Semiconductor Equipment Security: Virus and Intellectual Property Protection Guidelines Harvey Wohlwend harvey.wohlwend ismi.sematech.


Semiconductor Equipment Security: Virus and Intellectual Property Protection Guidelines

Harvey Wohlwend
harvey.wohlwend ismi.sematech.org

Advanced Materials Research Center, AMRC, International SEMATECH Manufacturing Initiative, and ISMI are servicemarks of SEMATECH, Inc. SEMATECH, the SEMATECH logo, Advanced Technology Development Facility, ATDF, and the ATDF logo are registered servicemarks of SEMATECH, Inc. All other servicemarks and trademarks are the property of their respective owners.

Two Key Elements of Security

- System Integrity due to Network integration of equipment is required
  - Highly integrated network likely to get cyber attacks
  - Cyber attacks are growing
- Intellectual Property (IP) due to Business integration of various roles
  - process, yield, equipment engineering, industrial engineering, field service, equipment design, factory automation, etc.
  - Joint Development
  - OEMs and IC makers working in compensatory environments

[Figure: Sources of Vulnerability. Labels: Automation Apps, Removable Media, Utility PC, Vendor Systems, Remote Diagnostics, Direct to Tool, Office PC]

Shrinking Time to Vulnerabilities

[Chart: Days between patch and exploit. Worms shown: Nimda, SQL Slammer, Welchia/Nachi, Blaster, ZoToB. Values shown: 331, 180, 151, 25, 0. Legend: Vulnerability reported, patch in progress; Bulletin and patch available, no exploit; Exploit code in public; Worm in the world]

"there is no more patch window," wrote Johannes Ullrich, Chief Research Officer at the SANS Internet Storm Center. "Defense in depth is your only chance to survive the early release of malware."

Zero Day Attack: Vulnerability exploited before it was reported to the rest of the security community

Virus Protection Guidelines

- An ISMI and member company working group reviewed the issues and requirements and established guidelines to address semiconductor equipment security for IC makers and equipment suppliers
- Established guidelines at factory network and equipment level
- Describe capabilities to successfully integrate equipment into an IC maker's intranet, including
  - Guidelines based on standard capabilities
  - Configuration guidelines for the IT personnel for components such as network equipment, computers, operating systems, and products
  - Security design guidelines for equipment application architects and designers

IC Maker Guidelines

- Use firewalls in the IC maker factory network to control access
- Provide proxies for communications between equipment and factory
  - Proxies provide virus protection capabilities
- Institute business process for local equipment users
  - Backup and recovery procedures
  - Scanning of removable media (memory sticks, floppies, CDs, etc.)
  - Security requirements for mobile devices (laptops, PDA, tablets, etc.)
- Infrastructure for anti-virus protection

Equipment Supplier Guidance

- Institute business process
  - Backup and recovery procedures
  - Procedures and training for field service engineers
- Hardened computer configurations
  - Strong password, non-blank password, etc.
  - No public network shares
  - Avoid installing or enabling unnecessary programs and services on equipment (e.g., telnet, ICMP, FTP)
  - Support applications running with minimum privileges
  - Wherever applicable, equipment runs independently of each other from network perspective
- Support logging and audit of security-related configuration changes
  - Record all security related errors

Equipment Supplier Guidance (cont'd)

- For new equipment, provide operating systems and anti-virus capabilities that are in the currently supported phase of their life cycle
- Security software upgrade support for equipment is optional and provided as a service for interested IC makers
  - The service details include qualification and support for operating system, applications, and anti-virus capabilities
  - The IC maker and the equipment supplier shall agree upon the frequency of security updates
- Network security layer 3 device for equipment (optional)
  - Allow only controlled access to / from equipment
  - Additional packet filtering and firewall technology for equipment
- Wireless: Not Allowed
  - Equipment internal wireless networks / LAN replacements
  - Wireless networks between equipment
- Wireless: Allowed
  - Factory components (e.g., ID readers) and equipment

2007 Virus Protection Guidelines Update

Best Known Methods

- Network Security
  - Create equipment security model
  - Create mapping of security to equipment groups,
- Port Security
  - New equipment installation
  - Move equipment to a known location,
- Virus Management
  - Support network segmentation (links to network BKMs)
  - Shut down unneeded network ports at the tool,
- Patch Management
  - Identify patching candidates
  - Create software upgrade plan,

Virus Protection vis-à-vis System Integrity

[Figure: Vulnerability Paths into a factory with 100s of tools (HSMS enabled process tool; System Integrity). Labels: Field service laptops, Remote diagnostics, Automation apps, Removable media, Direct to tool, Utility PC, Office PC]

- 2007 update includes IC maker best known methods for cyber security, shows greater IC maker synergy and sharing
- IC makers have significantly matured in handling cyber attacks on equipment
- Most IC makers are using two or more methods to handle cyber security for equipment

Time to move on to other challenges

Equipment Security Roadmap

[Figure: roadmap. Labels: 2004-2007; 2007 Onwards; 2005 ITRS Update]

We are at an inflection point

Ongoing Equipment Security Needs

- R&D is a key element of business and operating strategy in semiconductor industry
  - IC maker focus on the process and end products
  - OEM focus on the equipment for the process
- Collaboration is a mega trend
  - Moving to a new technology node, shared cost model
  - Results in more sharing of data, e.g., design data, recipe data, test data, equipment data, wafer characterization, contamination data, yield data, cycle time, etc.
- Operational challenges
  - Environmental: System integrity due to cyber attacks
  - Manufacturing: IP sharing due to defects, yield, throughput and reliability issues
  - Financial: IP sharing due to joint development
- Challenge: How can IC makers and OEMs create a balance between protecting their investments and sharing IP for operations?

Equipment IP Protection

- IP Protection Requirements for member companies have been collected and jointly analyzed
- Key observations from requirements:
  - IP protection currently enforced by business process such as NDAs with scant technology support
  - Only a few objects need to be protected (limited depth scope)
  - Role-based security needed for specific IP-laden objects
  - Didn't focus on tool operations (limited breadth scope)
  - Some areas are more applicable than others
  - Some timeframes are more applicable than others
  - There are many Use Cases: Tool Down/Repair, ICM-ICM Collaboration, ICM to foundry, ICM Nth & N+1th Gen separation
- Approach: Created a multi-faceted security framework using e-diagnostics security architecture
  - Tiered architecture provides rich set of comprehensive security capabilities
- The need for risk and control management is increasing
- IP protection guidelines are based on business requirements

Equipment IP Protection Strategy

- Key Concept: IP protection needs to be part of equipment software and not only a business process
- Identify key software security technologies such as role-based security
- Leverage existing software security architecture in equipment area (e-diagnostics lineage)
- Identify Use Cases for different business models, e.g.,
  - IC Maker-IC Maker collaborations
  - IC Maker-Supplier collaborations
  - IC Maker (N+1)th & Nth process generation handling
  - IC Maker-Foundry collaborations
  - Tool end-of-life
- Identify functional areas and times where IP protection is not relevant
- Pilot IP protection guidelines through OEM implementation
- Educate and reinforce industry needs for IP protection and current risks
- Supplier implications:
  - Incremental change required to the equipment controls software to add role-based security to a small set of files and directories
  - User / group access to IP based on Need to Know
  - Sharing / control of IP is automated through software (as opposed to manual) and can be dynamic depending upon business conditions
  - Automatic software-based user accounting and auditing
  - Ability to turn off security when not needed, but in controlled manner
- Technology is available today to solve equipment IP problems!
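
The supplier implications listed above (role-based security on a small set of files and directories, need-to-know access that can change with business conditions, automatic accounting and auditing, controlled turn-off) can be sketched as follows. This is an added example, not ISMI's or any supplier's code; the `IPGuard` class, the role names, the directory paths and the integer timestamps are all assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass, field

@dataclass
class IPGuard:
    protected: dict                               # directory -> roles with standing access
    enforcing: bool = True
    grants: dict = field(default_factory=dict)    # (user, directory) -> expiry time
    audit: list = field(default_factory=list)     # every decision is recorded

    def _log(self, now, actor, action, target, outcome):
        self.audit.append((now, actor, action, target, outcome))

    def _match(self, path):
        path = posixpath.normpath(path)           # collapse ../ before matching (absolute paths assumed)
        return next((d for d in self.protected
                     if path == d or path.startswith(d + "/")), None)

    def grant(self, now, admin, admin_roles, user, directory, until):
        # Time-boxed need-to-know access, e.g. for a tool-down repair.
        ok = "security_admin" in admin_roles and directory in self.protected
        if ok:
            self.grants[(user, directory)] = until
        self._log(now, admin, f"grant:{user}", directory, "ok" if ok else "refused")
        return ok

    def set_enforcing(self, now, admin, admin_roles, enabled, reason):
        # Controlled turn-off: needs the admin role and a stated reason, and is audited.
        ok = "security_admin" in admin_roles and bool(reason.strip())
        if ok:
            self.enforcing = enabled
        self._log(now, admin, f"enforcing={enabled}", reason, "ok" if ok else "refused")
        return ok

    def can_read(self, now, user, roles, path):
        d = self._match(path)
        if d is None:
            why = "unprotected"                   # most tool files are out of scope
        elif not self.enforcing:
            why = "enforcement-off"
        elif set(roles) & self.protected[d]:
            why = "role"
        elif self.grants.get((user, d), -1) >= now:
            why = "grant"
        else:
            why = "denied"
        self._log(now, user, "read", path, why)
        return why != "denied"

# Constructed sample policy: only two IP-laden directories are protected.
guard = IPGuard({"/tool/recipes": {"process_engineer"},
                 "/tool/yield": {"process_engineer", "yield_engineer"}})
```

A field service account with no standing role is denied on `/tool/recipes/...` until a security administrator issues a grant, and loses access again once the grant's expiry time has passed.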

2007 Equipment Security Summary

- Objective:
  - Strengthen the Equipment Virus Protection Guidelines due to complex network connectivity requirements
  - Drive the need to protect IP within equipment among IC makers and create industry-level guidelines
- Benefits:
  - Protects stakeholder financial investments in the technology
  - Enables factory-wide standardized IP protection and cyber security
  - Strengthen the enforcement of NDA through technology
  - Provides clear operating procedures for IP protection and cyber security for situations such as troubleshooting, joint design, technology transfer, sub-contracting, etc.

[Figure: Need for Cyber Security (ISMI Guidelines Provided!) and Need for Equipment IP Protection (2007 Project Focus). Labels: Automation Apps, Vendor Systems, Direct to Tool, Removable Media, Office PC, Utility PC, Remote Diagnostics]

Summary

- e-manufacturing and collaboration era brings need for enhanced security
- e-diagnostics Guidelines define security framework
- Interface A standards define equipment-level security (SEMI E132 Equipment Client Authentication and Authorization)
- Interface C defines moving data securely from the factory to supporting organizations
- ISMI Virus Protection Guidelines published, ismi.sematech.org/docubase/abstracts/4567ceng.htm
- ISMI IP Protection Guidelines being published
- Development of security framework is central to the solution space
- Need collaboration from all ICMs and OEMs