Semiconductor manufacturing supply chain meeting – ICS cyber security is relevant here also

On Wednesday, April 20, 2016, I gave a presentation to a Chief Information Officer (CIO) forum representing the manufacturing supply chain for the micro- and nano-electronics industries. There were a number of interesting observations:

- The FBI gave a presentation the day before. One of the CIOs complained that the FBI did not have the requisite expertise and was not willing to share any information. Their focus was on finding and prosecuting offenders. The same FBI shortcomings occur in the control system cyber security space.

- The need to form a bond between IT and Operations was discussed. The idea of embedding IT into the manufacturing operation was raised by several of the attendees.

- There are only a limited number of ICS vendors that cross all industries and all geographic regions. The issues being discussed are not unique to the fab industry but are common to all. Consequently, the meeting and discussions would be very similar if you substitute the words “electric power”, “water”, “chemicals”, “food processing”, etc. for “semiconductor manufacturing”.

- For ICSs, the CIA paradigm is not only backward but is missing the letter “S” for safety. It turns out the equipment manufacturers use some very toxic gases, and a cyber incident could be deadly to their personnel. There was a similar revelation when I spoke to the food industry (see the March 18, 2016 blog).

- The issue of ISO27000 not being adequate for ICS was mentioned. That is why we started ISA99.

- After giving examples of actual ICS cyber incidents, one of the attendees mentioned they also had an ICS cyber incident (this is where I get many of the incidents in my database). This vendor has a lab where they build models of the equipment installed in the field. They were testing a Windows 98 system (this is common in industry, where older versions of Windows cannot be upgraded without having to replace the equipment that is using the out-of-date HMI). There was a compromise of a chip that spread throughout the system. It took about 3 months to identify and mitigate the problem. The vendor found there were layers upon layers of systems using devices that didn’t look like computers. It was a significant learning experience. I was also told this type of problem is not uncommon and not unique to any specific equipment vendor.

On April 19th, the electric utilities filed a response to FERC on why they should not have to address supply chain issues. Does that sound like a responsible answer from companies responsible for providing reliable electric power when the root of the supply chain may not be secure?

Joe Weiss

Comments

- It is important to apply the principle of granularity to comprehend the myriad ways the supply chain plays a significant and critical role in securing (and also in-securing) industrial process and production systems. Regardless of the industry vertical, embedded electronics can be found in every automation system, be it factory automation, process automation or something else. These embedded electronics are prone to attacks: malicious, intentional, unintentional, accidental, etc. The semiconductors used in building these systems can be targeted and taken over to cause physical damage such as releasing toxic waste at the wrong time and in the wrong place. Industrial devices such as valves, motors and actuators can be infected and remotely controlled by reading and over-writing the registers and coils, or critical information can even be extracted from the firmware. The bottom line is that semiconductor chips are vulnerable to cyber-attacks, hence the first step is to secure the supply chain so as to prevent intrusion and infection. Many of these electronic devices which form the core components of an ICS are common across various kinds of automation systems, hence one single vulnerability in any one kind of device can have disastrous effects across many sectors, not just one. Therefore, asset owner/operators have to ensure that their equipment suppliers, which include semiconductor manufacturers, undertake adequate measures to secure the supply chain. All stakeholders have responsibility for cyber-physical security.
