feature article
Subscribe Now

Cyber-Security’s So-So Soup; Cyber-Resiliency Rocks!

In my previous column — Yay! Finally! A Way to Secure the Supply Chain! — we considered a cunning concept from the crafty chaps and chapesses at Lattice Semiconductor. As you may recall, the idea is to use the Lattice SupplyGuard service to pre-load MachXO3D or Mach-NX FPGAs with a lock program and associated cryptographic key, and it is these locked devices that are shipped to the contract manufacturer, whose security may be suspect and whose motives may be “misaligned,” shall we say.

FPGAs can be programmed using a range of mechanisms via a variety of ports, but the lock program shuts them all down. The only way for the contract manufacturer to reprogram one of these FPGAs is to use an encrypted image supplied by the designers of the system, which means the FPGA acts as its own hardware security module (HSM).

Apart from anything else, this means the contract manufacturer cannot overproduce systems using unprogrammed FPGAs because the encrypted image will work only with an FPGA containing the lock program, and such an FPGA is available only from Lattice (via the INTEGRITY Security Services (ISS)-based route discussed in my previous column).

The really clever part is that, in addition to containing the unlock key and the FPGA’s new configuration, this encrypted image also contains an updated version of the lock program along with its own cryptographic key. Furthermore, MachXO3D/NX FPGAs boast a dual-boot capability, which means that while the original lock program is running, after authenticating the new firmware, it loads that firmware into the other boot partition, reauthenticates it to ensure that all is as it should be, and then hands control over to the new program and wipes itself from the device. If anyone attempts to mount a cyberattack — such as cycling the power — while any of this is going on, the device will revert to its original locked program.

High-level depiction of a SupplyGuard-protected supply chain
(Image source: Max Maxfield)

The result is what the folks at Lattice call “Secure Ownership Transfer.” At each stage in the supply chain, the only people who can load a new image into the MachXO3D/NX FPGA — including the guys and gals at an OEM or a maintenance/repair facility — are those who have a suitable encrypted image containing an appropriate cryptographic key. 

The Fall of Cyber Security and the Rise of Cyber-Resiliency

Let’s now assume that the system eventually arrives at the end user’s site, is installed into the network, and starts to perform its allotted tasks in life — and all is as it should be. The problem is that firmware patches and updates will need to be applied to various elements of the system over time, and nefarious forces in the form of hackers and rogue nation states will continuously attempt to break into the system and steal the family jewels, as it were.

Until recently, everyone’s focus has been on what is commonly referred to as cyber-security, the primary role of which is to keep bad actors out in the cold (i.e., on the other side of the firewall). Unfortunately, having great cyber-security can lead to a sense of false complacency along the lines of, “We are totally secure, you can’t get in, so sucks to you!” As a result, the heart of the system is left vulnerable and exposed if any dark forces do manage to breach the defenses.

Two classic examples spring to mind. The first involved the Danish shipping giant A.P. Moller-Maersk. Operating out of 564 offices in 130 countries, Maersk controls almost 20 percent of the world’s shipping capacity. As late as May 2017, if you had asked the IT folks at Maersk as to their ability to fend off cyber-attacks, they would have been extremely bullish as to their cyber-security capabilities. In June 2017, a finance executive in Maersk’s Ukraine operation asked his IT administrators to install an accounting package on a single computer. Sad to relate, this package was infected by a worm called NotPetya, which quickly wriggled its way through the company’s cyber-defenses. Within a matter of hours, Maersk’s worldwide operations were “dead in the water.” (I’m sorry, I couldn’t help myself.)

The second example involved a manufacturing facility owned by the Taiwan Semiconductor Manufacturing Company (TSMC). If you were to travel back through time to the beginning of 2018 and ask the TSMC IT folks at this facility as to their ability to fend off cyber-attacks, they would have smugly pointed out that their manufacturing plants were completely “air gapped” (physically isolated) from the internet and connected only to each other. It was, therefore, an unfortunate happenstance when a well-meaning operator ignored standard operating procedure and connected a new computer to the network before it had been officially sanitized by the IT department. It was even more unfortunate that this machine was infected by the WannaCry ransomware crypto-worm, which immediately went into full-on attack mode, quickly spreading throughout the plant and on to connected factories, eventually compromising more than 10,000 computers and fabrication machines across multiple sites.

Both of these companies boasted cyber-security of the highest caliber but — when their cyber-security failed — it ended up taking both companies weeks to recover and costing them each about $200M.

The problem in both cases was that, although these companies had awesome cyber-security, they had nothing in the way of cyber-resiliency when their cyber-security failed. “But what is cyber-resiliency?” I hear you cry. Well, cyber-resiliency refers to the ability of a system to continuously deliver an intended outcome despite adverse cyber-events such as cyber-attacks. This requires that systems are created in such a way that they are cyber-resilient from the ground (firmware level) up. If a system’s firmware can protect against cyber-attacks, detect cyber-attacks as they happen, and recover from those cyber-attacks while keeping the system functional, then this would be classed as a cyber-resilient system.

I can only imagine your surprise and delight to discover that this is where we close the circle and return to the same MachXO3D/NX FPGAs from Lattice that we used to protect our supply chain. In addition to offering low power, substantial programmable logic resources, and large numbers of input/outputs (I/Os), the flash-based configuration of MachXO3D/NX FPGAs provides “instant-on” capabilities that allow them to be the platform’s first-on, last-off devices. Furthermore, these devices also boast hardware security features that bring NIST-level security to embedded systems, including a NIST-certified Immutable Security Engine that — amongst many other things — enables pre-verified cryptographic functions such as ECDSA, ECIES, AES, SHA, HMAC, TRNG, Unique Secure ID, and public/private key generation.

As defined by NIST SP 800 193, platform firmware resiliency (PFR) involves protection, detection, and recovery. Protection includes protecting the platform’s firmware and critical data from corruption and ensuring the authenticity and integrity of any firmware updates. Detection includes cryptographically detecting corrupted platform firmware and critical data when the system is first powered on, while the system is running, and following any in-system updates. Recovery includes initiating a trusted recovery process and restoring any corrupted platform firmware and critical data to its previous value.

MachXO3D/NX devices fully address cyber-resiliency and PFR requirements by providing features such as their secure dual-boot capability, which means control will be passed to a new encrypted image only after it has been fully authenticated. These devices can also act as the system’s hardware root-of-trust (HRoT). Upon system power-up, the MachXO3D/NX first checks itself to make sure only authenticated firmware is running on it, after which it can check and verify the firmware associated with all of the other devices in the system, refusing to release those devices until it has verified the bona fides of any firmware associated with them.

MachXO3D/NX-based cyber-resiliency solution (Image source: Max Maxfield)

Once the system is up and running, the MachXO3D/NX will continue to maintain cyber-resiliency by protecting, detecting, and recovering itself from malicious attacks. Furthermore, the massively parallel processing capability of its programmable fabric gives the MachXO3D/NX the ability to monitor multiple communications busses and to protect, detect, and recover multiple other platform firmware elements at the same time.

As Eric Sivertson, VP of Security Business at Lattice is fond of saying, “Cyber-attacks are growing in venality, velocity, and veracity.” The bottom line is that all systems are in danger of being attacked and no system is 100% immune from attack. Although traditional cyber-security solutions can defeat many attacks, they become inconsequential once their defenses are breached and the systems they purport to protect are assaulted at their lowest firmware levels. Knowing that a system will be attacked (it’s not a case of if; it’s a case of when), the only option is to enhance existing cyber-security with cyber-resiliency that can protect against firmware attack, detect any ongoing firmware attacks as they happen in real-time, and overcome said attacks by restoring the system to a known-good state.

MachXO3D/NX FPGAs — in conjunction with the Lattice SupplyGuard service and the Lattice Sentry Solutions Stack software and services offering — can secure the supply chain, provide an HRoT, and make the entire system cyber-resilient. I’m extremely happy that designing cyber-secure and cyber-resilient systems isn’t my problem, but if it were, then you can bet your little cotton socks I’d be talking to the folks at Lattice.

Leave a Reply

featured blogs
Aug 1, 2021
https://youtu.be/I0AYf5V_irg Made in Long Ridge Open Space Preserve (camera Carey Guo) Monday: HOT CHIPS 2021 Preview Tuesday: Designed with Cadence Video Series Wednesday: July Update Thursday:... [[ Click on the title to access the full blog on the Cadence Community site. ...
Jul 30, 2021
You can't attack what you can't see, and cloaking technology for devices on Ethernet LANs is merely one of many protection layers implemented in Q-Net Security's Q-Box to protect networked devices and transaction between these devices from cyberattacks. Other security technol...
Jul 29, 2021
Learn why SoC emulation is the next frontier for power system optimization, helping chip designers shift power verification left in the SoC design flow. The post Why Wait Days for Results? The Next Frontier for Power Verification appeared first on From Silicon To Software....
Jul 28, 2021
Here's a sticky problem. What if the entire Earth was instantaneously replaced with an equal volume of closely packed, but uncompressed blueberries?...

featured video

Accelerate Intelligent SLAM with DesignWare ARC EV Processor IP

Sponsored by Synopsys

Simultaneous localization and mapping (SLAM) algorithms build a map and determine location in the map at the same time. But how can you speed up the results? This demo shows how ARC EV processor IP with CNN engine accelerates KudanSLAM algorithms.

Click here for more information about DesignWare ARC EV Processors for Embedded Vision

featured paper

Hyperconnectivity and You: A Roadmap for the Consumer Experience

Sponsored by Cadence Design Systems

Will people’s views about hyperconnectivity and hyperscale computing affect requirements for your next system or IC design? Download the latest Cadence report for how consumers view hyperscale computing’s impact on cars, mobile devices, and health.

Click to read more

featured chalk talk

PolarFire SoC FPGA Family

Sponsored by Mouser Electronics and Microchip

FPGA SoCs can solve numerous problems for IoT designers. Now, with the growing momentum behind RISC-V, there are FPGA SoCs that feature RISC-V cores as well as low-power, high-security, and high-reliability. In this episode of Chalk Talk, Amelia Dalton chats with KK from Microchip Technology about the new PolarFire SoC family that is ideal for demanding IoT endpoint applications.

Click here for more information about Microchip Technology PolarFire® SoC FPGA Icicle Kit