Securing the Semiconductor Supply Chain Using the Cloud

A conversation with Deirdre Hanford, Chief Security Officer at Synopsys

Podcast | July 16, 2021

Fifty-two percent of manufacturers have seen a “significant increase” in cyber fraud during the pandemic, with the two most common attacks being ransomware and electronic payment fraud, according to a report from the Association of Certified Fraud Examiners. Deirdre Hanford, Chief Security Officer at Synopsys, a leader in electronic design automation (EDA), semiconductor IP, and application security testing tools and services, and David Pellerin, Head of Worldwide Business Development for Semiconductors at AWS, sat down with the AWS Industrial Insights team to discuss the security challenges in today’s supply chains. Examining the issue from the perspective of the semiconductor industry, they explain how to strengthen security throughout the supply chain by inspecting current security exposure, monitoring users accessing the network, and leveraging the cloud.

Semiconductor supply chains are highly stressed

AWS: Deirdre, what do you see as the biggest challenges in the semiconductor supply chain today?

Deirdre Hanford: Three things: confidentiality, integrity, and availability. We refer to these as CIA, and it translates to making sure that only the people who should be seeing certain design data or semiconductor manufacturing data get to see that data—making sure that that data isn’t compromised, and ensuring access to the data.

COVID has disrupted supply chains worldwide, microelectronics included. Simultaneously, we have seen a huge increase in demand from individuals needing more devices as they transitioned to working and learning from home, or deciding to upgrade their homes with smart electronics. And from businesses that have taken advantage of this time to accelerate their digital transformations. For instance, many companies have put industrial automation equipment on manufacturing floors, have accelerated moving to the cloud, and have taken advantage of big data analytics. All this has driven a surge in microelectronics. That’s the demand side.

Three Critical Determinants of Healthy Supply Chain Data

  1. Confidentiality: Only people who should see certain design or manufacturing data can
  2. Integrity: Data isn’t compromised
  3. Availability: Those who should have access to data do

Now, if we look at the supply side of this availability challenge and the CIA, there’s only a finite amount of microelectronics fabrication capability in the world, and those foundries—that is, semiconductor manufacturing plants—are booked at over 100 percent capacity right now. And that was further challenged by fires in some Japanese manufacturing plants and big winter storms in Texas. So, the availability of semiconductors is a significant problem today. Demand is high, and the supply is fundamentally constrained.

AWS: Dave, you meet with semiconductor customers from all over the world. Are you also seeing these trends?

David Pellerin: Yes, the supply challenges in semiconductors are impacting nearly everyone. The automotive industry is particularly challenged right now because vehicles have become rolling data centers, particularly next-generation autonomous vehicles. So, any glitch in the supply chain for, say, emissions control or airbags or infotainment can put a damper on production. We’re hearing from customers who are trying to figure out how to better forecast supply chain risks or semiconductor yields, to improve the supply of chips and the traceability and predictability of the supply chain.

Also, customers are trying to pivot much faster. If you’re creating a next-generation design for the automotive industry, how do you get that to market significantly faster? How do you ensure that you’re moving to zero-defect for the needs of these important automotive customers? So, it’s spurring new thinking around using the cloud for verification.

Deirdre Hanford: I’ve read that there’s a lot of excellence around just-in-time inventory in many industries. This has been seen in the PC hardware industry for a time now. The automotive industry has long prided itself in having just-in-time inventory, and now the entire industry is rethinking inventory management. So the semiconductor supply challenge has affected many businesses.

David Pellerin: Such a long and complex supply chain results in a need to carefully manage multiple sources to determine where and when you should be stocking excess inventory. When the demand signals and the supply chain are disrupted simultaneously, you’ll have some organizations overbuying and some underbuying, and the whole inventory balance goes out of whack.

Deirdre Hanford: And even though most of the foundries have announced that they’re adding manufacturing capacity, it takes time—at least a year, if not more—to bring on new fabrication capacity. So there are no immediate fixes.

Where bad actors get in

AWS: With all these players, there must be many different points of entry for bad actors.

Deirdre Hanford: Yes, microelectronics is an extremely disaggregated industry, meaning that across the supply chain, multiple parties are contributing, multiple hands are touching the design as it goes through the design process, manufacturing process, packaging, and is ultimately turned on in the field.

The confidentiality of the design has to be thought through as it goes through many parties, and the integrity of the design as well. This is a challenge for us as an industry. Recently, a foundry had a security breach when a software upgrade released malware. The confidentiality of the entire environment was compromised. In addition, with the tremendous supply challenge right now, bad actors can repackage old parts, slap a new label on them, and sell counterfeit devices, risking the integrity of any manufacturer incorporating those parts. Another security concern is a bad actor that inserts a trojan into a device, either debilitating it then or providing a backdoor for a bad actor when the part is deployed.

David Pellerin: At Amazon, we have chip development teams, we use Synopsys software, we have our chips fabbed at foundry partners, and we have intellectual property (IP) suppliers. We live this every day at Amazon in teams like Annapurna Labs that design data center chips. And we are working on how to collaborate more securely. For example, if we have developed a system on a chip or we’re working on a system on a chip, there will be intellectual property blocks or cores that we need to source from a third party such as ARM, or even Synopsys. And so, having a secure way to collaborate on that proprietary IP to customize, validate, and verify it is very important.

Collaboration is essential to solving complex problems

AWS: Can technology play a bigger role in securing the supply chain?

David Pellerin: Yes. The first step is to create an environment where you can segregate the data, to securely collaborate in a first-party and third-party way using a cloud-based chamber. A way to think about that kind of collaboration is to analyze manufacturing issues. So maybe you’ve got an outsourced assembly and test partner. You want to get some data off the test equipment and put it into a shared but carefully curated and protected data lake, so you can get at yield problems or maybe more quickly identify packaging issues.

We recently published a case study with Global Unichip, a Taiwan-based semiconductor firm that has IP for interfaces. They worked with one of our partners, proteanTecs, to improve 2.5D package reliability and provide reliable ways to repair those chips in the field using redundant lines in the chip interconnects. This is an example of how an end customer, working with Global Unichip, which is an IP provider, working with a foundry or an outsourced assembly and test partner, can get at the issues to create highly reliable chips.

We’re starting to see this kind of collaboration in all kinds of interesting ways, and we’re taking advantage of machine learning to get at some of these issues of reliability and traceability of IP through advanced analytics in the cloud. The cloud is a tremendous enabler for collaboration because you can quickly create highly secure environments, coupled with advanced analytics and the ability to scale quickly.

AWS: So, the cloud can help you overcome the security challenges?

Deirdre Hanford: The cloud can provide a very secure environment for this collaboration. You can see exactly who is accessing the data. You can understand if suddenly something looks anomalous, and you can take action and set up alerts. I think the pandemic has accelerated this collaboration, although AWS has certainly been a pioneer with its in-house work. I believe that cloud as a collaboration platform is here to stay, and Synopsys offers comprehensive cloud solutions that customers can leverage.

David Pellerin: Actually, our work with Synopsys helped pave the way. Synopsys is not just an EDA (electronic design automation) software vendor; it’s also a provider of IP that’s used in a wide variety of advanced chips, including Amazon’s. So, our ability to collaborate with partners like Synopsys and to move quickly to high-reliability products has been greatly enabled and dramatically accelerated by these cloud-based collaboration methods.

Benefitting from cloud security and scale

AWS: It sounds as though there are many advantages to secure collaboration, but how does an industrial company start?

Deirdre Hanford: The first and most important thing to do is to think about the threat landscape, to consider the work environment, where threats could come in and where data could go out, and to prioritize. You need a whole security framework and approach, but thinking about a threat actor and how to mitigate threats is where I would start.

That said, within our own environment, we’ve had challenges. Recently there was an industry-wide security issue, and almost every company managing a network had to assess its vulnerability in the situation, as did we. We learned that although we could quickly determine that we were not compromised, to answer our customers’ questions about their vulnerability, we had to check with our suppliers. We needed to understand our supply chain because, if I’m relying on third-party software in my network and maybe that’s a SaaS application, then I need to make sure that that vendor was not compromised because it may be managing data.

So, there’s a whole supply chain that impacts my ability to assert that I’ve not been affected by an issue. One of the things we learned early this year was the importance of understanding vendor, partner, and supplier spaces and knowing whether your suppliers have resilience and the ability to protect assets.

AWS: How do you choose the right partners in your supply chain? What do you look at when you’re evaluating them?

Deirdre Hanford: We have an internal process anytime we onboard a new vendor, and during vendor selection, we use third-party tools to assess a company’s security profile. When we onboard a new vendor, we consider whether the vendor will be touching employee or customer data or accessing our networks. Answers to those questions trigger a vetting process to ensure that the vendor can stand up to our processes and controls. It’s not unheard of for us to audit a vendor, particularly if we believe they will be accessing secure data.

My simple message here is that supply chain organizations and companies have gotten more sophisticated. Many companies—I’m sure AWS is one—have a rigorous supply chain management department, and they want to make sure that vendors are constantly improving their business and security processes. In security, everyone is on a journey. You’re never there, and it’s never perfect; you must always look for ways to enhance your security.

AWS: Dave, how can companies use the cloud as a secure environment for design, and what kind of use cases are you seeing with customers?

David Pellerin: Over the past few years, we have seen a significant shift in thinking among global semiconductor companies, large and small. The 2018 announcement by TSMC and the later announcement by Samsung around cloud enablement for design were watershed moments. The foundries that have some of the most critical IP in the industry, their process design kits or PDKs, were embracing and promoting the use of cloud for secure IC (integrated chip) design. It was a big deal from a security perspective. Because if a foundry, a pure-play foundry, wants more business in the future, it’s going to need semiconductor firms of all sizes—from smart startups to midsize to maybe systems companies that are getting into chip design as they vertically integrate—to operate in a secure way.

And what better way to do that than to embrace cloud-based infrastructure that is more predictable and can provide customized levels of security that are frankly very difficult for small- to medium-sized semiconductor companies to deploy themselves? Because, as Deirdre said, it’s a journey. You can’t just go out and buy some firewalls and some network infrastructure and maybe some security-rated software and call it good. You need to continually stay ahead of various attack vectors and to continually improve your security.

And that’s very hard if all you really want to do is design semiconductor chips. In the cloud, you’re benefiting from the scale and the breadth of customers in important industries—government, financial services, energy, life sciences, health care, and so on—that have their own security requirements. Even the smallest semiconductor company can benefit from that level of security, and I think the foundries have seen that. We’ve seen a significant shift in thinking to where the most secure IP can and should be located. And it really is in the cloud today. Silicon design and verification in cloud is becoming a necessity to meet faster time-to-market targets; AWS provides secure cloud solutions in collaboration with Synopsys.

About our guests

Deirdre Hanford
Chief Security Officer (CSO), Synopsys

In her role as Chief Security Officer at Synopsys, Deirdre works collaboratively to safeguard the organization. In addition, she leads efforts to drive industry awareness and enablement for secure design from software to silicon to support the business in EDA, IP and Software Integrity. She previously served as co-general manager of Synopsys’ Design Group, responsible for leading the development and deployment of the physical design, implementation, and analog/mixed-signal product lines. Deirdre earned a B.S.E.E. from Brown University and an M.S.E.E. from UC Berkeley. She currently chairs Brown University's Engineering Advisory Committee and serves on the Engineering Advisory Board for UC Berkeley's College of Engineering.

David Pellerin
Head of Worldwide Business Development for Semiconductors, AWS

David Pellerin serves as Head of Worldwide Business Development for Hitech/Semiconductor at Amazon Web Services. Prior to joining AWS, Mr. Pellerin had a career in electronic design automation and hardware-accelerated reconfigurable computing. He has experience with digital logic simulation and optimization, high-level synthesis, grid and cluster computing, and embedded systems for image, video, and network processing. He has published five Prentice Hall technical books.
