Who Moved My Firmware?

By Tsur Segal, VP Strategic Sales, Radiflow LTD

Each and every component in an ICS (Industrial Control System) utilizes firmware, and faulty firmware maintenance may result in critical cyber-risk. Here we discuss the topic and offer a number of simple yet effective solutions that can be implemented in any industrial facility.

Firmware is essentially the operating system for programmable controllers. Firmware provides the programmable controller with the capabilities of analysis, calculation, memory, logical decision-making, arrays building, events creation, precise PID controlling of field equipment and much more.

A good analogy for understanding the importance of firmware is the human heart: without it, a person cannot function at all; and when it malfunctions, the person does not operate at peak level and cannot make adequate decisions, both logical and physical.

In the field of data security for ICS and industrial programmable controllers, threats to firmware pose a direct threat to production line operations. Firmware provided by a source other than the original manufacturer presents a risk to production capability, quality and efficiency, and eventually to overall productivity.

Thus, a critical method of attacking a production facility is to inject fake controller firmware that is identical to the original except for additional functionality that kicks in at a predetermined “Zero Day”, effectively creating a “time bomb”, similar to a sleeper agent waiting for an order to attack. In more sophisticated attacks the fake firmware isn’t designed to attack the facility at all, but rather to eavesdrop on the facility’s production line processes and report back to whoever paid for the information.

The management of firmware risks in industrial facilities takes place on four levels:

  • Within the supply chain
  • During the facility’s initial commissioning
  • During regular operations and as part of facility upgrades and expansions

Radiflow’s holistic security solution, based on the four levels above, has been proven to reduce facilities’ cyber-risk levels. In addition, Radiflow’s solution measures and displays the facility’s risk score in real time and, most importantly, provides the customer with recommendations for risk reduction.

1. Supply Chain

The supply chain is the initial point of vulnerability in firmware security. Purchasing controllers directly from the manufacturer all but eliminates the possibility of receiving “defective” firmware. It is important to establish risk-aware procurement procedures that focus not only on price but also on eliminating exposure to cyber-disruptions, industrial espionage and other irreparable damage.

In recent years, awareness of supply-chain-related threats has increased. Many critical facilities’ procurement procedures require verification of manufacturers’ equipment authenticity declarations, verification of delivery and shipment documents, physical examination of controller circuit boards, and obligating the vendor to provide support from the original equipment manufacturer if needed.

2. Initial Commissioning

The facility’s initial commissioning is an important stage in managing firmware risk. Test-running the ICS controllers requires authenticating all controllers’ firmware. In many cases, internet-downloadable firmware updates are needed, adding exposure and risk.

To prevent initial-run-related threats, Radiflow’s solution automatically presents the customer with a list of all controller models, including the firmware installed on each one. This allows the customer to verify that the most up-to-date firmware version is installed on all controllers, without exception.

In addition, Radiflow maintains a vulnerability database for all manufacturers’ controllers, compiled from a multitude of sources including the Radiflow research team, and presents the customer with the vulnerabilities that pertain to their network, along with recommendations for each controller: how to handle updates, which firmware version to update to, and more.

3. Firmware Management

Firmware management throughout the lifecycle of the facility is the most important element in cyber-securing the facility. Many entrepreneurs have by now realized that risk management eventually saves time and money by preventing problems down the line. Radiflow’s passive solutions continuously “listen to” and analyze all OT data traffic in order to detect firmware changes. Additionally, Radiflow proactively compares the customer’s firmware versions against known vulnerabilities for all manufacturers’ controllers, and provides guidance for firmware updating and risk reduction.
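The three checks described in sections 2 and 3 (an inventory of controller models and firmware versions, matching those versions against a vulnerability database, and detecting firmware changes between observations) can be illustrated with a small script. This is an added example, not Radiflow’s code; the controller models, version numbers and advisory identifiers are constructed placeholders, and the inventories stand in for data that a passive OT monitor would collect.

```python
# Added illustration; all models, versions and advisory ids are constructed.
def parse_version(v):
    """'2.10.3' -> (2, 10, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed: latest vendor-released firmware per controller model.
LATEST = {"PLC-A100": "3.2.0", "RTU-B20": "1.9.4"}

# Constructed advisories: (model, first affected, first fixed, advisory id);
# a version is affected when first_affected <= version < first_fixed.
ADVISORIES = [
    ("PLC-A100", "3.0.0", "3.1.1", "EXAMPLE-ADV-0001"),
    ("RTU-B20", "1.0.0", "1.9.4", "EXAMPLE-ADV-0002"),
]

def affected_by(model, version):
    v = parse_version(version)
    return [adv for m, lo, hi, adv in ADVISORIES
            if m == model and parse_version(lo) <= v < parse_version(hi)]

def assess(inventory):
    """inventory: {controller_id: (model, version)} -> {controller_id: [issues]}."""
    findings = {}
    for cid, (model, version) in inventory.items():
        issues = []
        latest = LATEST.get(model)
        if latest is None:
            issues.append("unknown model")  # no vendor baseline to verify against
        elif parse_version(version) < parse_version(latest):
            issues.append(f"outdated ({version} < {latest})")
        issues += [f"vulnerable: {adv}" for adv in affected_by(model, version)]
        findings[cid] = issues
    return findings

def firmware_changes(previous, current):
    """Diff two inventory snapshots (e.g. built from passively observed OT
    traffic); any version change, including a downgrade, is reported."""
    changed = {}
    for cid in previous.keys() | current.keys():
        old = previous.get(cid, (None, None))[1]
        new = current.get(cid, (None, None))[1]
        if old != new:
            changed[cid] = (old, new)
    return changed

# Constructed snapshots: baseline at commissioning, then a later observation
# in which rtu-07 has silently gone back to an older, vulnerable version.
BASELINE = {"plc-01": ("PLC-A100", "3.2.0"), "plc-02": ("PLC-A100", "3.0.5"),
            "rtu-07": ("RTU-B20", "1.9.4")}
LATER = dict(BASELINE, **{"rtu-07": ("RTU-B20", "1.8.0")})
```

Running `assess(LATER)` flags plc-02 as outdated and vulnerable and rtu-07 as both, while `firmware_changes(BASELINE, LATER)` reports only rtu-07, whose version went backwards without any planned update.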

Conclusion

Risk management can be roughly divided into two processes: real-time risk management throughout the lifecycle of the facility, and offline risk management that takes place at prescribed points in time. Firmware version verification is imperative to reducing risk in OT networks, since updates are often not carried out on time or at all, and in many cases not all controllers are updated simultaneously.

More importantly, critical updates prompted by manufacturers’ published vulnerabilities are very often ignored. The only way to maintain low cyber-risk in OT networks is to install an automatic mechanism for version management that detects vulnerabilities in the current versions and provides recommendations for firmware updates throughout the lifecycle of the project.