The Internal Configuration Access Port (ICAP), defined by the ICAPE3 primitive, provides the user logic with access to the FPGA configuration interface. The ICAP interface is similar to the SelectMAP interface, although the restrictions on readback for the SelectMAP interface do not apply to the ICAP interface after configuration. You can send a partial bitstream, whether encrypted or unencrypted, or perform readback through the ICAP interface, even if bitstream encryption is used. Unless the designer wires the ICAPE3 primitive to user I/O, this interface does not offer attackers a method for defeating the FPGA AES encryption scheme.
If you are concerned about the security of your design, you should not wire the ICAPE3 interface to the user I/O. Connecting the ICAPE3 clock does not impact security.
Like the other configuration interfaces, the ICAP interface does not provide access to the key register.
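One way to check a design against the guidance above on keeping ICAPE3 away from user I/O, as an added example that is not part of the original documentation. It is a Tcl procedure for the Vivado Tcl console, run on an opened synthesized or implemented design, that reports every ICAPE3 pin other than the clock with a combinational path to a top-level port. The use of Vivado and the procedure name `check_icap_io_exposure` are assumptions, not taken from the page.

```tcl
# Added example (not vendor code). Assumes a synthesized or implemented
# design is open in Vivado. check_icap_io_exposure is a hypothetical name.
proc check_icap_io_exposure {} {
    set findings {}
    # Every ICAPE3 instance anywhere in the design hierarchy.
    set icaps [get_cells -quiet -hierarchical -filter {REF_NAME == ICAPE3}]
    foreach cell $icaps {
        # CLK is skipped: the page states that the clock connection
        # does not impact security.
        foreach pin [get_pins -quiet -of_objects $cell -filter {REF_PIN_NAME != CLK}] {
            # Inputs are traced back to their timing startpoints,
            # outputs forward to their timing endpoints.
            if {[get_property DIRECTION $pin] eq "IN"} {
                set ends [all_fanin -quiet -flat -startpoints_only $pin]
            } else {
                set ends [all_fanout -quiet -flat -endpoints_only $pin]
            }
            foreach obj $ends {
                # A top-level port at the far end means the pin is
                # reachable from, or drives, user I/O.
                if {[get_property CLASS $obj] eq "port"} {
                    lappend findings "$pin <-> top-level port $obj"
                }
            }
        }
    }
    return $findings
}

set hits [check_icap_io_exposure]
if {[llength $hits] == 0} {
    puts "No ICAPE3 data/control pin has a combinational path to a top-level port."
} else {
    foreach h $hits { puts "ICAP exposure: $h" }
}
```

Paths that pass through registers are not traced, so a clean report covers only direct wiring through I/O buffers and combinational logic.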