The Vulnerability That Cannot Be Fixed the Normal Way
In a well-documented incident at a major semiconductor facility, an intrusion into a process control network went undetected for more than eight months before a routine maintenance check revealed anomalous communication patterns on a SCADA historian server. The attacker had mapped the entire process network, understood the tool configurations, and established persistent access that was technically capable of issuing process commands. Production was not interrupted — in this instance. The investigation that followed found that the entry point had been a known vulnerability in a PLC for which a patch had been available for three years and had never been applied.
This gap between patch availability and patch application is not the result of negligence. It is the result of a specific constraint that applies to semiconductor fab environments and almost nowhere else. In enterprise IT, applying a patch to a critical system is a matter of scheduling, testing, and deployment. In a semiconductor fab, applying a firmware update to a process-critical tool controller can require a full process qualification run — testing the tool's performance on production wafers after the change to confirm the process has not been affected. For a critical tool in a leading-edge process, this qualification can take weeks and cost millions of dollars in test wafers. The calculation for each individual patch is rational: the certain cost of qualification versus the uncertain probability of exploitation. The aggregate result of thousands of rational individual decisions is a dense layer of known, unpatched vulnerabilities across every major fab in the world.
Why SCADA Systems Are the Highest-Leverage Target
- Physical consequences distinguish OT attacks from IT attacks — A successful attack on a SCADA system controlling fab process equipment does not merely cause data loss or system downtime. It can cause physical damage to equipment, contamination of product, or safety incidents. This dramatically increases the leverage available to ransomware operators and the damage potential for state-sponsored actors seeking economic disruption.
- Extended dwell times before detection — OT networks are monitored far less intensively than enterprise IT networks. An attacker who gains access to an OT environment can establish persistence and remain undetected for months while mapping the network, learning the process, and identifying the optimal point of intervention. The eight-month dwell time in the incident described above is not exceptional.
- Legacy protocols without authentication — Industrial control protocols designed in the era of air-gapped networks operate without authentication. Any device on the same network segment can send commands that a PLC or SCADA system will execute without verification. This is not a flaw to be patched — it is a design characteristic that can only be addressed through network architecture.
Compensating Controls for Environments That Cannot Be Patched
When patching is not feasible, the security posture must rest on compensating controls that reduce the impact and probability of exploitation without requiring changes to the vulnerable systems themselves.
- Network segmentation as the primary defence — If a SCADA system cannot be patched, the most effective control is ensuring that only authorised, known-good devices can communicate with it. Zone-based segmentation using industrial-grade firewalls that understand OT protocols, with an explicit whitelist of permitted communications and default-deny for everything else, contains the blast radius of any intrusion to the zone in which it occurs.
- Application whitelisting on HMI and engineering workstations — Human-machine interface workstations and engineering stations that interact with SCADA systems should run only approved, explicitly whitelisted software. Application whitelisting on these systems is both effective and feasible — unlike on enterprise endpoints, the approved application set for an HMI workstation changes infrequently.
- Unidirectional security gateways for historian connections — Data historians that collect SCADA data for enterprise analytics should be isolated using unidirectional security gateways (data diodes). Data flows from OT to IT; no commands can flow in the reverse direction. This eliminates the historian as an attack path while preserving its operational and analytical function.
- Continuous passive OT monitoring aligned with IEC 62443 — Passive monitoring that establishes a baseline of normal communication patterns and alerts on anomalous behaviour — unexpected command sequences, communications to undocumented destinations, access outside normal maintenance windows — provides the detection capability that compensates for the absence of patching.
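As an added illustration of the first and last controls above (the whitelist of permitted communications, and passive baseline-and-alert monitoring), and not code from the original article: a minimal passive monitor in Python that learns a baseline of (source, destination, function) tuples from a learning capture, then flags traffic involving endpoints absent from the asset inventory, commands never seen in the baseline, and engineering-station writes outside the maintenance window. All addresses, roles, function names, timestamps and the maintenance window are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Flow:
    ts: datetime   # time the frame was observed
    src: str       # source address (constructed)
    dst: str       # destination address (constructed)
    func: str      # protocol function name, e.g. "READ_HOLDING_REGS"

# Constructed asset inventory for one zone (address -> role); anything else is undocumented.
INVENTORY = {"10.10.1.5": "HMI", "10.10.1.6": "ENGINEERING",
             "10.10.1.20": "PLC", "10.10.1.21": "PLC"}
WRITE_FUNCS = {"WRITE_SINGLE_REG", "WRITE_MULTIPLE_REGS", "WRITE_COIL"}
MAINT_START, MAINT_END = time(2, 0), time(4, 0)   # constructed: 02:00-04:00 local

def learn_baseline(flows):
    """Learning phase: every (src, dst, func) observed is treated as normal."""
    return {(f.src, f.dst, f.func) for f in flows}

def detect(baseline, flows):
    """Return (flow, reason) for each flow that deviates from the baseline."""
    alerts = []
    for f in flows:
        if f.src not in INVENTORY or f.dst not in INVENTORY:
            alerts.append((f, "undocumented endpoint"))
        elif (f.src, f.dst, f.func) not in baseline:
            alerts.append((f, "command sequence not in baseline"))
        elif (INVENTORY[f.src] == "ENGINEERING" and f.func in WRITE_FUNCS
              and not MAINT_START <= f.ts.time() < MAINT_END):
            alerts.append((f, "engineering write outside maintenance window"))
    return alerts

def run_demo():
    """Constructed learning capture followed by a constructed live capture."""
    d = lambda h, m: datetime(2024, 1, 15, h, m)
    learning = [
        Flow(d(1, 0), "10.10.1.5", "10.10.1.20", "READ_HOLDING_REGS"),
        Flow(d(10, 15), "10.10.1.5", "10.10.1.20", "WRITE_SINGLE_REG"),    # HMI setpoint change
        Flow(d(2, 30), "10.10.1.6", "10.10.1.20", "WRITE_MULTIPLE_REGS"),  # in-window download
        Flow(d(10, 20), "10.10.1.5", "10.10.1.21", "READ_HOLDING_REGS"),
    ]
    live = [
        Flow(d(11, 0), "10.10.1.5", "10.10.1.20", "READ_HOLDING_REGS"),    # normal
        Flow(d(11, 5), "10.10.1.5", "10.10.1.20", "WRITE_SINGLE_REG"),     # normal
        Flow(d(14, 30), "10.10.1.6", "10.10.1.20", "WRITE_MULTIPLE_REGS"), # outside window
        Flow(d(14, 31), "10.10.1.5", "10.10.1.21", "WRITE_COIL"),          # never baselined
        Flow(d(14, 32), "10.10.1.20", "192.0.2.50", "READ_HOLDING_REGS"),  # unknown peer
    ]
    return detect(learn_baseline(learning), live)
```

Calling run_demo() returns three alerts, one for each deviation class; a real deployment would feed detect() from a passive tap and re-learn the baseline only after an approved change.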
The nation-state dimension: SCADA systems in semiconductor fabs are a documented high-priority target for state-sponsored actors. The objective is not always economic damage — access to process control systems in a leading-edge fab also provides intelligence about the manufacturing process itself. The question is not whether the environment will be targeted. It is whether the intrusion will be detected before it reaches an actionable stage.
Get a SCADA Security Assessment
We conduct SCADA and OT security assessments for semiconductor manufacturers aligned with IEC 62443 and the NIST Cybersecurity Framework. Get a SCADA security assessment.