What is Show and Shadow Manufacturing?

Posted on October 1, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What is contract manufacturing?

The economics of manufacturing in the 21st century meant many factories relocated to developing countries where labour is plentiful and costs lower. To further reduce costs and focus on ‘core business’, many manufacturers (principals) outsourced production to Contract Manufacturing Organisations (CMOs). This involves standard outsourcing activities as well as winding down a principal’s factories in favour of focusing on higher value add activities such as R&D, product management, sales and marketing. Examples of industries using CMOs include pharmaceutical and electronics companies.

Contract manufacturing allows outsourcing of noncore functions — Photo by Los Muertos Crew on Pexels.com

Whilst use of CMOs might make commercial sense, it also introduces unique risks such as ‘shadow manufacturing’ which must be managed to maintain brand, product and supply chain integrity.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

‘Show factories’ versus ‘shadow factories’ – what’s the difference?

Most CMOs are completely above-board and legitimate, offering excellent service and conforming to a host of certification standards and regulatory obligations. However, ‘show factories’ and ‘shadow factories’ are an exception. Show and shadow factories can be defined as follows (adapted from APEC, 2017):

Show factories – typically ‘impressive’ facilities which claim to manufacture a given product or component; however, this is intended to mislead (defraud) the principal seeking to contract with the show factory CMO
Shadow factories – manufacturing facilities which operate in the shadows, either owned by a show factory or a ‘sub-contractor’ to a show factory

Theoretically, there is nothing to say a CMO cannot become a show factory at some point during the supplier lifecycle. Examples of triggers for this transition might include management or ownership changes, local crime or corruption in the area where the factory is based, or financial distress. This highlights the importance of performing regular, ongoing supplier integrity and supplier assurance throughout the supplier lifecycle.

Shadow factories can involve forced labour — Photo by u041cu0430u0440u0438u044f u041au0430u0448u0438u043du0430 on Pexels.com

Shadow factories introduce a host of risks for principals

The nature of shadow factories mean they expose the principal to a wide variety of risks, some of which can materialise or persist many years after the shadow factory has been shut down or eliminated from the supply chain, such as regulatory action or litigation arising from involvement with modern slavery. Examples of these risks include:

Product Diversion – conforming product can be diverted, such as through overproduction using molds or trade marked materials supplied by the Principal to the show factory
Product Integrity – shadow factories can introduce problems with product conformance and product safety, which mean the product obtained by an end user does not meet expectations and can give rise to financial, brand, ESG and safety ramifications
IP and Trade Secrets theft – shadow factories might be provided with commercially valuable IP, such as trade secrets, manufacturing molds, recipes and authentic packaging. When uncontrolled, these could be used for counterfeiting, product diversion, and establishing competing businesses
Brand Integrity & reputation risk – companies which find shadow factories in their supply chain can be left with adverse brand and reputation damage, as well as be required to pay damages to workers who may be victims of wage theft, modern slavery, or workplace accidents
Modern Slavery – workers in shadow factories are often also vulnerable members of society. There is a high chance workers could be victims of modern slavery, such as bonded labour, debt bondage, or child labour
Occupational Health & Safety (OHS) – shadow factories often have poor safety conditions, which can give rise to deaths or dreadful workplace accidents. Shadow factory owners may bribe public officials, such as workplace inspectors, to look the other way, further impacting the welfare of factory workers
Environmental protection – as with OHS, a track record of environmental damage is common with shadow factories, particularly those which use hazardous chemicals or substances. The need for environmental remediation to remove legacy toxins or pollution is common when shadow factories are closed
Business Continuity – shadow factories run as lean as possible, and are unlikely to be able to effectively mitigate unplanned interruptions. Further, show factories might not be able to scale up quickly enough in the event something happens to the shadow factory, leaving the principal with a false sense of security and no protection against business interruptions

By their nature, shadow factories are much cheaper as they typically lack the quality management, regulatory compliance, occupational health and safety, and environmental protections found in legitimate factories. Additionally, workers in shadow factories may be victims of modern slavery, which introduces legal, ethical and integrity issues for the contracting principal, not to mention ESG risk for the principal’s lenders or investors.

Indicators of show and shadow factories

When thinking about how we can detect show and shadow factory activity it is important to remember that manufacturing is a process comprising inputs (raw materials, components) which feed production, resulting in a standardised output. Conforming products are manufactured to a consistent standard, with inputs defined by the Bill of Materials (or BOM lists the precise inputs and quantities required to produce a conforming product).

It is possible to forensically identify potential shadow factory activity — Photo by Anton Mislawsky on Pexels.com

The nature of manufacturing means it is possible to identify discrepancies between expected and actual inputs, production metrics, and outputs which could indicate a CMO is actually operating a ‘show’ factory and that work is being performed by elsewhere by a ‘shadow’ factory. According to APEC, indicators used to determine whether a CMO is operating a show or shadow factory include:

Capacity versus output calculations in relation to a given factory’s estimated production capacity
Recieving records which may indicate discrepancies in volumes, values, dates / times or other data points
Materials reconciliation – reconciling usage versus output may identify unexplained anomalies or inconsistencies
‘Unavailability of packaging materials’ onsite for a given client – such as where the expected packaging materials are not physically located in the show factory (i.e.because they have been shipped to the shadow factory)
Maintenance records – including records showing longer than expected gaps between servicing due to inactivity
Production records – including staff rosters and payroll records
Distribution records – including vehicle logs and delivery records
Security access control records and vehicle access logs such as truck deliveries via a security gate)
Equipment usage logs – including records showing below expected machinery usage counts
Cleaning logs – potentially showing cleaning performed infrequently or less than planned in the show factory
Accountability and traceability of rejected materials or defects arising during manufacture
Utility usage versus manufacturing output – comparisison of electricity, gas, water usage and bills against plan

Identification of these red flags requires organisation. Prior to performing a site visit or desktop audit, auditors or investigators should have already built a spreadsheet model or similar assessment tool which outlines the expected case value for each of these indicators specific to the product, location of the factory, and other relevant contextual information. This allows auditors to focus on collecting the information necessary to provide an evidence-based assessment, as well as minimising distractions on what they need to collect or questions to ask during a site visit and enabling a laser focus on what they are seeing and hearing during the inspection.

Manufacturer Fraud Audit

To this day I can recall one of the earliest fraud audits performed in my career involving a manufacturing facility recieving government grants. I was green in those days and assigned to perform the audit alone. After spending a few hours examining the manufacturer’s books and records, something wasn’t adding up. I went into the CFO’s office asking him to explain some discrepancies, only to be asked which set of records I would like to see – the records he provided me, a set they maintained for tax purposes, or the real records!

Shocked, I left his office and called my boss, who informed the government. Suffice to say the CFO no longer worked there when I went back to continue my work the next day. However, the moral of the story for these types of audits is that you only have a limited time onsite in which to make sense of the data you are being given and take action. You need to be efficient, organised and prepared, otherwise you will miss your window of opportunity – by the time you get a chance to come back, all evidence of fraud or non-compliance will likely be destroyed.

As highlighted in this article, the involvement of shadow factories in your supply chain can introduce a host of risks, not to mention legal, ethical, safety, and brand concerns. The positive, however, is that it is possible to identify potential show and shadow factory involvement in your supply chain using data analytics. Analytics, supplemented with intelligence, can be used to target your audits or investigations towards high risk third parties, ensuring they know the right questions to ask and what to look out for during site inspections.

Further Reading

APEC (2017). Show and Shadow Factories, Roadmap for Global Medical Product Integrity and Supply Chain Security, Manufacturing Practices Work Group, Life Sciences Innovation Forum – Regulatory Harmonization Steering Committee (LSIF-RHSC), https://www.apec.org/rhsc/rhsc-priority-work-areas/global-supply-chain-integrity
Curwell, P. (2021). Magazine article – “Supply Chain Integrity: Detecting Product Diversion”
Curwell, P. (2021). Modern Slavery, Human Trafficking & People Smuggling? (Part I)
Curwell, P. (2021). How is confidential information compromised?
Curwell, P. (2021). Unpacking AS6174 in relation to Supply Chain Integrity
Curwell, P. (2022). Building your supplier integrity framework

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Supply chain integrity and security: what are the risks? (Part II)

Posted on September 17, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Introduction

Part I of this article addressed the concept of Supply Chain Integrity, which is increasingly being bunded with security under the banner ‘Supply Chain Integrity and Security’ (SCIS). SCIS is part of the broader domain of Supply Chain Risk Management (SCRM), which is undergoing its own renaissance thanks to distruptions to global trade and commerce arising from the COVID-19 pandemic and the war in Ukraine.

Part II of the article is continued here examines what we mean by the concept of Supply Chain Security, and how the field is evolving in response to the world’s changing geostrategic climate.

Supply Chain Security – a rapidly changing field

Supply Chain Security has undergone multiple expansions in scope to accomodate the evolving global threat environment, changes in international commerce, technological innovation and increasingly the 4th industrial revolution. However, this evolution has largely gone unreported by commentators in the field, with many books and articles on the subject failing to reflect the broad scope of risks now recognised by critical infrastructure and governments globally. As an example, Supply Chain Security traditionally focused on two main risks:

Cargo Theft and Warehouse Theft, and,
Product Diversion (see here for an explanation of product diversion, and here for a recent case study)

Practitioners in this area have largely focused around logistics, with security programs focusing on controls such as shipping container seals and GPS vehicle tracking. The events of September 11, 2001, helped sharpen this focus, with the USA enhancing a scheme to help mitigate supply chain security risks posed by terrorism (known as C-TPAT). Examples of equivalent national schemes include:

Australian Trusted Trader
Authorised Economic Operator Program (EU)
Customs Trade Partnership Against Terrorism, C-TPAT (USA)
Partners In Protection (Canada)
Secure Trade Partnership (Singapore)

To coordinate a consistent global response and maintain safe and secure trade and commerce, the World Customs Organisation (WCO) introduced the SAFE Framework of Standards to Secure and Facilitate Global Trade in 2005, followed by the Authorized Economic Operators (AEO) Programme in 2007. This perspective on supply chain security is reinforced by various global standards including ISO28001, which is intended to complement the SAFE Framework. However, whilst risks like terrorism, theft and product diversion all remain relevant, Supply Chain Security has evolved even further in the past ten years to reflect geopolitical threats in the current operating environment.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Consequently, the USA, UK, Canada and Australia have all issued updated guidance on Supply Chain Security, which has expanded significantly from theft, diversion and terrorism to encompass the more complete spectrum of what the US Government calls ‘Supply Chain Threats’:

Foreign Ownership, Control and Influence (FOCI – USA) or Hostile Ownership (UK)
Software Supply Chain Attacks
Insider Threats
Supply Chain Integrity issues (refer Part I)

In addition to ‘security’ focused risks, a range of frauds can also materialise in the supply chain. For some organisations, it makes sense to address security, integrity and fraud issues in the supply chain within the same business function or framework, whilst for others they are separated to completely different parts of the organisation. However, common risks here include:

IP or Trade Secrets theft
IP licensing abuse and royalty frauds
Product counterfeiting
Product Tampering
Product Extortion
Manufacturing frauds
Distribution frauds
False End User frauds
Vendor frauds

I have already written about a number of these supply chain frauds in other articles on @ForewarnedBlog (refer hyperlinks above). Future articles will also cover aspects of this topic.

Risks and business processes with a nexus to Supply Chain Integrity and Security

In any organisation, there are a number of business functions which commonly touch on aspects related to Supply Chain Risk Management. SCIS programs should try to leverage these resources where possible, either through use of common team to execute a process or through smart process design, which means a common process is used to address multiple distinct business requirements.

Examples here include due diligence and supplier audits which can be performed once and the results reused multiple times to comply with a range of regulatory obligations or business needs. Examples of risks with a nexus to SCIS that might be leveraged include:

Geopolitical risk management
Natural hazards (often managed by business continuity or crisis managers)
Export Control and Trade Compliance
Third Party Risk Management programs
Supplier Integrity, Supplier Compliance and Business Integrity programs
Bribery and Corruption risk
Modern Slavery risk
Economic and Trade Sanctions compliance
Other Environmental, Social, Governance (ESG) risks

When designing your supply chain risk management program, look across your organisation into other areas or teams (such as procurement, finance, sustainability and compliance) to understand work already performed and identify opportunities to streamline processes and systems.

In addition to reducing your operating costs, this approach could improve your supplier’s experience when dealing with you. Sometimes from a supplier’s perspective, a customer can just become too much hard work, leading to increased prices (in an attempt to encourage you to find an alternate supplier) or severance of the relationship overall.

A common example I encounter is where a supplier is asked for the same information multiple times by different teams from the same buyer, leading to wasted effort and frustration. Managing third party or supplier relationships are exactly that – a relationship – so there needs to be an element of give and take by both parties.

Supply chain integrity and security: what are the risks? (Part I)

Posted on September 3, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Introduction

Supply Chains are complex involving many levels of suppliers who are typically located in multiple countries around the world. For high reliability industries (such as airlines and oil rigs) or industries where there is a chance of life or death (e.g. defence applications, pharmaceuticals and food products), the introduction of a sub-standard or below specification (non-conforming) product could have serious consequences. Further, many of these industries are highly regulated to protect consumers.

The nature of global supply chains today presents a real challenge, as illustrated by the global supply chain for the Boeing 787 and Bombardier Global Express in this article from Canada’s Aerospace Review. These challenges are magnified somewhat in relation to security and integrity risks, as explored later in this article. To assist readers unfamiliar with these concepts, a simple product supply chain could be considered as having at least eight categories of actors, as illustrated below:

An illustative example of a simple supply chain

Part I of this article addressses the concept of Supply Chain Integrity. Part II, continued here, examines what we mean by the concept of Supply Chain Security, and how the field is evolving in response to the world’s changing geostrategic climate. Supply Chain Integrity and Security’ (SCIS) is part of the broader domain of Supply Chain Risk Management (SCRM), which is undergoing its own renaissance thanks to COVID-19 and the associated distruptions to global trade and commerce arising from the pandemic.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What is Supply Chain Integrity and Security?

The concepts of Supply Chain Integrity and Supply Chain Security are often bundled together under the guise of Supply Chain Integrity and Security (SCIS). One example of this is in the life sciences industry, with the following defintion of SCIS being commonly cited from the U.S. Pharmacopea (a compendium of drug information, effectively the standards for all pharmaceutical compounds in the USA whose application is enforced by the US Food and Drug Administration):

Supply Chain Integrity and Security (SCIS) is defined as a set of policies, procedures, and technologies used to provide visibility and traceability of products within the supply chain. This is done to minimize the end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted. This is minimized by implementing procedures to control both the forward and the reverse supply chains. SCIS involves reducing risks that arise anywhere along the supply chain, from sourcing materials and products to their manufacture and distribution. The ultimate goal is to detect adulterated, falsified, or counterfeit products and prevent them from entering the supply chain.

Supply Chain Integrity defined

Supply Chain Integrity is sufficiently different from Supply Chain Security to require its own explanation. Supply Chain Integrity is defined by ENISA as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”. When I think about what this means in plain english, I deconstruct the concept of Supply Chain Integrity into three core elements:

Provenance – What are the origins of all components or raw materials in my product? For example, a ‘blood diamond’ extracted illegally from a war zone using slave labour is still an authentic diamond, however its provenance is questionable.
Authenticity – Is the product what it claims to be, or has it been tampered with or substituted? Have the products or components been “produced with legal right or authority granted by the legally authorized source” (AS6174A)?
Traceability – Can I trace the movement of components in my product from raw material to the end user? This is defined in AS6174A as “having documented history of material’s supply chain history. This refers to documentation of all supply chain intermediaries and significant handling transactions, such as from original manufacturer to distributor”

As I previously discussed in this article on SAE’s standard AS6174 and which are worth reproducing again here, the World Economic Forum identified “four key questions that must be answered at the product level as part of Supply Chain Integrity (Pickard & Alvarenga, 2012):

Integrity of Source – did this product come from where I think it did?
Integrity of Content – is the product made the way I think it is?
Integrity of Purpose – is the product going to do what I think it will do?
Integrity of Channel – did this product travel the way I think it did?”

To address each of the elements of Provenance, Authenticity and Traceability, Supply Chain Integrity programs typically comprise a variety of activities, including:

Track and trace programs as well as serialisation to uniquely identify each component and locate where it resides globally in the supply chain at any point in time
Quality management programs, to identify conforming vs. non-conforming products
Supplier integrity programs, to understand exactly who the seller of a product, part or raw material is and assess what if any integrity risks this poses
Market surveillance (market monitoring) – intelligence activities to identify where products are being sold and by whom, to manage the risk of counterfeit or diverted products to end users and the manufacturer’s brand or reputation

A taxonomy of Supply Chain Integrity risks

As with any type of risk, it is possible to build a taxonomy of individual risks which reside under the category of Supply Chain Integrity. Based on my research, I have listed fourteen risks associated with Supply Chain Integrity below:

Adulteration of products or raw materials
Tampering of products, parts or components
Introduction of counterfeit material
Gray market products
Substitution of raw materials, parts, components or products
Falsified or fraudulent material
Use of substandard material (i.e. non-conforming or below specification)
Misbranded or falsely-labelled products
Expired products (moved to less-regulated jurisdiction, re-labelled, and then re-sold)
Products marked for destruction are diverted, re-labelled then re-sold
Ineffective product recall
Ineffective product storage and / or transport
Supplier integrity

These risks are related to, but also quite different to the risks listed in Part II of this article on Supply Chain Security (see link at the bottom of the page).

The relationship between Supply Chain Integrity and your Quality Management System

I have mentioned the term ‘conformance’ a number of times throughout this document, which is defined by ISO22000 as “a product which filfils a requirement”. Conformance assumes that a buyer goes to market seeking to procure products or services which do a particular thing or meet a particular standard (the requirements), and that a supplier is contractually obligated to provide a product or service which addresses these requirements.

Photo by Karolina Grabowska on Pexels.com

For buyers, Quality Management Systems (QMS) play an important role in ensuring the products which are shipped to your door for use are firstly what you purchased (hopefully addressing your requirements), and secondly what they claim to be. This process is referred to in AS6174A as ‘Product Assurance’ which involves “confirming the authenticity of materiel or its compliance with manufacturer’s specifications” (SAE International, p27) to minimise the likelihood of non-conforming materiel entering the supply chain. Product Assurance is undertaken using one of four methods listed below:

Documentation & Packaging Inspection
Visual Inspection
Non-Destructive Testing (NDT)
Destructive Testing (DT)

Readers wanting more information on the Product Assurance process can refer to my previous article. In many organisations, the Product Assurance process is typically performed by a combination of warehouse personnel and / or engineers, scientists or quality management teams upon delivery of new parts or products. Alternately, other organisations perform these inspections before a product leaves the factory, ensuring adequate SCIS processes are in place to mitigate any security or integrity risks that may arise between the shipment leaving the factory and delivery to its final destination.

Failure to properly perform Product Assurance may mean company takes receipt of a non-conforming product or component on day 1, however that this non-conformance is not identified until the product or component is placed into service (potentially some days later). This gap between delivery date and usage date may be an extended period of time during which warranties or guarantees may become voided. Risks here are particularly high for business critical or hard to source parts held in inventory as spares in the event of an in-service part failure, which could provide a false sense of security that sufficient spares are held in case of emergency.

To read Part II of this article, click here.

Never heard of Research Security? Why safeguarding your research today is critically important

Posted on July 9, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

How did we get here?

Research Security refers to the ability to identify possible risks to your work through unwanted access, interference, or theft and the measures that minimise these risks and protect the inputs, processes, and products that are part of scientific research and discovery.

Source: Why safeguard your research? Government of Canada (2021).

Photo by Chokniti Khongchum on Pexels.com

Followers of my blog will know that I regularly write about the scourge of Intellectual Property (IP) theft. One of my observations from working with Australian organisations of all shapes and sizes (including research and development, or R&D intensive ones which depend on commercialisation for success) is that we all too often ignore the importance of protecting our IP and early stage research.

Indeed, according to The Commission on the Theft of American Intellectual Property (2013), theft of United States IP alone is estimated in the vicinity of US$300 billion per annum impacting jobs, GDP and innovation. According to testimony given by the former US National Security Agency Director General Keith Alexander:

“The stealing of U.S. private company information and technology has resulted in the greatest transfer of wealth in history”
HEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS OF THE COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION, 9 July 2013.

Is all research and development the target of theft?

Most commonly it is applied research which is stolen (i.e. outcomes that can be directly applied to a tangible application or outcome which can be commercialised), as opposed to basic or discovery research. The coordinated theft of IP focuses on Science, Technology, Engineering an Mathematics (STEM) domains, as opposed to social science or humanities research.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

One challenge with the R&D process is that you never know what you’re going to find – funding of R&D effectively involves placing strategic ‘bets’ to fund those programs assessed as having the greatest chance of success. So why don’t we put more time into protecting our research?

Part of the protection challenge stems from the nature of research itself, and of the knowledge creation process. Knowledge creators need to be able to operate in a creative environment that allows them to share ideas and concepts with others, and ultimately generate a positive R&D outcome over time. By their nature, many researchers are inclined to share and collaborate with others, and many (falsely) perceive the risk if IP theft as very low.

The knowledge creation process is very easily stimied through excessive security, which can inhibit creativity and innovation. But on the other hand, too little security can mean your research walks out the door either with an unscrupulous competitor or a departing employee. This is where the concept of research security comes in.

Photo by Tamu00e1s Mu00e9szu00e1ros on Pexels.com

What is research security?

Successful research and innovation requires collaboration and formal partnerships between multiple parties, including governments, businesses, and academics. These collaborations and partnerships can occur in one country or internationally, almost like a ‘patchwork quilt’ of skills, competencies and capital.

Unfortunately, some bad actors and unscrupulous organisations have taken advantage of this process for their own game. This includes nation states, some of which have been involved in state-sponsored industrial espionage (‘economic espionage’) for decades.

What is the impact of research theft?

Diminished trust and confidence in your research data and results
Loss of research data
Loss of exclusive control over intellectual property, patent opportunities, and potential revenue
Legal or administrative consequences
Loss of potential future partnerships
Tarnished reputation

Source: Why safeguard your research? Government of Canada (2021).

In response, countries such as the US, UK, Canada, New Zealand and more recently Australia have introduced ‘research security’ programs to help the research and innovation sector understand and manage this risk, as outlined below.

Source: US Director of National Intelligence, dni.gov

Canada’s Safeguarding Your Research program

The Government of Canada started raising research theft and research security as an issue in 2016, subsequently forming a joint Government of Canada-Universities Working Group to “advance open and collaborative research in a way that also safeguards research and maximizes benefits to Canadians”. The government has created the Safeguarding your Research portal which contains useful resources including:

Tools for building Security Awareness in the Academic Community
A checklist to help determine whether you are at risk
Information on mitigating economic and/or geopolitical risks in sensitive research projects
National Security Guidelines for Research Partnerships

United Kingdom

In contrast to Canada, the UK Government started its research security journey in 2019, with security programs being coordinated by the Center for the Protection of National Infrastructure (CPNI). With almost 20% of UK research funding coming from international sources, CPNI suggests three key actions to safeguard your research:

Due diligence – who are your research partners, actually? Who are their research partners or investors? Remember that affiliations and company ownership can change over time: who you partnered with on day 1 may not be who you are partnered with on day 365. Bad actors frequently materialise after you have signed the partnership agreement, so due diligence should be undertaken on an ongoing basis.
Conflicts of interest – identify any actual or potential conflicts and ensure they are managed. This could include your research partner’s collaborations with your competitors.
Segregation – use security programs to segregate your valuable research programs, both physically and logically (i.e. cyber, physical and personnel security).

United States

Since mid-2018, the US Government has introduced a range of rules, policies and regulations to address concerns about foreign interference in research and the theft of intellectual capital. Various departments and agencies have introduced new measures to address risks to the integrity of the research enterprise, such as the establishment of the Joint Committee on Research Environment by the Office of Science and Technology Policy at the White House.

In 2018, the National Institutes of Health (NIH), one of the largest R&D funding bodies in the world, took the unprecedented step of writing to NIH grant receipients to inform them of the threat of foreign interference and IP theft in relation to biomedical research. This step has set the tone in terms of the seriousness of this issue, and should highlight to the research community globally the nature of the threat – which is manageable with the right mitigations.

Australia – time for a change of attitude?

In Australia, how we protect our research and innovation is largely dependent on who the threat actor is. From a commerical perspective, we typically adopt a legalistic approach to protecting our valuable research, historically relying predominately on formal IP protections such as patents and copyright. This remains very important, but it is also largely ineffective against the threat of IP theft. By the time the matter gets to court, assuming you can find the thief, it’s too late and the only people who benefit are lawyers.

Once you have lost your valuable research, you face an expensive and time consuming battle to restrain the offending party from using the IP or gaining commercial advantage. Assuming you have the legal defence fund to pursue this course of action – noting your pockets may need to be deeper than your opponent in order to continue funding any litigation – you may not even recover 100% of what you lost. Further, if you didn’t take ‘appropriate’ actions to try and protect the information, a court may deem you also at fault.

Australia does not have formal trade secrets protection under IP law, unlike other countries. This means business is reliant on various Confidential Information provisions to protect its research and innovation, something which can be hard to defend. There is a litany of Australian case law showing companies which learned the hard way here when trying to protect their valuable information from competitors, third parties and former employees.

Where the threat actor is ultimately a nation state, Australians now have provisions in the Criminal Code 1995 (Cth) in relation to economic espionage – which also contains the first mention of the term ‘trade secret’ that I am aware of in Australian law – as well as the University Foreign Interference Guidelines. The Guidelines, which I will write about in a subsequent post, were refreshed in 2021 and provide an excellent introduction to developing what I would call a ‘research security framework’, but which can be applied to address all security threats to research and innovation, not just foriegn interference.

I’m a research or commercialisation manager – what can I do about it?

Effectively managing this risk involves understanding what your critical information assets are, who has access to them, and how. This will allow you to identify those areas of greatest risk and focus your limited resources and effort accordingly. Doing this effectively involves a combination of cybersecurity, physical security, non-cyber information security and personnel security (insider threats) measures deployed as part of a holistic program.

The second critical aspect here is managing your research partnerships via a supply chain (third party) security program. This is broader than security – you need to perform proper due diligence (before commencing, throughout the life of the relationship, and for a period afterwards), as well as implementing the right security and legal controls to manage these risks, all whilst creating an environment where the actual researchers can collaborate and work their magic.

This is not easy and requires a good understanding of both security and research / innnovation to be successful, but it is possible. As highlighted in this post, there are plenty of resources available to support you on this journey but remember, the one thing that is clear is the risk of inaction.

Critical Minerals – what’s the problem here?

Posted on May 28, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What are critical minerals anyway?

Critical minerals are defined by Geoscience Australia as “metals and non-metals that are considered vital for the economic well-being of the world’s major and emerging economies, yet whose supply may be at risk due to geological scarcity, geopolitical issues, trade policy or other factors” (2022). One category of critical minerals, ‘rare earth elements’ (listed below) are particularly important:

(Ga) Gallium
(In) Indium
(W ) Tungsten
Platinum-group elements (PGE) including
- (Pt) Platinum (Pt)
- (Pd) Palladium
(Co) Cobalt
(Nb) Niobium
(Mg) Magnesium

(Mo) Molybdenum
(Sb) Antimony
(Li) Lithium
(V) Vanadium
(Ni) Nickel
(Ta) Tantalum
(Te) Tellurium
(Cr) Chromium
(Mn) Manganese

The problem with critical minerals is their availabiilty: they are not distributed evenly throughout the world, and in some cases it is not economical to extract them using current technology. This is particularly the case with rare earths, where according to InvestingNews, the top 10 countries for rare earth production are:

1 China	6 India
2 United States	7 Russia
3 Myanmar	8 Thailand
4 Australia	9 Vietnam
5 Madagascar	10 Brazil

InvestingNews (2021)

Readers will note that some of the countries are subject to greater geopolitical risks than others – ranging from emerging to developed economies and sanctioned to non-sanctioned jurisdictions. One of Australia’s strengths is our proliferation of critical minerals and our geopolitical and economic stability. As shown in the following figure, Australia has critical mineral deposits distributed across the country:

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As demands for the world’s critical minerals increase and supplies dwindle, rich countries will increasingly seek alternative sources. Deposits that were previously uneconomic to extract may become economical, whilst other countries may resort to war or coercion to achieve or maintain geostrategic advantage. Geoscience Australia has ranked Australia’s resource potential for critical minerals and their associated criticality (or scarcity):

Geoscience Australia (2022). Critical Minerals.

Understanding the criticality of raw materials is particularly important when assssing your supply chain threats and risks, as is understanding the geopolitical risks associated with the Critical Minerals value chain (refer figure below).

Geoscience Australia (2022) notes that some “category one and category two metals and semi-metals are primarily by-products of refining of the major commodities such as zinc, copper, lead, gold, aluminium and nickel”. Australia has abundant stockpiles for many of these commodities, however they are not always cost effective to extract. In the future, advances in processing techniques might mean these can be extracted in a highly targeted way at a cost that makes economic and environmental sense.

What industries use critical minerals?

Critical minerals underpin the world’s 4th Industrial Revolution as well as the high tech gadgets as well as enabling a green low-carbon, digitised economy. Without access to critical minerals, we would not be able to have our computers, phones, wind turbines, electric vehicles or solar panels that are decoming de rigueur in Australia and worldwide. Here are some lesser known examples and their applications:

Critical Mineral	Usage (examples, not exhaustive)
Yttrium	Ceramics (abrasives, jet engine coatings, oxygen sensors in cars, and corrosion resistant cutting tools) Electronics (microwave radar, dental and surgical procedures, digital communications, industrial cutting and welding, photochemistry, distance and temperature sensing) Metallurgy (superalloys, high-temperature superconductors)
Tantalum	Production of tantalum alloys, capacitors, compounds and metal Major end uses for tantalum capacitors include automotive electronics, mobile phones and personal computers Tantalum oxide is used in glass lenses and tantalum carbide is used in cutting tools
Germanium	Fibre optics, infrared optics, electronics and solar applications including solar cells for satellites

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As you can see, the applications for critical minerals are diverse – without them, much the advanced civilisation we live in today would cease to function.

What are the security and supply chain risks for Australian companies?

Two principal security and supply chain risks associated with critical minerals are worth highlighting, both of which have a geostrategic flavour – (1) foreign ownership, control and influence, and (2) sanctions and trade embargo risks, as illustrated below:

Paul Curwell (2022) – adapted from AUSTRADE *Critical Minerals Supply Chain in the United States* (2019)

The Foreign Ownership, Control and Influence (FOCI) risks we have seen globally tend to materialise in two scenarios, outlined in the following table:

FOCI Risk	Risk Description / Scenario
Mining rights (licences) are held by a single company which controls a substantial percentage of production	This scenario is particularly applicable to Rare Earth Elements which are only found in a few locations around the world, hence global supply is very low in comparison to demand. In this case, a single company could conceivably control a substantial percentage of the production for a given rare earth element globally.
Ownership of multiple mines is held by shareholders of the same nationality (i.e. a concentration risk)	This effectively gives the parent country ‘control-by-proxy’ of critical minerals production, meaning the minerals can be exported under the guise of legitimate trading contracts to the parent country for stockpiling and / or use in manufacturing. Once extracted and shipped, there is no easy way of getting the minerals back, and the country which holds all the stockpiles effectively controls both market pricing as well its permitted end use (for example, military end-use export controls might be applied, effectively giving the controlling country a military advantage).

The second type of risk is sanctions and embargos risk. Historically, when we think of sanctions, trade embargos or even naval blockades it is typically on countries such as North Korea and Iran for their actions against the global community and internationally acceptable norms and behaviours.

As a source country for critical minerals, there is always the possibility that Australian companies or Australian exports could be sanctioned. However, two factors act in our favour to mitigate this risk with critical minerals:

First is global availability, being that critical minerals are either only located in specific geographic regions or can only be extracted in a way that makes economic sense from a small number of locations.
Second is the global balance of power. Whilst geostrategic power is shifting away from the United States, we are not yet at the point where other geostrategic players have sufficient power or leverage to impose meaningful sanctions or export restrictions at a large scale (note this does not mean that targeted, and even non-conventional forms of sanctions would not be possible or effective).

Another commonly used sanctions and embargo tool is the naval blockade would be very oenerous to enforce in a country such as Australia, which is so large and surrounded by navigable waters.

What can we do about it?

Like an increasing number of countries around the world, Australia has implemented foreign ownership and foreign investment restrictions to prevent the scenario arising whereby our mining companies or mining licences are owned by foreign investors either at issue or throughout their period of validity, without appropriate review. Additionally, we have introduced a range of foreign intereference laws to criminalise and help prevent actions by foreign governments and their proxies (including legal entities) from interfering in Australia’s sovereignty.

As with saw with trade restrictions on Australian exports, the management of sanctions, embargos and the like are much harder to mitigate. This is particularly the case where Australia sends extracted ore to a third country for processing and refining, which may then be purchased for re-import back to Australia. In this scenario, Australian manufacturers or businesses are immediately exposed to potential sanctions risks. One way to mitigate this is to conduct mineral processing and refining here in Australia, allowing Australia to export refine material as well as to use it directly in Australian manufacturing.

If there is one positive thing that can be said for the COVID-19 pandemic (aside from introducing more flexible working practices), it is that the supply chain disruptions have really refinforced the need for Australia to expand our domestic manufacturing capability and the need to be less reliant on other countries for our critical supplies and services in the Australian psyche. Understanding where security, geopolitical (country) and resilience risks lie in your supply chain, and implementing appropriate risk treatments, is critical for every Australian business.

Theft of fuel from HMS Bulwark – a diversion case study

Posted on April 30, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What happened?

This story broke in the media on 7 April 2022, with multiple articles claiming the theft of fuel from a high security Royal Navy base in the United Kingdom. According to Sky News, “the diesel was siphoned from a tanker in a heist that reportedly “ran for weeks” with most of it having been “flogged on the black market”. Some articles claim the fuel was being used to run diesel generators on HMS Bulkwark whilst it is alongside and undergoing refit.

HMS Bulkwark, Albion-class assault ship, Royal Navy, United Kindgom

Further details on the case are limited, other than the fact that the case is under invetistigation by the UK Ministry of Defence and that the alarm was drawn when a guard at the base became suspicious. Unfortunately the theft of fuel is a common occurance – as a perisable commodity which retains its value in the market, fuel is in high demand and can be readily converted to cash when diverted even in small quantities, or alternately consumed for personal use.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

A case of diversion or shrinkage? Motive is key

The fact that fuel was stolen means this is an offence of theft, or potentially fraud depending on whether deception was used to perpetrate the crime. Given events took place on a secure military base where it is reasonable to assume you cannot simply walk in or out, it is reasonable to assume an element of deception (i.e. fraud).

Either way, whilst details are limited in the public domain it is possible to develop further insights into the crime for the purposes of building this case study. For example, we know this scam went on for weeks. According to Wikipedia, the capacity of a fuel tanker truck ranges from 20,800 to 43,900 litres. Google reveals that the average capacity of an SUV on the road is up to 70 litres.

To provide an order of magnitude, 2% of 43,900 litres is 878 litres, which equates to around 12.5 full SUV tanks. If this scam was perpetrated once a day for 7 days, we are talking about over 6,000 litres of diesel being stolen each week. With current Australian diesel costs averaging $1.95 per litre as at 14 April 2022, this equates to illicit earnings of just under AUD$12,000 per week (AUD$624,00 per annum). To be clear, there is no indication of quantum or order of magnitude in the media, so this is hypothetical and indicative only.

AA van with Jeep SUV broken down in Kensington Gardens by David Hawgood is licensed under CC-BY-SA 2.0

So does this activity equate to shrinkage or diversion?

Shrinkage is an accounting term used to describe when a store has fewer items in stock than in its recorded book inventory (Shopify). Shrinkage can be the result of process or quality issues, as well as theft and fraud.
Product Diversion refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel (Curwell)

In practice, I tend to view shrinkage as being less organised and not ‘commercial’ in scale, whereas diversion is typically more organised and more commercial in nature. Given this has been going on for weeks as well as the volume and illicit revenue estimates outlined above, I would suggest this is clearly a case of product diversion. Further, in my taxonomy of product diversion risks, this is defined as “Product stolen from distribution or supply chain“.

How can these types of product diversion events be detected generally?

Product diversion shares similarities with other frauds. According to the Association of Certified Fraud Examiners (ACFE) Occupational Fraud 2022: Report to the Nations study:

42% of business frauds globally are detected via tip offs,
16% through internal audit, and,
12% through management review.

Interestingly, 5% of cases were detected by accident – exactly how the Royal Navy guard discovered this diversion incident.

When you know what you are looking for, the application of fraud analytics techniques means product diversion can be detected provided you have the right data and you assemble and analyse this data in a manner that will allow you to identify potential indicators of diversionary activity.

Photo by Lou00efc Manegarium on Pexels.com

From my understanding of the situation, there are at least four primary records that, when ‘joined‘ together, could be used to identify similar product diversion cases pertaining to oil and fuel:

Order records – invoices and purchase orders should state the quantity of fuel ordered and the delivery dates. Given this is a military base, there are likely to be some sort of movement records to register in advance the potential delivery.
Tanker truck records – records of how many tanker trucks entered the base and their capacity (this might be captured at the front security gate for emergency management reasons in case of fire).
Fuel transfer records – these should record how much fuel was actually delivered from the tanker to HMS Bulwark, and would likely be maintained by the driver or the fuel tanker company’s order delivery system (most likely a smart phone app). Requirements to supply these to the customer could be mandated in the contract of sale.
Fuel receipt records – these would be maintained by the crew of HMS Bulwark, recording all details of the delivery including fuel quality records through onsite Quality Assurance testing performed by the ship’s engineers as well as the quantity of fuel recieved.

These four datasets could be collected by customers and monitored on a proactive, ongoing basis to identify discrepancies indicative of potential product diversion using data visualisation tools such as Tableau or even Microsoft Excel. Alternately product diversion schemes such as this may also be identified during distributor audits or compliance investigations.

What other preventative and detective controls might be relevant in this scenario?

In addition to the data points outlined above, a range of other preventative and detective controls could be used to identify potential diversion. These measures may be more expensive than the ‘books and records’ approach outlined above, hence their application should be risk-based. Relevant examples include:

Accurate calibration of measures to calculate the volume of fuel delivered – just like petrol stations, fuel delivery measures need regular re-calibration, and in some instances may be tampered with to under- or over- deliver. There may be two such devices in this example – (1) the tanker truck and (2) HMS Bulwark.
Quality checks should be performed by the customer to ensure the diesel is appropriate quality and that product substitution has not occured (e.g. fuel diluted with another substance, fuel sitting on top of a heavier substance to give the appearance of conformance).
GPS monitoring on the tanker truck allows both the vendor and customer to monitor for unscheduled stops, which could be indicative of an accident or unscheduled delay, cargo theft (e.g. hijacking), or collusion with organised crime elements. These systems typically generate an alarm or alert in an operations centre.
IOT sensors may also be attached to fuel lines or guages, to confirm quality and volume of product in real-time as it is decanted from the tanker to the fuel storage tank.
High-value or sensitive facilities should be subject to a range of physical security measures.
Third parties loitering in a secure area, either pre- or post-fuel delivery, are also indicative of suspicious activity that would warrant further investigation (as allegedly occured in this case)

As you can see, the Internet of Things (IOT) and the proliferation of sensors in daily life provide excellent opportunities for detecting product diversion in near real-time.

Lessons learned – what to do about it?

Performing a thorough anti-diversion risk assessment, and then implementing appropriate detective measures to identify potential diversion incidents early, before any substantial loss is the foundation of a proactive approach to managing diverison risk. The data required for detecting this type of diversion is likely to be readily collected in most organisations, and simple tools such as a spreadsheet can help identify anomalies. Detecting diversion in your data can be easy and cost-effective when you know what to look for.

Further Reading

Association of Certified Fraud Examiners (2022). Occupational Fraud 2022: Report to the Nations, http://www.acfe.com.
Curwell, P. (2021). Emerging Supply Chain Integrity Practices: What this means for detecting product diversion, in The Brand Protection Professional, June 2021, Volume 6 Number 2, Michigan State University.
Curwell, P. (2021). The USP/APEC ‘Supply Chain Security Toolkit for Medical Products’, https://forewarnedblog.com/2021/08/29/the-usp-apec-supply-chain-security-toolkit-for-medical-products/
Curwell, P. (2022). Los Angeles rail hijackings – a form of cargo theft, https://forewarnedblog.com/2022/01/18/los-angeles-rail-theft-an-form-of-cargo-theft/
Sky News (2022). Fuel ‘worth more than £250,000’ stolen from high-security Royal Navy base, 7 April 2022, https://news.sky.com/story/amp/fuel-worth-more-than-250-000-stolen-from-high-security-royal-navy-base-12584280
Vona, L. (2016). Fraud Data Analytics Methodology: The Fraud Scenario Approach to Uncovering Fraud in Core Business Systems, Wiley.

Upcoming changes to private investigator and security licencing in New South Wales

Posted on February 15, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

Australia’s path to security industry regulation

Australia has had legislation to regulate the security industry since the 1980’s, and was introduced to establish minimum qualification and character requirements (including criminal history checks) and to try to prevent infiltration of the sector by organised crime (see Prenzler and Sarre 2012).

This is State or Territory-based legislation: there is no regulation of the private security industry by the Commonwealth, and arrangements involving Australian Government security clearances and the Defence Industrial Security Program are completely separate. State police predominately manage security licencing in Australia, however there are exceptions where this role is performed by a state’s Office of Fair Trading. Legislation in each state or territory contains provisions for mutual recognition of licences held in other Australian jurisdictions, as well as limited provisions for temporarily working in other states.

Current legislation in NSW

In New South Wales (NSW), Australia’s most populous state, the NSW Police currently manages licencing for Private Investigators and Security Consultant’s under two pieces of legislation as at the time of writing:

Security Industry Act 1997 (NSW)
Commercial Agents & Private Inquiry Agents Act 2004 (NSW)

The legislation establishes licencing requirements for individuals (known as ‘operator licences’) and employers (known as ‘master licences’). In 2016, the Security Industry Amendment (Private Investigators) Act 2016 No 40 (not commenced) was passed to establish the legal basis for these changes, however there was no date when this was to take effect until October 2021, creating an element of confusion for licencees.

Effective 1 July 2022, licencing of private investigators will be incorporated into the Security Industry Act. In practice, this means professionals who offer both private investigator and security consulting services go from requiring two master and operator licences to one of each category. The addition of Class 2E to an operator’s security licence authorises the licensee to act as a private investigator or act in a similar capacity. These improvements to regulations, warmly welcomed by me as a holder of both licences, will streamline compliance.

Individual (operator) licencing in Australia

In Australia, it is common to find individuals working in roles that provide services which involve private investigation and security consulting within the same engagement. An example might be where an investigation is performed into theft, which also results in advice on how an organisation can improve its internal controls to prevent theft in the future.

Cybersecurity professionals are not explictly included or excluded from the need for operator licencing in Australia, which means some people are licenced and others are not. In my view, licencing of cybersecurity professionals is overdue, this gap creates confusion and inconsistency. It is reasonably safe to assume that some unlicenced activity is being undertaken in Australian industry.

The scope of licenced security consulting and private investigation services in NSW are as follows:

Private Investigator

private investigator means a person who is employed or engaged for the purposes of either or both of the following:(a) the investigation of persons, being any activity carried out by a person on behalf of a second person (not being his or her employer) that involves finding a third person or investigating a third person’s business or personal affairs,
(b) the surveillance of persons, being any activity carried out by a person on behalf of a second person (not being his or her employer) that involves the surveillance of a third person.

Security Consultant

Security Consultant (licence class 2A) —authorises the licensee:
(i) to sell security methods or principles, and
(ii) to act as a consultant by identifying and analysing security risks and providing solutions and management strategies to minimise those security risks,

Definitions of activity licenceable under NSW law

To be eligible for the above licence, individuals must hold the relevant qualifications, as well as satisfy relevant employment experience and character requirements (including undergoing fingerprinting by police).

Performing the above services without a licence is a criminal offence in all Australian states and territories. The maximum penalty for “carrying on a security activity” unlicenced in NSW is a fine of 500 penalty units ($110 fine per penalty unit, so $55,000) or imprisonment for 2 years, or both (refer legislation).

Employer (master) licencing in Australia

Holding a master licence means organisations can provide licensed security operatives to carry out security activities in NSW (i.e. including security consulting services and, as of 1 July 2022, private investigation services). Master licence holders must ensure that only appropriately licenced employees provide security services. There are three categories of master licence holder under NSW law:

Individual – individuals registered as a sole trader (or partnership) who wish to either carry out security activities in a self-employed capacity with a Class 1 or Class 2 security operative licence, or provide security operatives under an ABN
Corporation – ASIC-registered corporations, excluding trusts and partnerships, that wish to provide security operatives to carry out security activities
Government Agency – government agencies that wish to provide security operatives to carry out security activities.

A master licence holder is subject to a number of prerequisites as well as character checks of directors and ‘close associates’. As with individual licences, there are penalties for providing unlicenced security services. These are currently 1,000 penalty units in the case of a corporation ($110,000) or in the case of an individual, 500 penalty units ($55,000) or imprisonment for 2 years, or both.

How to check an individual or business is licenced in Australia?

The regulator for security industry and private investigator licencing in each state or territory manages their own register of licencees. In NSW, this register can be queried by members of the public here: Service NSW.

As with any industry, there are a range of practitioners from those offering highly professional, highly skilled services through to those with substantially less experience. Prospective buyers of these services should perform appropriate due diligence.

Understanding the risk of organised crime infiltration in your business

Posted on February 1, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What is Serious Organised Crime anyway?

The concept of organised criminal infiltration into your business or supply chain is interesting. I’ve worked with a number of critical infrastructure operators in Australia who have this concern: the nature of their business provides a unique opportunity for criminals to exploit their business, or the employees position, to facilitate their own or others criminal activity. Before we start to get carried away that serious groups like the mafia are infiltrating your business, it’s worth understanding key elements of the ‘spectrum of crime’ which forms a basis for any Threat Assessment:

Criminal enterprise – a group of individuals with an identified hierarchy, or comparable structure, engaged in significant criminal activity (FBI)
Opportunistic individuals – individuals who take advantage of internal control gaps or weaknesses and opportuinities of circumstance to perpetrate criminal and / or unethical activity (e.g. fraud or business espionage) (Curwell, 2022)
Organised criminals – “small, organised networks of entrepreneurial offenders, often transitory in nature, that develop to exploit particular opportunities for illegal profit. These groups vary from temporary associations created to commit a time-limited series of offenses, to enduring businesses that invest in on-going criminal activities” (Eck & Clark, 2013, p28).
Organised crime (organised criminal group) – “a structured group of three or more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit” (Smith 2018 in United Nations 2004: 5).
Transnational Organised Crime – those self-perpetuating associations of individuals who operate transnationally for the purpose of obtaining power, influence, and monetary and/or commercial gains, wholly or in part by illegal means, while protecting their activities through a pattern of corruption and/or violence, or while protecting their illegal activities through a transnational organisational structure and the exploitation of transnational commerce or communication mechanisms (FBI)

Its important to remember that not all crime that happens somewhere like a border, port or airport will be perpetrated by serious organised crime. Anecdotally, a lot of the crime I come across day to day involves opportunistic individuals and organised criminals. These risks are managed through employment screening and internal controls (which might include detection programs – see What can be done about it? below).

Common activities of serious organised crime – is there a nexus with your business?

Understanding the types of activities which commonly involve serious organised crime groups can help businesses assess their likely exposure to this activity. In the following list, I have compiled a list of offences based on information published by the FBI and ACIC:

Bribery
Currency Counterfeiting
Embezzlement
Fraud schemes
Cybercrime
Investment and financial market fraud
Revenue and tax fraud
Credit card fraud
Superannuation fraud
Money Laundering
Murder for Hire
Drug Trafficking
Prostitution
Exploitation of Children
Organised retail crime

Human Trafficking and Slavery
Intellectual Property Crime – including Counterfeit Goods
Illegal Sports Betting
Cargo Theft
Sale and distribution of stolen property
Murder
Kidnapping
Gambling
Arson
Robbery
Extortion
Tobacco and firearms smuggling
Vehicle theft

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What we know about Serious Organised Crime in Australia today

Access to detailed assessments of the nature and sophistication of serious organised crime in Australia are not publicly available. However, one of the most useful reports is the periodic assessment of Serious Organised Crime released approximately every 5 years by the Australian Criminal Intelligence Commission. This report provides a useful outline of serious organised criminal markets in Australia, as follows:

Illicit Commodities	Serious Financial Crime	Specific Crime Markets	Crimes Against the Person
Narcotics	Cybercrime	Visa & Migration Fraud	Exploitation of Children
Illicit Pharmaceuticals & Anaesthetics	Investment & Financial Market Fraud	Environmental Crime	Human Trafficking & Slavery
Performance Enhancing Drugs (e.g. steroids)	Revenue & Taxation Fraud	Intellectual Property Crime
llicit Tobacco	Superannuation Fraud
Illicit Firearms	Credit Card Fraud

ACIC (2017). Serious Organised Crime in Australia, Canberra

Understanding whether your business, including your supply chain, has a nexus with any of these criminal markets will help inform your threat and risk assessment process in relation to organised criminal infiltration. As with assessing physical security of your office premises or facilities, you may not have a direct nexus with organised crime but your suppliers or neighbouring businesses might. This creation of an indirect nexus should also be considered, as this could have adverse reputation, safety and disruptive effects on your business, employees or customers.

The role of criminal enablers

Some organisations may not be directly of interest to OCG, but they may be recognised as having something or someone who can enable or facilitate their objectives. Examples here include access to information, professional facilitators (eg. lawyers, accountants, trust & company service providers), systems (eg being able to change a database record in a third party system), or sub-leasing warehouse or storage space.

The Australia Criminal Intelligence Commission identifies six enablers of serious and organised crime (ACIC, 2017):

Money laundering
Technology
Professional facilitators
Identity crime
Public Sector corruption
Violence and intimidation

Enablers can be targeted by organised crime either directly (eg group leases warehouse space for its own activities) or in relation to employees in key positions. Employees who have some sort of vulnerability, either at home or at work, may be coerced, bribed, intimidated or extorted to perform acts at the direction of a group.

Photo by ThisIsEngineering on Pexels.com

What can be done about the risk of organised criminal infiltration?

So far in this post, we’ve demystified what constitutes serious organised crime, the types of activities (offences) commonly associated with this activity, the criminal markets where organised crime groups are found, and the professional intermediaries and enablers who might knowingly (or unknowlingly) support them. The next question is what to do about it.

The starting point for any business leader concerned about potential organised criminal infilitration in their business is a thorough, objective and factual assessment of the threats and risks, and their associated likelihood and consequence. Once understood, a proper security plan can be implemented to mitigate these risks.

With infiltration by organised crime there is a potential insider threat. This can materialise within both the employee and contractor / third party populations, including within the extended supply chain. This also needs to be considered when scoping any assessments. Suggested actions for businesses concerned about organised criminal infiltration include:

Perform a Threat Assessment to map your ‘threat universe‘ (i.e. who is likely to target your organisation), and why
Undertake a Security Risk Assessment, which incorporates identifying critical assets, vulnerabilities (control gaps), consequence and likelihood (i.e. which of your assets might serious organised crime groups actually consider attractive) for the various threats identified in the Threat Assessment. For risk such as product theft or product diversion, don’t forget to assess if your products are CRAVED.
Undertake a Personnel Security Risk Assessment – this is commonly separate to your Security Risk Assessment, but identifies high risk positions and roles in the organisation which give acceess to your critical assets, and the types of employment screening (background investigation) and continous insider threat detection programs that may be required to mitigate the risk
Perform due diligence on prospective and current employees, contractors, suppliers and business partners / third parties based on the risks idenitifed in your Security Risk Assessment and Personnel Security Risk Assessment.
Develop a robust intelligence and security program to monitor for ongoing changes to your organisation’s threat landscape (including building capabilities such as media monitoring), and where appropriate, develop partnerships with police and security agencies to help mitigate the risk to within your organisation’s risk appetite.

Following these steps will ensure you know where you need to focus your security effort and resources. It may be that your greatest risk is that of opportunistic individuals and organised criminals (including trusted insiders and employees or contractors of your third parties or business partners) and not serious organised crime, requiring a different treatment strategy. If in doubt, seek assistance from an appropriately qualified professional who is licenced by the State Police to give security advice in the relevant Australian jurisdiction. If in doubt, have a read of this advice from ASIAL, the Australian Security Industry Association.

Los Angeles rail hijackings – a form of cargo theft

Posted on January 18, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What is going on?

Recently, there has been substantial coverage of the hijacking of goods trains by thieves on Los Angeles (LA) goods lines (McFarland & Mossburg 2022). Images of damaged or discarded shipments from distributors to consumers (end users) strewn across the train tracks are common, as are photos of railway police trying to apprehend individuals and small groups running along the tracks.

Reportedly, these criminals either force entry to stationary or slow-moving goods trains, ransacking any items which appear to be of value. Since they have been doing this for a while now, one must presume they have learned what more expensive packages look like (e.g. branded shipping boxes, specific logos) and are likely selected over lower value items (see my previous article here). Additionally, media reporting also stated that larger, harder to move goods are discarded on the train tracks over smaller items easily transported by a single human trying to flee the scene quickly. This activity is a form of Cargo Theft.

What is cargo theft?

The prevention of cargo theft is a core pillar of any supply chain security program, ensuring goods are not stolen in transit either from the factor to a distributor (for larger or bulk shipments), or distribution centre to end user (as appears to be seen in this example).

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

How does cargo theft impact brand integrity?

When cargo theft occurs in bulk, there is a real risk the diverted product is moved into grey markets (gray markets) or alternately that stolen product is infiltrated into legitimate supply chains, and then on-sold to end users (see Sugden 2009). An example of the scenario that occurs here is where an authorised distributor is approached by a purported ‘wholesaler’ to purchase legitimate (non-counterfeit) stock at a discount to prices set by the manufacturer or standard wholesale prices.

In this scenario, distributors may knowingly or unknowingly purchase stolen but non-counterfeit product and then sell this to end users, with three potential business impacts:

The manufacturer is disadvantaged through erosion of their profit margins,
A ‘legitimate market’ is created for the stolen goods through poor purchasing controls by the distributor, and,
Potential future revenue leakage and brand damage to the manufacturer through services and warranty fraud, if a customer who purchased the non-counterfeit good from an authorised distributor makes a claim.

Cargo Theft Typologies

According to the latest BSI Survey on Supply Chain Risks (2020), there are four primary cargo theft typologies (note the report does not define each typology, I have added my own definitions here)

Hijacking – where the vehicle (truck, train, plane, ship) carrying the goods is stopped and control is taken of the entire vehicle. Typically, vehicles are typically taken to a third location controlled by the hijackers for unloading and disposal. Hijackers may be working in collusion with trusted insiders (e.g. drivers or warehouse staff).
Theft from a vehicle – whereas hijacking involves the whole vehicle, this typology involves stealing selected goods from the vehicle (e.g. specific boxes), and is what we see in the LAX examples.
‘Slash and grab’ – when cargo is transported in soft skinned trucks, the vinyl or canvas covers can be slashed and any items to hand quickly stolen.
Other – undefined typologies, presumably including theft by employees or third parties as well as fraud (e.g. claims of shipments being damaged as cover for theft).

According to BSI, cargo theft primarily occurs in six geographical locations:

In-transit – whilst the vehicle is moving (e.g. slowed due to traffic congestion, stopped at traffic lights or an accident)
Rest areas – trucks carrying high value cargo without two drivers are at risk when the driver stops for a break or sleep
Warehouse – there are at least two risks here:
- Theft from warehouse by criminals (e.g. breaking & entering) with no insider involvement
- Inventory theft or fraud by trusted insiders (e.g. employees)
Unsecure roadside parking – where a loaded vehicle is parked either at the point of origin or destination
Freight facility – where multiple trucks / trains are unloaded in a single location
Other locations – these are not defined

How do the proceeds of cargo thefts end up in grey markets?

We sometimes see high value goods, such as stolen motor vehicles, being exported from the jurisdiction where the theft occurred (e.g. the USA) to an overseas jurisdiction where the product is in high demand and where criminals can obtain substantial profit margin on the sale of the stolen goods.

It might also be common to see sales of consumer products being sold online (either individually or in bulk) by either a business or individual seller or sold to authorised or unauthorised distributors [an ‘authorised distributor’ is defined as one which has a signed distribution agreement with the manufacturer or Intellectual Property Rights (IPR) owner and is conducting their business operations in the geographic area(s) stated in the agreement].

In the case of the LA activity, the stolen goods seem to be packages shipped from distributors which are stolen before delivery to the consumer (end user), rather than bulk shipments (e.g. multiple copies of the same product). These stolen goods can also be sold online, in person through social networks or street corners, or local flea markets.

What can be done to help mitigate this type of cargo theft?

There are three main strategies that can be employed to mitigate the types of risks seen in Los Angeles, as follows:

Physical Security (including use of tamper evident seals) – appropriate (i.e. risk-based) physical security should be part of any Supply Chain Security program. This may be the responsibility of the logistics provider (i.e. a third party) or the manufacturer. Most shipments are covered by insurance against theft or damage, but this may be subject to exclusions.
Market Surveillance – a robust market surveillance program is essential for the protection of your products, IPRs and ongoing brand integrity. This involves using Open Source Intelligence (OSINT) techniques to monitor physical and online markets (e.g. flea markets, online market places like eBay and Gumtree) as well as social media for sales of your products, monitoring pricing (pricing surveillance), conducting test purchases (to determine the origin of the product for diversion and grey market purposes), and identification of sellers to determine whether they are authorised or unauthorised.
- This data should be added to a Graph database to facilitate Social Network Analysis and other intelligence analysis and investigative methods which might help to identify the criminal value chain and map organised crime groups involved in this activity.
Collection and analysis of incident data – in my previous post on product fraud and security risk assessments, I discussed the importance of capturing current and historical incident data for analysis. The sorts of questions you need to ask of your data here includes whether there are any common themes or trends and whether any specific products are at higher risk than others (e.g. those which are more valuable or CRAVED by thieves).

Conclusion

Whilst cargo theft is a risk, there are controls and other measures which can be implemented to mitigate it. Proper planning is essential, as is the use of security risk analysis to identify where effort (and budget) should be allocated, and the use of intelligence methods to continuously monitor the market and those actors (individuals, legal entities) involved in it. Ideally, any incidents are either prevented, detected or disrupted before a loss is incurred, but in some cases formal investigation may be required.

Natural Hazards and Accidents, and their intersection with physical threats

Posted on November 20, 2021 by Paul Curwell, CPP, CFE, CISSP

Author: Paul Curwell

Introduction

With the impending passing of the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (referred to as SOCI, or Security of Critical Infrastructure) in the Australian Parliament, and the Department of Home Affairs working through definitions of the Rules which prescribe the requirements for critical infrastructure operators around integrated risk management, there is a lot of movement and discussion underway within Australia’s expanded eleven critical infrastructure sectors to ensure readiness to comply with the new legislation.

As it currently stands, the legislation refers to “physical and natural hazards” which is out of alignment with terminology used in various Australian / New Zealand and International Standards (ISO). When it comes to physical threats and hazards, there are effectively three categories:

Physical threats – pertains to security risks and are caused, ultimately, by humans. The difference between physical threats, natural hazards and accidents is intent to do harm or otherwise impact the ‘security’ of something. These are generally assessed via a ‘Threat and Risk Assessment’ or ‘Security Risk Assessment’.
Natural hazards – are those which derive from nature (sometimes referred to by insurers as ‘acts of god’). These are generally assessed using different techniques, such as risk bowties.
Accidents – includes industrial accidents and similar events which can have the same / similar impact as natural hazards but are caused by humans, rather than nature. There is a possibility that what appears as an accident might actually be caused by a physical threat, such as an insider seeking to perpetrate an act of workplace sabotage or terrorism.

In my work, I primarily focus on risks with a root cause in national security or crime, as opposed to working on business continuity generally. I regularly encounter situations in my work with clients where I am requested to assess natural hazards (including accidents) and physical threats using the same underlying risk assesment methodology.

Whilst you can aggregate the results of risk assessments against physical threats with natural hazard and accident risk assessments (some of which have a close relationship to occupational health and safety or Health Safety Environment risk management), trying to apply the same underlying risk assessment methodology on an asset by asset or site basis is not leading practice.

Photo by Genaro Servu00edn on Pexels.com

Types of Natural Hazard

So what is a hazard anyway? A hazard is defined by ISO31000 as “a source of potential harm’ and is different to a risk. In fact, hazards (like physical threats) both cause risk events if controls to prevent their occurance either do not exist or are inadequate. Have a read of this excellent article from the team at Broadleaf Capital International if you want more information.

For the purposes of this article I have used the Centre for Research on the Epidemiology of Disasters (CRED) EM-Dat taxonomy, an excellent resource, which records 17 types of natural hazard across 6 categories:

Natural Hazard Category	Natural Hazard
Geophysical	Earthquake
	Dry mass movement
	Volcanic activity
Meteorological	Extreme temperature
	Fog
	Storm
Hydrological	Flood
	Landslide
	Wave action
Climatological	Drought
	Glacial Lake Outburst
	Wildfire (bushfire)
Biological	Epidemic / Pandemic
	Insect infestation
	Animal accident
Extraterrestrial	Impact event
	Space weather

CRED EM-DAT General Classification (emdat.be/classification)

You will recall that the core risk assessment methodology focuses on Consequence (or impact) and Likelihood. When assessing Likelihood, or the chances of a natural hazard arising, you need to determine whether your asset is in a geographical area impacted by that given type of hazard. There are two main considerations here:

Regional geographical factors – this relates to where your asset is situated on the planet and is something you can’t readily influence. If your asset lies within an earthquake or cyclone (hurricane) prone zone, this increases the likelihood of the risk.
Local geography – is more specific to where exactly your asset is sited. An asset situated at the bottom of a deep valley is likely to be more prone to flooding than an asset situated at the top of a hill.

Governments and scientific research organisations all publish data on natural hazards which inform their likelihood. Some produce complex scientific models which can also be used to help understand factor such as when a natural hazard might arise, where exactly it will impact within a given geographical area, and how severe it might be. For many natural hazards, there are underlying indicators which are monitored by governments and research centres that provide advance warning of an impending natural hazard. One example here is the amount of dry fuel load in the case of bushfire risk. You can quickly locate relevant data for your risk assessments with the help of Google, most of which is free.

Photo by Recognize Productions on Pexels.com

Accidents

For the purposes of any risk assessment, the second main category of hazard is that of accidents. Sometimes, this category is referred to as ‘manmade accidents’ as the cause of an accident is effectively poor controls, human error, negligence etc – all of which are foreseable and theoretically preventable. The key difference between accidents and physical threats is intent. A worker at a chemical plant might accidentally drop a barrel which results in a chemical spill (an accident), or they could intentionally empty a barrel of chemicals to for example commit physical sabotage in the workplace (an ‘insider threat’).

Where accidents such as those outlined below are possible, it is not sufficient to simply address these from a safety or HSE perspective. Physical threats (in the form of insider threats) could intentionally cause one of these events which might pass undetected as an ‘accident’. A complete assessment of physical threats will reflect this.

Technological Hazard	Accident type
Industrial Accident	Chemical spill
	Collapse
	Explosion
	Fire
	Gas leak
	Poisoning
	Radiation
	Oil Spill
	Other
Transport Accident	Air
	Road
	Rail
	Water
Miscellaneous Accident	Collapse
	Explosion
	Fire
	Other

CRED EM-DAT General Classification (emdat.be/classification)

‘Show factories’ versus ‘shadow factories’ – what’s the difference?

Shadow factories introduce a host of risks for principals

Indicators of show and shadow factories

Risks and business processes with a nexus to Supply Chain Integrity and Security

Further Reading

What is Supply Chain Integrity and Security?

Supply Chain Integrity defined

A taxonomy of Supply Chain Integrity risks

The relationship between Supply Chain Integrity and your Quality Management System

Further Reading

How did we get here?

Is all research and development the target of theft?

What is research security?

Canada’s Safeguarding Your Research program

United Kingdom

United States

Australia – time for a change of attitude?

I’m a research or commercialisation manager – what can I do about it?

Further reading

What industries use critical minerals?

What are the security and supply chain risks for Australian companies?

What can we do about it?

Further reading

What happened?

A case of diversion or shrinkage? Motive is key

How can these types of product diversion events be detected generally?

What other preventative and detective controls might be relevant in this scenario?

Lessons learned – what to do about it?

Current legislation in NSW

Individual (operator) licencing in Australia

Employer (master) licencing in Australia

How to check an individual or business is licenced in Australia?

Further reading:

What is Serious Organised Crime anyway?

Common activities of serious organised crime – is there a nexus with your business?

What we know about Serious Organised Crime in Australia today

What can be done about the risk of organised criminal infiltration?

Further Reading

What is going on?

What is cargo theft?

How does cargo theft impact brand integrity?

Cargo Theft Typologies

How do the proceeds of cargo thefts end up in grey markets?

What can be done to help mitigate this type of cargo theft?

Conclusion

Further Reading

Types of Natural Hazard

Accidents

Further Reading