Introduction
The semiconductor manufacturing industry is the backbone of the digital global economy. In most cases the data generated in this industry is highly sensitive and if obtained by competitors and bad actors including adversary nations can cause grave damage to the reputation and investments in innovation done by the company.
In addition to the economic impact, data breaches in the semiconductor manufacturing industry could also have national security implications. This is because semiconductors are used in many critical infrastructure systems, such as telecommunications, transportation, and power grids.
As per latest report:
- 55% of integrated circuit (IC) manufacturers surveyed reported that they had encountered counterfeit versions of their products.
- According to the CNBC Global CFO council, representing some of the largest US companies in various sectors, it is found that 1 in 5 of US companies has been a victim of IP theft by foreign companies or state-owned enterprises and this is, according to the US IP Commission, costing $600 billion (USD) annually to the US economy.
- AMSC, formerly known as American Superconductor, Inc., estimated their losses in one instance of IP theft by a foreign country at over $550 million.
In 2022, the CHIPS act was put in place to ensure the United States has secure and reliable access to supply of semiconductors. To comply with the CHIPS Act, and other data security regulations, semiconductor manufacturing companies need to take several steps, including:
- Implementing strong access controls to protect sensitive data.
- Using encryption to protect data in transit and at rest.
- Conducting regular security assessments.
- Training employees on data security best practices.
We worked on a project to assess the sensitive content shared by several applications, identify risks, define policies and procedures, and implement a solution to mitigate the risks. The focus of the discussion today is to highlight how such a project may be undertaken and a step-by-step approach be followed to yield comprehensive results.
What are the Steps for implementing a sensitive data compliance project?
The goal is to identify, classify the sensitive information across the organization and to ensure that the data shared internally and externally was secure at rest as well as in transit.
1. Risk Assessment
The first step was to identify the sensitive data that is generated and used in the semiconductor manufacturing process. The data targeted for the assessment was related to drawings and specification documents created by the engineering department. The data repositories were identified, and the data storage and security processes were documented.
2. Policies and procedures
Once the sensitive data was identified, Netwoven worked with the client to develop policies and procedures for protecting the drawings and specification documents. The policies and procedures addressed the data classification, security, storage, backup, and encryption of data assets. Some of the policies we developed were to limit access to sensitive data only to the application accounts, applying encryption to the documents at rest and in motion, providing encrypted documents to external and internal users and retracting the access to the documents as needed. Some of the procedures we developed were onboarding external users, content marking of sensitive documents, RBAC on sensitive documents, employee and external user training requirements to handle sensitive documents, etc.
3. Implementation
Netwoven built the solution to protect the drawings and specification documents shared from 10 different applications with internal and external users. Based on the new procedures defined, Netwoven built automation for protecting the documents based on the metadata (ex. File type, Sensitivity classification, Visibility level etc.) provided by the source systems. Protecting the sensitive data for external users (suppliers and customers) was a challenge that required Netwoven to build a tiered application to manage the access controls for the external parties.
4. Training
Netwoven built training material to train client employees on the data compliance policies and procedures. This training covered the importance of data security, the risks of data breaches, and the consequences of non-compliance. Netwoven built a self-help portal that documented the FAQs, short videos on how-to work on a particular topic and store training documents for easy access.
5. Monitoring
Netwoven built several reporting solutions to collect, refine and build Dashboards based on the compliance log data collected by the tools. Some of the reports we developed were to show the document encryption progress, document access reports, Vulnerability assessment reports. Security Incident reports etc.
What are the tools and technologies used?
The solution was built using Microsoft Purview compliance tools including Sensitivity labels and encryption, Azure File shares and SharePoint Libraries to store sensitive data, Azure Synapse Analytics to move and run workflows on the content released by source systems and Azure functions to properly secure the Microsoft Purview application.
Conclusion
The aim of this article was to share our experience and the methodology we followed for a successful data protection and compliance project implemented in the semiconductor manufacturing environment. The nuances will lie in the correct identification and classification of sensitive data to start with. One needs to be particularly mindful about the usable labeling scheme, policies, and procedures without being disruptive to the business processes at work. The other aspects of adoption, governance, compliance, and reporting need to be in place hand in hand. The comprehensiveness is the key and I hope the discussion helps.
