What is Firmware Signing?
Firmware Signing is a security measure in which firmware files carry a digital signature. Only firmware that has been cryptographically signed by a trusted party may be installed or executed on a device.
In OT systems, firmware signing prevents attackers from installing malicious or tampered firmware on PLCs, RTUs or IIoT devices.
How does Firmware Signing work?
- Hashing: the firmware image is cryptographically hashed
- Digital signing: the hash is signed (encrypted) using the manufacturer's private key
- Verification at installation: the device validates the signature using the manufacturer's public key
- Validation failure = blocking: unsigned or tampered firmware is rejected
- Logging (optional): attempts to install unverified firmware can be logged
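The steps above as a worked example in Go, added here and not part of the original article: Ed25519 from the Go standard library signs a SHA-256 digest of the image, the device-side check rejects a tampered image, and every attempt is logged. The key seed, the firmware bytes and the function names are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Hash step: vendor and device hash the image the same way.
func firmwareDigest(image []byte) []byte {
	sum := sha256.Sum256(image)
	return sum[:]
}

// Signing step (vendor side): sign the digest with the vendor's private key.
func signFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, firmwareDigest(image))
}

// Verification step (device side): recompute the digest and check the
// signature against the public key baked into the device.
func verifyFirmware(pub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pub, firmwareDigest(image), sig)
}

// installFirmware models the device update path: a failed check blocks
// the install, and every attempt is logged for later review.
func installFirmware(pub ed25519.PublicKey, image, sig []byte, log *[]string) bool {
	if !verifyFirmware(pub, image, sig) {
		*log = append(*log, "REJECTED: signature does not match firmware image")
		return false
	}
	*log = append(*log, fmt.Sprintf("ACCEPTED sha256=%x", firmwareDigest(image)))
	return true
}

func main() {
	// Constructed vendor key pair; a real vendor keeps the seed in an HSM.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	image := []byte("PLC-FW v2.3 (constructed sample image)")
	sig := signFirmware(priv, image)
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // one flipped byte, as a corrupted download would have
	var log []string
	installFirmware(pub, image, sig, &log)    // accepted
	installFirmware(pub, tampered, sig, &log) // rejected
	fmt.Println(log)
}
```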
Relevance in an OT context
| Component | Application of Firmware Signing |
|---|---|
| PLC | Only firmware signed by the supplier may be loaded |
| HMI / SCADA | Protection against installation of altered or infected firmware |
| IIoT devices | Prevention of supply chain attacks via software integrity |
| Remote IO systems | Firmware updates of field components are only possible after validation |
Firmware Signing is an essential defence mechanism against persistent attacks via the supply chain, physical access or insider sabotage.
Firmware Signing vs. Secure Boot
| Security layer | Purpose |
|---|---|
| Firmware Signing | Prevents installation of unauthorised firmware |
| Secure Boot | Ensures the system only boots with trusted code |
The two measures work together: signing prevents unwanted installation, Secure Boot prevents unwanted execution.
CSIR classification
| Label | Reason |
|---|---|
| VSE | Firmware Signing is a system-level technical control at firmware level |
| VSP | Policies, supplier contracts and update procedures support the technology |
| Conformance | IEC 62443-3-3 SR 5.2 requires protection against firmware tampering |
Limitations and considerations
- Not all OT equipment supports firmware signing
- Some vendors keep signing proprietary (vendor lock-in)
- Signing keys must be securely managed (key management!)
- A flaw in the signing process can leave an asset unusable after an update
In summary
Firmware Signing safeguards the integrity of firmware before installation. In OT, this is crucial for protecting field devices against tampering, particularly during vendor updates, remote maintenance or physical access.
