CISA and NSA Publish BMC Hardening Guidelines

Written by

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released joint guidance on hardening Baseboard Management Controllers (BMCs).

Published on Wednesday, the document aims to address the overlooked vulnerabilities in BMCs, which can serve as potential entry points for malicious actors seeking to compromise critical infrastructure systems.

Read more on similar attacks: NCSC Warns of Destructive Russian Attacks on Critical Infrastructure

For context, BMCs are essential components embedded in computer hardware that facilitate remote management and control. They operate independently of the operating system and firmware, ensuring seamless control even when the system is powered down. 

However, because of their high privilege level and network accessibility, these devices make them attractive targets for malicious actors.

The joint guidance emphasizes the importance of taking proactive measures to secure and maintain BMCs effectively, adding that many organizations fail to implement even minimum security practices.

These shortcomings could result in BMCs being used by threat actors as entry points for various cyber-attacks, such as turning off security solutions, manipulating data or propagating malicious instructions across the network infrastructure.

To address these concerns, CISA and NSA recommend several key actions. These include protecting BMC credentials, enforcing VLAN separation, hardening configurations and performing routine BMC update checks.

Further, the agencies said organizations should also monitor BMC integrity, move sensitive workloads to hardened devices, use firmware scanning tools periodically and treat unused BMCs as potential security risks.

By following these recommendations, organizations can significantly enhance the security posture of their BMCs and reduce the risk of potential cyber threats.

For more information and detailed recommendations, organizations can refer to the official guidance document released by CISA and the NSA.

The new guidelines come weeks after the UK National Cyber Security Centre (NCSC) and other international security agencies issued a new advisory warning the public against Chinese cyber activity targeting critical national infrastructure networks in the US.

What’s hot on Infosecurity Magazine?