In some modern NPP I&C systems, FPGA chips form the basis and logic of various hardware components and systems. In order to maintain a high level of safety and production, FPGA-based I&C systems must be protected from cyber attacks and malicious acts.
The cyber security of digital I&C technologies used in the safety and control systems of NPPs is a very important, complex, and challenging problem. To reduce cyber security concerns, RPC Radiy considers all possible vulnerabilities that can appear in the final product, including vulnerabilities introduced during the design and development process, and assesses them according to their criticality and severity. The next step is to identify sufficient and cost-effective countermeasures that either eliminate any potential FPGA vulnerabilities or reduce them to an acceptable level. RPC Radiy understands the importance of the cyber security assurance problem, since it can be directly related to nuclear safety.
Assurance of cyber security for FPGA technology is a complex challenge that should include all the parties involved in the life cycle of the FPGA chips and FPGA-based I&C systems, namely the FPGA chip vendor, the I&C system developer, and the user of the FPGA-based I&C system.
- The FPGA chip vendor, during the design, manufacture, packaging, and testing of FPGA chips.
- The I&C system developer, during the development and integration of FPGA electronic design or during the implementation and testing of the electronic design.
- The operator of the I&C system, making changes in the installed I&C system during operation or maintenance activities.
- Use of malicious software tools during the design of the FPGA chip or during the development of the electronic design.
- Use of IP (intellectual property) cores from third-party vendors during the development of the electronic design, either in the form of HDL source modules or in the form of compiled netlists.
- Use of compromised devices during the integration and implementation of the electronic design into the FPGA chip.
- protecting their FPGA chip design against reverse engineering, copying, or modification,
- providing customers with FPGA electronic design security measures that can be applied during the development, operation, and maintenance of FPGA-based I&C systems.
An additional problem can arise from the fact that FPGA chip vendors may not have their own manufacturing capacity. After designing and developing the FPGA chip, the actual chip manufacturing may be outsourced to foundries. These foundries can introduce additional vulnerabilities into FPGA chips by altering the FPGA design during the chip manufacturing process. Hence, traceable and audited manufacturing processes in foundries play an important role in assuring cyber security and preventing vulnerabilities.
Most of the life cycle stages of the FPGA chips and the FPGA-based I&C systems are implemented by the extensive use of software tools. Examples are: designing the printed circuit boards for FPGA chips, developing the FPGA electronic designs, and performing simulations. Hence, developers of software tools for design automation play a key role in assuring cyber-security.
Some of the potential cyber attack modes are listed below.
(1) Black box attack. An adversary feeds all possible input combinations to the FPGA chip and records the corresponding output states. Such an approach provides the potential to reverse-engineer the FPGA electronic design integrated into the chip. In practice, this type of attack may not be successful in systems with highly complex logic.
(2) Read-back attack. The attack is based on the potential of reading the FPGA chip configuration, usually via the JTAG interface used in most FPGAs for debugging and maintenance. Recently, FPGA vendors have improved the protection measures against unauthorized access to the chip configuration.
(3) Cloning attack. In static RAM (SRAM)-based FPGA chips, the configuration file is stored in a non-volatile memory external to the FPGA chip. This may allow the retrieval of bitstreams while the configuration is being loaded into the FPGA, and later the cloning of the stolen FPGA electronic design. The protection against this threat is encrypting the bitstreams during their transmission from the non-volatile memory to the FPGA chip. Such measures have already been implemented in most modern FPGAs to prevent this possibility.
(4) Physical attack against Static RAM-based FPGAs. The objective of such an attack is to obtain information concerning the physical structure of the FPGA chip by studying specific areas in the chip. These attacks usually target parts of the FPGA that are inaccessible through input-output channels. Special instruments based on focused ion beams capable of scanning and reading the FPGA structure can be used for such an attack. However, it is rather difficult to implement the attack due to the complexity of the required instrument.
(5) Side-channel attack. Such an attack is intended to obtain information on the FPGA chips' performance and physical parameters, such as power consumption, execution time, and electromagnetic fields. By analyzing these signatures, information about the underlying implementation might be exposed. The tasks of collecting and processing such information are nontrivial. However, there are known complex techniques requiring only several measurements to learn and attack a system.
All the above forms of attacks require a rather difficult and sophisticated data analysis of the indirect information obtained. Therefore, the fact alone that an adversary has obtained such indirect data does not guarantee that the adversary can successfully recover the original FPGA electronic design.
Despite the above challenges, FPGA technology has certain beneficial properties for assuring cyber security. For example, FPGA-based system operation does not rely on a complex operating system and therefore does not have dormant, unused functionalities that can be attacked. The FPGA chip simply works deterministically through the calculations that it was programmed for in the application development process. Furthermore, there are no known viruses or malware for HDL code, the language used for the initial programming of the FPGA during the development process. In addition, FPGA-based devices have a simple and structured design, so their V&V processes are more likely to detect the presence of potential malicious designs.
Physical access to the FPGA chips is also strictly controlled. For example, the HDL code is located in a flash memory (on a separate chip) without offering any physical access for modification while in on-line operating mode. Furthermore, FPGA programming and reprogramming can be done only through a special interface. It is impossible to connect common storage media or communication devices that could infect the control logic code, as was the case in the Stuxnet attack.
RPC Radiy pays close attention to the problem of cyber security assurance for FPGA technology as a whole, and for integrated I&C systems in particular, through a set of company features and solutions intended to prevent possible vulnerabilities. I&C systems developed by RPC Radiy are intended for use in a wide range of nuclear and safety process control applications. In many cases, systems are composed of multiple modules, each of which is based on the use of FPGA chips as the computational engine. Internal interfaces facilitate dedicated and isolated communication connections between the modules installed within the chassis, while external interfaces of the chassis provide secured and reliable connections to prevent the possibility of unauthorized access. FPGA chip (re)configuration is possible only through physically secured interfaces. The software used in such a process contains password protection features, as well as functions to check the success of the configuration process.
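The two countermeasures named above, encrypting the bitstream on its way from the external non-volatile memory to the FPGA (the cloning-attack mitigation) and checking that the configuration process succeeded (the final paragraph), can be made concrete with a small simulation. The following Python is an added example written for this page; it is not RPC Radiy's or any FPGA vendor's code. It models the stored image as nonce || ciphertext || tag (encrypt-then-MAC), has the "loader" verify the tag before it decrypts anything, and then compares a digest of the loaded configuration with the value recorded at design release. The SHA-256 counter-mode keystream is an assumed stand-in for the AES engine real FPGAs use; the sample bitstream bytes are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed sample "bitstream": stands in for the vendor tool's output.
SAMPLE_BITSTREAM = bytes(range(256)) * 4 + b"DEMO-DESIGN-PLACEHOLDER"

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 HMAC tag


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256.

    Assumption: this replaces the AES-CTR/GCM engine of a real FPGA's
    bitstream-decryption block; the structure (key, nonce, counter) is the same.
    """
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return bytes(out[:length])


def protect_bitstream(plain: bytes, enc_key: bytes, mac_key: bytes,
                      nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC the design. Layout: nonce || ciphertext || tag.

    This is the image that would be written to the external flash; an
    eavesdropper on the flash-to-FPGA path sees only this.
    """
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


class BitstreamRejected(Exception):
    """Raised when the loader refuses to configure the device."""


def load_bitstream(stored: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Simulated in-FPGA loader: authenticate first, decrypt only on success.

    A modified, truncated or wrong-key image never reaches the configuration
    logic, which is the property the encrypted-bitstream feature is meant to give.
    """
    if len(stored) < NONCE_LEN + TAG_LEN:
        raise BitstreamRejected("image too short")
    nonce, ct, tag = stored[:NONCE_LEN], stored[NONCE_LEN:-TAG_LEN], stored[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise BitstreamRejected("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def configuration_ok(loaded: bytes, release_digest: str) -> bool:
    """Post-configuration check: does what was loaded match the released design?"""
    return hmac.compare_digest(hashlib.sha256(loaded).hexdigest(), release_digest)


def demo() -> dict:
    """Run the four checks a loader's acceptance test would cover."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    release_digest = hashlib.sha256(SAMPLE_BITSTREAM).hexdigest()
    image = protect_bitstream(SAMPLE_BITSTREAM, enc_key, mac_key)
    results = {}

    # 1. The genuine image configures and matches the release digest.
    results["genuine_loads"] = configuration_ok(
        load_bitstream(image, enc_key, mac_key), release_digest)

    # 2. The stored image does not expose the design in the clear.
    results["design_not_in_clear"] = SAMPLE_BITSTREAM not in image

    # 3. A single flipped bit in the stored image is rejected before loading.
    tampered = bytearray(image)
    tampered[40] ^= 0x01  # offset 40 lies inside the ciphertext region
    try:
        load_bitstream(bytes(tampered), enc_key, mac_key)
        results["tamper_rejected"] = False
    except BitstreamRejected:
        results["tamper_rejected"] = True

    # 4. An image presented to a device holding a different MAC key is rejected.
    try:
        load_bitstream(image, enc_key, os.urandom(32))
        results["wrong_key_rejected"] = False
    except BitstreamRejected:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The ordering inside `load_bitstream` is the point of the example: the tag is checked over the nonce and ciphertext before any decryption, so the device never executes a configuration whose origin it has not verified, and the post-load digest comparison gives the "configuration succeeded" signal independently of the loader's own return path.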