Cybersecurity in Transportation: Implementation Challenges – Are You Ready?

This special report aims to provide a few keys to enhancing corporate cybersecurity, particularly in the transportation industry.

Cybersecurity of Your Operational Systems: Are You Ready?

 

The media regularly report on the impact of cyberattacks in the industrial sector. Crucial to social cohesion and the economy, transportation is one industry that operates under the omnipresent threat of cyberattack.

In Quebec alone, several recently reported events have revealed the industry’s vulnerability, leading to production stoppages as targeted industrial equipment and/or computer networks have been paralyzed. The ever-increasing number of officially disclosed attacks is but a glimpse into the actual situation, the full scope of which is still impossible to comprehend.

One indisputable fact remains: the financial and reputational stakes cannot be denied. No company can afford to fall victim to an attack that leads to service breakdown, holding users, customers, suppliers, and employees hostage. In light of the situation and increased cyberrisk factors, businesses should be vigilant and prepare appropriately to ensure the resilience of their organization.

Increased Cyberrisk Factors

Cyberresilience Self-Assessment

Resilience refers to the ability of a person, ecosystem, or economy to resume optimal operation after trauma, disruption, or crisis.

Just as viruses threaten human health, it is practically impossible to anticipate when or what kind of attack could jeopardize the survival of a business. Beginning to tackle the situation right away by determining the current status of the organization is not only possible, but highly recommended.

Where to begin?

A few self-assessment questions
  • Is the organization ready to react in the event of a cyberattack?
  • What operational systems face the greatest risk?
  • What percentage of the budget is dedicated to operational cybersecurity?
  • Have a cybersecurity program or other protective solutions been implemented? Have they been reassessed?
  • Are the skill sets required to assess cyberrisk exposure and solution rollout available in-house?

 

Adopt Best Practices Now

As we’ve previously discussed, assessing cyberrisk and risk mitigation measures should extend to the entire ecosystem in which businesses operate. It involves conducting a complete 360-degree analysis that includes company processes and structure, as well as those of every vendor in the supply chain.

The process should consider systems in the broadest sense (information technology, operational systems, equipment, machinery, etc.) and the people that run them, as digital security is still often compromised by human error.

The first stage of working toward greater cyberresilience consists of mapping operational systems. Drawing up the list of attack surfaces to determine the most vulnerable systems and the scope of risks the organization is facing helps define what level of protection is appropriate and what measures should be taken.

That means making cybersecurity a priority in all day-to-day operations and at the highest levels of the organization, for easier decision-making and resource mobilization. Changes to the organizational structure may be needed to ensure responsibility for cybersecurity is entrusted to the right people with the skills to make the necessary decisions.

The next stage involves implementing an operational cybersecurity program that includes a review of the corporate computer architecture. Business technology systems can be accessed in multiple ways, and every point of contact should be considered – critical systems, of course, but also interconnected subcontractor systems that handle increasing volumes of data. That’s why collaborating with the various parts of the supply chain is essential to securing systems.

Successful cybersecurity programs rely just as heavily on cross-functional collaboration within organizations. Having specialized teams take part in the process helps limit the impact on systems, as they have an invaluable understanding of technology.

Change management underpins the entire process. It is important to lay the foundation for the teams involved, and more broadly, to raise employee awareness about the nature of cyberrisks and how employees can make a difference day to day, helping them grow more vigilant. Communication, education, and training efforts are necessary. Areas of responsibility can also be reviewed so that the organizational structure of the business reflects the importance placed on cybersecurity.

Beyond integrating a well-thought-out operational cybersecurity program into operations, periodically reviewing and validating the measures in place is essential to keeping systems secure and adapted as technology develops.

The last stage consists of conducting regular audits of the cybersecurity program, along with complementary activities including surveillance and continued training for the teams involved. With these tools, businesses are in a better position to keep up with the new standards and regulations they will have to integrate over time, both when it comes to securing current systems and to designing and developing future systems.

Rising to the Challenge to Set Yourself Apart

The threat is latent. Business rolls on and it is in the interest of businesses to stay one step ahead and maintain their competitive edge.

Overlooking cybersecurity could put essential business relations at risk and threaten the survival of organizations. Businesses whose systems perform well but fail in terms of cybersecurity could be excluded from requests for proposals. Conversely, businesses with solid cybersecurity programs would be in an influential position and could prompt their own customers to adopt higher security standards, for the benefit of their entire ecosystems.

Operational systems that are covered by cybersecurity programs could even provide a competitive edge over the short term, as the vast majority of businesses are only beginning to implement such programs. Being ahead of the curve puts organizations in an enviable position.

While being prepared for attacks doesn’t prevent them from happening, it does help targeted businesses react quickly and appropriately. In doing so, they demonstrate their earnestness, skill, and professionalism, all of which inspire trust among customers and suppliers.

Technology is developing rapidly, and new fields of expertise are emerging in both computing and engineering. As a result, organizations should secure the right skill sets to uphold system cybersecurity over time.

Standards in the field are also evolving. Staying abreast of regulations and certifications being adopted in the markets in which businesses operate helps them make sure that their systems are designed to meet upcoming cybersecurity requirements. It seems likely that regulations stemming from the ISO 21434 standard will be adopted progressively across North America. Businesses can draw from this standard to set up robust processes that ensure the highest levels of security.

In a similar vein, staying on top of legislative developments could lead organizations to make a real difference, or at least foster the adoption of secure practices. Keeping a log of cyberincidents is a good example. Beyond the documentary interest in strengthening organizational security processes, such logs could become standard in the near future. Canadian regulations are evolving, and Bill C-26 is set to make it mandatory for businesses to report the cyberattacks they fall victim to, rather than the current voluntary disclosure.

Anticipating the adoption of such rules and complying with them now, if not outright going beyond set security criteria, puts businesses one step ahead in a changing environment. Taking the lead could even help set them apart and give them a say as these new regulations are developed.

Cyberthreats are ever-shifting disturbance vectors businesses must learn to deal with. Cybersecurity is not an end in itself, but it is becoming one component of businesses’ operational and financial health, and ultimately, of their survival.

As with any threat or crisis, the degree of preparation is often an indication of how quick and efficient organizations will be in recovering and resuming normal operations. Businesses can adopt a preventive approach to cyberthreats and develop greater agility, making a major positive difference in the long run.


Why So Many Op-Amps? Which Op-Amp to Select?

Denis Lachapelle, ing.
Francis Thiffault, ing.

Introduction

Operational amplifiers have existed for over 50 years, and each year many new op-amps are introduced on the market. The questions are: why are so many op-amps needed, and which op-amp should you select?

The first monolithic op-amps appeared in the sixties with part numbers like uA702, uA709, LM101, and uA741. But even before monolithic op-amps, there were op-amps built with discrete transistors and even tubes. Since these early days of the monolithic op-amp, new op-amps have been introduced to the market every year.

The op-amp function is quite simple: as shown in Figure 1, it provides a differential input, a high gain, and an output. Even though the function looks very simple, an op-amp can be used to realize many types of circuit blocks, such as the inverting amplifier, non-inverting amplifier, adder, integrator, differentiator, non-linear gain block, and multiplier, and you can probably imagine more.

Figure 1, Operational amplifier model.

Feedback

All the types of circuit blocks listed above are based on the theory of feedback and more particularly negative feedback, as shown in Figure 2. The negative feedback principle is to take a portion of the output and to subtract it back from the input.

Figure 2, Feedback.

The equation of the output can be derived as :

AFB: Closed-loop gain.
Vout: Output voltage.
Vin: Input voltage.
AOL: Open-loop gain.
β: Feedback path gain.

If AOL is very large, the equation simplifies to AFB ≈ 1 / β. Notice that AOL is no longer present in this equation. In the context of an op-amp circuit, AOL is the open-loop gain of the op-amp. So, according to this equation, the gain of the op-amp, if large enough, has no impact on the circuit block function.

Follower

The most basic op-amp based circuit is probably the follower, which has a gain of one, as shown in Figure 3. In this case β is equal to 1 and the gain is one. So what does this circuit do, if it only has a gain of 1?

Figure 3, Follower.

This circuit is of great importance since it provides a high input impedance and a low output impedance, so it is used to adapt signal impedance. For example, if we need to measure the voltage provided by a voltage divider and convert it to digital, in most cases we cannot drive the ADC directly with the voltage divider; instead, we insert a follower between the voltage divider and the ADC input.

In this case we select an op-amp with a high input impedance, much larger than the Thevenin equivalent of the voltage divider and a low output impedance to make sure the output is not affected by the ADC input impedance. We also select an op-amp with the proper bandwidth and a small DC offset in between the plus and minus pins to limit DC error.

Now, with just this simple circuit, the follower, we can list five parameters that are important for an op-amp. Table 1 lists these five parameters and their respective values for three op-amps, two dating from the sixties and one more modern (2023).

Table 1, Basic Op-Amp Parameters

| Parameter | UA702 | UA741 | TLV365 |
|---|---|---|---|
| Open loop gain | 66 dB | 94 dB | 120 dB |
| Input impedance | 50 kohm | 6 Mohm | 5 pF |
| Output impedance | 300 ohm | 70 ohm | 40 ohm |
| Bandwidth | 20 MHz | 1 MHz | 50 MHz |
| Offset voltage | 0.5 mV | 0.8 mV | 0.4 mV |

Note that the UA702 is uncompensated, unlike the other two op-amps; this explains why its gain bandwidth is so large compared to the UA741.

By considering just the follower circuit, we see that even a simple op-amp has many parameters, and we should understand each of them to select the proper op-amp for each particular application.

A high open loop gain will minimize the approximation error caused by the simplification of the negative feedback loop equation to AFB ≈ 1 / β. A high input impedance ensures the op-amp input has a minimum effect on the input voltage source. A low output impedance will reduce the gain error caused by the load on the op-amp output and will reduce the instability risk caused by capacitive load. A high bandwidth will flatten the frequency response. A low input offset voltage will reduce the DC error.
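
As an added worked example (not part of the original note), the size of that approximation error can be derived from the negative-feedback description in the Feedback section, using the standard textbook relation Vout = AOL · (Vin − β · Vout). The decibel figures are the Table 1 open loop gains converted as voltage gain, AOL = 10^(dB/20); the β = 0.01 case (closed-loop gain of about 100) is a constructed illustration.

    Vout = AOL · (Vin − β · Vout)
    Vout · (1 + AOL · β) = AOL · Vin
    AFB = Vout / Vin = AOL / (1 + AOL · β)
        = (1 / β) · [ 1 − 1 / (1 + AOL · β) ]

    Relative error of the approximation AFB ≈ 1 / β:
    ε = 1 / (1 + AOL · β)

    Follower, β = 1:
    UA702   66 dB   AOL ≈ 1 995       ε ≈ 5.0 × 10^-4  (0.050 %)
    UA741   94 dB   AOL ≈ 50 119      ε ≈ 2.0 × 10^-5  (0.0020 %)
    TLV365  120 dB  AOL = 1 000 000   ε ≈ 1.0 × 10^-6  (0.0001 %)

    Gain of about 100, β = 0.01:
    UA702   AOL · β ≈ 19.95    ε ≈ 4.8 × 10^-2  (4.8 %)
    UA741   AOL · β ≈ 501.2    ε ≈ 2.0 × 10^-3  (0.20 %)
    TLV365  AOL · β = 10 000   ε ≈ 1.0 × 10^-4  (0.010 %)

These figures hold only at very low frequency, where the open loop gain is specified; the error grows as AOL falls with frequency.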

So, it is easy to imagine that manufacturers try to optimize each of these parameters to fit a particular class of applications, and since their processes differ and evolve, they come out with better-performing op-amps in each of their categories year after year.

Other Parameters

There are many more parameters than these five, and for each application we consider many of them. The following paragraphs list some of these parameters, including the first few we have already discussed.

Open loop gain (dB)

Open loop gain is particularly important for lowering gain error. Note that gain error will increase with frequency since the gain margin gets lower. Note also that open loop gain is measured at very low frequency.

Gain-Bandwidth Product (MHz)

The gain-bandwidth product is the frequency at which the gain is one; equivalently, it is 100 times the frequency at which the gain is 100.

Input Offset voltage (mV, uV)

Input offset voltage is the DC voltage between the +/- differential inputs. Ideally, we would seek to have zero offset voltage, but in practice this is not possible. The input offset voltage is reflected at the output, affected by the closed-loop DC gain.

Input Offset Voltage Drift (uV/C)

The input offset voltage drift is important, especially if you implement a circuit to trim the offset during calibration. In this case the offset is almost zero at the calibration temperature, but it will build up as the temperature drifts.

Input impedance (Ohm, pF)

Input impedance is an important factor to consider, and the choice really depends on the application. For example, if the driving circuit is a low impedance microphone, an input impedance of a few 100 kohm will be fine, whereas for an application like an electrometer measuring charge, an op-amp with an input impedance on the order of Tohm will be necessary.

Input bias current (nA, pA, fA)

Input bias current may be reflected as a voltage output offset if the DC resistive path seen by each of the plus and minus input differs. Circuit topology should take care of this.

Input Offset Current (nA, pA, fA)

Even if the DC resistive paths are equal, a voltage output offset will exist due to Input offset current, but the offset is generally much lower than the bias current.

Input Common Mode Voltage Range (V)

The input common mode voltage range is the range in which the op-amp will behave as expected and linearly; outside this range the gain may fall abruptly, and in some of the first op-amp versions the gain changed polarity. Many op-amps have an input common mode voltage range from rail to rail, and some have a range extending above or below one rail or both rails.

Common Mode Rejection Ratio (dB)

This is the ability to reject a signal applied to both the plus and minus pins simultaneously. This parameter will impact the circuit's rejection of noise. A low CMRR will also contribute to the gain error.

Input Voltage Noise, Noise Density (uV, nV/√Hz)

Input voltage noise should be seen as a noise voltage source between the plus and minus inputs. It is specified as a voltage or as a voltage density over frequency.

Input Current Noise, Noise Density (nA, fA/√Hz)

Input current noise should be seen as a current source in parallel with the plus and minus inputs. It is specified as a current or as a current density over frequency. Proper circuit design will minimize the total contribution of the voltage noise source and current noise source.

Output Voltage Range (V)

Output voltage range is limited by the supply range and the internal op-amp design. Some op-amps have a range limited to within 1 or 2 volts of the rails, while some have a range near one or both rails. When the input and output voltage ranges cover from the negative rail to the positive rail, op-amps are qualified as RRIO, which means rail-to-rail input-output.

Output impedance (Ohm)

Output impedance is most often specified as the open-loop output impedance; this value can be a few ohms to a few hundred ohms. The complete circuit output impedance (closed-loop output impedance) depends on the topology; it is approximately the open-loop impedance divided by the gain margin. Note that closed-loop output impedance tends to increase with frequency due to the decreasing gain margin.

Output Current max (mA)

Output current max is the maximum current at which the op-amp is linear, at higher current there could be open-loop gain loss and clipping.

Slew rate (V/us)

Slew rate is limited by the op-amp internal current source feeding the internal capacitor that creates the dominant pole. In a way, the slew rate is related to the gain bandwidth product. The slew rate limitation can create distortion in high-amplitude, high-frequency signals. For example, if the op-amp is used to create a square wave, the edges of the square wave will be limited by the op-amp's maximum slew rate.

Supply Current (uA, mA)

Supply current per op-amp can range from a few uA to a few hundred mA. Generally, the higher the gain bandwidth product, the higher the supply current. Very low power op-amps have a low gain bandwidth product.

Supply Voltage (V)

Supply voltage can be as low as one or two volts and up to fifty volts or more for specialized op-amps.

Supply Voltage Rejection Ratio (dB)

Supply voltage rejection ratio is a very important parameter to consider because it is the factor reducing the open-loop gain seen by the noise present on the supply voltage rails. At DC, it can be expressed as the ratio of the input offset voltage change to the supply voltage change. Note that the rejection degrades as frequency increases.

Operating Temperature (C)

The operating temperature is the suggested temperature range in which the op-amp can be operated without imminent failure. Note that operating an op-amp at or near maximum operating temperature will reduce its life expectancy.

Absolute Maximum Ratings

Operating the op-amp beyond these limits may cause the device to become defective. For example, the maximum voltage on the supply rails should be respected, as well as the maximum junction temperature and all other limits.

Why So Many Op-Amps?

Each application requires a different parameter set. For example, for the follower discussed above, we may be interested in lowering the DC error between the input and output, in which case we look for an op-amp with a small input offset voltage, or we may be interested in a sufficiently large bandwidth to minimize the error up to 1 MHz. There are op-amps with input offset voltage from below 1 uV to near 10 mV and bandwidth from a few kilohertz to a few hundred megahertz. With just 5 values in each dimension you end up with 25 flavors, and this is only for two parameters and one manufacturer, so it is easy to understand that many hundreds of flavors of op-amp exist. Note that the parameters are somewhat dependent; that is, they cannot all be controlled independently. For example, the gain bandwidth product and the current consumption are related, since transistors need more bias current for higher bandwidth.

You can visit a distributor's web site and select general purpose op-amps to find that the offering runs to many thousands of different op-amps, and manufacturers have released new versions every year for over fifty years!

Which Op-Amp to Select?

This is a much more complex question to answer and there isn’t a single good answer. It depends on the application, including its environment, and trade-off between all parameters including price and availability.

Let’s start with the quality level, such as commercial, industrial, automotive, military, medical, or space. We should identify which category the product belongs to and limit our search to that category. Note that there is less and less choice going from the commercial category to the space category, in which there are very few choices and the costs are extremely high.

Then we go deeper with the most important parameters, such as supply voltage, bandwidth, input offset voltage, input bias current, and slew rate, which is important for large output signals; of course, cost is very important in some applications. You may also need to check the input common mode range, a parameter that is often overlooked.

There are also some non-technical parameters, like the cost and the manufacturer (some companies try to focus on a limited set of manufacturers for strategic reasons).

The following table can be used to note the desired parameter values before starting the selection; if the application requires more parameters, just add them to the list.

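| Parameters | Value | Unit |
|---|---|---|
| Category | | |
| Mounting Type | | |
| Supply Voltage | | |
| Bandwidth | | |
| Input Offset Voltage | | |
| Input Offset Voltage Drift | | |
| Input Bias Current | | |
| Input Offset Current | | |
| Slew Rate | | |
| Input Common Mode Range | | |
| Output Voltage Range | | |
| Supply Current | | |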

In summary

This note presents the multitude of op-amp parameters and the op-amp offerings addressing various applications. It discusses some reasons why new op-amps keep appearing on the market every year despite their simple functionality, and it proposes a simple method to select the op-amp for a given application.

Introduction to PCB Design and Supply Chains

Denis Lachapelle, P. Eng.
Anne-Marie Coutu, Tech.

Introduction

The primary functions of a printed circuit board (PCB) are to support electronic components and facilitate their interconnection. PCBs, also known as printed wired boards (PWBs), serve as the foundation for a wide range of devices, from smartphones and dishwashers to large-scale weather simulation computers. Integrated circuits, which power these devices, are typically mounted on PCBs.

This paper aims to explore various aspects of the PCB ecosystem, including design, materials, categories, and usage. Below, two examples of PCBs are provided for reference.

Manufacturing Companies

Several major companies dominate the manufacturing of PCB laminate, prepreg, and associated chemicals, including DuPont, Rogers Corporation, Isola Group, Ventec, and Iteq Corporation. These companies produce a wide range of materials necessary for manufacturing printed circuit boards, which serve as the foundation for installing and interconnecting electronic components.

The manufacturing process begins with finished PCB companies receiving inputs such as copper laminates, prepregs, and various chemicals. They etch copper on both sides of the laminate to create traces and copper areas. For multilayer PCBs, they repeat this process and laminate the layers with prepreg in between. Additional steps, including drilling, plating, and alignment, follow, culminating in a fully formed PCB. While the explanation provided is simplified, it captures the fundamental principle of PCB manufacturing. Additional steps, such as drilling, plating, aligning, and printing, are integral parts of the process but have been omitted for brevity.

PCBs come in various layer configurations to accommodate different circuit complexities and requirements. Single-layer PCBs are suitable for straightforward circuits, while two-layer PCBs offer increased reliability and are used for moderately complex designs. For power electronic boards, which require robustness and efficient power distribution, four and six-layer configurations are often employed. High-density and high-speed circuits, known as high-density-interconnect printed circuit boards (HDI PCBs), typically utilize eight, ten, or more layers to accommodate intricate designs and ensure signal integrity.

After PCB fabrication, the next crucial step is soldering the components onto the board, a task typically performed by board stuffing or EMS companies. These companies receive the bare PCB along with all the electronic components to be mounted on it. Their assembly lines consist of several key sections:

  • Solder Paste Applicator: This section applies solder paste precisely to the areas where components will be attached on the PCB.
  • Pick-and-Place: Automated machines in this section accurately position the components onto the PCB according to the design specifications.
  • Oven: The assembled PCBs are then passed through an oven, where the solder paste is melted, creating a permanent connection between the components and the board.

While this explanation simplifies the process, it encapsulates the core principle of component soldering onto PCBs.

After assembly, PCBs undergo thorough inspection and testing to ensure their functionality and reliability. The methods employed for inspection and testing vary depending on the product’s complexity and application. For instance, while simple commercial circuits may require swift testing to control costs, safety-critical medical or aerospace circuits demand meticulous scrutiny to ensure utmost reliability. In space applications, where part replacement is nearly impossible, reliability takes precedence over cost concerns. Thus, inspection and testing pose significant challenges, balancing the need for rigorous scrutiny with practical considerations such as testing time and cost constraints.

Inspection and testing of PCBs involve a range of methods tailored to different needs. In some cases, specialized workers conduct manual inspections, meticulously examining each board for defects. Alternatively, camera inspection systems are employed for swift and precise examination of PCBs.

Testing methods vary as well. Flying probes are used to measure the board’s components and trace connections, providing detailed insights into its functionality. Another approach involves using a bed of nails, which connects multiple nodes of the circuit to specialized test equipment. This setup enables the execution of comprehensive test procedures to validate the board’s performance. Additionally, manual testing procedures, carried out by technicians, involve executing test procedures, taking measurements, and validating results through hands-on inspection.

At the end, the assembled boards are fully functional and ready to be integrated in the final product.


Types of PCBs

Whilst non-exhaustive, this section lists various types of PCBs.

Most Common PCBs

The most common PCBs are typically constructed from FR4 epoxy glass laminate, which consists of a glass fabric filled with epoxy and laminated with copper on both sides. This material is available in thicknesses ranging from 2 to 200 mil. Additionally, prepreg, which is also composed of glass fabric filled with epoxy, is commonly used in PCB construction. Prepreg comes in thicknesses ranging from 3 to 8 mil, and multiple layers of prepreg are often incorporated into PCB designs for added strength and insulation.

Metal Plate PCBs

Metal Plate PCBs feature a laminate that incorporates a metal plate, as illustrated in Figure 1. A dielectric layer is laminated onto the metal plate, onto which a copper foil is subsequently laminated. This material composition is specifically employed in power applications where heat generation necessitates efficient heat dissipation through the board. The inclusion of the metal plate offers exceptional thermal conductivity, making it an ideal choice for such applications. Additionally, in many instances, the metal plate is affixed to a heat sink to further enhance heat dissipation capabilities.

Figure 1, Metal Base Laminate

High Frequency PCBs

High Frequency PCBs are specifically designed for high-speed and high-frequency signal transmission applications. These PCB laminates, along with their corresponding prepregs, are engineered to minimize signal loss and enhance signal transmission speeds at high frequencies. Unlike standard PCBs, which typically have a dielectric constant (Dk) ranging from 3.5 to 4.1, high frequency laminates boast a lower Dk of around 3.2. Additionally, they exhibit a significantly lower Dissipation factor (Df) of approximately 0.004 compared to the 0.016 commonly found in standard FR4 PCBs.

For specialized applications such as radar, RF power amplifiers, and antennas, even more advanced PCB laminates are available, featuring higher Dk values of up to 10 and remarkably low Df values, as low as 0.002.

Flexible PCBs

Flexible PCBs are designed to be bendable, allowing them to conform to different shapes and fit into tight enclosures. They are particularly useful for saving space and eliminating the need for connectors, and they are often employed in applications involving moving parts, such as printers and robotic joints. Typically, Flexible PCBs are manufactured using polyimide, although there are alternative materials available for applications requiring higher performance or lower cost.

Figure 2, Rigid-Flex, source Altium

Hybrid PCBs

Hybrid PCBs, also referred to as rigid-flex PCBs, combine flexible PCBs with rigid PCBs to create versatile circuitry solutions. In rigid-flex PCBs, rigid sections are typically attached to the enclosure walls, while flexible sections are used to link and transmit signals between these rigid sections. This allows the PCB to conform to complex shapes and fit into tight enclosures. Additionally, in some applications, components such as passives, integrated circuits, and connectors are installed directly onto the flexible PCB sections.

Figure 3, Two rigids attached by a flex.

Heavy Copper PCBs

Heavy Copper PCBs are a specialized type of printed circuit board designed to handle high current levels within PCB traces. Unlike standard PCBs with copper thickness typically around 0.5 ounces per square foot (approximately 17 micrometers thick), Heavy Copper PCBs are engineered with significantly thicker copper layers. These thicker copper layers help reduce resistivity and dissipate heat more effectively, making them suitable for applications requiring high current-carrying capacity.

Manufacturers achieve heavier copper layers by utilizing laminates with increased copper content or by employing electrodeposition methods to enhance copper thickness. Some manufacturers offer Heavy Copper PCBs with copper weights exceeding 10 ounces per square foot, providing enhanced current-carrying capabilities for demanding applications.

High Tg PCBs

High Tg PCBs, or high glass transition temperature PCBs, are designed to withstand extreme temperatures, typically exhibiting a glass transition temperature (Tg) exceeding 180°C. This is in contrast to the more common PCB types, which typically have Tg values ranging from 130°C to 150°C. High Tg PCBs find application in environments with extreme temperatures, either due to the operating conditions or the heat generated by certain components such as microcontrollers (MCUs) or field-programmable gate arrays (FPGAs).

Teflon Based PCBs

Teflon-based PCBs are used in some very specific applications, such as RF power amplifiers and radar circuits, and when a very high operating temperature is required. The cost of this type of board is very high and they are difficult to manufacture; you should have very good reasons to select them.


PCB Cost Drivers

The following table lists a number of factors affecting PCB manufacturing cost.

FACTORS | IMPACTS
Dimensions | Cost increases mostly linearly with PCB area.
Shape Complexity | Complex shapes and features (V-groove, jump scoring, countersink holes, etc.) require more machining time and may reduce material utilization efficiency, increasing costs.
Number of Layers | Cost rises approximately linearly with the number of layers, with additional layers adding complexity and material costs.
Copper Thickness | Thicker copper layers increase material costs and may require specialized manufacturing processes, impacting overall cost.
Overall PCB Thickness | Meeting thickness requirements while controlling trace impedance can increase costs due to complex stack-ups and material choices.
Number of Drill Sizes | Fewer drill sizes reduce tool changes and machining time, potentially reducing costs.
Number of Holes | More holes increase drilling time and may lower yield, impacting manufacturing costs.
Complexity | The use of through-hole vias is the simplest option, but costs increase with the complexity of other via types such as blind vias, buried vias, via-in-pad, back-drilled vias, and filled vias.
Controlled Impedances | Controlled impedance with tight tolerance necessitates precise control over factors such as glass fabric thickness, dielectric constant, and trace width. Achieving these specifications may require the use of specialized materials with low dielectric constant and low loss factor.
Material | As discussed in section 3 there are many types of PCB with standard FR4 being the most common. However, some materials are specifically engineered for high-speed digital PCBs, RF boards, high operating temperatures, or demanding dimensional stability requirements. Opting for these specialized materials can substantially increase costs.
Material Utilization | Standard panel dimensions, such as 18x24 and 24x36, are commonly used in PCB manufacturing. Maximizing board utilization within these panels is crucial for cost efficiency. For example, if your board occupies 90% of the panel area, you lose only 10% in material waste. However, if it occupies just 75%, the material waste increases to 25%, leading to higher costs.
Traces and Gap Width | When traces and the gaps between them are very thin, such as 0.004 inches or less, precise control over the etching process is essential. Over-etching can increase impedance or lead to trace breakage, while under-etching can result in reduced impedance or short circuits between traces. Additionally, maintaining a constant trace impedance along the entire length becomes more challenging with such thin traces, as controlling width tolerance becomes crucial.
Plating such as gold | In some cases, special plating is necessary for specific applications such as keypad contacts, edge connector fingers, and side plating. While gold plating offers high reliability, it comes with a significant cost. Alternatively, less expensive options like Electroless Nickel Immersion Gold (ENIG) and Nickel-Palladium-Gold (NiPdAu) exist, although they may offer lower reliability compared to gold plating.
Aspect Ratio | The aspect ratio in PCB manufacturing refers to the ratio of hole length to diameter. Maximum values vary among manufacturers, with some limiting it to 8:1 while others allow up to 12:1. High aspect ratios pose challenges during the copper plating process, as ensuring plating penetrates up to the center of the via becomes more difficult. Additionally, high aspect ratios can lead to poorer mechanical strength, signal integrity degradation, and challenges in thermal management, especially if the via supports high current. Therefore, careful consideration of aspect ratio is essential to ensure optimal performance and reliability in PCB designs.
Tolerances | Board dimensions, shape, and mounting point tolerances significantly impact PCB manufacturing costs. It's advisable to specify larger tolerances where possible to lower costs. It's important to inquire with the selected manufacturer to understand their tolerance thresholds, as these can vary between manufacturers and may affect pricing. By understanding these thresholds, you can make informed decisions to optimize costs while meeting your design requirements.
Rigid, Flex and Rigid-Flex | Rigid boards are typically the most cost-effective option, followed by flexible boards, with rigid-flex PCBs being the most expensive. However, it's essential to consider the total cost, as the use of flex or rigid-flex PCBs can offer benefits such as sparing connectors, saving space, and reducing workmanship. These advantages can lead to overall cost savings despite the higher initial cost of flexible or rigid-flex PCBs.
Surface Finish | After assembling the laminates and prepregs, applying copper plating, and solder mask, it's crucial to protect the remaining exposed copper areas from oxidation and enhance solderability. Several surface finish processes are available, including: HASL or HAL (Hot Air Solder Leveling); Electroless Nickel Immersion Gold (ENIG or ENi/IAu); Electroless Nickel Electroless Palladium Immersion Gold (ENEPIG); Immersion Silver Plating (IAg plating); Organic Solderability Preservative (OSP); Immersion Tin Plating (ISn); Direct Immersion Gold (DIG); Immersion Gold (ENEPIG). Among these, HASL lead-free and ENIG are the most common options.
Silkscreen | Silkscreen printing on PCBs offers a variety of color options, with the ability to choose multiple colors if needed. However, using more than one color can increase production costs.
Package Type | Some package types, once soldered, require x-ray inspection due to the inability to visually inspect the solder joints. Examples include packages like Ball Grid Array (BGA), which feature very small pitches (distances between two balls) such as 0.5mm, 0.4mm, or even smaller. With such small pitches, the pad size can be as small as 0.3mm, leaving only 0.2mm for routing traces in between, including two gaps and a trace. This presents significant routing challenges and requires careful consideration during PCB layout.
Turn-around Time and Quantity | The quantity ordered significantly affects PCB costs, as non-recurring costs (NRE) are distributed across more units in larger orders. Additionally, turnaround time is a major cost driver, as expedited production may require overtime pay for staff and reorganization of production planning by the manufacturer.
Coating | Depending on their application, PCBs may require coating with acrylic to enhance resistance against humidity, moisture, and pollutants once assembled.

 

CAD Tools

Today, printed circuit boards are designed using computer-aided design (CAD) tools, which are software applications featuring graphical user interfaces and powerful algorithms to assist PCB designers. Before creating the PCB layout, a schematic is typically created using the same CAD suite used for PCB design. Additionally, circuit simulators are often employed to test specific circuit sections prior to PCB fabrication.

There are numerous software options available for schematic and PCB layout design, including Altium Designer, Siemens Xpedition and PADS, Eagle Autodesk, Cadence Allegro and Orcad, NI Ultiboard, KiCad, CircuitMaker, Zuken CR-8000, and many others. Some of these tools are open-source, while others are proprietary. Before selecting a CAD tool, it’s essential to understand your specific needs in terms of the number of boards per year, board complexity, and desired integrity level. Prices for these tools range from almost free to tens of thousands of dollars.

While some PCBs may be simple with few components and clearly understood circuits, more complex designs may benefit from circuit simulation. Simulation allows designers to ensure that circuit sections work as expected and extract critical parameters such as frequency response, peak power, and voltage or current levels. For simpler boards, circuit simulation may be skipped, but for designs with greater complexity, simulation can be advantageous in validating performance and functionality.

PCBs handling high-frequency digital signals such as USB, Ethernet, PCI, DDR, etc., require rigorous validation of signal integrity. Parameters such as voltage overshoot, undershoot, skew, crosstalk, and propagation delay must be carefully monitored. It’s crucial to control trace length matching, impedance, and spacing to ensure the functionality and reliability of the PCB.

PCBs containing large CPUs and FPGAs often draw substantial current, sometimes in the tens of amperes. Additionally, simultaneous bus switching can result in rapid variations in current, on the order of 1A/ns, leading to significant fluctuations in the supply voltage. To validate the power distribution of these boards, performing power integrity analysis is essential. This involves measuring the impedance of the power distribution network at various locations on the board.


Special Applications

As previously explained, printed circuit boards primarily support electronic components and facilitate their interconnection. However, PCBs can also serve as integral components in various applications. For instance, patch antennas utilize multiple radiating PCB copper sections arranged to create directional radiation patterns. Proximity sensors leverage metal sections on a PCB, with changes in capacitance between these sections indicating the proximity of objects with high permittivity. In RF design, PCB traces can function as passive components such as discrete inductors and capacitors. Additionally, in high-speed designs, the coupling between ground and power planes serves as VCC decoupling capacitance.

 

Conclusion

Printed circuit boards serve as commodities for some and complex, niche products for others, depending on factors such as technology level, operating environment, and safety and reliability requirements. Simple one- or two-layer PCBs, found in products like musical greeting cards, car remote starters, and garage door openers, contrast with more complex PCBs featuring four, six, or even more layers, used in power electronics, computer systems, aerospace applications, and beyond. Some manufacturers even fabricate PCBs with 20 to 30 copper layers.

The spectrum of complexity in PCB design and fabrication is vast, necessitating powerful design tools and a complex supply chain to meet diverse needs and requirements.

Cybersecurity in Transportation: Implementation Challenges – Supply Chain


Securing the Supply Chain

 

Minimizing attack surfaces and the impact of potential cyberincidents on business by mapping risks diligently and implementing a cybersecurity program is a crucial first step – but it isn’t enough.

In a global economy, no business runs in a vacuum, and the supply chain is now a significant vector for cyberthreats. The smallest security breach detected in a supplier becomes a vulnerability for client businesses.

The cyberresilience of a business also depends on the security level of the weakest link in its supply chain. As a result, organizations should go beyond securing their own systems and make sure to secure their ecosystem, particularly the network of suppliers and subcontractors with whom they do business.

 

Why Is the Supply Chain a Risk Vector?

Vendors have become prime targets and victims of a wide variety of cyberthreats, if not outright cyberincidents. Many market analysts predict that those numbers are going to continue to rise.

PwC has revealed that 54% of Canadian respondents to its annual Digital Trust 2022(1) survey expect to see an increase in reportable incidents in 2022 due to attacks on the software supply chain, as well as higher risks related to third parties and the supply chain.

Among the various motives for attacks cited by the European Union Agency for Cybersecurity (ENISA)(2), seeking to exploit the trust between businesses and their suppliers is behind 62% of attacks, which is quite telling.

It would be rash to base a cybersecurity risk assessment solely on the trust between customer and vendor. In fact, adopting a structured approach and requiring minimum cybersecurity levels from suppliers appears vital.

Threat Landscape for Supply Chain Attacks

Supply chain attacks on the rise

 

Risks that Impact the Supply Chain

Where is the Weak Point in Your Supply Chain?

Just as they have analyzed and assessed their own information and operational systems, businesses will have to determine the level of risk for every vendor involved in their production process.

In the transportation industry, many systems that are generally outsourced to third parties can be targeted, including HVAC, door systems, and passenger counters. Publishers of the software that businesses use will also have to be taken into account, as will the manufacturers that supply the electronic parts that go into building electric circuits.

Pinpointing the highest risks in the supply chain involves examining every component closely. To do so, businesses can choose to implement self-assessment questionnaires, for example, to identify subcontractors at greatest risk. Using the data they collect, businesses can then assess maturity levels and better understand what organizational and operational assets and what sensitive information vendors can access.

Vehicle Cybersecurity Ecosystem

 

Depending on the nature of the conclusions drawn when data is collected and questionnaire results are analyzed, businesses can review and improve their supplier selection process to strengthen minimum cybersecurity requirements. In time, certain organizations will choose to consolidate their supply chain to make it easier to enforce subcontractor requirements.

Whether they are long-time suppliers of the organization or new, it is important to integrate them fully into the assessment process and communicate clearly with them to ensure the entire supply chain is secured.

Setting clear minimum cybersecurity requirements is always easier when entering into new contracts than it is when dealing with long-standing partners. It is nonetheless vital to address cybersecurity issues and requirements with the latter, with the support of procurement department representatives (purchasers) and legal teams. They will be the catalyst for awareness and the necessary review of internal processes and contractual procurement clauses. These professionals will have to be appropriately trained on minimum cybersecurity requirements that could feature in negotiations with subcontractors.

As cybersecurity-enhancing regulations and certifications are adopted and applied across the industry, integrating specific cybersecurity measures will have to be considered as part of contractual supply operations.

The ISO 21434 standard calls for close collaboration between a system’s integrator or designer and its various suppliers, thus requiring that the roles and responsibilities of both parties be clearly identified, documented, and mutually accepted. The integrator will then have to ensure that set cybersecurity processes are followed, both in their own organization and by subcontractors.

 

Anticipating Risks

According to Statistics Canada, 47% of cyberattacks in Canada in 2019 targeted small and medium enterprises(3). The more than 1.14 million such businesses across Canada(4) are an essential part of the national economic fabric.

Believing themselves too small to present an attractive target, they often underestimate the cyberthreats they could fall victim to. SMEs often have less robust security systems that present more easily accessible back doors to penetrate the information systems of larger businesses.

Customers could limit such vulnerabilities by being proactive in encouraging a collaborative approach with all partners to strengthen the supply chain from end to end. They could also prompt SMEs they deal with to develop their cyberresilience by leveraging dedicated cybersecurity resources.

While international standards are still being developed or adopted, many solutions already exist to support SMEs in securing their information systems, including the federal government’s CyberSecure Canada program(5) that gives SMEs access to resources to better understand the risks they face. Barring the implementation of specific security checks, they can opt for certification to reflect their best cybersecurity practices.

Subcontractors that integrate cybersecurity policies into the very design of their products and/or systems emerge as winners in the process, benefitting all customers by reducing cybersecurity risks. This collaborative approach is mutually beneficial to everyone involved, and the supply chain is all the more secure as collaboration between parties is enhanced.

Maintaining high cybersecurity levels among all supply chain members becomes a prerequisite to its proper operation, but it requires long-term investments and efforts, the benefits of which are difficult to assess. Sharing information and best practices between customers and suppliers will enable organizations to take part in a broader-scale drive to increase their mutual cyberresilience. By investing time and effort in analyzing and strengthening the cybersecurity of their supply chain, businesses will help build value for their entire ecosystem.

 

 

 

(1) https://www.pwc.com/ca/en/services/consulting/cybersecurity-privacy/digital-trust-insights

(2) https://www.enisa.europa.eu/understanding-the-increase-in-supply-chain-security-attacks

(3) https://www150.statcan.gc.ca/n1/daily-quotidien/201020/dq201020a-eng.htm

(4) https://cyber.gc.ca/publications

(5) https://cybersecure-canada/en/get-started


Cybersecurity in Transportation: Implementation Challenges – Operational Systems


Securing Operational Systems

 

As we have seen in the first two articles of this special report, cybersecurity is becoming a strategic imperative to ensure business longevity. After identifying the risk exposure of information and operational systems within organizations, risk mitigation involves laying a solid foundation to build cyberresilience.

The approach will be a key ingredient in the design phase of new products to eliminate potential security breaches at the source. That way, businesses will ensure that their operational systems meet the minimum cybersecurity compliance requirements of public and private clients.

But what about current products and services? How can you make sure they withstand cyberattacks? How can you convince and reassure customers that systems are robust and cyberresilient?

Cybersecurity Programs and Certification

Implementing an operational cybersecurity program is becoming the norm in both Europe and North America. By taking a proactive approach and the necessary precautions to tackle cybercrime, businesses and para-governmental organizations show customers and third parties (investors, employees, and the general public) that they have set up the necessary conditions to ensure business continuity in the event of cyberincidents.

An overview of the implementation phases of an operational system within the framework of developing a cybersecurity program is presented below.

Development Phases of a Cybersecurity Program

Life Cycle Project Management: Cybersecurity-Related Actions

Certification is another step in that direction. Although standards are not yet harmonized across continents, they are becoming clearer and being implemented in a number of countries.

That is the case for regulations RN155 and RN156 that are progressively being adopted in Europe, as well as for standard ISO/SAE 21434 that covers every phase of the life cycle of connected vehicles, from electric and electronic systems, including their components and interfaces, to integrated software and the tools required for their development.

ISO/SAE 21434 was created following the exponential increase in cybersecurity incidents involving connected vehicles recorded between 2016 and 2019 – a staggering 605% (1). That number is bound to grow if nothing is done to secure the multiple systems aboard cars, such as communication units and voice assistance systems, geotracking sensors and cloud-based platforms that connect vehicles to mobility services. The Juniper Research Institute (2) estimates that 206 million vehicles will feature such capabilities by 2025, including 30 million connected to the 5G network.

Overview of the ISO/SAE 21434 Standard

A Prerequisite for Responding to RFPs?

Although the transportation industry increasingly demands vehicles be certified and meet standardized cybersecurity requirements, the challenge lies in the fact that the vast majority of these vehicles are already designed, if not already built. It should be noted that many other industries face the same issue.

Implementing an operational cybersecurity program and taking the steps to have existing systems certified poses an additional challenge for businesses trying to reconcile minimum compliance requirements, technical and financial system constraints, and time to market.

The approach to certifying current systems is similar to certifying new ones, but it can be more difficult to conduct a full system analysis. As cybersecurity risk mapping and attack scenarios are prepared using the existing architecture, the latter can be ill suited to these new requirements, making the documentation process to demonstrate cybersecurity compliance difficult, if not impossible.

The effort and resources dedicated to these analyses will incur costs that businesses may be forced to absorb in order to market systems at a competitive price point. One potential solution involves conducting a gap analysis before undertaking a cybersecurity program to assess the scope of needed efforts. To do so, businesses can call on external experts to conduct or assist in conducting the inherent cybersecurity risk analysis or review the analysis as part of an internal auditing process.

To ensure these steps are successful, involving various professionals and areas of expertise from across the organization is essential, including the sales team to explain the process and its financial implications and raise awareness of the need to integrate these new requirements when responding to RFPs. The sales team can then determine the additional costs related to cybersecurity activity and leverage these add-ons.

Suppliers and subcontractors of system components are also essential stakeholders in the process; that consideration will be covered in our next article focusing on supply chain issues.

One Key Step: Reviewing IT Architecture

As previously explained, the ISO/SAE 21434 standard focuses mainly on operational systems. However, it is crucial that all information technology (IT) teams be considered essential partners in helping businesses become cyberresilient.

It is all the more important as minimum operational cybersecurity requirements are often conflated with organizational cybersecurity concerns. For example, simple system intrusion testing is often required, even though it only represents part of the cybersecurity certification process of systems.

Organizations that have yet to implement cybersecurity programs will also need to secure their organizational IT infrastructure. That involves analyzing gaps with common IT practices, upgrading methods to adopt market-compliant cybersecurity practices, and establishing policies and processes that foster these practices going forward.

9 Elements of Network Security

Once organizations have cybersecurity programs in place, developing new operational systems will have to take the revised IT infrastructure into account to ensure consistency across IT and operational technology (OT).

Examples of necessary actions to upgrade IT architecture

In light of the efforts needed, it appears that certifying operational systems poses several challenges and compels businesses to follow a strict process that involves mobilizing significant human and financial resources. And while implementing an operational cybersecurity program may constitute a first step toward certification, its impact on existing IT systems should not be overlooked.

As is the case for all major projects, proper planning is crucial to successfully transitioning to an operational cybersecurity program, including a precise mapping of the systems involved and the assistance of experienced resources to support businesses in their efforts. Successfully implementing such programs then simplifies business processes when responding to RFPs going forward.

 

(1) Source: ISO/SAE 21434 Automotive Cybersecurity Standards Guide (beyondsecurity.com)

(2) Source: Operator Connected Car Strategies Statistics: Market Summary | Infographics (juniperresearch.com)


Cybersecurity in Transportation: Implementation Challenges – Cyberresilience


Building Organizational Cyberresilience

 

Resilience refers to the ability of a person, ecosystem, or economy to resume optimal operation after trauma, disruption, or crisis.

The process is similar when it comes to cybersecurity. Zero (cyber)risk does not exist. But cyberresilient businesses can recognize and accept their vulnerability to cyberthreats and take measures to guard themselves, lowering the impact on their organizations, employees, customers, and reputations. What sets them apart is their ability to remain operational after a cyberattack and manage the resulting disturbances.

The effects of cyberattacks are many, and damages can be severe. No matter their nature, target, or scope, cyberattacks can tarnish the reputation of organizations and rattle the trust of stakeholders, i.e. customers, employees, shareholders/investors, the general public, etc.

In a core sector like transportation, organizational resilience is a must, both to ensure the economic survival of organizations and to secure their vehicles, equipment, and data networks. Integrating cybersecurity rapidly into organizational and operational processes is crucial.

 

At the Heart of IT-OT Convergence

 

Until a decade ago, information technology (IT) and operational technology (OT) were two fairly distinct areas. In the early 2000s, cybersecurity efforts were mainly focused on IT infrastructure, and cyberthreats, which were few and far between, almost never targeted operational systems. The systems did not communicate and the teams responsible for them had no need to collaborate.

Things have evolved and the emergence of cloud-based solutions has connected most operational systems to the Internet – for better and for worse. While advantages are undeniable, the situation also creates new vulnerabilities that businesses must analyze closely.

IT teams and implemented strategies still often reflect a misreading or poor understanding of operational systems, which hinders the comprehensiveness, effectiveness, and synergy of their approach.

Promoting convergence between IT and OT helps coordinate the work of the teams that oversee information systems and engineering departments. Using a cross-functional approach makes it easier to secure operational systems and their connected equipment and to make them an integral part of a shared, cohesive cybersecurity program.

Fully integrating networks (cloud, Internet of Things, etc.) into the implementation of a unified governance, process, and policy framework for IT and OT heightens businesses’ security for both their information and operational systems.

Businesses generally have an organizational cybersecurity program that defines activity in terms of information security – for which international standard ISO/IEC 27000 is used as a benchmark – but such programs are nonetheless ill suited to the reality of operational systems. As IT and OT face distinct, and sometimes divergent, issues, it is possible, and even beneficial, to include elements of organizational cybersecurity in order to promote the secure development and maintenance of operational systems.

If an organizational cybersecurity program has yet to be implemented, it is important to analyze operational processes and standards before moving on to any other cybersecurity-related activity. Determining gaps between current development processes and cybersecurity measures is an essential step in identifying vulnerabilities and potential security breaches.

This process is set to become an industry standard and compares to implementing a quality management program (ISO 9000). It involves implementing security controls from the very beginning of operational system design work. Doing so requires time, effort, and specific skills that can be provided by resources from outside the organization to support the process.

Over time, having a proactive approach to cybersecurity has a positive impact on company engineering decisions by fostering the secure development of new operational systems from the early design phase.

 

It’s Not Only About Technology

While a single vulnerable system can be enough to open a security breach into a digital environment, the ways to avoid such situations and the solutions to be implemented are not all technological in nature.

Organizational and human factors also play a crucial role in businesses’ ability to manage cyberrisks. Organizations have everything to gain by laying the foundations of a cyberculture that influences their actions, investments, technological innovation strategic planning, and the evolution of their processes and policies to secure systems. Effects will be all the more beneficial for businesses’ long-term health and success as decisions are supported by top management and communicated well to all teams.

One first step involves training all employees on the basics of cybersecurity to raise their awareness of the importance of practising good digital hygiene and the potential impact of their actions on company systems security. Promoting a solid understanding of these issues and business needs helps keep employees accountable.

Add to these awareness efforts more specialized training from IT teams as part of the business’s organizational cybersecurity program, to promote conducting risk analyses on systems and subsystems and clarify stakeholders’ roles and responsibilities. By developing a shared cybersecurity framework, the engineers responsible for individual subsystems will be able to respond to risk analyses and IT teams’ attack scenarios. Product managers will be kept informed of risks that may affect specific products.

Enhancing company cybersecurity requires specific skills and an effective strategy in the hands of a dedicated, duly coordinated team that is well represented at the upper management level.

Defining and implementing a cybersecurity program that is adapted to operational systems requires advanced expertise that current IT teams in the industry may not have. Businesses may need to recruit specialized resources or call on external expert cybersecurity services to support their efforts. Such dedicated resources capable of understanding and dealing with cybersecurity issues ensure that company stakeholders are kept informed and engaged throughout the organization.

In an ideal organizational structure, these efforts are coordinated by an executive-level specialist whose mission it is to uphold information and data security. This person, the Chief Information Safety Officer (CISO), plays a different role than the Chief Information Officer (CIO), whose tasks mainly focus on the strategic planning of organizational information technology initiatives. By working closely with the executive team, the CISO is aware of the company’s evolution, its development opportunities, and strategic direction when it comes to innovation. They can then see to it that operational cybersecurity concerns are integrated from the outset.

Transitioning to making cybersecurity central to business operations and strategic planning is crucial. The process may be long and complex, and it must take into account company constraints and avoid trying to change everything all at once. A gradual, properly explained implementation will encourage employees to adopt these important changes. A balance must be struck between the need to strengthen security activity and to ensure continued daily operations.

Just as businesses began undergoing a digital transformation a few years ago, a transition to cybersecurity is unavoidable. Businesses must adapt quickly to these new, constantly shifting constraints. While most increasingly understand the related risks, many are still struggling to collect data and mobilize the resources they need to act.

One thing is certain: the days of handling cyberthreats in a vacuum are long gone, as every economic sector and organizational activity is affected. The time has come to secure current operational systems and make cybersecurity a design criterion for future systems. Today, clients are increasingly demanding confirmation that cybersecurity analyses are included in system development cycles, before even purchasing or implementing these systems.

As organizations grow cyberresilient, the ideal process will involve eliminating potential security breaches from systems right from the design stage. Until then, how can you ensure systems meet market requirements and expectations?



CYBERSECURE YOUR
OPERATIONAL INFRASTRUCTURES

Get the free white paper to learn how to meet cybersecurity challenges in transportation.

Cybersecurity in Transportation: Implementation Challenges – Operational Networks

This special report means to provide a few keys to enhancing corporate cybersecurity, particularly in the transportation industry.


Cybersecurity and Operational Networks – Tackling New Challenges


As information and operational technologies are growing ever more interconnected and available to the general public, cyberthreats and security breaches pose new challenges that businesses must face.

While the digital transformation of businesses presents a wealth of new business opportunities, it also makes companies more vulnerable. Now present in all economic spheres, cloud-based solutions help blur the traditional boundaries between conventional computer systems and operational systems. Points of contact are multiplying, offering new attack surfaces for cybercriminals.

Unfortunately, the transportation industry has not been spared. The Government of Canada has even identified it as one of the top ten critical infrastructure sectors in terms of cybersecurity risk (1). Although the technologies in use vary from one vehicle to the next, most new vehicles are connected to a certain extent. Transportation networks are also largely dependent on connected equipment (sensors, controllers, onboard computers, management software, etc.), which leaves them vulnerable to cyberattacks seeking to disrupt operations or even take control with malicious intent.

Barring in-depth consideration at the highest echelons of organizations, cyberthreats pose a true challenge to the longevity of businesses and the proper functioning of society.

A New Playing Field

Operational technology (referring to equipment and software used to control physical devices or processes meant for operational environments) used to operate in closed circuits, i.e. with very little interconnection with corporate networks. Today, connected operational technology is omnipresent and integrates with other computer systems, making it possible to automate certain manufacturing processes, manage or control equipment remotely, and install updates.

However, operational systems are too often still run and maintained separately from conventional computer systems. As a result, the companies that operate them continue to consider related security concerns in compartmentalized fashion. There are more points of contact than before, and each one is a potential entry point or security breach for operational equipment.

Types of Cybersecurity

What Drives Cyberattacks?

Historically, cyberattacks mainly targeted organizational information infrastructure, i.e. servers, workstations, networks, etc., generally with the intent of stealing data. Several large-scale infiltrations have occurred in the last few years, including the infamous attack on SolarWinds in 2019.

The attack on one of the US software company’s servers targeted the production system of its flagship software, Orion, used by tens of thousands of businesses and organizations around the world. Among the hundreds of attacked clients that were identified (out of a total of nearly 18,000 clients) were six departments of the US Government, including the Departments of Energy, Commerce, Treasury, and the State Department. Although the nature of the information the group behind the attack sought to steal and the consequences of the operation remain unclear, such infiltrations highlight the vulnerability of organizations and the resulting domino effect on their ecosystems.

In Canada, many businesses and levels of government have also been victims of cyberattacks in the last few years, underscoring the cybersecurity challenges organizations are now facing.

Recent technological advances have contributed to the spread of malicious software, as it becomes more easily available to individuals or groups with nefarious intent who are honing their strategies and are increasingly well organized.

The development of enterprise IT solutions, multiplication of cloud-based services, and implementation of virtual infrastructure have granted businesses a tremendous amount of flexibility that goes beyond organizational infrastructure. Today, these connected operational systems commonly used in the manufacturing and transportation sectors are all potential security breaches that can inflict damage far beyond mere data theft.

Cyberattack Types

What Risks Are Businesses Exposed to?

While profit remains the main motive behind cyberattacks, potential damages can vary widely, depending on the perpetrators.

In the transportation sector, cyberthreats can, for example, seek to take control of equipment to disrupt, cripple, or even destroy a transit system. One recent example involves a computer virus attack on the transit authority of a large North American city. The infiltration affected over 60% of the organization’s servers, as well as a number of workstations, which forced it to mobilize vast resources to restore its servers and ensure no data was stolen. The cyberincident had no effect on the operational bus and subway systems, but other organizational platforms were disrupted, including its website and phone lines.

Another thought-provoking example that served as a wake-up call for the automotive industry involved two American scientists taking remote control of a Jeep Cherokee in 2015. The two information security specialists wanted to show that it was possible to disrupt certain car systems by infiltrating the onboard computer. Conducted with a journalist in the driver’s seat, the operation led Fiat Chrysler to recall over one million vehicles to correct identified vulnerabilities.

Although not all cyberattacks are alike in scope or severity, consequences can still be harmful to victim organizations, jeopardizing their financial health, reputation, and even their continued success.

According to a survey conducted by Deloitte (2), 32% of top executives worldwide indicated that the most significant repercussions are on an operational level. They also mentioned the theft of intellectual property (22%) and drops in share price (19%).

Operational systems are at even greater risk as they were often designed independently of organizational infrastructure and include no cybersecurity components. Generally built to last with life cycles of 10-plus years, operational technology relies on equipment and software with vulnerabilities that are often well known to hackers or become so from lack of updates.


Are Businesses Ready to Respond?

The very diverse nature of cyberthreats makes them difficult to anticipate and forces businesses to develop their cyberresilience. From inventorying assets connected to a network to identifying the skills needed to know, understand, detect, and prepare to face these new risks, businesses must rally their forces to present a united front against these threats.

On a global scale, governments, work groups, and regulatory bodies are also organizing to define new rules. Fighting against cyberrisks will soon involve clients and businesses demonstrating their ability to meet minimum cybersecurity requirements.

In the US, the National Institute of Standards and Technology (NIST), a non-regulatory federal agency, has developed a cybersecurity framework that includes several standards, guidelines, and best practices and made it available at no cost to private organizations seeking to develop or update their own cybersecurity programs. 

In the transportation industry, the United Nations has also drafted standards to prompt vehicle manufacturers to develop secure operational systems that include cybersecurity considerations right from the design phase. Adopted in 2021, UN regulations R155 and R156 lay the foundations of a cybersecurity framework for vehicles in various regions around the world, applying to both cybersecurity management systems and software update management systems. The European Union intends to impose these new measures on road vehicle manufacturers by 2022 for all new vehicle types and by 2024 for existing platforms.

In Canada, Transport Canada and various levels of government are taking these new security standards into account, particularly standard ISO/SAE 21434 (Road vehicles—Cybersecurity engineering) that seeks to integrate cybersecurity engineering practices at every stage of a vehicle’s life cycle.

The digital transformation is well underway and shows great potential for the transportation industry, in that it enables manufacturers to achieve greater efficiency and helps improve transportation safety for riders.

However, cybersecurity challenges are a growing concern for businesses, who should give them due consideration at the highest levels of the organization. They will have to assess organizational exposure to cyberrisks, mobilize the necessary resources to protect themselves appropriately, manage incidents and potential crises, and update operational systems. Adopting a comprehensive approach that includes third parties will also be important in managing the inherent risks of the supply chain, as we will discuss in upcoming articles in this special report.



(1) Critical Infrastructure Partners (publicsafety.gc.ca)

(2) The Deloitte 2021 Future of Cyber Survey polled nearly 600 C-level executives about cybersecurity at companies with at least $500 million in annual revenue, between June 6 and August 24, 2021.


The new reality of cybersecurity: operational networks

Operational Cybersecurity


Cyberattacks today go far beyond the traditional data theft-ransom combo that affects organizational IT. They now also aim to destabilize large parts of the economy, the market and the production and supply chain by directly attacking our operational infrastructures – which now often integrate virtual and cloud technologies – such as our communication networks, our factories and our transport. Hence the need and urgency to adapt our operational systems to this new reality.

Stay tuned as we will soon publish a series of articles on the challenges of implementing operational cybersecurity, more specifically in transportation where we will discuss topics such as implementing a culture of resilience within an organization, the best approach to certify an existing system, supply chain management and cybersecurity standards within the transport industry.

Cysca is well positioned to help you deal with cyber risks and cyber terrorism and modernize your systems.

Contact us to find out how Cysca can help you solve some of your biggest challenges, whether in software or systems engineering, systems integration, electronics design, IT architecture or cybersecurity.


ABOUT CYSCA TECHNOLOGIES

Since 1997, Cysca Technologies has provided cutting-edge engineering solutions in systems engineering, electronics design, software engineering, systems integration and IT architecture and cybersecurity. We offer end-to-end services and support our clients in developing their own solutions by leveraging our expertise in developing electronic systems, the related embedded software and user interface applications. While bringing forth our creativity and innovative mindset, we harness innovation for the benefit of sustainable growth.

Proud to support the next generation


Cysca Technologies is proud to support the next generation


Resolutely looking to the future, Cysca Technologies is proud and very happy to sponsor Ourea, a team of graduating engineering students at the University of Sherbrooke, in the context of their drone design project.

The Ourea team has set itself the challenge of creating a hybrid multirotor-style drone with the ability to brave extreme weather conditions, autonomously, safely and economically. Among the outlets for future uses are the taking of imagery and scientific data and emergency assistance in difficult-to-access terrain.

Cysca strongly believes in creating innovative solutions and value for technological advancement for the benefit of sustainable growth. It was therefore natural for us to support the ambitions of this new generation of engineers.

We look forward to encouraging them at the 2022 edition of Expo MégaGÉNIALE, the largest exhibition of engineering projects in Canada, which will take place on December 2 and 3 at the Sports Centre of the University of Sherbrooke.


Redesigned Website: A new interface with a refreshed brand

Cysca Technologies launches redesigned website with new refreshed corporate image


Cysca is excited to announce the launch of our newly designed website: www.cysca.com.

Through a more user-friendly and easier to navigate interface, our completely redesigned site offers a new simplified way of presenting our services and a few of the markets we support. Moving beyond a client centric philosophy, we aim to connect our clients with the solutions they need to solve the obstacles they are facing in developing innovative and sustainable products and services.

Our new site features a portfolio of a growing selection of projects showcasing our expertise and the innovative solutions we bring to our clients to help them solve some of their greatest challenges.

In addition to learning more about some of our projects, our audience will now be able to access thought leadership and other content such as technical notes, articles, white papers and news on our Insights page. This knowledge centre, which will expand over time, will offer valuable and user-centric resources on a variety of topics to expand industry knowledge and find potential solutions to business pains.

Cysca’s President and Founding Partner Yves Tremblay said: “Our new corporate image and website are some of the steps we are taking as a way forward to pave our growth for the coming years. We are truly excited for the future and for extending our expertise and creativity in technology and electronic design solutions to support our clients in building a sustainable tomorrow for our society.”

We invite you to share your thoughts with us and look forward to seeing you at cysca.com.

