downloadGroupGroupnoun_press release_995423_000000 copyGroupnoun_Feed_96767_000000Group 19noun_pictures_1817522_000000Member company iconResource item iconStore item iconGroup 19Group 19noun_Photo_2085192_000000 Copynoun_presentation_2096081_000000Group 19Group Copy 7noun_webinar_692730_000000Path

Fortifying the Future: How SEMI E187 and E188 Standards Elevate Cybersecurity in the Semiconductor Industry

By Mr. Darren Chung, Technical Writer from TXOne, Fab & Equipment Information Security Task Force Member (I&C GTC Taiwan Chapter)

Introduction

In the current digital transformation era, the semiconductor industry, pivotal to technological advancement, cannot afford to overlook its cybersecurity. A minor security lapse could lead to substantial losses, especially in this sector. To address this, SEMI has introduced two key standards: SEMI E187 and E188. These standards aim to enhance the cybersecurity of semiconductor manufacturing equipment, thereby safeguarding the health of the entire supply chain. The launch of these standards signifies the industry's commitment to elevating security awareness and capabilities. This article delves into the characteristics, complementarity, and significant impact of these standards on the semiconductor industry. 

SEMI E187: The Cybersecurity Cornerstone for New Equipment

SEMI E187 focuses on the development phase of new equipment, covering four fundamental elements: operating system security, network security, endpoint protection, and security monitoring. It mandates that equipment suppliers implement these security features before equipment dispatch, particularly for devices running Windows and Linux operating systems. By standardizing these devices, SEMI E187 lays a secure foundation for new equipment entering the production line.

SEMI E188: Extending Security to Existing Equipment

In contrast to E187, SEMI E188 has a broader scope, applicable not only to new but also to existing equipment and all computational components like computers, controllers, and PLCs. E188 emphasizes a malware-free deployment process for equipment, requiring suppliers to adhere strictly to a malware-free procedure during equipment delivery, installation, and maintenance, ensuring the device's security both before and after entering the factory.

Complementarity of the Two Standards

SEMI E187 and E188 describe the cybersecurity standards needed at different stages of the lifecycle, complementing each other, akin to a digital bloodline with E188 functioning as a descendant to the E187. SEMI E187 defines a universal set of basic cybersecurity norms, setting security standards for new equipment before delivery. E188 extends these norms to pre-deployment security processes for equipment, focusing on three key steps: malware scanning, vulnerability scanning, and network security. This complementary design ensures not just the security of new equipment but also reinforces the standing defense of existing devices. It includes defining qualified scanning tools, implementing scanning procedures, and standardizing scanning reports, forming a comprehensive security protection system.

The integration of these two standards presents a formidable defense against cybersecurity threats in the semiconductor industry, reflecting a proactive and thorough approach to protecting critical technological infrastructure in an increasingly connected world.

Impact On the Semiconductor Industry

Since 2022, cyberattacks have continued to escalate, with significant security incidents involving persistent threats from cybercriminal organizations such as Lapsus$, LockBit, UNC4736, Cuba, RansomHouse, and LV gangs. Threat actors are exploiting the complex networks between organizations, their equipment suppliers, component/material providers, and third-party service providers. They are leveraging the interconnectedness of digital supply chains, targeting the weakest links within. Even organizations with comprehensive defenses are vulnerable to supply chain attacks.

Moreover, digital product cybersecurity is crucial for managing supply chain risks. Many attackers focus on the software systems of target organizations' suppliers, indicating that managing supply chain risks extends beyond the scope of cybersecurity governance. It also involves securing the cybersecurity of digital products. This reflects the significance of legislations like the United States' IoT Cybersecurity Improvement Act of 2020, the European Union's Cyber Resilience Act, and the UK's PSTI Act. Digital products must be designed with a default emphasis on security and vulnerability management processes to prevent end-user infiltration.

Production environment equipment, especially in the semiconductor manufacturing industry, has become a primary target for hackers. Observations of recent security incidents reveal that hackers mainly target customer device data, including customer information, process equipment data, and intellectual property rights. Clearly, any security incident can severely impact a company's market competitiveness. With the implementation of the SEMI E187 and E188 standards, semiconductor manufacturers will be able to guard against cyberattacks more effectively. This not only protects the economic interests of companies but also enhances the overall security standards and reputation of the industry. For example, in 2022, TSMC, in collaboration with SEMI, began compiling a guide for the introduction of the SEMI E187 cybersecurity standard for Fab equipment, assisting the supply chain in elevating cybersecurity awareness and meeting protection standards. To further enhance the security of wafer fab operations, in 2023, this standard was officially included as a requirement in procurement contracts. As the industry continues to digitalize and automate, these standards will become key to fortifying the continuous healthy development of the semiconductor industry.

Conclusion

SEMI E187 and SEMI E188 are essentially analogous to parent-child relationships. In SEMI E187, a general set of basic cybersecurity specifications is defined, focusing on network-facing computers in the new semiconductor equipment, including operating system security, network security, endpoint protection, and security monitoring. However, SEMI E188 is suitable for all equipment components, such as computers, controllers, and PLCs. Moreover, the cybersecurity domain regulated by SEMI E188 focuses on the three critical points of malware scanning, vulnerability scanning, and network security. It supplements the implementation details that SEMI E187 has not covered, such as qualified scanning tools, processes, and standardized scanning reports.

The publication of the SEMI cybersecurity standards is only the first step taken towards strengthening the cybersecurity of the semiconductor industry. There is more work to be done with regard to implementation and accelerating compliance.

Get Involved

SEMI Standards development activities take place throughout the year in all major manufacturing regions. To get involved, join the SEMI International Standards Program at: www.semi.org/standardsmembership.

For more information, please visit our main Web site and current events page. If you have any questions regarding SEMI Standards activities, please contact your local SEMI Standards staff.

About the Author

Mr. Darren Chung is a Technical Writer at TXOne. To learn more about TXOne and their implementation solutions on cybersecurity, please visit TXOne Networks’ solutions and the OT zero trust cybersecurity defense architecture for semiconductor production on the shop floor based on the SEMI cybersecurity standards.

 

Standards Watch
SEMI
www.semi.org
March 7, 2024