Cybersecurity vulnerabilities within the semiconductor supply chain are a growing concern, ranging from individual threats to whole supply chain cyber resilience. It is imperative that the semiconductor industry addresses these risks. Last year, the Semiconductor Manufacturing Cybersecurity Consortium (SMCC) at SEMI introduced Semiconductor Supplier Cybersecurity Assessment (SSCA), providing a streamlined framework allowing suppliers to complete one standardized questionnaire to comply efficiently. The assessment process involves suppliers presenting evidence to support their claims of security controls and measures put in place. Such a body of evidence is critical to establish confidence in the suppliers’ ability to manage risk and comply with standards. The SSCA is a free, open-access resource for the semiconductor industry. This is intentionally made openly available to support SMCC’s mission to strengthen cybersecurity across the semiconductor manufacturing ecosystem. The questionnaire aligns with the six functions of the National Institute of Standards and Technology (NIST) cybersecurity framework 2.0: Govern, Identify, Protect, Detect, Respond and Recover. A recent project led by Swansea University’s Systems Security Group (SSG), in close collaboration with SEMI SMCC, is mapping the evidence requirements necessary for SSCA assurance. The project is funded by the UK Research and Innovation (UKRI) as part of seed funding to support UK/US/Germany collaborative research and innovation projects in the field of semiconductor security. UKRI supports such collaboration in the interest of “maintaining confidence in security throughout the design and manufacturing processes,” and particularly to support research addressing “what tools and techniques could help to reduce the risks associated with third-party hardware design and manufacturing services?”.The project ensures that the global ecosystem is engaged so that evidence requirements developed are acceptable, cost-effective, in line with the latest standards and practice, and ultimately suitable for adoption. As part of this project, two workshops are being organized, one in Germany at Bavarian Chip Alliance, Nuremberg on Tuesday, March 10 and one in the UK at Swansea University on Thursday, March 12, aiming to introduce SSCA and the evidence requirements, gather feedback and inspire early adoption. Join either of these workshops to help shape the evidence requirements and help prepare for effective supply chain security assurance. Participants must download the SSCA framework prior to the workshop.Register for the Germany Workshop on March 10Register for the UK Workshop on March 12Key TopicsIntroduction to Semiconductor Manufacturing Cybersecurity Consortium (SMCC)Standardized Semiconductor Cybersecurity Assessment (SSCA)Supply chain assurance and evidence mappingGroup discussion to feedback on evidence requirementsOpen Q A with cybersecurity and compliance expertsWho Should AttendCybersecurity and compliance professionalsSemiconductor suppliersLegal and regulatory affairs professionalsFabless chip designers and foundriesTesting, packaging, design software, R D tools and IPManufacturing/assembly equipment and ancillary fab servicesIntegrated device manufacturersAbout the authors:Siraj Shaikh is a Professor in Systems Security at Swansea University (UK). His research interests lie at the intersection of cybersecurity, systems engineering, and computer science addressing cyber-physical systems security for automotive and transport systems. He is also Co-Founder and Chief Scientist at CyberOwl, which is dedicated to risk analytics and security monitoring for the maritime sector.Mayura Padmanabhan is a Technical Project Manager at SEMI who manages the Cybersecurity Technology Coalition and Traceability activities.
