
A Baseline of Security for Fab Equipment Standards

By Mei-Tso Lin and Ming-Hui Chung, ITRI

 

With the rise of Industry 4.0 and smart factories, new intelligent solutions like full automation, big data analysis and artificial intelligence are increasingly being adopted so that a variety of operational technology (OT) systems can be connected to networks. This brings great productivity, but also more cyberattacks. The main attack vector is a compromised device, brought in by supply chain vendors, employees or contractors, that can interact with OT computers and networks. These trends have significantly increased the cybersecurity risks facing semiconductor manufacturing facilities. Therefore, more structured cybersecurity standards are required for semiconductor fabrication plants to protect fab equipment against various threats posed by malware.

The Taiwan Fab and Equipment Information Security Task Force, led by TSMC and ITRI, has been developing SEMI Draft Document 6506, Specification for Cybersecurity of Fab Equipment. This Document aims to define a common and minimum set of security requirements to secure semiconductor fab equipment by design and support security in operation and maintenance. The Document focuses on four major requirements of fab equipment discussed below: computer operating systems, network security, endpoint protection, and security monitoring. (The latest ballot is currently available for voting in Cycle 6-2020.)

  1. Computer Operating System Security

In semiconductor manufacturing, the life cycle of production equipment is 20+ years in most cases. This means that the computer operating systems of fab equipment usually face the challenges of end-of-life support or a lack of up-to-date patches to fix vulnerabilities. Therefore, it is very important for the end user to be able to acquire complete technical support from equipment suppliers, such as patches or security updates for vulnerabilities, during the warranty period.

  2. Network Security

There are many different approaches to harden a system and its network. At a minimum, equipment should support secure network transmission in OT networks. Meanwhile, equipment suppliers should provide detailed instructions for end users to harden the system and network security to reduce the attack vectors for malware, such as enabling the configuration and management of security policy.

  3. Endpoint Protection

Pre-shipment vulnerability scanning and virus scanning are useful for manufacturing equipment, providing a proven method to prevent malware intrusion. Meanwhile, equipment suppliers should provide end users with the ability to install, manage, and maintain endpoint protection mechanisms. Additionally, an access control mechanism with authentication and authorization is required to prevent invasion attacks and unauthorized use.

  4. Security Monitoring

Continuous monitoring is essential to understanding the current security state of OT computers and networks. When misconfigurations or other potential threats are introduced in the fab equipment, complete security logs help end users troubleshoot: they can accurately analyze what happened and when, and quickly define the root cause of cybersecurity problems.

In summary, in the move to Industry 4.0, semiconductor manufacturers not only need to strengthen the defense of their own digital infrastructure, but also need to pay more attention to global supply chain cyber risk management. The purpose of this standard is to define a set of overarching cybersecurity requirements for the semiconductor fab equipment supply chain, which will be reviewed and updated regularly to keep pace with the evolving environment. Ideally, in the future, cybersecurity issues will be considered in the design stage. If equipment suppliers and system integrators of semiconductor manufacturing plants start to implement security by design in their equipment and services, they will be more trusted by customers and the entire industry will benefit.

 

Get Involved

SEMI Standards development activities take place throughout the year in all major manufacturing regions. To get involved, join the SEMI International Standards Program at: www.semi.org/standardsmembership.

For more information please visit our main Web site and current events page. If you have any questions regarding SEMI Standards activities, please contact your local SEMI Standards staff. 

 

Standards Watch
SEMI
www.semi.org
September 10, 2020