According to IPC-1792, when a cybersecurity incident occurs within an organization's supply chain (such as a factory), a mechanism should be in place to provide timely notification of the incident to downstream stakeholders.

Specifically, a stakeholder performs a cybersecurity incident quick assessment (CIQA) when an incident occurs. Based on the results of this assessment, the impact area (target product) and impact level are analyzed, and the results are transmitted to downstream stakeholders.

The following explains how the stakeholder incident notification works in accordance with IPC-1792.

Incident Notification Example

The following example of delivering an IT system to an end customer illustrates the flow of incident notification through a simple supply chain model. 

Factory A1 is a factory that produces components, including storage devices (pictured here), for use in IT system components. For Factory A1, Factory A2 is a competitor that produces storage devices in a similar manner. Factories B1 and B2 manufacture server equipment using storage devices supplied from Factory A1. Factory C1 buys server equipment supplied by Factory B1, and Factory C2 buys server equipment supplied by Factory B2 as components. Factory D purchases components from Factory C1 and Factory C2 to build the IT systems and provide them to client companies.

In this supply chain, Factory D is the so-called final shipping factory.

In the supply chain model described above, Factory A causes a security accident. Because a security accident occurred in the line where Factory A produces storage devices, the quality of the storage devices was questioned. This security incident needs to be communicated downstream in the supply chain.

The basic idea is to notify the stakeholder (factory) that is believed to have adopted the storage device of the incident. The stakeholder (factory) that is not related to competition or supply chain need not be informed of the incident.

The steps to achieve this are outlined and illustrated below.

Step 1

When Factory A1 detects the occurrence of a security incident, it notifies the delivery destination of the suspected product (storage device) involved in the incident, based on the shipping information it possesses. In the example in the figure, Factory B1 and Factory B2 are notified. It is not necessary to notify Factory A2, which is a competitor, even if the factory is compliant with IPC-1792.

Incident notification is made by communicating the Cybersecurity Incident Quick Identification (CIQI) resulting from the incident assessment conducted by the Factory, as specified in IPC-1792.

Step 2

The stakeholder (factory) downstream of the supply chain receives a notification from the upstream stakeholder from which the component is delivered and investigates the affected area of the component. In the figure, Factory B1 examines the shipment record of the product using the storage device supplied by Factory A1.

Factory B1 notifies Factory C1 of CIQI in the same manner as Factory A1 based on the shipment record.

This flow applies equally to factory B2 and factory C2.

Step 3

Factory C1 receives the result of CIQA from Factory B1 in the same manner as the flow in which Factory B1 responds to the notification of Factory A1. Factory C1 then examines the shipment record of the product with the server equipment supplied from Factory B1 and notifies Factory D of the CIQI.

 The same applies to factory C2.

Step 4

Factory D is the final shipping factory. As described earlier, it procures IT components from upstream in the supply chain, builds IT systems, and delivers them to final customers. 

Factory C1 receives the CIQI from Factory B1 in the same manner as the flow in which Factory B1 responds to the notification from Factory A1. Factory C1 then examines the shipment records of products with the server equipment supplied by Factory B1 and notifies Factory D of the CIQI results.

Upon receiving notification from the stakeholders (Factory C1 and Factory C2), Factory D notifies the final customer of the incident occurrence.

Return to Cybersecurity Guidelines