Semiconductors are increasingly playing a role in securing IT infrastructure at the hardware level while also being more likely to be a target of bad actors, prompting SEMI to create a strategic roadmap for cybersecurity implementation throughout the industry.

In partnership with the National Institute of Standards and Technology (NIST), the SEMI Semiconductor Manufacturing Cybersecurity Consortium (SMCC) will develop a semiconductor manufacturing industry profile for NIST Cybersecurity Framework 2.0 to serve as the foundation for the roadmap, which is expected to be published by NIST in mid-2025.

In a briefing with EE Times, Jennifer Lynn, working group chair of SMCC and semiconductor cybersecurity lead at IBM Research, said the roadmap will illuminate the specific challenges of the semiconductor industry and add to the NIST cybersecurity framework that’s been around since 2014 and was recently updated. “We have so many unique challenges, particularly in the area of legacy equipment and hardware,” she said.

A key challenge is that even brand-new equipment can be legacy hardware that meets functional requirements for a system but doesn’t reflect today’s cybersecurity reality, which leads to a red light on an IT security dashboard, Lynn said. “When you look at the piece of equipment itself, it’s running fine. But over time, the software or even hardware can be introducing additional vulnerabilities. Time goes by, so that’s really the challenge.”

SEMI has standards to address that specific problem, Lynn said, but it wants to tackle that among other things through the NIST cybersecurity framework.

Operational technology presents a whole host of challenges from a security perspective because it means that monitoring systems for toxic gas detection, for example, can be tampered with and lead to physical harm, so the SEMI initiative will be addressing semiconductor security through that lens, Lynn said.

She said there are already many organizations in the semiconductor ecosystem that have already adopted the NIST cybersecurity framework over the years even though it’s voluntary. “It is a fantastic tool to manage, address and communicate your risks internally to your organization.”

Lynn said SEMI is trying to help existing adopters to improve on the legacy front to mitigate risks, as well as bring on those who have never used the NIST cybersecurity framework, which is U.S.-only, but SEMI sees it as a base layer. “We take it a little bit further and give some additive advice and guidance,” she said, adding that the long-term goal is to map it to the European Cyber Resiliency Act.

Lynn did clarify that this initiative does not relate to anything in the actual chip design or intellectual property of vendors making them.

SMCC will provide cybersecurity recommendations for semiconductor manufacturing equipment, information on implementation and updates on the development of the community profile.

The community profile will open for public review and commentary in accordance with NIST’s official process prior to completion, although the review period has yet to be announced.

SEMI already has E187: Specification for Cybersecurity of Fab Equipment and E188: Specification for Malware-Free Equipment Integration. “Partnering with NIST just enhances what we’re doing,” Lynn said.

The integrity of manufacturing equipment as well as semiconductor hardware such as memory has become increasingly important with the exponential growth of IoT devices, connected vehicles and generative AI.

AI workloads represent valuable intellectual property, which means the memory and storage devices that store them must have robust security so that data can’t be stolen or corrupted. Many networking and memory technologies have built-in security features—SSDs have long had the ability to encrypt data. However, it’s critical that users are educated on how to effectively implement them.

Security can’t hinder performance either, which is why companies such as Nvidia have developed a purpose-built data processing unit to offload, isolate, accelerate and secure data center infrastructure services so that CPUs and GPUs can focus on running and processing large volumes of workloads for AI and other data center applications.

By: DocMemory
Copyright © 2023 CST, Inc. All Rights Reserved