feature article
Subscribe Now

Cyber-Security’s So-So Soup; Cyber-Resiliency Rocks!

In my previous column — Yay! Finally! A Way to Secure the Supply Chain! — we considered a cunning concept from the crafty chaps and chapesses at Lattice Semiconductor. As you may recall, the idea is to use the Lattice SupplyGuard service to pre-load MachXO3D or Mach-NX FPGAs with a lock program and associated cryptographic key, and it is these locked devices that are shipped to the contract manufacturer, whose security may be suspect and whose motives may be “misaligned,” shall we say.

FPGAs can be programmed using a range of mechanisms via a variety of ports, but the lock program shuts them all down. The only way for the contract manufacturer to reprogram one of these FPGAs is to use an encrypted image supplied by the designers of the system, which means the FPGA acts as its own hardware security module (HSM).

Apart from anything else, this means the contract manufacturer cannot overproduce systems using unprogrammed FPGAs because the encrypted image will work only with an FPGA containing the lock program, and such an FPGA is available only from Lattice (via the INTEGRITY Security Services (ISS)-based route discussed in my previous column).

The really clever part is that, in addition to containing the unlock key and the FPGA’s new configuration, this encrypted image also contains an updated version of the lock program along with its own cryptographic key. Furthermore, MachXO3D/NX FPGAs boast a dual-boot capability, which means that while the original lock program is running, after authenticating the new firmware, it loads that firmware into the other boot partition, reauthenticates it to ensure that all is as it should be, and then hands control over to the new program and wipes itself from the device. If anyone attempts to mount a cyberattack — such as cycling the power — while any of this is going on, the device will revert to its original locked program.

High-level depiction of a SupplyGuard-protected supply chain
(Image source: Max Maxfield)

The result is what the folks at Lattice call “Secure Ownership Transfer.” At each stage in the supply chain, the only people who can load a new image into the MachXO3D/NX FPGA — including the guys and gals at an OEM or a maintenance/repair facility — are those who have a suitable encrypted image containing an appropriate cryptographic key. 

The Fall of Cyber Security and the Rise of Cyber-Resiliency

Let’s now assume that the system eventually arrives at the end user’s site, is installed into the network, and starts to perform its allotted tasks in life — and all is as it should be. The problem is that firmware patches and updates will need to be applied to various elements of the system over time, and nefarious forces in the form of hackers and rogue nation states will continuously attempt to break into the system and steal the family jewels, as it were.

Until recently, everyone’s focus has been on what is commonly referred to as cyber-security, the primary role of which is to keep bad actors out in the cold (i.e., on the other side of the firewall). Unfortunately, having great cyber-security can lead to a sense of false complacency along the lines of, “We are totally secure, you can’t get in, so sucks to you!” As a result, the heart of the system is left vulnerable and exposed if any dark forces do manage to breach the defenses.

Two classic examples spring to mind. The first involved the Danish shipping giant A.P. Moller-Maersk. Operating out of 564 offices in 130 countries, Maersk controls almost 20 percent of the world’s shipping capacity. As late as May 2017, if you had asked the IT folks at Maersk as to their ability to fend off cyber-attacks, they would have been extremely bullish as to their cyber-security capabilities. In June 2017, a finance executive in Maersk’s Ukraine operation asked his IT administrators to install an accounting package on a single computer. Sad to relate, this package was infected by a worm called NotPetya, which quickly wriggled its way through the company’s cyber-defenses. Within a matter of hours, Maersk’s worldwide operations were “dead in the water.” (I’m sorry, I couldn’t help myself.)

The second example involved a manufacturing facility owned by the Taiwan Semiconductor Manufacturing Company (TSMC). If you were to travel back through time to the beginning of 2018 and ask the TSMC IT folks at this facility as to their ability to fend off cyber-attacks, they would have smugly pointed out that their manufacturing plants were completely “air gapped” (physically isolated) from the internet and connected only to each other. It was, therefore, an unfortunate happenstance when a well-meaning operator ignored standard operating procedure and connected a new computer to the network before it had been officially sanitized by the IT department. It was even more unfortunate that this machine was infected by the WannaCry ransomware crypto-worm, which immediately went into full-on attack mode, quickly spreading throughout the plant and on to connected factories, eventually compromising more than 10,000 computers and fabrication machines across multiple sites.

Both of these companies boasted cyber-security of the highest caliber but — when their cyber-security failed — it ended up taking both companies weeks to recover and costing them each about $200M.

The problem in both cases was that, although these companies had awesome cyber-security, they had nothing in the way of cyber-resiliency when their cyber-security failed. “But what is cyber-resiliency?” I hear you cry. Well, cyber-resiliency refers to the ability of a system to continuously deliver an intended outcome despite adverse cyber-events such as cyber-attacks. This requires that systems are created in such a way that they are cyber-resilient from the ground (firmware level) up. If a system’s firmware can protect against cyber-attacks, detect cyber-attacks as they happen, and recover from those cyber-attacks while keeping the system functional, then this would be classed as a cyber-resilient system.

I can only imagine your surprise and delight to discover that this is where we close the circle and return to the same MachXO3D/NX FPGAs from Lattice that we used to protect our supply chain. In addition to offering low power, substantial programmable logic resources, and large numbers of input/outputs (I/Os), the flash-based configuration of MachXO3D/NX FPGAs provides “instant-on” capabilities that allow them to be the platform’s first-on, last-off devices. Furthermore, these devices also boast hardware security features that bring NIST-level security to embedded systems, including a NIST-certified Immutable Security Engine that — amongst many other things — enables pre-verified cryptographic functions such as ECDSA, ECIES, AES, SHA, HMAC, TRNG, Unique Secure ID, and public/private key generation.

As defined by NIST SP 800 193, platform firmware resiliency (PFR) involves protection, detection, and recovery. Protection includes protecting the platform’s firmware and critical data from corruption and ensuring the authenticity and integrity of any firmware updates. Detection includes cryptographically detecting corrupted platform firmware and critical data when the system is first powered on, while the system is running, and following any in-system updates. Recovery includes initiating a trusted recovery process and restoring any corrupted platform firmware and critical data to its previous value.

MachXO3D/NX devices fully address cyber-resiliency and PFR requirements by providing features such as their secure dual-boot capability, which means control will be passed to a new encrypted image only after it has been fully authenticated. These devices can also act as the system’s hardware root-of-trust (HRoT). Upon system power-up, the MachXO3D/NX first checks itself to make sure only authenticated firmware is running on it, after which it can check and verify the firmware associated with all of the other devices in the system, refusing to release those devices until it has verified the bona fides of any firmware associated with them.

MachXO3D/NX-based cyber-resiliency solution (Image source: Max Maxfield)

Once the system is up and running, the MachXO3D/NX will continue to maintain cyber-resiliency by protecting, detecting, and recovering itself from malicious attacks. Furthermore, the massively parallel processing capability of its programmable fabric gives the MachXO3D/NX the ability to monitor multiple communications busses and to protect, detect, and recover multiple other platform firmware elements at the same time.

As Eric Sivertson, VP of Security Business at Lattice is fond of saying, “Cyber-attacks are growing in venality, velocity, and veracity.” The bottom line is that all systems are in danger of being attacked and no system is 100% immune from attack. Although traditional cyber-security solutions can defeat many attacks, they become inconsequential once their defenses are breached and the systems they purport to protect are assaulted at their lowest firmware levels. Knowing that a system will be attacked (it’s not a case of if; it’s a case of when), the only option is to enhance existing cyber-security with cyber-resiliency that can protect against firmware attack, detect any ongoing firmware attacks as they happen in real-time, and overcome said attacks by restoring the system to a known-good state.

MachXO3D/NX FPGAs — in conjunction with the Lattice SupplyGuard service and the Lattice Sentry Solutions Stack software and services offering — can secure the supply chain, provide an HRoT, and make the entire system cyber-resilient. I’m extremely happy that designing cyber-secure and cyber-resilient systems isn’t my problem, but if it were, then you can bet your little cotton socks I’d be talking to the folks at Lattice.

Leave a Reply

featured blogs
May 24, 2022
Today is going to be my monthly update. This normally runs on the last Friday of the month, but that's a Cadence Global Recharge Day, so we will all be off. For various other reasons, I need to... ...
May 20, 2022
I'm very happy with my new OMTech 40W CO2 laser engraver/cutter, but only because the folks from Makers Local 256 helped me get it up and running....
May 19, 2022
Learn about the AI chip design breakthroughs and case studies discussed at SNUG Silicon Valley 2022, including autonomous PPA optimization using DSO.ai. The post Key Highlights from SNUG 2022: AI Is Fast Forwarding Chip Design appeared first on From Silicon To Software....
May 12, 2022
By Shelly Stalnaker Every year, the editors of Elektronik in Germany compile a list of the most interesting and innovative… ...

featured video

Synopsys PPA(V) Voltage Optimization

Sponsored by Synopsys

Performance-per-watt has emerged as one of the highest priorities in design quality, leading to a shift in technology focus and design power optimization methodologies. Variable operating voltage possess high potential in optimizing performance-per-watt results but requires a signoff accurate and efficient methodology to explore. Synopsys Fusion Design Platform™, uniquely built on a singular RTL-to-GDSII data model, delivers a full-flow voltage optimization and closure methodology to achieve the best performance-per-watt results for the most demanding semiconductor segments.

Learn More

featured paper

Introducing new dynamic features for exterior automotive lights with DLP® technology

Sponsored by Texas Instruments

Exterior lighting, primarily used to illuminate ground areas near the vehicle door, can now be transformed into a projection system used for both vehicle communication and unique styling features. A small lighting module that utilizes automotive-grade digital micromirror devices, such as the DLP2021-Q1 or DLP3021-Q1, can display an endless number of patterns in any color imaginable as well as communicate warnings and alerts to drivers and other vehicles.

Click to read more

featured chalk talk

Just 1-Wire to Power and Operate I2C or SPI Endpoints

Sponsored by Mouser Electronics and Analog Devices

If you are working on a connection or IO constrained design, a one wire solution could be a great way for you to power and operate your I2C or SPI endpoints. In this episode of Chalk Talk, Amelia Dalton chats with Scott Jones from Maxim Integrated about the DS28E18 communications bridge: a one wire solution that can help you address a variety of system level challenges including protocol conversion, wiring limitations, and communication distance concerns.

Click here for more information about the Maxim Integrated DS28E18EVKIT Evaluation System