Diversity for security: case assessment for FPGA-based safety-critical systems

Abstract. Industrial safety critical instrumentation and control systems (I&Cs) are facing more and more information (in general, and cyber, in particular) security threats and attacks. The application of programmable logic, first of all field programmable gate arrays (FPGA), in critical systems causes specific safety deficits. Security assessment techniques for such systems are based on heuristic knowledge and expert judgment. The main challenge is how to take into account the features of FPGA technology for safety critical I&Cs, including systems in which the diversity approach is applied to minimize the risks of common cause failure. Such systems are called multi-version (MV) systems. The goal of the paper is to describe a technique and tool for case-based security assessment of MV FPGA-based I&Cs.


Four challenges for I&C safety assessment and assurance
Industrial safety critical instrumentation and control systems (I&Cs), such as reactor trip systems, on-board aviation systems, railway blocking and signaling systems, etc., are facing more and more information (in general, and cyber, in particular) security threats and attacks. This concerns most of all the nuclear domain, the most sensitive one from the safety point of view [1]. Nowadays there is a gap in understanding how to assess the safety of industrial I&Cs considering the following:
- firstly, the security issues: security-related threats are more and more challenging for safety critical applications. As a result, the security informed safety conception has been intensively developed in the last years, in particular for NPP I&Cs [2];
- secondly, the features of FPGA technology and FPGA-based systems as a specific target for intruders. Security aspects of FPGA design and implementation are analyzed in [3][4][5]. These works allow systemizing different vulnerabilities and threats and understanding better which of them should be taken into account to assure security;
- thirdly, the application of the diversity approach as a means of minimizing common cause failure (CCF) risks. In this case two (or more) channels are used in different combinations for obtaining the needed functionality and ensuring the required level of safety. Techniques of development and safety assessment of FPGA-based multi-version industrial systems (MVI&Cs) are researched in [6][7][8]. However, the influence and features of diversity application still need to be analyzed from the security point of view;
- fourthly, the use of the case-based proof paradigm. Really, to assure trustworthiness of security assessment for such extremely complex systems, more formalized techniques (independent of expert errors and uncertainties) are required.

Researched domains. Goal of the paper
The paper presents research results in the domains of safety, security, diversity and FPGA, together with a methodology of cybersecurity assessment based on cases. Figure 1 shows the research fields and the targeted area, encircled by a red line. Additionally, the dashed line describes the area of case-based approach application to the assessment of safety and security. Another research aspect is providing an effective risk mitigation strategy by use of countermeasures (see Figure 2, where the area of countermeasures for FPGA-based MV I&C systems is encircled by red as well, and the dashed line describes the area of case-based approach application to the choice and proof of effectiveness of countermeasures). Thus, the goal of the paper is to suggest a technique and tool for case-based security assessment of FPGA-based MVI&Cs. The structure of the paper is the following.

Figure 2. Countermeasures
The second section describes the normative base (ISO, IEC and IAEA standards) and the classification and analysis of the application of different diversity kinds for safety and security assessment and assurance of FPGA-based I&Cs.
The third section is dedicated to case development and discusses an example of ASAC application for security analysis and assessment.
The last section concludes the paper and presents directions of future research.

Diversity for safety and security of FPGA-based I&Cs
Diversity is a part of the more general principle D3 (Defense-in-Depth & Diversity) [8], applied to provide trusted, fault- and intrusion-tolerant design and operation of I&Cs. Defense-in-Depth is a horizontal/sequential echelon of defense; diversity is a vertical/parallel part of it [11].

Diversity related standards for safety and security
There are a lot of international standards and national guides containing requirements for the implementation and assessment of diversity. There are also standards for other critical domains where diversity as an approach is postulated or requirements for its application are described. For example, requirements for diversity in automotive systems are determined by the standard IEC 26262. This standard contains requirements regarding the application of software and hardware diversity for on-board vehicle systems.
Generally, the standards are not detailed enough to make all necessary decisions concerning diversity: selection and combination of diversity types, assessing and grounding the volume of process and product diversity, etc. It is very important that they do not take into account two issues:
- the features of FPGA technology, which complicates their application, and
- security issues in safety assessment.

Comparison of diversity for SW- and FPGA-based I&Cs
FPGA-based technology provides new possibilities for the implementation of the diversity principle and additional options [7,8]. The features of FPGA technology increase the number of diversity kinds and enlarge the set of possible diversity-oriented decisions. A general diversity classification scheme was presented by the "cube of diversity" with three coordinates: "stage of the life cycle", "level of project decisions" and "type of version redundancy" [8]. Using this classification we can analyse safety and security issues for FPGA-based systems and traditional SW-based I&Cs, first of all for NPPs.

Table 1. Diversity attributes and correspondent FNI&Cs version redundancy kinds.

Columns: DIVERSITY ATTRIBUTES (NUREG-CR/7007:2009) | KINDS OF VERSION REDUNDANCY (FPGA-BASED I&Cs)

Design | Diversity of electronic elements (EE)
- Different technologies | Different manufacturers of EEs; Different technologies of EEs production
- Different approaches within a technology | Different technologies of EEs production
- Different architectures within a technology | Different families of EEs

Equipment Manufacturer | Diversity of electronic elements (EE)
- Different manufacturers of fundamentally different equipment designs | Different manufacturers of EEs
- Same manufacturer of fundamentally different equipment designs | Different families of EEs
- Different manufacturers of same equipment design | Different manufacturers of EEs
- Same manufacturer of different versions of the same equipment design | Different EEs of the same family

Logic Processing Equipment | Diversity of project development languages
- NUREG attributes: Different logic processing architectures; Different logic processing versions in same architecture; Different component integration architectures
- FPGA-based redundancy kinds: Joint use of graphical scheme language and hardware description language (HDL); Combination of couples of diverse CASE tools and HDLs

Logic (attributes listed in this part of the table)
- NUREG attributes: Different timing or order of execution; Different runtime environments; Different functional representations
- FPGA-based redundancy kinds: Different CASE tools configurations; Different CASE tools; Different HDLs

Diversity and security
Table 2 shows the results of research on diversity attributes from NUREG-CR/7007 which could be applied to mitigate CCF in diverse SW- and HW/FPGA-based systems with the same vulnerabilities in both versions. Different vulnerabilities in both versions have four grades: VH (very high), H (high), M (medium), L (low).
The gradation is based on the risk reduction after application of a certain diversity attribute. In this case diversity is considered as a countermeasure for the elimination of the harmful consequences of successful attacks.

Diversity as a countermeasure
Table 3 summarizes some attacks on FPGA-based I&Cs and the results of security assessment using IMECA analysis [2,8]. Countermeasures are employed to thwart such tampering attacks. The table contains countermeasure strategies which could be applied as requirements from Regulatory Guide 5.71:2010 (Cyber Security Programs for Nuclear Facilities, U.S. NRC) to eliminate the attack causes and, moreover, the FPGA-based MV I&Cs diversity kinds and their attributes as countermeasures.
Thus the diversity of FPGA-based MV I&Cs is reviewed as a countermeasure and mitigation strategy for ensuring the security and safety of systems. The criticality matrix (see Fig. 3) shows how the application of different FPGA-based I&Cs diversity kinds and their attributes decreases the level of overall risk.
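To make the gradation and the criticality matrix concrete, here is an added worked example (our own code, not the paper's tool, tables or data) of how the overall risk changes when diversity attributes are applied as countermeasures to attack modes whose root cause is a vulnerability shared by both versions. The sample attack modes, the four-level scales and the rule that a VH/H/M/L-graded attribute lowers the probability level by 3/2/1/0 are constructed assumptions for illustration; the paper itself only states that the grades reflect risk reduction.

```python
from collections import Counter
from dataclasses import dataclass, replace
from typing import List, Optional

# Ordinal scales for the IMECA-style analysis. Constructed here: four levels each,
# matching the VH/H/M/L gradation used in the text.
LEVELS = {"L": 1, "M": 2, "H": 3, "VH": 4}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Assumption (ours, not the paper's): a diversity attribute graded VH/H/M/L lowers the
# probability of a successful attack on a shared vulnerability by this many levels,
# because after diversification the two versions no longer share that vulnerability.
PROBABILITY_REDUCTION = {"VH": 3, "H": 2, "M": 1, "L": 0}


@dataclass(frozen=True)
class AttackMode:
    """One row of an IMECA table: an attack mode with its effect rated on two scales."""
    name: str
    probability: str                       # likelihood of a successful attack, L..VH
    severity: str                          # severity of the effect on safety, L..VH
    diversity_grade: Optional[str] = None  # grade of the applied diversity attribute, if any


def criticality(mode: AttackMode) -> int:
    """Criticality of a mode: probability level times severity level (1..16)."""
    return LEVELS[mode.probability] * LEVELS[mode.severity]


def apply_diversity(mode: AttackMode) -> AttackMode:
    """The mode as it stands after the diversity attribute is applied as a countermeasure.

    Only the probability is reduced: diversity removes the shared vulnerability, it does
    not change how severe the effect would be if an attack still succeeded.
    """
    if mode.diversity_grade is None:
        return mode
    reduced = LEVELS[mode.probability] - PROBABILITY_REDUCTION[mode.diversity_grade]
    return replace(mode, probability=LEVEL_NAMES[max(1, reduced)])


def criticality_matrix(modes: List[AttackMode]) -> dict:
    """Number of modes in every (probability, severity) cell, i.e. the criticality matrix."""
    cells = Counter((m.probability, m.severity) for m in modes)
    return {p: {s: cells[(p, s)] for s in LEVELS} for p in LEVELS}


def overall_risk(modes: List[AttackMode]) -> int:
    """Sum of criticalities, used here as the level of overall risk."""
    return sum(criticality(m) for m in modes)


# Constructed sample: attack modes caused by something both versions share, each paired
# (comment) with the version redundancy kind from Table 1 that removes the sharing.
SAMPLE_MODES = [
    AttackMode("defect in a CASE-tool configuration used by both versions", "H", "VH", "H"),  # different CASE tools
    AttackMode("defect in an HDL library used by both versions", "M", "H", "VH"),            # different HDLs
    AttackMode("hardware defect in an EE family used by both versions", "M", "VH", "M"),     # different EE manufacturers
    AttackMode("operator interface misuse (no diversity attribute applies)", "L", "M", None),
]


def risk_reduction(modes: List[AttackMode] = SAMPLE_MODES) -> dict:
    """Overall risk before and after diversity, with both criticality matrices."""
    after = [apply_diversity(m) for m in modes]
    return {
        "before": overall_risk(modes),
        "after": overall_risk(after),
        "matrix_before": criticality_matrix(modes),
        "matrix_after": criticality_matrix(after),
    }


if __name__ == "__main__":
    result = risk_reduction()
    print("overall risk before diversity:", result["before"])  # 28
    print("overall risk after diversity: ", result["after"])   # 13
    print("criticality matrix after diversity (rows: probability, columns: severity L M H VH)")
    for prob in ("VH", "H", "M", "L"):
        print(prob.rjust(2), [result["matrix_after"][prob][s] for s in LEVELS])
```

Running the script shows the effect the criticality matrix in the paper is meant to convey: the three modes with a shared root cause move from the high-probability rows down to the lowest row, while the mode that no diversity attribute addresses stays where it was, so the residual risk is visible rather than hidden in an aggregate number.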

Advanced security assurance case
The idea of a cybersecurity case for the evaluation of the security of MV I&Cs lies in applying the Advanced Security Assurance Case (ASAC) proposed in [9]. DRAKON was used as a graphical modeling language for the representation of the cybersecurity case based on ASAC. It was developed in the former USSR space program Buran (an analogue of the Space Shuttle). DRAKON stands for "friendly algorithmic language that provides clarity." Initially DRAKON was developed for capturing requirements and building software that controls spacecraft [10]. The IDEF0 notation was chosen as the language of requirements modeling. IDEF0 notation allows showing the steps of the evaluation unambiguously (in the form of a directed graph) and, for each step, determining the evaluated property, the evidences necessary for the evaluation, the subjects of assessment, and the standards.
If a complex (composite) requirement is subject to assessment, then each step (or block of the IDEF0 diagram) can be decomposed for a detailed description of the sub-properties evaluation procedure.

Building of ASAC
The result of the analysis of the requirements of the assurance class "Vulnerability analysis" AVA_VAN.3 from the International Standard ISO/IEC 15408 is presented in the form of an ontological graph (see Fig. 4). The graph accurately and unambiguously (in the accepted notation) describes the subject area (i.e. the basic notions/concepts and the relations between them). It contains the diversity requirements for ensuring the cybersecurity of I&Cs (as countermeasures, Table 3), marked with light-blue fillings.
Completeness of the scope of assessment is ensured by using ontological graphs of two kinds: object-oriented and process-oriented ontology. The requirements of the assurance class "Vulnerability analysis" AVA_VAN.3 from IEC 15408 are depicted in the form of properties (Fig. 5), evidences (Fig. 6) and corresponding actions of an … Fig. 7) as results of the ontological analysis of diversity requirements for secure I&Cs (marked with blue and dark-blue) and represented in the established ASAC form on the figure.
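As an added example (our own code, not the paper's ASAC, IDEF0 or DRAKON tooling), the following models the evaluation steps as a decomposition tree with dependency edges, in the spirit of the IDEF0 directed graph, and checks the two things an assessor wants to know before trusting a case: whether every leaf step carries its evaluated property, evidence and action, and in which order the steps can be evaluated without ambiguity. The sub-steps, evidence and actions of the sample AVA_VAN.3 case are constructed for illustration and are not taken from the paper's figures.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class CaseStep:
    """One block of the IDEF0-style evaluation diagram.

    A leaf step names the evaluated property together with the evidence and the
    assessor actions that support it; a composite step only carries sub-steps
    (the decomposition of a complex requirement).
    """
    name: str
    evaluated_property: str = ""
    evidence: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)
    depends_on: List[str] = field(default_factory=list)  # leaf steps evaluated before this one
    substeps: List["CaseStep"] = field(default_factory=list)


def leaf_steps(step: CaseStep) -> List[CaseStep]:
    """Flatten the decomposition tree into its leaf steps, in document order."""
    if not step.substeps:
        return [step]
    return [leaf for sub in step.substeps for leaf in leaf_steps(sub)]


def incomplete_steps(step: CaseStep) -> List[str]:
    """Leaf steps lacking a property, evidence or action; the case is complete only if empty."""
    return [leaf.name for leaf in leaf_steps(step)
            if not (leaf.evaluated_property and leaf.evidence and leaf.actions)]


def evaluation_order(step: CaseStep) -> List[str]:
    """Order in which the leaf steps can be evaluated, following the dependency edges.

    Raises ValueError for an unknown dependency or a cycle, both of which would make
    the directed graph ambiguous to an assessor.
    """
    leaves = leaf_steps(step)
    known = {leaf.name for leaf in leaves}
    pending: Dict[str, Set[str]] = {leaf.name: set(leaf.depends_on) for leaf in leaves}
    for name, deps in pending.items():
        unknown = deps - known
        if unknown:
            raise ValueError(f"step {name!r} depends on unknown step(s): {sorted(unknown)}")
    order: List[str] = []
    while pending:
        ready = [name for name, deps in pending.items() if not deps]
        if not ready:
            raise ValueError("cyclic dependency among steps: " + ", ".join(sorted(pending)))
        for name in ready:
            order.append(name)
            del pending[name]
        for deps in pending.values():
            deps.difference_update(ready)
    return order


# Constructed sample case for AVA_VAN.3; the sub-steps, evidence and actions are ours.
SAMPLE_CASE = CaseStep("AVA_VAN.3 vulnerability analysis", substeps=[
    CaseStep("identify potential vulnerabilities of both versions",
             evaluated_property="list of potential vulnerabilities is complete",
             evidence=["survey of published FPGA vulnerabilities",
                       "design documentation of both versions"],
             actions=["review design documentation"]),
    CaseStep("assess diversity attributes as countermeasures",
             evaluated_property="shared vulnerabilities are removed or their risk is reduced",
             evidence=["criticality matrix before and after diversity"],
             actions=["IMECA analysis of the multi-version design"],
             depends_on=["identify potential vulnerabilities of both versions"]),
    CaseStep("confirm residual vulnerabilities are not exploitable",
             evaluated_property="no exploitable residual vulnerability",
             evidence=[],  # evidence still missing: the completeness check reports this step
             actions=["penetration testing by the evaluator"],
             depends_on=["assess diversity attributes as countermeasures"]),
])


if __name__ == "__main__":
    print("evaluation order:", evaluation_order(SAMPLE_CASE))
    print("steps lacking property, evidence or action:", incomplete_steps(SAMPLE_CASE))
```

The completeness check is the point of the tabular representation in Figs. 5 to 7: a step that has an action but no evidence is an argument without support, and the tool should refuse to call the case complete until the gap is closed rather than leave it to expert judgment.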

Conclusions
The paper describes a cybersecurity assurance technique for multi-version FPGA-based I&Cs. The requirements profile is formulated using the best practices from the international regulations considered. The paper summarizes research results on security informed safety assessment of FPGA-based MV I&Cs by the development of a security case based on ASAC. This case considers the requirements from the Common Criteria and adds requirements for diversity as a countermeasure and CCF risk reduction strategy. The security assurance case tends to reduce the uncertainty of safety assessment by taking into account the influence of security (cybersecurity) on safety.
It is characterized by the introduction of a decision-making technique which is easy to scale and modify and is in compliance with standards requirements. Future steps of research and development will be connected with the creation of an integrative instrumentation tool to assess security and safety at all life cycle stages, considering the features of FPGA-based industrial I&Cs where the application of diversity is defined by standard requirements. Another direction of future work is to improve and completely assure the computer-based implementation of the ASAC-based technique.

Figure 1. Targeted area of research
Table 1 (continued). Diversity attributes (NUREG-CR/7007:2009) | Kinds of version redundancy (FPGA-based I&Cs)

Logic Processing Equipment (continued)
- Different data flow architectures | Joint use of graphical scheme language and HDL

Function | Diversity of CASE-tools
- NUREG attributes: Different underlying mechanisms to accomplish safety function; Different purpose, function, control logic, or actuation means of same underlying mechanism; Different response time scale
- FPGA-based redundancy kinds: Combination of couples of diverse CASE tools and SSs; Different SSs

Life-Cycle | Diversity of CASE-tools
- NUREG attributes: Different design companies; Different management teams within the same company; Different designers, engineers, and/or programmers; Different implementation/validation teams
- FPGA-based redundancy kinds: Combination of couples of diverse CASE tools and HDLs; Combination of diverse CASE-tools and HDLs; Different HDLs

Signal | Diversity of CASE-tools, Diversity of scheme specification (SS)
- NUREG attributes: Different reactor or process parameters sensed by different physical effect; Different reactor or process parameters sensed by the same physical effect; The same process parameter sensed by a different redundant set of similar sensors
- FPGA-based redundancy kinds: Combination of couples of diverse CASE tools and SSs

Logic | Diversity of CASE-tools, Diversity of scheme specification (SS)
- NUREG attributes: Different algorithms, logic, and program architecture

Figure 4. Ontological model in the form of a graph.

Figure 5. Properties of ASAC represented in tabular form.

Figure 6. Evidences of ASAC represented in tabular form.

Figure 7. Actions of ASAC represented in tabular form.

Table 1 summarizes the variety of diversity attributes from NUREG-CR/7007:2009 for NPP I&Cs and their accordance with the kinds of version redundancy of FPGA-based systems.

Table 2. Diversity attributes as a countermeasure.