Security for Semiconductor and Cleanroom Manufacturing | CloseProtectionHire

The semiconductor fabrication plant is one of the most targeted industrial facilities on earth. The IP embedded in an advanced logic fab – the process chemistry, the lithography settings, the tool configurations, the yield optimisation data – represents decades of engineering investment and is worth more as strategic intelligence to a state competitor than any physical asset the plant contains.

The US CHIPS and Science Act, signed into law in August 2022 (P.L. 117-167), authorised USD 52.7bn for US semiconductor manufacturing and research, driven explicitly by national security concerns. The Act’s guardrail provisions – which prohibit recipients from expanding advanced manufacturing capacity in China for 10 years and require disclosure of foreign entity relationships – reflect a policy conclusion that semiconductor IP is a national security asset requiring active protection. The security community’s role is to operationalise that conclusion at facility level.

This guide covers the four security domains that matter most in semiconductor manufacturing: access control in the cleanroom and tool bay environment, insider threat programme design, export compliance as a security function, and the specific threat picture for fab facilities in P1 and P1-adjacent cities.

Cleanroom Access Control

A semiconductor fabrication plant is physically layered. The outermost layer – the factory building, perimeter, and administrative areas – requires standard commercial physical security: access control to BS EN 50131 Grade 2 or 3, perimeter fencing to BS 1722 or equivalent, CCTV to BS 8418:2015, and SIA-regulated guarding at primary entry points.

The critical security layer is the one inside: the cleanroom and tool bay environment. This is where the production process occurs, where the EUV and DUV lithography tools operate, and where the technical documentation that has collection value is accessed.

Cleanroom access control should be designed around the principle of minimum necessary access. Not every engineer needs access to every tool bay. EUV tool engineers, DUV tool engineers, etch and deposition process engineers, metrology staff, and production operators all have different functional requirements. Access tiering should map to these functional categories, with access to the highest-value documentation – EUV tool configuration data, process recipes, yield optimisation parameters – restricted to the minimum necessary group.

Badge reader technology for cleanroom entry typically uses multi-factor authentication: key card plus PIN, or biometric plus key card for higher-sensitivity areas. Tailgating (following an authorised person through a controlled door without presenting credentials) is a common failure mode. Airlock entry systems – which prevent the door behind from opening until the door in front has closed and credentials have been verified – are standard at advanced logic fabs.

A less obvious security concern is contamination as an attack vector. Cleanroom contamination procedures address accidental particle introduction – garment integrity, air shower function, glove change protocols. Security planning must also address deliberate contamination. A disgruntled engineer, or a recruited insider acting for a competitor, could introduce contaminants that destroy a production run without triggering conventional intrusion detection. Two-person integrity for certain critical process steps, and timestamped access logging for tool bay entry, create the audit trail necessary to identify the source of a suspected deliberate contamination event.

Insider Threat: The Primary Attack Vector

The DOJ’s semiconductor IP enforcement actions since 2021 consistently demonstrate that the dominant attack vector is not network intrusion or physical facility breach – it is the recruited or self-motivated insider.

In October 2023, Yiwen Wang, an engineer at Applied Materials, was charged with trade secret theft after allegedly removing thousands of files relating to semiconductor manufacturing equipment and forwarding them to CXMT, a Chinese state-backed memory chip manufacturer. The indictment describes a methodical removal of documentation over a period of months, using a personal USB drive and cloud storage to exfiltrate files outside the company’s DLP controls.

ASML has experienced multiple IP theft incidents related to its EUV lithography technology. The civil proceedings initiated in 2023 relate to alleged removal of EUV-related technical data by a former employee. ASML’s EUV machines – which cost in excess of USD 150m each and require two Boeing 747 freighters to ship – cannot be exported to China without Dutch and US government authorisation under the Foreign Direct Product Rule. The technical documentation for these machines has equivalent or greater value to a state actor than the physical hardware.

An effective insider threat programme for a semiconductor fab has five components.

Pre-employment screening to BS 7858 standard at a minimum, with enhanced vetting (references, financial checks, foreign contact declaration) for roles with access to controlled technical documentation. The screening should be repeated at defined intervals – typically two to three years – not conducted only at point of hire.

Anomalous access monitoring across DMS and engineering data repositories. Bulk download of technical documentation outside normal working patterns, access to files outside a role’s functional scope, or repeated access to the same document set from different devices are all indicators that warrant investigation. The monitoring system should generate alerts for human review, not rely on manual inspection.

Foreign contact reporting requirement for all staff with access to controlled technical data. Any approach by a foreign national seeking technical information – including at conferences, through LinkedIn, or via social settings – should be reported to the security function as a matter of course. The FBI’s counterintelligence outreach programme for the semiconductor sector provides specific guidance on what constitutes a reportable approach.

Foreign travel reporting for staff with access to export-controlled technical data. Travel to restricted jurisdictions (particularly China, given current CHIPS Act and BIS context) should require pre-travel authorisation and a post-travel debrief. Device security during the trip follows the NCSC/FBI clean device protocol.

A psychologically safe reporting culture. Insider threat programmes fail when employees fear retaliation for reporting suspicious colleague behaviour or their own inadvertent disclosure. The reporting process should be clearly communicated, and the security function should demonstrate through its response to reports that the process is taken seriously and handled without disproportionate consequence for reporters acting in good faith.

BIS Export Compliance as a Security Function

The Bureau of Industry and Security (BIS) Export Administration Regulations (EAR, 15 CFR Parts 730-774) control semiconductor manufacturing equipment and technical data with national security implications. The October 2022 interim final rule introduced the most significant expansion of semiconductor controls in decades, covering: advanced logic chips (below 16nm or below 18nm with certain gate characteristics); high bandwidth memory chips above defined capacity thresholds; and the manufacturing equipment and software used to produce them.

The Foreign Direct Product Rule (FDPR) extends these controls extraterritorially. Equipment manufactured outside the US using US-origin technology or production equipment falls within EAR jurisdiction. This has direct implications for non-US fab operators with US-origin tools – a Dutch or South Korean fab using Applied Materials or Lam Research deposition equipment is producing goods subject to BIS controls.

Personal criminal liability is the key security implication. Unauthorised export of controlled items or technical data under 15 CFR Part 774 is a federal crime carrying penalties of up to USD 1m per violation and 20 years’ imprisonment under 50 U.S.C. 4819. The criminal risk is not confined to the corporate exporter – individual engineers, managers, and technical staff who facilitate an unauthorised export can be individually prosecuted.

For fab security teams, BIS compliance is not a legal department function alone. The security team should be involved in: access control for foreign national employees whose access to controlled technical data triggers “deemed export” requirements (EAR 15 CFR 734.13 – transferring controlled technology to a foreign national in the US is treated as an export to that person’s home country); pre-travel authorisation for staff travelling to restricted jurisdictions with knowledge of controlled processes; and incident response if a potential violation is identified.

P1 City Context: India and Southeast Asia Fabs

The geography of semiconductor manufacturing expansion is moving toward P1 and P1-adjacent markets.

Mumbai/India: Tata Electronics is developing fab facilities in Dholera (Gujarat) and Morigaon (Assam) with significant government support under the India Semiconductor Mission. TSMC has been in discussions about an India facility. These developments mean the semiconductor security framework that has been standard in Taiwan, South Korea, and the US is increasingly relevant to the India market. Security programmes for India-based fabs will need to address the specific threat environment – including IP theft risk from both domestic competitors and state-aligned actors – alongside the standard insider threat framework.

Jakarta/Indonesia: Indonesia does not currently host advanced logic fab operations, but the country is a significant electronics manufacturing hub with ongoing investment in downstream semiconductor packaging and testing. Security considerations for packaging and test (OSAT) facilities are a subset of the full fab security framework, with the access control and IP protection elements calibrated to the lower but non-trivial IP value of OSAT operations.

Bangkok/Thailand: Thailand hosts a number of major semiconductor packaging and assembly facilities including Western Digital and Seagate HDD operations. These are not advanced logic fabs but carry meaningful IP and maintain supply chain sensitivity that warrants a security programme above a standard commercial manufacturing baseline.

Practical Security Measures for Fab Operators

Three structural measures produce the most security value at a semiconductor fab beyond standard commercial physical security.

Data Loss Prevention (DLP) tooling integrated with the DMS and engineering data environment. DLP should monitor for bulk exports of technical documentation, unauthorised copy to removable media, and file transfer to non-corporate cloud destinations. Alerts should feed into a security incident workflow, not be reviewed retrospectively.

A defined controlled area for documentation related to export-controlled technology. Technical data with BIS control status should be stored in a separately access-controlled area of the DMS, with access tiering that triggers automatic logging. Access to this area should require explicit authorisation, not be granted by default to all engineering staff.

Annual security awareness training specifically addressing IP theft methodology, BIS compliance implications, and the foreign contact reporting requirement. The FBI’s semiconductor sector counterintelligence materials are appropriate as a training foundation.

For the broader IP protection framework covering executive travel and conference environments, see our security for aerospace and defence contractors guide, which addresses the NISPOM and ITAR personal liability framework in detail. For protecting trade secrets during international travel to restricted jurisdictions – including clean device protocol and border inspection procedure – see our protecting trade secrets during international travel guide.

Sources: US Department of Justice Press Release, October 2023 (Yiwen Wang / Applied Materials / CXMT trade secret indictment); ASML civil proceedings, 2023 (EUV lithography trade secret allegations); US CHIPS and Science Act 2022 (P.L. 117-167, USD 52.7bn, guardrail provisions, 10-year China expansion prohibition); BIS Interim Final Rule, October 2022 (advanced computing / semiconductor export controls, FDPR extension); BIS Amendment, October 2023 (loophole closure); 50 U.S.C. 4819 (EAR criminal penalties, USD 1m/violation, 20 years imprisonment); 15 CFR 734.13 (deemed export definition); FBI Counterintelligence Division, Semiconductor Sector Advisory 2022; NCSC/FBI/CISA Business Travel Security Advisory 2023 (clean device protocol); BS 7858:2019 (pre-employment screening); BS EN 50131 (intruder detection, Grade 3); BS 8418:2015 (CCTV monitoring).

James Whitfield is a Senior Security Consultant with experience advising technology sector clients on insider threat programme design, IP protection frameworks, and export compliance security. He advises semiconductor, defence, and advanced manufacturing clients on security programme development.