Anti-Fragile Security and Post Quantum Crypto Readiness
Posted 03/08/2022 by Eric Sivertson
The world has become in many ways more fragile, and a quick look at recent supply chain issues highlights this very well. The global growth of interdependencies and complexities of enterprises has introduced fragility into many cyber-systems. Cybersecurity has been top of mind for years across all markets and industries, but we’ve reached an inflection point. Cyberattacks have continued to grow in velocity and veracity as bad actors find new invasive ways to penetrate systems and take advantage of system fragilities. Because of this, organizations don’t just need to be cyber-secure; they need to be cyber resilient.
When an organization demonstrates cyber resiliency, it can continuously deliver an intended outcome despite adverse cyberattacks, bringing together information security, business continuity, and overall organizational resilience. The responses are automated, meaning they can react and recover within nanoseconds. To increase cyber resiliency against ransomware, firmware attacks, and other security vulnerabilities, businesses should look to solutions like post-quantum (PQ) cryptography to ensure systems are both cyber-secure and resilient to future threats.
The goal of PQ cryptography is to develop cryptographic systems that are secure against both quantum and classical computers and can work with existing communications protocols and networks. With industry predictions expecting sufficiently large quantum computers to be built within the next decade, many of our current public-key based cryptosystems are in jeopardy. For reference, deployment of our modern public key cryptography infrastructure took more than 10 years, so if quantum computers are about 10 years away, now is the time to ramp up adoption and rollout of PQ cryptography solutions.
In our latest Lattice Security Seminar, titled ‘Anti-Fragile Security and Post-Quantum Crypto in FPGAs’, we discussed the challenges, opportunities, and latest programmable logic solutions for cyber resilient anti-fragile security and PQ cryptography.
For building truly cyber resilient systems, many so-called ‘secure microcontrollers’ are insufficient against the modern hacker. These microcontrollers are typically based on single-core 32-bit architectures; they lack comprehensive resiliency, are static and sequential, and do not identify threats in real time on multiple channels. Further, we currently rely on public key (asymmetric) cryptography to secure digital communications across mobile phones, internet commerce, social networks, and cloud computing. But quantum computers that operate more efficiently than our current technologies threaten all of these legacy protections, driving a need for PQ cryptographic algorithms. The availability of quantum computers will also threaten new markets like cryptocurrency, whose protections are based on public key cryptography.
There is also a growing ‘steal now/decrypt later’ trend in which hackers can steal the key protecting the assets today and decrypt it later using quantum computers.
Technologies that build on a solid cyber-resilient foundation, enable real-time, reactive multi-channel resiliency, and can easily implement these new PQ algorithms will soon be demanded by all market segments. Standards bodies like NIST and ETSI will publish standards for PQ algorithms in the coming few years, and compliance with these standards will be mandatory.
FPGAs are a natural fit for implementing cyber resilient systems with PQ crypto algorithms enabled in them. At Lattice, we create and drive partnerships and alliances with like-minded industry leaders in the PQ crypto space to advance threat awareness, advise the community on critical trade-offs, and increase customer engagement. We are also committed to providing solutions that will ensure a smooth and secure migration from today’s widely used cryptosystems to their quantum computing-resistant counterparts that feature interoperability with current communications, protocols, and networks.
For a truly antifragile security system, we need to protect the components as they transition through the supply chain. The supply chain is one of the most vulnerable pieces of the electronics industry, especially in markets like Automotive and Defense. In a non-resilient system, fraudulent firmware can be loaded onto programmable integrated circuits (ICs) like MCUs, FPGAs, CPUs, etc., before end products are even fully assembled. In systems where there are multiple firmware blocks, only one block needs to be hacked in order to lose control of the entire system. Hackers are not motivated to climb the highest wall, but instead aim to attack the weakest link in the system to gain control. An unsecured supply chain provides just that weakest link.
The manufacturing and production stages in a product’s lifecycle currently experience an average level of ransomware attacks. However, they are expected to experience the highest level of ransomware attacks in the future. Securing the part in the manufacturing stage is crucial to securing the network. Lattice SupplyGuard provides trust in vulnerable environments through a programmed configuration bitstream which has been developed, signed, and encrypted by the intended customer. In addition, the parts are locked when leaving the factory, and bad actors are unable to read, write, or program them without an available unlock key to configure assets.
Entrusting systems with the most secure and proper product can give your organization the peace of mind it needs to defend against the hackers of today and future-proof against the tactics of tomorrow. Organizations like ETSI and NIST are actively defining the standards for post-quantum cryptography algorithms while governmental bodies push for regulations. It’s only a matter of time before cyber resiliency is a standard, but implementing it today will ensure your business does not become another cautionary tale.
Once again, if you weren’t able to join the live event, please watch the video of the seminar.
If you have questions about Lattice solutions for helping secure device firmware, submit your query here, and stay tuned for our next security seminar coming next quarter!