Officials from the Cybersecurity and Infrastructure Security Agency announced a new initiative to fight firmware vulnerabilities at the RSA Conference Wednesday afternoon.
For years, security personnel have been content to largely ignore the horrors lying beneath the surface of the OS, seeing firmware-based attacks as exotic and high-end. But firmware attacks are on the rise. A Microsoft study found that while only 29% of organizations were budgeted to defend against firmware attacks despite 80% seeing one in the past year.
Thomas Ruoff and Boyden Rohner, methodology branch chief and associate director of the CISA respectively, announced an agency campaign to mitigate what it's calling "vulnerabilities below the operating system," or VBOS.
"In cybersecurity, we spend the majority of our time observing, analyzing, and responding to vulnerabilities in operating systems, and at the application layer," said Rohner. "And yet, there are categories of vulnerabilities lurking beneath the proverbial surface that we aren't dealing with through our vulnerability research efforts and our incident response activities."
The pair shared a chart at RSA showing that the last five years were the only five years on record where new firmware vulnerabilities made up more than 2.5% of the National Vulnerability Database.
The rise in vulnerabilities has come at a time when more run-of-the-mill criminals have access to the firmware space and in particular the Unified Extensible Firmware Interface – or UEFI, said Ruoff.
"What used to be in the realm of the nation-state actors has now become in the realm of the commercial actors, and as a consequence, and we're beginning to see an uptick ," he said.
To tackle vulnerabilities in the UEFI space, the duo proposed a multi-step ideal scenerio to work toward:
- Promote software bills of materials (SBOMS) extending to the firmware level
- Have vendors include the intent of the components of the system
- Produce analysis of code
- Provide public risk scoring
- Reduce purchasing of products that shape up poorly
Software bills of materials list all a product's components and list the components' software dependencies, making it easier to evaluate what announced vulnerabilities affect which devices and programs.
Ruoff and Rohner would like to tie these controls into the recent Biden executive order on cybersecurity, which requires SBOMs for federal purchasing. The administration has said it hopes that the government's buying power will move the market toward more secure products across the board.
But the pair realizes they will not reach that ideal end state overnight.
"We're realistic, we understand that not all code can be examined in detail. This is really tough," Ruoff said. "And so we're not asking to boil the ocean. We're thinking, what is the first set of teacups that we can start taking a Bic lighter?"
Ruoff suggested that the initial focus of the vulnerabilities below the operating system campaign would be on purpose-built, self-contained products like programmable logic controllers.
To reach these goals, Ruoff and Rohner say CISA will begin to convene stakeholders to discuss firmware risks across the various critical infrastructure sectors, increase outreach to infrastructure groups about potential dangers and begin to promote advances in automated code evaluation.
In the interim, they said, buyers should try to get the same information on their own.
"If you start to make a decision" without that information, said Rohner, "you're probably making a faith-based decision and not a risk-based one."