Data Security Considerations relating to Fab Ecosystems

Subject: Abstract for Semicon West 2025

Author/Presenter: Nijaz Velic & Richard Morris

Affiliation: Creates, Albany, NY

Presentation Title: Data Security Considerations Relating to Fab Ecosystems

Abstract Details:
In the semiconductor manufacturing and related ecosystem, reliance on data integration, data-movement, volumetric data repositories, and data collaboration demands comprehensive and appropriate data security approaches. Each of these data types, if compromised, can lead to catastrophic outcomes, including intellectual property (IP) theft, product sabotage, process disruptions, and even long-term strategic disadvantages for entire nations. In recent years, nation-state actors and cybercriminal organizations have increasingly targeted semiconductor firms, driven by the high value of their data and the geopolitical importance of their products. Proactively protecting our data has never been more important in this industry. What are the major security threats in fabs and related environments and how do we eliminate, avoid, or reduce our risks? Unlike typical enterprise IT environments, semiconductor manufacturing involves complex, multi-vendor ecosystems with sensitive IP, highly specialized equipment, and operational technology (OT) networks that are often less secure than regular corporate networks. This convergence of IT and OT infrastructures presents a growing attack surface vulnerable to both insider and external threats. This presentation will offer a structured analysis of key data security threats in the semiconductor fab environment, including espionage targeting design IP, layout files, and process technology as well as malware and ransomware infections that compromise engineering workstations, data infrastructure, and production scheduling systems. Other data security threats include unauthorized access to fab data via compromised vendor accounts or insecure remote maintenance tools; insider threats from employees, contractors, or disgruntled engineers with access to sensitive process knowledge; and insecure integration of artificial intelligence (AI)/machine learning (ML) tools and digital twin platforms that inadvertently expose production telemetry and models to external networks. How are these threats evolving, and where do the semiconductor industry’s current defenses fall short? Emphasis will be placed on data flow mapping within fab related environments, identifying high-risk data aggregation points, collaboration projects, and assessing how legacy OT infrastructure complicates modern cybersecurity practices, such as network segmentation and zero-trust enforcement. The presentation will touch upon security frameworks and best practices including data classification and tagging for better governance of critical assets; deploying secure enclaves and data loss prevention (DLP) tools in design and fab environments; and adopting identity-based access control and continuous monitoring across IT and OT boundaries. Other security frameworks and best practices include enhancing collaboration between cybersecurity, process engineering, and vendor management teams; comprehensive monitoring, alerting, reporting and review; and baselining and establishing security compliance requirements. Finally, the session will address the role of policy and regulation, such as collaborative policies, export controls, trusted foundry programs, and government-led cybersecurity initiatives, in shaping the industry’s risk posture and response readiness. As semiconductor manufacturing becomes a strategic asset in the global technology race, securing its data pipelines is no longer a technical concern alone—it is a matter of economic and national security.