In today’s digital world, organizations can gain significant competitive advantages by applying data analysis to inform new products or services. Furthermore, technologies like 5G and IoT make it easier than ever to connect devices to the Internet to share data. This has led to a virtual tsunami of new data. Research analyst firm Statista forecasts global data creation will hit 180 zettabytes by 2025. The wealth of information captured in this data (credit card numbers, social security numbers, proprietary IP) makes it an attractive target for hackers, and as the amount of data collected and stored in data centers grows, so does the creativity and sophistication of the cyberattacks against them.
Firmware in central processing units (CPUs), graphics processing units (GPUs), storage devices, and networking cards is a particularly enticing target because these devices are fundamental elements of electronic systems, and corruption at that level is that much more difficult to detect. It has long been critical to protect these devices from those wishing to steal data. As a result, in the largest data centers, devices such as these now tend to be well-protected.
Looking for other potential vulnerabilities, malicious hackers are increasingly targeting server components when they attempt to compromise a data center. Many common semiconductor components in a server (the embedded controller that regulates boot sequence, fan control, and battery management, for example) can have their firmware compromised or replaced with bogus firmware to gain unauthorized access to data on the server or disrupt normal server operations.
Firmware attacks are particularly insidious as server component firmware loads before the server’s OS is running and any anti-malware software is functional. This makes firmware attacks difficult to find and hard to eliminate once discovered.
However, many companies don’t give firmware security the attention it merits. In a survey of IT and security decision makers commissioned by Microsoft, respondents ranked a firmware breach as nearly as disruptive as a software or hardware breach, yet they commit less than a third of their security budgets to protecting firmware.
Enterprises must take firmware security in their data centers seriously or face the consequences. To that end, IT and security teams should focus on three factors when it comes to firmware security.
Establishing Device Authenticity
A server’s mainboard, its workload accelerators, and the add-on boards that enterprises install after purchase are designed by different vendors and manufactured around the world. The supply chains for these devices are vulnerable, and illegitimate firmware or hardware can be installed on a board at various points during production and testing, where it waits for an unsuspecting customer to install the compromised device in a server. IT teams must ensure that they can verify that any hardware they add to a server is performing to specification.
Establishing Code Authenticity
Data theft isn’t the only problem caused by compromised firmware; IP theft can also impact the profitability and reputation of component manufacturers. As mentioned above, semiconductors are often manufactured in one country and packaged in another country before finally being integrated into a system in a third country.
With so many touch points in the supply chain, it becomes easy for an unscrupulous contractor to copy a vendor’s firmware, install it on unauthorized silicon, and then sell the counterfeit part on the gray market. This not only impacts the original vendor’s profits, but it can also damage their reputation if the counterfeit device performs poorly.
Encryption is a well-established method for securing data against unauthorized access, but a new threat to encryption is raising concerns in cybersecurity circles. Properly applied, quantum computing can crack even the most sophisticated encryption technologies.
Most enterprises today use 128- and 256-bit encryption, which is more than enough to secure data against even the most determined attackers using traditional computing technology. But quantum computing can process data at exponentially faster rates: encryption algorithms that would have taken decades to crack using legacy computing methods can be cracked by quantum computing in days.
Protect Your Firmware With HRoT and Robust Encryption
Thankfully, in 2018, the National Institute of Standards and Technology (NIST) published its SP 800-193 guidelines for Platform Firmware Resiliency. According to NIST, these guidelines provide “security mechanisms for protecting the platform against unauthorized (firmware) changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely.”
“Implementers, including Original Equipment Manufacturers (OEMs) and component/device suppliers, can use these guidelines to build stronger security mechanisms into platforms. System administrators, security professionals, and users can use this document to guide procurement strategies and priorities for future systems.”
The NIST SP 800-193 standard promotes the use of a “Hardware Root of Trust (HRoT)” to ensure that firmware loaded into server components during the boot process is verified as legitimate before it is activated. The HRoT component is the first component to power on when a server boots, and it contains the cryptographic elements needed to verify its own firmware and the firmware of any component that powers on after the HRoT activates. By adding HRoT capabilities to a server’s embedded controller, enterprises can protect a server during the entire boot process, even before the OS and anti-malware software are loaded and operational.
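The following sketch is an added example, not code from NIST or from the author, showing the verify-before-activate order described above together with the detect and recover steps quoted from SP 800-193. The names ROT_KEY, sign_manifest, verify_image and secure_boot are hypothetical, the firmware blobs are constructed, and HMAC-SHA256 stands in for the asymmetric signature check a real HRoT would perform.

```python
import hashlib
import hmac

# Assumption: a real HRoT checks an asymmetric vendor signature against a public key
# in immutable storage; HMAC-SHA256 with a constructed key is a stdlib stand-in here.
ROT_KEY = b"constructed-demo-key"


def sign_manifest(component, image, key=ROT_KEY):
    """Vendor side: bind a component name to the digest of its firmware image."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, f"{component}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"component": component, "sha256": digest, "tag": tag}


def verify_image(manifest, image, key=ROT_KEY):
    """HRoT side: authenticate the manifest, then compare the image digest to it."""
    msg = f"{manifest['component']}:{manifest['sha256']}".encode()
    expected_tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False  # manifest was altered or not produced with the trusted key
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"])


def secure_boot(boot_order):
    """Verify (manifest, active, golden) tuples in power-on order; return actions."""
    results = []
    for manifest, active, golden in boot_order:
        if verify_image(manifest, active):
            action = "boot"      # detection passed; firmware is released to run
        elif verify_image(manifest, golden):
            action = "recover"   # active copy rejected; restore the protected copy
        else:
            action = "halt"      # nothing trustworthy to run, so stop the chain
        results.append((manifest["component"], action))
        if action == "halt":
            break
    return results


# Constructed firmware blobs for three server components (not real images).
ec_fw, bmc_fw, nic_fw = b"EC v1.2", b"BMC v4.0", b"NIC v7.1"
chain = [
    (sign_manifest("embedded-controller", ec_fw), ec_fw, ec_fw),
    (sign_manifest("bmc", bmc_fw), bmc_fw + b"-modified", bmc_fw),  # altered copy
    (sign_manifest("nic", nic_fw), nic_fw, nic_fw),
]
print(secure_boot(chain))
```

The altered BMC image is rejected and replaced from its protected copy before anything later in the chain runs; if the protected copy also fails verification, the boot sequence stops at that component.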
NIST is also encouraging enterprises to adopt more advanced encryption algorithms. In 2016, NIST launched a contest among leading cryptographers to develop algorithms that could defend against quantum computing-based attacks. Last year the contest concluded with the announcement of four new encryption algorithms that NIST will include in its upcoming post-quantum cryptography standardization project.
Cybersecurity is akin to an arms race between those who work to protect computer systems and those who intend to compromise those same systems (the latter include both criminal and state-sponsored hackers). Each side ceaselessly works to counter the other’s advances. Firmware has become the latest battleground in this ongoing struggle, and enterprises that neglect to include firmware in their threat assessments and security plans moving forward do so at their own peril.
About the author
Kyle Gaede has been with Microchip Technology for nearly 25 years and is currently a principal manager for the company’s segment group with a focus on data centers. Gaede holds a Bachelor of Science in Electrical Engineering from the University of Texas Austin.