Semiconductors are integral to modern electronics and essential for global economic growth, national security, and competitiveness. They are crucial in fields like communication, automation, AI, healthcare, military, smart transport, and clean energy. Global efforts, such as the U.S.’s ‘CHIPS and Science Act’, EU’s ‘European Chips Act’, and Japan’s semiconductor plan underscore the need to strengthen semiconductor production, innovation, and supply chain resilience. Given its value, the semiconductor industry has become a prime target for cybercrime. In response, SEMI, the leading semiconductor industry association, has developed advanced cybersecurity measures: Standards, Assessments, and Cybersecurity Architecture. A key milestone this year is SEMI’s November 2023 release of the “Cybersecurity Reference Architecture for Semiconductor Manufacturing Environment.”
Semiconductor Cybersecurity Challenges
In the era of Industry 4.0, the integration of Information Technology (IT) and Operational Technology (OT) has brought unprecedented interconnectivity and efficiency enhancements to manufacturing and supply chains. However, with the growing sophistication of ransomware and other cyber threat technologies, as well as the continuous rise of supply chain attacks, these risks become ever more pronounced. In this interconnected ecosystem, every individual link in the chain, from semiconductor manufacturing to supply chain management can become a target for cyberattacks. These attacks would lead to substantial production, financial, and brand reputation losses in the event that they succeed. To address these challenges, special consideration should be given to the following security vulnerabilities:
- Supply Chain Threats: Interdependence in the supply chain means that overall cybersecurity can only be as strong as its weakest link overall. This is a matter of great concern for those suppliers lacking effective cybersecurity measures.
- Industrial Network Complexity: The vast interconnectedness of tool, while efficient, also creates potential security vulnerabilities. Attackers might exploit insecure network connections to access sensitive systems.
- Data Leakage Risks: With the increase in connected devices and data sharing, the risk of sensitive data leakage from machines also rises. Sensitive data transmission without proper protection might be accessed by unauthorized users.
- Tool Maintenance Security: As factory automation increases, ensuring the security of production line equipment maintenance becomes more crucial. Negligence in remote maintenance or the introduction of unauthorized equipment could lead to severe repercussions for an organization’s cybersecurity posture.
- Facility Security Management: Fab tools are highly integrated with power, chemicals, gas, and waste process management facilities. Unauthorized access can lead to equipment damage. Without proper management of power, chemicals, gas, and waste processes, these tools cannot operate.
Therefore, to address these challenges, organizations need to adopt a comprehensive cybersecurity strategy, including improving connection security, strengthening data protection, guarding against insider threats, ensuring the security of tool maintenance, and enhancing the cybersecurity measures of supply chain partners.
SEMI Prepares Three Moves for the Industry: Standards, Assessment, and Cybersecurity Architecture
Semiconductor factories, due to their expansive attack surface, are particularly vulnerable to attacks. Unauthorized users may gain access through various means, allowing them to extract data or cause damage. Additionally, as factory-operating software becomes outdated or as attackers have more time to probe, new security vulnerabilities may emerge, exposing exploitable weaknesses. With the increasing complexity of the global semiconductor industry, the number of exploitable vulnerabilities also rises, making future attacks seem inevitable. To safeguard cybersecurity in the semiconductor industry, participation and cooperation from the entire industry are essential. SEMI Taiwan’s cybersecurity committee’s blueprint mainly involves: Standards, Assessments, and Cybersecurity Architecture.
The First Move: Standards
In January 2022, SEMI E187 was officially published, becoming the world’s first cybersecurity standard for semiconductor equipment. It aims to address the two biggest challenges faced by semiconductor factories: (1) unknowingly integrating infected tools into factories; (2) tools becoming vulnerable over time due to lack of maintenance. SEMI E187, a wafer fab equipment cybersecurity specification, outlines the necessary cybersecurity measures in the design, operation, and maintenance of semiconductor production equipment and automated material handling systems, providing a baseline security level for semiconductor fab equipment.
SEMI, in collaboration with industry, academia, and research institutions, including TSMC, ITRI, TXOne Networks, NYCU, and many partners in Taiwan’s Cybersecurity Standards Task Force members, published the ‘SEMI E187 Reference Practice’ in October 2022. This was intended to assist the supply chain in implementing cybersecurity standards, accelerating standard deployment, and promoting the enhancement of cybersecurity awareness.
The industry will further implement semiconductor equipment cybersecurity standards through the power of procurement contracts. In 2023, the SEMI E187 standard was officially included in TSMC’s procurement contract requirements to further enhance the security of semiconductor factory operations. A verification mechanism was established to ensure that suppliers properly implement standards in computer operating systems, network security, endpoint device security, and cybersecurity monitoring before introducing new equipment. In 2023, SEMI collaborated with Digital Industry Management Bureau of Ministry of Digital Affairs in Taiwan to guide semiconductor equipment manufacturers through cybersecurity verification. Notably, GPM Company became the world’s first supplier to comply with semiconductor equipment cybersecurity standards verified by a third party, following their integration of the full range of TXOne solutions into their operations.
The Second Move: Assessments
In recent years, the impact of supply chain cybersecurity issues has grown significantly, making supply chain security management one of the key responsibilities for CISOs. For semiconductor manufacturers, this involves managing suppliers of manufacturing equipment, materials, software, and computer hardware; for software suppliers, it includes third-party libraries. For equipment suppliers, this encompasses numerous component suppliers. Given the vastness of this ecosystem, effectively mitigating supplier risk becomes a huge challenge. For instance, Aernout Reijmer, the CISO of ASML, noted that their equipment is composed of approximately 380,000 components supplied by about 5,000 suppliers.
The SEMI Taiwan Cybersecurity Committee, led by TSMC and Cisco, tailored the ‘SEMI Semiconductor Cybersecurity Risk Rating Service‘ specifically for the semiconductor industry. This service assists companies in quickly identifying security vulnerabilities and evaluating the effectiveness of their protective measures. In 2023, over 1000 companies adopted this service. Through continuous improvement in security management, TSMC, government agencies, SEMI, and industry partners are collectively constructing a robust cybersecurity ecosystem. This initiative provides cybersecurity education and training for the semiconductor supply chain, especially benefiting small suppliers that do not have large cybersecurity teams.
The Third Move: Cybersecurity Architecture
In light of the increased smart production in semiconductors which enhances the interconnectivity of machines, processing systems, and plant facilities, future semiconductor factories must consider a combined defense architecture that addresses both production line safety (such as production line machines, processing systems) and plant facility safety (electricity, gas, chemical transport, and waste management). In 2023, SEMI, in partnership with key figures, proposed the ‘Cybersecurity Reference Architecture for Semiconductor Manufacturing Environment.’ These figures include Dr. James Tu, Chair of SEMI Taiwan’s Semiconductor Cybersecurity Committee and Director of Corporate Information Security at TSMC; Leon Chang, Department Manager of the IT Security Program at TSMC; Dr. Terence Liu, CEO of TXOne Networks and co-head of the Committee’s fourth working group; and Chair Professor Hsieh Hsu-Ping of NYCU, also a co-head of the Committee’s fourth working group. This architecture sets out universal and minimal security requirements for semiconductor manufacturing environments, aiming to build high-tech factories that balance production efficiency with robust cybersecurity defenses, thereby maintaining the industry’s competitive advantage.
- Highlight 1 – Extending the Scope of SEMI E187:
The new reference architecture not only considers secure-by-design tools but also encompasses tool move-in/transfer, tool configuration, and cybersecurity guidelines for factory operations and maintenance, all in line with the practice of sustainable development for the common good. - Highlight 2 – Identifying key assets and security zones in a semiconductor factory:
Leveraging the layered structure of the Purdue Model’s security zone, it introduces a model for critical asset security zones that is specifically relevant to semiconductor manufacturing environments. This model assists in the thorough comprehension of the risk status of all network assets within the factory. - Highlight 3 – Emphasizing the Importance of the Asset Life Cycle:
For the first time, it introduces the ‘Sustainable Security in an Asset Life Cycle’ approach, outlining reference architectures for each stage of the asset life cycle, including tool design and configuration, asset inventory control, network and application integration tools, vulnerability and patch management, local and remote access, secure data exchange, cybersecurity education, and defense detection and response. - Highlight 4 – Focusing on Combined Tool and Facility Defenses:
It proposes a combined defense architecture for smart manufacturing shop floors and plant facility security. - Highlight 5 – Defining Security Key Performance Indicators (SKPI):
It proposes Security Key Performance Indicators (SKPI) for semiconductor factories. These SKPIs could aid the industry in assessing the extent of organizational management of cyber risks and provide guidance for continuous improvement.
Implementing TXOne’s Solution to Secure Semiconductor Manufacturing Excellence
TXOne Networks has always been instrumental in introducing a sustainable asset life cycle defense framework for semiconductor manufacturing and its supply chain. Since the early stages of tool design, we have incorporated cybersecurity to facilitate key tools in supporting the security management of modern smart factories. We are delighted to have collaborated with semiconductor industry leaders to launch the ‘Cybersecurity Reference Architecture for Semiconductor Manufacturing Environment’.
It is well-known that the goal of cybersecurity teams in the semiconductor industry is to maintain the stability of equipment and systems to maximize operational availability. Therefore, while cybersecurity is crucial for all departments, any mitigation of control must be adjusted to protect the equipment without compromising its performance. TXOne Networks’ comprehensive solution suite perfectly caters to the entire life cycle protection of critical semiconductor assets and meets the industry’s need for in-depth defense with its CPSDR (Cyber-Physical System Detection and Response) technology.
By adopting a “never trust, always verify” approach at each stage, whether it’s against threats, unintended configuration changes, or any other anomalies, TXOne Networks’ Security Inspection, Endpoint Protection, and Network Defense solutions can effectively prevent any unauthorized changes, detect threats and respond to them immediately. If you want to learn more, please feel free to Contact Us, and we will assist you in ensuring the continuous operation of your plant.