At SEMICON West, Accenture’s Bradford Hegrat offered a candid assessment of one of the semiconductor industry’s most persistent—and least visible—cybersecurity challenges: operational technology (OT) technical debt. In a sector where manufacturing tools can operate for decades and architectural decisions are built layer upon layer over time, technical debt accumulates quietly but with profound consequences.
Hegrat’s session made the case that semiconductor manufacturing’s current cybersecurity posture cannot be improved without reckoning with the legacy architectures, unsupported systems, and outdated reference models that shape today’s fabs. His message was not simply that security tools must evolve; rather, the very architecture of modern fabs must be reconsidered.
1. Technical Debt Is a Growing Structural Risk — Not an IT Cleanup Task
Hegrat emphasized that technical debt is not merely an operational inconvenience. It is a strategic business risk that undermines visibility, hampers incident response, and creates conditions in which adversaries can operate undetected.
Semiconductor fabs often rely on:
- Systems built on obsolete or unsupported operating systems
- Legacy network designs that reflect past assumptions
- Tools originally deployed without cybersecurity considerations
- Patches and compensating controls added over time without architectural cohesion
While these systems continue to enable production, they also create exposure. As Hegrat noted, many OT environments today “were never designed to defend against the kinds of cyber threats we now face.”
2. Outdated Architectural Models Limit Modern Security Capabilities
One of the most widely referenced frameworks in industrial environments—the Purdue Enterprise Reference Architecture (PERA)—was designed for an earlier era of networking.
Hegrat explained that while PERA provided a useful structure in its time, its linear, zone-based model does not accurately reflect the dynamic, distributed, and interconnected architectures of today’s fabs. In practice:
- Traffic often flows across zones in unpredictable ways
- Data paths resemble webs more than hierarchies
- Modern tools communicate with cloud platforms and analytics engines
- Engineering workstations interact with both IT and OT environments
Adversaries exploit these inconsistencies. A flat or insufficiently segmented network allows attackers to move laterally with minimal resistance. Meanwhile, overreliance on outdated models leaves organizations blind to how contemporary attack chains actually unfold.
3. Modern OT Security Requires Monitoring, Detection, and Real-Time Understanding
Hegrat argued that the most important shift in OT cybersecurity is toward a detection-first mindset. Rather than focusing only on perimeter controls or manual patch cycles, security teams must build systems that continuously observe, analyze, and contextualize behavior.
This requires:
- Accurate system inventories — the foundation of any detection program
- Data flow mapping — to identify where attacks can propagate
- Dependency mapping — understanding which systems are crown jewels
- Telemetry aggregation — enabling early anomaly detection
Hegrat stressed that many fabs make decisions based on outdated or incomplete system maps. Without accurate visibility, organizations cannot evaluate risk, prioritize controls, or detect intrusions before they escalate.
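The reconciliation this section describes can be sketched as follows. This is an added example, not material from Hegrat's session or from Accenture: it checks observed flows against a documented inventory and zone map, then lists every asset with an observed path to a crown-jewel system. All asset names, zone names, allowed paths, and flow records are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data: documented inventory (asset -> zone).
INVENTORY = {
    "corp-laptop-22": "enterprise",
    "eng-ws-01": "engineering",
    "mes-01": "operations",
    "historian-01": "operations",
    "etch-tool-07": "process",
}
# Zone-to-zone paths the (hypothetical) architecture documents allow.
ALLOWED_ZONE_PATHS = {("enterprise", "operations"), ("engineering", "operations"),
                      ("operations", "process")}
CROWN_JEWELS = {"etch-tool-07"}
# Constructed observed flows (src, dst), e.g. from aggregated telemetry.
OBSERVED_FLOWS = [
    ("corp-laptop-22", "mes-01"),
    ("mes-01", "etch-tool-07"),
    ("eng-ws-01", "etch-tool-07"),     # skips the operations zone
    ("vendor-box-x", "historian-01"),  # source missing from inventory
    ("historian-01", "mes-01"),
]

def audit_flows(flows, inventory, allowed):
    """Return (assets absent from inventory, cross-zone flows not documented)."""
    unknown, undocumented = set(), []
    for src, dst in flows:
        missing = {h for h in (src, dst) if h not in inventory}
        if missing:
            unknown |= missing  # inventory gap: zone cannot be evaluated
            continue
        zs, zd = inventory[src], inventory[dst]
        if zs != zd and (zs, zd) not in allowed:
            undocumented.append((src, dst))
    return unknown, undocumented

def can_reach(flows, targets):
    """Assets with an observed path (direct or multi-hop) to any target."""
    reverse = defaultdict(set)
    for src, dst in flows:
        reverse[dst].add(src)
    seen, queue = set(), deque(targets)
    while queue:
        node = queue.popleft()
        for prev in reverse[node] - seen - set(targets):
            seen.add(prev)
            queue.append(prev)
    return seen
```

On the constructed data, the uninventoried vendor host never touches the crown-jewel tool directly, yet it appears in the reachability set through the historian and MES, which is the kind of propagation path an outdated system map hides.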
4. Attack Chain Analysis Reveals Where Defenses Must Be Strengthened
Another major theme in Hegrat’s session was the role of attack chain analysis—studying how real-world attackers operate, step by step, to identify where security controls fail.
This kind of structured analysis helps fabs:
- Understand which vulnerabilities adversaries are most likely to exploit
- Identify choke points where detection provides maximum value
- Prioritize compensating controls for legacy systems
- Strengthen network segmentation based on functional realities
In Hegrat’s view, OT cybersecurity cannot evolve without this threat-informed perspective. Defensive controls must be rooted in how adversaries actually behave, not how networks are theoretically structured.
5. Cloud Adoption Is Changing OT Security Architecture
Hegrat noted that semiconductor companies are increasingly integrating cloud-based analytics, telemetry pipelines, and remote support systems. This shift requires more than simply extending existing networks—it demands purposeful architectural planning.
Modern cloud-integrated OT environments require:
- Software-defined networking (SDN)
- Segmented machine-to-cloud communication
- Clear separation between human and system-level identities
- Enforced pathways for data synchronization and tool management
This approach supports both scalability and resilience, while reducing the risk of uncontrolled connectivity.
6. Modernization Requires Executive Commitment and Multi-Year Roadmaps
Hegrat concluded by emphasizing that OT modernization is not a project—it is a strategic transformation. It requires long-term investment, alignment between engineering and cybersecurity teams, and an understanding that technical debt compounds if left unaddressed.
At SEMICON West, his message resonated: to protect semiconductor manufacturing, the industry must rebuild its security foundations even as it keeps the lines running.
Source: “Secure Together: Building Cybersecurity Resilience Through Industry Alliances,” SEMICON West 2025. Speakers: James Kaplan (McKinsey & Company); Quentin Kantaris (TXOne Networks); Bradford Hegrat (Accenture); Nijaz Velic and Richard Morris (NY CREATES); Tom Palmaers and Giselle M.H. Van Tornout (imec); SZ Lin (Sun Square); Ross Mahler and Marty Wachi (Moxa); Simon Davies (Renesas); Jennifer Lynn (IBM); Prabhu Jayanna (AMD); Anusha Annapareddy (Applied Materials); Bertrand F. Cambou (High Entropy Security); Daniel O'Loughlin (Qualcomm). Panel moderator: Andrew M. Seward (Tokyo Electron America).