Lean Digital Thread: The Secure Digital Thread



Securing intellectual property has become a priority for manufacturers, and recent reports from the U.S. and EU governments highlight the risks and direction for securing the supply chain. In February, the U.S. Department of Homeland Security published an assessment of supply chains supporting electronics manufacturing [1]. Following closely in March, Europol released the 2022 Intellectual Property Crime Threat Assessment report [2], bringing attention to the risks counterfeit electronic components pose to supply chains. Then in April, the direction for the U.S. Department of Defense Cybersecurity Maturity Model (CMMC) program became clearer as NIST released a draft of Special Publication 800-82 [3], which serves as the framework for securing operational technology within the defense contractor network. Let’s look at some of these recent publications and how they affect manufacturers.

Intellectual Property Security
The CMMC program is an initiative to improve information security within the U.S. defense contractor network. The program has been ongoing for a few years, but last November, the Department of Defense announced plans to clarify and enhance the program in an update dubbed CMMC 2.0. The goal of the update is to make CMMC a program that can be implemented by the entire defense industrial base, including smaller subcontractors that may not have expertise in cybersecurity.

Three key components of the CMMC program are:

  • Contracts with the U.S. Department of Defense that include clauses requiring security for controlled unclassified information (CUI)
  • Security frameworks and guidelines built on NIST standards and publications
  • Third-party auditing of the CMMC controls implemented at manufacturers

Securing information is not necessarily a new topic for most manufacturers. Security controls around information technology (IT) processes are generally in place for most publicly traded companies to adhere to financial regulations, and ongoing concerns about malware and hacks lead most organizations to keep their network secure from external threats. Even smaller companies can leverage outsourced IT contractors and cloud-based systems to have a well-managed, secure infrastructure. Of course, exploits occur, companies get hacked, and intellectual property is stolen, but not because we do not know how to secure IT systems. It is usually the case that some generally accepted control was not implemented, or social engineering was used to exploit the organization.

What may be a new challenge for manufacturers is the requirement in CMMC 2.0 to secure the operational technology (OT)—the machines and processes building the products. Typically, these machines are on segregated “unmanaged” networks that fly under the radar of traditional IT security. But with CMMC 2.0, manufacturers will need to implement similar security controls in this relatively uncontrolled environment. If this has you wondering how you will implement multi-factor authentication on the Windows 95 computer running that ancient, but critical, piece of equipment in your factory, do not fret too much; the CMMC requirements take these scenarios into account. For instance, physical security is considered one security factor, so as long as there is an acceptable control on who has physical access to the equipment, then multi-factor authentication is covered with a simple PIN or password control on the equipment.

The NIST Special Publication 800-82 Rev. 3 Draft released in April provides a framework for implementing the security controls in operational technology. It provides guidance on the typical OT system layouts, identifies common vulnerabilities, and recommends methods to mitigate system risks.

Supply Chain Security
While the electronics manufacturing industry continues to recover from the capacitor shortages of a couple of years ago, the supply of silicon is still constrained. The industry is planning new foundries to alleviate the lack in supply of IC components, but many manufacturers are stockpiling components to weather the current deficits, often turning to less-qualified, second-source vendors. Until IC supply catches up with increased demand, manufacturers face an increased risk of counterfeit, recycled, or otherwise inauthentic components.

With supply chain issues forcing manufacturers to use second- or third-tier suppliers for components, there is an additional risk of inauthentic materials being assembled on the line. These could be aged components, mixed lots, or counterfeit, recycled, or even tampered components. Current methods of mitigating these risks rely on destructive sampling of components or partial inspection of the top of the component. These methods leave gaps through which bad components can enter the supply, be assembled into products, and be shipped out to the field. Is there an efficient way to inspect 100% of components to prevent the use of bad components?

There are several points in the typical PCB assembly process where images are taken of the product and the components. The SMT machine takes a picture of the bottom of every component to use when aligning the component properly before placement. The AOI process takes a very detailed image of the board and the top of components after assembly. All these images can be used by AI to identify the source of the component and flag any components that are damaged (cracked, recycled, tampered).

Especially in the SMT process, the decision to assemble or waste the component can be made during the assembly cycle to prevent assembling any bad components. As an extra benefit, the traceability for the board is based on actual evidence of the component on the board and does not rely on operators labeling and scanning materials properly.

With this capability, each and every component placed on the board is inspected without any additional labor or loss of efficiency on the line.

Next Steps
To learn more about how manufacturers are adapting to the requirements of CMMC, check out the upcoming July 2022 issue of SMT007 Magazine.

References

  1. Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry, U.S. Department of Commerce and U.S. Department of Homeland Security, Feb. 23, 2022.
  2. Intellectual Property Crime Threat Assessment 2022, European Union Intellectual Property Office.
  3. SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security, Computer Security Resource Center, NIST.

Zac Elliott is technical marketing engineer for Siemens Digital Industries Software.


Copyright © 2022 I-Connect007. All rights reserved.