A new solution to prevent “Supply Chain Attacks” and ensure the integrity of the firmware/software installed in OT / Critical environments
In November 2014 we published this entry, in which we explained how the Dragonfly APT group had been able to:
- Access the firmware download areas of Mesa Imaging (supplier of cameras used for vision in guided vehicles in industrial environments), eWon and MB Connect (suppliers of remote access and remote maintenance solutions for industrial environments).
- Modify the legitimate software/firmware (mainly drivers) and the certificates issued by the manufacturers, embedding malware (specifically a Trojan) in the firmware.
- Leave this “modified” firmware available to users, so that the infection took place through the download and installation of the illegitimate firmware.
The cunning of the APT group, together with, most probably, the absence of procedures and systems for comparing the original hash published by the manufacturer with the hash of the downloaded firmware, led to the infection of companies in the pharmaceutical, food, beverage and water sectors.
This type of attack, known as a “Supply Chain Attack”, is becoming more common. In fact, the latest report published by ENISA (ENISA Threat Landscape 2018) mentions this threat on several occasions.
With the aim of preventing this type of attack, Eric Byres, founder of Tofino, in collaboration with the DHS (Department of Homeland Security), has created a new company called aDolus, which has developed a solution called FACT (Framework for Analysis and Coordinated Trust).
How Does FACT Work?
In summary, FACT works like this:
- Manufacturers that develop software, or devices that ship with firmware/software, subscribe to the aDolus service (through the FACT solution).
- Companies (end users) that run this software or these devices can validate new patches and updates before installing them on critical equipment.
The following figure, accessible here, summarizes how FACT works.

A) Vendors create a Digital Fingerprint
Manufacturers certified by aDolus create a “digital fingerprint” of the legitimate software/firmware they have developed. This “digital fingerprint” is transferred to the aDolus server over an encrypted channel.

B) FACT verifies the authenticity of the firmware/software
Within FACT, the authenticity of the submitted files is verified and the fingerprints are stored in what is called the “Trust Repository”.
From the Trust Repository, the software is then analysed in depth: its sub-components are identified and checked for known vulnerabilities.

C) The “Asset Owner” checks the integrity of the firmware/software they want to install
The user obtains the firmware/software they want to install or update in their critical or production environment in the usual way (DVD, download, ISO, etc.).
With the downloaded firmware/software, they access FACT and, using the client tool, create their own “digital fingerprint” of that firmware/software.
D) FACT carries out the comparison between both Digital Fingerprints
FACT compares the manufacturer’s digital fingerprint (held in the Trust Repository) with the digital fingerprint generated by the user.
If they match, the software/firmware is legitimate; otherwise, it has been modified or altered. In addition, FACT provides a score for the security level of the firmware/software, along with an analysis of the main vulnerabilities found.
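The following is an added example, written for this post, of the fingerprint-and-compare flow described in steps A to D; it is not aDolus/FACT code, and the record fields, the repository API and the firmware bytes are constructed here for illustration. It also shows the detail that the Dragonfly case hinges on: a checksum published next to the download proves nothing when the attacker controls the download area, so the comparison must be against a fingerprint registered earlier through a separate channel.

```python
"""Vendor fingerprint vs. asset-owner fingerprint, modelled on the FACT flow above.

Added example for this post; it is not aDolus/FACT code. The record fields,
the repository API and the firmware bytes below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Only collision-resistant algorithms are accepted for a registered fingerprint.
ALLOWED_ALGORITHMS = ("sha256", "sha384", "sha512")


@dataclass(frozen=True)
class Fingerprint:
    """What a vendor registers (step A): who, what, which version, and the digest."""
    vendor: str
    product: str
    version: str
    algorithm: str
    digest: str   # hex digest of the whole image
    size: int     # byte length, a cheap first check


def fingerprint_image(data: bytes, vendor: str, product: str, version: str,
                      algorithm: str = "sha256") -> Fingerprint:
    """Compute the digital fingerprint of an image (vendor and asset owner run the same code)."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"weak or unknown digest algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).hexdigest()
    return Fingerprint(vendor, product, version, algorithm, digest, len(data))


class TrustRepository:
    """Out-of-band store of vendor fingerprints (step B).

    A checksum published beside the download offers nothing when the attacker
    controls the download area, as in the Dragonfly case: file and checksum are
    replaced together. A record registered here earlier, by the vendor, over a
    separate authenticated channel, is what the asset owner compares against.
    """

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str, str], Fingerprint] = {}

    def register(self, fp: Fingerprint) -> None:
        key = (fp.vendor, fp.product, fp.version)
        existing = self._records.get(key)
        if existing is not None and existing != fp:
            # A second, different fingerprint for the same version is itself a red flag.
            raise ValueError(f"conflicting fingerprint already registered for {key}")
        self._records[key] = fp

    def lookup(self, vendor: str, product: str, version: str) -> Optional[Fingerprint]:
        return self._records.get((vendor, product, version))


def verify_image(repo: TrustRepository, data: bytes,
                 vendor: str, product: str, version: str) -> Tuple[bool, str]:
    """Steps C and D: fingerprint the downloaded image and compare with the vendor's record."""
    trusted = repo.lookup(vendor, product, version)
    if trusted is None:
        # Unknown is not the same as good: refuse rather than assume.
        return False, "no vendor fingerprint registered; cannot establish trust"
    local = fingerprint_image(data, vendor, product, version, trusted.algorithm)
    if local.size != trusted.size:
        return False, f"size mismatch: {local.size} vs {trusted.size} bytes"
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(local.digest, trusted.digest):
        return False, "digest mismatch: the image has been modified or altered"
    return True, "digest matches the vendor fingerprint"


# --- Constructed sample data (not a real firmware image) ---------------------
VENDOR, PRODUCT, VERSION = "ExampleVendor", "ExamplePLC", "1.0"
GENUINE_IMAGE = b"FWIMG\x01\x00" + bytes(range(256)) * 4
# Same length as the genuine image, 16 bytes patched: a size check alone would not catch it.
TAMPERED_IMAGE = GENUINE_IMAGE[:512] + b"\x90" * 16 + GENUINE_IMAGE[528:]


def build_repository() -> TrustRepository:
    """Steps A and B: the vendor fingerprints the genuine image and registers it."""
    repo = TrustRepository()
    repo.register(fingerprint_image(GENUINE_IMAGE, VENDOR, PRODUCT, VERSION))
    return repo


if __name__ == "__main__":
    repo = build_repository()
    for label, image in (("genuine", GENUINE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        ok, reason = verify_image(repo, image, VENDOR, PRODUCT, VERSION)
        print(f"{label:9s} -> {'OK' if ok else 'REJECT'}: {reason}")
    ok, reason = verify_image(repo, GENUINE_IMAGE, VENDOR, PRODUCT, "9.9")
    print(f"unknown   -> {'OK' if ok else 'REJECT'}: {reason}")
```

Two design choices are worth noting. A version with no registered fingerprint is rejected rather than waved through, because the asset owner has no basis for trust in that case. And the repository refuses a second, conflicting fingerprint for an already registered version, since a legitimate vendor re-issues a new version rather than silently changing the bytes of an old one.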

Do You Want to See an Example?
Below is an example of how this flow plays out in aDolus.
1. A user has to update the firmware of a Rockwell PLC and is given the file “PN-85386.bin” for this purpose. Can it be trusted?

2. In FACT it can be seen that the file carries a certificate issued by the manufacturer.


3. In the following case, it can be seen that the firmware to be analysed is composed of sub-modules that contain specific vulnerabilities, and its installation is not recommended.



Without a doubt, consulting and engineering firms now have an excellent solution for ensuring that the software/firmware deployed in critical environments has not been tampered with. In parallel, it is essential to have a control model in which specific policies and procedures have been designed and written down, standardising the way of working whenever software/firmware has to be updated or introduced into OT environments.