In the spring of 2021 amidst the throes of COVID, another (related) crisis was reaching fever pitch. A global semiconductor shortage affected anyone in the market for a phone, computer, washing machine, medical device, etc. In other words, everyone. As the global chip shortage thankfully begins to recede, there are lessons to learn to help prevent a similar shortage moving forward.
One clear takeaway is the importance of bolstering resilience across the chip supply chain. Most of the attention (in part due to the CHIPS and Science Act signed into law by President Biden in August 2022) has been focused on expanding manufacturing capacity domestically and diversifying the supply chain so that it is not overly dependent on single suppliers and/or fabricators.
While those actions are important, one critical yet overlooked facet of resilience is ensuring the supply chain is digitally secure. The semiconductor supply chain is highly interconnected, with sensitive IP constantly being shared across fabs, designers, suppliers, installers, etc. This means that breaches like the ransomware attack on MKS Instruments materially impact not just MKS, but the vast web of third parties it works with. A break anywhere in the chain could result in stolen IP, delayed shipments and lost revenue everywhere in the chain. Given the highly competitive nature of the semiconductor industry, where IP is the greatest currency, security vulnerabilities in the supply chain can be incredibly detrimental. More than that, with various nations each aiming to gain an edge in the so-called “chip wars,” an insecure chip supply chain also puts the United States at greater risk of being hacked by foreign actors.
Exacerbating the issue is that the chip industry is behind when it comes to cybersecurity. For example, across the supplier ecosystem, there is often a lack of visibility into how, if, when, or by whom proprietary information is being shared. While their role in the supply chain is critical, these suppliers often don’t have the budgets for robust security programs, despite the volume and value of the confidential information they process. As the saying goes, the chain is only as strong as its weakest link, and commonly that weakest link is these suppliers.
To bolster digital security and resilience across the semiconductor supply chain, a critical first step is for organizations across the supply chain to re-orient their cybersecurity strategies. Historically, security models have primarily focused on securing networks and devices. Organizations should instead focus on securing the data itself. The significance of data-centric security lies in its ability to provide protection inside and beyond the enterprise perimeter. A data-centric approach ensures granular control, persistent protection, and comprehensive visibility over sensitive data no matter where it goes. Rather than relying on generic security measures, data-centric security allows organizations to apply specific security policies, encryption, access controls and data classification to individual data elements.
In addition, this approach can provide visibility into the supply chain, showing who is accessing the data, when they are accessing it, from which organizations and geographies, and what they are doing with it. This visibility allows equipment companies to see the depth of their supply chain, including tier-2 and tier-3 suppliers, and gives them the ability to revoke access to the data retroactively if there are concerns.
The semiconductor equipment manufacturing sector functions as the driving force behind innovations that shape the modern world. Data security is non-negotiable and an integral part of building resilience.