Why FPGAs are critical to navigating evolving security requirements

According to IBM’s 2023 Cost of a Data Breach Report, the global average cost of a data breach reached $4.45 million in 2023, a record-high for the report and a 15% rise over the past three years. Furthermore, detection and escalation costs jumped 42% during the same span, representing the highest portion of breach costs and indicating a shift towards more complex breach investigations.

Eric Sivertson, Lattice Semiconductor VP of Security Business further explores.

The urgency for cyber resilience is rising as threats accelerate in volume and velocity across a widened attack surface. In response, the global cybersecurity regulatory landscape is rapidly evolving with several new requirements slated to come into effect. Notable oncoming regulations include: 

• CNSA 2.0 Timeline: to ensure protection against a cryptanalytically relevant quantum computer, the US National Security Agency released its Commercial National Security Algorithm Suite 2.0 (CSNA 2.0) timeline that outlines future requirements for post-quantum cryptography (PQC) migration. The future regulations will require all national security system owners, operators, and vendors to transition to PQC algorithms for new software and firmware by 2025, with all deployed software and firmware transitioned by 2030
• Security and Exchange Commission (SEC) Cybersecurity Disclosure Requirements: enacted in July 2023, the new SEC regulations require US publicly traded companies to disclose cybersecurity incidents within four business days of determining the incident's materiality. Additionally, the rules mandate annual reporting on cybersecurity risk management, strategy, and governance. These regulations raise the stakes for developing cyber resilience and aim to increase transparency and accountability for cybersecurity practices amongst public companies
• European Union Cyber Resilience Act (CRA): approved by the European Parliament in March 2024, the EU CRA aims to bolster cybersecurity standards for hardware and software products sold within European countries. It introduces mandatory cybersecurity requirements for manufacturers, focusing on secure product development lifecycles, vulnerability management, and incident reporting. This regulation aims to ensure that organisations placing products on the EU market prioritise security throughout the product lifecycle and take responsibility for addressing vulnerabilities. After the CRA goes into effect, organisations will have a grace period of 36 months to implement or fulfill the requirements. They must also report any actively exploited vulnerability within 24 hours of detection
• European Union Digital Operational Resilience Act (DORA): coming into effect in January 2025, the EU’s DORA initiative focuses on the operational resilience of critical infrastructure providers in sectors like energy, finance, transportation, and waste management. It mandates these entities to identify and report cyber threats, implement risk management plans, and conduct regular incident response testing

In addition, there are several stringent industry standards like NIST’s 800-193 Platform Firmware Guidelines that must be considered. This surge in new regulations and standards is intended to help organisations address critical vulnerabilities and build resilience while remaining accountable for data breaches. However, keeping pace with the evolving regulatory environment is a challenging undertaking for developers with complex design processes and legacy infrastructure. Leveraging Field Programmable Gate Array (FPGA) technology will be key for organisations to effectively protect systems from sophisticated attacks and stay compliant with new requirements. 

Flexibility, reprogrammability, and built-in security features

FPGAs are inherently flexible solutions, which enables them to be continually reprogrammed and retrofitted to align with evolving regulations and standards without the need for removal from host devices. In turn, developers can efficiently facilitate new security updates to FPGA-based architectures free of implementing all-new tape outs and device switch-outs. This flexibility also means that FPGAs have lifetime longevity, often uncommon among other types of semiconductors, for added cost savings.

Some FPGAs additionally offer built-in security features such as encryption and authentication mechanisms that help safeguard data during processing. By incorporating low power FPGAs into data processing infrastructure, organisations can better strengthen their data security posture and mitigate severe risk. This will be critical for defending against ransomware attacks that target high-value unstructured data, helping organizations to prevent, detect, and respond to major data breaches and ensure compliance with constantly evolving government regulations.

Hardware root of trust and platform firmware resilience

The inherent flexibility of FPGAs makes them an ideal solution for real-time hardware root of trust (HRoT) devices – delivering enhanced zero trust authentication protection of server platforms and other connected device applications to secure an organisation’s end-to-end attack surface. FPGA-powered HRoT devices can be tailored to specific security needs, allowing developers to implement additional security features like encryptions for the configuration of data. This flexibility empowers designers to create a more robust HRoT environment suited to the unique security requirements of their applications.

Unlike traditional processors where firmware resides in software memory, FPGAs store configuration data in a separate, tamper-evident hardware component that makes it physically challenging to access and modify the firmware directly. They also contain dedicated security engines hardened in silicon with secure, immutable unique IDs to ensure that the system’s core functions and components can be verified as genuine and unaltered, mitigating the risk of unauthorised access or malicious tampering. 

In addition, FPGAs provide Platform Firmware Resilience (PFR) functionality that enables organisations to combat attacks in real time by proactively monitoring data traffic for present malware. When a malware attack is detected, the FPGA can load a golden image of the authorised firmware, override the unauthorised version, and facilitate quick recovery actions. This helps alleviate in-system firmware attack vulnerabilities by providing efficient protection, detection, and response capabilities.

Crypto agility for PQC migration 

NIST’s first set of standardised PQC algorithms, initially announced in 2022, are expected to be finalised this year with more to follow. Adopting these algorithms across physical and Cloud-based security environments is imperative to preparing for a post-quantum future. Because of their flexible nature, FPGAs serve as ‘crypto agile’ solutions that will be essential for transitioning to PQC standards as part of the CSNA 2.0 timeline.

With innate programmability and parallel processing functions, they can streamline over-the-air firmware updates that enable developers to proactively refine embedded hardware with PQC algorithms and patch PKI vulnerabilities within existing systems. This allows organisations to conduct efficient in-field updates to implement PQC algorithms as they mature, incorporate new cryptography securely, and address bugs in already-released algorithms. 

As the cybersecurity landscape continues to evolve, FPGAs are poised to play a pivotal role in navigating this complex environment. Their unique capabilities directly align with the demands of emerging regulations that prioritise flexibility and resilience. In a world where security threats are constantly changing, FPGAs offer a powerful and adaptable solution for building secure systems that comply with evolving regulatory frameworks.