T0839 Module Firmware
Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.
This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. 1
An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: 1
- Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.
- Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.
- Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.
- A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.
- Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.
| Item | Value |
|---|---|
| ID | T0839 |
| Sub-techniques | |
| Tactics | TA0110, TA0106 |
| Platforms | Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management | All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions. |
| M0947 | Audit | Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service. |
| M0946 | Boot Integrity | Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. 5 Move system’s root of trust to hardware to prevent tampering with the SPI flash memory. 3 Technologies such as Intel Boot Guard can assist with this. 4 |
| M0945 | Code Signing | Devices should verify that firmware has been properly signed by the vendor before allowing installation. |
| M0802 | Communication Authenticity | Protocols used for device management should authenticate all network messages to prevent unauthorized system changes. |
| M0808 | Encrypt Network Traffic | The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware. |
| M0941 | Encrypt Sensitive Information | The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware. |
| M0937 | Filter Network Traffic | Filter for protocols and payloads associated with firmware activation or updating activity. |
| M0804 | Human User Authentication | Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| M0807 | Network Allowlists | Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 2 |
| M0930 | Network Segmentation | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 2 |
| M0813 | Software Process and Device Authentication | Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0001 | Firmware | Firmware Modification |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0040 | Operational Databases | Device Alarm |
References
-
Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ↩↩
-
Department of Homeland Security 2016, September Retrieved. 2020/09/25 ↩↩
-
ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ↩
-
Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ↩
-
N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ↩
-
Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017. ↩
-
Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015. ↩
-
Intel Security. (2005, July 16). HackingTeam’s UEFI Rootkit Details. Retrieved March 20, 2017. ↩
-
Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017. ↩