IIoT Firmware Visibility – Under the Hood | Episode #99

Waterfall team

Waterfall team

Apple Podcasts Google Podcasts Spotify RSS Icon

Windows and Linux operating systems provide a lot of detail as to what software and versions of the operating system, applications & libraries are installed. Most firmware provides almost nothing – a single firmware version number. Thomas Pace, Co-Founder and CEO of NetRise joins us to look at gaining visibility into industrial device firmware and vulnerabilities.

Listen now or Download for later



SUBSCRIBE

THE INDUSTRIAL SECURITY PODCAST HOSTED BY ANDREW GINTER AND NATE NELSON AVAILABLE EVERYWHERE YOU LISTEN TO PODCASTS​

Go To The Podcast Channel ️

Thomas has spent several years working on industrial control system security at the US Department of Energy, and was previously  global vice president at Cylance where, among other things, he oversaw IIoT embedded firmware engagements for manufacturers and enterprise customers. He co-founded NetRise because he wanted to take his collective experience on risk identification, and automate previous work, by doing firmware analysis at scale.

IIoT Firmware - Podcast #99 - Guest Thomas Pace, CEO and Co-Founder of NetRise
Thomas Pace, CEO and Co-Founder of NetRise

What is IIoT Firmware and Why Does It Matter?

In the episode, Thomas talks about the difference between software and firmware, and how he helped to solve the lack of visibility into the contents of the digital blobs of code and data that power everything from microwave ovens and connected automobile systems, modern medical devices, and to the industrial PLCs and controllers that run our critical infrastructure and advanced manufacturing facilities worldwide. He describes many types of firmware, like IT, OT, medical, industrial, IIoT and IoT — which he collectively calls the Extended Internet of Things (XIoT). Thomas talks about his earlier frustration with a problem: why is it so easy to see the files, processes and software components running on, for example, Geoff’s laptop PC in Accounting, yet impossible to find out what’s running inside the PLC on the factory floor of his company’s automobile manufacturing plant?

“These are the things that are responsible for running our businesses, and yet we can’t tell you what software components are on them, we can’t tell you if there’s weak or default credentials on those devices in any meaningful way at scale.”

Thomas Pace

How does NetRise do it?

Thomas goes on to explain how IIoT firmware can be collected and analyzed at scale.

  1. Firmware is acquired in three major ways:
    • Scraping the internet, or downloaded from public or private vendor website portals
    • Obtained from customer uploads
    • Working directly with device manufacturers
  2. In-depth analysis on the firmware blob, including:
    • The type of operating system (RTOS, embedded linux, etc.)
    • Extracting integrated software components and libraries
    • Examining embedded filesystems
    • Identifying configuration and settings files
    • Detecting credentials (usernames and passwords)
    • Discovering Public and private encryption key pairs and certificates
    • Identifying known hashes (binary patterns)
IIoT Firmware - Podcast #99 - ATMEL Flash EEPROM - Source: Wikipedia
Firmware is often written to devices like this flash EEPROM (Electrically Erasable Programmable Read-Only Memory) [ Source: Wikipedia, CC4.0 Share-Alike ]

Thomas also describes what can be found in NetRise’s library of over 1 million firmware blobs, that make this approach very attractive to customers in government, medical, industrial and critical infrastructure, and even the device manufacturers themselves.

Peering Inside IIoT Firmware

More specifically what Thomas argues that it is a common misconception that you cannot get a view inside IIoT firmware devices. The same or very similar visibility is possible with devices running firmware as you get with laptops, desktops and severs. With the right data, tools, and analysis you can generate a wealth of information, such as:

  • Insights into versions of integrated applications, packages, libraries, and OS kernels
  • Producing Software Bll Of Materials (SBOMs) in industry standard formats
  • List of known vulnerabilities in the embedded software components
  • Private and public key pairs, cryptographic signatures, and certificates
  • Embedded software configurations and settings

“Most people are totally unaware that there is an option to get this kind of visibility and depth of analysis at scale. [ … ] The way you make change is shining a light on problems, giving people access to the data, and then making decisions to reduce that risk over time.”

Thomas Pace

Listen to the episode for all these insights and more.

Previous episodes

Share

Stay up to date

Subscribe to our blog and receive insights straight to your inbox