How NIST SP800-193 Supports Resiliency

December 27, 2024

Blog

NIST SP800-193 “Platform Firmware Resiliency Guidelines” was designed to encourage and outline resiliency in the IoT.

The term “Internet of Things” or IoT came to be around two decades ago, at the boom of the Internet. At that time, experts envisioned that every system or appliance will be smart and have some internet connectivity that will serve some advanced features. This term was coined mostly to differentiate stand-alone connected devices from more traditional computers and servers, where regular manual servicing was the norm. At those times, cybersecurity was only considered in the scope of computers and servers and was a rarely used or understood concept for other types of equipment. Usability and innovation were getting the focus.

As time passed, more and more types of equipment came on-line, including mobile devices, networking, industrial control, home appliances, and always-on-always-connected PCs. As there was no guidance, each vendor had their way about security or lack thereof. With the rise of connectivity came cybersecurity risks, capable connected devices became target for remote hackers that seek to exploit the capabilities of such devices for their own needs. It could be simply to abuse the connected system, use it as attack vector to a more complicated attack or create bots that will one day unleash a large-scale cyber-attack.

As these connected devices evolve, economy becomes more and more dependent on their functionality and operation. What used to be novelty is now a major pillar of modern society. Infrastructure, utility, households, and government agencies all depend on the correct operation of connected equipment to maintain stable day to day living.

This led the US National Institute for Standards in Technology (NIST) to publish NIST SP800-193 “Platform Firmware Resiliency Guidelines” in May 2018. This publication targets every connected device which runs any sort of firmware. From large and complex servers and all the way to small and embedded controllers. This publication and its principles will be explored here.

NIST SP800-193 (abbreviated ‘193’ from here on) discusses the concept of “Resiliency” i.e. making a system or platform resistant to malfunction due to malicious attacks or spontaneous errors. At the basis of resiliency there are 3 pillars:

Protection is all about ensuring that platform code and data remain in state of integrity. Integrity does not mean it has not been modified but rather that it is in a state that allows correct operation as required by the vendor, user, and infrastructure. For code, this means that a verified, trusted version of the code is running the system. For data, it means that data was only modified by authorized entities and processes.

Detection is the capability of the platform to identify corruption to code and critical data and alert. Detection must be handled by a separate layer since compromised code cannot be trusted to test itself or its relevant data.

Recovery is the capability of the system to return to a correct working state in terms of code and critical data.

When implementing protection, detection and recovery, a system can be trusted to continue operation throughout cyber-attacks and various spontaneous errors.

SP800-193 only covers resiliency of firmware and critical data. It does not cover loss or corruption of other data or any hardware of physical damage to the system.

Protection

Keeping the firmware in a state of integrity allows it to be trusted: used as Root of Trust. The user and infrastructure can rely on the functionality of the firmware to correctly operate the system and verify the authenticity and integrity of other parts of firmware before executing them

Cryptographic Write Protection

Cryptographic write protection allows the platform designer to protect sections of the flash device from erase or program operations. The only way to carry out programs or erase to these sections is via a cryptographic authentication process that requires knowledge of cryptographic keys securely stored in an inaccessible part of the flash device. These keys are unknown to an attacker as they are not present in cleartext in the system. These keys are also designed to be unique per system, preventing wide-spread compromise of systems should a single instance be attacked and broken.

Authenticated Update Mechanism

SP800-193 requires that the system firmware will be updated in a timely manner to patch security vulnerabilities. ‘193 requires that the update will be done via an authenticated update mechanism, ensuring that the update is authentic (true to source) and integral (complete and unmodified). Firmware updates must thus be provided with a signed digest allowing the system to ensure that the update code is genuine, complete, and unmodified.

Detection

SP800-193 requires that the system will detect unauthorized changes to firmware and critical data before it is executed or used. Upon detection the system may initiate a recovery process.

Recovery

Recovery mechanism should restore the platform firmware and critical data to a valid and authorized state when it is detected to have been corrupted.

Summary

NIST SP800-193 outlines the requirements from a system in order to make it resilient to firmware and critical data corruption either by malicious attacks or malfunction. These requirements can only be fulfilled by a dedicated protection layer. Such protection layer is rooted in immutable code that is very difficult to implement.

For more details, contact us at [email protected] or visit our Secure Flash web page.