Introduction
The semiconductor industry, pivotal to technological advancement in the current digital transformation era, cannot afford to overlook its cybersecurity. A minor security lapse could lead to substantial losses, especially in this sector. To address this, SEMI has introduced two key standards: SEMI E187 and E188. These standards aim to enhance the cybersecurity of semiconductor manufacturing equipment, thereby safeguarding the health of the entire supply chain. The launch of these standards signifies the industry’s commitment to elevating security awareness and capabilities. This article delves into the characteristics, complementarity, and significant impact of these standards on the semiconductor industry.
SEMI E187: The Cybersecurity Cornerstone for New Equipment
SEMI E187 focuses on the development phase of new equipment, covering four fundamental elements: operating system security, network security, endpoint protection, and security monitoring. It mandates that equipment suppliers implement these security features before equipment dispatch, particularly for devices running Windows and Linux operating systems. By standardizing these devices, SEMI E187 lays a secure foundation for new equipment entering the production line.
SEMI E188: Extending Security to Existing Equipment
In contrast to E187, SEMI E188 has a broader scope, applicable not only to new but also to existing equipment and all computational components like computers, controllers, and PLCs. E188 emphasizes a malware-free deployment process for equipment, requiring suppliers to adhere strictly to a malware-free procedure during equipment delivery, installation, and maintenance, ensuring the device’s security both before and after entering the factory.
Complementarity of the Two Standards
SEMI E187 and E188 describe the cybersecurity standards needed at different stages of the lifecycle, complementing each other, akin to a digital bloodline with E188 functioning as a descendant to the E187. SEMI E187 defines a universal set of basic cybersecurity norms, setting security standards for new equipment before delivery. E188 extends these norms to pre-deployment security processes for equipment, focusing on three key steps: malware scanning, vulnerability scanning, and network security. This complementary design ensures not just the security of new equipment but also reinforces the standing defense of existing devices. It includes defining qualified scanning tools, implementing scanning procedures, and standardizing scanning reports, forming a comprehensive security protection system.
The combination of these two standards presents a formidable united defense against cybersecurity threats in the semiconductor industry, reflecting a proactive and thorough approach to protecting critical technological infrastructure in an increasingly connected world.
Table.1 Combining the SEMI E187 and SEMI E188 to Fully Protect the Semiconductor Production Shop Floor
| Standards | SEMI E187 | SEMI E188 | |
| Purpose | Two standards designed to prevent the introduction of equipment vulnerabilities and threats to the manufacturer’s shop floor. | ||
| Stage of Asset Lifecycle | Planning, Acquisition, and Development | Implementation and Maintenance | |
| Protection Subject | Devices | • Operating System Support • Malware Protection |
• Operating System Checking and Hardening |
| Applications | • Vulnerability Scanning • Malware Scanning |
• Vulnerability Scanning • Malware Scanning |
|
| Networks | • Network Service Hardening | • Network Segmentation • Network Service Hardening • Network Connection |
|
| Data | • Requirement of Logs | • N/A | |
| Users | • Access Control | • N/A | |
Impact On the Semiconductor Industry
Since 2022, cyberattacks have continued to escalate, with significant security incidents involving persistent threats from cybercriminal organizations such as Lapsus$, LockBit, UNC4736, Cuba, RansomHouse, and LV gangs. Threat actors are exploiting the complex networks between organizations, their equipment suppliers, component/material providers, and third-party service providers. They are leveraging the interconnectedness of digital supply chains, targeting the weakest links within. Even organizations with comprehensive defenses are vulnerable to supply chain attacks.
Moreover, digital product cybersecurity is crucial for managing supply chain risks. Many attackers focus on the software systems of target organizations’ suppliers, indicating that managing supply chain risks extends beyond the scope of cybersecurity governance. It also involves fortifying the cybersecurity of digital products. This reflects the significance of legislations like the United States’ IoT Cybersecurity Improvement Act of 2020, the European Union’s Cyber Resilience Act, and the UK’s PSTI Act. Digital products must be designed with a default emphasis on security and vulnerability management processes to prevent end-user infiltration.
Production environment equipment, especially in the semiconductor manufacturing industry, has become a primary target for hackers. Observations of recent security incidents reveal that hackers mainly target customer device data, including customer information, process equipment data, and intellectual property rights. Clearly, any security incident can severely impact a company’s market competitiveness. With the implementation of the SEMI E187 and E188 standards, semiconductor manufacturers will be able to guard against cyberattacks more effectively. This not only protects the economic interests of companies but also enhances the overall security standards and reputation of the industry. For example, in 2022, TSMC, in collaboration with SEMI, began compiling a guide for the introduction of the SEMI E187 cybersecurity standard for Fab equipment, assisting the supply chain in elevating cybersecurity awareness and meeting protection standards. To further enhance the security of wafer fab operations, in 2023, this standard was officially included as a requirement in procurement contracts. As the industry continues to digitalize and automate, these standards will become key to fortifying the continuous healthy development of the semiconductor industry.
8 Steps for Practical Implementation of SEMI E187 and E188
SEMI E187 focuses on cybersecurity for the pre-delivery of semiconductor manufacturing equipment, addressing the unique challenges posed by interconnected systems and sensitive data processing within these environments. It is centered around supply chain enhancement to secure equipment being delivered to the manufacturer.
Implementing SEMI E187 for an OEM involves adopting robust cybersecurity measures at various levels, including hardware and software infrastructure. This may include implementing secure boot mechanisms to prevent unauthorized access to equipment firmware, encrypting data transmissions to protect against eavesdropping and tampering, enforcing access controls to restrict system privileges, as well as scanning for malware and vulnerabilities before the equipment leaves the OEM to limit exposure to potential threats.
SEMI E187 also emphasizes the importance of applying security updates and patches to address vulnerabilities and exploits in equipment firmware and software before delivery. This requires establishing comprehensive update procedures and mechanisms to ensure deployment of security patches prior to delivery, avoiding disruption of manufacturing operations.
On the other hand, SEMI E188 focuses on cybersecurity for semiconductor manufacturing facilities, addressing broader concerns related to network security, access controls, and a deeper understanding of cybersecurity best practice among personnel. E188 also discusses practical application of malware and vulnerability scanning standards. Implementing SEMI E188 involves conducting thorough risk assessments to identify potential cybersecurity threats and vulnerabilities within the facility’s infrastructure and operations.
Implementing SEMI E187 and SEMI E188 cybersecurity standards is crucial for mitigating cybersecurity risks and protecting critical assets within semiconductor manufacturing facilities. By adopting proactive measures to secure equipment, networks, and facilities, organizations can enhance resilience against cyber threats, safeguard intellectual property, and maintain the trust and confidence of customers and stakeholders.
Practical Implementation of SEMI E187 and E188 cybersecurity standards requires a systematic approach to ensure a comprehensive and effective integration into existing manufacturing processes.
Conclusion
SEMI E187 and SEMI E188 are essentially analogous to parent-child relationships. In SEMI E187, a general set of basic cybersecurity specifications is defined, focusing on network-facing computers in new semiconductor equipment, including operating system security, network security, endpoint protection, and security monitoring. However, SEMI E188 is suitable for all equipment components, such as computers, controllers, and PLCs. Moreover, the cybersecurity domain regulated by SEMI E188 focuses on the three critical points of malware scanning, vulnerability scanning, and network security. It supplements the implementation aspects that SEMI E187 has not covered, such as qualified scanning tools, processes, and standardized scanning reports.
Now that the SEMI cybersecurity standard has been published, this is only the first step taken towards strengthening the cybersecurity of the semiconductor industry. To implement these SEMI standards with all its implications, it is still necessary to combine cybersecurity solutions to accelerate compliance with cybersecurity standards for the semiconductor supply chain. TXOne Networks’ solutions can serve this twofold purpose by providing semiconductor equipment suppliers aid in complying with the SEMI standard requirements while also enabling asset owners to implement the OT zero trust cybersecurity defense architecture for semiconductor production on the shop floor.
