Estimated reading time: 5 minutes

Fresh PCB Concepts: Navigating Supply Chain Security and Traceability Through Standards

With increasing threats from multiple sources, the electronics industry has identified the need for protection with several levels of security concerns. This is reflected when you begin a new role, and you find yourself dealing with a number of protection practices during the onboarding process to secure your new employers’ intellectual property, the business, and even employees’ privacy and personal data. In addition to onboarding, larger organizations often require employees to adhere to new and updated protocols, undergo training, and adopt new work methodologies. These measures are implemented to address the growing risks posed by hackers, competitors, and foreign espionage activities.

The electronics industry plays a pivotal role in this landscape, serving as both the creator and manufacturer of devices that, when coupled with appropriate software and artificial intelligence, can inadvertently facilitate a wide array of unfriendly activities and threats. So, what do we do to protect ourselves?

In the electronic industry we have a wealth of standards to guide us into high reliability. These standards are developed for the entire production cycle from design to assembly. This also includes data protection, transfer of data, and dealing with data in production. A part of dealing with data is traceability, data protection, and to secure the supply chain toward interference from unfriendly external actors.

To help the industry protect itself, IPC has developed a series of standards to secure sufficient traceability in production and the supply chain, and cyber-related risk mitigation related to high-security products and industries exposed to foreign intelligence and potentially harmful cyberattacks. Regrettably, these standards are underutilized and often overlooked during industry discussions on companies' efforts to safeguard themselves. Have the task groups dedicated to developing these standards invested their time in vain, or is it simply a matter of the IPC failing to garner attention for these standards? I lack the definitive answer to this question, but I am inclined to investigate further to determine if these standards are relevant for both myself and the organization I represent.

Here are the standards:

IPC-1782B, Standard for Manufacturing and Supply Chain Traceability of Electronic Products

All larger companies working with high reliability have a need for traceability down to materials used, processes, and production lots. The main reason is to limit the damage to as few products as possible when a failure is detected. Depending on the nature of the failure, we can have a defect in one production panel, a production lot, or all panels made from one material delivery. From my experience, we do have this in place if we add a production lot number to the PCB traceability markings, and the factory has sufficient traceability in its production data system to find process and raw material lot data. At NCAB, we secure this by our corporate requirements to the PCB factory and requirements for production lot marking. In all factories we can find all related production data and raw material traceability.

I am also co-chair of D-33AA, the IPC task group responsible for IPC-6012XA, the automotive addendum to IPC-6012. We discussed the need to add IPC-1782B to this addendum, but we did not get a consensus since the automotive industry already had good traceability requirements in place through IATF16949 and Advanced Product Quality Planning requirements.

For me, this ends with no need for another traceability standard like IPC-1782B. 

IPC-1791D, Trusted Electronic Designer, Fabricator and Assembler Requirements

This is a standard focusing on cybersecurity and the implementation of Cybersecurity Maturity Model Certification (CMMC). This standard is probably among the lesser-known standards developed by IPC. There are several reasons for this. First, IPC-1791D is dedicated to U.S. DoD-related products, where the DoD has a focus on protecting the U.S. defence industry toward cybersecurity in the supply chain and to help suppliers be in compliance with CMMC regulations. The standard shall give confidence in the integrity of delivered products, ensure quality, supply chain risk management (SCRM), security and chain of custody (ChoC), and a trusted source certification of non-U.S. printed board design, fabrication, and assembly. The idea is to certify companies to IPC-1791. Still, this certification does not include DoD facility clearance unless compelled by customer-specific requirements and pursued independently of this standard.

The whole standard becomes complicated, and it is difficult to understand the need and benefit as long as DoD provides waivers to meet CMMC by at least the end of 2025. But suppliers to the DoD, whether located within or outside the U.S., should not fail to have updated information as regularly provided by the DoD.

IPC-1792, Standard for the Management and Mitigation of Cybersecurity Incidents in the Manufacturing Industry Supply Chain

This is a standard for all of us. IPC-1792 leads the user to create a safe environment protected against cyber-attacks in production, exchange of data, shipment of raw materials, shipment of the product between supplier’s warehouse, and gate-to-gate, to secure that no one has the opportunity to swap boxes, exchange goods inside a box, or as easy as swap labels, and finally reaches the buyer in a secure way. The intent of this standard is to eliminate the opportunity for the manipulation of software and hardware throughout the end-to-end manufacturing process, ensuring that products are built as intended by the original designer.

At NCAB Group, we have trusted suppliers throughout the entire supply chain. Nothing is left to chance. But even reading this standard can make you feel uncomfortable. Is the world really that cruel? The answer depends on your product, your customer's products, and if your factory could be subject to manipulation by a competitor, your customer’s competitor, or another country’s willingness to manipulate with competition. The answer is yes, we are all in the same boat. Among these three standards, I find this one most interesting to read and discuss within my organization. Does that mean we will implement the standard? Probably not, but it is good reading as a guide for our overall risk assessment.

So, what is the takeaway from this article? The world is cruel enough that we need to take measures to secure our businesses in the supply chain, and against space attacks. Our products can have defects, causing a problem at the customer side, where traceability can reduce the cost of damage. There are standards available, and we should all evaluate what is needed for our own businesses.

Jan Pedersen is director of technology at NCAB Group.