The semiconductor industry in India is fabless, not fabulous, meaning that while designs are conceived within the country, the actual manufacturing of chips occurs overseas. While PSMC and Tata Electronic have their roadmap for building a fab in India by 2026, till then, Indian companies rely on TSCM and others for building semiconductor chips that were designed in India. Which creates a security issue within the supply chain of the semiconductor industry.

To explain the possible risks in the semiconductor supply chain and how to protect from them, Shashwath TR, the CEO and founder of Mindgrove Technologies spoke with AIM. “When I send our design to a foundry, I am trusting them with the intellectual property,” said Shashwath.

Founded in 2021, Mindgrove Technologies is a Chennai based semiconductor company focusing on the design and production of Systems on Chips (SoCs). The fabless startup secured $2.32 million in seed funding last year from investors led by Sequoia Capital India (now Peak XV Partners).

In May, the company unveiled India’s inaugural commercial high-performance SoC (system on chip) dubbed Secure IoT, which would be in production by next year. “When it does go into production, that is the revenue generating thing for us,” added Shashwath. 

Secure IoT’s production is based on MPW (Multi-Project Wafer). This enables cost-effective prototyping and low-volume production, reducing the cost of a full prototyping wafer run to 10% or even 5% of the initial price.

Moreover, the company also has plans for releasing a prototype for its Vision SoC by next year, or another 18 months. 

But There is a Bigger Issue

When it comes to manufacturing chips outside India, trust is foundational. But it is also the first point of vulnerability in the supply chain. Foundries like TSMC assure clients that they will not misuse or replicate the designs, but the risk cannot be entirely eliminated.

Two primary risks emerge when outsourcing semiconductor manufacturing: design theft and malicious tampering. While the former requires advanced state-level capabilities, the latter could be more subtle, involving the insertion of backdoors or other vulnerabilities into the chip design.

“As far as stealing the design is concerned, it’s really hard to do—it takes a state actor,” Shashwath emphasised, underscoring the sophisticated level of expertise required to extract a chip design post-manufacture. 

Even with the guarantees provided by foundries like TSMC, the potential for tampering remains. This concern is mitigated through rigorous verification processes, including non-functional verification, silicon validation, and extensive testing. A more subtle risk lies in the potential for unauthorised modifications during the manufacturing process. 

“Somebody in the middle of the supply chain could add something into the design, making it insecure,” Shashwath said. To mitigate this, companies must implement rigorous verification processes, including functional and non-functional tests, to ensure that the final product aligns with the original design and is free of tampering. “We can measure the power output from different things in simulation and then see if they match in real life,” Shashwath noted, highlighting the meticulous checks in place to ensure chip integrity.

Despite these precautions, the semiconductor industry has yet to experience a proven attack at the silicon level. However, the potential for such an attack exists. “There are usually three or four papers a year talking about these possibilities,” Shashwath remarked, highlighting the ongoing research into theoretical vulnerabilities.

The risk does not end at the foundry

Once a chip is manufactured, the One-Time Programmable (OTP) memory, which stores critical cryptographic keys, remains unprogrammed until the packaging stage. This introduces another layer of vulnerability—if compromised, it could render the entire chip insecure. 

Shashwath explained, “An insecure root key can be provisioned on that chip, which makes the entire chip insecure.”

To counter this, companies like Mindgrove Technologies employ multiple strategies, including the ability to disable compromised keys via updates. “We have space for four root keys inside the chip. If any root key is known to be compromised, we can write an OT update to the chip, which will disable that key,” Shashwath shared, illustrating a proactive approach to potential threats.

In such a complex landscape, the role of government regulations and industry standards becomes crucial. Agencies like the RBI or Ministry of External Affairs or Ministry of Defense in India often prescribe specific security measures for chips used in sensitive applications. These measures are not only about protecting the chip itself but ensuring that the entire supply chain remains secure. 

“There is a long consultation process of what kind of regulations you need,” Shashwath mentioned, acknowledging the collaborative effort required across the ecosystem.

Read: What’s Stopping India’s Semiconductor Mission

Much More is Needed

While companies like Mindgrove Technologies are pioneering in securing their products, Shashwath admits that the broader challenge lies in creating a consensus across the industry. “The ecosystem has to agree on what to do,” he said, reflecting the shared responsibility of all stakeholders in the semiconductor supply chain.

“Everybody who’s making systems on chip will be working on this, especially if they have some kind of relationship with the government or security-focused applications,” Shashwath explained that every company such as Netrasemi, Sima, or even AMD, Intel, Qualcomm, everyone is concerned about this. 

As India looks to the future, the establishment of a domestic fab by PSMC and Tata Electronics is a significant step toward reducing reliance on foreign foundries. “When it comes, it’ll be great. We hope to be able to use a wholly indigenous supply chain,” Shashwath remarked, expressing optimism about the potential for a more secure and self-reliant semiconductor industry in India.

However, he remains realistic about India’s current capabilities when asked about building something like NVIDIA. “We have to learn to walk before we can run, before we can fly,” Shashwath observed, highlighting the importance of focusing on consumer appliances, electronics, and smart devices before venturing into more complex areas like supercomputing.