Automated Firmware Analysis for Electric Grid and Building Automation Systems
Daniel Quinlan | Lawrence Livermore National Lab
Software is increasingly being integrated into hardware devices. Most software vendors define a process that includes certificate signing; however, the software (firmware) is routinely updated without any direct validation steps to check its integrity. Software integrated into critical devices is often of unknown origin and is assembled by the vendor using 3rd party libraries for which the source code is unavailable (a supply chain risk). The research team will add additional binary analysis tools to this projects evolving collection to demonstrate:
- How to mitigate risks specific to supply chain management of software embedded within critical infrastructure (both power substations and building automation systems) and evaluate firmware for both known specific vulnerabilities and arbitrary unknown vulnerabilities.
- How to test the firmware on devices, which form critical components of the electric grid and building automation system infrastructure.
- How firmware analysis can be added to existing security assessments and best practices. The research team's work addresses a growing problem specific to supply chain integrity for modern devices that are increasingly controlled by software on the device in place of mechanical mechanisms. Ultimately, the team will demonstrate how to mitigate the risk of a cyber-attack from firmware upgrades to both critical electric grid infrastructure and building automation systems.
Technology has been developed within the Department of Energy (DOE) for static and dynamic analysis of software. This includes both binary executables and source code. The research team has developed specific tools for the analysis of binary executables, which support a range of common instruction set architectures (ISAs). The team will demonstrate how to use these tools to define a process that will mitigate security vulnerabilities in the common maintenance steps that currently update firmware within critical device infrastructure. An increasing number of devices within both building automation and power substations combine hardware and software running directly on the hardware (firmware). The research team has developed tools and an ability to build custom tools that can perform analysis on such firmware. Static analysis can identify properties of the software executables that hold for a broad range of inputs while dynamic analysis can define behavior of specific inputs—sometimes with greater precision. Both technologies are essential and can be used together. The research team developed our technologies using Lawrence Livermore National Laboratory (LLNL)’s ROSE software analysis framework, an open-source framework specifically supporting the development of custom analysis tools. This enables the team to make tools available for both vendors and end users, thus improving future processes to make firmware on critical device infrastructure more secure for Department of Defense (DoD).
This project will demonstrate a new technology and a process for applying this technology to mitigate cyber risk within the context of facility maintenance and protection within DoD base electrical substations and building automation systems (BASs). The research team will define an automated process for risk and vulnerability analysis of firmware upgrades. The team will work with emerging efforts to centralize the analysis of firmware to provide tools to assess vulnerabilities in firmware and directly assess risks across DoD. This will directly result in improved supply chain integrity for mission-critical energy delivery systems and mitigate time lost to cyber-attacks. The research team expect to tailor the process to the requirements of the facility management of electrical substations and provide DoD with enhanced security of its base electrical facilities. This work will be replicable to all facilities that have electrical substations with similar firmware-controlled devices. The team's novel approach represents a second line of defense beyond the vendors’ testing, and it will identify vulnerable firmware on critical systems. The costs of these enhanced processes are offset by reduced risk of economic and mission impact from a compromised electrical system.