Securing intellectual property has become a priority for manufacturers, and recent reports from the U.S. and EU governments highlight the risks and direction for securing the supply chain. In February, the U.S. Department of Homeland Security published an assessment of supply chains supporting electronics manufacturing [1]. Following closely in March, Europol released the 2022 Intellectual Property Crime Threat Assessment report [2], bringing attention to the risks counterfeit electronic components pose to supply chains. Then in April, the direction for the U.S. Department of Defense Cybersecurity Maturity Model (CMMC) program became clearer as NIST released a draft of Special Publication 800-82 [3], which serves as the framework for securing operational technology within the defense contractor network. Let’s look at some of these recent publications and how they affect manufacturers.
Intellectual Property Security
The CMMC program is an initiative to improve information security within the U.S. defense contractor network. The program has been ongoing for a few years, but last November, the Department of Defense announced plans to clarify and enhance the program in an update dubbed CMMC 2.0. The goal of the update is to make CMMC a program that can be implemented by the entire defense industrial base, including smaller subcontractors that may not have expertise in cybersecurity.
Three key components of the CMMC program are:
- Contracts with the U.S. Department of Defense that include clauses requiring security for controlled unclassified information (CUI)
- Security frameworks and guidelines built on NIST standards and publications
- Third-party auditing of the CMMC controls implemented at manufacturers
Securing information is not necessarily a new topic for most manufacturers. Security controls around information technology (IT) processes are generally in place for most publicly traded companies to adhere to financial regulations, and ongoing concerns about malware and hacks lead most organizations to keep their network secure from external threats. Even smaller companies can leverage outsourced IT contractors and cloud-based systems to have a well-managed, secure infrastructure. Of course, exploits occur, companies get hacked, and intellectual property is stolen, but not because we do not know how to secure IT systems. It is usually the case that some generally accepted control was not implemented, or social engineering was used to exploit the organization.
What may be a new challenge for manufacturers is the requirement in CMMC 2.0 to secure the operational technology (OT)—the machines and processes building the products. Typically, these machines are on segregated “unmanaged” networks that fly under the radar of traditional IT security. But with CMMC 2.0, manufacturers will need to implement similar security controls in this relatively uncontrolled environment. If this has you wondering how you will implement multi-factor authentication on the Windows 95 computer running that ancient, but critical, piece of equipment in your factory, do not fret too much; the CMMC requirements take these scenarios into account. For instance, physical security is considered one security factor, so as long as there is an acceptable control on who has physical access to the equipment, then multi-factor authentication is covered with a simple PIN or password control on the equipment.
The NIST Special Publication 800-82 Rev. 3 Draft released in April provides a framework for implementing the security controls in operational technology. It provides guidance on the typical OT system layouts, identifies common vulnerabilities, and recommends methods to mitigate system risks.
Supply Chain Security
While the electronics manufacturing industry continues to recover from the capacitor shortages of a couple of years ago, the supply of silicon is still constrained. The industry is planning new foundries to alleviate the shortage of IC components, but many manufacturers are stockpiling components to weather the current deficits, often turning to less-qualified, second-source vendors. Until IC supply catches up with increased demand, manufacturers face an increased risk of counterfeit, recycled, or otherwise inauthentic components.
With supply chain issues forcing manufacturers to use second- or third-tier suppliers for components, there is an additional risk of inauthentic materials being assembled on the line. These could be aged components, mixed lots, counterfeit, recycled, or even tampered components. Current methods of mitigating these risks rely on destructive samples of components or partial inspection of the top of the component. These methods leave open gaps where bad components can enter the supply, be assembled into products, and then shipped out to the field. Is there an efficient way to inspect 100% of components to prevent the use of bad components?
There are several points in the typical PCB assembly process where images are taken of the product and the components. The SMT machine takes a picture of the bottom of every component to use when aligning the component properly before placement. The AOI process takes a very detailed image of the board and the top of components after assembly. All these images can be used by AI to identify the source of the component and flag any components that are damaged (cracked, recycled, tampered).
Especially in the SMT process, the decision to assemble or waste the component can be made during the assembly cycle to prevent assembling any bad components. As an extra benefit, the traceability for the board is based on actual evidence of the component on the board and does not rely on operators labeling and scanning materials properly.
With this capability, each and every component placed on the board is inspected without any additional labor or loss of efficiency on the line.
To learn more about how manufacturers are adapting to the requirements of CMMC, check out the upcoming July 2022 issue of SMT007 Magazine.
References
1. Assessment of the Critical Supply Chains Supporting the U.S. Information and Communications Technology Industry, U.S. Department of Commerce and U.S. Department of Homeland Security, Feb. 23, 2022.
2. Intellectual Property Crime Threat Assessment 2022, European Union Intellectual Property Office.
3. SP 800-82 Rev. 3 Guide to Operational Technology (OT) Security, Computer Security Resource Center, NIST.
Zac Elliott is technical marketing engineer for Siemens Digital Industries Software.