xIoT Firmware Security is Only as Good as its Source

Former Gartner analyst Brad LaPorte discusses the problems, challenges, and intricacies of securing firmware.

In our world of increasingly high demand for tighter and firmer cybersecurity measures, informational and operational technology security development teams are constantly experimenting with new methods to prevent malicious, catastrophic data breaches. We call this world the "Fourth Industrial Revolution," more commonly known as "Industry 4.0". With Industry 4.0 upon us, cybersecurity is becoming increasingly complex for many reasons, but the most pressing concern is the tenacity and resourcefulness of modern cybercriminals. 

Device hardware stores software, so it is equally imperative that hardware stays up to date. However, replacing device hardware is not nearly as convenient and straightforward as replacing software. Software updates typically involve accepting an automated notification without any real thought. On the other hand, hardware replacement is far more tedious and requires some niche expertise that not every device end-user will possess. The good news is we can avoid device hardware replacement complications if we shift our focus to firmware. For the most part, firmware updates can bridge the gap between software and hardware updates.

An Unaddressed Attack Surface

Today, cybercriminals are constantly planning new strategies and tactics to breach even the most state-of-the-art IT security standards. One of the most widely discussed and promising methods IT security experts are currently exploring is increased firmware security visibility and innovation. Even though this technique has proven highly effective, and firms using this threat protection tactic are seeing fewer security breaches annually, firmware security still has its share of problems. Thus far, the most pressing shortcoming with firmware security implementations is supply chain deficiencies. End-users commonly resource components and materials used for firmware innovation from many third-party vendors who are usually not compatible with one another and do not follow synchronous patching cycles. This issue brings about logistical problems and gives rise to additional cybersecurity risks. Poorly planned incompatible firmware component layout, mainly from various suppliers, often leads to other security risks for hackers to breach network perimeters.

Once end-users have resourced and allocated all the necessary equipment to implement into their device hardware, the firmware will, in turn, be composed of scores of different components from dozens of other manufacturers. This has been a general procedure in recent decades, and because of this, most firms have considered it an utterly harmless practice. Once the components are resourced from the manufacturers, IT security end-users will pay almost no attention to the Software Bill of Materials (SBOM) attached to the products. 

The Need For SBOMs

The SBOM is a list of ingredients labeled for a software device component, and the end-user should constantly meticulously scrutinize it. In other words, neglecting this one step is extremely careless of security teams and will often lead to grave consequences. With so many different parts from different vendors coming into one end user, there is almost a complete guarantee for a software breach. There is such a diverse spectrum of components present that one will almost always come with malware embedded within it, leading to firmware-level vulnerabilities. Once this malware-ridden component is integrated with the device firmware, cyber attackers are essentially given an undefended approach to compromise the device. This problem can persist on a system even after a hard-drive replacement or operating system reinstall. These exact instances have occurred on billions of different devices worldwide. These malicious software bugs typically go undetected within the firmware for months and sometimes even years to make matters even more dire. Meaning cyberattacks have an enormous time window to capitalize on these vulnerabilities. It may be too late for security teams to reverse the damage by the time they are discovered.

This inherent hardware crisis has become so formidable over the last thirty years, mainly due to IT teams' unsystematic component resourcing strategies to assemble their device firmware. Teams outsource from so many different vendors to get all the required components. This problem exists because there is not one manufacturer that provides every single required component! This means the vendors also struggle with assisting their clients with vulnerability management after product distribution. This problem only snowballs when IT threat prevention teams do little research to identify the continuity and cohesiveness among the parts they order or even glance at the product BOMs. If threat management teams researched component SBOMs, they would immediately see that allocating components with even harmless software bugs can have devastating consequences. If multiple firmware components, all with benign malware, are ordered and integrated within the same device, their consolidation may lead to malicious consequences. In short, allocating different components for device hardware without doing the necessary homework concerning SBOMs and continuity/compatibility will almost always lead to catastrophe and introduce cybercriminals to new opportunities to compromise device firmware.

When these firmware devices are 'frankensteined' from so many different components from different vendors, serious IT security problems arise. Moreover, this creates countless vulnerabilities for hackers to uncover before device users find them and can begin to do anything about them. Once they are compromised, solutions to patching the vulnerabilities give rise to even more complications.  

Patching Problems

Device component vendors all update their firmware independently. When developing firmware updates, they must be produced methodically in chronological format. The system must enter a temporary standby mode when one step is completed before the next step is initiated. A motivated and semi-skilled cybercriminal could breach into the device server while this standby phase is ongoing, disrupt the firmware update order, and compromise the device this way. 

Component patching procedures come from the vendors' patch cycles, which, as mentioned earlier, are never in sync with one another. The lack of synchronization among vendor patch cycles typically forces firmware vulnerability patching to take 6 to 9 months. Since each vendor follows its patch cycle, even known vulnerabilities cannot be patched until the next firmware update is released. Combine these unorganized patch notifications with the lack of collaboration among component vendors, and patching becomes even more challenging for end-users to seal known security breaches or fully understand how severe newly announced vulns will be. However, in a world where the xIoT(extended Internet of Things) is connected to over 30 billion devices in most ICSs (Industrial Control Systems), we can almost say without complete certainty that the result would be devastating and only grow exponentially with time.

Patching a compromised vulnerability is not a simple, quick process either. Even when a malicious bug is patched, hackers will have already discovered other vulnerabilities within the device firmware (since there are so many) that the patch will have barely slowed down the attack. Furthermore, firmware bugs can quickly disperse among the device and be re-implemented even after being patched. In other words, patching is a tedious, lengthy game of "Whack-a-Mole" against vulnerability breaches and is largely ineffective. 

What Can Be Done?

Now that the spotlight has shown the negative side of firmware supply chains, let's address the elephant in the room — what can be done to fix the problem? Fortunately, many IT consulting firms and solution providers are working on monumental and revolutionary efforts to ensure more substantial visibility within firmware device components. NetRise is one such enterprise. 

NetRise has built a groundbreaking firmware and IoT security platform by approaching network risk management from a different vantage point. NetRise provides one of the first network security platforms to truly appreciate the value and usefulness of the SBOM and analyze it with unmatched expertise. This procedure will exponentially reduce the number of malware-ridden devices within the hardware and lead to far lower threat vulnerability. NetRise also provides outstanding firmware visibility features that can constantly trace clients' devices and servers to monitor network perimeters for potential cyber-attacks. 

To improve network security and lower data breach threat levels, device firmware analysis is the best place to start. If you need help getting started, there is no better partner to work with than NetRise. NetRise offers unrivaled products and features that no competitor can match, with a mission to help clients better understand their cyber vulnerabilities and improve network security.

For more information or support with XIoT security, please reach out to us today.

*Source: Ordr "Rise of the Machines"