Silicon Safeguards: Securing the Circuit Board Supply Chain

Part 1: Emphasizing Cybersecurity Best Practices in Circuit Board Manufacturing

Introduction to Cybersecurity in Manufacturing

When selecting vendors for their manufacturing projects, our customers have several factors to consider, such as timelines, quality, and expertise. Cybersecurity responsibility must also factor into the decision. 

Cybersecurity is like a chain, and each vendor is a link. One weak link and the system fails. This requires that each vendor involved in the fulfillment of each contract maintain exacting standards for cybersecurity as it only takes one incident to put the customer in jeopardy.  

The stakes for each customer are different, but at a minimum a cybersecurity breach could leak their intellectual property, government secrets, or lead to attacks like ransomware. As a supplier, it is our job to ensure that we are doing our best to protect our customers’ sensitive information. 

The Essence of Cybersecurity Best Practices

There are many certifications a company can participate in to demonstrate they meet cybersecurity standards, with the requirements varying by industry.  

Here are a few standards that you may be subject to: 

  1. ITAR (International Traffic in Arms Regulations): Regulations for companies in the defense industry or those dealing with military-related technology. 
  2. DFARS (Defense Federal Acquisition Regulation Supplement): Regulations for companies working with the US Department of Defense (DoD). 
  3. PCI DSS (Payment Card Industry Data Security Standard): These regulations apply to companies handling payment cards such as retailers and online merchants.   
  4. HIPAA (Health Insurance Portability and Accountability Act): Organizations that deal with protected health information must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. 
  5. GDPR (General Data Protection Regulation): Although not exclusively a cybersecurity standard, GDPR has a significant impact on data security practices. It’s a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. 
  6. ISO/IEC 27001: This is an international standard on how to manage information security. 
  7. SOC 2 (Service Organization Controls 2): Specifically designed for service providers storing customer data in the cloud, SOC 2 defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy. 

While the requirements of each standard differ, at the core of it, they all require basic cybersecurity hygiene for your organization. Even if you are not subject to any of these requirements, compliance with basic cybersecurity measures should be high on your list to protect your customers, and to prevent your organization from being the weak link in your supply chain.  

First Steps for Your Organization

Whether your organization is subject to these or other cybersecurity requirements, there are some minimum best practices that should be considered, which include:  

  1. Regular security audits: Standards like NIST SP 800-171 are published online with their whole list of requirements. An initial self-audit might take one to several weeks, depending on the complexity of your organization, but once your organization has a solid understanding of the requirements, subsequent audits should take only a day or so.  
  2. Employee training: You do not have to be a cybersecurity expert to impart cybersecurity wisdom. Share security bulletins with your team, give examples of phishing attempts you come across, and keep the discussion going. Interested in going further? There are entire eLearning resources you can assign to your team, and even phishing compliance audits that can alert you to the need for additional training.  
  3. Incident response planning: You have been hacked. What now? Do you know who to report cybersecurity incidents to? Do you know HOW to report a cybersecurity incident? Turns out there is a system for incident response, but you need to be pre-registered – not a bad idea to get this out of the way now and have a plan in place for your organization.  
  4. Identify your “who”: If you are a small company with no technical expertise, you may find this all to be a bit overwhelming. The NIST SP 800-171 is certainly a dense, vague set of requirements, and you may need some professional help. Invest some time figuring out who that person or people are for you. If you don’t have the expertise internally, there are plenty of resources available that can help you through your first audit. That said, it’s best to stay out of “throwing money at the problem”. Cybersecurity only becomes a habit when your organization understands the importance and best practices, so simply paying somebody to conduct the audit can distance you from valuable experience and ownership.  

Cybersecurity can often feel like a bottomless pit in terms of investment, where pouring in more money and effort does not always equate to absolute security. This is where the 80/20 rule comes into play – a significant portion of the cost is incurred in the deeper, more complex stages of implementation. However, the most substantial impact often comes from mastering the basics. Understanding potential risks, educating your team, having a responsive plan, and knowing the right contacts for continuous improvement form the cornerstone of effective cybersecurity. Remarkably, these fundamental steps can be cost-free but incredibly effective.  

Looking For a Security-Conscious Manufacturing Partner?

California Integration Coordinators (CIC) is a one-stop printed circuit-board partner supporting customers with their electronic components and board manufacturing requirements for over 35 years. CIC is certified for both ITAR and DFARS, as well as ISO9001:2015. Want to see if CIC can help with your next project? Contact us at cic@cic-inc.com. 

Looking For More Information to Bolster Your Cybersecurity Defenses?

This post is part of a multi-part series on cybersecurity in the electronics manufacturing supply chain. For more ideas on effective controls, training, awareness, and putting it all together, follow our blog at https://cic-inc.com/articles or follow us on LinkedIn at www.linkedin.com/company/california-integration-coordinators.