By John Cammalleri, VP of Commercial Channel, HP Canada
Operational resilience is becoming a watchword of IT and business leaders, and for good reason. Global IT infrastructure is now highly interconnected and interdependent and must be resilient to all manner of threats. But one of the most overlooked cybersecurity risks – and a blind spot highlighted in a recent HP Wolf Security survey – is the challenge of mitigating hardware and firmware threats. Hardware supply chain security does not end with devices being delivered. It extends through the entire lifetime of devices being used in the infrastructure and even beyond, when repurposed from one owner to the next.
Disruptions to the hardware supply chain can take many forms: from physical supply chain disruptions by ransomware groups, to tampering with hardware or firmware to deploy stealthy and persistent malicious implants at any stage of the device’s lifetime. These attacks undermine the hardware and firmware foundations of devices upon which all software runs, making it critical that organizations are equipped with endpoints designed from the ground up to be resilient to such threats.
Governments have started to act to strengthen supply chain security. Last year, the Minister of Transport established the National Supply Chain Office to ensure the country’s supply chains are resilient and efficient, as well as mitigate impacts from disruptions. Not only does strengthening Canada’s transportation supply chains ensure goods can get to Canadians and global markets safely, but it also helps make life more affordable to grow the economy.
Meanwhile, organizations are grappling with hardware and firmware threats. 32% of Canadian organizations say that they or others they know have been impacted by state-sponsored actors trying to insert malicious hardware or firmware into PCs or printers compared to 35% globally. Amid this regulatory backdrop and growing concerns over supply chain attacks, organizations must consider a new approach to physical device security.
The impact of attacks on hardware and firmware integrity
The consequences of failing to protect endpoint hardware and firmware integrity are severe. Attackers who successfully compromise devices at the firmware or hardware layer can gain unparalleled visibility and control. The attack surface exposed by lower layers of the technology stack has been a target for some time for skilled and well-resourced threat actors, like nation-states, because it enables a stealthy foothold below the operating system (OS). These offensive capabilities can quickly find their way into the hands of other bad actors. Compromises at the hardware or firmware level are persistent, providing attackers with a high level of control over everything on the system. They’re hard to detect and remediate with current security tools, which typically focus on OS and software layers.
Given the stealthy nature and sophistication of firmware threats, real-world examples are not as frequent as malware targeting the OS. Recent research shows that Canadian businesses now pay more than $1 million in ransomware attacks, emerging in various forms as a booming industry. The Canadian Communications Security Establishment (CSE) has identified firmware threats targeting critical infrastructure, with incidents involving tampered devices aiming to disrupt communication networks. What’s more, Canadian enterprises in both the private and public sector have reported cases where firmware vulnerabilities in their endpoint devices were exploited to gain unauthorized access to data, including London Drugs, The Financial Transactions and Reports Analysis Centre of Canada and Global Affairs Canada. These examples underscore the importance of robust hardware and firmware security measures.
Organizations are also concerned about attempts to tamper with devices in transit, with many reporting being blind and unequipped to detect and stop such threats. 74% of Canadian organizations say that they need a way to verify hardware integrity to mitigate the threat of device tampering, compared to the global average of 77%.
To ensure hardware and firmware remain secure, it is important to choose technology providers and suppliers that can be trusted with their design, development and manufacturing processes, but also to seek out and use state-of-the-art technology that can help verify, manage and monitor device integrity across the lifecycle of the device – from factory to end-of-life or redeployment.
Bringing security maturity to endpoint hardware and firmware
As a community, we have matured our processes to manage and monitor software security configuration over the life of a device, and we are improving our ability to track software provenance and supply chain assurance. It’s time to bring the same levels of maturity to the management and monitoring of hardware and firmware security, throughout the entire lifetime of endpoint devices. Because devices, as long as they are in use, constitute the hardware supply chain for an organization.
The technical capabilities to enable this across devices have not been available broadly, because it all must start with security by design from the hardware up. This is an area that we have been investing in for over two decades, and today, the foundations are in place. Organizations should start actively adopting the capabilities available from manufacturers and devices for security and resilience, to proactively take control of hardware and firmware security management across their devices’ lifecycle.
There are four key steps that organizations can take to proactively manage device hardware and firmware security:
• Securely manage firmware configuration throughout the lifecycle of a device, using digital certificates and public-key cryptography. This enables administrators to manage firmware remotely and eliminate weak password-based authentication.
• Take advantage of vendor factory services to enable robust hardware and firmware security configurations right from the factory.
• Adopt Platform Certificate technology to verify hardware and firmware integrity once devices have been delivered.
• Monitor ongoing compliance of device hardware and firmware configuration across your fleet of devices – this is a continuous process that should be in place as long as devices are in use by the organization.
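A simplified sketch of the third and fourth steps, added here as an illustration and not taken from HP or any vendor tool: it compares each device's reported component inventory against the component list recorded at the factory, which stands in for the contents of a Platform Certificate. The record layout, device names and sample values are constructed assumptions, and a real Platform Certificate is a signed document whose signature must be validated before its component list is trusted.

```python
from collections import Counter

def comp(cls, model, serial, maker="ExampleCo"):
    """Build one component record (constructed layout, not a real certificate format)."""
    return {"class": cls, "manufacturer": maker, "model": model, "serial": serial}

def _key(c):
    return (c["class"], c["manufacturer"], c["model"], c["serial"])

def compare_inventory(manifest, observed):
    """Diff the observed components against the factory-recorded list."""
    expected = Counter(_key(c) for c in manifest)
    seen = Counter(_key(c) for c in observed)
    missing = sorted((expected - seen).elements())
    unexpected = sorted((seen - expected).elements())
    # A swapped part appears as one missing and one unexpected entry of the same class.
    swapped = sorted({m[0] for m in missing} & {u[0] for u in unexpected})
    return {"compliant": not missing and not unexpected,
            "missing": missing, "unexpected": unexpected, "swapped_classes": swapped}

def fleet_report(manifests, inventories):
    """Re-check every device; a device that reports nothing fails closed."""
    report = {}
    for device_id, manifest in manifests.items():
        observed = inventories.get(device_id)
        if observed is None:
            report[device_id] = {"compliant": False, "reason": "no inventory reported"}
        else:
            report[device_id] = compare_inventory(manifest, observed)
    return report

# Constructed sample data: three devices shipped with the same build.
BUILD = [comp("baseboard", "MB-100", "MB0001"), comp("memory", "DDR-16", "RAM0001"),
         comp("memory", "DDR-16", "RAM0002"), comp("storage", "SSD-512", "SSD0001")]
MANIFESTS = {"pc-001": BUILD, "pc-002": BUILD, "pc-003": BUILD}
INVENTORIES = {
    "pc-001": list(reversed(BUILD)),  # same parts, different enumeration order
    "pc-002": BUILD[:3] + [comp("storage", "SSD-512", "SSD9999"),   # drive replaced
                           comp("network", "NIC-X", "NIC0001")],    # part added
    # pc-003 has not reported an inventory
}

if __name__ == "__main__":
    for device, result in fleet_report(MANIFESTS, INVENTORIES).items():
        print(device, result)
```

Running the same comparison on a schedule, rather than once at delivery, is what turns the delivery check into the continuous monitoring the fourth step calls for.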
System security relies on strong supply chain security, which starts with the assurance that devices, whether PCs, printers, or any form of IoT, are built and delivered with the intended components. This is why organizations should increasingly focus on developing secure hardware and firmware foundations, enabling them to manage, monitor and remediate hardware and firmware security throughout the lifetime of any device in their fleet.