Cybersecurity is one of the most pressing issues facing the semiconductor industry. Because of the complex nature of supply chains, cybersecurity standards and frameworks are still being developed. Legacy systems are one significant aspect of semiconductor cybersecurity that can have major implications, yet they remain in organizational blind spots.
It is not uncommon, for example, to still find fab equipment running Windows XP. Since 2018, the global community has worked together to come up with a new standard: Specification for Cybersecurity of Fab Equipment (SEMI E187), released in January this year.
Legacy systems are not simply an IT issue, but a much larger problem involving cybersecurity governance. Organizational silos must be brought together by cybersecurity teams, aligning procurement, risk management and even finance teams to ensure cybersecurity accountability.
Cybersecurity is one of the gravest issues facing the semiconductor industry, with ongoing vulnerabilities, all while equipment within the supply chain fails to meet cybersecurity standards. After a 2018 cyber incident hit Taiwan’s semiconductor industry, the global chip and cybersecurity community has worked together to develop new standards to reduce equipment vulnerability.
A critical, but often neglected, vulnerability is legacy systems installed in equipment, including operating systems and applications. Systems might have reached end of life, and legacy issues such as insufficient patch services could go unnoticed with potentially catastrophic implications. The global cybersecurity supply chain issues require engagement by chipmakers, equipment providers and probably even government regulators.
To address these vulnerabilities, the SEMI E187 standard not only covers legacy OS issues, but also addresses endpoint protection, network security, and security logs and monitoring. When new equipment is developed, these imperatives must be integrated under product life cycle management. For chipmakers, SEMI E187 is not only for equipment procurement but also for equipment operation.
But without specialized individuals or standard operating procedures for equipment cybersecurity, it is not yet a daily routine in chip fabs. Lacking sufficient cybersecurity experience, equipment managers and operators might not be proactive enough to suggest upgrades or purchases of more secure equipment. In a factory, those responsible for IT or cybersecurity might not be familiar with production equipment and its cybersecurity issues. Given this lack of shared understanding across organizational silos, equipment cybersecurity can become an issue that impacts fab lines and the facilities that supply water, electricity and gas.
This scenario is a typical black swan issue, with top management not fully aware of the risks. A normal lifespan for semiconductor equipment is over 30 years. Due to the residual value of equipment, financial officers want to maximize profit from depreciated equipment or sell it to other fabs. Legacy systems should not only remain in the domain of IT teams, but also finance teams aiming to boost profitability. The key problem here is managing cybersecurity depreciation.
This concept should be applied to equipment both new and existing. An end-of-life system installed in new equipment incorporates cybersecurity depreciation. For existing equipment, some protective devices such as equipment firewalls are still necessary. Legacy system issues need to be fully addressed by board members with a constructive dialog between chief officers of information security and finance.
— Ming-Chang (Bright) Wu, a founding member of the Cybersecurity Committee at SEMI Taiwan, currently works as a cybersecurity risk management consultant.