Election Security Spotlight – Hardware, Software, and Firmware

What it is:

Hardware, software, and firmware are the three core components that make up present-day computers and systems. Hardware includes the physical components of a computer system, which may wear out over time and require replacement. Software includes sets of instructions that allow a variety of inputs from the user. Firmware is a specific type (or subset) of software that is designed to act as the intermediary between the software and hardware or for the operation of single-purpose embedded systems, such as printers or routers. End users typically have limited interaction with firmware and it is modified infrequently. Examples of these core components include:

  • Hardware: Computer Processing Units (CPU), Random Access Memory (RAM), and Hard Drives (HDD)
  • Software: Internet browsers, operating systems (OS), and antivirus
  • Firmware: Basic Input/Output System (BIOS) and Extensible Firmware Interface (EFI)

Why does it matter:

Hardware, software, and firmware each have a role in the information technology (IT) that election officials use. In an election ecosystem, the physical voting machine is the hardware, the ballot programming application is the software, and barcode readers likely run on firmware. This is important to understand from a procurement perspective as election officials seek to obtain new equipment. Different components may be developed and manufactured by a variety of providers and then packaged by a single vendor. This has an impact on the need to conduct adequate supply chain risk management.

The differences between hardware, software, and firmware are important for patching and vulnerability management. Because hardware is a physical component, its vulnerabilities are difficult to remediate without complete replacement, though some can be mitigated through firmware updates. In the past, firmware was difficult to update because it typically resided on read-only memory. While updates are now more common, they have a relatively high risk of impacting functionality, so manufacturers are reluctant to provide them frequently. Software vulnerabilities are typically the easiest to remediate, traditionally through regular security updates. Software vulnerabilities remain the primary vector cyber threat actors use to exploit systems, making the software the most important system component to monitor and update with routine and ad hoc security patches.

Lastly, vendor end-of-support impacts hardware, software, and firmware differently. In some cases, end-of-support software may become unusable due to other dependencies, whereas end-of-support firmware will likely continue to operate as designed. Even after vulnerabilities are identified, the vendor will not issue a security notice or patch, but physical and software mitigations are sometimes available to secure end-of-support software and firmware. Meanwhile, as hardware approaches end-of-support, replacement parts have limited availability. For all components, support or troubleshooting is no longer provided at end-of-support.

What you can do:

Differences between hardware, software, and firmware require election officials to consider security holistically. Officials must plan for updates and obsolescence. Before any mitigations can be put in place, election offices must conduct an inventory of all of the hardware and software assets they are responsible for as outlined in CIS Controls 1 and 2. CIS encourages election offices to have their IT personnel routinely review and verify their inventory and ensure software and firmware are updated with the latest security patches and that hardware is functioning properly. The EI-ISAC Monthly Cybersecurity Advisory Summary highlights critical security patches for commonly used software throughout the previous month and can be used as a checklist to ensure systems are patched.
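The inventory review described above can be partly automated. The following sketch is an added example, not CIS or EI-ISAC tooling: it walks a constructed inventory and assigns follow-up actions that differ by component type, as the sections above describe. The asset names, versions, dates, action labels, and the 365-day warning window are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    kind: str                       # "hardware", "software" or "firmware"
    installed: Optional[str]        # installed version; None for hardware
    latest: Optional[str]           # latest version the vendor has released
    end_of_support: Optional[date]  # vendor end-of-support date, if known

def _ver(v: str) -> tuple:
    # Dotted numeric versions only (assumption); "4.10" sorts after "4.9".
    return tuple(int(part) for part in v.split("."))

def review(asset: Asset, today: date, warn_days: int = 365) -> list:
    """Return the follow-up actions for one inventory record."""
    actions = []
    if asset.kind in ("software", "firmware"):
        if not asset.installed or not asset.latest:
            actions.append("VERIFY_VERSION")
        elif _ver(asset.installed) < _ver(asset.latest):
            # Software patches are routine; firmware updates carry more risk
            # to functionality, so they are scheduled (assumed policy).
            actions.append("PATCH_NOW" if asset.kind == "software"
                           else "SCHEDULE_FIRMWARE_UPDATE")
    if asset.end_of_support is None:
        actions.append("ASK_VENDOR_FOR_EOS_DATE")
    elif asset.end_of_support < today:
        # Past end-of-support no patches arrive: hardware is replaced,
        # software and firmware get compensating mitigations meanwhile.
        actions.append("REPLACE" if asset.kind == "hardware"
                       else "MITIGATE_AND_PLAN_REPLACEMENT")
    elif (asset.end_of_support - today).days <= warn_days:
        actions.append("PLAN_REPLACEMENT")
    return actions

# Constructed sample inventory (names, versions and dates are made up).
INVENTORY = [
    Asset("voting-machine-01", "hardware", None, None, date(2026, 6, 30)),
    Asset("ballot-programming-app", "software", "4.9.2", "4.10.0", date(2029, 1, 1)),
    Asset("barcode-reader-fw", "firmware", "1.3", "1.3", date(2023, 12, 31)),
    Asset("office-workstation-os", "software", None, "11.2", None),
]

def review_inventory(today: date) -> dict:
    return {a.name: review(a, today) for a in INVENTORY}

if __name__ == "__main__":
    for name, actions in review_inventory(date(2025, 9, 1)).items():
        print(f"{name}: {', '.join(actions) or 'OK'}")
```

Records with missing versions or end-of-support dates are reported rather than skipped, since an incomplete inventory is itself a finding.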

When procuring new equipment, election officials should consider the need to assess the supply chain both for the equipment as a whole and for each component to ensure that unexpected vulnerabilities and modifications are not introduced. Best Practice 23 from CIS’s “Guide for Ensuring Security in Election Technology Procurements” provides valuable guidance for addressing supply chain concerns. Additionally, election officials should review the National Counterintelligence and Security Center’s “13 Elements of an Effective SCRM Program,” which provides recommendations on process auditability, security requirements, and risk mitigation.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].