Any asset connected to the industrial internet of things (IIoT) without proper security is at risk of cyber attack. In addition to causing financial losses or inconvenience, tampering with industrial systems can potentially cause injury or fatalities among workers or members of the public. A safety-critical system cannot be considered truly safe without adequate cyber protection.
Producers of connected cyber-physical systems are moving quickly to build robust protection into their products. But while all would agree that cyber security cannot be left to chance, how can developers know how much security to provide? When is a device secure enough? The publication of IEC 62443 provides a great deal of help: it defines a spectrum of threat models and the counter-measures required for each standard-defined security level.
This standard has allowed industrial security engineers to discuss a shared figure of merit. As more and more companies are looking for verifiably secure solutions, these types of certifications are becoming customer-defined requirements.
The IEC 62443-4-2 part of the standard defines component-level platform requirements that can either be enabled or accelerated by configurable hardware such as FPGA-based systems on chip (SoCs).
Hardware Security for Life
Given that cyber-attacks often try to modify the behavior of a system, it is not possible to have a functionally safe system that is not also cyber-secure. The converse does not hold: a system can be cyber-secure without being a functional safety system as defined by IEC 61508.
To be sure of considering all potential threats against connected industrial devices, it is helpful to consider the security lifecycle in four stages (figure 1).
Figure 1. Four-stage security lifecycle.
Strong protection is a pre-requisite and – for newly deployed devices – should be as strong as the current technology permits. Because the security stance degrades with age, hackers will eventually launch a successful attack, so detection is the next stage of the lifecycle. The third stage, resilience, refers to the device’s ability to fall back to a safe operating mode and alert the operator to the situation. The fourth stage makes provision for devices to report back details of security attacks for remediation.
Xilinx® configurable hardware has features to support a complete security lifecycle, including a strong hardware root of trust, integrated cryptographic accelerators, physically unclonable functions (PUFs), integrated secure storage, and key-management functions. In addition, Xilinx IP partners offer FPGA-based security monitors, such as MicroArx, which can enhance the detection capabilities and resilience of critical software applications through FPGA-based monitoring.
Protecting Embedded Devices
Whatever technologies are used to secure the system, they must be built on a strong foundation. To establish that foundation at the hardware and boot-time software level, Xilinx’s Zynq™ UltraScale™+ systems on chip (SoCs) provide features including an immutable device identity and boot ROM, anti-tamper functions, integrated secure-key storage in eFuses, and bitstream authentication and encryption for secure hardware loading. The protected boot firmware then enforces secure boot and execution of the first-stage bootloader, and stops the process if it detects that the integrity of the software has been compromised, indicating that tampering has occurred. At the higher levels, only an authenticated, digitally signed OS image will be loaded.
Once a system is up and running, communications with any other devices should be protected using authenticated communication channels, with encryption added where protecting the data in flight is deemed necessary. Xilinx FPGAs feature integrated hardware accelerators for industry-standard cryptographic algorithms such as RSA, SHA, and AES to support secure, encrypted communications. Data exchanges with other ICs in the system, such as non-volatile memory (NVM) chips, can also be protected using device-unique keys that are unreadable to the user.
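The last sentence above, binding data held in an external NVM chip to one specific device, as an added illustration that is not Xilinx code: the PUF output, device serial, NVM contents and the HMAC-based key derivation are all constructed stand-ins for the silicon key-management functions the article describes, and the example covers integrity and device binding only (confidentiality would additionally use the AES accelerator, which the standard library cannot reproduce).

```python
"""Added illustration: protecting NVM records with a device-unique key.
Independent example, not Xilinx code. PUF_SECRET and DEVICE_SERIAL are
constructed values; on a real SoC the PUF-derived secret never leaves the
silicon and is not readable by software."""
import hashlib
import hmac
from typing import Dict, Optional

PUF_SECRET = bytes.fromhex("6f3c" * 16)          # 32 bytes, constructed
DEVICE_SERIAL = b"DEV-SERIAL-0001-CONSTRUCTED"     # constructed
TAG_LEN = 32                                       # HMAC-SHA256 tag size


def derive_device_key(puf_secret: bytes, serial: bytes, purpose: bytes) -> bytes:
    """Derive a per-purpose key unique to this device (hypothetical KDF).
    Mixing in the serial and a purpose label keeps keys for different uses
    (NVM integrity, link authentication, ...) independent of each other."""
    return hmac.new(puf_secret, serial + b"|" + purpose, hashlib.sha256).digest()


def nvm_tag(key: bytes, address: int, data: bytes) -> bytes:
    """Authenticate the record together with its address, so a valid record
    copied to a different slot (or two records swapped) is rejected."""
    return hmac.new(key, address.to_bytes(4, "big") + data, hashlib.sha256).digest()


def nvm_write(nvm: Dict[int, bytes], key: bytes, address: int, data: bytes) -> None:
    """Store data followed by its tag at the given address of the (simulated) NVM."""
    nvm[address] = data + nvm_tag(key, address, data)


def nvm_read(nvm: Dict[int, bytes], key: bytes, address: int) -> Optional[bytes]:
    """Return the record, or None if it is missing, relocated or modified."""
    record = nvm.get(address)
    if record is None or len(record) <= TAG_LEN:
        return None
    data, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, nvm_tag(key, address, data)):
        return None
    return data


def build_sample_nvm() -> Dict[int, bytes]:
    """Constructed NVM contents written by this device with its own key."""
    key = derive_device_key(PUF_SECRET, DEVICE_SERIAL, b"nvm-integrity")
    nvm: Dict[int, bytes] = {}
    nvm_write(nvm, key, 0x0000, b"calibration:gain=1.02;offset=-3")
    nvm_write(nvm, key, 0x0100, b"config:safe_mode_on_fault=1")
    return nvm


if __name__ == "__main__":
    key = derive_device_key(PUF_SECRET, DEVICE_SERIAL, b"nvm-integrity")
    nvm = build_sample_nvm()
    print("read ok:", nvm_read(nvm, key, 0x0100))
    # One flipped bit in the config record: the read is rejected.
    r = bytearray(nvm[0x0100]); r[7] ^= 0x01; nvm[0x0100] = bytes(r)
    print("after tamper:", nvm_read(nvm, key, 0x0100))
    # Copying the calibration record over the config slot: rejected too,
    # because the address is part of what the tag covers.
    nvm[0x0100] = nvm[0x0000]
    print("after relocation:", nvm_read(nvm, key, 0x0100))
```

Because the key is derived from a secret that exists only inside the device, an NVM chip desoldered and read out elsewhere yields records that no other device can verify or forge, which is the property the article attributes to device-unique keys.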
Finally, system monitoring functions such as measured boot, measured application launches, and use of a TPM (Trusted Platform Module) are supported. These links in the chain are all necessary to protect the operation and integrity of each of the devices in the end-to-end security architecture.
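The boot chain described in the preceding paragraphs (authenticate each stage before running it, halt on failure, measure what ran, and let a verifier attest the result), as an added example that is not Xilinx boot firmware: the stage images and the eFuse key are constructed values, and an HMAC tag stands in for the RSA signature a real boot ROM verifies so that the flow runs with the standard library alone. It also shows why measurement complements authentication: a superseded but still validly signed OS image boots, yet fails attestation.

```python
"""Added illustration of secure boot plus measured boot and attestation.
Independent example, not Xilinx firmware. EFUSE_AUTH_KEY and the images are
constructed; HMAC-SHA256 is a stand-in for asymmetric signature verification."""
import hashlib
import hmac
from typing import List, Optional, Tuple

EFUSE_AUTH_KEY = bytes.fromhex("5a" * 32)   # constructed; stands in for key material in eFuses
PCR_INIT = bytes(32)                         # measurement register starts all-zero, TPM style
TAG_LEN = 32


class BootHalt(Exception):
    """Raised when a stage fails authentication; boot stops and nothing further runs."""


def sign_image(key: bytes, image: bytes) -> bytes:
    """Producer side: append an authentication tag to a stage image."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def verify_image(key: bytes, signed: bytes) -> Optional[bytes]:
    """Device side: return the image if its tag verifies, otherwise None."""
    if len(signed) <= TAG_LEN:
        return None
    image, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return image if hmac.compare_digest(tag, expected) else None


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register only moves forward, so a later stage
    cannot erase the record of what booted before it."""
    return hashlib.sha256(pcr + measurement).digest()


def stage_name(image: bytes) -> str:
    return image.split(b"|", 1)[0].decode()


def secure_measured_boot(key: bytes, signed_stages: List[bytes]) -> Tuple[List[str], bytes]:
    """Authenticate each stage before it runs and measure it into the PCR.
    Returns the stages that ran and the final PCR value."""
    pcr = PCR_INIT
    booted: List[str] = []
    for signed in signed_stages:
        image = verify_image(key, signed)
        if image is None:
            raise BootHalt(f"authentication failed after {booted}; halting")
        pcr = extend_pcr(pcr, hashlib.sha256(image).digest())   # measure, then "execute"
        booted.append(stage_name(image))
    return booted, pcr


def golden_pcr(known_good_images: List[bytes]) -> bytes:
    """The value a verifier expects for the currently approved image set."""
    pcr = PCR_INIT
    for image in known_good_images:
        pcr = extend_pcr(pcr, hashlib.sha256(image).digest())
    return pcr


def attest(reported_pcr: bytes, expected_pcr: bytes) -> bool:
    return hmac.compare_digest(reported_pcr, expected_pcr)


# Constructed sample stages; the text before '|' is the stage name.
FSBL_IMAGE = b"fsbl|first-stage-bootloader-v2"
OS_IMAGE = b"os|approved-os-image-v7"
OLD_OS_IMAGE = b"os|superseded-os-image-v6"      # signed in the past, no longer approved
SIGNED_CHAIN = [sign_image(EFUSE_AUTH_KEY, FSBL_IMAGE), sign_image(EFUSE_AUTH_KEY, OS_IMAGE)]


def tampered_chain() -> List[bytes]:
    """Flip one byte inside the OS image while keeping its original tag."""
    bad = bytearray(SIGNED_CHAIN[1])
    bad[5] ^= 0x01
    return [SIGNED_CHAIN[0], bytes(bad)]


def rollback_chain() -> List[bytes]:
    """A chain whose OS stage is validly signed but superseded."""
    return [SIGNED_CHAIN[0], sign_image(EFUSE_AUTH_KEY, OLD_OS_IMAGE)]


if __name__ == "__main__":
    golden = golden_pcr([FSBL_IMAGE, OS_IMAGE])
    booted, pcr = secure_measured_boot(EFUSE_AUTH_KEY, SIGNED_CHAIN)
    print(booted, "attested:", attest(pcr, golden))
    try:
        secure_measured_boot(EFUSE_AUTH_KEY, tampered_chain())
    except BootHalt as halt:
        print("halted:", halt)
    booted, pcr = secure_measured_boot(EFUSE_AUTH_KEY, rollback_chain())
    print(booted, "attested:", attest(pcr, golden))
```

In production the boot ROM verifies an asymmetric signature against a public-key hash held in eFuses, so no signing key ever exists on the device; the HMAC here only keeps the example self-contained. The rollback case is the one to note: authentication answers "was this image signed by the right party?", while the measurement log answers "is this the image set the operator currently approves?", and a device fleet needs both answers.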
As well as protecting the operational state of the device, these interconnected layers of security features also protect the intellectual property associated with the FPGA hardware design and the SoC software running on it.
Improving Security Best Practice
Since the publication of the international industrial control system security standard IEC 62443, equipment designers are better equipped to understand and implement best security practices for embedded systems.
Recognizing the risks encountered by connecting industrial equipment to the Internet, the Trusted Computing Group (TCG) has set up the Industrial Sub Group to develop relevant security guidance. The Sub Group liaises with the Industrial Internet Consortium (IIC) and (among many contributors) has helped create the IIC’s Industrial Internet Security Framework (IISF), which recognizes the need for higher levels of safety, reliability, and resiliency in IIoT systems, over and above the needs of traditional IT environments.
Xilinx has helped to author IEC 62443, and is an active member of the TCG and IIC, including participating in the TCG Industrial Sub Group. Important security functions supported in FPGA SoC silicon and design tools enable users to create industrial control platforms that are compliant with IEC 62443-4-2 and help accelerate their time to market. In addition, new mechanisms are being introduced to enable customer keys and unique device identifiers to be installed securely within the supply chain. A mapping of some of the important security features identified by IEC 62443-4-2 and how Xilinx supports them is shown in figure 2.
Figure 2. Security features formalized by IEC 62443-4-2 and supported in configurable hardware.
Today’s industrial control systems are facing ever-increasing threats from cyber-attacks. An effective security solution must start with the embedded hardware platform. Strong hardware authentication features, together with features supporting secure boot, software measurement, and encryption, provide the foundation for minimizing attack surfaces and improving the ability to attest to the integrity of each device. This knowledge holds the key to keeping industrial systems safe and secure.
For further information on IEC 62443 see Xilinx White Paper WP513: https://www.xilinx.com/support/documentation/white_papers/wp513_iec62443.pdf