Threats in the Hardware Supply Chain Can Impact Your Endpoint Infrastructure.

The global technological infrastructure has become increasingly interconnected and interdependent. This has led operational resilience to become a priority for security leaders within organizations. Although companies have made progress in managing software threats, many face challenges due to lack of visibility and insufficient tools to defend against minor threats targeting hardware and firmware, which poses an obstacle to achieving effective resilience.

Supply chain attacks can manifest in various ways, from ransomware groups compromising the infrastructure of suppliers to the manipulation of hardware and firmware. The severity of these attacks lies in their ability to undermine the hardware and firmware foundations of devices, which is often difficult to detect and repair. This means that neither software nor data can be considered completely secure.

Regulatory authorities have begun to take steps to strengthen supply chain security. In the UK, new cybersecurity regulations for the Internet of Things (IoT) have been implemented, and a Cybersecurity and Resilience Bill is being prepared to expand regulation to protect more digital services and supply chains. In the United States, Executive Order 14028 has accelerated the development of software supply chain security requirements for government acquisitions, explicitly including firmware. The European Union is also introducing new cybersecurity requirements throughout the supply chain, starting with software and services through the Networks and Information Systems Directive (NIS2), and extending to devices with the Cyber Resilience Act to ensure that hardware and software are more secure.

A study conducted by HP Wolf Security revealed that 30% of organizations in the UK reported being affected by state-sponsored actors attempting to insert malicious hardware or firmware into PCs or printers, highlighting the need to address the security risks of physical devices.

The consequences of failing to protect the integrity of hardware and firmware in endpoint devices are severe. A successful compromise at these layers can grant attackers unprecedented visibility and control over a device. For years, hardware and firmware have been a target for well-trained threat actors, such as nation-states, providing a stealthy foothold below the operating system. However, as the cost and complexity of attacks on hardware and firmware decrease, this capability is expanding to other malicious actors.

Given the stealthy nature and complexity of firmware threats, real-world examples are less common than those related to operating system-targeted malware. Among the notable cases is LoJax, which in 2018 attacked the UEFI firmware of PCs to survive operating system reinstallations and hard drive replacements on unprotected devices. More recently, the BlackLotus bootkit was designed to evade boot security mechanisms and give attackers full control over the operating system boot process. Other UEFI malware, such as CosmicStrand, can launch attacks before the operating system and security defenses are activated, facilitating persistence and command control over the infected computer.

Companies are also concerned about attempts to manipulate devices in transit, with many expressing a lack of visibility and equipment to detect and stop such threats. Seventy-five percent of organizations in the UK state that they need a method to verify hardware integrity in order to mitigate the risk of device tampering.

To improve the security of hardware and firmware in endpoint devices, certain steps must be followed. Organizations should securely manage firmware configuration throughout the device lifecycle, using digital certificates and public key cryptography. This enables remote management of firmware and eliminates weak password-based authentication. Additionally, manufacturers' factory services should be leveraged to enable robust security configurations from the moment of manufacturing. Implementing platform certificate technology also helps verify the integrity of hardware and firmware after device delivery. Finally, it is important to continuously monitor compliance with the hardware and firmware configuration of devices, a process that should be maintained for the entire time the devices are in use.

In summary, endpoint security depends on a strong supply chain security, starting with ensuring that devices, whether PCs, printers, or any IoT devices, are built and delivered with the appropriate components. Therefore, organizations must increasingly focus on protecting the hardware and firmware foundations of their endpoints, managing, monitoring, and correcting hardware and firmware security throughout the lifecycle of any device in their fleet.