At SEMICON West, Qualcomm’s Daniel O’Loughlin delivered one of the most wide-ranging examinations of semiconductor supply chain security presented at the conference. His session underscored a central, urgent truth: as semiconductor manufacturing has become globalized, specialized, and distributed, supply chain exposure has become one of the sector’s largest and most poorly understood risks.
The modern fabless ecosystem enables extraordinary innovation and scale, but it also increases the number of places where an attacker—or a careless supplier—can compromise a device long before it ever reaches a customer. O’Loughlin’s message resonated: today’s semiconductor products reflect not just engineering excellence but the security of every organization that touched them.
1. The Distributed Nature of Semiconductor Manufacturing Creates Distributed Risk
O’Loughlin opened by mapping the sheer complexity of today’s semiconductor supply chain. Even a single chip may involve:
- Design teams across multiple countries
- EDA tool providers contributing software and verification flows
- Third-party IP vendors providing licensed components
- Mask shops converting layouts into photomasks
- Foundries fabricating wafers
- Assembly and test houses (OSAT) packaging and validating devices
- Distributors and logistics partners shipping finished products
Every stage carries its own risk profile. Every participant introduces potential exposure.
And, importantly, no single company has end-to-end visibility—a reality that attackers increasingly exploit.
2. Hardware Trojans Are a Tangible, Not Theoretical, Threat
A central focus of O’Loughlin’s session was hardware Trojans—malicious modifications intentionally inserted into a design or manufacturing process. These can take the form of hidden logic, altered circuitry, or tampered design files.
What makes Trojans particularly concerning is that:
- They can be inserted at multiple points in the chain
- They may remain undetected through standard testing
- They can activate under specific conditions
- They can undermine security or functionality in ways software cannot easily detect
O’Loughlin emphasized that Trojan insertion is a real and escalating risk, especially in environments where contractors, subcontractors, and third-party vendors have direct or indirect access to design artifacts.
For governments and critical infrastructure customers, this is now one of the most pressing concerns in semiconductor assurance.
3. Intellectual Property Leakage Remains a Major Risk Vector
Qualcomm’s perspective is shaped by deep involvement in global supply chains and complex IP ecosystems. O’Loughlin highlighted that IP leakage remains a top threat, and it can occur through:
- Insider misuse of design files
- Insufficiently secured vendor networks
- Insecure transfer mechanisms
- Compromised engineering workstations
- Weak controls around subcontractor access
Once leaked, IP can be used for counterfeiting, unauthorized reuse, or competitive advantage by adversarial actors.
4. The Role of Traceability: Creating an Evidence Chain for Trust
To address these risks, O’Loughlin outlined the importance of traceability, the ability to track a device’s origin and every step in its creation.
Traceability creates:
- A verifiable manufacturing lineage
- Cryptographically secure links between process steps
- Mechanisms for detecting tampering or unauthorized alterations
- Support for forensic analysis
Traceability provides accountability not by assuming every actor is trustworthy, but by ensuring that every step is observable and auditable.
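A minimal sketch of the cryptographically linked lineage described above, added here as an illustration and not taken from the talk or from any Qualcomm system. The record fields, lot ID, and keys are constructed assumptions, and HMAC with per-stage secrets stands in for the per-organization digital signatures a real scheme would use.

```python
import hashlib
import hmac
import json

# Constructed per-stage keys (assumption); real systems would use
# per-organization asymmetric signing keys kept in hardware.
STAGE_KEYS = {
    "mask_shop": b"constructed-key-mask",
    "foundry": b"constructed-key-foundry",
    "osat": b"constructed-key-osat",
}
GENESIS = "0" * 64  # prev_hash of the first record in a lineage


def _canon(obj):
    """Deterministic byte encoding so every party hashes the same bytes."""
    return json.dumps(obj, sort_keys=True).encode()


def append_step(chain, stage, lot_id, artifact):
    """Add a record bound to the artifact and to the previous record."""
    prev = hashlib.sha256(_canon(chain[-1])).hexdigest() if chain else GENESIS
    body = {"stage": stage, "lot_id": lot_id, "prev_hash": prev,
            "artifact_sha256": hashlib.sha256(artifact).hexdigest()}
    tag = hmac.new(STAGE_KEYS[stage], _canon(body), hashlib.sha256).hexdigest()
    chain.append({**body, "tag": tag})
    return chain


def verify_lineage(chain):
    """Return (True, None), or (False, index of the first failing record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "tag"}
        key = STAGE_KEYS.get(rec.get("stage"))
        if key is None or rec.get("prev_hash") != prev:
            return False, i  # unknown actor, or a removed/reordered step
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return False, i  # record content altered after it was tagged
        prev = hashlib.sha256(_canon(rec)).hexdigest()
    return True, None


def build_sample():
    """Constructed three-step lineage for one lot."""
    chain = []
    append_step(chain, "mask_shop", "LOT-0001", b"constructed mask data")
    append_step(chain, "foundry", "LOT-0001", b"constructed wafer map")
    append_step(chain, "osat", "LOT-0001", b"constructed test log")
    return chain
```

The verifier reports the first record that fails, which is what gives an auditor a starting point for forensic analysis.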
5. Threat Analysis Helps Prioritize Controls Where They Matter Most
Given the overwhelming complexity of the global semiconductor ecosystem, O’Loughlin recommended using structured threat analysis to identify:
- High-impact attack scenarios
- Most likely intrusion points
- Feasible avenues for adversarial manipulation
- Places where additional monitoring or isolation yields the best ROI
Threat-informed security, he argued, allows organizations to focus resources on securing the elements of the chain that attackers are most likely to exploit.
6. Industry Collaboration Will Define the Future of Supply Chain Security
O’Loughlin’s final message echoed across many SEMICON West sessions: Semiconductor supply chain security cannot be a solitary effort. It requires cooperation among OEMs, design houses, foundries, OSAT providers, tool vendors, logistics partners, and government stakeholders.
The path forward depends on shared frameworks, standardized assessments, and transparent risk communication, making integrity a collective achievement.
Source: “Secure Together: Building Cybersecurity Resilience Through Industry Alliances,” SEMICON West 2025. Speakers: James Kaplan (McKinsey & Company); Quentin Kantaris (TXOne Networks); Bradford Hegrat (Accenture); Nijaz Velic and Richard Morris (NY CREATES); Tom Palmaers and Giselle M.H. Van Tornout (imec); SZ Lin (Sun Square); Ross Mahler and Marty Wachi (Moxa); Simon Davies (Renesas); Jennifer Lynn (IBM); Prabhu Jayanna (AMD); Anusha Annapareddy (Applied Materials); Bertrand F. Cambou (High Entropy Security); Daniel O'Loughlin (Qualcomm). Panel moderator: Andrew M. Seward (Tokyo Electron America).