Building a Resilient World:
The ISAGCA Blog

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Understanding the Relationship Between SEMI E187 and ISA/IEC 62443 in Equipment Security Implementation

Introduction

In the evolving landscape of industrial cybersecurity, semiconductor manufacturing equipment suppliers are increasingly required to demonstrate comprehensive security capabilities. Two pivotal standards have emerged as essential references: SEMI E187, developed by SEMI specifically for semiconductor manufacturing equipment, and the globally recognized ISA/IEC 62443 family of standards.

SEMI E187 outlines explicit security requirements tailored to the semiconductor industry's expectations of fab equipment, while ISA/IEC 62443-3-3, 62443-4-2 and 62443-4-1 provide broadly applicable requirements for system-level and component-level technical security and for the secure product development lifecycle. This article explores the practical relationship between these standards, highlighting areas of clear alignment as well as nuances where the standards only partially overlap.

Additional Remarks

This article is positioned as an informal, lightweight and implementation-focused starting point to support early-stage awareness. It is purposefully distinct from a formal white paper or detailed clause-by-clause cross-reference.

It may be of particular interest to semiconductor equipment suppliers, especially those involved in secure product development, compliance and customer-facing documentation. Many of these suppliers also maintain product lines that fall within the industrial automation and control systems (IACS) domain, so they are increasingly expected to address both SEMI E187 and ISA/IEC 62443 requirements in parallel. The article is also relevant to OEM customers, auditors and system integrators who need to understand how supplier-side practices align with broader industrial cybersecurity standards such as ISA/IEC 62443.

The informal comparison in this article may help suppliers:

  • Streamline audit and compliance preparation, as well as customer communication  
  • Avoid redundant implementation or documentation work  
  • Provide early guidance for aligning with evolving requirements  
  • Approach compliance in a more systemized and unified way

SEMI E187 Overview

Published by SEMI in January 2022, SEMI E187: Specification for Cybersecurity of Fab Equipment defines fundamental cybersecurity requirements for securing semiconductor manufacturing equipment throughout its lifecycle, including design, operation and maintenance.

The specification organizes its controls into four security domains:

  • Operating system security
  • Network security
  • Endpoint protection
  • Security monitoring

These domains guide equipment suppliers in implementing security practices that fulfill baseline cybersecurity expectations. SEMI E187 requirements are commonly referenced in supplier self-assessments, customer audits and procurement specifications.

Notably, SEMI E187 applies specifically to:

  • Computing devices installed on fab equipment
  • Devices operating Microsoft Windows or Linux

It does not apply to:

  • PLCs, SCADA systems or devices connected to sensor-actuator networks
  • Factory-supplied IT systems, such as manufacturing execution systems (MES)

The table below shows the overview of the SEMI E187 requirements.

Table 1: SEMI E187 Overview

ISA/IEC 62443-3-3, 4-2 and 4-1 Overview

The ISA/IEC 62443 series of standards establishes requirements and procedures for implementing and maintaining secure industrial automation and control systems (IACS). It provides a structured, risk-based approach to cybersecurity at the product, system and organizational levels.

Among the ISA/IEC 62443 standards, three are particularly relevant for equipment suppliers:

  • ISA/IEC 62443-3-3 – System Security Requirements and Security Levels
    This standard defines the cybersecurity capabilities that an IACS must implement to achieve a target security level (SL-T) derived from a risk assessment. It specifies system requirements (SRs) grouped under the seven foundational requirements (FRs): identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events and resource availability. The standard is primarily intended for system integrators and asset owners, to ensure that the overall system architecture incorporates sufficient security functions to withstand the threat scenarios associated with each SL. It also provides a structured way to demonstrate system compliance in line with business and operational risk.
  • ISA/IEC 62443-4-2 – Technical Security Requirements for IACS Components
    This standard specifies technical security requirements, referred to as component requirements (CRs), for individual IACS components: embedded devices, host devices, network devices and software applications. The CRs are organized under the same seven FRs (identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events and resource availability). Each CR carries requirement enhancements (REs) that raise the level it satisfies, so a supplier can claim a security level capability (SL-C) for each FR and select controls to match specific threat scenarios and risk tolerances. By addressing each component type individually, the standard supports secure-by-design development and consistent integration into system-level security architectures.
  • ISA/IEC 62443-4-1 – Secure Product Development Lifecycle Requirements
    This standard defines eight practices: security management (SM), specification of security requirements (SR), secure by design (SD), secure implementation (SI), security verification and validation testing (SVV), management of security-related issues (DM), security update management (SUM) and security guidelines (SG). The goal is to integrate cybersecurity considerations throughout the entire product development lifecycle, enabling suppliers to demonstrate secure development practices to customers and auditors.

Together, these three standards form a layered architecture: 62443-4-1 governs the development process, 62443-4-2 ensures secure-by-design capabilities at the component level and 62443-3-3 defines the system-level protections that asset owners and integrators must realize. They are complementary: secure development practices, component capabilities and system protections are all needed to achieve and sustain a defined SL.

SEMI E187 and ISA/IEC 62443 Alignment: Overview Table

The table below provides a concise mapping of selected SEMI E187 clauses to corresponding clauses in ISA/IEC 62443, indicating clear or partial alignments.

Table 2: Summarized Mapping of SEMI E187 and ISA/IEC 62443 Requirements

Note 1: The mapping provided in this table is based on the author's interpretation of publicly available references from the respective standards. It is intended as a general guideline rather than an official cross-standard specification.

Note 2: An asterisk (*) denotes partial alignment between standards.

The comparison demonstrates that many SEMI E187 requirements align clearly with ISA/IEC 62443 controls. However, some requirements exhibit only partial alignment due to differences in the scope, approach and enforcement context of the two specifications.

Partial Alignment Analysis

The comparison between SEMI E187 and ISA/IEC 62443 indicates substantial alignment across many requirements. However, specific requirements demonstrate partial alignment due to differences in scope, enforcement context and the underlying approach to security implementation. The analysis below highlights these nuanced distinctions.

Table 3: SEMI E187 and ISA/IEC 62443 Partial Alignment Comparison

Detailed Analysis

Partial Alignment 1: OS Support and Lifecycle Management [E187-RQ-00001]

  • SEMI E187 Requirement:
    Equipment suppliers must not ship equipment running an unsupported operating system (e.g., an end-of-life OS).
  • ISA/IEC 62443-4-1 Practice (SUM-3):
    Suppliers must document the product's compatibility with security updates for the operating system and other dependent components, stating which updates are approved and providing recommended mitigations where an update is not approved. It does not directly prohibit shipping equipment with an unsupported operating system.
  • Interpretation:
    SEMI E187 imposes a preventive rule: only a vendor-supported operating system may be shipped, regardless of whether any current vulnerabilities are known, which rules out end-of-life operating systems outright. ISA/IEC 62443-4-1 instead emphasizes documenting compatibility, communicating update status and recommending mitigations for updates the supplier has not approved. Although 62443-4-1 does not prohibit shipping an unsupported OS, a supplier will in practice struggle to satisfy the security update management (SUM) practice as a whole unless the operating system remains actively supported, because there are no vendor updates left to qualify, document or deliver.
  • Key Insight:
    Both standards aim to mitigate OS-related risk, but their enforcement differs. SEMI E187 uses a direct prohibition, whereas ISA/IEC 62443 relies on a structured, documented process that supports informed risk decisions, resulting in partial alignment between the two standards.

Partial Alignment 2: Malware Scanning as a Security Validation Activity [E187-RQ-00006]

  • SEMI E187 Requirement:
    Suppliers must perform a malware scan before equipment shipment and document it, including the scanning tool's name and version, the coverage scope and the date of the scan.
  • ISA/IEC 62443-4-1 Practice (SVV-1):
    Suppliers must have a testing process that verifies the product's security functions meet the defined security requirements and that the product handles errors and invalid input correctly. The examples of security functionality to be tested (anti-tampering, integrity checks, signed image verification) could indirectly support malware detection, and the practice also covers functional, performance, scalability, boundary-condition and stress testing with unexpected input. An explicit malware scan is not mandated.
  • Interpretation:
    SEMI E187 prescribes a specific operational activity and its documentation deliverables. ISA/IEC 62443 states a broader validation objective and leaves suppliers free to decide whether activities such as malware scanning are part of it.
  • Key Insight:
    Malware scanning fits conceptually within ISA/IEC 62443's security validation objectives, but the absence of an explicit requirement means the two standards are only partially aligned on this point.

Insights on Capability Versus Process Coverage

SEMI E187 is commonly viewed as a capability-oriented specification, explicitly defining functional security requirements that equipment suppliers must satisfy. However, it also implicitly addresses process-related expectations, especially concerning patch management, documentation procedures and security validation activities.

Representative examples (non-exhaustive) include:

  • RQ-00001 – Governs operating system support (no end-of-life OS at shipment).
  • RQ-00002 – Specifies procedural documentation for applying security patches and updates.
  • RQ-00005 – Mandates vulnerability scanning and reporting prior to equipment shipment.
  • RQ-00006 – Mandates malware scanning and reporting prior to equipment shipment.

These requirements illustrate how SEMI E187, despite its capability-driven framing, also integrates aspects of secure lifecycle processes.

Conclusion

The comparative analysis between SEMI E187 and ISA/IEC 62443-3-3/4-1/4-2 reveals important alignments and key distinctions. SEMI E187 generally takes a prescriptive approach, specifying the cybersecurity actions required, while ISA/IEC 62443 takes a broader, flexible and process-oriented approach that leaves the implementation specifics to the supplier.

Recognizing these similarities and differences enables suppliers to strategically align their compliance activities, streamlining efforts, enhancing documentation reuse and improving communication with customers and certification bodies. Effective industry collaboration on developing open mapping tools or shared implementation templates is recommended to further enhance alignment, simplify compliance, reduce development timelines and optimize resource allocation.

References

[1] ANSI/ISA-62443-3-3-2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels

[2] IEC 62443-3-3:2013, Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels

[3] ANSI/ISA-62443-4-1-2018, Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements

[4] IEC 62443-4-1:2018, Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements

[5] ANSI/ISA-62443-4-2-2018, Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

[6] IEC 62443-4-2:2019, Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

[7] SEMI E187-0122, Specification for Cybersecurity of Fab Equipment

SZ Lin
SZ Lin (林上智) has over 15 years of experience in ICS/OT cybersecurity, with expertise in critical infrastructure protection and open source security. He currently serves as the President of the ISA Taiwan Section and is an ISA qualified instructor, contributing to the development of ISA/IEC 62443 standards and the ISASecure certification program.

In the open source community, SZ is a Debian Developer and the initiator of the OpenChain Taiwan workgroup, where he actively develops and contributes to open source security and compliance. He formerly served as Chair of the Civil Infrastructure Platform (CIP) Kernel Workgroup and Board Member of OpenChain in the Linux Foundation projects.

SZ holds multiple industry-recognized certifications, including CISSP, ISSAP, CSSLP, GICSP (Gold) and ISA/IEC 62443 Expert. He regularly shares insights at global ICS/OT security conferences.

Published May 30, 2025, by SZ Lin.