Issue link: https://iconnect007.uberflip.com/i/1472190
JULY 2022 I SMT007 MAGAZINE 15

similar mindset in our industry with security issues. An executive is saying one of two things. Those who are taking the more proactive approach ask, "What do we do? Where does our business stand today?" The other response is, "I don't understand it and my business doesn't work with the DoD." Those who are being proactive know that there's a bigger problem coming, and we need to take it seriously now. Those not taking CMMC seriously will be too relaxed about security in general; they frankly don't care and that's scary.

Matties: Most of these pieces of equipment now are online in some fashion, connected in some way, right?

Patel: Oh yes. Everything is connected to the network, which could be connected to the internet someway or somehow.

Matties: The OEMs or the equipment manufacturers, in many cases, will have remote access points back into this equipment for updates. These are vulnerable openings as well.

Patel: Yes. Let's say an EMS company has an air compressor for their production lines. To report errors on those production lines, that compressor could be sending event or maintenance notifications. Those are connected to the network and they're communicating with other systems. People don't think about this. Air compressors can get on the network using WiFi. There are IOT devices inside these devices and a lot of sensors that report information. We can get output on all sorts of things. Those devices are on a network. Companies can get an inventory of what's running inside their network, not just computers, but devices such as IOT sensors. Are your AOI machines on the network? What are they doing? Do they have to be connected because they're communicating with other devices? Can they be isolated? My recommendation would be to get an inventory, then understand what the vulnerabilities are. Go back to the firmware or the manufacturers and check for updates to the firmware; take a proactive and measured approach.

Matties: We're seeing a flood of IOT sensors, as you know, coming into the marketplace, both in personal life, but also in Industry 4.0 specifically. Every sensor is going to be connected so every sensor is also an entry point. How does an EMS company bring in sensors and know that they're safe? How deep should that concern go?

Patel: You can do vulnerability scans—a database that contains all the vulnerabilities that have been discovered. Say a company runs one every quarter, and they find new devices being introduced; they can look to see if there are any vulnerabilities found on these devices. If you don't want to do that, the simplest thing you can do is run a vulnerability scan. It will come back with a report that could be less than 50 pages or up to a few thousand. We ran a vulnerability scan for a 15-person company, for example, and came back with 1,000 vulnerabilities.