Lattice Blog


Implementing Industrial Cybersecurity Trends and Standards in FPGAs

Posted 12/20/2021 by Eric Sivertson


Our latest Lattice Security Seminar, titled “Industrial Cyber Security Trends and Standards in FPGAs”, focused on cybersecurity implementations and topics in Industrial settings. We were joined by our wonderful partners Perseus Information Security Consulting and Dekra Labs. If you missed the live event, you can watch a recording of the seminar here, or read on to explore some of the highlights.

Security Trends Impacting Industrial Systems

The “Industry 4.0” era represents the merger between the IT and the OT worlds and the migration to the cloud, as embodied in the Software Defined Networks (SDN) concept, which is impacting all aspects of the connected world. As a result, endpoints that were traditionally closed to internet access are now online and “discoverable” – which can lead to increased vulnerability and fertile ground for what we call the “three Vs” of the new cyberattack terrain, one marked by a heightened venality, velocity, and veracity of attacks.

SDN, by its nature, advocates open interfaces and a rich ecosystem, but this can introduce new security threats. While a lot of focus has been placed on securing the data path, it is critical to take a more holistic approach, because security threats at the platform level can have catastrophic implications for the integrity of the network and for the sensitive, proprietary data contained within systems. With Industry 4.0, Industrial sensor-to-edge-to-cloud architectures will rapidly evolve in this new SDN environment, and security at all levels will be paramount to product integrity. Lattice provides protection all the way from the factory floor to the cloud, and FPGAs are ideal for this function given their low latency and parallel compute qualities. This provides valuable benefits for robotics, machine vision, and motor control in mission-critical real-time operations and for Communications components such as private 5G and in-house networks and safety and security systems (e.g., connected HD cameras).

Another key point discussed during this seminar was the concept of cyber resiliency. In an increasingly sophisticated threat environment, organizations must take steps not only to secure their systems against cyber threats, but also to make their systems resilient enough to mitigate an attack in real-time and maintain the integrity of their firmware automatically. It is becoming a question of not only security, but business continuity and overall organizational strength.

Firmware vulnerabilities can be exploited by bad actors and expose organizations to different security issues, including data theft, data corruption, unauthorized hardware modification, equipment hijacking, product cloning, ransomware, and design theft. And as we noted during the seminar, MCU-based protection systems are not sufficient. In fact, a recent report from Gartner Group states that 70 percent of organizations without a firmware protection plan will be hacked. These firmware vulnerabilities exist throughout the product lifecycle, impacting individual components as they move through today’s rapidly changing and increasingly unpredictable global electronics supply chain – from initial component manufacturing and shipment to a contract manufacturer, to system integration and on through the device’s entire operating life in the field.

We’ve all seen news reports of ransomware plaguing all sorts of systems, from hospitals to Industrial giants. We devoted a portion of the seminar to exploring how the Lattice SupplyGuard™ service reduces the “exposure surface” to ransomware. It’s useful to think of supply chain security as the “tip of the iceberg”: what the various actors in the supply chain – asset owners, integrators, device suppliers, etc. – see is perhaps only 20 percent of the problem. SupplyGuard melts the portion of the iceberg that lies beneath the surface through the use of “locked parts” and secure keys to unlock them. We used the Zombie Zero hack to illustrate this point and to show how SupplyGuard has the net effect of lowering the costs of providing adequate product security and significantly raising the costs and effort that a potential hacker would incur.

Lattice Solves Industrial Security Challenges

Firmware security is also becoming a compliance issue – and failure to comply will make it impossible or very difficult to conduct business in an increasingly globally-connected setting. For instance, standards bodies such as NIST, the Trusted Computing Group, and SAE are recommending platform firmware resiliency (NIST 800-193) and “cyber physical system security” (SAE G32).

With the evolving standards environment in mind, the Lattice Automate solution stack enables several critical Industrial automation applications, including sensor bridging, collision avoidance, and programmable logic controllers. Our partners, Deniz Kaya from Perseus Information Security Consulting and Beat Kreuter from Dekra Labs, both brilliantly described the importance of compliance with a discussion of another standard specific to industrial settings – IEC 62443, which pertains to the product lifecycle of Industrial Automation and Control Systems (IACS). IEC 62443 applies to all the supply chain actors identified above and sets forth product and process requirements that serve to simplify the risk assessment process. Deniz described how the five steps in this process are used to calculate the “Cyber Risk Reduction Factor” (CRRF) and its importance in a manufacturing setting. Beat followed with an explanation of the IECEE, which is the IEC’s conformity assessment system, and the IECEE CB (Certification Body) certification process. Beat underlined the impact of the IECEE by describing its work as the most successful security scheme worldwide and as key to a secure global trading system. In summary, a scenario using IEC 62443 as a base with Lattice cyber resiliency tools on top would represent the current cutting edge in firmware security.

Once again, if you weren’t able to join the live event, please watch the video of the seminar.

If you have questions about Lattice solutions for helping secure device firmware, submit your query here, and stay tuned for our next security seminar coming next quarter!