Minimizing Risk with FPGAs and Hardware-Based Security



Conventional data security technology has entered a mode of persistent escalation. System designers invest heavily in design and validation, while attackers continually uncover, exploit, and share new vulnerabilities. The result is a stream of updates and patches to close known attack methods.   

To slow the evolution of new threats and protect vulnerable systems from malicious actors, a paradigm shift and a new approach are needed. Hardware-based security, using field-programmable gate array (FPGA) technology, provides a viable long-term solution for securing critical systems against network-based attacks.

Why hardware-based security? 

Guarantees and fundamental assurances are rare in cybersecurity. The goal is typically to find the solution that offers the lowest risk of compromise compared to other solutions, with the understanding that the risk will always be greater than zero. 

Hardware-based security reduces security risk to the lowest possible level, and gives organizations a high degree of confidence that their components cannot perform any functions other than the ones they were designed to perform.  

While nothing can eliminate all cybersecurity risk, the addition of hardware security technology can turn previously vulnerable spots into the strongest points in a network, and dramatically reduce an organization’s attack surface. 

CPUs and firewalls 

Modern computing platforms are based on the work of Alan Turing, who proved that even a relatively basic computing device that can iteratively read and write from storage (or memory) can theoretically implement any arbitrarily complex algorithm.  The only limitation in the complexity of the states that a Turing Machine can take on is the amount of storage that it has available. Attackers take advantage of this complexity by finding ways to “trick” the Central Processing Unit (CPU) in a computing system to jump outside the bounds of normal execution and start to process new instructions.   

A common approach to protect a vulnerable CPU from attack is to implement a network firewall: a filter that monitors external messages and blocks or modifies anything that follows a pattern known to be (or potentially) malicious. Many modern firewalls are built on highly specialized platforms with security-specific features, but despite these advanced features, a firewall that is implemented using a CPU has the effect of simply putting a somewhat less-vulnerable CPU in front of a vulnerable CPU.   

FPGAs: controlling the process

An alternative approach to implement security functions is to use a finite state machine or dedicated circuit. This approach lacks the unlimited flexibility of a Turing machine, but it has the benefit of dramatically reducing or eliminating the potential for unintended execution.  A dedicated circuit can still implement very complex logical functions, but unlike a regular CPU it does not rely on iterative execution and random access to central storage or memory.   

A practical way to implement complex dedicated circuits in modern systems is to use a Field Programmable Gate Array, or FPGA.  An FPGA is programmable in that the circuit that it implements can be updated and replaced through a configuration file.  With careful design, the process used to load a new configuration can be isolated from the path of data through the FPGA, resulting in a circuit that cannot be changed during execution.    

FPGAs and security 

The use of FPGA technology for advanced networking is not new.  There are many examples of networking systems that use FPGAs to offload high-speed, repetitive operations, and there are mature libraries for circuit designs to implement robust network stacks and protocol adapters.  However, most conventional FPGA-based systems are designed to maximize performance and ease of configuration over security.   

A secure FPGA filter architecture needs to ensure complete isolation of the data path from the configuration process.  When designed properly, this approach dramatically changes the attack surface of the resulting system.  Access to the protected CPU can now be processed through a dedicated circuit in the FPGA.  A properly designed, application-specific filter will ensure that even a vulnerable CPU will never receive malicious content.   

Rather than adding more layers of software to protect a flawed software platform, FPGAs allow organizations to focus on the design of practical circuits that can monitor and enforce strict data and protocol rule sets.   
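As an added illustration (not code from this article or from any product it describes), the C model below steps a finite-state filter one byte per simulated clock cycle, with all of its memory held in three fixed-width registers. The frame format, function codes, length limit and names are assumptions made for the example; an actual filter would be written in a hardware description language.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed frame format (an assumption, not from the article):
 *   0x7E | func | len | payload[len] | xor(func, len, payload)  */
enum state   { S_IDLE, S_FUNC, S_LEN, S_PAYLOAD, S_CSUM };
enum verdict { V_PENDING, V_ACCEPT, V_REJECT };
/* All the filter remembers: three 8-bit registers. No buffer, no heap. */
struct filter { uint8_t state, remaining, csum; };

/* One call models one clock cycle consuming one input byte. */
enum verdict filter_step(struct filter *f, uint8_t b) {
    enum state s = f->state;
    f->state = S_IDLE;                 /* default next state: fail closed */
    switch (s) {
    case S_IDLE:                       /* wait for the start-of-frame byte */
        if (b == 0x7E) f->state = S_FUNC;
        return V_PENDING;
    case S_FUNC:                       /* allowlist of function codes */
        if (b != 0x03 && b != 0x04) return V_REJECT;
        f->csum = b; f->state = S_LEN;
        return V_PENDING;
    case S_LEN:                        /* bound the length before using it */
        if (b > 8) return V_REJECT;
        f->csum ^= b; f->remaining = b;
        f->state = b ? S_PAYLOAD : S_CSUM;
        return V_PENDING;
    case S_PAYLOAD:                    /* count down with a fixed-width counter */
        f->csum ^= b;
        f->state = --f->remaining ? S_PAYLOAD : S_CSUM;
        return V_PENDING;
    case S_CSUM: return b == f->csum ? V_ACCEPT : V_REJECT;
    default:     return V_REJECT;      /* state value outside the enum */
    }
}

/* Run a byte stream through the model; returns frames that would be forwarded. */
int filter_run(const uint8_t *in, size_t n) {
    struct filter f = { S_IDLE, 0, 0 };
    int accepted = 0;
    for (size_t i = 0; i < n; i++)
        accepted += (filter_step(&f, in[i]) == V_ACCEPT);
    return accepted;
}

int main(void) {   /* constructed stream: valid frame, then disallowed func */
    const uint8_t s[] = { 0x7E,0x03,0x02,0x00,0x10,0x11, 0x7E,0x10,0x00,0x10 };
    printf("frames forwarded: %d\n", filter_run(s, sizeof s));
}
```

Every input byte can only move the filter between five named states, and any rule violation returns it to idle, so input can never select an arbitrary next step.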

The long history of persistent vulnerabilities found in industrial and critical infrastructure equipment has demonstrated that despite advances in software development, critical vulnerabilities continue to threaten the safety and operational efficiency of plants and facilities.   

Hardware-based security techniques introduce a fundamental shift in network security technology and offer a path toward truly resilient and secure systems.  When deployed using a secure hardware architecture and advanced, modular filter development, this technology can provide application-specific protection.  To learn more about hardware-based cybersecurity with FPGA technology, check our XDE Embedded Cybersecurity Modules Brochure.
