At SEMICON West, McKinsey’s James Kaplan delivered one of the event’s defining keynote addresses, outlining how semiconductor manufacturers must reshape their cybersecurity strategies to meet the realities of hyperconnected industrial operations. Kaplan’s insights blended operational pragmatism with strategic urgency, reflecting the growing complexity of modern fabs and the escalating threats confronting them.
Kaplan argued that semiconductor companies have reached an inflection point: digital integration has outpaced cybersecurity adaptation, creating vulnerabilities that adversaries are increasingly exploiting. His keynote provided a blueprint for fab leaders seeking to modernize their security strategies while preserving uptime, efficiency, and innovation.
1. Digital Integration Has Redefined the Fab Security Landscape
Kaplan opened by noting that fabs are no longer siloed OT environments. Instead, they are interconnected digital ecosystems where engineering systems, production equipment, enterprise IT, cloud analytics, and global supply chain processes are bound together by data.
This transformation brings operational benefits—such as real-time optimization, better yield control, and predictive maintenance—but also introduces new risks. A single compromise in engineering or supplier systems can now cascade across entire production flows.
Kaplan described modern fabs as “digitally dense environments where every system influences another,” making traditional perimeter defenses insufficient.
2. Escalating Threat Activity Requires Deeper Security Capabilities
Kaplan cited the increasing number of ransomware and data theft incidents affecting semiconductor companies since 2021. He emphasized that while basic cybersecurity hygiene remains essential, adversaries have evolved beyond simplistic attacks.
Modern threat actors:
- Target design IP and engineering systems
- Use compromised vendor accounts for lateral movement
- Exploit unpatched OS components
- Deploy ransomware designed to disrupt operational workflows
Kaplan stressed that security must mature beyond blocking known threats and embrace real-time detection, architectural resilience, and threat-informed governance.
3. Strengthening Supply Chain Security Is No Longer Optional
Given the semiconductor industry’s heavy reliance on third-party tools and services, Kaplan urged fabs to adopt structured supply chain security programs. These should include:
- Supplier maturity assessments
- Clear requirements for secure development
- Verification of remote access practices
- Continuous visibility into third-party controls
Supply chain integrity must be treated as a strategic function, not an administrative task.
4. Operating System Security: The Foundation of Fab Resilience
Kaplan highlighted that many manufacturing systems operate on outdated or inconsistent OS configurations, making them vulnerable to exploitation. He outlined essential practices:
- Anti-virus and anti-malware mechanisms
- Regular vulnerability scanning
- Consistent baseline configurations
- Removal of unnecessary services and components
He described operating system hardening as “the first line of defense for everything that runs on top of it.”
5. DevSecOps Must Be Integrated Into Engineering Workflows
A consistent theme across Kaplan’s remarks was the need to move security upstream. He urged semiconductor companies to integrate cybersecurity into every phase of engineering through:
- Threat modeling
- Automated testing pipelines
- Rapid iterative cycles
- Development baselines
This reduces the downstream risk of vulnerabilities entering production systems.
6. Preparing for Intensifying Regulation
Kaplan warned that regulatory requirements—ranging from government mandates to industry standards—will shape future investment decisions. He advised organizations to define risk appetite, implement common frameworks, and adopt real-time policy tracking systems.
Fab operators who adapt early, he noted, “will treat compliance as a competitive advantage rather than an operational burden.”
Source: Keynote: “Strengthening Cybersecurity in Semiconductor Fabs: Practical Strategies for Mitigating Evolving Threats in a Hyperconnected Era,” SEMICON West 2025. Speaker: James Kaplan (McKinsey & Company).
