The semiconductor industry finally has its own cybersecurity standards, and if you build, buy, or operate fab equipment, they already apply to you. Here is what SEMI E187, E188, and E191 require, in plain language, and what to do about them before the next audit.
The semiconductor industry spent a long time assuming its fabs were air-gapped enough, proprietary enough, and important enough that the cybersecurity problems of process industries did not quite apply. A handful of well-publicised incidents later, and under pressure from both customers and regulators, the industry has its own set of cybersecurity standards.
If you build, buy, or operate fab equipment, SEMI E187, E188, and E191 apply to you. Here is what each one actually requires, in plain language.
SEMI E187: Cybersecurity for Fab Equipment
What it is. The baseline. SEMI E187 (first released 2022, updated since) specifies cybersecurity requirements that new fab equipment should meet when it is shipped and installed.
Who it applies to. Equipment suppliers first. Fab operators who procure equipment, second, because you will need to specify E187 compliance in your POs.
The core requirements, grouped:
- Operating systems. Shipping equipment on unsupported OSes is not acceptable. E187 requires a plan for OS support through the equipment’s service life, including update paths for when an OS version reaches end-of-support.
- Network security. Equipment must support secure communication, including authentication on management interfaces, support for encrypted protocols, and the ability to be deployed in a segmented network.
- Endpoint protection. Anti-malware capability, or a documented reason why it is infeasible, plus compensating controls.
- Access control. Individual accounts, not shared ones. Ability to revoke access without replacing the whole equipment login. Audit logging of privileged actions.
- Security monitoring. Equipment must emit logs that a SOC can actually ingest (standardised formats, useful content).
- Vulnerability handling. A documented process from the supplier for disclosing, patching, and communicating vulnerabilities.
What to do if you are a fab. Add E187 compliance to your procurement specifications. For existing equipment, request a compliance gap statement from the vendor. Plan retrofit projects for the gaps that matter most.
What to do if you are an equipment supplier. You need a product cybersecurity program. Design, development, testing, incident response, end-of-life. Each stage has E187 implications. This is not a documentation exercise; the internal engineering changes are real.
SEMI E188: Malware-Free Equipment Integration
What it is. A standard for the process of installing new equipment into a fab without introducing malware during the installation.
Who it applies to. Anyone touching a fab during an equipment install: suppliers, integrators, field service engineers, third-party contractors.
Why it exists. Multiple real incidents have started with infected USB drives brought onsite by field engineers, or infected service laptops connected directly to a tool during commissioning. E188 formalises a workflow to prevent that.
Key requirements:
- Equipment entering the fab must be scanned for malware before network connection, to a documented standard (which includes keeping scanners up to date).
- Portable media (USB, laptops, service devices) used during installation must go through a sanitisation/scanning station.
- Network connection during commissioning is done in a controlled staging environment before the tool joins the production network.
- Audit trail. Every step is logged and signed off.
What to do. Build a physical Malware-Free Equipment Zone in your fab. Equip it with up-to-date scanning tools, a quarantine network, and trained personnel. Require every installation to pass through it. No exceptions for urgent work. The urgent installs are exactly the ones that cause incidents.
SEMI E191: Cybersecurity for Host/Equipment Communications
What it is. Security requirements for the communication between a host (typically SECS/GEM- or HSMS-speaking) and equipment. The wire-level stuff.
Who it applies to. Anyone whose fab uses host-level automation, which is virtually every modern fab.
What it addresses. Historically, SECS/GEM and HSMS communications were unauthenticated and unencrypted, exactly like their cousins in process industries (Modbus, DNP3). E191 pushes the industry toward authenticated, integrity-protected, and where possible encrypted host-equipment communication.
Practical impact:
- New tool interfaces must support authentication of the host connection.
- Logging of host/equipment command exchanges becomes expected, not optional.
- Defence against replay and injection attacks on the SECS/GEM link is no longer hand-waved.
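To make "authenticated, integrity-protected, replay-resistant" concrete, here is an added example (not from SEMI E191 and not its wire format) that wraps a plain HSMS data message in an envelope carrying a counter and an HMAC, with a receiver that rejects replayed, modified, and unauthenticated frames. The Sender/Receiver classes, the envelope layout, and the pre-shared key are assumptions made for illustration; the sample frame is constructed.

```python
import hashlib, hmac, struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

def hsms_frame(session_id, stream, function, system_bytes, body=b""):
    """Plain HSMS data message: 4-byte length, 10-byte header, SECS-II body."""
    header = struct.pack(">HBBBBI", session_id, 0x80 | stream, function,
                         0, 0, system_bytes)  # W-bit set, PType=0, SType=0
    return struct.pack(">I", len(header) + len(body)) + header + body

class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def protect(self, frame):
        """Prefix a 64-bit counter and append an HMAC over counter + frame."""
        self.seq += 1
        msg = struct.pack(">Q", self.seq) + frame
        return msg + hmac.new(self.key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key):
        self.key, self.last_seq = key, 0

    def accept(self, envelope):
        """Return (verdict, frame); frame is None unless the verdict is 'ok'."""
        if len(envelope) < 8 + 14 + TAG_LEN:  # too short to hold counter+frame+tag
            return "rejected: unauthenticated", None
        msg, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: bad MAC", None
        (seq,) = struct.unpack(">Q", msg[:8])
        if seq <= self.last_seq:  # counter must strictly increase
            return "rejected: replay", None
        self.last_seq = seq
        return "ok", msg[8:]

def demo():
    key = b"constructed-demo-key-not-for-use"  # assumption: pre-shared key
    host, tool = Sender(key), Receiver(key)
    # Constructed sample: S2F41 header with an empty SECS-II list as body.
    frame = hsms_frame(session_id=1, stream=2, function=41, system_bytes=7,
                       body=b"\x01\x00")
    env = host.protect(frame)
    tampered = env[:20] + bytes([env[20] ^ 0xFF]) + env[21:]
    return [tool.accept(x)[0] for x in (env, env, tampered, frame)]

if __name__ == "__main__":
    print(demo())
```

The four verdicts correspond to a genuine message, the same message captured and sent again, a message altered in transit, and a legacy frame with no authentication at all. Each rejection is also the kind of event the command-exchange logging above should record.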
How the three fit together
- E187: the equipment itself is secure.
- E188: bringing the equipment into the fab does not introduce malware.
- E191: the way equipment talks to the host is secure.
Together, they cover the full lifecycle (manufacture, installation, operation) of fab equipment cybersecurity.
What to do in the next 12 months
For fabs:
- Add E187 and E191 to procurement specifications.
- Stand up an E188 equipment intake process.
- Commission a gap assessment of installed equipment against E187 (realistic expectation: 20 to 40% gap on most older tools).
For equipment suppliers:
- Establish a product cybersecurity program if you do not have one.
- Map your current product capabilities to E187 requirements.
- Publish a compliance statement. Customers are going to ask.
- Integrate E188-aware installation procedures into your field service playbook.
RelyBlue offers semiconductor cybersecurity assessments and roadmap services aligned to SEMI E187, E188, and E191. Talk to us if you are preparing for a customer audit or commissioning new equipment.