Your phone. Your car. Your thermostat. Your tablet, laptop, and desktop. Virtually all of today’s electronic technology depends on semiconductors, specifically integrated circuits. WannaCry swept the world in 2017, but it was in August 2018 that a variant of it reached Taiwan Semiconductor Manufacturing Company (TSMC), the largest semiconductor foundry in the world, forcing TSMC to halt production at several fabs for about three days and costing it an estimated 171 million USD, CommonWealth reports. The infection was not targeted: it entered through a new tool that was connected to the fab network without first being scanned and patched. SEMI, the global industry association of electronics manufacturing and supply-chain companies, was alarmed. The time for casual attitudes toward cybersecurity hygiene was over.
“Every company is one bad click away from a business altering incident.” – Chad Duffy, CyCraft Global Product Manager
The member list of SEMI, formerly known as Semiconductor Equipment and Materials International, has exceeded 2,000 corporate members and includes industry leaders such as Audi AG, Volkswagen AG, Sony Corporation, Samsung, Intel, and JP Morgan Securities Japan.
Since 1973, the members of SEMI have worked to create international (or regional) industry standards covering everything from silicon wafer specifications to factory health and safety. A SEMI New Activity Report Form (SNARF) is the numbered document that proposes and scopes a new SEMI standard, or a revision to an existing one, for development by SEMI members through the SEMI Standards program. Since last year, CyCraft and several other SEMI members have been in detailed talks over what may be one of the most influential SEMI documents of the 21st century: SNARF 6506, New Standard Specifications for Computer System Security of Fab Equipment.
With over 1.3 million professionals served across its member companies, modernizing the networks of an ecosystem that size is a big ship to turn; however, failure to do so is not an option. Since the Maroochy Water breach in 2000 (where a cyberattack caused the release of more than 265,000 gallons of untreated sewage), ICS cyberattacks have been increasing in frequency and severity. Attacks have escalated from the lone hackers of the Mitnick era to state-sponsored operations, highlighted by Stuxnet in 2010, Havex in 2013, the Ukraine power grid in 2015 and again in 2016, the Triconex safety-system breach of 2017, and the 2019 denial-of-service incident against a US grid operator.
SEMI members need an extensive overhaul and modernization of their cybersecurity; however, ICS networks and endpoints present a wide range of unique challenges. Chad Duffy, CyCraft Global Product Manager, explains.
“These challenges are present due to industry constraints – not just tech limitations. One of the biggest security issues in manufacturing is integrating modern AI-driven solutions, like ours, into legacy hardware and software. This presents unique challenges. Hardware diversity and high availability are some of the main concerns of ICS. PLCs don’t offer the same computing environments as full operating systems, leading to different approaches to security than we see in office IT environments; and upgrading every OS patch could cost companies millions of dollars in downtime – which isn’t an option given the industry’s competitive environment. This leads to legacy solutions, even those way past their end-of-life date, still being in use; hackers, who continue to find bugs and develop new techniques, can thrive in this terrain, so it’s paramount that we work with organizations like SEMI to find the best middle ground to better achieve security goals for the industry.” – Chad Duffy, CyCraft Global Product Manager
For the last 30 years, SEMI members and other ICS operators have been following the Purdue Enterprise Reference Architecture, often simply called “the Purdue Model”. This model for enterprise architectures incorporating computer-integrated manufacturing was designed by Theodore J. Williams and the Industry-Purdue University Consortium in the early 1990s.
The hierarchical nature of these reference models of the 80s and 90s is still a useful tool for discussing taxonomy and classification; however, the more ICS integrate IoT devices and cloud-based networking, the more outdated the Purdue Model becomes, especially in terms of security. The Manufacturing Automation Protocol (MAP) and the token bus network protocol, which the original Purdue Model documents discussed at length, were never widely adopted and lost out to the then-contemporary Ethernet standard. Enterprise network architecture has evolved; it is time for ICS networks to make an evolutionary jump into the 21st century.
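To make the point about the Purdue Model concrete, here is an added illustration of the kind of check a practitioner could run against a flow inventory. It is not code from SEMI, CyCraft, or SNARF 6506: the level numbering, the rule that traffic should only cross adjacent levels with Level 3.5 (the industrial DMZ) brokering plant-to-enterprise traffic, and the sample flows are all assumptions made for the example. It shows both what the model still does well (flagging a PLC talking directly to the ERP) and what it cannot place at all (a cellular IoT sensor that reports straight to a vendor cloud and has no level in the hierarchy).

```python
# Added illustration of a Purdue-level flow check. Not code from SEMI,
# CyCraft or SNARF 6506; levels, adjacency rule and flows are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Purdue levels as ICS practitioners usually draw them; 3.5 is the
# industrial DMZ between the plant (<= 3) and enterprise IT (>= 4).
LEVELS = {
    0: "process (sensors, actuators)",
    1: "basic control (PLCs, RTUs)",
    2: "area supervisory control (HMI, SCADA)",
    3: "site operations (historian, MES)",
    3.5: "industrial DMZ",
    4: "enterprise IT",
    5: "internet / cloud",
}

# Pairs of levels between which direct traffic is expected by the model.
ADJACENT = {(0, 1), (1, 2), (2, 3), (3, 3.5), (3.5, 4), (4, 5)}


@dataclass(frozen=True)
class Flow:
    src: str
    src_level: Optional[float]  # None: device has no place in the hierarchy
    dst: str
    dst_level: Optional[float]


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'violation' or 'unmodelled'."""
    if flow.src_level is None or flow.dst_level is None:
        return ("unmodelled", "endpoint has no Purdue level (e.g. cellular IoT)")
    lo, hi = sorted((flow.src_level, flow.dst_level))
    if lo not in LEVELS or hi not in LEVELS:
        return ("unmodelled", f"unknown level {lo}/{hi}")
    if lo == hi:
        return ("ok", f"intra-level traffic at level {lo}")
    if (lo, hi) in ADJACENT:
        return ("ok", f"adjacent levels {lo} -> {hi}")
    if lo <= 3 and hi >= 4:
        return ("violation", "plant-to-enterprise traffic bypasses the DMZ")
    return ("violation", f"skips intermediate level(s) between {lo} and {hi}")


def audit(flows: List[Flow]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group flows by verdict: {verdict: [(src, dst, reason), ...]}."""
    report: Dict[str, List[Tuple[str, str, str]]] = {
        "ok": [], "violation": [], "unmodelled": []
    }
    for f in flows:
        verdict, reason = classify(f)
        report[verdict].append((f.src, f.dst, reason))
    return report


# Constructed sample flows for the example; not captured from any real fab.
SAMPLE_FLOWS = [
    Flow("plc-etch-01", 1, "hmi-etch", 2),                      # expected
    Flow("historian", 3, "dmz-relay", 3.5),                     # expected
    Flow("hmi-etch", 2, "vendor-cloud.example", 5),             # bypasses DMZ
    Flow("plc-etch-01", 1, "erp.corp.example", 4),              # bypasses DMZ
    Flow("vibration-sensor-lte", None, "vendor-cloud.example", 5),  # no level
    Flow("sensor-temp-07", 0, "hmi-etch", 2),                   # skips level 1
]

if __name__ == "__main__":
    for verdict, entries in audit(SAMPLE_FLOWS).items():
        for src, dst, reason in entries:
            print(f"{verdict:10} {src} -> {dst}: {reason}")
```

The "unmodelled" bucket is the interesting one for the argument above: a firewall rule set built purely on Purdue levels has nothing to say about a device that never appears in the hierarchy, which is exactly the gap that IoT and cloud-connected equipment open up.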
This isn’t to say that cybersecurity for ICS, SCADA, or DCS has stayed static since the 1990s, far from it. In 2011, the National Institute of Standards and Technology (NIST, formerly the National Bureau of Standards) released NIST Special Publication 800-82, which was revised in 2013 and again in 2015. The ISA99/IEC 62443 series of standards, originally developed by the ISA99 committee and then adopted by the International Electrotechnical Commission (IEC), provides an even more flexible framework for addressing and mitigating known security vulnerabilities in Industrial Automation and Control Systems (IACS). With both of these standards laying the groundwork and CyCraft consulting, SEMI’s first draft of SNARF 6506 should be released on schedule.
SNARF 6506 will address the issues of the aging Purdue Model and build a cybersecurity standard for SEMI members to help system integrators, product suppliers, and service providers of computer components of fab equipment defend against the full scope of modern threats. Each SEMI member has their own unique network structure and operational capabilities; this further complicates the standardization process.
“I think the biggest problem is end-of-service (EOS). Not being able to patch vulnerabilities in software library packages of fab equipment allows threat actors to even use off-the-shelf malware against known security vulnerabilities to ultimately cause system crashes or interrupt operations. Most fab equipment is currently unable to defend against those kinds of attacks, let alone against variations of customized ICS malware, such as STUXNET, Havex, BlackEnergy, Industroyer, or TRITON. Segmentation and whitelisting can only go so far, so we are still looking for the best practical solution to detect and respond to zero-day threats in the fab environment.” – James Lai, CyCraft Senior Cybersecurity Consultant
Indeed, the primary concern of SNARF 6506 is OS security and longevity. SEMI members will need long-term support and the capability to frequently and expeditiously maintain and update tools and equipment. SNARF 6506 isn’t only concerned with operating systems. CyCraft is also consulting SEMI members on matters of network security hardening, EPP, EDR solutions, system and equipment requirements for IT and OT security, and developing new APIs for SOCs for further security monitoring. However, this isn’t CyCraft’s first interaction with SEMI.
In 2018, CyCraft was commissioned by one of the four leading fabless semiconductor companies in the world, with over 7.7 billion USD in annual revenue and over 25 global branches, to perform a digital forensic due diligence investigation on the entire IT system of a recently acquired company. The client estimated the due diligence investigation to take several months. CyCraft completed the task in a few days, saving the billion-dollar company 95 percent of the projected cost.
SNARF 6506 is still in development and is slated for member approval in 2020. In the meantime, SEMI members have already begun the extensive process of upgrading and modernizing their ICS networks and endpoints. CyCraft is proud to consult and provide AI-driven MDR services to members of the SEMI community as securing semiconductor technology is vital for the future of the digital age.