System Firmware

System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.

An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. [1]

ID: T0857
Sub-techniques:  No sub-techniques
Platforms: Field Controller/RTU/PLC/IED, Input/Output Server, Safety Instrumented System/Protection Relay
Version: 1.1
Created: 21 May 2020
Last Modified: 26 September 2022

Procedure Examples

ID Name Description
G0034 Sandworm Team

In the Ukraine 2015 Incident, Sandworm Team developed and used malicious firmware to render communication devices inoperable. [2]

S1009 Triton

Triton is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. [3]


ID Mitigation Description
M0801 Access Management

All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.

M0947 Audit

Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.

M0946 Boot Integrity

Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. [4]Move system's root of trust to hardware to prevent tampering with the SPI flash memory. [5]Technologies such as Intel Boot Guard can assist with this. [6]

M0945 Code Signing

Devices should verify that firmware has been properly signed by the vendor before allowing installation.

M0802 Communication Authenticity

Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.

M0808 Encrypt Network Traffic

The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.

M0941 Encrypt Sensitive Information

The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.

M0937 Filter Network Traffic

Filter for protocols and payloads associated with firmware activation or updating activity.

M0804 Human User Authentication

Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.

M0807 Network Allowlists

Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. [7]

M0930 Network Segmentation

Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [7]

M0813 Software Process and Device Authentication

Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.

M0951 Update Software

Patch the BIOS and EFI as necessary.


ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor device application logs for firmware changes, although not all devices will produce such logs.

DS0001 Firmware Firmware Modification

Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.[8] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.[9] [10] [11]

DS0029 Network Traffic Network Traffic Content

Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.

DS0040 Operational Databases Device Alarm

Monitor for firmware changes which may be observable via operational alarms from devices.