The SASCrypt IP Kit offers hands-on experience with wire-speed cryptography applied to real-time traffic. The technology addresses the challenge of securing OT traffic with an extremely low-latency, jitter-free solution. It can be used to secure control-oriented real-time traffic (IEC 62351-6), Ethernet-based field-buses* (EtherCAT, Profinet, etc.) or TSN Scheduled Traffic*.

*: The current release of the Kit supports IEC 62351-6 Layer-2 messages (GOOSE and SMV).

SASCrypt IP is an IP core for FPGAs, described in VHDL, that processes an Ethernet traffic data flow bidirectionally. Ciphering/deciphering and authentication operations are applied to the selected traffic, while the remaining messages are bypassed transparently. A flexible AES-GCM engine is integrated within the IP, with different implementation options available depending on the required data throughput versus resources.

This wire-speed IP is aware of the secure frame format defined for each protocol. The kit embeds the IP personality for IEC 62351-6, SASCrypt IP, which targets the strict real-time traffic used in Substation Automation Systems and in new Smart Grid premises. As an example, it protects the GOOSE and Sample-Measured-Values (SMV) frames exchanged between critical equipment within these premises, such as Merging Units or IEDs.
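The select-or-bypass decision described above can be sketched in software as follows. This is an added example, not SoC-e code or the IP's actual logic: it assumes selection is made on the registered EtherTypes for GOOSE (0x88B8) and Sampled Values (0x88BA) after skipping any VLAN tags, and the function names and sample frames are constructed for illustration.

```python
import struct

# Registered EtherTypes (IEEE registry values, not taken from the page).
ETH_GOOSE = 0x88B8   # IEC 61850 GOOSE
ETH_SV = 0x88BA      # IEC 61850 Sampled Values (SMV)
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag

PROTECT, BYPASS = "protect", "bypass"


def classify(frame: bytes):
    """Return (action, ethertype, payload_offset) for one Ethernet frame.

    Assumption: frames too short to hold a complete header are passed
    through untouched, like any other non-selected traffic.
    """
    offset = 12  # skip destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            return BYPASS, None, None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype in VLAN_TPIDS:
            offset += 2  # skip the 2-byte tag control information
            continue
        break
    action = PROTECT if ethertype in (ETH_GOOSE, ETH_SV) else BYPASS
    return action, ethertype, offset


def _frame(ethertype, vlan=None, payload=b"\x00" * 8):
    """Build a constructed sample frame (sample MAC addresses)."""
    hdr = bytes.fromhex("010ccd010001") + bytes.fromhex("020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed inputs: tagged GOOSE, untagged SMV, IPv4, and a cut-off frame.
SAMPLES = {
    "goose_vlan": _frame(ETH_GOOSE, vlan=0x8005),
    "smv": _frame(ETH_SV),
    "ipv4": _frame(0x0800),
    "truncated": _frame(ETH_GOOSE, vlan=0x8005)[:15],
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame))
```

The returned payload offset marks where the protected protocol data begins, which is the point from which an AES-GCM stage would take over for selected frames.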

The Kit is composed of two SMARTmpsoc bricks, as shown in the following figure. The two boards are connected through a 1 GbE Ethernet link that carries both secure and non-secure traffic. The additional Ethernet links are used to monitor the Ethernet traffic and to integrate other devices such as external traffic generators.

 

The internal block diagram of the designs implemented in each board is depicted in the following figure. The PS section hosts a Linux system that communicates with the FPGA section (PL) internally through a standard Ethernet GMAC (GMAC0). The SASCrypt IP, implemented in the PL section, is attached to that GMAC and processes all the security in hardware, transparently to the applications running on the CPUs. This IP is 1588-aware; it therefore runs Transparent Clock (TC) operation in order to apply the timing corrections needed to ensure the nanosecond-range synchronization required in new-generation field-buses (Profinet IRT, TSN, 1588-aware Ethernet networks, etc.).

The IP also communicates with the PS section through a dedicated AXI4 interface. A dedicated driver links the key management protocols with the key registers of the IP. As an example, these security mechanisms have been standardized for the electric sector under IEC 62351-9: “Cyber security Key management for Power System Equipment”. It details the AKM and SKM processes with the PKI and KDC servers required to handle the enrollment of the equipment in the grid and to communicate the complex key scheme defined for the sector. SoC-e provides a full IEC 62351-9 stack supporting TPM ICs to automate AKM and SKM independently of the complexity of the network.

Order information:

  • Reference: SAScrypt Kit 10.8
  • Material included: 2x SMARTmpsoc modules, 2x SMARTcarrier boards, 2x Power Supplies, 4x SFP 10/100/1000Base-T copper, 2x USB cable, 1x Ethernet link cable
  • Price: 4.250 Euro (VAT and shipping costs not included)

To receive more information about this product, please contact the SoC-e Sales Team directly at: info@soce-old.siropeprojects.com