Minimizing Risk with FPGAs and Hardware-Based Security 

Conventional data security technology has entered a mode of persistent escalation.

System designers invest heavily in design and validation, while attackers continually uncover, exploit, and share new vulnerabilities. The result is a stream of updates and patches to close known attack methods. To slow the evolution of new threats and protect vulnerable systems from malicious actors, a paradigm shift and a new approach is needed.

Hardware-based cybersecurity using field programmable gate array (FPGA) technology provides stronger, more cost-effective protection for devices used by critical infrastructure, military, and intelligence organizations. Unlike the CPUs that power software firewalls, FPGAs are limited to a finite number of possible states, greatly reducing the scope of potential implementation flaws or vulnerabilities.

Why hardware-based security?

Guarantees and fundamental assurances are rare in cybersecurity. The goal is typically to find the solution that offers the lowest risk of compromise compared to other solutions, with the understanding that the risk will always be greater than zero.

Hardware-based security reduces security risk to the lowest possible level and gives organizations a high degree of confidence that their components cannot perform any functions other than the ones they were designed to perform.

While nothing can eliminate all cybersecurity risk, the addition of hardware security technology can turn previously vulnerable spots into the strongest points in a network and dramatically reduce an organization’s attack surface.

CPUs and firewalls: inherently vulnerable

Modern computing platforms are based on the work of Alan Turing, who proved that even a relatively basic computing device that can iteratively read and write from storage (or memory) can theoretically implement any arbitrarily complex algorithm. The only limitation in the complexity of the states that a Turing Machine can take on is the amount of storage that it has available. Attackers take advantage of this complexity by finding ways to “trick” the Central Processing Unit (CPU) in a computing system to jump outside the bounds of normal execution and start to process new instructions.

A common approach to protect a vulnerable CPU from attack is to implement a network firewall: a filter that monitors external messages and blocks or modifies anything that follows a pattern known to be (or potentially) malicious. Many modern firewalls are built on highly specialized platforms with security-specific features, but despite these advanced features, a firewall that is implemented using a CPU has the effect of simply putting a somewhat less-vulnerable CPU in front of a vulnerable CPU.

FPGAs: controlling the process

An alternative approach to implement security functions is to use a finite state machine or dedicated circuit. This approach lacks the unlimited flexibility of a Turing machine, but it has the benefit of dramatically reducing or eliminating the potential for unintended execution.  A dedicated circuit can still implement very complex logical functions, but unlike a regular CPU it does not rely on iterative execution and random access to central storage or memory.

A practical way to implement complex dedicated circuits in modern systems is to use a field programmable gate array, or FPGA.  An FPGA is programmable in that the circuit that it implements can be updated and replaced through a configuration file. With careful design, the process used to load a new configuration can be isolated from the path of data through the FPGA, resulting in a circuit that cannot be changed during execution.

4secure-cpu-fpgaFPGAs and security   

The use of FPGA technology for advanced networking is not new. There are many examples of networking systems that use FPGAs to offload high-speed, repetitive operations, and there are mature libraries for circuit designs to implement robust network stacks and protocol adapters. However, most conventional FPGA-based systems are designed to maximize performance and ease of configuration over security.

A secure FPGA filter architecture needs to ensure complete isolation of the data path from the configuration process. When designed properly, this approach dramatically changes the attack surface of the resulting system. Access to the protected CPU can now be processed through a dedicated circuit in the FPGA. A properly designed, application-specific filter will ensure that even a vulnerable CPU will never receive malicious content.


Additionally, most modern FPGAs can be configured to only accept a digitally signed configuration file. If the secret key needed to sign a new configuration is external to the admin CPU, then even with access to this segmented processor an attacker can still not change the configuration of the FPGA.

When hardware-based filtering is implemented using this model, organizations can achieve a level of security that far exceeds what a software-based firewall can provide. Rather than adding more layers of software to protect a flawed platform, FPGAs allow organizations to focus on the design of practical circuits that can monitor and enforce strict data and protocol rule sets.

Embedding cybersecurity

One of the most promising applications of FPGA-based security is in the creation of embedded cybersecurity technology to protect industrial control systems and other critical systems.

In recent years, threat actors have developed highly sophisticated tools to attack industrial, military, and governmental operations. Some attacks aim to steal data or infect user workstations, while other, more serious, threats are aimed lower in the network and attempt to disrupt physical processes. A successful low-level attack against a power plant, water system, chemical facility, or other critical infrastructure site could do millions of dollars of damage and put thousands of lives at risk.

As more and more operational technology (OT) devices are connected to networks, the risk of this type of catastrophic breach increases. OT devices are particularly vulnerable to attacks, because they were not designed with security in mind and historically were operated on isolated networks. To manage the risk, critical infrastructure operators have been forced to protect their devices with increasingly complex security solutions. At best, these solutions are difficult and costly to maintain; at worst, they actually create new vulnerabilities due to improper configuration.

ICS network owners are moving toward a new strategy for defending against cyber threats: embedded cybersecurity. Rather than securing their systems by adding new layers of infrastructure and support alongside them, network owners are seeking OT equipment that includes built-in security technology. Systems with integrated security technology can secure themselves without the need for external infrastructure.

XDE Radium: FPGA-based security in action

Owl Cyber Defense is the industry leader in FPGA-based cybersecurity technology, providing miniaturized security modules that can be embedded into host devices or implemented as a stand-alone device with extremely low size, weight, and power demands. Owl’s FPGA-based modules support a wide range of use cases for critical infrastructure, military, and intelligence operations.

XDE Radium is a single-board, hardware-enforced cybersecurity module that delivers low-cost, high-performance device-level and network-level cybersecurity. The module features two FPGAs and either an optical or digital isolator, providing high-assurance, hardware-enforced, one-way flow enforcement and packet filtering for data crossing network or domain boundaries. Unlike a network tap, XDE Radium implements a secure protocol break, so that no routable information is passed between source and destination networks.


XDE Radium use case: remote monitoring 

Sending data from sensors–such as surveillance cameras—within secure networks to remote monitoring centers is an ideal use case for embedded FPGA-based security technology.

Routing data from sensors through an organization’s existing architecture is often time-consuming and complex and creates multiple opportunities for misconfiguration. A simpler, more secure approach is to stream the data directly to the remote monitoring location, using an XDE Radium module to protect the device from inbound threats.

Radium’s hardware-enforced one-way data path ensures that malicious data cannot enter the camera from outside, while whitelisting protects the camera’s outgoing data from unauthorized access.

The ongoing shift toward smart devices, cloud services, and increased connectivity creates both new opportunities and new risks. Hardware-enforced security, based on FPGA technology, represents a fundamental shift in network security technology and offers a path toward truly resilient and secure systems.