IPC-1792 Cybersecurity Training Guideline
Implementing IPC-1792 requires more than just desk-based understanding. Traditional cybersecurity training programs may be suitable for IT departments, but they are not effective for factories implementing the standard. Targeted, fit-for-purpose training is essential.
Practical, hands-on cybersecurity training is necessary. In addition, as electronics manufacturing sites shift from China and Western countries to Southeast Asia, training for newly established factories is becoming increasingly important so that new sites do not become entry points for attacks.
Therefore, trainer education and qualification screening are necessary, as is Business Continuity and Disaster Recovery (BCDR) practice training.
BCDR includes escalation procedures for use in the event of an incident.
As a concrete example, the following points should be prepared to ensure that actions can be taken smoothly in the event of an emergency.
- Regular training is necessary to ensure a smooth response in the event of an intrusion.
- Senior management should also be involved because cyber incidents require management decisions.
- Each of these initiatives should be based on the characteristics of the specific company.
- Each should be implemented at a depth that matches the level of trust required of each company and each product.
- Training assessors or training planners are developed within each company.
In the context of IPC-1792, procedures and preparations for responding to cyberattacks are referred to as cyberattack BCDR to distinguish them from procedures and preparations for responding to natural disasters. A common pitfall when promoting countermeasures is that production departments often assume the IT department will manage all aspects of cyberattack BCDR. When this happens, factory-specific preparations are frequently overlooked. This highlights the importance of maintaining early awareness across all departments to ensure a comprehensive response.
Initial Awareness and Training Results
A factory may already have IT security management measures and ISO 27000-series certification in place; however, to realize the immediate-notification aspect of IPC-1792, it must identify the size and scope of the impact and take initial action as soon as unusual behavior is detected on the factory floor. These decisions require an in-depth understanding of the factory and therefore belong to the operational technology (OT) department, not to information technology (IT).
Traditionally, cyberattack BCDR has been the responsibility of IT experts; however, to meet IPC-1792, it is necessary to raise awareness with OT from the start.
In the scenario to follow, managers and production teams were engaged to recognize the problem, form response teams, and conduct a cyberattack BCDR drill. The training broadens awareness, strengthens countermeasures, and demonstrates how IPC-1792 practices can be applied beyond a single OEM factory to the wider electronics manufacturing industry.
Preparation for Training (Awareness Raising)
BCDR for Natural Disaster Countermeasures and BCDR for Cyber Security Countermeasures
The first step is to give an overview of the differences between natural disaster response BCDR and cyber-attack response BCDR. There is no difference in aiming for disaster mitigation and early recovery. The major difference is whether the occurrence of a disaster is clear or uncertain. In many cases, organizations do not even know when a cyber-attack occurred. This means that in cyber-attack response BCDR, in addition to disaster mitigation and early recovery, early detection is an important issue. This is the basis for IPC-1792.
Figure: Natural Disaster BCDR and Cyber Attack BCDR (overhead view)
BCDR procedures for general (non-factory) cyber-attacks remain as before: once an intrusion is recognized, the network is immediately shut down, operations are halted, a forensic investigation is conducted, and only once it is complete is the system fully restored. A factory, however, must keep delivering production units on a weekly basis, and the business impact of applying the same method is too great.
Instead, preparations are made in parallel so that the initial response and the restoration of business can begin without waiting for the forensic investigation to be completed (see below for details).
Factory Features
Next, consider the characteristics of factories. Above all, an important characteristic that defines BCDR is that the factory is directly connected to the downstream market. Due to this direct connection to business, rapid detection and recovery are essential, along with accurate detection to minimize false positives. Failure to do so can lead to major business losses, loss of credibility, and supply chain disruption.
The difference in the units of time allowed is easily understood when one considers that a typical forensic analysis is performed in days or weeks, whereas a factory requires recovery in hours or days.
Table: Factory Characteristics
| Factory Feature | Reason | Example |
| --- | --- | --- |
| Directly connected to the market (downstream) | Manufacturing is the role of the factory, and its impact is directly related to digitalized social systems. | False information from IoT devices; intrusion from IT devices |
| Local cache | Real-time performance data for production and inspection equipment; production continuity in the event of network failure | SMT machines, ROM writers, test machine control PCs, MAC payout cache, SMT material setup information server |
| Equipment is a "black box" | Equipment is a mass of technology from various equipment manufacturers | Computer security measures inside inspection equipment vary from one equipment manufacturer to another |
| Fragmented local networks | Minimize the impact of network load on real-time devices; without a network, production continuity is hampered | Sensitive test equipment isolated from the backbone network |
| Analog | If not fully automated, a human determines what is correct and what is trustworthy | Employee appearance, physical condition, camera footage (even if recorded, it must be reviewed by a human after the fact) |
Have the Factory Consider BCDR Measures
Determining That an Attack Has Occurred
The first question to address is what constitutes a malicious attack, whether that attack will develop into an intrusion, and who makes that determination. This resembles natural-disaster BCDR, but responding to a "malicious" attack adds considerations that are unique to cyber-attack BCDR.
Take video camera surveillance, for example. Malicious attacks cannot be detected simply by recording. Even if someone watches a recorded video, they cannot detect malicious attacks unless there is a definition of what is judged to be abnormal. It is necessary to objectively define in advance which parts of the recorded data to focus on, and to observe them based on the criteria of what conditions are judged as abnormal. In other words, risk analysis must be conducted in advance. The challenge is to extract risks based on the assumption that criminals launch unpredictable attacks.
The following two methods are recommended for risk extraction:

Table: Risk Extraction Methodology

| Risk extraction method | Description | Reference |
| --- | --- | --- |
| Data-oriented security | Extract the data that affects the quality and functionality of the product being produced. The risk is that the integrity and availability of the extracted data will be compromised. | |
| Consequence-driven, Cyber-informed Engineering (CCE) | Equipment without data is also involved in production and affects the quality and function of the products produced. Pick a "failure you do not want to occur" and consider as a risk a situation in which that failure is caused by malicious intent. | https://inl.gov/wp-content/uploads/2020/01/CCEMethodologydeck.pdf |
In data-oriented security (DOS), the scope of influence of all information in the factory is simulated in order to extract the data that affects the quality and function of the products produced. Using the need-to-know approach, the scope of impact of each data item is identified, appropriate permissions are set, the placement of the data on the network is decided, and network isolation through segmentation is considered. This makes it possible to identify instantly which products are affected by a given compromised data item, a crucial measure for achieving the early detection that BCDR requires.
Distinguishing Between Failures and Attacks
Another distinction needs to be made between a failure and an attack. Suppose, for example, that a tablet device becomes slow to respond when displaying assembly instructions. There could be several causes, including a software bug, a device malfunction, or congestion caused by an OS update. It could also be a sign of an attack.
The extent of the affected products depends on which network segment the tablets belong to, but this does not clarify whether the issue is a fault or an attack. Often, it is not possible to clearly distinguish between a fault and an attack. A straightforward approach is to analyze the details, isolate the affected devices, and determine whether the issue is a fault or an attack. However, due to the nature of the factory, it is necessary to make a reliable determination in a timely manner. Based on this determination, a decision is made as to whether to halt production of the affected products.
Example of a description of a definitive procedure:
- If a virus or attack has not been confirmed, reboot the device.
- Replace it with a spare machine and observe the result.
- Check the status of the other terminals in the same segment.
Note: If a virus or attack is suspected or confirmed, rebooting may destroy forensic data held in cache, routing tables, process tables, memory, and other volatile areas. Do not reboot in these cases until this volatile digital evidence has been collected.
It is important to clarify disaster recovery procedures and determine in advance at what point an incident will be considered an attack, and the cyber-attack response BCDR will be triggered. If the decision is made in advance, timely decisions can be made; however, if the decision is not made in advance, decisions will be delayed. An example of a predetermined decision is when other devices in the peripheral segment to which the problematic device belongs are checked, and multiple abnormalities are found, indicating that an attack has occurred. By recording these judgment criteria in the factory’s manual, the organization can conduct the evaluation smoothly and without confusion.
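The scope-of-influence simulation and the predetermined fault-versus-attack criterion described above, as an added Python example that is not part of the IPC-1792 guideline. It models a line as devices placed in network segments that consume and produce data items, computes the downstream devices, segments and products of one compromised data item, flags data whose impact scope crosses segments (the "alignment of data impact scope and network segments" point), and applies a manual-style rule: an abnormal device with at least two abnormal peers in the same segment is treated as an attack, which triggers cyber-attack BCDR, a production halt for the affected products, and evidence preservation before any reboot. All device names, segment names, data item names, product codes and the threshold of two abnormal peers are hypothetical assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One piece of factory equipment in a network segment, with the data items
    it consumes and produces and the product codes it works on."""
    name: str
    segment: str
    consumes: frozenset
    produces: frozenset
    products: frozenset


# Hypothetical line layout, constructed for this example (not from the guideline).
DEVICES = [
    Device("setup-server", "seg-backbone", frozenset(), frozenset({"setup-info"}), frozenset()),
    Device("fw-server", "seg-backbone", frozenset(), frozenset({"firmware-image"}), frozenset()),
    Device("smt-1", "seg-smt", frozenset({"setup-info"}), frozenset({"placement-log-1"}), frozenset({"PRD-A", "PRD-B"})),
    Device("smt-2", "seg-smt", frozenset({"setup-info"}), frozenset({"placement-log-2"}), frozenset({"PRD-C"})),
    Device("aoi-1", "seg-smt", frozenset({"placement-log-1"}), frozenset({"inspection-1"}), frozenset({"PRD-A", "PRD-B"})),
    Device("rom-writer", "seg-test", frozenset({"firmware-image"}), frozenset({"write-log"}), frozenset({"PRD-A"})),
    Device("tester-pc", "seg-test", frozenset({"write-log", "inspection-1"}), frozenset({"test-result"}), frozenset({"PRD-A"})),
]
BY_NAME = {d.name: d for d in DEVICES}

# Hypothetical predetermined criterion from the factory manual: this many other
# abnormal devices in the same segment means the anomaly is treated as an attack.
ATTACK_THRESHOLD = 2


def impact_scope(data_item):
    """Simulate the scope of influence of one data item: follow every device that
    consumes it, then the data those devices produce, transitively (BFS)."""
    seen_data, seen_devices = {data_item}, set()
    queue = deque([data_item])
    while queue:
        item = queue.popleft()
        for dev in DEVICES:
            if item in dev.consumes and dev.name not in seen_devices:
                seen_devices.add(dev.name)
                for produced in dev.produces - seen_data:
                    seen_data.add(produced)
                    queue.append(produced)
    devices = [BY_NAME[n] for n in seen_devices]
    return {
        "devices": sorted(seen_devices),
        "data": sorted(seen_data),
        "segments": sorted({d.segment for d in devices}),
        "products": sorted(set().union(*(d.products for d in devices))),
    }


def segment_misalignment():
    """Data items whose impact scope crosses more than one network segment:
    candidates for re-placing the data or re-segmenting the network so that a
    single compromise stays inside one segment."""
    all_data = set().union(*(d.produces for d in DEVICES))
    scopes = {item: impact_scope(item)["segments"] for item in sorted(all_data)}
    return {item: segs for item, segs in scopes.items() if len(segs) > 1}


def triage(device_name, observations):
    """Apply the predetermined fault-vs-attack criterion to one abnormal device.
    observations maps device name -> "ok" or "abnormal" (constructed input).
    The decision precedes forensics, so the result is a recommendation for the
    designated manager, not an automatic action."""
    dev = BY_NAME[device_name]
    if observations.get(device_name) != "abnormal":
        return {"verdict": "no anomaly", "trigger_cyber_bcdr": False,
                "abnormal_peers": [], "halt_products": [], "actions": []}
    abnormal_peers = sorted(
        name for name, status in observations.items()
        if status == "abnormal" and name != device_name and BY_NAME[name].segment == dev.segment
    )
    if len(abnormal_peers) >= ATTACK_THRESHOLD:
        # Multiple abnormalities in one segment: treat as an attack and halt every
        # product downstream of the data this device produces.
        halt = set(dev.products)
        for item in dev.produces:
            halt.update(impact_scope(item)["products"])
        return {"verdict": "suspected attack", "trigger_cyber_bcdr": True,
                "abnormal_peers": abnormal_peers, "halt_products": sorted(halt),
                "actions": ["do not reboot: collect volatile evidence (memory, process and routing tables) first",
                            "isolate the affected segment from the backbone",
                            "escalate to the designated responsible manager"]}
    return {"verdict": "suspected fault", "trigger_cyber_bcdr": False,
            "abnormal_peers": abnormal_peers, "halt_products": [],
            "actions": ["swap in a spare device and observe",
                        "re-check the other devices in the same segment",
                        "reboot is acceptable only while an attack is not suspected"]}


if __name__ == "__main__":
    print(impact_scope("setup-info"))
    print(segment_misalignment())
    sample = {"smt-1": "abnormal", "smt-2": "abnormal", "aoi-1": "abnormal", "tester-pc": "ok"}
    print(triage("smt-1", sample))
```

In this constructed layout, a compromised "setup-info" item reaches both the SMT and test segments and all three product codes, which is exactly the kind of finding that should drive data placement and segmentation decisions before an incident rather than during one. The threshold and the action lists are placeholders for what the factory's own manual would specify.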
Keep in mind who makes the decision in each case. It is tempting to assume that anyone can make the decision by following the manual, but as long as the decision must be made before a thorough analysis is complete, it should always be made by the person responsible for management.
For example, a plant manager who was about to resume production after an interruption caused by a natural disaster reconsidered, because in making such a decision management must weigh the impact on the business and, depending on the severity of the situation, contact customers or disclose information to the media.
Additionally, management must determine in advance the amount to allocate for security measures for each relevant product.
Therefore, in addition to preparing the judgment criteria in advance as a manual, cyber-attack response BCDR must also decide in advance on the decision-making structure and the designated person (manager) who will make the call.
Basic Concept of Early Recovery
Full-scale countermeasures, including measures to prevent recurrence, need to wait until forensics are completed, including the identification of intrusion routes. However, the goal is to expedite recovery without adversely affecting the factory's business characteristics. Alternative production at other factories could be considered, or production could be increased on other lines of production at the factory. This is the first appropriate response that should be taken.
At the same time, the option of building a new line for alternative production in the plant should be prepared. Building a new production line itself in a new segment is an important way to safely resume production if the backbone network has not been compromised. In this case, equipment from the attacked line should not be reused. To reuse it, the organization must do a clean install from the OS level only after all forensic data collection for that equipment has been completed to prevent forensic data loss.
Facilitating restoration through such new construction is an effective means, but advance preparation is essential. In addition to preparing the necessary equipment, regular practice is needed to ensure a smooth transition of new construction on alternative routes.
Since production and inspection equipment can only be treated as black boxes in a factory, it is desirable to have spare equipment available in advance. However, because such equipment can be expensive or large, securing spares in advance is often difficult. In that case the existing equipment must be cleanly reinstalled, after forensic data collection has been completed. Advance preparation of emergency response procedures with production equipment vendors, inspection equipment vendors, and other related parties is therefore essential, backed by applicable contracts and regular practice.
Judging the timing of reconstruction is an important decision and, as with the determination of an attack, it should be considered in advance. Determine the conditions for the decision and the reasons behind it ahead of time, prepare a manual accordingly, and design a process for who will make the decision.
Note: The reasons for the decision to rebuild in this state must be something that can be disclosed with confidence. As a result, it is essential to reflect on accidents that have occurred worldwide, to incorporate new laws and industry standards, to incorporate changes in human common sense, and to establish a mechanism for periodic review.
Figure: Reconstruction Process Overview
BCDR Requirements Analysis
The table below provides an analysis of BCDR requirements in three stages: primary requirements, secondary requirements, and response policies. These are keyed to factory characteristics and cyber characteristics (as compared to natural disasters).
The analysis of critical data related to factory production focuses on integrity and availability, which directly affect BCDR. Confidentiality is important from the perspectives of personal information protection, trade secret protection, and economic security; however, since this analysis focuses on BCDR, it is excluded from the analysis. Note that confidentiality cannot be omitted as a security measure in actual factories.
Table: Analysis of BCDR Requirements
| Point of View | Feature Point | Required for BCDR | Secondary Requirements | Points to Keep in Mind (Response policy) |
| --- | --- | --- | --- | --- |
| Features unique to the factory | Directly connected to the market (downstream) | Detection speed | Preliminary understanding of data affecting the product | Monitoring of critical production-related data |
| | | | | Scope of influence (simulation) |
| | | | | Alignment of data impact scope and network segments |
| | | | Distinguish between failures and attacks | Peripheral search in case of failure |
| | | | | Criteria and manual preparation |
| | | | | Practical training |
| | | | Immediate decision by management (*) | System definition |
| | | | | Criteria and manual preparation |
| | | | | Practical training |
| | | Accuracy (reduction of false positives) | Subdivide the sphere of influence | Check the surroundings |
| | | | | Criteria and manual preparation |
| | | Recovery speed | Rebuild without waiting for forensics | Clean install |
| | | | | Practice |
| | Local cache | Detection speed | Ensure integrity of critical data | Data monitoring |
| | | | | Route monitoring |
| | | | | Practice |
| | | Control the frequency of damage | | Data placement and access control |
| | | | | Physical partitioning and access control |
| | | | | Human resource training and qualification system |
| | | | | E-signature |
| | | Recovery speed | Ensure availability of critical data | Backup |
| | | | | Recovery practice |
| | Equipment is a black box | Detection speed | Ensure means of detection | Peripheral device monitoring |
| | | | | Port monitoring |
| | | | | Detection tools / service request |
| | | Control the frequency of damage | Access control | Isolation |
| | | | | Data placement and access control |
| | | | | Physical partitioning and access control |
| | | | | Human resource training and qualification system |
| | | Recovery speed | Prepare for emergencies | Securing spare equipment |
| | | | | Emergency response contracts with equipment manufacturers |
| | | | | Practice |
| | Fragmented local networks | Detection speed | Ensure integrity of critical data | Data monitoring |
| | | | | Route monitoring |
| | | | | Practice |
| | | Control the frequency of damage | | Data placement and access control |
| | | | | Physical partitioning and access control |
| | | | | Human resource education and qualification system |
| | | | | Digital signature / Encryption |
| | | Recovery speed | Ensure availability of critical data | Backup |
| | | | | Recovery practice |
| | Analog | Detection speed | Ensuring human health | Qualification system, periodic examinations |
| | | | | Double-checking |
| | | | | Behavior monitoring |
| | | | | Human resource education and qualification system |
| | | Control the frequency of damage | Protection against human error | Digital signature / Encryption |
| | | | | Need to know |
| | | | | Data placement and access control |
| | | | | Physical partitioning and access control |
| | | | | Double quota |
| | | Recovery speed | | Securing replacement personnel |
| | | Recovery speed | Ensure availability of critical data | Backup |
| | | | | Recovery practice |
| Characteristics of cyber disasters (compared to natural disasters) | Unclear time of occurrence due to malicious attack (occurrence and detection differ) | Accuracy (fewer false positives) | Recognize multiple failures as attacks | Peripheral search in case of failure |
| | | | | Manual preparation |
| | | | | Practical training |
| | Cause of intrusion unknown | Recovery speed | Rebuild without waiting for forensics | Clean install |
| | | | | Practice |
| | It is not easy to determine the extent to which a device has been compromised | Recovery speed | Rebuild without waiting for forensics | Clean install |
| | | | | Securing spare equipment |
| | | | | Backup |
| | | | | Practice |
| | Disaster mitigation measures are defense and monitoring (natural disaster resistance and regular inspections) | Disaster mitigation measures | Security measures | Anti-malware |
| | | | | Firewall |
| | | | | IPS / IDS |
| | | | | Data placement and access control |
| | | | | Physical partitioning and access control |
| | | | | Human resource education and qualification system |
| | | | | Establishment of rules, creation of manuals |
| | | | | Digital signature / Encryption |

* For natural disasters, the person responsible for the factory makes decisions on site, but for cyber attacks the decision must be made by the responsible person at head office.
Overview of BCDR measures
The BCDR measures for factories described so far are organized by status, such as preparation, operation, and recovery, as shown in the table below. Not all measures must be implemented in-house. For example, one option is to use a business that provides secure storage services instead of implementing data security measures in-house. The important thing is to deeply consider what should be done, how deeply, and why.
As a reminder, copying data that already exists locally to a secure storage service without modifying it will not resolve the issue. This is important to strongly consider.
Table: Summary of Requirements and Countermeasures for Factory Cyber Attack Response BCDR

BCDR requirements: speed of detection, accuracy (few false positives), speed of recovery, prevention of false positives, disaster mitigation measures, and reduction of damage frequency.

| Status | Overview of BCDR Measures |
| --- | --- |
| Preparation | Understand the scope of impact of critical production-related data (simulation); alignment of data impact scope and network segments; creation of intrusion criteria and manuals; system definition; practical training; data placement and access control (including quarantine) based on need-to-know; physical partitioning and access control; personnel training, qualification system, periodic examinations; securing spare equipment; emergency response contracts with equipment manufacturers |
| Operation | Monitoring of critical production-related data; peripheral search in case of failure; data monitoring; route monitoring; double-checking; double quota; behavior monitoring; digital signature/encryption; backup; port monitoring; detection tool/service request; anti-malware; firewall; IPS / IDS |
| Recovery | Clean install (line rebuild) |

Note: Underlined items in the original table are the major items added in developing the cyber-attack response BCDR after the security measures were completed.
Practical Training (Incident Response Training)
It is imperative that training exercises on taking immediate action in the event of an actual incident involve senior management and personnel at the production site. With this training, participants will be able to identify issues independently and initiate a cycle of improvement.
It is advisable to prepare two types of training: one for senior management, who will make decisions on the establishment and termination of the task force in the event of an incident, and the other for production sites, who will experience the sequence of events from detection and escalation to the termination of the task force. Participation in the training will also help foster security awareness.
The following table provides an example role-playing format for this training.
Table: Classification of Desk Training
| Item | Workshop Practice | Role-Playing Practice |
| --- | --- | --- |
| Type | Discussion type | Interactive type |
| Summary | Provides a general situation. Sufficient time is spent on the topic; participants discuss it within the team and come up with a solution. The exercise focuses on many people considering various aspects of a crisis situation and responding to each of them. | Controllers manage the progress of each exercise in which players are trained. The controller presents the player with an ever-changing situation as a "situational scenario", and the player responds to the given situation according to their role and within strict time constraints. The training focuses on practical crisis response skills in each situation. |
| Characteristics | Since it can be participant-driven, it is easy to prepare in advance. The discussion-based workshop exercise is a practical way to organize the main points before formulating the BCDR. It is also a useful venue for review and verification after the BCDR is formulated. | Creating specific situations requires time and expertise in advance preparation. By narrowing down the objectives and themes of the exercise and presenting various situations, multiple departments can confirm their roles, such as collaboration between gates and between companies. |

Note: The controller manages the progress of the exercise and gives the players the situation with which to proceed. The player is a practitioner who assumes the role of a responsible person and handles the situation within the team as it should be handled.
In preparation for the training, determine the production line to be used for training and coordinate the dates, participants, and location. The security department will need to create training scenarios that are as realistic as possible. Once the training has matured, continue it with a structured scenario set and add new scenarios for participants to consider. Hands-on training is important both for identifying remaining issues and for refining measures that have been confirmed to be effective.
By experiencing the response for themselves, participants become able to stabilize the plant and operate the security practices on their own, after which KAIZEN (continuous improvement) can begin. To make the practices their own, particular emphasis should be placed on the initial practical training, which uses role-playing so that participants learn through actual experience.
Regular hands-on training is also necessary because security is constantly evolving, and so are the individuals responsible for responding to it.