Global IT infrastructure has become increasingly interconnected and interdependent. As a result, operational resilience has continued to climb up CISOs’ agendas. While organizations have matured their handling of software threats, many are struggling with poor visibility and inadequate tools to defend against lower-level threats targeting hardware and firmware, which is proving to be a barrier to resilience.
Supply chain attacks can come in many forms, from ransomware groups compromising suppliers’ infrastructure, to tampering with hardware and firmware. Beyond disruption, the reason why these attacks are so damaging is because they undermine the hardware and firmware foundations of devices, often in ways that are difficult to detect and fix, meaning that software and data cannot be trusted to be secure.
Principal Threat Researcher in the HP Security Lab.
Regulators have begun to move to strengthen supply chain security. The UK has implemented new IOT cybersecurity regulations and is drafting a Cyber Security and Resilience Bill to “expand the remit of regulation to protect more digital services and supply chains”. In the US, Executive Order 14028 accelerated the development of software supply chain security requirements for government procurement, explicitly including firmware. The EU is introducing new cyber security requirements at every stage of the supply chain, starting with software and services with the Network and Information Systems (NIS2) directive, and extending to devices themselves with the Cyber Resilience Act to ensure safer hardware and software.
A survey from HP Wolf Security found that 30% of UK organizations say that they or others they know have been impacted by state-sponsored actors trying to insert malicious hardware or firmware into PCs or printers, highlighting the need to address physical device security risks.
Hardware and firmware attacks have major ramifications
The impact of failing to protect the integrity of endpoint hardware and firmware is high. A successful compromise at these lower layers can hand attackers unparalleled visibility and control over a device. The attack surface exposed by hardware and firmware has been a target for skilled and well-resourced threat actors like nation-states for years, offering a stealthy foothold below the operating system (OS). But as the cost and skill of attacking hardware and firmware falls, this capability is trickling down into the hands of other bad actors.
Given the stealthy nature and complexity of firmware threats, real-world examples are not as frequent as malware targeting the OS. Examples like LoJax, in 2018, targeted PC UEFI firmware to survive OS reinstalls and hard drive replacements on devices lacking protection. More recently, the BlackLotus UEFI bootkit was designed to bypass boot security mechanisms and give attackers full control over the OS boot process. Other UEFI malware such as CosmicStrand can launch before the OS and security defenses, allowing attackers to maintain persistence and facilitate command-and-control over the infected computer.
Firms are also concerned about attempts to tamper with devices in transit, with many reporting being blind and unequipped to detect and stop such threats. 75% of UK organizations say they need a way to verify hardware integrity to mitigate the threat of device tampering.
Maturing the approach to endpoint hardware and firmware security
In recent years, IT teams have gotten better at managing and monitoring the software security configuration of devices, and are improving their ability to track software provenance and supply chain assurance. Now, it’s time to bring the same level of maturity to managing and monitoring hardware and firmware security across the entire lifespan of endpoint devices.
Organizations can start by taking the following steps:
- Securely manage firmware configuration throughout the lifecycle of a device, using digital certificates and public-key cryptography. By doing so, administrators can begin managing firmware remotely and eliminate weak password-based authentication.
- Make use of vendor factory services to enable robust hardware and firmware security configurations right from the factory
- Adopt Platform Certificate technology to verify hardware and firmware integrity once devices have been delivered
- Monitor ongoing compliance of device hardware and firmware configuration across your fleet of devices – this is a continuous process that should be in place as long as devices are in use.
Ultimately, endpoint security depends on strong supply chain security, which starts with the assurance that devices, whether PCs, printers, or any form of IoT, are built and delivered with the intended components. This is why organizations should increasingly focus on securing the hardware and firmware foundations of their endpoints, by managing, monitoring and remediating hardware and firmware security throughout the lifetime of any device in their fleet.
We’ve featured the best online cybersecurity course.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
Leave a comment