Protecting against firmware supply chain attacks is crucial for all organizations. Firmware supply chain attacks are on the rise, with cybersecurity experts predicting that firmware attacks will be widespread in 2023.
Boris Balacheff, HP Inc.’s chief technologist for system security research and innovation, suggests that companies must take control and understand firmware security. “Access to the firmware level enables attackers to gain persistent control and hide below the device operating system, making them very hard to detect – let alone remove and take back control,” Balacheff notes. “Organizations should ensure they understand industry best practices and standards in device hardware and firmware security.”
Why is it important?
Firmware is low-level code that controls a device’s hardware so that it functions correctly. An attacker who compromises the firmware can gain control of the device and access sensitive data or take control of critical infrastructure. Firmware supply chain attacks are particularly insidious because they are difficult to detect and can compromise many devices at once. They can occur anywhere in the firmware supply chain, from the manufacturer to the end user. Threat actors introduce firmware supply chain threats in various ways, such as through tampered updates or compromised hardware.
Understandably, failing to protect against firmware supply chain attacks can have devastating impacts. These range from data theft and financial losses to disruption of critical infrastructure and loss of life. For example, an attacker can compromise the firmware of a medical device, potentially causing harm to patients. In addition, firmware supply chain attacks can damage an organization’s reputation and erode customer trust.
As organizations invest in security solutions to protect databases, networks, and critical information systems from attacks, they must also prioritize firmware security in the supply chain. Firmware supply chain attacks are hard to detect, unpredictable, and often the most damaging. Therefore, organizations must take appropriate steps to protect against them.
Supply Chain Security begins with you.
A firmware supply chain attack only takes effect once a device or machine carrying compromised firmware is introduced into your IT environment. In this regard, understanding firmware security starts at the organizational level. Specifically, organizations should ask the following questions when assessing the risks of firmware supply chain attacks to the business:
- Who are our supply chain vendors?
- Do we have a plan to identify and protect against firmware supply chain attacks?
- Who do we call when a firmware supply chain attack strikes?
- How do we go about damage control and public relations during a supply chain outage?
- What are the risks of firmware supply chain attacks in terms of financial losses, sensitive data, and organizational reputation?
- Are we covered for damages?
Answering these questions allows you to assess the risks and impacts of potential firmware supply chain attacks. But you should also evaluate the supply chain’s security practices before deploying any new devices in your network. Asking your supply chain the following questions can provide a better understanding of your suppliers’ cybersecurity strategies and inform your choice of the most secure suppliers:
- Do you perform secure code reviews?
- How do you protect data at rest and in motion?
- Do you perform external and internal penetration testing?
- Do you have procedures around who can access our data at the company?
- What is the lifecycle of our data?
- How is our data backed up?
- What are your RPO/RTO targets for our data?
- What is your process for reporting data breaches involving our data?
- What are your security best practices for implementation that we should follow?
- Do you have internal processes and reviews of your vendors who may have access to our data?
Security practices to protect against Supply Chain Attacks
Verify the authenticity of firmware updates.
Organizations must verify the authenticity of firmware updates. This best practice ensures that every firmware update comes from a legitimate source and has not been tampered with. In practice it means checking each update’s digital signature against the vendor’s signing key before the update is applied. Verifying firmware updates prevents attackers from introducing malware or other malicious code into the firmware.
Regular security audits.
Performing regular security audits helps organizations identify vulnerabilities and potential attack points in their firmware supply chain. The security audits should include a comprehensive assessment of security controls, risk management procedures, and incident response plans. Also, the security audits should check the firmware’s integrity, supply chain security, and authentication of firmware updates to ascertain they are legitimate and from the original vendors.
Use of secure boot processes.
A secure boot process is a critical but often overlooked practice in firmware security. Configuring all machines to boot through a secure boot process ensures that they load trusted firmware only. When secure boot is enabled, the firmware’s integrity and authenticity are verified before it is loaded, which prevents malware from being installed at the firmware level. You can use hardware-based or software-based security measures to configure and enable secure boot processes.
Monitor and perform background checks on supply partners.
Organizations should monitor their supply chain partners for signs of compromise or suspicious activity. Monitoring suppliers’ security practices can help detect and prevent attacks before they occur. For example, organizations can use threat intelligence and other security measures to monitor their suppliers and ensure they comply with security best practices.
Additionally, it is vital to conduct background checks on vendors. Performing due diligence before entering any business arrangement with vendors and suppliers ensures that they have a strong security posture and adhere to best practices.
Some factors to consider when performing background checks include checking their reputation, history of security incidents, and compliance with relevant security standards and regulations.
Implement patch management strategies.
Firmware development and supply is a multi-party process that involves manufacturers, developers, vendors, and assembly lines. As a result, patching a new vulnerability may take several months, since each party in this complex supply chain may need to develop patches for its own components. However, with effective patch management practices, organizations can mitigate emerging vulnerabilities at the firmware level.
Consistent and timely patching protects against zero-days and other exploits that lead to firmware supply chain attacks. Organizations should implement a patch management program to ensure that firmware and other software are updated with the latest security patches.
Regular Vulnerability Assessments.
Frequent vulnerability assessments can help organizations identify weaknesses in the firmware supply chain and take corrective action. Internal security teams or third-party security experts can perform the assessments regularly to identify and mitigate any security weaknesses that threaten firmware security. Each assessment should include a comprehensive review of the implemented security controls, compliance with the necessary security standards, and firmware integrity.
About Pulsar Security
Pulsar Security is a team of highly trained and qualified ethical hackers whose job is to leverage cybersecurity experience and proprietary tools to help businesses defend against malicious attacks. Pulsar is a Veteran, privately owned business built on vision and trust, whose leadership has extensive military experience enabling it to think strategically and plan beyond the problems at hand. The team leverages offensive experience to offer solutions designed to help analyze and secure businesses of all sizes. Our industry experience and certifications reveal that our engineers have the industry's most esteemed and advanced on-the-ground experience and cybersecurity credentials.