First SEMI Cybersecurity Standard Proposal - New Requirements to Make Fabs Safer
By Inna Skvortsova, SEMI HQ
While the world is monitoring the public health and economic impact of the COVID-19 outbreak, SEMI is taking actions to address the propagation of other types of viruses, specifically those that impact semiconductor manufacturing facilities.
The first SEMI Cybersecurity Standard ballot was issued in Cycle 2-2020 by the North America Information and Control Standards Committee for industry expert review and feedback. Specification for Malware Free Equipment Integration (Ballot #6566) is focused on mitigating propagation of malware into the factory during initial equipment integration or through ongoing activities, including field service repairs, patching and maintenance.
This new Standard will define requirements for equipment, computing devices, and systems brought in by suppliers to operate on the manufacturing facility’s factory network. In particular, the document outlines a level of protection and reporting that will be consistent across different equipment entering the manufacturing facility by:
- Defining minimum malware scanning requirements to ensure the supplier conducts pre-shipment scans on the equipment for initial delivery and any devices used in maintenance and support operations. Malware scanning is a proven method to protect against the introduction and transmission of malicious code.
- Referring to external respected sources for approaches to “harden” a system to reduce the attack surface for malware and to identify and report vulnerabilities. This includes the Security Content Automation Protocol (SCAP) and the National Vulnerability Database (NVD) - Common Vulnerability Scoring System (CVSS) provided by National Institute of Standards and Technology (NIST).
- Specifying configuration documentation for users to ensure equipment does not introduce insecure network configurations to the factory networks.
Many manufacturing facilities already have their own network and security policies for databases and servers that are connected to the production floor. The proposed new Specification for Malware Free Integration takes this into account and offers additional layers of security around equipment and devices provided by different suppliers to operate on the factory network.
By implementing this new Standard, device manufacturers and equipment suppliers will experience improved equipment reliability as there will be reduced probability of malware incidents.
Specification for Malware Free Equipment Integration is part of a comprehensive series of new SEMI Standards on Cybersecurity. Triggered by the industry need to create a robust secure data exchange infrastructure that meets Big Data and AI driven manufacturing environments, these new standards support the advancement of the “connected fab”.
Completion of the first Cybersecurity standard ballot is a major milestone in a global collaborative effort among industry stakeholders working within the SEMI Standards Program. “Given the major role semiconductors play in the modern economy, information security is of the utmost importance and thus requires industry-wide alignment.” states James Amano, Sr. Director International Standards at SEMI.
In parallel with the North America Chapter of the Information and Control Committee, the Taiwan Chapter is working on a high-level SEMI Specification to define major topics to be covered by SEMI Cybersecurity standards identifying security threats from Fab operations perspective. The Specification for Cybersecurity of Fab Equipment (Ballot #6506) is planned for submission in Cycle 3-2020 for industry review.
The next document in the suite of SEMI Cybersecurity standards under development is within the North America Chapter. The team will focus on Specification for Application Whitelisting to outline how whitelisting applications should protect equipment and systems. These implementations can be tailored to the security management plans of individual equipment users or Fabs. The Fab & Equipment Computer Device Security (CDS) Task Force invites industry members experienced in using application whitelisting to contribute to the development of this new SEMI standard.
Motivated by the growing number of direct data exchanges essential for Smart Manufacturing within and beyond the factory integration space, industry stakeholders are looking forward to guidance from standards organizations to establish a common set of definitions, procedures, and best practices to achieve new security targets. Development and deployment of consistent information security frameworks presents a transformational opportunity for the industry to protect and secure its resources while enabling the data driven technologies needed for SMART Manufacturing.
If you have any questions regarding the SEMI Standards mentioned in this article or would like to participate in standards development, please contact Inna Skvortsova at email@example.com.
SEMI Standards development activities take place throughout the year in all major manufacturing regions. To get involved, join the SEMI International Standards Program at: www.semi.org/standardsmembership.
The next North America Information and Control Technical Committee Chapter Meeting is scheduled for April 1, 2020 in conjunction with the SEMI Standards North America Spring Meetings at SEMI Headquarters in Milpitas, California. To attend these meetings, you must be a SEMI Standards Program member. There is no cost, but registration is required.
March 5, 2020