NSA Cybersecurity: Hardware and Firmware Security Guidance

This repository provides content for aiding DoD administrators in verifying that systems have applied and enabled mitigations for Spectre and Meltdown. The repository is a companion to a forthcoming Information Assurance Advisory, Updated Guidance for Spectre and Meltdown Vulnerabilities Affecting Modern Processors. This advisory will be an update to the previously issued advisory Vulnerabilities Affecting Modern Processors.

https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance

[Last updated in the Summer. I am pretty sure I included a link to this during the early Spectre/Meltdown posts, but can’t find it, and it is a bit more useful beyond Spectre/Meltdown.]

USAF top10 embedded security recommendations

Mark Pomerleau of Defense Systems wrote an article that points to a new US Air Force study on embedded systems security.

http://defensesystems.com/articles/2015/08/27/air-force-embedded-systems-cyber-threat.aspx

“Cyber Vulnerabilities of Embedded Systems on Air and Space Systems”

PDF: AF SAB embedded systems cyber.pdf

The study recommends 10 things, and firmware security is at the top of that list:

0) Ensure software integrity by employing digital signatures/code signing, and require future systems to cryptographically verify all software/firmware as it is loaded onto embedded devices.
1) Mandate the inclusion of software assurance tools/processes and independent verification and validation using appropriate standards as part of future contracts for all USAF systems. Use best commercial code tools and languages.
2) Employ hardware/software isolation and randomization to reduce embedded cyber risk and improve software agility even for highly-integrated systems.
3) Improve and build USAF cyber skills and capabilities for embedded systems.
4) Adapt Air Force Life Cycle Management Center cyber-resiliency requirements process to embedded systems.
5) Protect design/development information. Implement security procedures sufficiently early that protection against exfiltration and exploitation is consistent with the eventual criticality of the fielded system.
6) Develop situational awareness hardware and analysis tools to establish baseline embedded operational patterns and inform best mitigation strategies.
7) Develop and deploy continuously verifiable software techniques (such as dynamic attestation).
8) Develop and deploy formal-method software assurance tools and processes specific to USAF embedded systems.
9) Work with defense microelectronics agencies to deploy trusted methods compatible with off-shore manufacturing.

If you updated this list to remove the USAF references, most of this advice would apply directly to the commercial sector's embedded OEMs and IoT makers. However, existing security best-practice guidelines and certification programs do NOT have anything on firmware, and they really need to improve their offerings.
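Item 0 in practice, as an added example that is not from the study or from the NSA repository: a build-side signer and a device-side verifier in Go using Ed25519, with the signature checked before anything in the image is used. It goes one step beyond the list by also rejecting an image older than the installed version; the image layout, field sizes and error names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout (not a real vendor format): [4-byte BE version][64-byte Ed25519 sig][payload].
const hdrLen, sigLen = 4, ed25519.SignatureSize

var ErrBadSignature = errors.New("firmware signature does not verify")
var ErrRollback = errors.New("firmware version older than installed")

// SignImage is the build-side step: the signature covers version || payload, so neither can change alone.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	msg := make([]byte, hdrLen+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[hdrLen:], payload)
	sig := ed25519.Sign(priv, msg)
	// msg[:hdrLen:hdrLen] caps the slice so append allocates instead of overwriting msg
	return append(append(msg[:hdrLen:hdrLen], sig...), payload...)
}

// VerifyImage is the load-time check: signature first, then anti-rollback against the
// installed version; the payload is handed back only when both pass.
func VerifyImage(pub ed25519.PublicKey, img []byte, installed uint32) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen {
		return 0, nil, errors.New("image too short for header and signature")
	}
	hdr, sig, payload := img[:hdrLen], img[hdrLen:hdrLen+sigLen], img[hdrLen+sigLen:]
	msg := append(append([]byte{}, hdr...), payload...)
	if !ed25519.Verify(pub, msg, sig) {
		return 0, nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(hdr)
	if version < installed {
		return version, nil, ErrRollback
	}
	return version, payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	img := SignImage(priv, 2, []byte("constructed firmware payload"))
	img[len(img)-1] ^= 1 // flip one payload byte after signing
	_, _, err := VerifyImage(pub, img, 1)
	fmt.Println("tampered image:", err) // tampered image: firmware signature does not verify
}
```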