer is reportedly pursuing plans to produce as many as 20 million units, double the official amount.

As supply chain planners are acutely aware, that is a considerable variance to hedge for. A Toshiba spokesperson indicated to the WSJ that demand for NAND has been overwhelmingly greater than existing supply and the situation is expected to remain the same through the end of the current year. Compounding the component challenge are the realities of high-volume smartphone producers such as Apple, who can garner a heck of a lot of NAND memory supplier influence based on sheer buying volume.

Companies such as Nintendo therefore must factor such realities and find more ways to garner added influence with Toshiba as well as other NAND suppliers.  A further, and likely more dynamic situation involves a building significant financial crisis surrounding Toshiba itself.

The supplier’s U.S. focused Westinghouse Electric nuclear reactor construction business unit has incurred significant financial losses forcing that unit to file for bankruptcy in March, leading to concerns for Toshiba’s financial survival as well.   In March, in what was reported as an acrimonious annual shareholder meeting, Toshiba shareholders agreed to split off the prized NAND flash memory unit in hopes of raising at least $9 billion to cover U.S. nuclear unit losses.

According to various reports, Toshiba’s NAND chip business includes a venture originally contracted with memory producer SanDisk, and that company was since acquired by Western Digital, which in essence took ownership of the SanDisk stake in Toshiba’s memory operations. Toshiba began making overtures that it would sell its attractive memory chip business to raise immediate cash. Upon learning of that move, Western Digital threatened to block such a sale, based on its stake in the business. The latest reported iteration is that Toshiba has made a legal concession, in essence keeping part of the memory unit in-house to appease Western Digital. However, the reality is that there are many active bidders for the prized memory business, including Western Digital. Other reported bidders are industry leader SK Hynix, Broadcom as well as contract manufacturing services provider Foxconn. The latter, to little surprise, has sought the influence of Apple in helping to leverage its financial offer for the NAND business. As has been the case with Japan’s high-tech producers, the government of Japan, in the presence of Innovation Network Corp. of Japan, remains active behind the scenes to ensure that any sale addresses concerns for intellectual and advanced technology protection.

Where all this maneuvering ends up is the purview of lawyers and industry-watchers. A recently published report by The Financial Times concludes that negotiations are likely to be complex and subject to further delay, which adds more pressure on Toshiba’s need to stem overwhelming red ink. The length and overall outcome add to the obvious uncertainties as to Toshiba’s plans to continue to be able to meet overall customer demand for NAND chips, not to mention the overall industry’s capacity availability. With Apple planning to ramp up production for the 10th anniversary editions of the iPhone, along with other global smartphone producers hoping to outdo Apple in second-half consumer demand, supplier influence and bargaining power are likely to be important determinants as to which producers garner the bulk of capacity-constrained supply.

Supplier contingency planning, along with the adherence to business and product-margin objectives will be a further challenge for industry supply chain teams, once-again placing an emphasis on more informed and data-driven planning and decision-making capabilities, not to mention supply chain risk mitigation as-well.

Approaching the mid-point of the year, with keen awareness that the second half is most critical for business results, consumer electronics and high-tech supply chains are likely aware of a difficult period ahead, one where agility, built-up supplier relationships and overall planning and execution capabilities will again be put to the test.

Stay tuned.

Bob Ferrari

