Security for Smart Manufacturing
Vision
As the electronics manufacturing industry deploys ever more sophisticated and pervasive smart manufacturing solutions, cyber-security becomes more critical. Unmitigated, the threats increase due to the following trends:
Increasing integration between manufacturing equipment and facilities on the factory floor with other enterprise systems.
Increasing integration across ever more dynamic supply chains from semiconductor fabrication to OSAT to PCBA manufacturing facilities.
Increasing volume and variety of data flows from an ever widening array of manufacturing equipment, processes, facility infrastructure, and even the products themselves as they are being integrated and tested.
Increasing intelligence and automation as that the data architecture interacts with critical assets and business information (operational, commercial and technical data with IP).
Increasing variety of hardware and software components and of their suppliers/sources in the product BOM (bill-of-materials).
Essentially, there are more opportunities for cyber-based attacks and individual opportunities have greater potential to lead to larger-scale damages and losses.
Scope
The coverage here is on protection and mitigation of cyber-security threats to the following:
“Data at rest” ― i.e., data being stored.
“Data in motion” ― i.e., the transmission of data from one entity to another.
“Data at work” ― i.e., the use and processing of data.
The security management and configuration of the supporting infrastructure, e.g., including identification and access control.
Security of the manufactured product.
The roadmap focus is primarily on security within the factory facility with some additional comments on how to extend best practices, guidelines, and standards to enterprise- and ecosystem-level security.
Technical Needs, Gaps and Solutions
The technology issues surrounding cybersecurity, the associated needs, technology status of those needs, as well as gaps and challenges to overcome, are summarized below. The time period considered is from 2023 to 2033.
Technology Status Legend
For each need, the status of today’s technology is indicated by label and color as follows:
In-table color + label key | Description of Technology Status |
|---|---|
Solutions not known | Solutions not known at this time |
Solutions need optimization | Current solutions need optimization |
Solutions deployed or known | Solutions deployed or known today |
Not determined | To be determined (TBD) |
Definitions for “Gap,” “Challenge,” and “Current Technology Status” are below:
Term | Definition |
|---|---|
GAP | This is what is missing or what below in performance, in today’s technology, to meet the need for year X. |
CHALLENGE | Why is it difficult to meet the need in year X? Typically, this is some particular technical consequence of that need that is inherently difficult. |
CURRENT TECHNOLOGY STATUS in year X | How well does today’s technology and solutions meet the need in year X? |
Table 1. Smart Manufacturing Security Needs, Gaps, and Today’s Technology Status with Respect to Current and Future Needs
| ROADMAP TIMEFRAME | |||
TECHNOLOGY ISSUE | TODAY (2023) | 3 YEARS (2026) | 5 YEARS (2028) | 10 YEARS (2033) |
Security Management and Automation | ||||
NEED | Automated management of security processes and operations | |||
CURRENT TECHNOLOGY STATUS | Solutions need optimization | |||
GAP | Commonality of data models; application programming interfaces (APIs), and orchestration scripting is often proprietary. Disparate components exist that can help in the process. OpenConfig for network management exists but it is not explicitly used for security. | |||
CHALLENGE | Existence of manual “shadow IT”, i.e., ad hoc, bottoms-up deployment and management of security solutions. No standardization in place. Government regulation or buying power may force issue. | |||
NEED | User (i) authentication and (ii) authorization on factory floor. | |||
CURRENT TECHNOLOGY STATUS | Solutions need optimization | |||
GAP | ||||
Secure Data | ||||
NEED | Data at rest (i.e., when stored) For data being stored, it should be―
e.g., Cybersecurity Maturity Model Certification (CMMC)3, NIST Cybersecurity Framework (CSF) 2.04 in the U.S. | |||
CURRENT TECHNOLOGY STATUS | Solutions need optimization | |||
GAP | Dynamic securing of data depending on the customer’s security status | |||
CHALLENGES | Variety and scale of items whose data needs to be secured. | |||
CHALLENGES | Upstream promotion of security levels | |||
CHALLENGES | Loss of control when printing | |||
NEED | Data in motion (i.e., Security of transfer and validation of what is transferred) | |||
CURRENT TECHNOLOGY STATUS | Solutions not known | |||
GAPS | Simultaneous delivery of both transfer and validation | |||
CHALLENGES | Validation requires transparency, in contradiction to security of transmission | |||
CHALLENGES | Establishment of data brokers to support solution. | |||
NEED | Data at work (i.e., being processed) | |||
CURRENT TECHNOLOGY STATUS | Solutions need optimization | |||
GAP | Lack of authentication and access control for legacy equipment and industrial control protocols | |||
CHALLENGES | Legacy infrastructure. | |||
Product Security | ||||
NEED | Securing the components and products throughout the manufacturing process, ensuring product security service-level agreements (SLAs) are met (high-margin devices, such as medical devices) | Securing the components and products throughout the manufacturing process (mid-level-margin, e.g., automotive) | Securing the components and products throughout the manufacturing process (low-margin devices, e.g., consumer) | |
CURRENT TECHNOLOGY STATUS | Solutions need optimization | Solutions not known | Solutions not known | |
GAP | Not all components can hold a “root of trust” in an economic manner | Not all components can hold a “root of trust” due to design constraints | ||
CHALLENGE |
| Lack of compute and connectivity to support this | ||
Many of the issues identified and discussed above can be addressed through the adaptation and deployment of standard IT security solutions to the factory floor environment. Often this is more of a cultural and business challenge than a technical one. This is reflected in Table 2 below.
However, there are two outstanding technical challenges that require additional development, as follows:
There is a tension between securing data, e.g., during transmission, and its validation and use―the latter requires transparency at the cost of security.
Product security from design through to deployment is a major complex area beyond the scope here. However, even just ensuring product security in a smart manufacturing environment is increasingly difficult due to the wide variety of hardware and software components. In particular, building security measures into low-margin, high-volume products is often challenging due to design constraints.
Approaches to Address Needs, Gaps and Challenges
Table 2 considers approaches to address the above needs and challenges. The evolution of these is projected out over a 10-year timeframe using technology readiness levels (TRLs).
In-table color key | Range of Technology Readiness Levels | Description |
|---|---|---|
2 | TRL: 1 to 4 | Levels involving research |
6 | TRL: 5 to 7 | Levels involving development |
9 | TRL: 8 to 9 | Levels involving deployment |
Table 2. Security: Potential Solutions for the Factory Floor
|
| EXPECTED TRL LEVEL* | |||
TECHNOLOGY ISSUE | POTENTIAL SOLUTIONS | TODAY (2023) | 3 (2026) | 5 (2028) | 10 |
Security Management and Automation |
Vendor-specific implementation of automated management of security-related process and operations | 5 | 8 | 9 | 9 |
| Likely consolidation in the industry but will result in multiple centers of gravity. |
|
| ||
Standards for automated management of security-related process and operations | 4 | 6 | 8 | 9 | |
No standards in place. Government regulation or buying power may force issue. | Work amongst competing organizations and geo-dominated bodies begins. | Possible standards established through National Institute of Standards and Technology (NIST) or others like entities. Adoption likely fractured along incentivizing organizations. | Common standards compliance found in security tools. | ||
Secure Data | [Data at rest] Tools for automated classification, flagging and tagging | 7 | 9 | 9 | 9 |
[Data at rest] QR coding to hide info on paper | 8 | 9 | 9 | 9 | |
[Data in motion] Adapt and reuse defensible network design principles from highly automated and instrumented parts of the industry, e.g., front-end semiconductor fab | 8 | 8 | 9 | 9 | |
[Data in motion] Canaries5 to track data flows (end node is networked) | 7 | 7 | 9 | 9 | |
[Data in motion] Leak detection and sourcing tools | 6 | 7 | 9 | 9 | |
[Data at work] Adapt, reuse and expand existing IT security standards for software bill of material (SBOM) as applied to SW in manufacturing equipment | 8 | 8 | 8 | 9 | |
[Data at work] Adapt and reuse and expand existing IT security standards for SBOM as applied to SW components for products | 8 | 9 | 9 | 9 | |
Product Security | Expand trusted platform module (TPM) concepts of identity to components/parts, from equipment and computers | 6 | 8 | 9 | 9 |
Enterprise- and Ecosystem-Level Security
Securing “data in motion” is a primary concern. The need is to have complete validation of data flows both within an enterprise (logistics, manufacturing, test) and between enterprises (throughout the supply chain), while ensuring security of that data. The usual tension exists between visibility and security.
In-enterprise data flows also need complete traceability (e.g., establishing data provenance), through the organization, but also across the product lifecycle. Inter-enterprise flows have additional concerns about IP-leakage, especially through inference across a variety of data sources.
References
SEMI, “Specification for Cybersecurity of Fab Equipment,” SEMI E187-0122, 2022
SEMI, “Specification for Malware Free Equipment Integration,” SEMI E188-0222, 2022.
Chief Information Officier, U.S. Department of Defense, “CMMC Model”, https://dodcio.defense.gov/CMMC/Model/, 2023.
National Institute of Standards and Technology, “The NIST Cybersecurity Framework 2.0 (Draft)“, https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd, 2023.
Fortinet, “What is a Canary in Cybersecurity?”, https://www.fortinet.com/resources/cyberglossary/what-is-canary-in-cybersecurity, 2023.