Focus on Russia/Instrumentation & control
How to build an FPGA-based I&C
3 July 2012
Field-programmable gate array (FPGA)-based instrumentation and control (I&C) systems have been developed and applied in aerospace and process industries since the 1990s. Although the use of FPGAs in nuclear power plants (NPPs) has lagged behind, they are now catching up. The FPGA design process and its resistance to cyber attack are discussed.
Physically, an FPGA is a semiconductor-based complex programmable device which can be configured to perform a custom-required function. It includes two entities: an FPGA chip, which is a piece of hardware that can be qualified against hardware qualification testing requirements, and the electronic design of the FPGA, represented by a set of instructions in hardware description language (HDL) that can be verified against functional requirements.
Due to its design simplicity and transparency, FPGA technology can be utilized both in I&C modernization projects of existing NPPs and in I&C designs for new NPPs. Simplicity and transparency can also be beneficial in the design, development, implementation, and operation processes. For example, the safety function applications implemented by FPGAs are executed without running any system software or operating systems. This reduces the vulnerability of the digital I&C system to cyber attacks or malicious acts (see also below). Also, simplicity gives faster and more deterministic performance; that is, the capability of executing logic functions and control algorithms in a parallel mode provides fast response times with known and fixed time delays. Similarly, the transparent and simple FPGA design allows a reduction in the complexity of the verification and validation (V&V) and implementation processes, therefore making the end product more reliable and error-free. Also, separation of FPGA functions can provide isolation between safety and non-safety systems maintaining functional independence.
Two important additional issues are licensing and obsolescence. The licensing process of FPGA-based safety systems may be easier, due to the simplicity and transparency of system architecture and its design process. Evidence of meeting licensing requirements, such as independence, separation, redundancy and diversity, can be provided in an easier and more convincing way. FPGA-based applications are more resilient to obsolescence due to the portability of the HDL code between different versions of FPGA chips produced by the same or different manufacturers (Table 1).
RPC Radiy has used its FPGA-based platform in I&C modernization projects at various nuclear power plants for a wide range of safety and control functions and systems, such as reactor trip system, reactor power control and limitation system, engineered safety features actuation system, rod control system, nuclear island control system, and turbine island control system (see also box, below).
The above applications represent large-scale modernization projects; however, the technology can provide solutions for an even larger variety of applications, such as ‘pin-to-pin’ replacement of obsolete circuit board components, reverse engineering, emulation of functions performed by obsolete computers, replacement of components and sub-systems, and building full I&C systems or diverse back-up systems in new NPP designs. FPGAs can implement any safety and control functions that are typical in existing NPPs or in any new designs, therefore providing a technology-neutral implementation tool.
Development and V&V processes
The electronic design development and V&V processes are two important processes in the lifecycle of FPGA-based I&C systems. The development process can be further divided into the design phase and the implementation phase. The final result of these two phases is FPGA electronic design integration. V&V supports the whole development process and is applied to the output of each development step with appropriate checks, comparisons, and analysis.
Before starting FPGA electronic design development, the following documents are prepared and reviewed:
- Technical Requirement Specification (TRS). This document describes the overall objectives of the system development as determined by the technical, functional, customer, and commercial goals and requirements.
- Safety Requirements Specification (SRS). This document identifies all safety-related requirements imposed on the final system, including requirements from appropriate nuclear standards and basic safety standards, such as IEC 61508, and from the specific safety requirements of the given application.
- System Architecture Description (SAD) provides an overview of the intended system architecture and allocates specific requirements to the various subsystems, such as hardware, application logic and diagnostic logic.
The above high-level documents are reviewed and approved before considering the subsystem or component levels.
The initial and the most critical phase of the overall development process is the design process, which includes a preliminary (or architectural) design and detailed design. The preliminary design defines all functional blocks (performing functions such as voting or simple mathematical operations), their interfaces and connections, and other information required in the next phase. At this step, such criteria as reliability, design traceability, and design verifiability are defined. The output of the preliminary design process is the textual or graphical description (diagrams) of design partitioning and other design requirements. Upon completion of this design activity, a design review is performed, which may result in creating a modified design partitioning or correction of the initial requirements.
The detailed design phase refines the preliminary design and translates it into an FPGA electronic design description. The detailed design should implement the functions of the FPGA electronic design. The forms of design input typically used to implement the detailed design are HDL coding (such as VHDL or Verilog) and schematic representation.
The detailed design phase is finished by elaborating the FPGA electronic design components (collections of files that comprise the design and perform certain checks) and by creating the register transfer level (RTL) model, which is later synthesized into logic gates. In the RTL model, the circuit's behaviour is defined by the flow of data between hardware registers, and the logical operations performed on that data flow.
One of the safety-related features connected with detailed design development is the application of coding rules, such as:
- avoidance of asynchronous logic
- support of error detection and correction mechanisms
- clocks and loops
- description of finite state machines
- naming convention and coding style.
These rules may support and assure different safety aspects of the design.
For the verification of detailed design outputs, functional simulation and static analysis techniques may be used.
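As an added illustration of the coding rules listed above and of functional simulation as a verification technique (this is example code written for this page, not a Radiy or RadICS design), the following Verilog describes a simple 2-out-of-3 voting block, one of the functional blocks named in the preliminary design discussion, together with a self-checking testbench. The module uses a single clock and a synchronous reset (no asynchronous logic), has no combinational feedback loops, and codes its finite state machine with an explicit one-hot encoding and a default branch so that a corrupted state register is both detected (fault flag) and handled fail-safe (trip). The module and testbench names, signal names, and the one-cycle confirmation behaviour are assumptions chosen for the example.

```verilog
// Added example: 2oo3 voter with a fail-safe FSM, written to the coding
// rules above. Names and behaviour are illustrative assumptions, not a
// description of any real RadICS module.
`timescale 1ns/1ps

module voter_2oo3 (
    input  wire       clk_i,    // single clock: no asynchronous logic
    input  wire       rst_i,    // synchronous, active-high reset
    input  wire [2:0] chan_i,   // trip demands from three redundant channels
    output reg        trip_o,   // voted, registered trip output
    output reg        fault_o   // set if the FSM ever reaches an illegal state
);
    // Explicit one-hot encoding: any state value with other than one bit set
    // is illegal, which makes a single-bit upset of the state register detectable.
    localparam [2:0] ST_NORMAL  = 3'b001;
    localparam [2:0] ST_CONFIRM = 3'b010;  // one extra cycle filters a single-cycle glitch
    localparam [2:0] ST_TRIP    = 3'b100;

    reg [2:0] state_r, state_d;

    // Majority vote: purely combinational, no feedback path
    wire vote_w = (chan_i[0] & chan_i[1]) | (chan_i[1] & chan_i[2]) | (chan_i[0] & chan_i[2]);

    // Next-state logic; every branch assigns state_d, so no latch is inferred
    always @* begin
        state_d = state_r;
        case (state_r)
            ST_NORMAL:  if (vote_w) state_d = ST_CONFIRM;
            ST_CONFIRM: state_d = vote_w ? ST_TRIP : ST_NORMAL;
            ST_TRIP:    state_d = ST_TRIP;   // latched until reset
            default:    state_d = ST_TRIP;   // illegal state: fail to the safe side
        endcase
    end

    // State and output registers: one clock edge, synchronous reset
    always @(posedge clk_i) begin
        if (rst_i) begin
            state_r <= ST_NORMAL;
            trip_o  <= 1'b0;
            fault_o <= 1'b0;
        end else begin
            state_r <= state_d;
            trip_o  <= (state_d == ST_TRIP);
            if (state_r != ST_NORMAL && state_r != ST_CONFIRM && state_r != ST_TRIP)
                fault_o <= 1'b1;   // error detection: illegal state seen
        end
    end
endmodule

// Functional-simulation testbench with explicit pass/fail criteria
module tb_voter_2oo3;
    reg        clk  = 1'b0;
    reg        rst  = 1'b1;
    reg  [2:0] chan = 3'b000;
    wire       trip, fault;
    integer    errors = 0;

    voter_2oo3 dut (.clk_i(clk), .rst_i(rst), .chan_i(chan), .trip_o(trip), .fault_o(fault));

    always #5 clk = ~clk;   // 100 MHz clock

    // Compare the trip output against the expected value for one test step
    task check_trip(input integer step, input expected);
        begin
            if (trip !== expected) begin
                errors = errors + 1;
                $display("FAIL step %0d at %0t: trip=%b expected %b", step, $time, trip, expected);
            end
        end
    endtask

    initial begin
        repeat (2) @(posedge clk);
        rst <= 1'b0;

        // Step 1: a single channel demanding trip must not trip (tolerates one failed channel)
        chan <= 3'b001;
        repeat (4) @(posedge clk);
        #1 check_trip(1, 1'b0);

        // Step 2: two channels demanding trip must trip after the confirm cycle
        chan <= 3'b011;
        repeat (3) @(posedge clk);
        #1 check_trip(2, 1'b1);

        // Step 3: the trip stays latched when the demand disappears
        chan <= 3'b000;
        repeat (3) @(posedge clk);
        #1 check_trip(3, 1'b1);

        if (errors == 0) $display("PASS: all checks met");
        else             $display("FAIL: %0d check(s) failed", errors);
        $finish;
    end
endmodule
```

Run with any Verilog-2001 simulator (for example `iverilog -o tb voter.v && vvp tb`); the testbench reports PASS or lists each failed step. One caveat for the implementation phase: some synthesizers treat the `default` branch as unreachable and optimize it away, so keeping the illegal-state recovery path may require the vendor's "safe state machine" synthesis option, which is exactly the kind of design constraint whose effect the design team must understand rather than leave to tool defaults.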
Implementation and integration
The next important phase is implementation, which comprises logic synthesis, placement and routing, and bit-stream generation. The appropriate procedures of V&V are connected with each activity of the implementation phase.
The first step of the FPGA electronic design implementation is the logic synthesis of the FPGA electronic design. During this process, the synthesizer transforms the RTL model of FPGA electronic design into gate- or cell-level schemes (the ‘Net List’). Most synthesizers generate both the FPGA-independent schematic representation of the RTL model, as well as the schematic representation for the specific FPGA chip in question. The result of the logic synthesis is the creation of text or graphics files. The synthesizer may apply different kinds of optimizations which could be defined in terms of design constraints such as usage of chip resources, design compilation time, chip power consumption, and runtime. Design constraints can affect the following attributes of the FPGA electronic design:
- logic synthesis
- timing characteristics
- chip pin assignment and adjustment
- topology of FPGA electronic design in the FPGA chip.
Handling of design constraints must be part of the overall quality procedures. To support the development of such procedures, guides and recommendations of FPGA vendors could be followed, but the design team’s comprehensive understanding of the effect of each constraint is still required.
The verification process at this level consists of gate-level simulation, which is technology-dependent, in contrast with functional simulation. During gate-level simulation, the timing characteristics of the FPGA electronic design are analyzed based on assumed gate and routing delays.
After the logic synthesis, the FPGA electronic design placement and routing is carried out. It is a tool-driven process that determines where registers and gates in the Net List will be placed within an FPGA chip. This process also determines the connection paths between design elements. The resulting design connectivity is defined by the ‘Floor Plan’. The generated Floor Plan can be verified by timing simulation.
The last step of the implementation phase is bit-stream generation. The output of this phase is the configuration file, which can be implemented in the FPGA chip. It contains all the data required to configure the FPGA chip. The verification of the configuration file is conducted after the electronic design is integrated into the FPGA chip.
During the FPGA electronic design integration phase, the configuration files, which have been derived in the previous step, are downloaded to the FPGA chip. Special hardware, such as a configuration interface (that is, JTAG), is required to download the configuration file into the FPGA chip. Some FPGA chips and their associated tools provide automatic checking of integration correctness.
For the integration testing, the FPGA chip, which now has the integrated electronic design, is installed on the board for which it was developed. The inputs of the board are connected to a special test bench, which feeds them with input signals in accordance with testing stimuli. The outputs of the board are connected to a data acquisition system which collects the response of the board to the input stimuli. Output signals (response) are analyzed in accordance with pass/fail criteria.
In some modern nuclear power plant I&C systems, FPGA chips form the basis and logic of various hardware components and systems. In order to maintain a high level of safety and production, FPGA-based I&C systems must be protected from cyber attacks and/or malicious acts.
Assurance of cyber-security for FPGA technology is a complex challenge that should include all the parties involved in the life cycle of the FPGA chips and FPGA-based I&C systems, namely the FPGA chip vendor, the I&C system developer, and the user of the FPGA-based I&C system.
A comprehensive analysis of cyber-security considers both the development process and the operation of the integrated I&C system. Cyber-security vulnerabilities can be introduced by:
- The FPGA-chip vendor, during the design, manufacture, packaging, and testing of FPGA chips
- The I&C system developer, during the development and integration of FPGA electronic design or during the implementation and testing of the electronic design
- The operator of the I&C system, making changes in the operating I&C system during operation or maintenance activities.
The following factors can lead to intended or unintended introduction of vulnerabilities into an FPGA-based I&C system:
- Use of malicious software tools during the design of the FPGA chip or during the development of the electronic design
- Use of IP (intellectual property) cores from third-party vendors during the development of the electronic design, either in the form of modules for HDLs or in the form of compiled Net Lists
- Use of compromised devices during the integration and implementation of the electronic design into the FPGA chip.
FPGA chip vendors can reduce vulnerabilities by:
- protecting their FPGA-chip design against reverse engineering, copying or modification
- providing customers with FPGA electronic design security measures, which can be applied during the development, operation, and maintenance of FPGA-based I&C systems.
An additional problem can arise due to the fact that FPGA-chip vendors may not have their own manufacturing capacity. After designing and developing the FPGA chip, the actual chip manufacturing may be outsourced to foundries. These foundries can introduce additional vulnerabilities into FPGA chips by altering the FPGA design during the chip manufacturing process. Hence, traceable and audited manufacturing processes in foundries play an important role in assuring cyber-security and preventing vulnerabilities.
Most of the life cycle stages of the FPGA chips and the FPGA-based I&C systems are implemented by the extensive use of software tools. Examples are: designing the printed circuit boards for FPGA chips, developing the FPGA electronic designs, and performing simulations. Hence, developers of software tools for design automation play a key role in assuring cyber-security.
Some of the potential cyber attack modes are listed below.
(1) Black box attack. An adversary feeds all possible input combinations to the FPGA chip and registers the corresponding output states. Such an approach potentially allows reverse-engineering of the FPGA electronic design integrated into the chip. In practice, this type of attack may not be successful in systems with highly complex logic.
(2) Read-back attack. The attack is based on the potential of reading the FPGA chip configuration, usually via the JTAG interface used in most FPGAs for debugging and maintenance. Recently, FPGA vendors have improved the protection measures against unauthorized access to chip configuration.
(3) Cloning attack. In SRAM FPGA chips, the configuration file is stored in a non-volatile memory external to the FPGA chip. This may allow the retrieval of bit-streams while the configuration is being loaded into the FPGA, and later the cloning of the stolen FPGA electronic design. The protection against this threat is encrypting bit-streams during their transmission from the non-volatile memory to the FPGA chip. Measures have already been implemented in most modern FPGAs to prevent this possibility.
(4) Physical attack against SRAM-based FPGAs. The objective of such an attack is to obtain information concerning the physical structure of the FPGA chip by studying specific areas in the chip. These attacks usually target parts of the FPGA that are inaccessible through input-output channels. Special instruments based on focused ion beams capable of reading the FPGA structure can be used for such an attack. However, it is rather difficult to implement the attack due to the complexity of the required instrument.
(5) Side-channel attack. Such an attack is intended to obtain information on the FPGA chips’ performance and physical parameters, such as power consumption, execution time, and electromagnetic fields. By analyzing these signatures, information about the underlying implementation might be exposed. The tasks of collecting and processing of such information are nontrivial. However, there are known complex techniques requiring only several measurements to attack a system.
All the above forms of attacks require a rather difficult and sophisticated data analysis of the indirect information obtained. Therefore, the fact alone that an adversary has obtained such data does not guarantee the successful recovery of the original FPGA electronic design.
Despite the above challenges, the FPGA technology has certain beneficial properties for assuring cyber security. For example, FPGA-based system operation does not rely on a complex operating system and therefore does not have dormant, unused functionalities that can be attacked. The FPGA chip just works deterministically through the calculations that it was programmed for in the application development process.
Furthermore, there are no known viruses and malware for HDL code, a language which is used for the initial programming of the FPGA during the development process. In addition, the FPGA-based devices have a simple and structured design, therefore their V&V processes will more likely detect the presence of potential malicious designs. The physical access to the FPGA chips is also strictly controlled. For example, the HDL code is located in a flash memory (on a separate chip) without offering any physical access for modification while in on-line operating mode. Furthermore, FPGA programming and reprogramming can be done only through a special interface. It is impossible to connect common storage media or communication devices that could infect the control logic code, as was the case in the Stuxnet attack (see also NEI magazine November 2010, pp22-3).
This paper is based on several conference papers written by the same authors:
A. Andrashov et al, Verification of FPGA-based NPP I&C systems: General Approach and Techniques, Proceedings of the 19th International Conference on Nuclear Engineering (ICONE19), May 16-19, 2011, Chiba, Japan
A. Andrashov et al, Innovative Approach to Implementation of FPGA-based NPP Instrumentation and Control Systems, Proceedings of ICI2011 (ISOFIC, CSEPC, ISSNP 2011) Conference, August 21-25, 2011, Daejeon, Korea
|The Radiy FPGA-based I&C platform|
Founded in 1954, Radiy first produced electronics and television broadcasting and transmission equipment for the Soviet Union, before moving into space launching systems in the 1980s. Its first nuclear power plant work, producing replacement hardware and control systems in the 1990s, led it to develop its first generation FPGA-based devices.
In 2002 it developed the FPGA-based platform called RadICS. This platform is a set of general-purpose building blocks that can be configured and used to implement application-specific functions and systems. The RadICS platform is composed of various standardized modules, each based on the use of FPGA chips as computational engines. Over the past 15 years RPC Radiy has designed, manufactured, and supplied FPGA-based digital I&C systems and components for more than 70 safety-critical applications in operating nuclear power plants.
The basic configuration for the RadICS platform consists of an instrument rack containing the logic module and the diagnostic module, plus up to 14 other I/O modules and fibre-optic communication modules. Logic modules gather input data from input modules, execute user-specified logic, and update the value driving the output modules. Diagnostic modules gather diagnostic and general health information from all I/O modules and the logic module. The I/O modules provide interfaces with field devices (for example, sensors, transmitters, actuators). The functionality of each module is driven by the logic implemented in the onboard FPGA(s).