Data and IP Security: Hot Topics at APC 2019 Conference
By David Lammers
As semiconductor manufacturing moves into a “cyber-physical” era of smart manufacturing, providing data security in shared data environments such as cloud-based computing is proving to be an ongoing challenge.
Semiconductor manufacturers of all shapes and sizes face a similar dilemma: how to quickly solve problems and shorten time to market while climbing the yield curve faster than rivals. To do that, teams of people with a variety of skills must collaborate on problem solving, ensuring that costly assets are up and running. Collaborating with suppliers in the cloud seems to be a cost-effective solution, provided that sensitive data and associated intellectual property (IP) are protected from hackers, competitors, or even suppliers who are providing solutions for multiple customers.
At the Advanced Process Control (APC) Conference held in San Antonio, Texas, in late October 2019, technologists and managers grappled with the challenge of providing security for IP and streams of tool data that must be filtered and analyzed (figure 1).
Figure 1. Smart manufacturing integrates human expertise with advanced analytics applications, digital twins, the supply chain, and cloud computing. (Source: James Moyne, Applied Materials)
James Moyne, an associate professor at the University of Michigan and a consultant to the Advanced Services Group at Applied Global Services (AGS), said using the cloud for remote data analysis is “most useful, especially during the early offline solution development, when collaboration with suppliers is essential. But we make the cloud seem like such a mysterious thing, when really it is just a place with a lot of memory and computing power.”
A survey conducted at the APC meeting showed that relatively few companies are currently using the cloud for manufacturing, even though several speakers asserted that major cloud vendors can provide better security than many device makers (especially smaller ones) can with in-house data security capabilities. Part of the problem is in the definition of "security." While cloud vendors are providing solutions for data encryption and hacker security, the actual concern is with data partitioning and IP security.
Presenting at the APC Conference, Vinh Nguyen, director of Information Technology Manufacturing Systems at Qorvo, Inc. (Hillsboro, Oregon), described a data analysis effort—involving 35 process tools with up to 1 Hz data rates—using cloud-based vendor Amazon Web Services (AWS). "The biggest issue was how to make sure that information security was being provided. We concluded that by going to the cloud, we were taking advantage of the best experts available. We felt the security they provided was more reliable than that of an in-house system."
The cloud vendor was able to deliver machine learning (ML) expertise to analyze tool data. "We do not have the internal skills to install an in-house ML system. We are not the experts on machine learning, and we would have had to try to hire at least two experts," Nguyen said.
Data Sharing Risks
Doug Suerich, product evangelist at Peer Group (Kitchener, Canada), said the largest semiconductor manufacturers face "a very tough time" as they seek to collaborate with equipment and materials vendors, while avoiding the malware that has impacted semiconductor manufacturers in recent months.
"We are in a new world," Suerich said, one in which "any computer network is in danger of attack," even as some companies engage in data sharing with partners. "There has always been a risk in sharing data, but many times companies screw up by getting lazy on the [security] basics," Suerich said at the APC meeting. For example, the login page that semiconductor companies often use presents "a very small attack surface" to hackers, while cloud vendors have well-protected login procedures "which are monitored around the clock, seven days a week." Other entry points for hackers are wireless access points for printers and poor computer information system (CIS) controls.
"The reality is that the internal security that companies have is often not better than the security in the cloud, where they have the scripts, the people, and the experience to know when data is vulnerable to attack," Suerich said, describing the security experts at AWS and Microsoft’s Azure as "the Green Berets of data security."
While costs for cloud services can be attractive, those companies are searching for profits as well. Suerich said commercial cloud vendors can spread out the costs of electricity, the expense of upgrading server CPUs to gain 10% in performance, and other costs. "The cloud vendors have lower costs, higher security, and scalability. If HPC [high performance computing] is needed, the customer can buy it."
Others pointed out that over the long term, large companies may be able to match the commercial cloud vendors on cost and feel more secure by keeping data closely held in corporate-controlled data centers.
Some end-customers demand that data be stored for long periods, particularly if they sell to the automotive and other reliability-critical markets. For others, the main goal is to quickly filter and analyze streams of data. Suerich said that "instead of a database, some companies want to be able to act on data as it streams through on and on." Cloud vendors have tools that can convert the variety of types of data coming from fab tools into forms that can be analyzed quickly (figure 2).
Figure 2. Fault detection and classification (FDC) and predictive techniques such as predictive scheduling and maintenance will be key components of smart manufacturing. (Source: J. Moyne and S. Banna, Applied Materials, APC Conference, October 2019)
"Every tool generates different sets of data, often in different formats. The cloud vendors have the tools to filter this data within the cloud, putting it into a standard format. They have experts who say, 'I’m here to help you,'" Suerich said.
Data Security For the Back End
Currently, smaller companies are more likely to adopt commercial cloud services than the largest IC manufacturers, who can create their own in-house networks, said Bill Pierson, vice president of Semiconductors and Manufacturing at Kx Systems Inc. (Palo Alto, California), a database company that has partnered with Applied Materials and others. Pierson said concerns with using the cloud for online operations are security and data latency, especially with large data volumes. Those issues cause many companies to maintain those time-critical APC analyses on local in-house data management systems.
"The cloud is being used now by smaller companies. The large semiconductor manufacturers have their own private clouds" and are not likely to use the commercial cloud vendors, according to Pierson, who earlier worked as an engineer at Samsung Semiconductor, ASML, and others.
Pierson said one challenge with using the cloud for online operations is data latency, which can cause many companies to do those time-critical analyses—which raise immediate alarms when a fault is detected—on in-house data management resources. Moyne said his research group at the University of Michigan has managed to get cloud analysis roundtrip latencies down to the 1-second range for certain applications, which he called "pseudo realtime" control.
Christopher Reeves, the global product manager for AGS’s SmartFactory™ control and productivity software technology, presented work done in collaboration with Pierson’s group at Kx Systems (figure 3). After an evaluation process, Reeves said Applied Materials determined that the Kx time-series database, called kdb+, was best structured to handle time-series data analysis with "much higher query speeds."
Figure 3. A relatively small fab with 30,000 wafer starts per month can generate a petabyte of data annually. And the total amount of data triples with each node. (Source: VLSI Research and Applied Materials)
Reeves said Applied is teaming with assembly and test companies who need to assure customers of zero defects for products aimed at automotive, medical, and other safety-conscious markets. "While back end and front end have very similar requirements in terms of data content, back-end factories face challenges due to their need for high frequency data collection and management of huge data sets," Reeves said, noting that "assembly houses can have upwards of a thousand wire bonders in operation, creating petabytes of data."
SEMI Standards Needed
Moyne and several other speakers at the APC meeting said the semiconductor industry needs to develop SEMI data security standards. One goal is to delineate different levels of security access and classifications of data, sorting out the most sensitive recipe data from other types of information (figure 4). One approach, Moyne said, would be to identify, for example, the Level 0 access for data requiring the tightest restrictions. Level 3 access might be used for data that could go in the cloud. Semiconductor manufacturers and their suppliers could engage in “an interactive process” to identify the levels of access and classify data-types, such as tool log versus recipe data.
Figure 4. Data is generated in many ways—from sensors on tools, the subfab, the environment, and other sources. Getting all the data required, in the correct format, is a challenge for smart manufacturing. (Source: C. Reeves, Applied Materials; APC 2019 Conference)
Suerich said that classifying data can be "very tedious and prone to error. This is where SEMI standards could help us with the language. We need a combination of content and context, where the subfab could be the context, for example."
The APC meeting participants also discussed methods of encryption, data translation, and other security-related topics such as how to "normalize" data so that the exact values are not revealed, but the context and data relationships are maintained.
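One simple form of the normalization mentioned above, shown as an added example that does not come from the conference or any vendor: each sensor channel is z-scored before it is shared, and the mean and standard deviation stay in-house. The trace values, channel names and the 2.0-sigma limit are constructed assumptions.

```python
import statistics

# Constructed 10-sample traces for two hypothetical etch-chamber channels.
RF_POWER_W = [1500.2, 1499.8, 1500.5, 1500.1, 1499.9,
              1500.3, 1512.0, 1500.0, 1499.7, 1500.4]
PRESSURE_MTORR = [20.01, 19.98, 20.03, 20.00, 19.99,
                  20.02, 20.60, 20.00, 19.97, 20.02]

def normalize(values):
    """Z-score one channel; the returned params never leave the fab."""
    mean = statistics.fmean(values)
    stdev = statistics.pstdev(values)
    if stdev == 0:
        raise ValueError("constant trace carries no shape to share")
    return [(v - mean) / stdev for v in values], (mean, stdev)

def denormalize(z_scores, params):
    """In-house only: map shared z-scores back to engineering units."""
    mean, stdev = params
    return [z * stdev + mean for z in z_scores]

def pearson(xs, ys):
    """Correlation between two channels (the 'data relationship')."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5

def excursions(z_scores, limit=2.0):
    """Sample indices deviating more than the assumed limit, in sigma units."""
    return [i for i, z in enumerate(z_scores) if abs(z) > limit]

if __name__ == "__main__":
    z_rf, rf_params = normalize(RF_POWER_W)
    z_pr, _ = normalize(PRESSURE_MTORR)
    print("shared RF trace:", [round(z, 2) for z in z_rf])
    print("correlation raw / shared:",
          pearson(RF_POWER_W, PRESSURE_MTORR), pearson(z_rf, z_pr))
    print("excursion samples:", excursions(z_rf), excursions(z_pr))
    # Caveat: z-scoring hides setpoints and units but leaves the trace
    # shape visible; it is masking, not encryption.
```

The supplier working on the shared traces sees the same cross-channel correlation and the same excursion sample as the fab does, but not the setpoints.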
A particular challenge is that engineers who understand semiconductor manufacturing and process control usually do not also have expertise in security and data protection. Bill Montgomery, a process engineer at Northrop Grumman (Baltimore, Maryland), said that "we need a team of people because no one can understand everything" about such an interdisciplinary problem as data security.
Dave Gross, senior director of IT and Manufacturing Technology at Skywater Technology Foundry (Bloomington, Minnesota), suggested that chip manufacturers could benefit from studying the security standards developed by the National Institute of Standards and Technology (NIST).
"Sharing data with other people in the cloud is complicated," Gross said, but the effort can be made easier by data governance agreements. The NIST standard 800-171 for Protecting Controlled Unclassified Information "could be a starting point," he said.