Semiconductor Equipment Security: Virus Protection Guidelines

Transcription

1 Semiconductor Equipment Security: Virus Protection Guidelines Harvey Wohlwend harvey.wohlwend ismi.sematech.org SEMATECH, the SEMATECH logo, AMRC, Advanced Materials Research Center, ATDF, the ATDF logo, Advanced Technology Development Facility, ISMI and International SEMATECH Manufacturing Initiative are servicemarks of SEMATECH, Inc. All other servicemarks and trademarks are the property of their respective owners.

2 Agenda Background Purpose / Scope Process Equipment Security Goals Security Risks / Source of Vulnerabilities IC Maker Guidelines OEM Guidelines Summary 11/28/2005 j://stdpres/template.pot Slide 2

3 Cyber Security Risks Slammer Lovegate Sendmail Sobig Blaster Sasser Nachi # Instances Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan'03 Feb Mar April May June July August September October November December SAS Virus Alerts # of High Risk Assessments Cyber threats are growing at alarming rate High rate of critical vulnerabilities (5-10 patches/quarter) Significant business impact during attacks Shrinking time between vulnerability and attacks (< 1 month) 11/28/2005 j://stdpres/template.pot Slide 3

4 Shrinking Time to Vulnerabilities Vulnerability reported; Patch in progress Bulleting and patch available; No exploit Exploit code in public Worm in the world Days between patch and exploit there is no more patch window," wrote Johannes Ullrich, chief research officer at the SANS Internet Storm Center, "Defense in depth is your only chance to survive the early release of malware." Nimda Nimda SQL SQL Slammer Slammer Welchia/ Welchia/ Nachi Nachi 25 Blaster Blaster 0 Zero Day Attack: Vulnerability exploited before it was ZoToB ZoToB reported to the rest of the security community 11/28/2005 j://stdpres/template.pot Slide 4

5 Sources of Equipment Vulnerability Automation Applications Service Laptops Removable Media Direct to tool Direct Connections Utility PC Remote-Diagnostics Office PC Network connectivity and direct human interaction is main path of cyber infections 11/28/2005 j://stdpres/template.pot Slide 5

6 Purpose / Scope ISMI and Member Company Working Group reviewed the issues and requirements and established guidelines to address semiconductor equipment security for IC Makers and Equipment suppliers Establish guidelines at factory network and equipment level Describe capabilities to successfully integrate equipment into an IC Maker s Intranet, including: Guidelines based on standard capabilities Configuration guidelines for the IT personnel for components such as network equipment, computers, operating systems, and products Security design guidelines for equipment application architects and designers 11/28/2005 j://stdpres/template.pot Slide 6

7 Out of Scope Recommend products or services Endorse or advocate security business models Use cost estimations in the recommendations Recommend deviations from these guidelines based on individual company policies and practices 11/28/2005 j://stdpres/template.pot Slide 7

8 Goals: Protect Equipment from Unsolicited virus infections from any place in the network Network-based denial of service from worm-based attacks Exploitation of weaknesses in equipment computer software 11/28/2005 j://stdpres/template.pot Slide 8

9 IC Maker Guidelines Best Practices Use firewalls in the IC Maker Factory Network to control access Provide proxies for communications between equipment and factory Proxies provide virus protection capabilities Institute business process for local equipment users Backup and recovery procedures Scanning of removable media (memory sticks, floppies, CDs, etc.) Security Requirements for mobile devices (laptops, PDA,Tablets, etc.) Infrastructure for anti-virus protection 11/28/2005 j://stdpres/template.pot Slide 9

10 Equipment Supplier Guidance Institute business process Backup and recovery procedures Procedures and training for field service engineers Hardened Computer configurations Strong password, non-blank password, etc. No public network shares Avoid installing or enabling unnecessary programs and services on equipment (e.g., telnet, ICMP, FTP) Support applications running with minimum privileges Wherever applicable, equipment runs independently of each other from network perspective Support logging and audit of security related configuration changes Record all security related errors 11/28/2005 j://stdpres/template.pot Slide 10

11 Equipment Supplier Guidance (cont d) For new equipment, provide operating systems and anti-virus capabilities that are in the currently supported phase of their life cycle Security software upgrade support for equipment is optional and provided as a service for interested IC Makers. The service details include qualification and support for operating system, applications, and anti-virus capabilities The IC Maker and the equipment supplier shall agree upon the frequency of security updates Network Security layer 3 device for equipment (Optional) Allow only controlled access to/from equipment Additional packet filtering and firewall technology for equipment Wireless: Not Allowed Equipment internal wireless networks / LAN replacements Wireless networks between equipment Wireless: Allowed Factory components and equipment 11/28/2005 j://stdpres/template.pot Slide 11

12 Field service laptops Remote diagnostics Utility PC Vulnerability Paths Automation Apps Office PC Removable media HSMS enabled Process tool Factory with 100 s of tools Direct to tool SECURITY Safeguard against viruses Isolate, Segment, and Lockdown approach Isolate fab network from rest of company Segment tools and lock down Business processes to address removable media risk Keep current approach Keep patching equipment software to stay up-to date Use anti-virus to prevent infections Staying current system for tool management 11/28/2005 j://stdpres/template.pot Slide 12

13 Summary e-manufacturing era brings need for enhanced security Interface A standards define equipment level security Interface C defines moving data securely from the factory to supporting organizations ISMI Virus Protection Guidelines published Provides IC Maker best practices you should use Gives guidance to equipment suppliers on expectations and requirements Virus Protection, B-ENG, ismi.sematech.org/docubase/abstracts/4567beng.htm 11/28/2005 j://stdpres/template.pot Slide 13