Understanding the SECS/GEM Protocol
Semiconductors are an indispensable part of modern electronic products and are also a fundamental basis for the development of the AI industry. This industry is crucial for global economic growth, national security, and national . As the semiconductor industry transitions to Industry 4.0, the connection between production equipment and factory networks has expanded the attack surface, providing adversaries with more opportunities for intrusion. Today’s semiconductor manufacturing heavily relies on the SECS/GEM protocol to ensure smooth and efficient communication between different equipment and factory systems. This protocol, maintained by SEMI, serves as the communication standard between semiconductor equipment and factory hosts. It allows equipment from different manufacturers to communicate with various host systems in a standardized and consistent manner.[1] [2] In other words, the protocol facilitates equipment-to-equipment communication, aiding automation and utilizing data for monitoring, control, and analysis. This replaces repetitive and error-prone tasks, significantly contributing to the advancement of automation in the semiconductor industry.
The SECS/GEM protocol uses SECS-II messages for communication, which can be deployed over TCP/IP networks (using the SEMI E37 and E37.1 standards for HSMS) or RS-232 (using the SEMI E4 standard for SECS-I). Initially, the adoption of TCP/IP communication for SECS/GEM did not seem problematic, as semiconductor factory networks were highly isolated. However, as Ethernet and TCP/IP protocol stacks have gradually become core components of factory and plant networks, it has become easier and more popular to connect these networks with broader enterprise structures. In this era, factory networks have evolved into vast networks that are slowly opening up to the outside world.
The SECS/GEM protocol was developed early on, and cybersecurity was not a priority in its initial design, leading to a lack of security features. If an attacker manages to gain access to the OT environment, they could exploit the weaknesses of SECS/GEM to disrupt process control or inhibit response functions, thereby affecting the availability of production equipment or networks. Therefore, it is crucial for factory managers to understand the network threats associated with the SECS/GEM protocol.
How Do Threat Actors Exploit These Vulnerabilities?
Risk 1: Communication Interruption Through MITM Attacks
Due to the lack of authentication mechanisms in the SECS/GEM protocol to verify the legitimacy of message originators, it is particularly vulnerable to impersonation attacks. The HSMS protocol specifies that equipment can support only one active connection at a time. This operational limitation becomes a tactical vulnerability. Adversaries can interfere with communication between the host and the equipment through a Man-In-The-Middle (MITM) attack. An attacker can disrupt ongoing communication by issuing a “separate” request, effectively terminating the connection between the host and the equipment. Subsequently, they can establish a new connection with the equipment, preventing the legitimate host from reconnecting. This isolation can lead to significant disruptions in the manufacturing process.[3]
Risk 2: DoS Attacks Through Specialized Applications
The SECS/GEM protocol is commonly used to collect events and alerts, allowing the host to monitor equipment operations. Equipment collects events to notify the host of significant normal and abnormal activities. Some events are necessary for SECS/GEM connectivity standards, but it is also expected that equipment will define additional events to enable the host to monitor specific activities. However, these functions also bring potential security risks. Attackers can launch Denial-of-Service (DoS) attacks by sending a large volume of SECS/GEM messages, causing the interface to crash or become unresponsive.[4] This type of attack exploits the limitations that SECS/GEM interfaces have in handling a high volume of concurrent messages. Due to the lack of built-in rate limiting and traffic control mechanisms in the SECS/GEM protocol, when the interface receives more messages than it can handle, system resources can be exhausted, leading to service interruptions via shutdown.
Risk 3: Exploiting SECS Message Language (SML) File Vulnerabilities
SECS Message Language (SML) files are a crucial part of the SECS/GEM protocol, used to describe the structure and content of messages within the protocol, enabling automated control, equipment management, troubleshooting, data exchange, and more. However, the ability to handle SML files varies across different interfaces. Incorrectly formatted SML files can cause system crashes and disconnections from the equipment. Additionally, since SML files are readable text formats, attackers can tamper with these files for malicious purposes. They can exploit this by posing as legitimate suppliers or integrators and sending malicious SML files to operators. When operators import these files, they might execute unnecessary operations, leading to system crashes or loss of control.
Ensuring Availability and Security in Semiconductor Manufacturing
In the semiconductor manufacturing environment, availability and security are paramount. As technology continues to advance, attackers are constantly seeking new vulnerabilities to disrupt manufacturing processes. The security weaknesses of traditional communication protocols necessitate robust defense measures to protect the safety, availability, and reliability of operations.
Implementation of Access Control Mechanisms
Firstly, the SECS/GEM protocol needs to incorporate access control mechanisms so that only trusted devices and hosts can communicate. This can prevent Man-in-the-Middle (MitM) attacks, ensuring that all communications are trusted and secure. Additionally, TXOne’s Edge solutions can continuously monitor and analyze network traffic, identify abnormal communication patterns, and promptly detect and stop MitM attacks.
Implementation of Traffic Monitoring
Secondly, there should be IPS defenses deployed between SECS/GEM production equipment and hosts to implement traffic control mechanisms that prevent Denial-of-Service (DoS) attacks. These mechanisms can effectively balance and manage incoming network traffic, preventing the exhaustion of system resources. TXOne’s Edge solutions can filter out unnecessary or malicious traffic with granular security control, using this control to filter commands based on operational context and reduce human errors. Even under high traffic conditions, the system can continue to operate normally without being overwhelmed by malicious traffic.
Fortification Against Malware
Using an OT-native network defense solution like EdgeIPS can set operational thresholds for flood/scan attacks, blocking anomalous packets upon detection to prevent unauthorized modifications and ensure uninterrupted service. Additionally, malware detection can protect the factory network against the latest malware variants, spyware, and other content-level threats.
Comprehensive Visibility
Regular security monitoring and comprehensive visibility are essential. These measures help identify and address potential vulnerabilities in the SECS/GEM protocol and transmission files, maintaining continuous system security. TXOne’s EdgeOne, with its advanced threat detection, network security reports, integrated dashboards, deep visibility, packet fault tolerance, and easy deployment, offers comprehensive protection. This maximizes security levels while minimizing the workload for audit management, making operational management of the factory network both safe and efficient.
By implementing these solutions, SECS/GEM can significantly reduce the risks associated with MitM attacks, DoS attacks, and SML file vulnerabilities. Like a reliable guardian, these defensive measures can protect the semiconductor manufacturing industry from various network threats, ensuring its position in the intense global market.
To learn more about defending against these threats, please download the complete threat analysis report.
TXOne Provides Comprehensive OT Security
Industrial cybersecurity in the semiconductor industry faces unique challenges distinct from those in IT networks. TXOne specializes in Cyber-Physical Systems (CPS) security, providing native CPS security solutions designed specifically for industrial environments, equipment, and daily operations.
Contact TXOne’s cybersecurity experts immediately to learn more about protecting your CPS.
Reference
[1] InSphere Technology, “Introduction to SECS/GEM”, InSphere Technology, April 26, 2023.
[2] einnosys, “SECS/GEM: Demystifying the Semiconductor Communication Protocol”, Manufacturing Tomorrow, October 18, 2023.
[3] Shams A. Laghari, Selvakumar Manickam, and Shankar Karuppayah, “SECS/GEMsec: A Mechanism for Detection and Prevention of Cyber-Attacks on SECS/GEM Communications in Industry 4.0 Landscape”, IEEE, November 11, 2021.
[4] Shams A. Laghari, Selvakumar Manickam, and Shankar Karuppayah, “A Review on SECS/GEM: A Machine-to-Machine (M2M) Communication Protocol for Industry 4.0”, National Advanced IPV6 Centre University Sains Malaysia (USM), March 2021.
