
Cybersecurity

Cybersecurity vulnerabilities within the semiconductor supply chain are a growing concern, ranging from individual threats to whole supply chain cyber resilience. It is imperative that the semiconductor industry addresses these risks. Last year, the Semiconductor Manufacturing Cybersecurity Consortium (SMCC) at SEMI introduced the Semiconductor Supplier Cybersecurity Assessment (SSCA), providing a streamlined framework allowing suppliers to complete one standardized questionnaire to comply efficiently. The assessment process involves suppliers presenting evidence to support their claims of security controls and measures put in place. Such a body of evidence is critical to establish confidence in the suppliers’ ability to manage risk and comply with standards. The SSCA is a free, open-access resource for the semiconductor industry. It is intentionally made openly available to support SMCC’s mission to strengthen cybersecurity across the semiconductor manufacturing ecosystem. The questionnaire aligns with the six functions of the National Institute of Standards and Technology (NIST) cybersecurity framework 2.0: Govern, Identify, Protect, Detect, Respond and Recover. A recent project led by Swansea University’s Systems Security Group (SSG), in close collaboration with SEMI SMCC, is mapping the evidence requirements necessary for SSCA assurance. The project is funded by the UK Research and Innovation (UKRI) as part of seed funding to support UK/US/Germany collaborative research and innovation projects in the field of semiconductor security.
UKRI supports such collaboration in the interest of “maintaining confidence in security throughout the design and manufacturing processes,” and particularly to support research addressing “what tools and techniques could help to reduce the risks associated with third-party hardware design and manufacturing services?”. The project ensures that the global ecosystem is engaged so that evidence requirements developed are acceptable, cost-effective, in line with the latest standards and practice, and ultimately suitable for adoption.

As part of this project, two workshops are being organized, one in Germany at Bavarian Chip Alliance, Nuremberg on Tuesday, March 10 and one in the UK at Swansea University on Thursday, March 12, aiming to introduce SSCA and the evidence requirements, gather feedback and inspire early adoption. Join either of these workshops to help shape the evidence requirements and help prepare for effective supply chain security assurance. Participants must download the SSCA framework prior to the workshop.

Register for the Germany Workshop on March 10
Register for the UK Workshop on March 12

Key Topics

- Introduction to Semiconductor Manufacturing Cybersecurity Consortium (SMCC)
- Standardized Semiconductor Cybersecurity Assessment (SSCA)
- Supply chain assurance and evidence mapping
- Group discussion to give feedback on evidence requirements
- Open Q&A with cybersecurity and compliance experts

Who Should Attend

- Cybersecurity and compliance professionals
- Semiconductor suppliers
- Legal and regulatory affairs professionals
- Fabless chip designers and foundries
- Testing, packaging, design software, R&D tools and IP
- Manufacturing/assembly equipment and ancillary fab services
- Integrated device manufacturers

About the authors:

Siraj Shaikh is a Professor in Systems Security at Swansea University (UK). His research interests lie at the intersection of cybersecurity, systems engineering, and computer science addressing cyber-physical systems security for automotive and transport systems. He is also Co-Founder and Chief Scientist at CyberOwl, which is dedicated to risk analytics and security monitoring for the maritime sector.

Mayura Padmanabhan is a Technical Project Manager at SEMI who manages the Cybersecurity Technology Coalition and Traceability activities.
The SEMI Semiconductor Manufacturing Cybersecurity Consortium (SMCC) Work Group 3 (Supply Chain Cybersecurity) just released a major work product that will have a significant and lasting positive impact on the industry: the “Standardized Semiconductor Cyber Assessment (SSCA)” questionnaire. Creating a common security assessment process for device makers, equipment suppliers, software suppliers and other members of the global manufacturing value chain has been one of the principal focus areas for the SMCC from its outset. Its aim is to replace the plethora of company-specific questionnaires that are maintained, distributed, filled out, evaluated, and discussed. Given the breadth and importance of this objective, the work group involved expert stakeholders from across the globe, and the quality of their collective efforts reflects the robustness of this approach.

This first-of-its-kind resource helps companies:

- Evaluate cyber readiness and reduce supply chain risk
- Streamline compliance with one standardized assessment
- Build trust and share results across multiple clients
- Align with NIST CSF 2.0 and industry best practices

How is the SSCA structured?

The questionnaire takes its basic structure from the Capability Maturity Model Integration (CMMI) framework, which is designed to improve and integrate processes across multiple disciplines, such as software development, system engineering, system testing, and even people management. It defines five distinct maturity levels for the relevant parts of an organization or aspects of a major topic (see figure below) with general explanations of what it means to be at a particular level.

Source: Wikipedia

Workgroup 3 tailored this model to the unique cybersecurity challenges faced by the semiconductor manufacturing supply chain, identifying six activity areas inspired by the NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover. Within each area, there are specific descriptions of the attributes an organization must exhibit to be at a certain level.

What does the SSCA include?

The SSCA is delivered in multi-tab spreadsheet form with a tab of instructions and a tab of questions. Some of the questions are multiple choice (“Which CMMI maturity level are you, based on the attributes listed?”) and many are Yes/No (“Does the organization use secure technologies to share sensitive data with suppliers?”). In total, there are 165 questions across the six activity areas.

The latter is already offered in five languages: English, Korean, Traditional and Simplified Chinese, and Japanese.

How can I get the SSCA?

Click here and fill out the form to download the SSCA.

“Remembrance of Things Past” or has this ever been done before?

No… and sort of.

Those of you who remember the state of the semiconductor manufacturing industry in the early 90s will recall that one of the biggest problem areas was the poor and inconsistent quality of the embedded equipment control and communication interface software. SEMATECH and its member companies saw this as an ideal pre-competitive domain for the consortium’s focus, so the Manufacturing Systems Division evaluated best practices in the software engineering community of that era and selected the Capability Maturity Model (CMM) of Carnegie-Mellon’s Software Engineering Institute. Sound familiar?

While wholly adopting the CMM at that time was beyond the reach of most equipment suppliers, the nugget that emerged was the decision to standardize on a set of “4-Up” charts that conveyed the most basic of software quality metrics. This got everyone using the same vocabulary, definitions, and visualization techniques to compare progress across process areas and timeframes, which was instrumental in identifying and addressing the root causes of the software issues. An example of a typical software quality “4-Up” chart appears below.

Source: Techno-pm

And in related news!

Given the WG 1,2 recent (mid-July) release of the SEMI E187 Compliance Guidance document and the formation of the new South Korea Cybersecurity Work Group (WG9), the SMCC is poised to realize its vision of accelerating the adoption of SEMI Cybersecurity standards while creating vital complementary material.

For more information or to participate in the cybersecurity working groups at SEMI SMCC, please contact Mayura Padmanabhan at [email protected]

Weber is the VP, New Product Innovations at PDF Solutions and a long-time SEMI Standards participant, currently co-leader of the Equipment Data Publication Task Force and Computer and Device Security Task Force.