Legacy Software Is Not an IT Issue, But an Issue of Cybersecurity Depreciation
By Ming-Chang Wu, SEMI.org
In January 2022, SEMI Taiwan released SEMI E187 – Specification for Cybersecurity of Fab Equipment. Through the joint effort of global SEMI members, the specification was finalized after extensive deliberations, more than 100 questions from SEMI members globally and through three rounds of voting over a three-year period. What cybersecurity pain points does SEMI E187 ultimately address?
Legacy software is a security vulnerability across the global semiconductor industry. Even when the hardware is still sound, the software reaches the end of its product lifecycle and stops receiving patches, the End of Life (EoL) or End of Service (EoS) state that is routine in the software industry. Under the traditional one-time-purchase sales model, however, fab equipment software remains functionally workable at EoL, so top management often concludes that there is no problem with the equipment and therefore no need to upgrade or replace it.
With the lifecycle of semiconductor equipment reaching up to 40 years, the cybersecurity depreciation issue cannot be underestimated. A semiconductor fab typically runs at least 20 operating system versions, and on average one or two of them reach EoL each year. Windows XP, for example, was launched in 2001 and stopped receiving patches in 2014, yet the operating system (OS) continues to be installed on new semiconductor equipment. Other operating systems have even shorter lifecycles, with patch services ending after four to six years on average. Semiconductor equipment therefore typically hits OS cybersecurity depreciation early, while the hardware itself has yet to depreciate and still carries a high salvage value.
The cybersecurity issue of equipment cannot be tackled by a single company alone, as it requires inter-departmental and enterprise-wide actions, involving not only operating systems providers but also application providers throughout the semiconductor equipment supply chain. SEMI E187 covers endpoint protection, operating system, network security and security records and monitoring, which are all cybersecurity issues long overlooked in semiconductor equipment systems and applications. SEMI E187 helps strengthen cybersecurity in new equipment by defining fab equipment procurement cybersecurity requirements as a way of allowing equipment providers to incorporate Security by Design during the R&D of new fab equipment.
What about legacy software on fab equipment that is still within its lifecycle? For equipment lacking cybersecurity protection, whitelisting the specific peers a piece of equipment may connect to may be a solution. Simply put, whitelisting is like issuing a pass: the equipment may only connect to a pre-approved network, making it harder for attackers to reach the equipment through the network. However, if the whitelist is configured on the equipment itself, a software update may reset the settings to their defaults and erase the whitelist. If a firewall is installed in front of the equipment, the firewall's whitelist can instead be used to control access to the equipment. As new equipment compliant with SEMI E187 gradually comes online, firewalls reaching the end of their lifecycle can gradually be replaced.
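As an added example (not part of the original article and not taken from SEMI E187), the script below expresses such a whitelist as a default-deny iptables ruleset and then re-checks a firewall dump against the same allowlist, which is the control a practitioner wants for the failure mode described above: a vendor update silently resetting the firewall to defaults. The peer names, addresses and ports are constructed, and the iptables-save text format is assumed for the firewall dump.

```python
"""Allowlist as a default-deny iptables ruleset, plus a drift check.

Added example for the whitelisting discussion; equipment names, addresses
and ports are constructed, not taken from SEMI E187 or a real fab.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Peer:
    name: str   # descriptive label only
    addr: str   # IPv4 address of the pre-approved peer
    proto: str  # "tcp" or "udp"
    port: int   # port on this equipment the peer may reach


# Constructed allowlist: the only peers this tool is permitted to accept.
ALLOWLIST: Tuple[Peer, ...] = (
    Peer("host-controller", "10.10.1.5", "tcp", 5000),   # equipment-to-host link
    Peer("patch-server", "10.10.1.20", "tcp", 445),
    Peer("syslog-collector", "10.10.1.30", "udp", 514),
)

# Baseline rules every ruleset carries besides the per-peer allow rules.
BASE_ACCEPT_RULES = (
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
)


def allow_rule(p: Peer) -> str:
    """One INPUT accept rule for a single pre-approved peer."""
    return f"-A INPUT -s {p.addr}/32 -p {p.proto} --dport {p.port} -j ACCEPT"


def build_ruleset(allowlist: Tuple[Peer, ...] = ALLOWLIST) -> str:
    """Return an iptables-restore style ruleset with a DROP policy on INPUT."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        *BASE_ACCEPT_RULES,
        *(allow_rule(p) for p in allowlist),
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


def check_ruleset(dump: str, allowlist: Tuple[Peer, ...] = ALLOWLIST) -> List[str]:
    """Compare an iptables-save dump with the allowlist; return findings (empty = OK).

    Detects a lost default-deny policy, missing per-peer rules, and any
    extra INPUT accept rules that are not on the allowlist.
    """
    findings: List[str] = []
    lines = [l.strip() for l in dump.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]

    policy: Optional[str] = next(
        (l.split()[1] for l in lines if l.startswith(":INPUT ")), None)
    if policy != "DROP":
        findings.append(f"INPUT policy is {policy!r}, expected DROP (default-deny lost)")

    present = set(lines)
    for p in allowlist:
        if allow_rule(p) not in present:
            findings.append(f"missing allow rule for {p.name} ({p.addr} {p.proto}/{p.port})")

    expected = set(BASE_ACCEPT_RULES) | {allow_rule(p) for p in allowlist}
    for l in lines:
        if l.startswith("-A INPUT") and l.endswith("-j ACCEPT") and l not in expected:
            findings.append(f"unexpected accept rule: {l}")
    return findings


# Constructed dump of what the firewall looks like after a vendor update
# restored factory defaults: everything accepted, allowlist gone.
RESET_DUMP = """# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


if __name__ == "__main__":
    print(build_ruleset())
    for finding in check_ruleset(RESET_DUMP):
        print("DRIFT:", finding)
```

Run the check after every vendor update, reboot or maintenance window on the equipment or its front-end firewall, and alert on any non-empty result; the allowlist data structure, not the iptables syntax, is the part worth keeping when the same control is expressed for a different firewall.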
The promotion of SEMI E187 is not just the responsibility of the procurement department. The process of implementing SEMI E187 into enterprises epitomizes the formulation process of this standard. Enterprises seeking to implement SEMI E187 must consider the views and concerns of various departments, from equipment management, IT and cybersecurity to procurement and production line engineers.
Equipment managers often believe that equipment cybersecurity is not part of their role or a key performance indicator (KPI), and IT and cybersecurity staff likewise do not see fab equipment cybersecurity as their responsibility. At the same time, procurement staff look to the IT or cybersecurity departments to provide equipment cybersecurity specifications. The result is a gap in cybersecurity monitoring and mitigation for equipment and supply chain issues, which very easily becomes a no man's land within the company. From the perspective of equipment cybersecurity procurement, SEMI E187 establishes a foundation for global cybersecurity compliance across the equipment supply chain.
Proving that equipment is virus-free during implementation is the first step. Some providers have been part of that discussion with the SEMI Taiwan Cybersecurity Committee from the outset. An industry-led discussion is key to ensuring collaboration and workable solutions; gathering opinions and participating in committee meetings positions providers at the forefront of understanding both the issues and being part of the solutions.
Since 2018, equipment manufacturers' customers have increasingly required them to provide virus-free certifications when delivering new equipment. Simplifying SEMI E187 to a proof that equipment is virus-free would help equipment providers and their customers take that first step.
References
Wu, M.C., "Legacy Systems Pose Broad Security Risk for Chipmakers," EE Times (2022). https://www.eetimes.com/legacy-systems-pose-broad-security-risk-for-chipmakers/
Wu, M.C., "Key Implementation Challenges on International Cybersecurity Standards and their Supportive Management Resources," ISSA Journal (November 2021). https://www.issa.org/
Wu, M.C., "Emerging Standard Helps Address Cybersecurity," Standards Watch (March 2021), SEMI. www.semi.org/en/standards-watch-2021March/tw-cybersecurity
Note: The Chinese version of this article was published in Bloomberg Businessweek in February 2022.
About the Author
Ming-Chang (Bright) Wu is a founding member of the Cybersecurity Committee at SEMI Taiwan and has served on the task force drafting SEMI E187 since 2018. He is a qualified speaker for the Taiwan Corporate Governance Association. His book on resilience was selected as a 2020 "Book of the Month" by the National Academy of Civil Service in Taiwan. He is now helping to localize SEMI E187, NIST CSF and ISA/IEC 62443 in Taiwan. Bright Wu can be reached on LinkedIn.