Manufacturing Bits: Feb. 1

Fab equipment cybersecurity; cyber prevention; cyber education.


Fab equipment cybersecurity
In a major step to help provide security in the semiconductor manufacturing supply chain, SEMI has published the first cybersecurity specifications and standards for fab equipment.

For some time, the semiconductor industry has been developing new cybersecurity standards for fab equipment in an effort to protect systems from potential cyberattacks, viruses, and IP theft. Under the auspices of SEMI, the industry has been working on two cybersecurity fab equipment specs.

The first standard, called SEMI E187, is a specification designed to help protect semiconductor manufacturing data. SEMI E187 provides the basic guidelines to follow for developing cybersecurity protections in semiconductor equipment. The spec, which came out of the SEMI Taiwan Cybersecurity Committee and Fab and Equipment Information Security Task Force, covers four key areas: computer operating systems, networks, endpoint protection, and monitoring.

SEMI, meanwhile, has also approved 6566, a specification for malware-free equipment integration, according to the trade group. This standard defines protocols for pre-shipment scans of equipment. It also addresses support for file transfers, maintenance patches, and component replacement.

Chipmakers can use both specifications as the cybersecurity requirements in equipment procurement contracts. The standard has been in the works for some time. Intel and TSMC have been leading the charge here.

Needless to say, it’s essential to have security measures in IT organizations as well as the fab. In a fab, chipmakers may have a multitude of IC production equipment, all of which is connected in a network. But because much of the equipment is not brand new, a large percentage of the tools may incorporate computers with outdated operating systems and older ports.

For chipmakers, that’s a major cause for concern. Fab equipment with older computer operating systems and network ports is potentially vulnerable to attacks, according to SEMI. Potentially, malware or malicious software could use security exploits to attack equipment, causing the systems to crash.

It also could be used to attack the hugely valuable and competitive IP of foundries and packaging houses, as well as their customers. Nearly all chipmakers use third-party foundry and packaging services, and much of that involves highly proprietary data. In addition, the foundry processes themselves are extremely valuable.

Meanwhile, chipmakers continue to beef up their own, in-house cybersecurity efforts. For example, TSMC continues to improve its own supply chain security management strategy. “This includes designing supplier information security assessment and evaluation standards with reference to international standards covering 12 categories and 135 inspection items and assisting suppliers effectively evaluate information security maturity and improvement goals,” according to TSMC.

“Global enterprises face severe challenges in information security. TSMC is committed to solving the problem of information security protection in the semiconductor industry, and has expanded its promotion to the supply chain, working with industry partners to implement corporate sustainability,” said J.K. Lin, senior vice president of information technology and materials management & risk management at TSMC.

Cyberattack prevention
CyCraft, a managed detection and response provider, has announced plans to collaborate with the Semiconductor Supply Chain Cybersecurity Alliance in Taiwan.

The Semiconductor Supply Chain Security Alliance was recently established by SEMI’s Taiwan unit. The group has been working with Taiwanese companies and factories to formulate effective semiconductor cybersecurity standards.

As reported, the Taiwanese semiconductor supply chain has seen a growing number of cyberattacks.

In a blog, CyCraft has identified four cybersecurity “pain points” in the semiconductor supply chain and how to resolve them.

“These challenges are present due to industry constraints — not just tech limitations,” said Chad Duffy, CyCraft’s global product manager. “One of the biggest security issues in manufacturing is integrating modern AI-driven solutions, like ours, into legacy hardware and software. This presents unique challenges. Hardware diversity and high availability are some of the main concerns of ICS. PLCs don’t offer the same computing environments as full operating systems, leading to different approaches to security than we see in office IT environments; upgrading every OS patch could cost companies millions of dollars in downtime — which isn’t an option given the industry’s competitive environment. This leads to legacy solutions, even those way past their end of life date, to still be in use; hackers, who continue to find bugs and develop new techniques, can thrive in this terrain, so it’s paramount that we work with organizations like SEMI to find the best middle ground to better achieve security goals for the industry.”

Cyber education
The Critical Infrastructure Resilience Institute (CIRI) is developing a cybersecurity curriculum for various U.S. universities to help solve a growing talent gap in the arena.

As stated, cyberattacks, intellectual property (IP) theft and identity theft are becoming too common. But there are too few cybersecurity professionals to fill the available positions in the market. There are over half a million positions available in the U.S. alone, according to the CIRI.

That’s where CIRI fits in. CIRI, which conducts research and provides education in cybersecurity, is funded by a $20 million five-year grant from the U.S. Department of Homeland Security. It is led by the University of Illinois at Urbana-Champaign (UIUC) with collaborators from other U.S. universities and national labs.

With support from an additional $2 million grant from the Cybersecurity and Infrastructure Security Agency (CISA), CIRI is developing a cybersecurity curriculum that will be accessible to colleges that either do not currently have programs or that wish to expand existing programs. CISA, a U.S. government agency, leads the national effort to understand, manage, and reduce risks in the cyber and physical infrastructure arena.

With help from Auburn University, Purdue University, and the University of Tulsa, CIRI has created a national network of institutes, which have helped create a cybersecurity curriculum and occupational pathways.

“We are taking an innovative approach to curriculum content, linking technical knowledge with social and organizational understandings and approaches. In the design of secure systems and organizational processes, we want to focus on designs that anticipate possible disruptions before crisis management becomes necessary. The framework for integrating technical and organizational learning we term – cybersocial systems,” said William Cope, a professor at UIUC.

Randall Sandone, executive director for CIRI, added: “For too long the cybersecurity community has been focused on cybersecurity products and technologies and not enough on the human element. This national program will begin to redress that imbalance with its focus on developing the knowledge, skills, and competencies needed to address the growing challenges in an increasingly cyber-dependent world.”
