How to Secure a Semiconductor Fab
What you'll learn:
- Why semiconductor fabs are turning into targets for cyber threats, and the cost of downtime due to such security breaches.
- How to stop adversaries from moving around the factory floor after they have infiltrated a single piece of equipment.
- How to protect un-patchable legacy equipment and other critical tools that are uniquely vulnerable to cyber threats.
- Where to apply zero-trust principles to monitor and control privileged vendor access for maintenance.
- How to secure data transfers and removable media such as USBs to mitigate human error and insider threats.
Semiconductor fabs form the backbone of the global technology supply chain. But as these facilities take on the role of critical infrastructure, they’re turning into prime targets for cyber threats. For chipmakers, the stakes of staying online are high.
Downtime in a large fab can cost millions of dollars per hour, and any production disruption can send ripples around the world. The situation is getting more complicated as chips and the fabs where they’re made emerge as a focal point of geopolitical competition.
In response to these risks, the chip industry is rethinking how to secure these facilities. Industry groups and governments are building frameworks to help secure the operational technology (OT) in fabs — the gear that monitors and controls the chipmaking process.
In late 2023, SEMI released a blueprint for doing that: the Cybersecurity Reference Architecture for Semiconductor Manufacturing Environments (version 1.0). It outlines how chip firms can apply “zero-trust” and “defense-in-depth” principles directly to their operations.
Building on this momentum, Japan’s Ministry of Economy, Trade, and Industry (METI) released version 1.0 of the OT Security Guidelines for Semiconductor Device Factories in October 2025. These guidelines reference the SEMI architecture and align with SEMI E187/E188 standards and the NIST Cybersecurity Framework 2.0. METI has indicated that these security guidelines may become requirements for investment promotion policies, giving foundries a financial incentive for compliance.
There are several practical solutions — what I refer to as “security pillars” — that companies can implement in fabs today to align with this global movement and secure their factory floors. These include network micro-segmentation, legacy equipment protection, and privileged access governance.
Why the Fab Floor Demands a Special Approach to Security
Semiconductor fabs operate under unique conditions that demand continuous uptime and precision. Security controls must be carefully designed to protect critical assets without disrupting sensitive, high-volume production.
Many tools run around the clock for years without stopping, often on operating systems that vendors no longer patch. At the same time, factory automation requires seamless connectivity across thousands of endpoints, from lithography tools to material handling systems.
This environment creates a broad attack surface defined by complex networks, unprotected legacy assets, and unmanaged vendor accounts. Incidents in other sectors, like the ransomware attacks at Norsk Hydro and JBS, show how operational downtime can inflict lasting financial and reputational damage. For fabs, where each wafer lot contains irreplaceable intellectual property, the risks are exponentially higher.
The First Pillar: Micro-Segmentation to Limit the Scale of Hacks
Broad and interconnected OT networks allow adversaries to move laterally — as in, from one piece of equipment to another — with ease once a single asset is compromised. Micro-segmentation is a powerful countermeasure that divides the network into smaller, isolated security zones and strictly controls the communication between them.
To implement it effectively, fabs should first define security zones for process areas like lithography, etching, metrology, automated material handling systems (AMHS), and facility monitoring and control systems (FMCS), documenting all approved data flows. Next, enforce default-deny policies at zone boundaries, permitting only verified protocols and connections to pass. Applying virtual patching or intrusion prevention systems at these boundaries can also block known exploits targeting unpatched devices.
Finally, building in resilience with hardware bypass and redundant connections ensures that production continues smoothly during maintenance or a device failure. The result is greater production stability and drastically shorter incident recovery times.
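To make the zone-and-flow model above concrete, here is an added example (not from the article, SEMI or METI) of a default-deny boundary policy: zones follow the process areas named above, while the MES zone, the ports and the approved flows are constructed assumptions, and the sample records stand in for what a segmentation gateway would log.

```python
# Added example (not from the article or SEMI/METI): a default-deny
# zone-boundary policy for fab process areas. Zone names follow the
# article; the MES zone, ports and flows are constructed assumptions.
from dataclasses import dataclass

ZONES = {"lithography", "etching", "metrology", "amhs", "fmcs", "mes"}

@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone of the connection initiator
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int

# Documented, approved cross-zone flows. Anything not listed is denied,
# including the reverse direction of a listed flow.
APPROVED = {
    Flow("mes", "lithography", "tcp", 5000),
    Flow("mes", "etching", "tcp", 5000),
    Flow("mes", "metrology", "tcp", 5000),
    Flow("mes", "amhs", "tcp", 5000),
    Flow("fmcs", "mes", "tcp", 8443),
}

def evaluate(flow: Flow) -> str:
    """'allow' only for a documented flow; undefined zones are always denied.
    Traffic that stays inside one zone is outside the boundary policy."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return "deny"
    if flow.src_zone == flow.dst_zone:
        return "intra-zone"
    return "allow" if flow in APPROVED else "deny"

def audit(records):
    """Evaluate observed (src, dst, proto, port) records; return verdict
    counts plus the denied flows so they can be reviewed or documented."""
    counts = {"allow": 0, "deny": 0, "intra-zone": 0}
    denied = []
    for src, dst, proto, port in records:
        f = Flow(src, dst, proto, port)
        v = evaluate(f)
        counts[v] += 1
        if v == "deny":
            denied.append(f)
    return counts, denied

# Constructed sample of boundary traffic as a gateway would log it.
SAMPLE = [
    ("mes", "lithography", "tcp", 5000),     # approved recipe/status link
    ("lithography", "etching", "tcp", 445),  # tool-to-tool, undocumented: deny
    ("etching", "etching", "tcp", 5000),     # stays inside one zone
    ("corp-it", "metrology", "tcp", 3389),   # zone not defined: deny
]
```

Running `audit(SAMPLE)` yields one allowed, one intra-zone and two denied records; the denied list is the input for deciding whether a flow should be documented and approved or blocked for good.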
The Second Pillar: Protecting Indispensable Legacy Equipment
Legacy systems are often the most sensitive and vulnerable assets on the fab floor. Many essential tools still run on Windows XP, Windows 2000, or proprietary controllers that are no longer updated but remain vital for production.
Because patching isn’t an option, protection must focus on lockdown and control. Fabs can use application whitelisting to ensure only approved binaries and processes can run. This should be combined with endpoint hardening measures, such as enabling write protection, restricting the use of USBs and other removable media, and preventing unauthorized DLL injections.
For offline equipment, updates should be done using controlled portable media or local consoles, removing dependencies on cloud connectivity.
By taking these steps, fabs can keep critical legacy assets secure and operational without undertaking costly and disruptive replacement projects, making it far more difficult for attackers to use these systems as an entry point.
The Third Pillar: Tight Restrictions on Who Can Access What in the Fab
Fabs depend on a global network of equipment vendors and service partners for essential maintenance. While necessary, this external access introduces risk. With the right controls, though, vendor access can be both efficient and secure.
The key is applying zero-trust principles to all vendor accounts. Access should be managed through secure gateways or jump servers and granted on a time-bound and purpose-specific basis.
For scheduled maintenance, fabs can provide just-in-time access, with credentials that automatically expire once the window closes. To ensure accountability, all vendor sessions should be monitored and recorded to create a clear, auditable log of every action taken.
By implementing these controls, fabs can give vendors the access they need while retaining full visibility and assurance that privileges won’t be abused.
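The time-bound, purpose-specific access and session recording described above, modeled as an added example that is not the article's or any vendor's code; the jump-server logic, vendor, tool and ticket names are constructed for illustration.

```python
# Added example (not the article's or any vendor's code): just-in-time,
# purpose-bound vendor access through a jump server, with an audit log.
# Vendor, tool and ticket names are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Grant:
    vendor: str
    tool: str
    purpose: str        # maintenance ticket the access is scoped to
    start: datetime
    end: datetime       # credentials stop working at this instant

@dataclass
class JumpServer:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, vendor, tool, purpose, start, hours):
        g = Grant(vendor, tool, purpose, start, start + timedelta(hours=hours))
        self.grants.append(g)
        return g

    def connect(self, vendor, tool, purpose, now):
        """Allow only an unexpired grant matching vendor, tool AND purpose.
        Every attempt, allowed or denied, is written to the audit log."""
        for g in self.grants:
            if (g.vendor, g.tool, g.purpose) == (vendor, tool, purpose) \
                    and g.start <= now < g.end:
                self.audit_log.append((now, vendor, tool, purpose, "ALLOW"))
                return True
        self.audit_log.append((now, vendor, tool, purpose, "DENY"))
        return False

    def record_action(self, vendor, tool, now, action):
        # Session recording: each action taken during an allowed session
        self.audit_log.append((now, vendor, tool, action, "ACTION"))

def demo():
    """Walk one constructed maintenance window; returns verdicts and the log."""
    js = JumpServer()
    t0 = datetime(2025, 10, 6, 8, 0)
    js.grant("vendor-a", "litho-01", "TICKET-1234", t0, hours=4)
    h = timedelta(hours=1)
    ok = js.connect("vendor-a", "litho-01", "TICKET-1234", t0 + h)
    js.record_action("vendor-a", "litho-01", t0 + h, "firmware version check")
    wrong_tool = js.connect("vendor-a", "etch-02", "TICKET-1234", t0 + h)
    expired = js.connect("vendor-a", "litho-01", "TICKET-1234", t0 + 5 * h)
    return ok, wrong_tool, expired, js.audit_log
```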
The Fourth Pillar: Reducing the Risks of Human Error and Insider Threats
Daily operations on the fab floor — from transferring recipes with a USB stick to downloading software updates — are essential for production. However, these routine data exchanges, often carried out by well-intentioned employees to achieve production goals, represent a major threat vector. Each transfer is an opportunity for malware injection or the exfiltration of valuable intellectual property, turning innocent actions into significant security risks.
The solution is to establish strict, secure channels for all data movement. This starts with a default-deny posture for outbound data transfers, permitting only explicitly approved exports through controlled, encrypted channels. For physical media, which remains common for updating air-gapped or legacy tools, fabs must harden all tool I/O ports. They also must enforce a strict policy of scanning all removable media at a dedicated kiosk before it can be used on the production network.
Similarly, all software updates should be managed through secure gateways that verify file integrity before they enter the OT environment. These controls safeguard intellectual property and prevent malware from entering the fab through seemingly routine, everyday actions.
Building and Rebuilding Security into the Fab Over Time
The new frameworks from SEMI and METI emphasize that security isn’t a one-time investment. It needs to be updated throughout the lifecycle of the fab. Some of the most important practices include:
- Conducting pre-move-in checks for all new tools, including malware scans and patch verification, with evidence reports.
- Enforcing default-deny configurations in tool firewalls and integration points.
- Performing weekly vulnerability assessments and maintaining a real-time asset inventory to have a constant pulse on the security posture.
- Integrating OT security telemetry into enterprise SIEM and XDR platforms to create a unified IT-OT incident response capability.
In the end, securing a fab requires OT-aware strategies that align with operational realities. The pillars of micro-segmentation, legacy protection, and controlled vendor access provide a resilient defense.
By adopting the SEMI Cybersecurity Reference Architecture and aligning with the new METI guidelines, fabs can stay on top of rising industry standards, customer expectations, and government demands. More importantly, they keep their production lines running smoothly.
In the high-stakes world of chipmaking, security isn’t just a technical discipline — it’s the foundation for safe, stable, and continuously productive operations.
About the Author

Steven Hsu
Vice President, Evangelism, TXOne Networks
Steven Hsu has over 27 years of experience at the intersection of cybersecurity, software development, and quality management. His career includes leadership roles in engineering, product planning, and global business development, most notably as Senior Director at Trend Micro. Today, he focuses on cybersecurity management frameworks and strategic planning, helping organizations implement practical approaches to security.