Modify Firmware

Firmware is low-level software embedded in hardware that enables systems and devices to function properly and is commonly found in ICS environments. Adversaries may modify firmware on a system or device by installing malicious or vulnerable versions that enable them to achieve objectives such as Persistence, Impair Process Control, and Inhibit Response Function.

Adversaries may modify system and device firmware by using the built-in firmware update functionality which may support local or remote installation. The malicious or vulnerable firmware may be delivered via Replication Through Removable Media, Supply Chain Compromise, or Remote Services. Once installed, the malicious or vulnerable firmware could be used to provide Rootkit and Hooking functionality, Exploitation for Privilege Escalation, or Denial of Service.[1]

ID: T1693
Sub-techniques: T1693.001, T1693.002
Version: 1.0
Created: 20 April 2026
Last Modified: 23 April 2026

Targeted Assets

ID Asset
A0017 Distributed Control System (DCS) Controller
A0018 Programmable Automation Controller (PAC)
A0003 Programmable Logic Controller (PLC)
A0010 Safety Controller

Mitigations

ID Mitigation Description
M0801 Access Management

All device or system changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.

M0947 Audit

Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.

M0946 Boot Integrity

Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology.[2] Move the system's root of trust to hardware to prevent tampering with the SPI flash memory.[3] Technologies such as Intel Boot Guard can assist with this.[4]

M0945 Code Signing

Devices should verify that firmware has been properly signed by the vendor before allowing installation.

M0802 Communication Authenticity

Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.

M0808 Encrypt Network Traffic

The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.

M0941 Encrypt Sensitive Information

The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.

M0937 Filter Network Traffic

Filter for protocols and payloads associated with firmware activation or updating activity.

M0804 Human User Authentication

Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.

M0807 Network Allowlists

Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.[5]

M0930 Network Segmentation

Segment operational networks and systems to restrict access to critical system functions to predetermined management systems.[5]

M0813 Software Process and Device Authentication

Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0904 Detection of Firmware Modification AN2047

Monitor for firmware changes, which may be observable via operational alarms from devices.

Monitor device application logs for firmware changes, although not all devices will produce such logs.

Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.

Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.[6] Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.[7][8][9]
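The Audit mitigation (M0947) and the detection analytic above both come down to comparing an image against trusted data: a vendor hash before the image is staged, and a known-good baseline after a dump. The following is an added example, not code from the ATT&CK page or any vendor tool; the image bytes, file name and manifest are constructed placeholders standing in for a real vendor release and asset-inventory baseline.

```python
import hashlib
import hmac

# Constructed sample data (not a real firmware image): a 4 KiB "known-good" image
# and a trusted SHA-256 manifest of the kind a vendor site or asset inventory provides.
KNOWN_GOOD_IMAGE = bytes(range(256)) * 16
TRUSTED_MANIFEST = {"plc-fw-2.1.bin": hashlib.sha256(KNOWN_GOOD_IMAGE).hexdigest()}


def audit_firmware(name: str, image: bytes, manifest: dict) -> bool:
    """M0947 Audit: only stage an image whose SHA-256 matches the trusted manifest.
    An image with no manifest entry is rejected rather than trusted by default."""
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(image).hexdigest()
    # constant-time compare so the check itself leaks nothing about partial matches
    return hmac.compare_digest(actual, expected)


def diff_regions(baseline: bytes, dumped: bytes, block: int = 256) -> list:
    """DET0904: compare a dumped image with the known-good baseline and return the
    (offset, length) ranges, in block-sized regions, that differ. A dump that is
    longer than the baseline (e.g. an appended module) is reported as a difference
    past the baseline's end rather than silently ignored."""
    regions = []
    size = max(len(baseline), len(dumped))
    start = None
    for off in range(0, size, block):
        same = baseline[off:off + block] == dumped[off:off + block]
        if not same and start is None:
            start = off
        elif same and start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, size - start))
    return regions


if __name__ == "__main__":
    tampered = bytearray(KNOWN_GOOD_IMAGE)
    tampered[0x300] ^= 0xFF  # constructed single-byte modification
    print("audit passes:", audit_firmware("plc-fw-2.1.bin", bytes(tampered), TRUSTED_MANIFEST))
    print("differing regions:", [(hex(o), n) for o, n in diff_regions(KNOWN_GOOD_IMAGE, bytes(tampered))])
```

The offsets reported by diff_regions are what an analyst would then inspect by hand (or with a tool such as CHIPSEC) to decide whether a change is a legitimate patch or a malicious modification.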

References