Liu said that as these internal measures matured, “the focus expanded to securing what enters the fab environment,” adding that “strict inspection and validation processes were established for incoming equipment and devices, particularly those introduced by employees, contractors, or integration partners.” This step helped reduce the risk of inadvertently introducing threats into highly sensitive production areas.
Sources say companies came to recognize that effective cybersecurity must extend to the broader supply chain. Suppliers are now expected to demonstrate stronger security practices. This often involves completing structured questionnaires and undergoing external vulnerability scans to validate the maturity of their internal cybersecurity controls.
At the same time, there is growing awareness that securing the semiconductor industry requires collective action across the entire value chain, including manufacturers, equipment vendors and software providers.
Several major semiconductor firms have taken the lead in forming communities under the influential organization SEMI, formerly known as Semiconductor Equipment and Materials International. A notable example of this collaboration is the Taiwan Semiconductor Cybersecurity Committee, chaired by TSMC.
One notable outcome is the development of the SEMI E187 fab equipment cybersecurity specification. This landmark standard is tailored to the unique characteristics of semiconductor manufacturing environments, where equipment lifecycles often span decades and operational continuity is critical.
The standard has evolved into a key purchasing requirement for many leading manufacturers and is now enforced throughout their supply chains. The supply chain enforcement is real and growing, with E187 certification now a baseline expectation for OEMs supplying to global fabs.
TSMC’s contract now mandates it, and official reference guides firmly embed it into procurement criteria. Certification bodies, such as Bureau Veritas and Intertek, offer formal assessment services and structured paths toward compliance. Companies such as Gallant, Control, and Delta have already qualified, signaling the existence of structured, scalable compliance paths, not just voluntary guidance.
What began as a regional initiative has quickly grown into a global movement.
James Tu, TSMC’s head of corporate information security, outlined a vision to extend this cybersecurity uplift across the entire global semiconductor ecosystem during a talk at Semicon West in 2023. Tu plays a key role at SEMI’s Taiwan Cybersecurity Committee.
“Let us work together to enhance global supply chain security by influencing our own suppliers and partnering with SEMI,” he said. Tu stressed the need to influence TSMC’s suppliers, collaborate with SEMI, and support the committee’s members to create a ripple effect that boosts supply chain security broadly.
This vision ultimately led to the formation of the Semiconductor Manufacturing Cybersecurity Consortium, a global group dedicated to advancing cyber resilience across the semiconductor supply chain.
SMCC aims to unite chipmakers, equipment firms, cybersecurity vendors and nonprofits to safeguard semiconductor production from rising cyber threats. Its working groups focus on building implementation frameworks, aligning with global regulations and strengthening supply chain resilience. SMCC also monitors regulations such as the European Union’s Cyber Resilience Act.
In the past, each semiconductor fab required suppliers to complete its own cybersecurity questionnaire, which placed a heavy burden on suppliers who had to respond to numerous, varying assessments. SMCC consolidated expert input and developed a unified cybersecurity assessment questionnaire, serving as a standardized baseline for self-assessment and continuous improvement. This reduced the time and effort required from suppliers. SMCC also published the NIST Cybersecurity Framework 2.0 Semiconductor Profile.
During a February 2023 NIST workshop, then-Cybersecurity and Infrastructure Security Agency Director Jen Easterly applauded NIST’s work to update the framework. She and CISA had been pushing for the technology community to focus on “product safety” and “the idea that software and hardware must be secure by design and secure by default.” She said the framework had been useful to companies seeking out a clear and actionable foundation for implementation — especially one that aligns with globally recognized best practices.
This comes as the sector still faces a wave of cyber threats, with attackers targeting critical infrastructure, intellectual property, and production systems. Advanced persistent threats, ransomware and firmware-level attacks are becoming more sophisticated, often backed by nation-state actors.
Experts say that what distinguishes the semiconductor industry in its cybersecurity transformation is the ability to combine deep technical expertise with a collaborative, long-term plan that involves shared responsibility.
While not every industry operates with the semiconductor industry’s high level of complexity or automation, the principles are broadly applicable: Cybersecurity is no longer optional. It’s a foundational element of operational resilience and business trust.

