
Supply Chain and Firmware Security Take Center Stage in 2024 NDAA

Every year, Congress passes the National Defense Authorization Act (NDAA), which sets the budget and defines key policy priorities for the U.S. Department of Defense (DoD). This legislation plays a crucial role in shaping the defense priorities and resources of the country, ensuring the readiness and capabilities of the military, and providing oversight for defense-related activities. 

The Senate’s NDAA for Fiscal Year 2024, filed on Tuesday July 11th, makes it abundantly clear that supply chain and firmware security are key areas of concern for the federal government. Both of these tightly related topics were individually called out as “Items of Special Interest” in the report accompanying the Senate’s Fiscal 2024 NDAA. These topics were highlighted both due to the immediacy of the risks facing the DoD as well as the advancements in security tools available to address those risks. Naturally, this noted improvement in supply chain and firmware security tools is a point of pride for many of us at Eclypsium who have dedicated years of research and development in the pursuit of this goal.

And while the NDAA is naturally focused on the needs of the DoD, it also serves as a bellwether both for other branches of government and for the private sector. All organizations depend on reliable technology supply chains and on the integrity of the IT and OT equipment those supply chains produce. Likewise, organizations of all types have suffered supply chain attacks and hardware- and firmware-level attacks from a range of threat actors, including state-sponsored APT groups and ransomware operators.

The NDAA calls out the following under the section titled “Cybersecurity of firmware in information and operational technology.” 

Operating systems, kernel, firmware, and application software in information technology (IT) and operational technology (OT) infrastructure, systems, and networks, including weapons systems and control systems, are vulnerable to cyber attacks via accesses including supply chains, internet operations, human-enabled operations, and radio-frequency apertures. The National Security Agency (NSA) pioneered the development of formal methods for mathematically proving software integrity, but scaling limitations prevented widespread adoption…

The committee is concerned that malicious cyber actors are increasingly targeting the kernel and firmware in IT and OT infrastructure, which constitutes a vast and largely undefended attack vector… The committee is aware of the development and maturation of commercial technology for monitoring, protecting, and alerting of intrusion attempts on the infrastructure kernel layer and firmware.

The committee directs the Department of Defense Chief Information Officer (CIO) to provide a briefing to the congressional defense committees, not later than March 1, 2024, on the cybersecurity of firmware in information and operational technology. The briefing should include:

(1) Trends in and severity of threats against IT and OT firmware;

(2) The ability of leading commercial firmware security technology to prevent, detect, and remediate firmware threats and attacks mounted through supply chain and remote operations;

(3) The capabilities and value of commercial development of secure micro-kernel and hypervisor capabilities using formal methods that:

(a) Provide secure isolation and separation of virtual machines;

(b) Prevent lateral movement, remote code execution, and privilege escalation;

(c) Block malicious action through whitelist policy enforcement;

(d) Enforce least functionality and policy enforcement that maintain kernel and firmware integrity;

(e) Protect against firmware and side-channel attacks; and

(f) Would enhance the security of cloud computing operations;

(4) A plan for the Department to address the threat by exploiting available technologies and products.

The report clearly calls out that the firmware layer is actively under attack and remains severely under-protected. Additionally, there are several paths for attackers to target the firmware layer including within the supply chain itself and via external attacks against devices after they are deployed. This is precisely why Eclypsium approaches device risk and integrity as a continuous process that spans all levels of the technology supply chain as well as the ongoing operational security across the lifecycle of IT assets.

The report also notes that formal methods for mathematically proving software integrity historically failed to scale, while commercial technologies for monitoring and protecting the kernel and firmware layers have since matured. This is, in a nutshell, what Eclypsium does. Simple, automated scans verify the integrity of all critical firmware, integrated code, and physical components against known-good baselines, identify vulnerabilities and weaknesses, and monitor for signs of threats. These are highly specialized capabilities that traditional security tools lack and that had to be built from the ground up. For example, since a firmware-level threat can subvert the operating system running above it, Eclypsium needed to develop multiple methods to see into the lowest levels of a device without trusting information reported by the OS.
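The two checks that idea rests on can be shown in a few dozen lines. The following is an added illustration written for this post; it is not Eclypsium's code and not anything from the committee report. It assumes a SHA-256 PCR bank, a measured-boot event log that an OS-level attacker could rewrite, and PCR values carried in a TPM quote that the attacker cannot forge. The event log entries, firmware digests and known-good baseline are all constructed for the example (real measurements are hashes of the flash region contents; here a label is hashed in their place).

```python
"""Verify firmware-layer integrity from a hardware-rooted measurement.

Two independent checks are performed:
  1. replay the measured-boot event log and confirm it reproduces the PCR
     value the TPM reports (catches a log an OS-level attacker rewrote);
  2. compare every firmware measurement in the log against a known-good
     baseline (catches a modified firmware volume that the TPM measured
     faithfully, whether it arrived via the supply chain or by reflashing).
Everything below (logs, digests, baseline) is constructed for the example.
"""
import hashlib
from dataclasses import dataclass

PCR_SIZE = 32                  # SHA-256 bank
INITIAL_PCR = bytes(PCR_SIZE)  # PCRs 0-15 reset to all zeros at power-on


@dataclass(frozen=True)
class Event:
    pcr: int
    event_type: str   # TCG event type name, e.g. EV_EFI_PLATFORM_FIRMWARE_BLOB
    digest: bytes     # SHA-256 of the measured object


def extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || digest). Ordered and one-way."""
    return hashlib.sha256(current + digest).digest()


def replay(events, num_pcrs: int = 8) -> dict:
    """Recompute the PCR values the given event log would produce."""
    pcrs = {i: INITIAL_PCR for i in range(num_pcrs)}
    for ev in events:
        pcrs[ev.pcr] = extend(pcrs[ev.pcr], ev.digest)
    return pcrs


def verify(reported_pcrs: dict, events, baseline: dict) -> list:
    """Return a list of findings; an empty list means both checks passed.

    reported_pcrs: PCR index -> value carried in a TPM quote (hardware-rooted)
    events:        the event log as read through the OS (untrusted)
    baseline:      event type -> set of digests known to be good
    """
    findings = []
    replayed = replay(events)
    for idx, value in reported_pcrs.items():
        if replayed[idx] != value:
            findings.append(
                f"PCR{idx}: event log does not reproduce the TPM-reported value "
                "(log incomplete or tampered with)")
    for ev in events:
        allowed = baseline.get(ev.event_type)
        if allowed is not None and ev.digest not in allowed:
            findings.append(
                f"PCR{ev.pcr} {ev.event_type}: digest {ev.digest.hex()[:16]}... "
                "is not in the known-good baseline")
    return findings


def fw_digest(label: str) -> bytes:
    """Constructed stand-in for measuring a firmware volume."""
    return hashlib.sha256(label.encode()).digest()


# Constructed known-good baseline (two approved DXE core builds).
KNOWN_GOOD = {
    "EV_S_CRTM_VERSION": {fw_digest("crtm-1.2")},
    "EV_EFI_PLATFORM_FIRMWARE_BLOB": {fw_digest("dxe-core-1.2"),
                                      fw_digest("dxe-core-1.3")},
}

# Constructed event log of a healthy boot; everything lands in PCR0.
CLEAN_LOG = [
    Event(0, "EV_S_CRTM_VERSION", fw_digest("crtm-1.2")),
    Event(0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", fw_digest("dxe-core-1.3")),
    Event(0, "EV_SEPARATOR", fw_digest("separator")),
]
# Same boot, but the DXE volume in flash was replaced with an implant.
IMPLANT_LOG = [CLEAN_LOG[0],
               Event(0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", fw_digest("dxe-core-implant")),
               CLEAN_LOG[2]]


def scenario_clean() -> list:
    quote = {0: replay(CLEAN_LOG)[0]}          # value a TPM quote would carry
    return verify(quote, CLEAN_LOG, KNOWN_GOOD)


def scenario_implant() -> list:
    """Implanted firmware, honest log: the TPM measured the implant, so the
    log replays correctly and only the baseline comparison catches it."""
    quote = {0: replay(IMPLANT_LOG)[0]}
    return verify(quote, IMPLANT_LOG, KNOWN_GOOD)


def scenario_log_tamper() -> list:
    """Implanted firmware plus an OS-level attacker serving the clean log to
    hide it: the presented log passes the baseline check but cannot reproduce
    the PCR value the TPM actually holds."""
    quote = {0: replay(IMPLANT_LOG)[0]}        # the TPM does not lie
    return verify(quote, CLEAN_LOG, KNOWN_GOOD)


if __name__ == "__main__":
    for name, fn in [("clean", scenario_clean), ("implant", scenario_implant),
                     ("log-tamper", scenario_log_tamper)]:
        print(f"{name}: {fn() or ['OK']}")
```

The point of the two scenarios is that neither check is sufficient alone: an implant the TPM measured honestly only shows up against a baseline, and a baseline check alone is defeated by a rewritten log, which only the replay against the hardware-held PCR exposes. On a real Linux host the log comes from /sys/kernel/security/tpm0/binary_bios_measurements (parsed per the TCG PC Client event log format rather than built by hand as above) and the PCR values from a signed TPM quote, for example via tpm2_quote; if the PCR values are instead read through the OS without a quote, the replay check proves nothing.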

Key Take-Aways

The fact that this made it into the NDAA says much about the level of concern. Whether you work with the US DoD or not, there are some key points to remember:

  • Firmware is just one of the embedded components in the complex technology supply chain that organizations depend upon.
  • There are significant gaps when it comes to the detection of supply chain vulnerabilities. Such vulnerabilities can be buried deep within devices, out of sight of traditional scans, and can sit in server components, networking equipment, and OT gear that do not support traditional security agents.
  • Dedicated supply chain security platforms like Eclypsium specialize in delivering coverage for this broad collection of assets and combining deep visibility and insight while ensuring the availability and uptime of critical assets.