Q1-2016
ERAI, INC QUARTERLY NEWSLETTER
Dear ERAI Members and Colleagues,

Back in early 2001, an ERAI Member contacted ERAI President Mark Snider about Toshiba DRAM parts. The parts failed in the customer’s application and were subsequently returned to the Member who happened to scrape the top of the part with his fingernail. He noted the part surface was easily removed, revealing a part with a Samsung logo. At that time, the same part was also manufactured by Samsung but with a different prefix. The difference between the Toshiba and Samsung parts was that the parts made by Toshiba were manufactured using CMOS while the Samsung parts used NMOS technology. Had these parts gone into an NMOS application, they most likely would have worked. The parts were probably counterfeited since CMOS technology was more expensive at the time as this was during the transition from NMOS to CMOS. This became the first incident of a suspect counterfeit part reported to ERAI. Knowing China had just been admitted into the WTO, Mark suspected this was just the beginning of a larger problem and created the ERAI High Risk and Suspect Counterfeit Parts Database.

Counterfeit parts have developed at a fast pace since ERAI posted the first part to the High Risk and Suspect Counterfeit Parts Database on April 1, 2001. Since then, ERAI has reported over 9,000 nonconforming and suspect counterfeit parts. The featured article in this issue of INSIGHT provides a look back at 2015 to see if, and how, suspect counterfeit and nonconforming parts reported to ERAI have changed over the past year.

While counterfeit parts have become more complex and difficult to identify, new technologies targeted at detecting counterfeit parts have leveled, and continue to level, the playing field. Accordingly, the counterfeiters are adjusting their techniques. We have recently been hearing how suppliers are advertising their product as “refurbished” – a subject we believe required a deeper dive to see how this differs from a remarked part. Are refurbished parts the same as remarked parts?

Counterfeits changed the global supply chain of electronics and, in response, companies were forced to transform their processes. Also in this issue are updates on standards development efforts from SAE and JEDEC that can assist manufacturers, integrators, purchasers and sellers of EEE parts to mitigate the risk of counterfeit parts.

As always, participation through data sharing from Members (and non-Members) is a crucial element in counterfeit part risk mitigation. Ensure that reporting is a regular part of your organization’s processes.

Anne-Liese Heinichen
Editor-in-Chief
anne@erai.com

2015 Annual Report



By: Damir Akhoundov

The Semiconductor Industry Association (SIA), representing U.S. companies involved in semiconductor manufacturing, design, and research, announced that the global semiconductor industry posted sales totaling $335.2 billion in 2015, a very slight decrease of 0.2 percent compared to 2014i. As we have previously observed, the number of parts reported annually to ERAI very closely correlates to the state of the overall semiconductor industry. The similarity throughout 2014 and 2015 was quite remarkable with 1138 and 1139 parts reported in 2014 and 2015 respectively.

As we can see in the Reported Parts linear trend graph, the last two years have seen a rather steady rate of parts being reported to ERAI with an overall growth trend over the span of the last seven years.





The 2015 linear trend displayed a rather constant rate of reporting while displaying a very slight overall downward trend.



The types of parts reported to ERAI show an overwhelming prevalence of integrated circuits, with programmable logic, memory, microprocessor and analog ICs comprising the majority of reports and accounting for almost twice as many reports as the rest of the part types combined.



When compared to the same graph depicting the part types reported by ERAI over the last 5 years combined, we can see that the 2015 results follow a trend and show a consistent pattern. The same four part types comprise the overwhelming majority of reported part types over the last 5 years.



When we examined the alleged manufacturers of the parts reported in 2015 we once again observed that the Xilinx brand is most frequently targeted by counterfeiters and totals 11% of the parts reported to ERAI in 2015. A total of 14 manufacturers’ brands account for as many parts reported to ERAI in 2015 as the rest of the 154 other manufacturers’ brands combined.



This is generally consistent with our findings over the last 5-year period during which Xilinx remains the most targeted manufacturer. The rest of the top 14 are largely the same brands with slight changes in ranking. Interestingly, once again, the number of parts attributed to the 14 most frequently targeted manufacturer brands is largely the same as the number of parts attributed to the other 353 manufacturer brands combined.



We then took a look at the number of tests performed that led to the detection of a nonconformance. We observed that although the share of parts failing one test (usually visual inspection) remains very high (35%), the number of parts that have undergone 2, 3 or even 4 tests has grown substantially, accounting for 59% of all parts reported to ERAI in 2015.



Further examination reveals that by far the most commonly performed tests were visual inspection of the device package, visual inspection of the leads, and remarking and resurfacing testing. These three economical inspection methods comprise 64% of all tests performed. In fact, 86% of all tests performed to detect nonconformances in the 1139 parts reported to ERAI in 2015 did not require equipment more complex than a microscope. ERAI believes this is directly related to costs associated with test and inspection. An organization identifies a single nonconformance and rejects the parts, choosing not to proceed with additional, more costly counterfeit detection methods such as x-ray, decap or electrical test. These tests cost time and money, so to spare the expense, and knowing the customer will ultimately reject the goods, the inspection halts, resulting in a lesser classification of NC or NC/SC when, in all likelihood, had the organization taken a closer look and performed the minimum recommended tests, additional anomalies could have been discovered. We therefore urge organizations with in-house testing capabilities to perform as many tests as possible and to share this information with ERAI. When uploading parts to the High Risk and Suspect Counterfeit Parts Database, we don’t just note anomalies and failures, but we additionally have the ability to note if parts passed a test method, resulting in a more robust and detailed report.



We further analyzed whether any of the parts reported to ERAI in 2015 had been reported by ERAI in previous years. The results indicated that the majority of the parts reported in 2015 (79.8%) were new occurrences that were not previously reported to ERAI. Of the remaining 20.2%, more than half were reported previously only once and the rest were reported multiple times in the past. This indicates that the threat of encountering a nonconforming part that has not previously been detected is high and once again reinforces the importance of reporting nonconforming parts to ERAI. Everyone who has ever benefitted from ERAI’s data has done so because someone chose to share their encounter with a suspect device by reporting the part data to ERAI.



Overall, the 2015 numbers were in accordance with the state of the semiconductor industry in general. There was no unusual activity and the number of nonconformances has followed the general trend of the last 5 years.

Please Note: ERAI has made revisions to the part "type" designations on the ERAI High Risk and Suspect Counterfeit Parts Database. The designations are:

Nonconforming – A part that displays one or more nonconformance(s).

Suspect Counterfeit - A part that displays one or more nonconformance(s) and shows evidence of counterfeiting.

Nonconforming / Suspect Counterfeit - A part that displays one or more nonconformance(s) and shows evidence that it is a used part sold as new.

ERAI services both the commercial and government sectors. The definition of a suspect counterfeit part is decidedly different for the commercial sector than for those supporting government. Specifically, the government has included “used parts sold as new” in its definition of counterfeit according to the U.S. DOD Defense Federal Acquisition Regulation Supplement: Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D055) published in the Federal Register on May 6, 2014. While organizations in the commercial sector may argue selling a used part as new is “fraudulent”, most do not consider a used part sold as new as suspect counterfeit. For that reason, parts that are used and sold as new may be considered “NC-Nonconforming” to commercial manufacturers but currently must be considered “SC-Suspect Counterfeit” by a government supplier.

Additionally, a fourth part designation was recently added:

FN = Federal Notice - A part or list of parts which are publicly released as part of a U.S. federal/government agency notice. These parts may require additional evaluation based on your organization’s internal risk mitigation procedures.

"Federal Notice" or "FN" parts designate a part or list of parts which are publicly released as part of a U.S. federal/government agency notice. These parts may require additional evaluation based on your organization’s internal risk mitigation procedures. Throughout 2015, ERAI began recording these parts and posted a total of 597. Parts designated as FN do not undergo our usual vetting process nor do they have a standard list of metadata accompanying them. Therefore, although these FN parts are available in our High Risk and Suspect Counterfeit Parts Database, these "FN" parts have not been included in the above report as they lack the data necessary to compare them to the other parts that ERAI has processed. Therefore, the report and accompanying graphs will only include the 1139 parts specifically reported by ERAI and vetted and verified in the usual ERAI process in 2015. The 597 FN parts reported by ERAI in 2015 will not be included in the calculations to prevent a misrepresentation of the data.

If you have any questions or would like to see any statistical data that has not been covered in this report please contact Damir Akhoundov at damir@erai.com and we will do our best to provide the information for you.




i. Rosso, Dan. "Global Semiconductor Sales Top $335 Billion in 2015." Semiconductor Industry Association. N.p., 1 Feb. 2016. Web. http://www.semiconductors.org/news/2016/02/01/global_sales_report_2015/global_semiconductor_sales_top_335_billion_in_2015/


ERAI Website New Features


Report CBP Damage
Based on Members’ responses from our CBP survey, a new form has been added to the ERAI website to enable Members to report goods damaged by CBP during an inspection. When these goods are not properly repackaged by CBP, the parts are often damaged in transit causing a financial loss to the importer. CBP appears to bear no financial responsibility or liability even if their negligence contributed to the damage of the goods. ERAI has begun documenting these types of incidents in an effort to demonstrate to CBP the importance of proper handling and repacking. Our objective is to raise awareness and provide feedback from the industry that might lead to changes in how shipments containing sensitive devices are inspected and repackaged. Your input is vital. If you receive a damaged shipment that is the result of improper handling or repacking by CBP, please take a moment to let us know. To access the form simply click on the "Report" tab in the website's top navigation bar and select "Report CBP Damage". You do not need to be a member of ERAI to submit a report. Your identity will remain confidential and will not be revealed to CBP.

Conflict Minerals Information
A new section has been added to the "Toolbox" section of the ERAI website regarding conflict minerals. The article provides information on which minerals are covered by legislation, relevant US regulations and useful links to assist companies in compliance with Section 1502 of the Dodd-Frank Act and corresponding SEC regulations.

New File/Images Upload in Company and Reported Parts Reporting Forms
Technology updates have been made to the ERAI website to enable reporting organizations to upload files and images to accompany information provided during the reporting of a nonconforming part or a company. The new technology allows users to select and upload multiple files at once, facilitating the reporting process.




Refurbished vs. Remarked - A Disturbing Trend

By: Kristal Snider

Refurbished parts are defined as “parts that have been renovated in an effort to restore them to a ‘like new’ condition, e.g., leaded parts may have had their leads realigned and re-tinned and subjected to cleaning agents and chemical processing.”i But what if this “restoration” process also involves altering the part’s surface and remarking?

In recent months ERAI has identified a disturbing trend particularly, but not exclusively, involving Chinese suppliers and service providers, whereby remarked parts are being sold or identified as refurbished. It’s as if these individuals believe they have circumvented the laws that have been broken if they merely identify the parts as refurbished as opposed to new. They have not. Organizations are violating intellectual property right law even if the true nature of the part is disclosed.

Parts that have been resurfaced and remarked by an unauthorized third party, whether sold as used, new or refurbished, have been completely devalued. Resellers around the world would be far better off leaving used, reclaimed, surplus parts in their original condition and selling those parts as used and without supply chain traceability. If the true condition of the goods could be seen, organizations in need of these parts, which might be obsolete or in short supply, can make an informed decision and take appropriate steps to mitigate the risks associated with parts that may not have been properly stored and/or handled. Used parts have value and while their use may not be approved for life or mission critical applications, they may be acceptable in non-critical applications.

Refurbishing parts should not include sanding, sandblasting, microblasting, acid etching, blacktopping, or remarking. Even if the part passes electrical testing, contains the correct die and is marked with the correct part number, once the parts are remarked by an unauthorized third party, they are counterfeit.

In closing, organizations need to pay close attention to industry recognized and/or adopted terms and definitions and should be sure to comply with intellectual property rights laws in their country. For your convenience I have enclosed a list of key terms referenced in this article. ERAI has created a comprehensive glossary of terms and definitions which is regularly amended to comply with the most up-to-date standards and regulations. This valuable resource is available on the public portion of our site (www.erai.com) which means membership is not required to access this free, publicly available tool.

If you have questions or comments regarding this topic please do not hesitate to contact me. (ksnider@erai.com)

KEY TERMS

Blacktopped: A term used to describe the intentional covering of the original manufacturer part markings or masking the signs of rework and removal of original part markings.ii

Counterfeit Product:

  1. Any part, documentation, packaging, labeling, or identifying information that has been modified so as to fraudulently misrepresent authenticity.ii
  2. A fraudulent part that has been confirmed to be a copy, imitation, or substitute that has been represented, identified, or marked as genuine, and/or altered by a source without legal right with intent to mislead, deceive, or defraud. vi
  3. Counterfeit Electronic Part means an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified electronic part from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer. Unlawful or unauthorized substitution includes used electronic parts represented as new, or the false indication of grade, serial number, lot number, date code, or performance characteristics.v
  4. A fraudulent part that has been confirmed to be a copy, imitation, or substitute that has been represented, identified, or marked as genuine, and/or altered by a source without legal right with intent to mislead, deceive, or defraud.vi
  5. An unauthorized a) copy, b) imitation, c) substitute, or d) modified electronic part, which is knowingly, recklessly or negligently misrepresented as a specified genuine electronic part of an authorized manufacturer; or (2) a previously used electronic part which has been modified and is knowingly, recklessly, or negligently misrepresented as new without disclosure to the customer that it has been previously used.vii
  6. A counterfeit is an electronic part that is not genuine because it: is an unauthorized copy; does not conform to original OCM design, model, and/or performance standards; is not produced by the OCM or is produced by unauthorized contractors; is an off-specification, defective, or used OCM product sold as "new" or working; or has incorrect or false markings and/or documentation.viii
  7. An item that is an unauthorized copy or substitute that has been identified, marked or altered by a source other than the item’s legally authorized source, and has been misrepresented to be an authorized item of the legally authorized source.ix
  8. An item that is an unauthorized copy or substitute that has been identified, marked and/or altered by a source other than the item’s legally authorized source and has been misrepresented to be an authorized item of the legally authorized source.x
  9. (1) An authorized copy or substitute part that has been identified, marked and/or altered by a source other than the part’s legally authorized source and has been misrepresented to be from a legally authorized source; (2) An item misrepresented to be an authorized item of the legally authorized source; or (3) A new, used, outdated, or expired item from a legally authorized source that is misrepresented by any source to the end-user as meeting the performance requirements for the intended use.xi
  10. Counterfeit electronic part means an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified electronic part from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer. Unlawful or unauthorized substitution includes electronic parts represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.xii
  11. A part made or altered to imitate or resemble an approved part without authority or right, and with the intent to mislead or defraud by passing as original or genuine.xiii
  12. Counterfeit trademark goods shall mean any goods including packaging, bearing without authorization a trademark which is identical to the trademark validly registered in respect of such goods, or which cannot be distinguished in its essential aspects from such a trademark and which thereby infringes the rights of the owner of the trademark in question under the law of the country of importation.xiv


Electronic Waste (E-Waste): Discarded electronic devices, assemblies, sub-assemblies, components, and substances involved in their manufacture or use. E-Waste is exported to lesser-developed low wage nations such as China, India and parts of Africa due to mediocre or non-existent environmental standards and working safety laws. According to the US Environmental Protection Agency, millions of tons of electronic waste is gathered and exported annually to these regions. Only a small percentage of the waste collected is recycled. The balance of this material is exported overseas to “dismantling shops” where precious metals and electronic components are extracted for resale. This continuous supply of material is fueling the counterfeit market. International treaties are supposed to prohibit and deter the exportation of obsolete computer hardware from developed to developing countries; however, there are loopholes in the system. The waste that is sent to these regions for processing is done so illegally by transporting the goods through alternate ports, disguised as charitable donations or is done despite international laws and with lack of controls. It is well known that China is the largest recipient of E-Waste and that they have found more than one way to profit from global waste disposal. In certain regions of China, entire communities rely on E-Waste and counterfeit component trade as a source of revenue.

Microblasting: The process of microblasting uses a very fine abrasive media at 10 to 50 micron size which is then propelled through a fine-tip nozzle. This is used to texture or cut through materials where exacting detail is required. See also Sandblasting and Relabeling.xv

New Part: (1.) Electronic Components that have not been previously used in any capacity. (2.) Goods that are free of any physical defects such as: scratches, test marks, third party markings, programs or bent leads. (The leads on NEW parts should be in pristine condition; this does not mean refurbished, if the leads have been retinned / refurbished, they should be classified as refurbished.) (3.) New product should be packaged in the original manufacturers packaging (tubes, trays, reels, or as is specified by the manufacturer). This does not mean the original factory box OR factory sealed. (4.) Components in tubes and in trays should have the same date code, lot code and country of origin. Components on a reel should have the same date code, lot code and country of origin unless otherwise specified on the original factory label. (i.e., as was packaged by the original manufacturer) A distributor can sell more than one date code in a shipment, however all components in a single tube, tray or reel, etc., should contain a consistent date code, (including week code and lot code) and country of origin. (5.) New product does not need to be factory sealed in order to meet the industry standard definition of "new". However, moisture sensitive and static sensitive devices should be packaged in the proper ESD packaging material.xvi

Reclaimed Part: Large quantities of electronic equipment containing working devices are scrapped. Valuable components can be recovered for reuse; however, uncontrolled removal can damage and/or compromise the original electrical performance, reliability and operational life. These compromised parts can then be sold into the supply chain.xvii

Recycled Part: (1.) A counterfeit part type. (2.) Components that have been removed from a used system, repackaged and remarked and then sold in the market as new. Note: “The most widely discussed counterfeit types at the present time are the recycled and remarked types. It is reported that in today’s supply chain, more than 80 % of counterfeit components are recycled and remarked [38]. In the United States, only 25 % of electronic waste was properly recycled in 2009 [73]. That percentage might be lower for many other countries. This huge resource of e-waste allows counterfeiters to pile up an extremely large supply of counterfeit components. The components become recycled when they are taken from a used system, repackaged and remarked, and then sold in the market as new. These recycled parts either may be non-functioning or prior usage may have done significant damage to the part’s life or performance.”xviii

Remarked Part: Parts or devices in which the original part markings were removed or covered and then marked with a new part marking.xix

Note: “In remarking, the counterfeiters remove the old marking on the package (or even on the die) and mark them again with forged information. During the remarking process, the components’ packages are sanded or ground down to remove old markings (part number, date code, country of origin, etc.). Then, to cover the sanding or grinding marks, a new coating is created and applied to the component. Components can also be remarked to obtain a higher specification than they are rated for by the original component manufacturer (OCM), e.g., from commercial grade to industrial or defense grade.”xx

Sandblasting: The process of smoothing, shaping, or cleaning a hard surface by forcing solid particles across that surface at high speeds.xxi

Sanding: The act of removing original manufacturer markings by sanding or other abrasive process. In terms of counterfeiting, the act of removing the top and/or bottom markings on a chip for the purpose of remarking.xxii

Used Part: Product that has been electrically charged and subsequently pulled or removed from a socket or other electronic application, excluding electrical testing for acceptance. Used product may be received in non-standard packaging (i.e., bulk), and may contain mixed lots, date codes, be from different facilities, etc. Parts may have physical defects such as scratches, slightly bent leads, test dots, faded markings, chemical residue or other signs of use, but the leads should be intact. Used product may be sold with a limited warranty, and programmable parts may still contain partial or complete programming which could impact the part’s functionality. Used parts marketed as refurbished shall be declared as such.xxiii



i SAE Aerospace Standard AS6081 - Fraudulent Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition – Distributors

ii IDEA Standard IDEA-STD-1010-B

iii IDEA Standard IDEA-STD-1010-B

iv SAE Aerospace Standard AS6081 Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition – Distributors.

v DFARS 252.246-7007

vi SAE Aerospace Standard AS5553 Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition

vii SAE AS5553 Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition per the letter submitted to NASA and DoD, June/July 2013

viii U.S. Department of Commerce Bureau of Industry and Security Office of Technology Evaluation survey

ix Department of Defense Instruction, Number 4140.67 DoD Counterfeit Prevention Policy (April 26, 2013)

x NASA Federal Acquisition Supplement (NFS) Regulatory Review No. 1, 78 Federal Register 23199 (April 18, 2013)

xi Proposed DoD Defense Federal Acquisition Regulation Supplement: Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D055) published in the Federal Register on May 16, 2013

xii Final Rule, Department of Defense, Defense Acquisition Regulations System: Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D055) published in the Federal Register on May 6, 2014

xiii Federal Aviation Administration Advisory Circular 21-29C, Detecting and Reporting Suspected Unapproved Parts.

xiv Agreement on Trade-Related Aspects of Intellectual Property Rights Part III – Enforcement of Intellectual Property Rights Article 51 Suspension of Release by Customs Authorities

xv Engineering TV website.

xvi ERAI, Inc.

xvii iNEMI, “Development of a Methodology to Determine Risk of Counterfeit Use” by Mark Schaffer.

xviii “Counterfeit Integrated Circuits: Detection, Avoidance, and the Challenges Ahead” by Ujjwal Guin, Daniel DiMase and Mohammad Tehranipoor

xix IDEA Standard IDEA-STD-1010-B

xx “Counterfeit Integrated Circuits: Detection, Avoidance, and the Challenges Ahead” by Ujjwal Guin, Daniel DiMase and Mohammad Tehranipoor

xxi “Screening for Counterfeit Electronic Parts” by Bhanu Sood and Diganta Das – Center for Advanced Life Cycle Engineering.

xxii IDEA Standard IDEA-STD-1010-B Acceptability of Electronic Components Distributed in the Open Market, Rev. B.

xxiii SAE Aerospace Standard AS6081 Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition – Distributors


What smaller organizations can learn from the Target data breach and ‘Network Penetration’ DFARS

By Howard A. Miller, L/B/W Insurance & Financial Services, Inc.

In speaking with a number of companies regarding the potential risks of a data breach or unauthorized access, a common response is that we are not on the scale of a company such as Target. We do not have the volume of information that would make us a target for attack and therefore do not need to be as concerned with the exposure of a breach of protected or confidential data.

I think it’s important to consider some details of the Target breach. The origin of the Target breach started with the compromise of Fazio Mechanical, an HVAC company that was tasked to monitor energy consumption. My understanding of a Krebs on Security Report, “Inside Target Corp., Days After 2013 Breach”, is that malware was delivered by email which allowed thieves to steal the credentials needed to access Target systems. A Verizon assessment found that once inside the network, there were few controls to prevent access to POS terminals, leading to the compromise of consumer credit information and a loss of around $250 million for Target. To illustrate this further, it was found that access to a deli meat scale allowed communication with cash registers.

What does this teach us? The Internet of Things is a connected system. There is also a connected ecosystem of relationships behind these things. There is data communicated between these things and these relationships. The vendors and service providers include everything from HVAC and accounting to cloud services. The third parties that you rely on could expose your company to liability and damage based on how diligent and prepared they are in protecting and defending the confidentiality and integrity of information assets, which in a lot of cases could be yours. Going back to the Target example, many small to mid-size organizations could more closely align themselves to the HVAC contractor Fazio Mechanical Services than Target Corporation. The problem with being a small piece in the chain is that you are usually less prepared, less secure and less able to survive the financial and reputational consequences of a data breach than those at the top of the food chain.

The idea that we are only as strong as our weakest link starts to become an unacceptable risk when the integrity of the supply chain, the safety of our products, infrastructure, financial structure, and national defense are threatened. The society that we built on information technology and digital information must be maintained. We are not prepared to revert to an analog environment. Without the ability to meet a certain threshold of confidentiality, integrity and availability, we lose the ability to transact. An unmaintained road full of potholes turns into a crevasse that is not feasible to cross due to risk.

Enter Defense Federal Acquisition Regulation Supplement: Network Penetration guidelines related to Non-Federal Entities. Per the United States Government Accountability Office 02/2015 High Risk Series update, the DOD obligates more than $300 billion annually on contracts for goods and services, including major weapon systems, support for military bases, information technology, consulting services, and commercial items. One needs only to look at the similarities of the latest generation of fighter jets as an example of theft of intellectual property, R&D and Controlled Unclassified Information to see our country’s competitive and military advantage slipping away. Just like Fazio Mechanical, we must control risk throughout the supply chain as we are an integrated system.

Regarding non-federal information systems and organizations: as a risk manager, I would look at exposures, causes of loss and how strategic partnerships can more effectively manage the risk, including risk control and the financing of potential losses. Section 252.204-7012 Safeguarding Covered Defense Information includes subcontracts (thousands of subcontractors who will be involved) “with the operationally critical support, or for which subcontract performance will involve a covered contractor information system, including subcontracts for commercial items.” This type of contractual requirement flows down to mandate better security. Further requirements discuss implementation of the security measures in the NIST 800-171 guidelines by 12/31/2017 and rapid reporting of a cyber incident to the DOD and prime contractor.

What is the exposure? Covered defense information. Unclassified information that is provided, collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. Controlled technical information, critical information (operations security), export control, any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies (e.g., privacy, proprietary business information). There are dozens of categories under CTI further expanding this exposure for subcontractors.

What are the causes of loss? They include perils such as unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media. Cyber/physical perils could include mechanical failure and altered materials or components.

Compare an example of NIST 800-171 key areas with an insurance application for cyber liability.

NIST - 3.6 INCIDENT RESPONSE

Basic Security Requirements:
3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

Derived Security Requirements:
3.6.3 Test the organizational incident response capability.

Cyber Insurance
Application Question - Do you have written and explicit policies in place to deal with a Data Breach?

How does insurance respond to a breach? It can pay up to the policy limits and provide prearranged forensic resources to determine the scope of the breach. Notification coverage can assist with reporting requirements within an effective time frame.

Application Question – Has a written data back-up and disaster recovery plan been created and adhered to?

How does insurance respond to a breach? Unlike business interruption triggered by physical loss to tangible property, cyber liability insurance can be triggered by damage caused by malware/viruses that can disrupt a company’s operations and cause loss of profit and extra expenses needed to resume operations. Insurance may provide resources or reimbursement for these types of losses.

You start to see the overlap with the proactive compliance of DFAR requirements. An idea: cyber insurance coverage for subcontractors can give an advantage with regard to breach response, the cost of mitigation and use of pooled resources. Meeting DFAR requirements improves security, shows due diligence and supports qualifying for cyber insurance on better terms. This can pay for resources involved in incident response, business interruption and potential legal liability. It helps to transfer risk, which supports your efforts and balance sheet in the event of a loss. For those vetting subcontractors in the supply chain, insurance has proved in other areas to provide third-party assurance of a financial backstop and possibly a better response in the event of loss.

Please note this is not legal advice so check with a qualified attorney. That being said, these issues will not be resolved immediately but the sense of urgency and the responsibility to meet a higher bar of information security management is evident. I believe involvement from multiple industry sectors and expertise including, but not limited to, legal compliance, insurance and risk control will need to converge in dealing with the lifecycle of information. The demands for a more secure future may become non-optional. Welcome to the internet of everything.





The Standards Development Process

By Anne-Liese Heinichen

As many of you know, ERAI staff is involved in the industry standards development process, specifically through SAE International. As a whole, SAE standards are developed to “ensure the safety, quality, and effectiveness of products and services” [i]. While many of these standards tend to focus on aerospace, automotive, defense and other critical sectors, most are drafted to encompass general processes throughout multiple industries on an international level. Many are designed with a specific focus on an activity (e.g. distribution, manufacturing, integration) and material (e.g. EEE parts, counterfeit part mitigation).

Once the need for a standard is identified or a standard requires revisions, a committee is tasked with the creation or review. Committees are generally composed of individuals knowledgeable in a respective field who volunteer to draft language and provide suggested changes and comments on existing text for revisions to existing standards. These committee members represent different entities from government agencies (domestic and foreign), prime contractors, contract manufacturers, distributors (both authorized and independent), legal services, academia and other supply chain-related organizations. These individuals generously donate their time towards the development of these standards via regular teleconference and face-to-face meetings.

The process for the development or revision of a standard is more complicated than it appears. Most standards are consensus-based. This means that while some points are easily agreed upon by a majority of the committee members, other topics can and do often require hours of discussion and sometimes several re-visits before a consensus is reached. Many times specific topics are reviewed by sub-committee group members who volunteer to meet additional hours before presenting recommendations to the entire committee for review.

At SAE, comments submitted for review by the committee are maintained by a committee scribe and are taken up for consideration during the meetings. Once all of the comments are dispositioned, the document is presented to the respective SAE Committee for a 28-day ballot period. If there are no disapprovals/changes/comments submitted during the ballot period, after review by the Content Management Department, the document is presented to the SAE Aerospace Council for a respective 28-day ballot. As before, if there are no disapprovals or changes required by the Aerospace Council, the standard is published.

However, if during the ballot period comments/changes are submitted, the comments will be presented to the committee for consideration. Once those comments are dispositioned, the document will either be presented for another 28-day ballot or 14-day affirmation ballot (depending on the number of changes). This process continues if there are additional technical changes to the document. Once confirmed by the committee, the document is then presented to the SAE Aerospace Council as described above.

While this can result in a lengthy process, the procedure ensures that every committee member’s concerns are reviewed by the entire group. With the process in mind, below are the latest updates on standards currently in writing or under revision by SAE relevant to the industry:

SAE AS5553 Revision B issued by SAE G-19CI Continuous Improvement Committee:
As of the date of this article, Revision B of this document is currently in a 28-day ballot period through April 12, 2016. Intended for use by organizations that procure and/or integrate EEE parts and/or assemblies, the risk-based standard provides requirements for the mitigation of counterfeit EEE parts.

SAE AS6081 Revision A issued by SAE G-19D Distributor Committee:
AS6081 revision A, for use by independent distributors, is currently under development and is anticipated to go into a 28-day ballot after the approval of AS6171.

[NEW] SAE AS6171 issued by SAE G-19A Test Laboratory Standards Development Committee:
The AS6171 General Requirements document has passed committee balloting and has been sent to the Aerospace Council for final balloting. Several of the slash sheets also passed committee balloting and are being sent to the Aerospace Council for final balloting:
  • AS6171/1 Test Evaluation Method
  • AS6171/6 AM TM
  • AS6171/7 Electrical TM
  • AS6171/8 Raman TM
  • AS6171/9 FTIR TM
  • AS6171/10 TGA TM
  • AS6171/11 Design Recovery
There are four more slash sheets that are finalizing edits from previous balloting that will likely require committee balloting, but should be finalized in the next few weeks:
  • AS6171/2 EVI
  • AS6171/3 XRF
  • AS6171/4 DDPA
  • AS6171/5 Radiological
There are several slash sheets in development that will be included in the second release of AS6171. Detection of the Tampered counterfeit type will be out of scope for the first release, but will be included in the second release with some of the test methods in development.

All of these slash sheets will need to be finalized and sent to the Aerospace Council before the first release of the standard is published. The Committee Chair anticipates all current slash sheets being completed and sent to the Aerospace Council, and perhaps published by end of Q2 this year.

[NEW] SAE AIR6273 issued by the G19T Terms and Definitions Committee:
AIR6273 completed a 28-day ballot on March 29, 2016 and comprises definitions from various G19 and G21 Committee standards. This document will provide a standard set of terms and definitions to ensure consistency throughout SAE’s anti-counterfeit standards.

[NEW] SAE ARP6328: Guideline for Development of Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition Systems:
This new standard arises out of the former Appendices contained in Revision A of AS5553 and provides guidance for implementing a counterfeit mitigation plan for compliance to AS5553. Ballot comments are currently being addressed.

In addition to the aforementioned SAE standards, JEDEC has recently published a new standard on counterfeit mitigation. JESD243, released in March of 2016, is intended for use by organizations (e.g. OCMs, aftermarket manufacturers) that manufacture monolithic microcircuits, hybrid microcircuits and discrete semiconductor products under their own brand/trademark. The standard identifies best practices for mitigating and/or avoiding counterfeit products through supply chain oversight and purchasing restrictions. The document requires the organization to have a counterfeit mitigation policy, counterfeit electronics control plan, customer returns process/material control, training and recording of scrap parts and materials.



i http://standards.sae.org/aerospace/


Chip Broker Sentenced After Supplying Falsely Remarked Computer Chips to U.S. Military


On December 12, 2014, Jeffrey Warga, former president of Bay Components LLC, waived his right to indictment and pleaded guilty to conspiracy to commit wire fraud in violation of Title 18, United States Code, Section 1343, which states:

to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce.

On January 21, 2016, Warga was sentenced by U.S. District Judge Michael P. Shea in Hartford to three years of probation and was ordered to pay a $10,000.00 fine for supplying customers with falsely remarked microprocessor chips, many of which were used in the assembly of U.S. military and commercial helicopters.  The chips have been examined and determined not to be the root cause of any mechanical problems experienced by the helicopters to date.

Warga's case once again highlights the US Government's willingness to prosecute suppliers that are "willfully and knowingly engaged in a scheme and artifice to defraud their business customers by means of materially false and fraudulent representations".



Additional Reading:

Jeffrey Warga Indictment
http://www.erai.com/customuploads/WARGA Jeffrey information.pdf

Jeffrey Warga Guilty Plea
http://www.erai.com/customuploads/WARGA Jeffrey plea agreement.pdf

DOJ Press Release- Owner of Rhode Island Electronics Parts Company Admits Defrauding Customers
https://www.justice.gov/usao-ct/pr/owner-rhode-island-electronics-parts-company-admits-defrauding-customers

DOJ Press Release - Owner of Rhode Island Electronics Parts Company That Defrauded Customers is Sentenced
https://www.justice.gov/usao-ct/pr/owner-rhode-island-electronics-parts-company-defrauded-customers-sentenced


President Of Aviation Parts Company Arrested For Fraudulently Supplying Defective Airplane Parts To U.S. Government


On February 29, 2016, Paul Skiscim, President of Aerospec, Inc., was arrested on federal charges of supplying defective airplane parts to the federal government for use in its aircraft, including military aircraft. 

The charges were announced by Robert L. Capers, United States Attorney for the Eastern District of New York, and Kenneth J. Siegler, Resident Agent-in-Charge of the Defense Criminal Investigative Service (DCIS), New York Resident Agency.

According to the complaint, Aerospec had been a supplier of airplane parts to the United States from 2003 until 2013, when the company and Skiscim were debarred after supplying the government with defective airplane parts.  After his debarment, Skiscim allegedly continued to bid, contract, and supply defective airplane parts to the federal government through a series of shell companies using the names of relatives and fictitious people to mask his involvement from the United States Department of Defense, Defense Logistics Agency.  Since 2013, the shell companies received over $2.8 million for the supply of airplane parts, including parts that have been shown to be defective. 

The defendant was arraigned on February 29, 2016 before United States Magistrate Judge Anne Y. Shields at the federal courthouse in Central Islip.  The charges in the complaint are merely allegations, and the defendant is presumed innocent unless and until proven guilty.

The government’s case is being prosecuted by Assistant United States Attorneys Charles P. Kelly and Robert Schumacher.



DOJ Press Release: https://www.justice.gov/usao-edny/pr/president-aviation-parts-company-arrested-fraudulently-supplying-defective-airplane


Articles You Can’t Afford to Miss


New U.S. Customs Law Combats Counterfeiting
http://www.ttiinc.com/object/me-slovick-20160324.html

Aerospace and Defense Counterfeit Avoidance Accreditation Program Launched
http://p-r-i.org/aerospace-and-defense-counterfeit-avoidance-accreditation-program-launched/

JEDEC tackles counterfeiters with new standard
http://www.newelectronics.co.uk/electronics-news/jedec-tackles-counterfeiters-with-new-standard/116900/

NSWC Crane plays essential role in national security
http://www.tribstar.com/news/indiana_news/nswc-crane-plays-essential-role-in-national-security/article_deee3664-dfb7-11e5-a424-3b4bb6b74bf5.html

US bill on IP heads to President Obama for signature
https://www.securingindustry.com/pharmaceuticals/us-bill-on-ip-enforcement-heads-to-president-obama-for-signature/s40/a2690/#.VwVNaMvruiO

DOJ Press Release – President Of Aviation Parts Company Arrested For Fraudulently Supplying Defective Airplane Parts To U.S. Government
https://www.justice.gov/usao-edny/pr/president-aviation-parts-company-arrested-fraudulently-supplying-defective-airplane

Owner of Rhode Island Electronics Parts Company That Defrauded Customers is Sentenced
https://www.justice.gov/usao-ct/pr/owner-rhode-island-electronics-parts-company-defrauded-customers-sentenced

Electronics Counterfeiters Get Their Day in Court
http://electronicspurchasingstrategies.com/2016/01/15/electronics-counterfeiters-get-day-court/

Traceability of Supply Chain for Government Contractors
http://www.globalsupplychainlawblog.com/files/2015/12/Alerts-ElectronicPartsProposedRule.pdf

ECIA: DFARS Not ‘FAR’ Enough
http://electronicspurchasingstrategies.com/2016/01/06/ecia-dfars-not-far-enough/


Educational & Networking Opportunity


Symposium on Counterfeit Parts and Materials

Technical Symposium and Expo: June 28-30, 2016
Workshops: June 30, 2016
Marriott Inn & Conference Center
University of Maryland, College Park, MD

SMTA and CALCE @ University of Maryland are pleased to announce the east coast venue for the Symposium on Counterfeit Parts and Materials. The program will be held June 28-29 at the College Park Marriott Hotel & Conference Center. The Workshops will be held June 30 at the University of Maryland. Don't miss this opportunity to learn from and share your insights with government, industry and academia who are addressing the counterfeit problem.

Changes in the electronic supply chain have been fast and furious in the last decades, and their impact on the practices of companies is still evolving. It is well understood that the scourge of counterfeit electronic parts is related to the changes in the supply chain, but it is only one of the many impacts. This symposium will provide a forum to cover all aspects of how changes in the electronic parts supply chain affect the way an organization performs part selection and management through the whole life cycle of the parts.

Going beyond anecdotes and examples of counterfeit parts, this symposium focuses on the solutions that are available and are under development by all sectors of the industry.

The symposium is organized by SMTA in conjunction with the Center for Advanced Life Cycle Engineering (CALCE) at the University of Maryland, College Park, MD, USA. This symposium will be valuable to quality and reliability managers, supply chain managers, brand protection specialists, inspectors, marketing and procurement policy makers, contracts and legal management, security specialists and government agencies. Our focus is to provide relevant information to the professionals that can be used for solving problems today while planning for a different business and technology environment in the future.




White Paper Reviews


Tracing the Supply of Components Used in Islamic State IEDs

Why you should read it: Conflict Armament Research’s study produced with the financial assistance of the European Union describes the sourcing processes and speed with which Islamic State forces have acquired components for use in improvised explosive devices.

ERAI Insight: Conflict Armament Research (CAR) was able to identify 51 organizations from 20 countries involved in the sale of components to the Islamic State. While the report includes documented sales of chemicals, detonators, fuses, cables and mobile telephones, of particular note, an investigation in Iraq revealed that signal relays, transistors and microcontrollers were contained in IEDs deployed by IS forces. A response from one manufacturer indicated that the company does not supply products to locations that threaten general peace and that the product in question is a general-purpose device. While the manufacturer maintains records of customers who have purchased the parts in question, they refused to disclose the information due to contractual agreements. Another manufacturer responded that the information provided to them by CAR was insufficient to identify the recipient of each of the devices.

http://www.erai.com/CustomUploads/ca/wp/Tracing_The_Supply_of_Components_Used_in_Islamic_State_IEDs.pdf

Counterfeit Parts: DOD Needs to Improve Reporting and Oversight to Reduce Supply Chain Risk

Why you should read it: This report by the United States Government Accountability Office (GAO) examines the use and effectiveness of GIDEP with regard to counterfeit part reporting, DOD’s efforts in the detection of counterfeit parts and DOD’s reliance on contractors’ implementation of counterfeit avoidance systems.

ERAI Insight: This GAO report highlights the lack of reporting of suspect and confirmed counterfeit parts. Despite government mandates, counterfeit part reporting appears to lack oversight and direction from appropriate government agencies. The absence of a standardized reporting process for the industry, contractors’ apparent reluctance to report data and a lack of proper governmental oversight have resulted in GIDEP being less effective as an “early warning” system to mitigate counterfeit parts from entering the defense supply chain. The GAO report provides much-needed recommendations to increase compliance with counterfeit reporting requirements.

http://www.erai.com/CustomUploads/ca/government_studies/675227.pdf




Share Counterfeit and Nonconforming Part Data