Any asset connected to the industrial internet of things (IIoT) without proper security is at risk of cyber-attack. In addition to causing financial losses or inconvenience, tampering with industrial systems can potentially cause injury or fatalities among workers or members of the public, writes Wesley Skeffington, Xilinx Inc. A safety-critical system cannot be considered truly safe without adequate cyber protection.
Producers of connected cyber-physical systems are moving quickly to build robust protection into their products. But while all would agree that cyber security cannot be left to chance, how can developers know how much security to provide? What proportion of the system’s costs can be allocated to cyber-security counter-measures? And how does one answer the question, “Is this device secure enough?”?
These questions have been challenging for security engineers to answer and justify against a standard. This has changed since the publication of IEC 62443, which provides: 1. A spectrum of threat models, and 2. Counter-measures required for each standard defined security level.
This standard has allowed industrial security engineers to discuss a shared figure of merit. As more and more companies are looking for verifiably secure solutions, these types of certifications are becoming customer-defined requirements.
The IEC 62443-4-2 part of the standard defines component-level platform requirements that can either be enabled or accelerated by configurable hardware such as FPGA based system on chips (SoC).
Industrial Cybersecurity and Safety
Cyber-security impacts all aspects of a system including the safety systems. This attack vector was demonstrated in the attack on Schneider Electric’s Triconix Safety systems – https://www.reuters.com/article/us-schneider-cyber-attack/schneider-electric-says-bug-in-its-technology-exploited-in-hack-idUSKBN1F7228, which fortunately was not successful, but did raise the awareness of safety-systems as cyber targets.
Given cyber-attacks often try to modify the behaviour of a system, it is not possible to have a functionally safe system that is not also cyber-secure. Though it is possible to have a cyber-secure system that is not technically a functional safety system as defined by IEC-61508.
Protection and Reaction
The embedded controllers in the operational technology (OT) domain cannot simply leverage the standard IT security solutions. Whereas IT systems prioritizes confidentiality, availability is the top priority for OT equipment. Availability begins with the capabilities of the hardware.
Hardware Security for Life
To be sure of considering all potential threats against connected industrial devices, it is helpful to consider the security lifecycle in four stages (figure 1).
Figure 1. Four-stage security lifecycle.
Strong protection is a pre-requisite and – for newly deployed devices – should be as strong as the current technology permits. Several layers of protection comprising both hardware and software, and covering boot-time and runtime operations, should be put in place to provide defence in depth.
However, device designers must assume hackers will eventually launch a successful attack as the security stance degrades with age. Hence detection is the next stage of the lifecycle and comprises looking for any unintended or unauthorized changes to the system using secure attestation and measurement technologies.
The third stage, resilience, refers to the device’s ability to fall-back to a safe operating mode and alert the operator to the situation. This is important to allow industrial systems to continue working after an attack, either for safety reasons or simply to avoid downtime costs.
The fourth stage makes provision for devices to report back details of security attacks. Remediation then becomes possible, including applying security patches and generally improving the security stance of similar fielded systems.
Xilinx® configurable hardware has features to support a complete security life-cycle including a strong hardware root of trust, integrated cryptographic accelerators, physically unique functions (PUFs), integrated secure storage, and key-management functions. In addition, Xilinx IP partners offer FPGA-based security monitors, such as MicroArx, which can enhance detection capabilities and resilience of critical software applications via FPGA based monitoring.
Protecting Embedded Devices
Whatever technologies are used to secure the system, they must be built on a strong foundation. This begins with the embedded platform chain of trust, as described in 2011 by Ukil, Sen & Koilakonda and described in figure 2.
Figure 2. security begins with the hardware root of trust.
To establish a strong security foundation at the hardware and boot-time software level, Xilinx’s Zynq™ UltraScale™+ system on chips (SoC) provide features including an immutable device identity and boot ROM, anti-tamper functions, integrated secure-key storage in eFuses, and bitstream authentication and encryption for secure hardware loading. The protected boot firmware then enforces a secure boot and execution of the first stage bootloader and will stop the process if it detects the integrity of the software was compromised indicating that tampering has occurred. At the higher levels, only an authenticated digitally signed OS image will be loaded.
Once a system is up and running communications with any other devices should be protected using authenticated communication channels, as well as encryption if protecting the data in-flight is deemed necessary. Xilinx FPGAs feature integrated hardware accelerators for industry-standard encryption algorithms such as RSA-SHA, and AES, to support secure, encrypted communications. Data exchanges with other ICs in the system, such as non-volatile memory (NVM) chips, can also be protected using device-unique keys that are unreadable to the user.
Finally, the system monitoring functions such as measured boot, measured application launches, and use of TPM (Trusted Platform Module) is supported. These links in the chain are all necessary to protect the operation and integrity of each of the devices in the end to end security architecture.
As well as protecting the operational state of the device, these interconnected layers of security features also protect the intellectual property associated with the FPGA hardware design and the SoC software running on it.
Improving Security Best Practice
Since the publication of the international industrial control system security standard IEC 62443, equipment designers are better equipped to understand and implement best security practices for embedded systems. Organizations such as the Trusted Computing Group (TCG) and the Industrial Internet Consortium’s (IIC) are also working effectively to formalize IIoT-security practices.
Recognizing the risks encountered by connecting industrial equipment to the Internet, The TCG has setup the Industrial Sub Group to develop relevant security guidance. The Sub Group liaises with the IIC and (among many contributors) has helped create the IIC’s Industrial Internet Security Framework (IISF), which recognizes the need for higher levels of safety, reliability, and resiliency in IIoT systems, over and above the needs of traditional IT environments.
Xilinx has helped to author IEC 62443, and is an active member of the TCG and IIC including participating in the TCG Industrial Sub Group. Important security functions supported in FPGA SoC silicon and design tools enable users to create industrial control platforms that are compliant to IEC 62443-4-2 and help accelerate their time to market. In addition, new mechanisms are being introduced to enable customer keys and unique device identifiers to be installed securely, within the supply chain. A mapping of some of the important security features identified by IEC 62433-4-2 and how Xilinx supports them is shown in figure 3.
Figure 3. Security features formalized by IEC 62433-4-2 and supported in configurable hardware.
Today’s industrial control systems are facing ever increasing threats from cyber-attacks. An effective security solution must start with the embedded hardware platform. Strong hardware authentication features, and features supporting secure boot, software measurement, and encryption, provide the foundation for minimizing attack surfaces and improving the abilities to attest to the integrity of each device. This knowledge holds the key to keeping industrial systems safe and secure.