Monitor for firmware changes which may be observable via operational alarms from devices.
Monitor device application logs for firmware changes, although not all devices will produce such logs.
Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.
Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.[1] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.[2] [3] [4]
| Data Component | Name | Channel |
|---|---|---|
| Device Alarm (DC0108) | Operational Databases | None |
| Application Log Content (DC0038) | Application Log | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
| Firmware Modification (DC0004) | Firmware | None |