
Securing Mexico's Semiconductor Future

By Eugenio Marín - FUMEC
CEO


By Eugenio Marín | CEO - Wed, 08/20/2025 - 06:00


(In collaboration with Carlos Meneses)

Mexico stands at a strategic inflection point. As global shifts in geopolitics and supply chain resilience push semiconductor companies to diversify operations, Mexico has emerged as a promising hub for investment and relocation. With a robust industrial base, competitive labor market, and geographic proximity to the United States, the country is well-positioned, as stated in a previous article. However, one critical gap could derail its ambition: security. Both digital and physical security are not optional but foundational.

In the current semiconductor value chain, cybersecurity and physical security go hand in hand. Although digital threats, such as ransomware and intellectual property (IP) theft, receive significant attention, physical threats, such as unauthorized access to facilities, insider sabotage, and stolen documents, prototypes, or devices, can be equally damaging. Often, they serve as the initial vector for cyber compromise.

To seize this generational opportunity, Mexico must establish itself not just as an efficient partner, but as a secure one. This requires coordinated action from the government, academic institutions, and businesses to build a national infrastructure of trust, resilience, and protection.

The Semiconductor Ecosystem: High-Value, High-Risk

The semiconductor value chain encompasses multiple stages: chip design, fabrication, packaging, testing, and integration into electronic systems. Each stage introduces unique security risks:

  • Design: Risks of IP theft through cyberespionage.
  • Manufacturing and Assembly: Exposure of operational technology (OT) to attacks that could compromise product integrity.
  • Supply Chain: Insertion of malicious components or unauthorized access during transit and integration.
  • Testing and Certification: Vulnerabilities in firmware and software built into hardware products.

The correlation between physical security and cybersecurity is well-documented. For example, an unsecured terminal in a secure facility could easily become exposed to malware. A stolen laptop may contain credentials that grant access to critical systems. A compromised flash drive used by a field technician could bypass firewalls altogether.

Notably, global incidents, such as the theft of trade secrets from chipmakers and the physical tampering of circuit boards in transit, have shown that attackers often exploit physical vulnerabilities rather than launching cyberattacks.

Global Security Benchmarks in the Semiconductor Sector

Countries leading the semiconductor race, such as the United States, Taiwan, South Korea, and members of the European Union, have recognized the need to embed security holistically:

  • The US CHIPS and Science Act requires companies to demonstrate both digital and operational resilience to qualify for federal incentives.
  • The EU Cyber Resilience Act (CRA) mandates secure-by-design practices across hardware and software, including traceability of physical components.
  • NIST Cybersecurity Framework 2.0 and other standards stress the integration of access control, logging, physical monitoring, and incident response. This year, NIST and SEMI have released the initial public draft of the NIST IR 8546 Cybersecurity Framework Version 2.0 Semiconductor Manufacturing Profile.

Now, investors and international partners expect more than just a good business case. They demand evidence of secure infrastructure, vetted personnel, access control systems, and readiness for incidents.

Mexico’s Position: Strengths and Areas for Growth

Mexico already plays a central role in electronics manufacturing, particularly in sectors like automotive, telecommunications, and consumer devices. As it expands its capabilities into the semiconductor sector, however, some gaps remain, especially in security:

  • Physical Security: Many facilities lack basic controls such as biometric access, surveillance, or tamper-evident packaging for components.
  • Cybersecurity Maturity: While some industries have adopted ISO 27001 or NIST standards, broad adoption remains limited.
  • Integrated Security Governance: There is often a lack of coordination between physical and digital security teams.

Government, Academia, and Industry: A Tri-Sector Approach

Government: The federal government must develop a National Semiconductor Security Strategy, which must include:

  • Physical and cybersecurity regulations aligned with international standards.
  • Certification programs for secure facility design and secure supply chain management.
  • Grants and incentives for companies implementing secure infrastructure.

Some of the previous efforts and current status were discussed in a previous article.

Academia: Universities must prepare the workforce for integrated security roles by:

  • Adding physical security and hardware security to IT and engineering curricula, focusing on both respect for IP and protection of what their employers and clients generate.
  • Developing labs and training centers focused on secure cleanroom operations and access control technologies.
  • Partnering with international bodies to train students on global security protocols.

Recently, there has been much discussion about academia's involvement in design centers, which will generate valuable IP for the market. This IP will likely be used in commercial IP libraries. These centers should adopt cybersecurity standards that are consistent with those used in the design and manufacturing industry.

Industry: Companies operating in or soft-landing in Mexico must:

  • Implement physical security controls: surveillance, badge systems, two-factor authentication for access to sensitive areas, and inventory control.
  • Adopt digital access management: endpoint protection, encrypted data storage, and secure network segmentation.
  • Integrate physical and digital incident response plans.
  • Conduct joint cyber-physical risk assessments and red-team exercises.
  • Ensure that suppliers, in all their interactions with the company, respect cybersecurity and physical security protocols and, as a matter of preference, adopt their own internal security protocols.

Currently, semiconductor companies in Mexico use the standards of their parent company or those required by their customers in service contracts. However, no matter how many procedures, tools, and frameworks an institution implements, the human factor is the key element and the weakest link in the cybersecurity chain. We are the most frequent entry point for attacks due to a lack of precaution when safeguarding access keys and equipment, as well as not following cybersecurity and physical security procedures.

FUMEC has been collaborating with the United States, NASEM, NIST, and experts from the US semiconductor industry to disseminate the importance of cybersecurity and physical security in the semiconductor industry to representatives of government, industry and academia in Mexico, Costa Rica, and Panama.
