Emerging Standards Help Address Cybersecurity Maturity in the Supply Chain
By Ming-chang (Bright) Wu and Willis Towers Watson Taiwan
Fab equipment was not originally designed with cybersecurity in mind. However, cybersecurity incidents in the global semiconductor industry in 2018 and since have been significant wake-up calls, forcing the industry to face critical but often neglected issues. There is now an international call for new standards that integrate the fragmented, proprietary IT and cybersecurity technology found across the global supply chain.
Since 2018, the Fab and Equipment Information Security Task Force, under the Taiwan Information and Control Technical Committee, in collaboration with the North America and Japan Technical Committees and other global members, has played a key role in initiating new cybersecurity standards for the international semiconductor industry. The new standards activity, Document 6506 (Specification for Cybersecurity of Fab Equipment), establishes minimum technical requirements in four areas: legacy operating systems (Operating System Support), network configuration (Network Security), malware and vulnerability management (Endpoint Protection), and log management (Security Monitoring). These are often neglected issues in semiconductor equipment. To address them, 6506 is expected to promote security by design, in operation and in maintenance throughout production lifecycle management.
Management Issues
These cybersecurity issues are beyond the scope of any single equipment owner, procurement, cybersecurity or cyber risk management colleague. Cybersecurity is a corporate issue. Now that cybersecurity is a top priority, spending on it seems to be no object in the semiconductor industry. From a management perspective, how do emerging standards help address the cybersecurity issues in the semiconductor industry?
Our recent project at a Taiwan semiconductor client provides some clues. Based on the NIST Cybersecurity Framework (CSF), the project found misalignments between business strategy, management and operations, and these misalignments varied by issue across the eight departments interviewed.
In addition to those misalignments, implementation of practices is another practical issue. How can corporate cybersecurity posture be assessed? Is a list of cybersecurity expenditures, equipment or policies enough to demonstrate implementation results? How can the results be reviewed and evaluated in a structured way over the years? Shaped by international standards and practices, the CSF provides a systematic structure for tracking the trajectory of cybersecurity improvement over time.
Mapping Out
For the equipment owner, control over sources, that is, knowing which equipment and which suppliers are in the environment, is the best way to keep track of cybersecurity improvement. Source control of this kind, such as inventory management and supply chain management, is also covered by the CSF (as asset management and supply chain risk management under the Identify function). If we map 6506 to the CSF, 6506 mainly falls under the Identify, Protect and Detect functions as defined by NIST. These three functions provide the basis for the two post-incident functions, Respond and Recover.
From a supply chain perspective, the implementation tiers, clearly defined by the CSF, are applicable for tracking improvements. The four tiers are Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3) and Adaptive (Tier 4). Each tier represents a different stage of improvement, or so-called cybersecurity maturity, in the supply chain. NIST itself notes that the tiers are not intended as maturity levels, but they serve here as a practical scale for tracking progress.
To support cybersecurity lifecycle management, integrating the semiconductor cybersecurity standards with other existing standards is suggested as the basis of a cybersecurity awareness program that draws the attention of management and of the people in charge across departments. During discussion of the standard draft in Taiwan, other existing cybersecurity standards, such as the CSF and IEC/ISA 62443, were fully discussed and embedded into Document 6506. Further work on other SEMI cybersecurity standards is encouraged to deepen the management of issues such as cybersecurity misalignments, implementation and evaluation practices, and continuous improvement.
Get Involved
SEMI Standards development activities take place throughout the year in all major manufacturing regions. To get involved, join the SEMI International Standards Program at: www.semi.org/standardsmembership.
For more information, please visit our main Web site and current events page. If you have any questions regarding SEMI Standards activities, please contact your local SEMI Standards staff.
Standards Watch
SEMI
www.semi.org
March 11, 2021