The importance of the semiconductor industry to Taiwan and the world continues to grow. To help the industry strengthen cybersecurity defense, SEMI, the global industry association representing the electronics manufacturing and design supply chain, continues to promote the adoption of the SEMI E187 international standard for semiconductor equipment security. After releasing the SEMI E187 checklist and semiconductor security risk rating service, SEMI introduced the “Cybersecurity Reference Architecture for Semiconductor Manufacturing Environment.” This provides a clearer cybersecurity framework for the semiconductor supply chain to secure the manufacturing environment.
Terry Tsao, SEMI Global Marketing President and Taiwan Country President, noted: “With advances in information technology, semiconductor manufacturers are accelerating digital transformation, adopting smart solutions like automation, big data analytics, AI, and IoT to replace traditional infrastructure and analog control systems. The integration of IT, OT, and cloud data is increasingly important, but cybersecurity challenges remain. The SEMI Taiwan Semiconductor Cybersecurity Committee continues to advance the completeness of the SEMI E187 standard, making tremendous contributions to industry cybersecurity protection across the global semiconductor supply chain.”
Alex Tu, Chairman of the SEMI Taiwan Semiconductor Cybersecurity Committee and Corporate Information Security Officer at TSMC, said: “The semiconductor industry previously lacked consistent cybersecurity standards or was unable to update due to outdated equipment, leaving related equipment and nodes exposed in high-risk environments. Suppliers, employees, or contractors could all become cybersecurity loopholes, easily affecting operations, causing financial losses, or damaging brand reputation and partnerships. The ‘Cybersecurity Reference Architecture for Semiconductor Manufacturing Environment’ proposes a more structured network security design. This not only helps understand the status of all network assets in factories but also provides insights into these assets and their network communications. It protects equipment from various threats posed by malware.”
Comprehensively enhancing factory cybersecurity across IT, OT, and industrial control
With Industry 4.0 and digital technologies emerging, IT and OT convergence is increasing, with more systems, assets, personnel, and machines interconnected. While this greatly raises productivity, it also exponentially increases cyberattack risks. Ransomware and other threat techniques continue to evolve, and supply chain attacks show no sign of stopping. Any vulnerability in the supply chain easily becomes a target for malicious attacks or ransomware.
According to Trend Micro’s 2023 Cybersecurity Midyear Review Report, Taiwan detected 44 million malicious links in the first half of this year, ranking third globally after Japan and the US. Fortinet’s 2023 Global Cybersecurity Threat Report also shows that malicious threats rapidly increased in Taiwan in the first half of 2023, averaging nearly 150,000 attacks per second, the highest in Asia Pacific and an increase of over 80% from the same period in 2022. Hackers are shifting from random intrusions towards targeted attacks for maximized financial gain. As ransomware groups continue honing their attack techniques, generative AI tools are also widely used to improve cybercrime efficiency, with attackers exploiting common enterprise software vulnerabilities and shifting from data encryption to data theft.
In light of this, SEMI has partnered with Alex Tu, Chairman of the SEMI Taiwan Semiconductor Cybersecurity Committee and Corporate Information Security Officer at TSMC, along with Liu Rong-Tai, Chairman of the Committee’s Working Group 4 and CEO of RaySecu, and Professor Hsieh Su-Ping from National Yang-Ming Chiao Tung University, to propose the “Cybersecurity Reference Architecture for Semiconductor Manufacturing Environment.” This defines a common, minimum set of security requirements for the semiconductor manufacturing environment across four aspects: computer operating system specifications, network security, endpoint protection, and information security monitoring. It adopts the industry-familiar Purdue Model spanning IT, OT, and industrial control across Layers 0 to 5. A reference architecture is proposed for areas such as tool design and configuration, asset inventory control, network and application integration tools, vulnerability and patch management, local and remote access, secure data exchange, and threat detection and response. Enterprise security managers can use this to properly assess foundational asset applications and their associated risks, and to develop network access policies or remedies targeting these issues.
For SEMI E187, the first Taiwan semiconductor cybersecurity international standard, two companies have already received the first SEMI E187 Semiconductor Equipment CyberSecurity Verification of Conformity (VoC) certificates. The semiconductor cybersecurity risk rating service launched on the SEMI platform introduces third-party risk scoring and risk intelligence services, helping manufacturers monitor vendor cybersecurity posture. Integration of Panorays’ third-party domain scanning service technology further enhances security mechanisms. The semiconductor cybersecurity risk rating service also provides a questionnaire tailored for the semiconductor industry by the SEMI Cybersecurity Committee Working Group 3, enabling efficient industry cybersecurity assessments.
The recent SEMI E187 Checklist, released by Ares Cho of SEMI Taiwan Semiconductor Cybersecurity Committee Working Group 1, Division Director, Information and Communication Research Laboratory, ITRI, includes 12 key check items. For example, operating systems should have updates that are valid for at least 12 months, maintaining the latest security patches. Networks should provide secure protocols like HTTPS, SFTP, and SSH. Endpoint protection should have vulnerability scanning and malware monitoring. Tools should have access control settings. Security monitoring requires complete event log recordings, stored for at least one month. Such standardized verification procedures allow manufacturers to jointly address crafty, changing cybersecurity threats and comprehensively strengthen cybersecurity.
With gradually increasing cybersecurity awareness and implementation in Taiwan’s semiconductor industry, SEMI recommends the supply chain include SEMI E187 in procurement specifications and encourage more semiconductor equipment manufacturers to obtain cybersecurity certification, accelerating improvements in overall factory cybersecurity. SEMI also plans to promote relevant reference frameworks and certification mechanisms to semiconductor partners worldwide in 2024, jointly building a resilient, collective cybersecurity fortress!