The critical questions to ask EMS providers about data security

The importance of security for electronic manufacturing
Recent concerns have highlighted how security threats could derail the application and uptake of IoT. A study released by Hewlett-Packard discovered that 70% of the most commonly used IoT devices contain at least some vulnerabilities.

But these concerns about security are not just about the end-products but can be found in the manufacturing process itself.

Here are some of the stories that have hit the headlines in the last few years:

• Electronics manufacturer Foxconn was breached by a hacktivist group that released every employee's login information.
• Boeing was compromised repeatedly for four years by foreign nationalists trying to steal defence program manufacturing plans.
• In Japan, Korea and Germany manufacturers have been targeted by hackers, believed to be from China, trying to access IP data, trade secrets and blueprints.

And here’s a story that did not make quite such a big splash but is even more alarming.

• 48% of UK manufacturers have been subject to a cyber-attack – and half of these businesses suffered either financial loss or disruption to business as a result
• Manufacturing is now the third-most targeted sector for attacks by hackers

These shocking statistics are from a report on cyber-security for manufacturers, published by EEF and AIG and carried out by the Royal United Services Institute (RUSI)

It goes on to suggest that this threat will only deepen with increasing digitisation – and notes that 91% of manufacturers are investing in digital technologies.

The report also found that across the manufacturing sector cyber security maturity levels are ‘highly varied’ both in terms of awareness of the cyber security challenge and the implementation of appropriate risk mitigation measures.

Which suggests there are many weak links in the supply chain out there.

Critical questions to ask your EMS provider
The good news for electronic manufacturers is that GDPR has helped to focus minds. Manufacturers are increasingly willing to question their suppliers to ensure adequate security procedures are in place.

The EFF/AIG report found that 58% of manufacturers have been asked to demonstrate or guarantee the robustness of their cyber-security processes by a business within their own supply chain. Worryingly, 42% haven’t, and of even more concern is that 37% of manufacturers admitted they would be unable to do this if asked today.

If you are looking for an EMS provider to partner with here are four critical questions you should ask about their security arrangements.

(Chemigraphic provided our own answers after each one.)

1/ How do you ensure the security of your customer’s product data?

• Data is stored in a protected area that has restricted access
• Data is only ever distributed on a need to know basis
• The network has strict access controls, with verification required at each level of security
• Do not outsource any area of your PCB assembly – to ensure there is no risk of compromise from this
• Manage our supply chain robustly, establishing long-term relationships and always ensuring Non-Disclosure Agreements are in place where needed

2/ How do you ensure security on-site?

• The site has controlled access – this extends to each facility and internal area
• Carefully manage any contractors on site – access to customer data is never granted to anyone not employed by Chemigraphic
• The data itself is stored in a vault storage
• Have access-controlled IT server rooms

3/ How do you manage your supply chain to ensure data security?

• As the outsourced manufacturing partner to our customers, take full responsibility for the entire manufacturing process and the management of any suppliers and materials within it
• Source excellent materials using only reputable partners
• Have enhanced inspection and qualification procedures for new parts to minimise the risk of counterfeit parts with security feature defects or malicious designs
• Undertake supplier site security audits if necessary – especially for overseas suppliers
• All employees and contractors are thoroughly screened
• If you prefer, can work only from UK sources.
• Discretely manage customer information, including the restriction of signage and non-publicity clauses etc.
• Offer segregated materials storage and build areas – and providing a dedicated restricted-access area for security-conscious customers.

4/ Can you show me an example of a project of yours that had high security requirements?
Sure. This case study of work with a cyber-security sector customer is just one example of a project we’ve delivered where customer data and through processes were highly important.

Ask us about your data’s security with us
Everything Chemigraphic do is governed by robust processes. These are designed to meet exacting standards of security while delivering optimal efficiency and consistently excellent results. It believes that through intelligent planning, proper process and strict control, anything can be achieved.

Article written by John Johnston, NPI Director, of Chemigraphic.