Industrial Security

Ransomware on the Factory Floor: Why OT/IT Convergence Is Semiconductor's Most Dangerous Security Gap

By Razetime Security Practice  ·  January 6, 2026


The Threat That Was Already Inside

When a leading semiconductor contract manufacturer suffered a ransomware attack through a maintenance vendor's remote access tool, thirty thousand automated guided vehicles across three fab buildings received conflicting instructions within hours. Production halted for eleven days. The financial damage exceeded what the company had spent on cybersecurity in the previous five years.

This was not a failure of perimeter security. The perimeter had been compromised years earlier — through a vendor laptop, a poorly segmented engineering workstation network, and an IT/OT boundary that existed in policy documents but not in the actual network architecture. The ransomware did not force its way in. It waited, mapped the environment, and struck at the moment of maximum leverage.

Every major semiconductor facility operating today faces a version of this risk. The convergence of operational technology — fab floor control systems, SCADA, PLCs — with enterprise IT infrastructure is not a planned architecture. It is the accumulated result of decades of operational improvements, each of which opened a small new connection between networks that were originally designed to be physically isolated.

Why Semiconductor Fabs Are in a Category of Their Own

Most industries face some degree of OT/IT convergence risk. Semiconductor manufacturing faces it in its most extreme form, for three interconnected reasons.

First, the equipment runs for decades. A fab tool installed in 2008 may be running firmware that has not received a security update since 2012, on an operating system that the vendor no longer supports, connected to a network it was never designed to be on. Replacing or patching it is not straightforward — a firmware change on a process-critical tool can require a full qualification run costing millions in test wafers and weeks of engineering time.

Second, modern yield management, predictive maintenance, and MES integration all require continuous data flows between fab floor equipment and enterprise systems. Each integration that improves operational efficiency also opens a path between networks. The business case for each individual connection is clear. The cumulative security implication is rarely assessed.

Third, the cost of downtime creates extraordinary leverage for ransomware operators. A leading-edge fab generates several million dollars of revenue per hour of uptime. Attackers know this. Their demands and negotiating positions reflect a precise understanding of what halting production costs.

What Conventional IT Security Cannot See

Standard enterprise security tools — endpoint detection, vulnerability scanners, SIEM platforms — are built for IT environments running standard operating systems and network protocols. They are largely blind to OT environments for a straightforward reason: active scanning of a fab tool can cause it to malfunction. Running a standard vulnerability scanner against a lithography system is not a security practice. It is a production incident waiting to happen.

The result is a fundamental visibility gap. A security team can tell an organisation exactly what software is running on every office laptop. It often cannot tell that organisation what firmware version is running on a reactive ion etch tool, whether that tool has been communicating with an unknown IP address, or whether a USB device was connected to its controller panel the previous week.

Three Actions That Reduce Risk Without Stopping Production

  1. Deploy passive OT asset discovery first — Passive network monitoring tools build a complete inventory of OT devices by observing traffic without generating any of their own. No active scanning, no risk of tool disruption. This is the essential first step, and it consistently surfaces devices and connections that no one in the organisation knew existed.
  2. Implement zone-based access controls at the IT/OT boundary — Define precisely which IP ranges, protocols, and users are permitted to cross the boundary between enterprise and fab networks. Enforce this with industrial-grade firewalls that understand OT protocols — not enterprise firewall rules repurposed for a boundary they were never designed to protect.
  3. Audit and restrict vendor remote access — Conduct a complete inventory of all vendor remote access credentials and VPN accounts. Revoke any unused in the past ninety days. Implement just-in-time access with full session recording for active vendor connections. The vendor remote access vector accounts for a disproportionate share of successful OT intrusions.

The diagnostic question: If asked to produce a complete, current list of every device connected to the fab network and every vendor with active remote access credentials, how long would it take? If the honest answer is more than four hours, the organisation does not have the visibility it needs to defend the environment it is responsible for.
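The three actions above, and the diagnostic question, reduce to the same underlying data: which devices have been seen on the fab network, which flows cross a zone boundary that policy does not permit, and which vendor accounts are still live. The script below is an added illustration of that logic, not code from this practice or from any monitoring product. The address plan, port numbers, protocol labels, flow records, approved session window and vendor accounts are all constructed for the example; in a real deployment the flow summaries would come from a passive sensor on a SPAN or TAP port and the account list from the VPN or identity provider export. The code never sends a packet to the network it describes.

```python
"""Constructed example: passive inventory from observed flow records, a
zone-boundary policy check with just-in-time vendor sessions, and a stale
vendor-account review. Every address, port, account and timestamp is made up."""
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Zones (constructed address plan for the example).
ZONES = {
    "fab": ip_network("10.50.0.0/16"),          # tool controllers and tool hosts
    "enterprise": ip_network("10.20.0.0/16"),   # MES, yield databases, office
    "vendor-vpn": ip_network("10.90.0.0/24"),   # address pool handed to vendor VPN users
}

# Constructed flow summaries as a passive sensor would emit them:
# (timestamp, src_ip, dst_ip, dst_port, protocol label).
FLOWS = [
    ("2026-01-05T08:00:00", "10.50.1.21", "10.50.1.10", 5000, "secs-gem"),  # tool -> tool host
    ("2026-01-05T08:00:05", "10.50.1.21", "10.20.7.40", 1433, "mssql"),     # tool -> MES database
    ("2026-01-05T08:01:10", "10.50.1.33", "10.50.1.10", 5000, "secs-gem"),
    ("2026-01-05T08:02:00", "10.50.1.33", "203.0.113.17", 443, "tls"),      # tool -> unknown public IP
    ("2026-01-05T08:03:00", "10.20.7.40", "10.50.1.21", 5000, "secs-gem"),  # enterprise host -> tool
    ("2026-01-05T08:04:00", "10.90.0.5", "10.50.1.45", 3389, "rdp"),        # vendor, outside approved window
    ("2026-01-05T09:30:00", "10.90.0.5", "10.50.1.45", 3389, "rdp"),        # vendor, inside approved window
]

# Permitted boundary crossings: (src_zone, dst_zone, dst_port, protocol).
BOUNDARY_POLICY = {("fab", "enterprise", 1433, "mssql")}

# Just-in-time vendor access: a vendor flow is allowed only inside an approved window.
APPROVED_VENDOR_SESSIONS = [
    {"src": "10.90.0.5", "dst": "10.50.1.45", "port": 3389,
     "start": "2026-01-05T09:00:00", "end": "2026-01-05T11:00:00"},
]

# Constructed vendor remote-access accounts as exported from the VPN / identity provider.
VENDOR_ACCOUNTS = [
    {"account": "vendor-etch-svc", "last_login": date(2025, 12, 30)},
    {"account": "vendor-litho-remote", "last_login": date(2025, 8, 14)},
    {"account": "vendor-agv-maint", "last_login": None},  # provisioned, never used
]
REVIEW_DATE = date(2026, 1, 6)


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no defined zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def passive_inventory(flows):
    """Step 1: device inventory built only from endpoints seen in traffic."""
    inventory = {}
    for ts, src, dst, port, proto in flows:
        for ip in (src, dst):
            entry = inventory.setdefault(
                ip, {"zone": zone_of(ip), "protocols": set(), "peers": set(), "last_seen": ts})
            entry["protocols"].add(proto)
            entry["last_seen"] = max(entry["last_seen"], ts)  # ISO-8601 strings sort chronologically
        inventory[src]["peers"].add(dst)
        inventory[dst]["peers"].add(src)
    return inventory


def _in_approved_session(ts, src, dst, port, sessions):
    return any(s["src"] == src and s["dst"] == dst and s["port"] == port
               and s["start"] <= ts <= s["end"] for s in sessions)


def boundary_violations(flows, policy=BOUNDARY_POLICY, sessions=APPROVED_VENDOR_SESSIONS):
    """Steps 2 and 3: flows crossing a zone boundary that neither policy nor an
    approved vendor session permits. Intra-zone traffic is out of scope here."""
    violations = []
    for ts, src, dst, port, proto in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz, port, proto) in policy:
            continue
        if sz == "vendor-vpn" and _in_approved_session(ts, src, dst, port, sessions):
            continue
        reason = "unknown zone" if "unknown" in (sz, dz) else f"{sz}->{dz} not permitted"
        violations.append((ts, src, dst, port, proto, reason))
    return violations


def stale_vendor_accounts(accounts, today, max_idle_days=90):
    """Step 3: accounts unused for more than max_idle_days, or never used, are revocation candidates."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["account"] for a in accounts
                  if a["last_login"] is None or a["last_login"] < cutoff)


if __name__ == "__main__":
    inv = passive_inventory(FLOWS)
    fab_count = sum(1 for e in inv.values() if e["zone"] == "fab")
    print(f"{len(inv)} devices observed, {fab_count} in the fab zone")
    for v in boundary_violations(FLOWS):
        print("VIOLATION", *v)
    print("stale vendor accounts:", stale_vendor_accounts(VENDOR_ACCOUNTS, REVIEW_DATE))
```

On the constructed data the inventory contains seven devices (four in the fab zone, one of them talking to a public address in no defined zone), three flows violate the boundary policy (the tool reaching the unknown public IP, the enterprise host initiating to a tool, and the vendor RDP session outside its approved window), and two of the three vendor accounts are older than ninety days or never used. The diagnostic question's four-hour threshold is easy to meet when these three questions are answered by a query against data that is already being collected, rather than by a manual survey.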

Request a Free OT Security Audit

We help semiconductor manufacturers close the OT/IT convergence security gap without disrupting production. Request a free OT security audit from our security practice to understand where the current exposure lies.
