Chip Industry Needs More Trust, Not Zero Trust

Chipmakers call for unity over rising cybersecurity threat.


CISOs from Intel, TSMC, ASML, Applied Materials, and Lam Research unanimously called for the semiconductor industry to pull together to share information and develop cybersecurity protocols as a community at the Securing the Future for Semiconductor Manufacturing forum at SEMICON West.

Chief information security officers (CISOs) detailed their companies’ methods for dealing with cybersecurity and what’s on their wish lists for securing their supply chain, their operational technology (OT), and intellectual property (IP). All the speakers concluded that their supply chains — in the case of ASML, 5,000 parts suppliers — were now the most likely source of malicious attacks on fabs. The suppliers’ security hygiene is now the CISO’s problem.

Some suppliers don’t even run patches, for various reasons. “Remember a chain is only as strong as the weakest link, and so, yes, we control 90% of it, but 10% of it has to come from everybody else. If 10% is not doing it too, my 90% means nothing,” said Brent Conran, corporate vice president and chief information security officer (CISO) at Intel. To tackle the supplier issue, TSMC, Intel, and Lam said they all ran inventories of their equipment and suppliers. Following NIST’s layered Defense and SEMI’s E187 and 188 standards, the companies graded their suppliers on cybersecurity and first determined which suppliers were the most important to the security issues. Once they pinpointed the suppliers that could do the most damage and potentially pass on a hack, Intel and TSMC said they worked with those vendors to give them ongoing training and to pressure them to improve their cybersecurity.

Top: ASML’s circles of security trust; bottom: Intel uses NIST’s Defense of Depth. Source: Semiconductor Engineering / Susan Rambo

TSMC told its vendors they need to work together to make some positive changes, said James Tu, TSMC’s head of corporate information security. TSMC profiles vendors using third-party security assessments to score vendors and create vendor profiles. The possibility of third-party assessments was raised by a couple of CISOs, who contend that approach is better able to find security breaches and vulnerabilities.

The forum participants also said it is important to prevent regulations from becoming too burdensome. The paperwork alone required to “certify” security is varied, inconsistent, and cumbersome. “We get questionnaires sometimes that have 500 questions,” said Kannan Perumal, Applied Materials’ CISO. And just because you check a box saying your product is secure doesn’t mean it is. The industry needs another solution to certifications, and the only way to figure it out is to put the semiconductor industry experts together to find a better way and standardize it.

Panelists left to right: TSMC’s head of corporate information security James Tu; ASML’s CISO Aernout Reijmer; Aziz M. Safa, vice president and general manager, Analytics & Technology Automation at Intel; LAM Research’s CISO Jason Callahan at the Securing the Future for Semiconductor Manufacturing forum on Wednesday, July 12 at SEMICON West 2023. Semiconductor Engineering / Susan Rambo


The problem comes down to trust. We have to trust each other, and not lawyer up, said Intel’s Conran. We already do trust each other with our IP, said Jason Callahan, vice president and CISO at Lam Research. “We are the zero trust department. It’s fundamentally in our core, it’s our biggest buzzword in our industry for nearly 10 years now. Zero trust. We don’t want to trust anybody. But we all share intellectual property. So obviously, there’s a lot of trust going on and we’re out of alignment.”

Callahan encouraged the chip industry to leave each other’s IP encryption on. If you are trusting your industry partners, trust their encryption, which Callahan said could be a vehicle for controlling IP and turning off access to it when needed.

Left: Intel’s Brent Conran, corporate vice president and chief information security officer, calls for security collaboration throughout the semiconductor industry. Right: Kannan Perumal, Applied Materials’ CISO, at the Securing the Future for Semiconductor Manufacturing forum on Wednesday, July 12 at SEMICON West 2023. Source: Semiconductor Engineering / Susan Rambo


The forum served as a first step in getting the message out, complete with signups taken at the door for a mailing list that is expected to build into a consortium. (TSMC already initiated a consortium with SEMI Taiwan.) Aernout Reijmer, ASML’s CISO, put a 17th-century Dutch master painting, “The Night Watch,” on the screen and explained that it was a painting of townspeople getting together to defend their town or form a fire brigade. It was that moment when the community couldn’t take a situation anymore and came together to make things better. He said what the semiconductor industry needs to do now is come together against a common enemy.

“We are frenemies. We compete, but we have to work together,” said Conran. “Get on the phone and call me to tell me when you have a security issue with your equipment. Don’t do nothing. I would do the same for you.”


