At SEMICON West, experts from Sun Square, Moxa, and NY CREATES underscored a pivotal reality: regulatory pressure in the semiconductor industry has reached a historic tipping point. For the first time, global cybersecurity rules are converging in ways that directly reshape how fabs operate, how equipment is designed, and how suppliers demonstrate security to customers around the world.
What emerged from the conference was not a narrow compliance update but a sweeping transformation in how the industry must think about OT security. Standards such as ISA/IEC 62443, the EU Cyber Resilience Act (CRA), and SEMI E187/E188 now function as the backbone of a new global cybersecurity baseline—one that demands transparency, repeatability, and provable security at every step of the semiconductor lifecycle.
1. ISA/IEC 62443: The Foundation of Industrial Cybersecurity
The presenters made clear that ISA/IEC 62443 remains the anchor for all OT cybersecurity strategies. Although it predates some semiconductor-specific standards, it has become the most widely adopted industrial security framework worldwide.
ISA/IEC 62443 provides structured guidance for:
- Secure product development practices
- Risk-based system and component design
- Segmentation strategies (zones and conduits)
- Security levels for different operational contexts
- Lifecycle management of vulnerabilities
For semiconductor equipment manufacturers and fabs, the framework provides a shared vocabulary—and shared expectations—for how cybersecurity should be implemented and evaluated.
Speakers at SEMICON West emphasized that organizations ignoring 62443 are already behind. It is increasingly the foundation for procurement, supplier evaluation, and regulatory readiness.
2. The EU Cyber Resilience Act: A Global Regulatory Force
While 62443 establishes a technical baseline, the EU Cyber Resilience Act (CRA) introduces legal obligations. The CRA applies to virtually any product with digital components, which means that semiconductors embedded in downstream systems will be scrutinized for cybersecurity compliance.
Key requirements discussed at the conference include:
- Mandatory vulnerability handling processes
- Documented security throughout the product lifecycle
- Disclosure obligations for exploited vulnerabilities
- CE marking requirements to enter the European market
- Full enforcement by December 11, 2027
The presenters highlighted that compliance is not merely a technical checkbox—it is a market access requirement. Semiconductor companies serving European customers will need to demonstrate not only secure design, but also consistent processes for addressing vulnerabilities, incidents, and lifecycle updates.
3. SEMI E187/E188: Tailoring Cybersecurity to Semiconductor Equipment
Unlike broader industrial standards, SEMI E187 and E188 were developed specifically to address cybersecurity in semiconductor fabs and tools. Moxa, one of the key contributors, explained how these standards operationalize security expectations across semiconductor equipment.
They address semiconductor-specific concerns such as:
- Hardening of SEMI-standard interfaces (GEM, SECS, EDA)
- Pre-delivery malware scanning for equipment entering a fab
- Validation against CVSS/NVD/SCAP criteria
- Secure tool configuration and acceptance testing
- Requirements for secure remote support
Speakers stressed that these standards mark a shift from “security if desired” to “security by default.”
4. Multiple Regulatory Systems Are Converging — and Increasing the Burden
What became clear at SEMICON West is that semiconductor companies are now navigating overlapping frameworks, each with its own requirements and timelines. Rather than treat these initiatives as separate, the presenters advised leaders to look for convergence points:
- ISA/IEC 62443 provides technical depth
- CRA imposes legal accountability
- SEMI E187/E188 tailor requirements for fab operations
Together, they form a regulatory ecosystem in which compliance requires coordination across engineering, product development, IT/OT security, procurement, legal, and vendor management.
5. Compliance Is Becoming Central to Competitiveness
Perhaps the most forward-looking insight came from NY CREATES: non-compliance will increasingly exclude companies from global supply chains. Customers, governments, and partners will simply not accept equipment or components that lack demonstrable cybersecurity maturity.
Speakers consistently urged organizations to proactively align with standards rather than wait for enforcement deadlines. Those who move early will have fewer operational disruptions—and greater competitive advantage.
6. The Call to Action: Treat Compliance as Strategy, Not Paperwork
The closing message from the panel was unequivocal: semiconductor cybersecurity regulations are not an administrative burden but a strategic transformation. Leaders who embrace them not only reduce risk but also improve product quality, strengthen customer trust, and secure long-term market access.
Source: “Secure Together: Building Cybersecurity Resilience Through Industry Alliances,” SEMICON West 2025. Speakers: James Kaplan (McKinsey & Company); Quentin Kantaris (TXOne Networks); Bradford Hegrat (Accenture); Nijaz Velic and Richard Morris (NY CREATES); Tom Palmaers and Giselle M.H. Van Tornout (imec); SZ Lin (Sun Square); Ross Mahler and Marty Wachi (Moxa); Simon Davies (Renesas); Jennifer Lynn (IBM); Prabhu Jayanna (AMD); Anusha Annapareddy (Applied Materials); Bertrand F. Cambou (High Entropy Security); Daniel O'Loughlin (Qualcomm). Panel moderator: Andrew M. Seward (Tokyo Electron America).