System Firmware

From attackics
ID: T857
Tactic: Persistence, Inhibit Response Function
Data Sources: Alarm history, Sequential event recorder, Network protocol analysis, Packet capture
Asset: Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED, Input/Output Server


System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprogramming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be performed with a software update package; it may also be possible to perform the update over the network.

An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, since firmware is one of the lowest programming abstraction layers.[1]
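As an added example (not code from the ATT&CK for ICS page), the following Python sketches the acceptance check a device-side updater or an update-staging host would perform before applying an image: authenticate the image and refuse rollback to an older version, which covers both the "malicious" and the "out-of-date" case the paragraph describes. The header layout, the `FWUP` magic, and the provisioned key are assumptions made for the example; HMAC-SHA256 with a shared key stands in for a vendor's asymmetric signature so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import struct

# Hypothetical per-device key provisioned at manufacturing time (constructed
# value). A real product would verify a vendor's asymmetric signature here;
# HMAC is used only so this example runs with the standard library.
DEVICE_UPDATE_KEY = b"example-provisioned-key-do-not-use"

# Assumed image layout: 4-byte magic, 4-byte version, 4-byte payload length,
# payload bytes, then a 32-byte authentication tag over header + payload.
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32


def build_image(version, payload, key=DEVICE_UPDATE_KEY):
    """Assemble an authenticated image; used here only to construct inputs."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def check_update(image, installed_version, key=DEVICE_UPDATE_KEY):
    """Return (accepted, reason) for a candidate image.

    Rejects truncated or malformed images, images whose tag does not verify
    (tampered or unauthenticated source), and any version that is not newer
    than what is installed (downgrade to a known-bad release).
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image"
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    body_end = HEADER.size + length
    if body_end + TAG_LEN != len(image):
        return False, "length mismatch"
    expected = hmac.new(key, image[:body_end], hashlib.sha256).digest()
    # Constant-time comparison: the tag check must not leak timing.
    if not hmac.compare_digest(expected, image[body_end:]):
        return False, "authentication failed"
    if version <= installed_version:
        return False, "rollback to version %d refused" % version
    return True, "ok"


if __name__ == "__main__":
    # Constructed demonstration: a valid update, a rollback, and a tampered image.
    good = build_image(5, b"constructed payload")
    print("fresh image on v4:", check_update(good, 4))
    print("same image on v5:", check_update(good, 5))
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01  # flip one payload bit
    print("tampered image on v4:", check_update(bytes(tampered), 4))
```

The version comparison is deliberately strict (`<=`), so re-applying the installed release is refused as well; an updater that needs a re-flash path should require an explicit, separately authenticated maintenance action rather than loosening the check.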

In the 2015 attack on the Ukrainian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries developed malicious firmware for the serial-to-Ethernet devices which rendered them inoperable and severed connections between the control center and the substation.[2]

Procedure Examples

  • The malicious shellcode Triton uses is split into two separate pieces: inject.bin and imain.bin. The former program is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that actually performs the additional malicious functionality. The payload (imain.bin) is designed to take a TriStation protocol "get main processor diagnostic data" command, look for a specially crafted packet body, and perform custom actions on demand. It is able to read and write memory on the safety controller and execute code at an arbitrary address within the firmware. In addition, if the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to make changes to the running firmware in memory. This allows Triton to change how the device operates and would allow for the modification of other actions that the Triton controller might make.[3]

Mitigations

  • Access to device configuration settings should be restricted. IT products should be secured, in the most restrictive mode, on par with ICS operational requirements.[4]
  • Maintain and patch module firmware, checking to ensure the version and state are as expected. Firmware that requires a cryptographic key will be harder for the adversary to alter.[4]
  • Be wary of improper modifications before, during, and after system implementation.[4]
  • Enforcing proper firmware update policies and procedures may help distinguish intended update activity from malicious activity. Require source and data authentication, at a minimum, as part of this process.[4]
  • Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network. Take care to keep backups and stored data in secure, protected locations.[4]
  • Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.[4]
  • Hold new acquisitions to strict security requirements; be sure they are properly secured and haven't been tampered with. Monitor existing module firmware with applicable assessments to ensure devices are at the expected versions.[4]
  • Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.[4]
  • Limit access to the network and require authentication as a barrier. Test access to field devices from outside the network, to help determine if an adversary could reach them.[4]
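Two of the mitigations above (checking that firmware version and state are as expected, and distinguishing intended update activity from malicious activity) reduce to routine comparisons that a monitoring job can run. The Python below is an added example, not code from the ATT&CK for ICS page or any vendor tool: it compares a polled firmware inventory against a baseline and flags version drift, image-hash mismatches and unknown devices, then scans sequential-event-recorder style lines for firmware updates that fall outside an approved change. The device names, versions, hashes, event lines and the approval set are all constructed for the example, and the event line format is an assumption.

```python
import hashlib


def fw_hash(label):
    """Hash of a constructed image label; real values come from the device or vendor."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed baseline: the version and image hash each controller should run.
BASELINE = {
    "plc-01": {"version": "3.2.1", "sha256": fw_hash("plc-01 fw 3.2.1")},
    "rtu-07": {"version": "1.9.0", "sha256": fw_hash("rtu-07 fw 1.9.0")},
    "sis-02": {"version": "10.4", "sha256": fw_hash("sis-02 fw 10.4")},
}

# Constructed inventory as a poll of the devices would report it. rtu-07 reports
# the expected version but a different image, sis-02 is behind, ied-13 is unknown.
INVENTORY = [
    {"device": "plc-01", "version": "3.2.1", "sha256": fw_hash("plc-01 fw 3.2.1")},
    {"device": "rtu-07", "version": "1.9.0", "sha256": fw_hash("rtu-07 fw 1.9.0 modified")},
    {"device": "sis-02", "version": "10.3", "sha256": fw_hash("sis-02 fw 10.3")},
    {"device": "ied-13", "version": "2.0", "sha256": fw_hash("ied-13 fw 2.0")},
]

# Constructed event-recorder lines; the "<timestamp> <device> <event> ..." layout is assumed.
EVENTS = [
    "2024-03-12T02:10:00 rtu-07 FIRMWARE_UPDATE source=10.0.5.21",
    "2024-03-14T09:30:00 plc-01 FIRMWARE_UPDATE source=10.0.1.10",
    "2024-03-14T09:31:00 plc-01 RESTART",
]

# Constructed change approvals: (device, date) pairs with an approved update.
APPROVED_UPDATES = {("plc-01", "2024-03-14")}


def check_inventory(inventory, baseline):
    """Return (device, finding) pairs for anything that deviates from the baseline."""
    findings = []
    seen = set()
    for rec in inventory:
        dev = rec["device"]
        seen.add(dev)
        expected = baseline.get(dev)
        if expected is None:
            findings.append((dev, "device not in baseline"))
        elif rec["version"] != expected["version"]:
            findings.append((dev, f"unexpected version {rec['version']} (expected {expected['version']})"))
        elif rec["sha256"] != expected["sha256"]:
            # Same version string but a different image is the case a version-only check misses.
            findings.append((dev, "image hash differs from baseline at expected version"))
    for dev in baseline:
        if dev not in seen:
            findings.append((dev, "device did not report firmware state"))
    return findings


def check_update_events(events, approved):
    """Flag FIRMWARE_UPDATE events with no approved change for that device and day."""
    findings = []
    for line in events:
        fields = line.split()
        if len(fields) < 3 or fields[2] != "FIRMWARE_UPDATE":
            continue
        ts, dev = fields[0], fields[1]
        if (dev, ts[:10]) not in approved:
            findings.append((dev, f"firmware update outside approved change at {ts}"))
    return findings


if __name__ == "__main__":
    for dev, finding in check_inventory(INVENTORY, BASELINE) + check_update_events(EVENTS, APPROVED_UPDATES):
        print(f"{dev}: {finding}")
```

The hash comparison is what catches the rtu-07 case: a modified image that keeps its reported version string passes a version-only check, which is why the mitigation asks for both version and state.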