SMT007 Magazine

SMT007-July2022

Issue link: https://iconnect007.uberflip.com/i/1472190


follow the requirements stated." The ISO has certain mandates the company adheres to. But at some point, someone is not managing it like it should be and now can receive confidential unclassified information (CUI) through email. What happens to that email? Does your staff understand what they just received?

The problem in the industry is that nobody's maintaining the security posture. I've seen this happen several times where companies start off with clean protocols, but the breakdowns can be as simple as endpoints not being patched and kept up to date. That's simple cybersecurity hygiene. People like to take showers regularly and feel clean. Cybersecurity hygiene is the same.

Barry Matties: What's the risk, though? What are they jeopardizing by neglecting this area?

Patel: Specific to electronic manufacturing services (EMS), you find many types of devices, such as reflow ovens, AOI/SPI machines, screen printers, solder, and other equipment. If you don't update the firmware, the security, or operating patches, they're vulnerable to attacks. We've seen this repeatedly in EMS companies, where ransomware comes in, or they exploited the vulnerability, and then it wreaks havoc on the entire company.

Here's another example. A customer is running older-line assembly equipment with Windows NT from the 1990s. It's working and producing, and it's expensive to replace; it's doing the things it needs to do. From a security perspective, however, we have not isolated that older-line assembly equipment or the end-of-life systems that are critical to its operation.

It's a different game today, and attackers go after this kind of stuff. Manufacturing is a very old industry, but still evolving and developing. It hasn't been able to keep up with attacks. Once you set up a manufacturing company, you're just thinking about producing and getting product out the door. Your focus is bottom line revenue and you're not thinking about your vulnerabilities. Attackers are not people who want to randomly have fun on a network. They have a mission. They find vulnerabilities, exploit them, and make financial demands. That's a big problem in our industry.

Matties: You mentioned an older piece of equipment as an entry point for a hacker. Is that the most common entry point? And how common is email compared to the equipment?

Patel: The entry point is usually going to be through email or a phishing scam. That's the low-hanging fruit.

Matties: What is the red flag when it comes to emails? How do you safeguard a company against such emails?

Patel: It usually involves end-user, security awareness training. The biggest challenge for companies that want to safeguard their email is to know what to look for. It's as simple as, "Do you even recognize who's sending you the email?" A lot of people click on links, because it says, "click here" and "do this." End users are not fully trained on what to look for. If you know you're expecting an email, do you know the person who's sending it? Even if you did "know" them, what are they asking you to do? Does it sound like them? You must be more conscious and aware of what is being asked.

In one instance, accounts payable was asked to send $110,000 to their vendor. The accounting person noted the email was coming from the CEO, which suggested the email was legitimate. However, the email sender asked that the vendor change the banking details. Why? This request was made in the final hour of the transaction. Something triggered in the accounting person's mind to ask the CEO if they'd sent this email; the answer was "no."

It happens just like that. You click on the email and suddenly something is running in the background, like a keystroke logging system, that sort of thing.
