Boris Balacheff, Chief Technologist for Security Research and Innovation, HP Inc. Security Lab
September 13, 2024
COMMENTARY
Operational resilience is becoming a watchword of IT and business leaders, and for good reason. Global IT infrastructure is now highly interconnected and interdependent and must be resilient to all manner of threats. But one of the most overlooked cybersecurity risks — and a blind spot highlighted in a recent HP Wolf Security survey — is the challenge of mitigating hardware and firmware threats. Hardware supply chain security does not end with devices being delivered. It extends through the entire lifetime of devices being used in the infrastructure and even beyond, when repurposed from one owner to the next.
Disruptions to the hardware supply chain can take many forms: from physical supply chain disruptions by ransomware groups to tampering with hardware or firmware to deploy stealthy and persistent malicious implants at any stage of the device's lifetime. These attacks undermine the hardware and firmware foundations of devices upon which all software runs, making it critical that organizations are equipped with endpoints designed from the ground up to be resilient to such threats.
Governments have started to act to strengthen supply chain security. In 2021, US Executive Order 14028 accelerated the development of software supply chain security requirements for government procurement, with firmware explicitly in scope. The European Union (EU) is introducing new cybersecurity requirements at every stage of the supply chain, starting with software and services, with the Network and Information Systems (NIS2) directive, and extending to devices themselves with the Cyber Resilience Act to ensure safer hardware and software. Many other countries are active in this space, such as the UK with its new Internet of Things (IoT) cybersecurity regulations, and the Cyber Security and Resilience Bill to “expand the remit of regulation to protect more digital services and supply chains.”
Meanwhile, organizations are grappling with hardware and firmware threats. Thirty-five percent of organizations say that they or others they know have been affected by state-sponsored actors trying to insert malicious hardware or firmware into PCs or printers. Amid this regulatory backdrop and growing concerns over supply chain attacks, organizations must consider a new approach to physical device security.
The Impact of Attacks on Hardware and Firmware Integrity
The consequences of failing to protect endpoint hardware and firmware integrity are severe. Attackers who successfully compromise devices at the firmware or hardware layer can gain unparalleled visibility and control. The attack surface exposed by lower layers of the technology stack has been a target for some time for skilled and well-resourced threat actors, like nation-states, because it enables a stealthy foothold below the operating system. These offensive capabilities can quickly find their way into the hands of other bad actors. Compromises at the hardware or firmware level are persistent, providing attackers with a high level of control over everything on the system. They're hard to detect and remediate with current security tools that typically focus on OS and software layers.
Given the stealthy nature and sophistication of firmware threats, real-world examples are not as frequent as malware targeting the OS. LoJax, in 2018, targeted PC UEFI firmware to survive OS reinstalls and hard drive replacements on most devices, which didn't have state-of-the-art protection. More recently, the BlackLotus UEFI bootkit was designed to bypass boot security mechanisms and give attackers full control over the OS boot process. Other UEFI malware, such as CosmicStrand, can launch before the OS and security defenses, allowing attackers to maintain persistence and facilitate command-and-control over the infected computer.
Organizations are also concerned about attempts to tamper with devices in transit, with many reporting being blind and unequipped to detect and stop such threats. Seventy-seven percent of organizations say they need a way to verify hardware integrity to mitigate the threat of device tampering.
Bringing Security Maturity to Endpoint Hardware and Firmware
As a community, we have matured our processes to manage and monitor software security configuration over the life of a device, and we are improving our ability to track software provenance and supply chain assurance. It's time to bring the same levels of maturity to the management and monitoring of hardware and firmware security, throughout the entire lifetime of endpoint devices, because devices, as long as they are in use, constitute the hardware supply chain for an organization.
The technical capabilities to enable this across devices have not been available broadly, because it all must start with security by design from the hardware up. This is an area that we have been investing in for more than two decades, and today, the foundations are in place. Organizations should start actively adopting the capabilities available from manufacturers and devices for security and resilience, to proactively take control of hardware and firmware security management across their devices' life cycle.
There are four key steps organizations can take to proactively manage device hardware and firmware security:
Securely manage firmware configuration throughout the life cycle of a device, using digital certificates and public-key cryptography. This enables administrators to manage firmware remotely and eliminate weak password-based authentication.
Take advantage of vendor factory services to enable robust hardware and firmware security configurations right from the factory.
Adopt platform certificate technology to verify hardware and firmware integrity once devices have been delivered.
Monitor ongoing compliance of device hardware and firmware configuration across your fleet of devices — this is a continuous process that should be in place as long as devices are in use by the organization.
System security relies on strong supply chain security, which starts with the assurance that devices, whether PCs, printers, or any form of IoT, are built and delivered with the intended components. This is why organizations should increasingly focus on developing secure hardware and firmware foundations, enabling them to manage, monitor and remediate hardware and firmware security throughout the lifetime of any device in their fleet.