After the Log4j and SolarWinds security debacles, blind spots such as firmware and supply chains are getting more attention in IT security circles.
The cyber attacks that compromised the software provider SolarWinds and the Log4Shell vulnerability in the Java logging framework Log4j continue to unsettle the IT security scene. “We can’t wait for the next thing to appear in the wild,” Ramy Houssaini, BNP Paribas’ head of cyber and technology risk in the US, told an online panel of the Security Innovation Network (SINET) on Thursday about the “blind spot” of firmware in the supply chain.
“Move the line of defense forward”
Too many IT managers still rely on a kind of basic trust in hardware, Houssaini said. With the Internet of Things and the many online devices linked to it, at the latest, that chain of trust is no longer tenable. Attackers are increasingly targeting firmware, the layer that sits between hardware and application software. It is a “powerful piece of program code” that runs with extensive privileges and is often built on open source components that have been checked to varying degrees.
The usual remedy for software faults, reinstalling the operating system, “does not work with compromised firmware,” the risk manager pointed out. It is therefore important “to move the line of defense forward now”. The supply chains of the chips themselves also have to be included, taking into account the “geopolitical perspective” around Taiwan and China, for example.
Trusted chip manufacturing
Contrary to what is often portrayed in the media, the state subsidy program for trustworthy chip production works well, said Don Davidson, who monitors supply chain cyber risks at Synopsys, a US maker of semiconductor design software. It does not cover the production of all silicon products, but it does cover the state-of-the-art products that currently matter in practice, which are not necessarily the newest designs with feature sizes between 10 and 3 nanometers.
In the not so distant past, everyone just wanted to roll out IT “quickly and inexpensively,” Davidson recalled. It is now clear to more decision-makers that security must be built into software and hardware (“security by design”). With the devices themselves, however, it is harder to share information about vulnerabilities and to close them. Commercial standards for this now need to be developed, since government alone will not solve the problem.
Mark Hakun, chief officer for cybersecurity at the US Department of Defense, confirmed that the US military has also been reluctant to carry out upgrades and updates “as long as the systems worked”. Now, however, the Pentagon only awards IT contracts if support for the entire life cycle of the associated hardware and software, including patch management, is supplied as well. End-to-end security is required. It should be borne in mind that chips in aircraft, for example, sometimes remain in service for 40 to 50 years and have to be protected for that long.
Trust no one
When it comes to IT systems, Hakun says it is essential to know “who developed the firmware.” The pillars of the “zero trust” model have to be put in place. The simplest way to describe it is “Don’t trust anyone”: implicit trust is treated as a vulnerability that attackers can exploit for lateral movement and access to sensitive data. Every individual access should therefore require authentication, which the Federal Ministry of the Interior, for example, is striving for in this country.
“Right now, everything is going towards Zero Trust,” said David Beach, who heads Mastercard’s “Security and Intelligence” division. The integrity of all IT components and devices must be guaranteed. A dedicated forum for exchanging information about attacks and countermeasures across the industry worldwide would be helpful, he said. At the credit card company itself, onboarding new suppliers and manufacturers has become “more challenging” since Log4j and SolarWinds.
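Two of the demands above, Hakun’s “know who developed the firmware” and Beach’s insistence that the integrity of every component be guaranteed, translate into a concrete check a defender can run before a device is onboarded: compare the measurement each device reports for the firmware it booted against the vendor’s list of known-good builds. The following Python is an added illustration, not code from the panel or from any of the companies named; the vendors, models, images and devices are constructed placeholders, and the per-device measurements are assumed to come from a measured-boot or attestation mechanism rather than being produced here.

```python
import hashlib
from dataclasses import dataclass


def measure(image: bytes) -> str:
    """SHA-256 hex digest of a firmware image, the 'measurement' compared below."""
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for vendor-released firmware builds (hypothetical vendors).
GOLDEN_IMAGES = {
    ("ExampleVendorA", "LaptopX", "1.4.2"): b"vendorA-laptopX-fw-1.4.2-release-blob",
    ("ExampleVendorB", "RouterY", "7.0.1"): b"vendorB-routerY-fw-7.0.1-release-blob",
}

# Vendor manifest: the known-good measurement for each (vendor, model, version).
KNOWN_GOOD = {key: measure(img) for key, img in GOLDEN_IMAGES.items()}


@dataclass
class DeviceReport:
    device_id: str
    vendor: str
    model: str
    version: str
    measured: str  # hash the device reports for the firmware it actually booted


def check_device(report: DeviceReport, manifest=KNOWN_GOOD) -> str:
    """Classify one device as 'ok', 'unknown-build' or 'tampered'."""
    expected = manifest.get((report.vendor, report.model, report.version))
    if expected is None:
        # No vendor measurement vouches for this build, so nobody we can name
        # "developed" it: it gets no implicit trust.
        return "unknown-build"
    if report.measured != expected:
        # Claims a known release but the bytes differ: modified or counterfeit image.
        return "tampered"
    return "ok"


def audit(reports, manifest=KNOWN_GOOD) -> dict:
    """Verdict per device for a fleet; anything not 'ok' should block onboarding."""
    return {r.device_id: check_device(r, manifest) for r in reports}


def _tampered(image: bytes) -> bytes:
    """Flip one bit so the image still claims to be the same release (constructed)."""
    data = bytearray(image)
    data[0] ^= 0x01
    return bytes(data)


# Constructed fleet: one clean device, one whose image was modified, and one
# running a build the vendor never published.
SAMPLE_FLEET = [
    DeviceReport("lap-001", "ExampleVendorA", "LaptopX", "1.4.2",
                 measure(GOLDEN_IMAGES[("ExampleVendorA", "LaptopX", "1.4.2")])),
    DeviceReport("rtr-007", "ExampleVendorB", "RouterY", "7.0.1",
                 measure(_tampered(GOLDEN_IMAGES[("ExampleVendorB", "RouterY", "7.0.1")]))),
    DeviceReport("lap-042", "ExampleVendorA", "LaptopX", "9.9.9",
                 measure(b"whatever-was-flashed-in-transit")),
]

if __name__ == "__main__":
    for device_id, verdict in audit(SAMPLE_FLEET).items():
        print(f"{device_id}: {verdict}")
```

In a real deployment the manifest would come from a signed vendor source and the measurements from an attestation mechanism such as a TPM-backed measured boot; the classification logic stays the same, and the important design choice is that both unknown builds and mismatched builds are refused rather than trusted by default.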
Yuriy Bulygin, founder of the IT security company Eclypsium, which specializes in this area, said that 25 percent of exploits in active use already relate to firmware. He advocated Zero Trust when building IT resources and networked devices. At present, vulnerabilities in Dell laptops are ultimately just as easy to exploit remotely as those in Huawei portables. The devices therefore have to be handled, sealed and monitored in the same way, since weaknesses in firmware and hardware are abused within a few days, for example by cryptocurrency miners or state-sponsored attackers.
IT security in firmware and in the supply chain is “not sexy” but fundamental, said Nima Baiati, executive director of Lenovo’s commercial cybersecurity solutions division. Awareness of the topic is growing in the market. For start-up founders in this area, that could pay off from a “dollar perspective”, since there are fewer competitors and thus a better chance of striking “gold”.