Data Center Risks and Countermeasures

Infineon / Mitsubishi / Fuji / Semikron / Eupec / IXYS

Data Center Risks and Countermeasures

Posted Date: 2024-01-30

Is your server firmware secure? Better make sure!

Microchip Technology Inc.
Data center business unit manager
Kyle Gaede

In today's digital world, data is king. By applying data analytics to inform new products or services, organizations can gain a significant competitive advantage. In addition, with the support of technologies such as 5G and the Internet of Things, devices can connect to the Internet to share data more easily than ever before. This has triggered an explosion of new data; research and analytics firm Statista predicts that by 2025, the amount of data created globally will reach 180 zettabytes. The wealth of information captured in this data (credit card numbers, social security numbers, proprietary IPs) makes it an attractive target for hackers, and as the amount of data collected and stored in data centers grows, cyberattacks against them innovate. The nature and complexity are also increasing day by day.

Firmware in central processing units (CPUs), graphics processing unit (GPU) storage devices, and network cards are particularly tempting targets because, as fundamental elements of electronic systems, they would be more difficult to detect if compromised. Protecting the data in these devices from theft has long been critical. In fact, in the largest data centers, these devices now tend to be well protected.

In search of other potential vulnerabilities, malicious hackers are increasingly targeting server components when trying to attack data centers. For many common semiconductor components in servers, such as embedded controllers that control the boot sequence, fan control, and battery management, the firmware can be compromised or replaced with fake firmware, allowing hackers to gain unauthorized access to the server. data on the server or interfere with normal server operations.

Firmware attacks are highly stealthy because server component firmware is loaded before the server's operating system is running and before any anti-malware features take effect. This also makes firmware attacks difficult to detect, and even if detected, difficult to neutralize.

However, many companies don’t pay enough attention to firmware security. In a survey of IT and security decision-makers commissioned by Microsoft, respondents believed firmware vulnerabilities were nearly as damaging as software or hardware vulnerabilities, yet less than a third of security budgets were devoted to protecting firmware.

Vulnerabilities are destructive

Security budget percentage

Most vulnerable to cyber threats













Chart source: Microsoft Security Signals, March 2021

Enterprises must take data center firmware security seriously or suffer the consequences. To this end, IT and security teams should focus on three factors when considering firmware security.

Establish device authenticity

Servers' motherboards, workload accelerators, and post-purchase-installed add-on boards are designed and manufactured worldwide by different vendors. The supply chain for these devices is vulnerable, and illegitimate firmware or hardware can be installed onto circuit boards at various stages of production and testing, waiting for unsuspecting customers to install compromised devices in servers. IT teams must ensure that any hardware they add to servers can verify that the new hardware is operating according to specifications.

Establish code authenticity

Data theft isn't the only problem caused by compromised firmware; IP theft can also impact component manufacturers' profitability and reputation. As mentioned earlier, semiconductors are typically manufactured in one country, packaged in another, and finally integrated into a system in a third country.

With so many touch points in the supply chain, unscrupulous contractors can easily copy a vendor's firmware, install it on unauthorized chips, and then sell counterfeit parts on the gray market. Not only does this impact the original supplier's bottom line, it can also damage their reputation if the counterfeit device performs poorly.

Keep data safe

Encryption is a proven method of preventing unauthorized access to data, but new encryption threats are causing concern in the cybersecurity world. If applied correctly, quantum computing can break even the most complex encryption techniques.

Today, most enterprises use 128-bit and 256-bit encryption; such measures are sufficient to protect data from the most determined attackers using traditional computing techniques. However, quantum computing can process data at an exponentially faster rate and may take only days to break encryption algorithms that might take decades to crack using traditional computing methods.

Protect your firmware with HRoT and robust encryption

Thankfully, in 2018, the National Institute of Standards and Technology (NIST) released SP 800-193 guidance for platform firmware resiliency. According to NIST, these guidelines provide “security mechanisms to protect platforms from unauthorized (firmware) changes, detect unauthorized changes when they occur, and recover quickly and securely from attacks. This includes original equipment manufacturers (OEMs) and Implementers, including component/device vendors, can use these guidelines to build stronger security mechanisms within the platform. System administrators, security professionals, and users can use this document to guide procurement strategies and priorities for future systems."

The NIST SP 800-193 standard promotes the use of a "Hardware Root of Trust," or HRoT, to ensure that during the boot process, firmware loaded into server components is verified to be legitimate before activation. The HRoT component is the first component to be powered on when the server boots, and it contains the cryptographic elements required to authenticate its own firmware and the firmware of any components that are powered on after HRoT activation. By adding HRoT capabilities to the server's embedded controller, enterprises can protect the server not only throughout the boot process, but even before the operating system and anti-malware software are loaded and running.

NIST is also encouraging companies to adopt more advanced encryption algorithms. In 2016, NIST held a competition among the best cryptographers to develop algorithms that could withstand attacks based on quantum computing. The competition ended last year, and NIST announced four new encryption algorithms that will be included in its upcoming post-quantum encryption standardization project.

Cybersecurity is an arms race between guardians working to protect computer systems and attackers (including criminals and state-sponsored hackers) intent on compromising those systems. Both sides are constantly resisting each other's attacks. Firmware has become the latest battleground in this ongoing battle, and those businesses that neglect to include firmware in their threat assessments and security plans do so at their own peril.

#Data #Center #Risks #Countermeasures