By Inna Skvortsova, SEMI HQ
With the rapid evolution of network technologies enabling Smart Manufacturing solutions across all industries, information security requirements have been elevated to a new stage. In the world where it may take just a fraction of a second to expose sensitive financial information or to shut down a state-of-the-art production facility, the severity of damage to business operations can be substantial and irreversible. For example, the revenue impact from malware that recently penetrated a major microelectronics manufacturing facility was approximately $225 million.
Managing manufacturing security is a major undertaking and requires a holistic and systematic approach. Every stakeholder involved in the microelectronics supply chain needs to make security a priority.
While information security procedures have been published in the past by various organizations, existing solutions are often fragmented or do not keep pace with the speed of threat landscape changes. The current state of technology suggests significant gaps in best practices for data sharing while maintaining intellectual property (IP) security, secure data transfers, and malware-free equipment delivery specific to the semiconductor manufacturing environment. Furthermore, microelectronics supply chain integration now calls for bigger IT architecture to support efficient and secure information exchange among stakeholders and, therefore, has greater risk of exposure to malicious actors.
The International Roadmap for Devices and Systems (IRDS), a technology roadmap for the semiconductor industry, states in the Factory Integration chapter, “Security is an increasingly important topic that permeates through all aspects of manufacturing disciplines. While it is expected that a security roadmap in microelectronics manufacturing will rely heavily on advancements in other manufacturing areas, a framework for security in microelectronics manufacturing factory integration is still needed”.
Under the guidance of leading device makers, equipment suppliers, and software integrators, the North America Chapter of the Information and Control Technical Committee has started development of new SEMI Standards to help the microelectronics industry define target security level requirements:
New Standard Proposal: Specification for Application Whitelisting
The ever-changing aspect of malicious code requires technologies capable of adapting to varied threats, while managing the diverse usage experienced by semiconductor manufacturing equipment. One solution set forth is application whitelisting to prevent the execution of malicious software. This standard will address the requirements of semiconductor manufacturing equipment to enable application whitelisting implementations. These implementations can be tailored to the security management plans of individual equipment users.
The New Standard will document universal concerns such as:
- Whitelist attributes, resources, and generation;
- Application change control and granularity;
- Whitelist management and usage;
- Documentation requirements for communicating whitelisted applications;
- Consideration of potential regional differences.
A standard for application whitelisting would benefit equipment suppliers by providing a framework for enhancing equipment reliability, while end users would benefit from the prevention of production disruption and costly factory downtime.
New Standard Proposal: Specification for Malware Free Equipment Integration
This new SEMI Specification will mitigate the propagation of malware to manufacturing facilities during capital equipment delivery and support activities by providing additional layer of security. The standard will address required measures for information security by defining protection system and processes to ensure the integrity of equipment information assets, including requirements for external connectivity, file transfers, and removable media.
The document will also outline considerations for field service repairs, patching, and other maintenance activities over the course of the equipment life cycle, as well as requirements for equipment restoration such as HDD or computer component replacement. The scope of the document will apply to any computing device, including computers, controllers, PLCs, etc. Equipment information assets include, but are not limited to companies’ IT infrastructures, servers, and digital assets.
As a result, device manufacturers and equipment suppliers would benefit from clear mutual expectations and improved equipment reliability.
Major cybersecurity incidents impacting semiconductor and other manufacturing sectors have illustrated the increasingly focused and personalized nature of malware. By taking proactive steps and enforcing consistent execution of procedures and best practices incorporated into Standards, stakeholders will build secure environments that foster connectivity and the data exchange that drives advancements in Smart Manufacturing. SEMI Standards provide the essential foundation to build consistency throughout the industry, enabling an effective path to security in microelectronic manufacturing and beyond.
Get Involved
If you have any questions regarding the SEMI Standards mentioned in this article or would like to participate in standards development, please contact Inna Skvortsova at [email protected].
SEMI Standards development activities take place throughout the year in all major manufacturing regions. To get involved, join the SEMI International Standards Program at: www.semi.org/standardsmembership.
The next North America Information and Control Technical Committee Chapter Meeting is scheduled for November 6, 2019 in conjunction with the SEMI Standards North America Fall Meetings at SEMI Headquarters in Milpitas, California. To attend these meetings, you must be a SEMI Standards Program member. There is no cost, but registration is required.
Standards Watch
SEMI
www.semi.org
September 12, 2019