
New SEMI Cybersecurity Standards Address the Challenges of Diverse Computing Devices on Factory Networks

By Albert Fuchigami, PEER Group, and Dave Dunne, Applied Materials

One of the greatest challenges for a semiconductor factory in defending against malicious attacks comes from within: the various computing devices connected to its network.

A factory’s IT department controls these connected devices—such as computers, servers, sensor hubs, and embedded systems—and dictates minimum security requirements for them. On the factory floor, there are computing devices sourced from multiple equipment suppliers, each running different operating systems (OS) and software. These computing devices range from those running popular, mainstream OSs to those running niche, real-time OSs and industrial controllers, such as programmable logic controllers.

With this broad diversity of computing devices, it is a challenge for equipment users to understand what exactly is running on their networks, and if those computing devices are putting factory operations and critical intellectual property (IP) at risk.

The North America Fab & Equipment Computer and Device Security (CDS) Task Force, with input from the Semiconductor Manufacturing Cybersecurity Consortium (SMCC) Technical Community members, has developed a new set of SEMI® Cybersecurity Standards to collect information from factory network-facing computing devices to help equipment users assess what kind of cybersecurity risk they present.

SEMI E191 - Specification for Computing Device Cybersecurity Status Reporting - is the primary standard. It defines what cybersecurity status information the equipment supplier reports for each computing device they provide that connects to the factory network. For this first revision, SEMI E191 outlines basic operating system details to report, including the computing device identifier, OS manufacturer, OS name, OS version, and OS build number, if applicable.

Several subordinate standards will be developed to support SEMI E191, each detailing how the cybersecurity status information is reported through a particular protocol. The first published subordinate standard is SEMI E191.1 - Specification for SECS-II Protocol for Computing Device Cybersecurity Status Reporting. This specification defines new status variables that the factory host can query through the SECS-II protocol to retrieve the cybersecurity status information.

Future revisions will expand the scope of the reported cybersecurity status. For example, if the equipment users know what OS components, service packs, and patches are installed on the computing device, they can evaluate if that computing device is sufficiently protected against their list of high-risk vulnerabilities. The CDS Task Force is considering other protocols to access SEMI E191 data, such as gRPC® and Protocol Buffers.

The quote attributed to Lord Kelvin, "If you cannot measure it, you cannot improve it," perfectly sums up the risk computing devices pose. The first revisions of these new SEMI Standards will help equipment users identify how many computing devices on their factory networks are running legacy OSs that no longer receive security updates and measure the level of risk they present. Future updates to the SEMI Standards will let them refine their analysis to ensure modern OSs have the security updates needed to protect their IP, equipment, and factories, improving the overall protection of the entire semiconductor manufacturing industry.
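As an added illustration (not part of the article or of SEMI E191), the sketch below shows how an equipment user might triage the five reported OS items against their own end-of-support list to count legacy devices. The field names, the sample reports, and the lookup table are assumptions made for this example; the standard may name and encode the items differently.

```python
from datetime import date

# Constructed end-of-support table kept by the equipment user (not part of SEMI E191).
# Keys: (OS manufacturer, OS name, OS version); values: last day of vendor security updates.
END_OF_SUPPORT = {
    ("Microsoft", "Windows", "XP"): date(2014, 4, 8),
    ("Microsoft", "Windows", "7"): date(2020, 1, 14),
    ("Microsoft", "Windows", "10"): date(2025, 10, 14),
}

# Constructed sample reports. Field names are hypothetical labels for the five
# items the article lists; the build number is optional ("if applicable").
SAMPLE_REPORTS = [
    {"device_id": "ETCH-01/HMI", "os_manufacturer": "Microsoft", "os_name": "Windows", "os_version": "7", "os_build": "7601"},
    {"device_id": "ETCH-01/CTRL", "os_manufacturer": "ExampleRTOS Inc.", "os_name": "ExampleRTOS", "os_version": "5.2", "os_build": None},
    {"device_id": "CMP-04/HMI", "os_manufacturer": "microsoft ", "os_name": "WINDOWS", "os_version": "10", "os_build": "19045"},
    {"device_id": "CMP-04/HUB", "os_manufacturer": "Microsoft", "os_name": "Windows", "os_version": "", "os_build": None},
]

REQUIRED = ("device_id", "os_manufacturer", "os_name", "os_version")

def _key(report):
    """Normalise case and whitespace so supplier spelling differences still match."""
    return tuple(str(report[f]).strip().casefold() for f in REQUIRED[1:])

def classify(report, today, table=END_OF_SUPPORT):
    """Return 'incomplete', 'unknown', 'legacy' or 'supported' for one report."""
    if any(not str(report.get(f) or "").strip() for f in REQUIRED):
        return "incomplete"          # a required item was not reported
    lookup = {tuple(p.casefold() for p in k): v for k, v in table.items()}
    eos = lookup.get(_key(report))
    if eos is None:
        return "unknown"             # e.g. niche RTOS: needs manual review, not a pass
    return "legacy" if today > eos else "supported"

def triage(reports, today):
    """Group device identifiers by classification."""
    buckets = {"incomplete": [], "unknown": [], "legacy": [], "supported": []}
    for r in reports:
        buckets[classify(r, today)].append(r.get("device_id"))
    return buckets

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_REPORTS, date(2024, 12, 5)).items():
        print(f"{status:10} {ids}")
```

Devices that land in the "unknown" or "incomplete" buckets are the ones the inventory cannot yet measure, so they warrant follow-up with the supplier rather than being counted as supported.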

Get Involved

SEMI Standards development activities take place throughout the year in all major manufacturing regions. To get involved, join the SEMI International Standards Program at: https://www.semi.org/standardsmembership

For more information, please visit the Standards website and events page. If you have any questions regarding SEMI Standards activities, please contact your local SEMI Standards staff.

The SMCC is made up of IDMs, foundries, fabless companies, equipment manufacturers, technology solutions providers, and other members of the semiconductor design-to-manufacturing supply chain collaborating to modernize factory security processes. There are several working groups focused on semiconductor industry-specific frameworks and best practices to improve cybersecurity and accelerate implementation of actionable solutions for the entire supply chain. For more information and to participate, please contact [email protected]

 

Albert Fuchigami

Albert Fuchigami is a senior standards specialist at PEER Group. He is active in the SEMI Standards Program, co-chairs the North America Information & Control (I&C) Technical Committee, and co-leads the Data Diagnostic Acquisition (DDA) Task Force. Fuchigami is currently helping to establish the Semiconductor Manufacturing Cybersecurity Consortium (SMCC) and guiding how it collaborates with the SEMI Standards Program. Fuchigami enjoys demonstrating how standards provide factory host systems with a way to optimize their operations through automation and cybersecurity resilience. He is a champion for integrating HTTP/2 with gRPC and Protocol Buffers technology into the Equipment Data Acquisition (EDA) / Interface A standards.

 

Dave Dunne

Dave Dunne is a Product Security Engineer at Applied Materials.

Dunne is also an active member in the SEMI Standards Program taking part in the Fab & Equipment Computer and Device Security (CDS) Task Force and is co-chair of multiple working groups in the SEMI Semiconductor Manufacturing Cybersecurity Consortium (SMCC).

Dunne has been working in the semiconductor industry in a variety of roles for more than 30 years.

 

 

Standards Watch
SEMI
www.semi.org 
December 5, 2024