Cybersecurity has become imperative for chipmakers looking to protect their facilities and operations from rising threats. Otherwise, they are at risk of losing tens of millions of dollars from security incidents.
A single 12-inch wafer used in high-end applications — such as artificial intelligence, high-performance computing, or automotive chips — can be worth upwards of $20,000. If production is interrupted during critical stages, like photolithography or plasma etching, thousands of wafers may be damaged. This can result in significant losses from wasted materials, extended downtime, delayed shipments and diminished customer confidence.
On Aug. 3, 2018, a WannaCry variant affected Taiwan Semiconductor Manufacturing Co., disrupting both computer systems and manufacturing tools at multiple facilities in Taiwan. Several fabrication plants were forced to halt production, and it took three days to recover approximately 80% of the affected equipment. In a 2018 report, TSMC said the virus led to nearly $84 million in losses for the third quarter.
While some in the industry have disputed his views, TSMC CEO C.C. Wei said at the time that he didn’t expect any hacking and that “this was purely our negligence.” A company spokesperson told Bank Info Security at the time that “this tool arrived at our facility with a virus already on it.”
The key lesson from this incident extended well beyond strengthening cybersecurity through technologies and processes. It underscored how critical security guidelines and successful implementation are across the chipmaking ecosystem.
In the years that followed, semiconductor fabs systematically enhanced their cybersecurity posture through a three-stage, inside-out approach: securing operational environments, inspecting inbound devices and reinforcing supply chain cybersecurity. Further incidents have happened in the years since and the industry has made a coordinated effort, led by a consortium, to bolster its work through initiatives such as a new security standard.
A growing issue
Terence Liu, CEO of Taiwan-based cybersecurity firm TXOne Networks, has had a tough job over the past decade. As a key provider for TSMC, TXOne purpose-built its software and hardware to protect critical infrastructure in more than a dozen countries.
Initial efforts focused on safeguarding internal operations. This included protecting critical production systems through network segmentation, endpoint protection and virtual patching to reduce exposure to known vulnerabilities.
Liu said that as these internal measures matured, “the focus expanded to securing what enters the fab environment,” adding that “strict inspection and validation processes were established for incoming equipment and devices, particularly those introduced by employees, contractors, or integration partners.” This step helped reduce the risk of inadvertently introducing threats into highly sensitive production areas.
Sources say companies came to recognize that effective cybersecurity must extend to the broader supply chain. Suppliers are now expected to demonstrate stronger security practices. This often involves completing structured questionnaires and undergoing external vulnerability scans to validate the maturity of their internal cybersecurity controls.
At the same time, there is growing awareness that securing the semiconductor industry requires collective action across the entire value chain, including manufacturers, equipment vendors and software providers.
Several major semiconductor firms have taken the lead in forming communities under the influential organization SEMI, formerly known as Semiconductor Equipment and Materials International. A notable example of this collaboration is the Taiwan Semiconductor Cybersecurity Committee, chaired by TSMC.
One notable outcome is the development of the SEMI E187 fab equipment cybersecurity specification. This landmark standard is tailored to the unique characteristics of semiconductor manufacturing environments, where equipment lifecycles often span decades and operational continuity is critical.
The standard has evolved into a key purchasing requirement for many leading manufacturers and is now enforced throughout their supply chains. This enforcement is real and growing, with E187 certification now a baseline expectation for OEMs supplying global fabs.
TSMC’s contract now mandates it, and official reference guides firmly embed it into procurement criteria. Certification bodies, such as Bureau Veritas and Intertek, offer formal assessment services and structured paths toward compliance. Companies such as Gallant, Control, and Delta have already qualified, signaling the existence of structured, scalable compliance paths, not just voluntary guidance.
Looking ahead
What began as a regional initiative has quickly grown into a global movement.
James Tu, TSMC’s head of corporate information security, outlined a vision to extend this cybersecurity uplift across the entire global semiconductor ecosystem during a talk at Semicon West in 2023. Tu plays a key role at SEMI’s Taiwan Cybersecurity Committee.
“Let us work together to enhance global supply chain security by influencing our own suppliers and partnering with SEMI,” he said. Tu stressed the need to influence TSMC’s suppliers, collaborate with SEMI, and support the committee’s members to create a ripple effect that boosts supply chain security broadly.
This vision ultimately led to the formation of the Semiconductor Manufacturing Cybersecurity Consortium, a global group dedicated to advancing cyber resilience across the semiconductor supply chain.
SMCC aims to unite chipmakers, equipment firms, cybersecurity vendors and nonprofits to safeguard semiconductor production from rising cyber threats. Its working groups focus on building implementation frameworks, aligning with global regulations and strengthening supply chain resilience. SMCC also monitors regulations such as the European Union’s Cyber Resilience Act.
In the past, each semiconductor fab required suppliers to complete its own cybersecurity questionnaire, which placed a heavy burden on suppliers who had to respond to numerous, varying assessments. SMCC consolidated expert input and developed a unified cybersecurity assessment questionnaire, serving as a standardized baseline for self-assessment and continuous improvement. This reduced the time and effort required from suppliers. SMCC also published the NIST Cybersecurity Framework 2.0 Semiconductor Profile.
During a February 2023 NIST workshop, then-Cybersecurity and Infrastructure Security Agency Director Jen Easterly applauded NIST’s work to update the framework. She and CISA had been pushing for the technology community to focus on “product safety” and “the idea that software and hardware must be secure by design and secure by default.” She said the framework had been useful to companies seeking out a clear and actionable foundation for implementation — especially one that aligns with globally recognized best practices.
This comes as the sector still faces a wave of cyber threats, with attackers targeting critical infrastructure, intellectual property, and production systems. Advanced persistent threats, ransomware and firmware-level attacks are becoming more sophisticated, often backed by nation-state actors.
Experts say that what distinguishes the semiconductor industry in its cybersecurity transformation is the ability to combine deep technical expertise with a collaborative, long-term plan that involves shared responsibility.
While not every industry operates with the semiconductor industry’s high level of complexity or automation, the principles are broadly applicable: Cybersecurity is no longer optional. It’s a foundational element of operational resilience and business trust.
As TXOne Networks’ Liu likes to emphasize, “strong [operational technology] security not only protects production but also safeguards long-term competitiveness.”