Protect, Detect, and Recover – How to Make Your System Cyber Resilient
Posted 06/16/2022 by Eric Sivertson, Mamta Gupta
Lattice’s latest security seminar, during which we were joined by our partner AMI focused on cybersecurity topics for firmware and supply chain protection in the compute and datacenter applications. If you missed the live event, you can watch a recording of the “Cyber Resiliency for Firmware Protections & Supply Chain Security” seminar here, or read on to explore some of the highlights.
Today’s global supply chain has become a very fragile and brittle environment as the venality, velocity, and veracity of cyberattacks have significantly increased in recent years. The most common threat people may be familiar with is ransomware attacks that lock businesses out of their systems until ransom demands are met. A 2021 Cyber Resilient Organization Study found that 61% of respondents paid a ransom in a ransomware attack. That metric underscores the importance for companies not to just be cybersecure, but also to be cyber resilient so they can quickly respond to attacks as they happen.
Cybersecurity provides the foundation for cyber resiliency to be built upon. Platform Firmware Resilience (PFR) is a specific domain form of cyber resilience related to compute. In other words, PFR is a system that compute systems rely on to be able to actively protect and keep themselves running and functional to a very high degree while under attack.
During the seminar, we spent some time highlighting how emerging security standards such as NIST 800-193 PFR Guidelines and Trusted Computing Group’s Guidelines for Cyber Resilient Technologies (CyRes) are shaping how solutions are being built to help ensure systems are protected. The guidelines boil down to three key functions required for a system to be cyber resilient: protect, detect, and recover. As shown in the below image, these functions all work together to secure a system through all stages of a cyberattack.
Most organizations understand the need to have a strong protection foundation for all key firmware components, but where many fall short is with the detect and recover functions. With so many vulnerable firmware components found throughout systems, there needs to be a way to dynamically monitor them across multiple channels, with the ability to configure response as the threats arise. The Lattice Sentry™ Solution stack enables a real-time dynamic monitoring ability as an out-of-the-box solution for PFR. Other predominantly microcontroller based solutions lack this real-time monitoring capability and make for less secure solutions because of the microseconds they take to respond.
The cycle of these three functions is at the heart of cyber resiliency/PFR, and you need a strong hardware root of trust (HRoT) for the functions to operate so you know your system can be trusted to begin with. Lattice MachXO3D™ and Lattice Mach™-NX FPGAs are CyRes compliant hardware roots of trust. They contain dedicated security engines hardened in silicon that can be proven and verified, as well as tested via immutable unique IDs.
In the seminar, we also explored how the Lattice SupplyGuard™ service reduces the “exposure surface” to ransomware throughout different stages of supply lines using lock key and protection code to provide a continuous protected bubble whereby low value attack vectors are protected at the same robust level of security as high value vectors.
Our ecosystem partner AMI presented “AMI’s Platform Root of Trust Solution: Tektagon™ XFR,” a jointly developed, host-silicon, CPU-agnostic solution with Lattice.
AMI reiterated how the growing sophistication of the cyberthreat matrix requires systems to meet PFR standards and went over how Tektagon XFR delivers continuous runtime monitoring for the protection of platforms.
As a collaborative solution with Lattice, Tektagon XFR utilizes Lattice FPGAs to provide an independent HRoT with maximum design flexibility for customers. Individually, both the Lattice Sentry solution stack and AMI Tektagon XFR are capable of delivering PFR. However, if a customer only has the Sentry solution stack, they will have to do their own orchestration firmware customization, as well as baseboard management controller (BMC) firmware and BIOS customization. And, if they only have AMI’s Tektagon XFR, they will have to do customization logic themselves. As a joint solution, the overall design enables advanced PFR and flexibility, offloading some of the heavy lifting to help reduce time to market and offering full security to best fit the needs of customer platform designs.
Other key features of Tektagon XFR include secure firmware updates of recovery images and DC-SCM module implementation capability. Motherboard designs in servers are increasingly adopting DC-SCM designs vs. traditional monolithic designs to be able to innovate CPU/memory solutions separately from solutions related to security and controls.
Once again, if you weren’t able to join the live event, please watch the video of the seminar.
If you have questions about Lattice solutions for helping secure device firmware, submit your query here, and stay tuned for our next security seminar coming next quarter!