The Biden administration’s push to revitalize U.S. manufacturing has increased efforts to onshore semiconductor production in the country. Such moves create thousands of jobs, less dependency on foreign trade partners like China and greater self-sufficiency and resilience when it comes to a critical industry.
But onshoring also opens up a host of cybersecurity issues. Semiconductor manufacturing is a major target of hackers looking to extort considerable sums out of companies, said Bob O’Donnell, president, chief analyst and founder of TECHnalysis Research.
One vulnerability that bad players target is the addition of new vendors and suppliers to a company’s supply chain.
Companies that change or move their supply networks often have little time to evaluate new partners’ vulnerabilities, including cybersecurity threats, said University of Tennessee Assistant Professor of Supply Chain Management Seongkyoon Jeong.
“Suppliers do not care about cybersecurity as much as you’d think,” Jeong said, adding that suppliers might unwittingly engage in risky behavior like entering their delivery information on a public Wi-Fi or downloading their data to a cloud that runs the risk of being hacked.
O’Donnell noted that the risks of onshoring semiconductor manufacturing are not too different from any other critical infrastructure. “Expanding the surface area” of an operation and creating new points of entry into intellectual property creates new opportunities for data leaks, he said.
When expanding a business’ size or simply changing its location, myriad risks arise from granting access to suppliers who might not do their due diligence, who might leak IP by entering delivery information or a component-related update on a public or buyer server.
Jeong cited the case of the Las Vegas casino in which a hacker used an internet-connected fish tank as an entry point to move around into other areas of the network, stressing that vulnerabilities can come from the unlikeliest of places.
On the other hand, other chipmakers might use the less subtle approach of poaching a worker who has access to desired IP. Creating a robust cybersecurity plan increasingly means creating not only technical safeguards against cyber threats, but protections against former employees walking off with valuable IP.
The consequences of leaving vulnerabilities exposed are potentially catastrophic to a semiconductor manufacturer’s operations.
“You might be able to tap into smart factories, fundamentally alter the ability of that equipment to perform like it should,“ said Amy Broglin-Peterson, a principal at Win*x Global Advisory and an adjunct professor of supply chain management at Michigan State University. That could then lead to everything from quality failures to disfunctions in technology applications for products like jetliners, Broglin-Peterson says.
"And for an industry that's as critical as semiconductors have become, you can see why there's a huge push to do this."
President, Chief Analyst and founder of TECHnalysis Research
So what can manufacturers do to safeguard against such risks?
“Start with a zero-trust approach,” said Vishal Gauri , president of the Americas of cybersecurity company Seclore. Manufacturers should start with the basics of verifying who at the company can access sensitive technology, devices and its network at large, “to bring the control of data closer and closer.”
A thorough cybersecurity audit means vetting not only primary suppliers, but also down-tier suppliers, including raw material vendors, according to Jeong. He recommends creating a supplier cybersecurity readiness scorecard to ensure a strict selection process and help evaluate the performance and effectiveness of a vendor over time.
Beyond maintaining visibility over what perimeters and networks the data passes through, Gauri stresses the importance of securing the data itself, making sure that every time a manufacturer’s data is accessed, the company can verify identity and IP addresses and encrypt or decrypt information. And importantly, a company should always be able to “revoke data retroactively,” Gauri added.
Jeong advises companies to monitor the cybersecurity and hacker landscape, by checking incident reports and hacking trends from the Cybersecurity and Infrastructure Security Agency and watchdog blogs like Hackmageddon. He added that just as important to risk mitigation will be to continually contribute to the conversation by sharing cybersecurity incidents with the SEC or even with security news sites like Krebs on Security.
"As companies and associated stakeholders have more common repositories for up-to-date issues in cybersecurity, the issue of opaque information might become better mitigated,” Jeong said.
Notwithstanding the troublesome nature of preventative cyber attacks, O’Donnell said that at the end of the day, the benefits of geographically diversifying the semiconductor supply to the U.S. and not being beholden to foreign chipmakers far outweigh the potential concerns.
“It's always better to have more choices than less,” O’Donnell said. “And for an industry that's as critical as semiconductors have become, you can see why there's a huge push to do this.”