Securing the High-Tech Supply Chain - PowerPoint PPT Presentation

About This Presentation
Slides: 31
Provided by: Stelling3
Learn more at: http://web.mit.edu

Transcript and Presenter's Notes



1
Securing the High-Tech Supply Chain
  • Steve Lund
  • Director of Corporate Security
  • Intel Corporation

2
Agenda
  • Intel's Supply Chain Security model
  • Creation and Evolution of TAPA
  • Using standards and TAPA models to meet new
    threats of terrorism
  • U.S. Customs Trade Partnership Against Terrorism
    (C-TPAT)
  • Intel's Threat Response and Emergency Management
    Program
  • Drilling for Success

3
Why Develop Freight Security Requirements?
4
Intel's Transportation Supplier Management Model
  • For more than 10 years, Intel has embedded
    security requirements in freight transport
    contracts
  • Physical security of premises and equipment (e.g.
    trucks)
  • Procedural security (e.g. background
    investigations)
  • Contractually obligated, with established metrics
    and periodic performance evaluation
  • With the introduction of the Pentium product
    line, this program was further refined to achieve
    door to door security
  • Zero losses of Pentium product in first quarter
    of shipping
  • Intel's model gained notice among other high-tech
    companies experiencing freight theft, which led
    to the formation of the Technology Asset
    Protection Association

5
What is TAPA?
  • The Technology Asset Protection Association is
    a non-profit forum of security, insurance and
    logistics professionals representing high
    technology companies who have organized for the
    purpose of addressing the emerging cargo security
    threats common to the technology industry.

www.tapaonline.org
6
WHAT TAPA IS NOT
  • Forum for blacklisting of suppliers
  • Information sharing is done on standards and
    BKMs, not on any supplier performance issues
  • Forum for comparison of industry/supplier losses
  • All discussion under NDA -- don't ask / don't tell
  • Guarantor of business
  • Supplier compliance to standards gauged
    independently
  • Certified suppliers to be listed on limited
    access website--non-certified locations not
    listed
  • Unreasonable or cost-prohibitive

7
Evolution of TAPA
  • 1997: Security professionals meet to address
    problem of high tech theft
  • Global problem -- no one exempt from cargo theft
  • Demand for product peaking
  • Highly liquid components and demand on grey and
    black markets
  • Conclusion: Establish a forum dedicated to
    development of best known protective measures,
    benchmarking and global implementation. "A
    rising tide lifts all boats"
  • 1998-2000: Development of Standards
  • Audit Criteria
  • Contractual Security T&Cs in form of Freight
    Security Requirements
  • Scoring Matrix
  • RFQ for Independent Auditors
  • 1999: TAPA EMEA formed
  • 2000: TAPA Asia formed, TAPA Worldwide Council
    developed
  • 2001: Independent Audit program proliferated
  • Audit companies trained, three day course -
    Certification process begins
  • eTAPS developed in Europe
  • 2002: Worldwide membership exceeds 450
  • Benchmarked as best in class by Technology and
    Terrorism Committee, U.S. Senate
  • Pharmaceutical membership extended
  • Over 200 audits scheduled worldwide

8
Partnership Leverage
  • 450 worldwide members
  • Active organizations in Americas, Asia, EMEA
  • Market Capitalization of member companies > 1.25
    Trillion
  • In 2000, was 3.0 Trillion
  • Annual Sales of member companies > 750 Billion
  • Uniform approach to problematic locations versus
    fragmented efforts
  • Support of law enforcement investigations
  • Product, equipment, packaging, information
  • Industry contacts worldwide - strong
    communication infrastructure
  • Information and training on products and
    vulnerabilities
  • Access to TAPA quarterly meetings
  • Presentation, Participation, Networking

9
Putting the Right Security Measures in Place
  • Classification of facilities in 3 categories (A,
    B, C) depending on level of threat
  • Threat calculated by environmental and historical
    data and risk aversion level for individual
    company
  • Highest level classification requires highest
    level of security
  • Applied to trucking operations as well as air
    operations
  • Assessment protocol using 0 - 2 qualitative
    score--no weighting

10
  • VALUE
  • VOLUME
  • VULNERABILITY

11
Freight Security Model
Training
Contractual Language
Standard Assessment Protocol
Investigations
Consequences
Freight Security Requirements
12
Independent Auditors Move From This
To This
13
TAPA Sub-Teams
  • Insurance Team
  • Leverage insurance industry influence on
    mandatory standards
  • Insurance premium analysis
  • Program proliferation
  • Waiver Committee
  • Review body for all supplier waivers
  • Integrator/3rd Party Logistics
  • Standards development for inventoried
    product/outsourced warehousing
  • Work with Integrator market on program
    certification and standards

14
Post-9/11 Threats: Leveraging Existing Programs and Creating Models to
Meet New Challenges
15
Positioned for Emerging Threats
  • September 11, 2001 re-focused attention on the
    threat of terrorism to all operations, including
    supply chain
  • Employee safety and security: home, office,
    travel
  • Airline grounding in aftermath of attacks:
    alternative shipping lanes, managing product
    backlog
  • Contingency plans for design, manufacturing,
    distribution
  • Upstream and downstream impacts of direct attack
    or collateral impact: are suppliers and
    customers prepared?
  • Communications infrastructure vulnerabilities
  • Scarcity or unavailability of insurance
  • The comprehensive nature of the supply-chain
    security measures established and proliferated
    through TAPA have shown ancillary benefits to
    anti-terrorism efforts

16
Customs Trade Partnership Against Terrorism (C-TPAT)
  • Establishes Supply Chain Security requirements:
    Factory, Warehouse, Docks, Forwarder/Integrator
    Facilities
  • Shared FSRs, Audit Protocol, and Scoring Matrix
    with program management, best known methods to
    date
  • USC agreement that TAPA security requirements
    fulfill supplier and manufacturer obligation if
    C-TPAT certified
  • Several companies have been C-TPAT certified by
    implementing TAPA supply chain model
  • Intel certified September, 2002

17
C-TPAT Focus Areas
  • Develop and implement a sound plan to enhance
    security procedures. These are general
    recommendations that should be followed on a
    case-by-case basis depending on the company's
    size and structure and may not be applicable
    to all.
  • Required Locations
  • Supply Chain
  • Importer
  • Broker
  • Manufacturer
  • Warehouse
  • Air / Sea / Land Carriers
  • Required Elements
  • Procedural Security
  • Personnel Security
  • Physical Security
  • Education and Training
  • Conveyance Security
  • Access Controls
  • Manifest Procedures

18
C-TPAT Membership Benefits
  • A reduced number of inspections
  • Avoids delays in shipment and negative impact to
    customers
  • More secure supply chain for employees, suppliers
    and customers
  • Account Based Processing (bi-monthly/monthly
    submission of duties)
  • Self policing and assessment
  • Partnership with government against terrorism
  • Membership in first worldwide supply chain wide
    security initiative
  • Account Manager will be assigned
  • Access to the list of other C-TPAT members

19
Threat Management
  • Internal focus after 9/11/01 and anthrax mailings
    on emergency preparedness and business recovery /
    continuity
  • Developed a Security and Safety Task Force
    comprised of all major business groups
  • Corporate Business Continuity program office an
    outgrowth of effort
  • Operational risk assessments to identify single
    points of failure and critical assets, with
    specific action plans to mitigate vulnerabilities
  • Clear deliverables, timelines, and continuous
    review of progress
  • Response plans for various major or catastrophic
    scenarios
  • Loss of facility
  • Loss of supplier capability (equipment,
    transportation, services)
  • Anthrax or other biohazard introduced into
    environment
  • Creation of a Corporate Emergency Operations
    Center to ensure a mechanism for top-level
    management of crises, enable effective
    communication and coordination of site responses

20
Intel Site Emergency Operations Centers (EOCs)
and Corporate Emergency Operations Centers
(CEOCs)
Ireland
England
Dupont
Oregon
Hudson
Colorado
Japan
Folsom
China
Israel
Utah
Santa Clara
Malaysia
New Mexico
Philippines
Arizona
Costa Rica
India
Blue font: location of Site and Corporate EOCs
21
Site EOCs
  • Located at each major site worldwide
  • Locally managed, with EOC director from major
    business group, cross-functional participation
  • Local business groups
  • Security
  • EHS
  • Public Affairs
  • Site Services
  • Established location on-site, with equipment and
    procedures as required by Corporate Emergency
    Management program, including
  • Response templates for various scenarios
  • Multiple computer connections
  • Media connection (e.g. satellite TV news)
  • Redundant communications
  • PBX phone lines
  • Dedicated copper phone lines
  • Local channel radios
  • Satellite telephones
  • Ham Radio equipment / operators

22
Corporate EOC
  • Multiple locations for redundancy and efficiency
  • Membership at senior-level management
  • Core CEOC: Director, Coordinator, Security, EHS,
    Corporate Communications, CEOC Scribe
  • Extended CEOC: Legal, HR, Sales, Finance, other
    business groups
  • Established rooms, fitted with all site EOC
    elements
  • CEOC guidelines specific to CEOC operations
  • Controlled document, scheduled revisions
  • Activation linked to existing Security or EOC
    escalation actions, or at discretion of core team
    members

Intent to enable response at site level,
coordinate communication between sites and senior
management, and enable informed and effective
internal and external messages by Executive Staff
23
Drills
  • Corporate Emergency Management group, site EOCs,
    and various business groups have historically
    utilized tabletop exercises and full drills
    Corporate Drill Roadmap
  • After September 11th, some drill scenarios were
    added, and scope of drills increased to
    comprehend all operational elements
  • Anthrax response (based on existing plans)
    included test kits, expanded communication,
    employee awareness (mail rooms)
  • Other biohazard scenarios
  • Aviation disaster response
  • Function-specific business recovery
  • CEOC and EOC emergency response capability
  • Dirty bomb scenario
  • Typically 10-12 separate drills per quarter
  • Designed and led by affected business group (IT,
    TMG, HR, etc.)
  • Site EOC and CEOC participation as warranted by
    scenario

24
Supply Chain Drills
  • Business unit drills designed to include all
    potentially impacted elements of that group
  • Clear and detailed drill scenarios
    outlined, including
  • Participants and their roles
  • Design of drill
  • Objectives of the exercise
  • In scope / Out of scope
  • Artificialities of the drill (assumptions)
  • Starting script
  • Drills involve accelerated timelines,
    role-playing, simulated supplier engagement
  • Key suppliers have been engaged in establishing
    Business Continuity and identifying gaps and
    focus areas
  • Supply network rebalance/reset has become a key
    aspect of drills

25
Recent Drills Involving Supply Chain
  • Q2 2002
  • Scenario involved loss of key manufacturing
    facility in the Philippines
  • All immediate emergency response elements assumed
    to be under control
  • Impact to employees: managing casualties and
    communication
  • Explored transportation and warehousing
    capability in first 72 hours, at 3-7 days, and at
    7 days following the incident
  • Impacts to other sites
  • Internal and External communications
  • Q4 2002
  • Scenario involved loss of production in Oregon
    due to massive earthquake
  • All emergency response elements assumed under
    control
  • Airport closure part of scenario
  • Team worked through transportation and warehouse
    capabilities in first 24 hours, 24-72 hours, 3-7
    days, 8-14 days, 30 days, and 45 days after
    incident
  • Prioritizing shipments, identifying alternative
    transportation methods and routes

26
Key Elements
  • Effective supply chain management program, door
    to door
  • By starting with focus on security, have
    infrastructure in place to influence or manage
    the entire process
  • Effective Risk Assessment protocol to identify
    single points of failure, critical focus areas,
    and mitigation strategies
  • Understand context of risks / threats, local
    flavors, key relationships with internal groups
    or suppliers, and how those relationships can be
    affected by a crisis
  • Senior Management and Business Group commitment
  • Corporate-level processes and coaching, but need
    each group to leverage their expertise and
    experience to their functional area
  • Integrated response capability
  • All business groups engaged in crisis management
    planning
  • Key service groups (Security, EM, EHS) linked to
    response and continuity efforts
  • Drill, Drill, Drill

27
QUESTIONS?
28
Back Up
29
TAPA Partners
  • The Infrastructure Security Partnership
  • Cargo Security
  • Risk/Threat Assessments in Supply Chain
  • Transportation Security Administration
  • Partnership on development of FTL / LTL trailer
    load security requirements
  • TAPA Standards template for in transit cargo
    protection
  • National Cargo Security Council

30
TAPA Independent Audit Firms