Tackling growing threats to cyber security is no easy task in today’s hyperconnected world as the entire network infrastructure is now more vulnerable to attacks.
Security threats to hardware and embedded systems are a growing concern as the number of Internet of Things (IoT) devices continues to expand exponentially. As security risks, exposure and costs to remedy the damage rise, it is more critical than ever to effectively safeguard network infrastructure and information systems. The challenge is to determine the right level of security combined with the optimum proactive protection methods, given the frequency and the number of threat types and the broadening spectrum of increasingly complex installed networked devices.
No industry is immune to network hacks and cyber attacks inflict hefty costs on businesses. In its Q3 2015 report*, analyst Cybersecurity Ventures estimated that the worldwide cyber security market will grow from $77billion in 2015 to $170bn by 2020.
Software security alone is not adequate to protect against known threats. Proven to be more effective is a layered technology approach that combines cyber security methods – such as hardware root-of-trust, security for data-in-motion, data-in-use and data-at-rest – with cryptography and software protection. This increased level of protection is critical to implement the highest security.
At the heart of this layered solution are today’s advanced architecture SoC FPGAs, which can be used to implement a scalable security scheme that extends all the way down to the hardware root of trust at the IC level. Along with SoC FPGAs, a number of other component technologies and support elements are essential to secure hardware, enforce design security, and lock down data security. These include:
• Key storage using a physically unclonable function (PUF)
• Advanced crypto accelerators
• Differential power analysis (DPA) resistance pass-through patent license
• Secure bitstream
• Tamper detection and response, for example, active mesh and zeroisation
• Prevent copying, cloning or reverse engineering
• Licensed patent protected DPA resistance, independently certified
• NIST certified crypto accelerators
• Secure supply chain
FPGAs make up a secure foundation
Establishing a system root-of-trust is fundamental to any security scheme intended to protect critical data from attacks. To become the root-of-trust of systems, it is essential that FPGAs are highly secure, with licensed, patented and certified DPA protection. This not only ensures that the design IP is protected from copying and reverse engineering, but also provides supply chain assurance that the FPGA is authentic. It is also important that SoC FPGAs provide authentication against the parameters certified by the device certificate, as well as proving knowledge of the unique device secret key. This technique provides the best assurance available that the device being programmed is free from supply chain counterfeiting issues.
FPGAs that have encrypted bitstreams, multiple key storage elements, licensed DPA countermeasures, secured flash memory and anti tamper features and which incorporate a PUF provide the necessary ingredients for protecting today’s user-accessible networked hardware products.
But protecting IP is only one aspect of cyber security; it also must prevent product reverse engineering. To secure an FPGA-based design, the configuration bit streams need to be encrypted and protected. Devices must be able to identify unauthorised access and tampering and also zeroise (reset all values to zero) themselves when tampering is detected to significantly reduce the chances of a successful attack. Even better, FPGAs that have licensed DPA countermeasures ensure powerful resistance against harmful DPA key-extraction attacks, protecting data-in-use. In addition, special security Lock-Bit features can be used to define ‘security barriers’ so that certain system capabilities can only be used when authorised.
According to the US Department of Defense, the best approach for achieving information assurance (IA) in highly networked environments is to use a defence-in-depth solution that places multiple layers of security throughout a system. Consequently, the best hardware solutions offer multiple layers of IA and cryptographic technology support to secure data-at-rest, data-in-motion and data-in-use in software applications, FPGAs and SoC designs.
Layered security solution components
Storage is a key element in protecting data-at-rest. Only high-reliability secure SSDs can provide a total data-at-rest solution for demanding embedded computing. Highly secure SSDs must protect sensitive data from threats while mitigating the vulnerabilities inherent in storage media. Therefore, ruggedized SSDs with hardware-based encryption and loss prevention are mandates for optimum information assurance.
Our increasingly connected world relies on Ethernet for most of the global wide-area network (WAN) infrastructure. Ethernet for network communications opens new options for data-in-motion security because it operates at Layer 2 (L2) with its own encryption protocol defined in the IEEE 802.1AE MACsec standard. Secured Ethernet connectivity demands L2 security encryption due to the direct correlation between the strength of the security solution and the layer at which security is implemented. Security solutions are available that enable flow-based IEEE 802.1AE MACsec security encryption end-to-end over any network, including multi-operator and cloud-based networks, independent of the network’s awareness of security protocols. These state-of-the-art PHYs offer 128/256bit AES encryption to meet evolving cyber threats.
* Software cryptography
Multiple layers of cryptography are used to effectively secure data-at-rest, data-in-motion, and data-in-use. For example, software cryptography can mitigate a security vulnerability that can occur if the crypto key is extracted from static or runtime memory. New innovative, software-based technologies provide a beneficial key-hiding solution that protects passwords and crypto keys with broad algorithm and platform support.
* Timing and synchronisation
Securing synchronous timing is vital to protecting critical communications infrastructure, particularly when organizations rely on publicly available time servers acting as sources of Coordinated Universal Time (UTC). For that reason, robust end-to-end timing solutions that generate, distribute, and apply precise time to maintain a comprehensive and secure timing infrastructure are imperative.
* Security services
Independent labs sponsored by component suppliers offer developers an experienced resource for embedded systems security. Employing security and systems analysts, as well as cryptologists and hardware and software engineers, these centres offer valuable cross-vertical expertise to help companies plan protection, assess risks, evaluate black box designs, perform security engineering and much more.
Trusted solutions need built-in security
Using its industry-leading SoC FPGAs as the cornerstone of an effective layered security solution, Microsemi’s comprehensive security portfolio gives customers the proven technologies needed to thwart any number of cyber threats. Specifically engineered to secure embedded systems from silicon to software, and already adopted by US federal organisations and commercial entities in applications requiring robust protections, Microsemi products include solutions for system trust, securing data-in-motion, data-in-use and data-at-rest, cryptography and software protection, as well as customization capabilities to tailor products for unique requirements.
Making cyber security a priority for embedded systems is now a necessity. Microsemi solutions and services safeguard critical program information and technology using an advanced multi-layered technology approach that makes robust embedded systems security achievable.
Microsemi offers a comprehensive portfolio of semiconductor and system solutions for communications, defence and security, aerospace and industrial markets. Products include high performance and radiation hardened analogue mixed signal integrated circuits, FPGAs, SoCs and ASICs; power management products; timing and synchronisation devices and precise time solutions, setting the world’s standard for time; voice processing devices; RF solutions; discrete components; security technologies and scalable anti-tamper products; Ethernet solutions; Power-over-Ethernet ICs and midspans; as well as custom design capabilities and services. Microsemi, headquartered in Aliso Viejo, California, has approximately 3600 employees globally.