Securing Semiconductors and the Future of the Semiconductor Ecosystem

PK Tsung, Co-Founder & CSO of CyCraft Technology, spoke at SEMICON TAIWAN on the dangers of, and the solutions to, four common pain points targeting electronics manufacturing, design supply chain, and other SEMI member-related industries.

Taiwan companies supply roughly 63% of the global semiconductor market share.

‍

What is SEMI?

Since the 1970s, the global industry association SEMI (formerly known as Semiconductor Equipment and Materials International) has worked tirelessly to create international industry standards from silicon wafer specifications to factory health and safety for electronics manufacturers worldwide as well as adjacent industries in the supply chain.

SEMI membership has now far exceeded 2,400 corporate members and includes industry leaders such as Sony, Volkswagen, Samsung, Intel, Audi, and JP Morgan. Visit semi.org to learn more.

‍

SEMICON TAIWAN

In the last four decades, the Taiwanese semiconductor industry has reshaped the global semiconductor industry through leading-edge semiconductor technology. By 2020, Taiwan Semiconductor Manufacturing Company (TSMC) alone accounted for more than half of the entire global market.

For years now, SEMICON Taiwan, organized through SEMI, has been strengthening and smoothing collaborations between Taiwan, global microelectronics ecosystems, government agencies, academia, and research institutions.

SEMICON Taiwan has developed many successful business collaborations over the years while consistently staying true to their mission of leading technology trends, driving technology innovation, and facilitating collaboration.

Visit semicontaiwan.org to learn more.

‍

‍

At the most recent SEMICON Taiwan 2021, CyCraft continued its ongoing effort to secure the semiconductor industry by joining hands with organizations in the Semiconductor industry, other cybersecurity firms, government agencies, and academia in promoting the newly formed Semiconductor Cybersecurity Committee (半導體供應鏈資安聯盟).

‍

Identifying & Resolving Four Pain Points in SEMI Industries

As more organizations across all industries undergo digitization, each individual organization’s attack surface increases. While an individual organization’s internal networks may now have hundreds of thousands of endpoints and devices, when including the networks of their suppliers, vendors, cloud providers, and other service providers, those numbers could exceed well beyond one million over a single manufacturer’s supply chain.

Organizations in the 21st century face a unique challenge in maintaining security; as their attack surface increases, through growth and digitalization, their visibility of digital assets, as well as their capacity to monitor and assess the security of their network decreases.

In response to this, many firms have opted to deploy additional security products and controls into their defenses which commonly has had the adverse effect of reducing MTTD (mean-time-to-detect) and MTTR (mean-time-to-response) due to an overwhelmed SOC with alert fatigue.

In theory, the more security products or controls that are implemented into an organization’s defense, the more threats and risks are managed via increased visibility. In reality, increasing the number of security products or controls also increases operational costs, time overheads, and the need for expertise to manage said security products and controls. Both industry constraints and technology limitations have led to four common pain points in SEMI member-related industries.

‍

Pain Point 1

Legacy preventive solutions, such as antivirus and firewall, have failed to block ransomware attacks. Despite the many advantages provided by automated detection and response solutions, organizations across all industries typically rely solely on antivirus and firewall products. Recent trends in ransomware, such as double extortion, supply chain attacks, the specialization of the cybercriminal ecosystem, and the RaaS (Ransomware-as-a-Service) business model, have allowed underfinanced cybercriminal organizations the ability to launch ransomware attacks that are not only more effective and profitable but also more frequent.

Proposed Solution: CyCraft has developed effective digital vaccines for specific ransomware families capable of hunting, identifying, and blocking said ransomware and possible variations.

‍

Pain Point 2

Security teams have failed to detect and respond to APT-level threats. Nothing illustrates this better than the detection of Chimera — a China-based threat group that orchestrated a year-long attack campaign targeting the Taiwan semiconductor industry. While automated detection and response solutions are beneficial, these products can prove challenging when integrating with specific hardware; however, all devices and hardware need automated self-protecting mechanisms.

Proposed Solution: Rather than developing and maintaining a functional automated detection and response solution, many organizations have been working with MDR vendors to handle detection and response for them. MDR vendors with experience in protecting ICS and manufacturers, such as CyCraft, offer organizations within the semiconductor ecosystem the necessary automated cybersecurity they need to remain functional without interruption.

‍

Pain Point 3

Existing supply chain risk cannot be accurately measured. While digitization has allowed for greater efficiency and reliability within the business world, it has also significantly increased the attack surface for all organizations within one ecosystem. Recent supply chain attacks such as Solar Winds, the Microsoft Exchange Server, or Kaseya have each had a severe impact on their related industries. Organizations not only need more risk awareness but better risk assessment tools that accurately convey and triage risk to their environment.

Proposed Solution: Tools and services, such as CyCraft RiskINT, that continuously monitor dark web activity for stolen credentials of partners and associates could have prevented or mitigated attacks such as the 2021 Colonial Pipeline ransomware attack.

‍

Pain Point 4

EoS or unpatched products are still in operational use. Legacy solutions have always been a pain point of manufacturing. Endpoints running operating systems that have reached their end of life or end of service no longer receive new security patches and therefore have no way to patch newly reported vulnerabilities. This could prove exceedingly dangerous, especially when considering last year’s threat-landscape-defining vulnerabilities, such as ProxyLogon and Log4j. 2021 saw vulnerabilities increase in severity as well as in frequency, with the number of WordPress vulnerabilities more than doubling. Each Patch Tuesday is essentially a list of vulnerabilities for cybercriminals to exploit against targets running an out-of-date OS or server.

Proposed Solution: Organizations in this situation need to not only perform a major overall of their systems but need to be able to virtually patch these vulnerabilities in the interim as well as incorporate zero-day hunting capabilities into their defenses.

‍

“These challenges are present due to industry constraints — not just tech limitations. One of the biggest security issues in manufacturing is integrating modern AI-driven solutions, like ours, into legacy hardware and software. This presents unique challenges. Hardware diversity and high availability are some of the main concerns of ICS. PLC’s don’t offer the same computing environments as full operating systems, leading to different approaches to security than we see in office IT environments; upgrading every OS patch could cost companies millions of dollars in downtime — which isn’t an option given the industry’s competitive environment. This leads to legacy solutions, even those way past their end of life date, to still be in use; hackers, who continue to find bugs and develop new techniques, can thrive in this terrain, so it’s paramount that we work with organizations like SEMI to find the best middle ground to better achieve security goals for the industry.”

— Chad Duffy, CyCraft VP of Strategy

‍

The Road to Resolving Pain Points

SEMI members worldwide need to cooperate with each other as well as create and maintain uniform security standards and guidelines for all members to follow. The newly formed Semiconductor Cybersecurity Committee (半導體供應鏈資安聯盟), of which CyCraft Technology is a part of, aims and tackling this monumental task via the collaborated efforts of organizations in the semiconductor ecosystem, cybersecurity firms, government agencies, and academia.

The Semiconductor Cybersecurity Committee(半導體供應鏈資安聯盟), established by SEMI Taiwan, has been working with Taiwan companies and factories to formulate effective semiconductor cybersecurity standards.

At SEMICON Taiwan 2021, SEMI CMO and SEMI Taiwan President Terry Tsao (曹世綸) announced that January 2022 would see the launch of the new semiconductor cybersecurity standard officially regarded as SEMI E187-Specifications for Cybersecurity of Fab Equipment.

This new standard covers four major areas:

‍

• Operating System Specifications: All equipment and hardware need to use either current (non-legacy and non-deprecated) OS or long-term supported OS with security updates and tools for maintenance.
• Network-Related Security: IT personnel must be able to close unused services and monitor the use and management of high-risk TCP/UDP ports, as well as be provided configuration and setting-related instructions for all equipment and hardware.
• Endpoint Security: While detection and response capabilities are preferred, all devices need self-protection mechanisms, such as antivirus, application allowlists, and vulnerability scanning.
• Continuous Monitoring: All hardware must be able to support access control and provide functionality for continuous cybersecurity monitoring.

‍

While SEMI members are strongly advised to adhere to these guidelines, each individual organization is responsible for budgeting and upgrading their own defenses. MDR services can help enterprises reduce this added operational cost while at the same time increasing detection and response capabilities.

‍

“CyCraft strives for human-AI collaboration in cybersecurity. All our solutions — from our dark web intelligence fusion platform, RiskINT, to our endpoint detection and response Xensor agent — are driven by our CyCraft AI Virtual Analyst as well as our team of seasoned human professionals. Not only is the security and safety of the entire CyCraft customer community and their data important to us but so is creating a frictionless and intuitive user experience that puts all our customers’ cybersecurity concerns at ease. Our technology is complicated; our service isn’t.”

— PK Tsung, Co-Founder & CSO of CyCraft Technology

‍

‍

PK Tsung, CyCraft CSO & Co-Founder

Tsung Peikan (aka PK), an expert in Advanced Persistent Threat (APT) investigation and research, has extensive experience in intensive computer forensics, malware and exploit analyses, and reverse engineering. PK, specializing in cybercrime and APT investigations, worked for the Taiwan National Police Agency, Ministry of the Interior for six years, and, later, Academia Sinica for two years. PK then moved to Verint Systems Taiwan as Chief Cyber Researcher until September 2017. PK went on to co-found CyCraft Technology with Birdman Chiu and Benson Wu, where he is currently serving as Chief Security Officer (CSO).

‍

He has conducted long-term research on APTs, IoTs, as well as automotive ECU safety. For the last several years, PK has been the chairman of the Hacks In Taiwan Conference (HITCON) Reviewboard and has spoken at numerous cybersecurity and hacker conferences, including the Taiwan Network Information Center (TWNIC), BlackHat, DEFCON, Singapore SyScan Information Security Conference, HITCON, the High Tech Crime Investigation Association (HTCIA), and most recently gave a very well-received lecture at the 2021 NExt Forum: Cybersecurity Challenges in E-vehicles.