The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently released a guide to protect Baseboard Management Controllers (BMCs). It states:
Organisations need to take action to secure servers with BMCs. To assist network defenders in this, the NSA and CISA jointly released the Cybersecurity Information Sheet, “Harden Baseboard Management Controllers.”
The guidance includes recommendations and mitigations for network defenders to secure their systems.
The risks associated with the compromise of the BMC have been well understood for many years. At some level, it’s surprising it has taken such a long time for such guidance to be issued. At SoftIron, our secure-by-design approach means it has been an area of focus for us from the outset.
In fact, as I wrote about in my previous blog post, SoftIron is proud to have received U.S. patent number 11,321,203 “Merged infrastructure for manufacturing and lifecycle management of both hardware and software”. This encompasses the novel baseboard management controller (BMC) SoftIron has pioneered as a key component of modular server architecture.
Unlike most other IT vendors today, SoftIron solely designs and manufactures its own products from the component level up, in-house. This results in a modular hardware and software architecture providing freedom to balance function, performance and value depending on customer requirements and usage models. The BMC is a foundational element that underpins this approach. Using SoftIron’s patented system architecture, the BMC can passively determine the various installed modules, including the motherboard, and create an initial device tree. From that point the entire “footprint” of the system configuration is known, enabling the BMC to complete initial and subsequent programming for the entire product. With a superset of device drivers to address different hardware combinations and the ability to access the main driver memory, the BMC can use the hardware footprint to dynamically configure the device driver set prior to main processor activation. This technology is also uniquely capable of addressing some of the CISA CSI guidelines (3-8).
Guideline 3 – Harden Configurations
Consult vendor guides and recommendations for hardening BMCs against unauthorized access and persistent threats. UEFI hardening configuration guidance may apply to many BMC settings.
SoftIron’s patented BMC can autonomously determine the exact hardware and system configuration of the server at any time, especially after upgrades and downgrades. This configuration can be compared to a reference library, enabling validation against a set of known good hardware components. The discovered hardware configuration can then be used to create a set of drivers, from a reference driver library, that explicitly matches the discovered hardware. Using this set of validated drivers, the BMC can automatically provide hardened drivers to the server. This can include updating the UEFI firmware directly. Periodically the BMC will request, or automatically receive, driver updates for that configuration. These updates can be provided directly to the BMC via its own independent network or USB connection. These updates will be applied and the system rebooted to further harden the environment.
Guideline 4 – Perform Routine BMC Update Checks
BMC updates are delivered separately from most other software and firmware updates. Establish a routine to conduct monthly or quarterly checks for BMC updates according to the system vendor’s recommendations and scheduled patch releases. Combine BMC update installations with routine server maintenance and scheduled downtime when possible. Note that some servers require a restart after BMC updates, while some can restart the BMC independent of the OS or VMM. BMC updates may be provided via the internet, a local executable, an image stored on removable media, or network file storage.
SoftIron’s patented BMC can routinely check and verify the specific configuration of the server hardware. The check can be scheduled to execute autonomously via the operating system. This includes checks of any sub-component additions or subtractions prior to power-on. The individual hardware configurations of the sub-components are also collected and verified. Using this extensive hardware inventory, the BMC can reference a set of supplied drivers for that hardware configuration. This driver library contains a superset of hardware drivers such that new, up-to-date drivers can be supplied for any new hardware that is discovered. The existing driver set can be updated with the new driver information automatically. If required, the BMC can reboot the server as a result of the driver upgrade.
Guideline 5 – Monitor BMC Integrity
Monitor integrity features for unexpected changes and platform alerts.
As a result of scanning and verification, SoftIron’s patented BMC can verify operating parameters, such as expected supply voltage and associated firmware, against a reference library. The scan data can be compared to a reference configuration stored in a secure local location within the BMC itself. The BMC can thwart certain suspected attacks by preventing a system boot operation in the event of detected variances. Alternatively, it can take other remediation actions, including powering off the server.
Guideline 6 – Move Sensitive Workloads to Hardened Devices
Place sensitive workloads on hardware designed to audit both the BMC firmware and the platform firmware.
SoftIron’s patented BMC can provide the results of autonomous hardware/firmware audits to the main system processor. This allows the system to determine if it is safe to process sensitive loads. Further, the BMC can prevent system reboot if the hardware/firmware fails its audit against a reference configuration.
Guideline 7 – Use Firmware Scanning Tools Periodically
Some modern EDR and platform scanning tools support BMC firmware capture. Establish a schedule to collect and inspect BMC firmware for integrity and unexpected changes. Include firmware audits in comprehensive anti-malware scanning tasks.
Within SoftIron’s patented BMC, the inventory created by the BMC includes the BMC infrastructure itself. As a result, the BMC can compare its operating firmware to a known good copy stored in the firmware reference library.
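The reference comparison described under Guidelines 5 and 7, sketched as an added example; this is not SoftIron's code, and the component names, firmware bytes, voltages and tolerances are constructed assumptions. The inventory includes the BMC itself, and any variance from the reference blocks the boot.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Reference:
    firmware_sha256: str  # digest of the known good firmware image
    supply_mv: int        # expected supply voltage in millivolts
    tolerance_mv: int     # permitted deviation in millivolts

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def audit(reference, scan):
    """Compare a scan {name: (firmware_bytes, supply_mv)} with the reference."""
    findings = []
    for name in sorted(reference.keys() - scan.keys()):
        findings.append(f"{name}: expected component missing")
    for name in sorted(scan.keys() - reference.keys()):
        findings.append(f"{name}: component not in reference")
    for name in sorted(reference.keys() & scan.keys()):
        ref, (image, supply_mv) = reference[name], scan[name]
        if sha256_hex(image) != ref.firmware_sha256:
            findings.append(f"{name}: firmware digest mismatch")
        if abs(supply_mv - ref.supply_mv) > ref.tolerance_mv:
            findings.append(f"{name}: supply voltage {supply_mv} mV out of range")
    return findings

def boot_decision(findings):
    # Any variance blocks the boot, the remediation the text describes.
    return "block-boot" if findings else "allow-boot"

# Constructed sample data (assumptions, not real firmware or vendor values).
GOOD_BMC, GOOD_UEFI = b"bmc-fw-1.0 sample", b"uefi-fw-2.3 sample"
REFERENCE = {
    "bmc": Reference(sha256_hex(GOOD_BMC), 3300, 165),
    "motherboard": Reference(sha256_hex(GOOD_UEFI), 12000, 600),
}
CLEAN_SCAN = {"bmc": (GOOD_BMC, 3310), "motherboard": (GOOD_UEFI, 11950)}
CHANGED_SCAN = {
    "bmc": (GOOD_BMC + b"\x00", 3310),   # firmware differs by one byte
    "motherboard": (GOOD_UEFI, 13100),   # supply voltage out of tolerance
    "nic1": (b"unknown", 3300),          # module absent from the reference
}

if __name__ == "__main__":
    for label, scan in (("clean", CLEAN_SCAN), ("changed", CHANGED_SCAN)):
        result = audit(REFERENCE, scan)
        print(label, boot_decision(result), result)
```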
Guideline 8 – Do Not Ignore BMCs
Treat an unused BMC as if it may one day be activated. Apply patches. Harden credentials. Restrict network access.
SoftIron’s patented BMC can be independently powered from the main system via a USB or Ethernet interface. As such, the BMC can periodically be powered on, updated and then powered down. This ensures that during every audit cycle, any BMC components not in use can be individually patched with hardware configurations, associated firmware and hardened configuration updates for their own configuration and corresponding components of the main server.
By augmenting standard BMC function and manufacturing all hardware subassemblies in-house, SoftIron provides high assurance levels throughout the complete lifecycle of its products. This allows the continuous self-certification of the provenance of all system components. The BMC can adjust the main system firmware to adapt to new system configurations or thwart attackers. Not only does this produce a wider range of secure products, but it also future-proofs customer hardware by seamlessly accommodating system upgrades.