SEMI to develop cybersecurity strategy and roadmap

The SEMI Semiconductor Manufacturing Cybersecurity Consortium (SMCC) has partnered with the National Institute of Standards and Technology (NIST) to develop a semiconductor manufacturing industry profile for NIST Cybersecurity Framework 2.0 (CSF 2.0) that will serve as the foundation for the aforementioned roadmap. NIST plans to publish the profile in mid-2025.

According to research by the Identity Theft Resource Center, cyberattacks rose by 72 percentage points in 2023 over the previous all-time high in 2021. As semiconductor factories become increasingly connected and autonomous, the industry must respond to the growing security vulnerabilities associated with this next level of digital reliance and align with broader government efforts to secure the building blocks of technologies vital to society.

“Semiconductors are integral to both national security and the global economy – we need to do everything in our power to protect the industry,” said Cherilyn Pascoe, Director of the National Cybersecurity Centre of Excellence (NCCoE) at NIST. “NIST is pleased to partner with SEMI SMCC for the development and adoption of a NIST Cybersecurity Framework 2.0 Profile for Semiconductor Manufacturing. This collaboration is important to identify and reduce cybersecurity challenges in semiconductor manufacturing.”

“It’s important to recognise and address the unique cybersecurity challenges facing the semiconductor industry,” said Jennifer Lynn, SMCC Working Group Chair and Semiconductor Cybersecurity Lead at IBM Research. “This community profile could allow us to better identify and execute a path forward.”

In support of the 2023 National Cybersecurity Strategy’s strategic objective to secure global supply chains for information, communications and operational technology products and services, the White House Office of the National Cyber Director (ONCD) included a Cybersecurity Framework Profile as part of initiative 5.5.5 in the National Cybersecurity Strategy Implementation Plan Version 2. SMCC recognised the need for a cybersecurity community profile specific to semiconductor manufacturing and worked with the federal government to develop one.

“Unlike air, space, land, and sea, cyberspace is the only battle domain created entirely by human hands,” said Anjana Rajan, Assistant National Cyber Director for Technology Security at ONCD, during the Global Executive Cybersecurity Forum at SEMICON West 2024. “This means we have both the power and the responsibility to shape it. The future of cyberspace where defenders have an inherent advantage over attackers starts with preparation, and that preparation must begin with securing the building blocks.”

Prior to completion, the community profile will open for public review and commentary in accordance with NIST’s official process. The review period has yet to be announced. The community profile is part of a broader NIST strategy to further standardise cybersecurity protocols for the semiconductor sector, in line with profiles for other industries.

“With the committed resources and support from NIST to support SMCC working groups, we’ll be able to accelerate the development of this semiconductor manufacturing industry community profile creation,” said Brian Korn, Director for SMCC and Staff Technologist focused on Cybersecurity and Automation at Intel Foundry.

SMCC will provide cybersecurity recommendations for semiconductor manufacturing equipment, information on implementation, and updates on the development of the community profile. For more information, visit the project webpage or contact cybersecurity@semi.org.

SMCC working groups are engaged with the SEMI Standards program to create a standards-based approach supporting the semiconductor ecosystem by leveraging the program’s 50-year history of industry alignment. SMCC is currently working on developments to two cybersecurity standards:

• E187: Specification for Cybersecurity of Fab Equipment
• E188: Specification for Malware-Free Equipment Integration