Joint Guidance Report – Hardening Baseboard Management Controllers (BMCs)

WaterISAC regularly provides awareness of recent CISA reporting. While direct relevance to your utility/organization on the details of each report may vary, activity alerts, advisories, and information like this are practical for general awareness and greater understanding of active threats and adversary capabilities.

Yesterday, CISA and the National Security Agency (NSA) released a Cybersecurity Information Sheet (CSI), highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them.

This report is most useful to systems administrators for understanding the interest malicious actors have in exploiting firmware that has not been maintained. This CSI discusses BMC operation, its functions, the risks of not keeping them updated, and recommended actions to harden them. Members are encouraged to share this guidance document with system administrators or other contracted technology service providers to address the potential risks highlighted in this report. Access the report at CISA.