Legacy Systems Pose Broad Security Risk for Chipmakers - EETimes.pdf
Legacy Systems Pose Broad Security Risk for Chipmakers
By
Ming-Chang (Bright) Wu, SEMI Taiwan
03.15.2022
Cybersecurity is one of the most pressing issues facing the semiconductor industry. Because of the complex nature of
supply chains, cybersecurity standards and frameworks are still being developed. Legacy systems are one significant
aspect of semiconductor cybersecurity that can have major implications, yet they remain in organizational blind spots.
It is not uncommon, for example, to still find fab equipment running Windows XP. Since 2018, the global community has
worked together to come up with a new standard: Specification for Cybersecurity of Fab Equipment (SEMI E187),
released in January this year.
Legacy systems are not simply an IT issue, but a much larger problem involving
cybersecurity governance. Organizational silos must be brought together by cybersecurity
teams, aligning procurement, risk management and even finance teams to ensure
cybersecurity accountability.
Cybersecurity is one of the gravest issues facing the semiconductor industry with ongoing vulnerabilities, all while
equipment within the supply chain fails to meet cybersecurity standards. After a 2018 cyber incident hit Taiwan’s
semiconductor industry, the global chip and cybersecurity communities have worked together to develop new standards to
reduce equipment vulnerability.
A critical, but often neglected, vulnerability is legacy systems installed in equipment, including operating systems and
applications. Systems might have reached end of life, and legacy issues such as insufficient patch services could go
unnoticed with potentially catastrophic implications. The global cybersecurity supply chain issues require engagement
by chipmakers, equipment providers and probably even government regulators.
To address these vulnerabilities, the SEMI E187 standard not only covers legacy OS issues, but also addresses endpoint
protection, network security, and security logs and monitoring. When new equipment is developed, these imperatives
must be integrated under product life cycle management. For chipmakers, SEMI E187 is not only for equipment
procurement but also for equipment operation.
But without specialized individuals or standard operating procedures for equipment cybersecurity, it is not yet a daily
routine in chip fabs today. Lacking sufficient cybersecurity experience, equipment managers and operators might not be
proactive enough to suggest upgrades or purchases of more secure equipment. In a factory, those responsible for IT or
cybersecurity might not be familiar with production equipment and its cybersecurity issues. With a lack of understanding
among these organizational silos, equipment cybersecurity might become an issue that could potentially impact fab lines
and facilities for water, electricity and gas.
This scenario is a typical black swan issue, with top management not fully aware of the risks. A normal lifespan for
semiconductor equipment is over 30 years. Due to the residual value of equipment, financial officers want to maximize
profit from depreciated equipment or sell it to other fabs. Legacy systems should not remain solely in the domain of IT
teams; they also concern finance teams aiming to boost profitability. The key problem here is managing cybersecurity depreciation.
This concept should be applied to equipment both new and existing. An end-of-life system installed in new equipment
incorporates cybersecurity depreciation. For existing equipment, some protective devices such as equipment firewalls
are still necessary. Legacy system issues need to be fully addressed by board members with a constructive dialog
between chief officers of information security and finance.
— Ming-Chang (Bright) Wu, a founding member of the Cybersecurity Committee at SEMI Taiwan, currently works as a
cybersecurity risk management consultant.