Security first: New NIST guidelines on securing BIOS for servers

August 22, 2012
Credit: ©Amy Walters/Shutterstock

The National Institute of Standards and Technology (NIST) is requesting comments on new draft guidelines for securing BIOS systems for server computers. BIOS—Basic Input/output System—is the first major software that runs when a computer starts up. Both obscure and fundamental, the BIOS has become a target for hackers.

Server manufacturers routinely update to fix bugs, patch vulnerabilities or support new hardware. However, while authorized updates to BIOS can improve functionality or security, unauthorized or malicious changes could be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization's systems or disrupt their operations. BIOS attacks are an emerging threat area. In September, 2011, a security company discovered the first malware designed to infect the BIOS, called Mebromi.*

An important mechanism for protecting BIOS in servers is to secure the BIOS update process, guarding against unauthorized BIOS updates. NIST's 2011 publication on BIOS security** provided instructions for protecting BIOS in desktops and laptops. The guidelines focused on the core principles of authenticating updates using digital signatures, BIOS integrity protection and "non-bypassibility" features that ensure that no mechanisms circumvent the BIOS protections.

BIOS Protection Guidelines for Servers addresses BIOS security in the varied architectures used by servers. "While laptop and desktop computers have largely converged on a single architecture for system BIOS, server class systems have a more diverse set of architectures, and more mechanisms for updating or modifying the system BIOS," says author Andrew Regenscheid. In addition, many servers contain service processors that perform a variety of management functions that may include BIOS updates, and this document provides additional security guidelines for service processors.

Servers require more flexibility, according to Regenscheid, because in addition to having different architectures, they are almost always managed remotely. BIOS Protection Guidelines for Servers is written for server developers and information system security professionals responsible for server security, secure boot processes and hardware modules. The draft publication BIOS Protections for , (NIST Special Publication 800-147B), is available at .

Explore further: Dell Delivers New Patch Solution to Simplify Server Updates

More information: NIST requests comments on this draft by Sept. 14, 2012. Please email all comments to

* Information on Mebromi:
** D.A. Cooper, W.T. Polk, A.R. Regenscheid and M.P. Souppaya. BIOS Protection Guidelines (NIST SP 800-147) is available at

Related Stories

How to Protect Your Web Server from Attacks

October 11, 2007

The National Institute of Standards and Technology has released a new publication that provides detailed tips on how to make web servers more resistant to potential attacks. Called “Guidelines on Securing Public Web Servers,” ...

PC BIOS soon to be replaced by UEFI

October 2, 2010

( -- The 25 year old PC BIOS will soon be replaced by UEFI (unified extensible firmware interface) that will enable PC's to boot up in a matter of seconds. In 2011 we will start seeing UEFI dominate new PC's, ...

Build safety into the very beginning of the computer system

April 29, 2011

A new publication from the National Institute of Standards and Technology (NIST) provides guidelines to secure the earliest stages of the computer boot process. Commonly known as the Basic Input/Output System (BIOS), this ...

Protecting computers at start-up: New NIST guidelines

December 21, 2011

A new draft computer security publication from the National Institute of Standards and Technology (NIST) provides guidance for vendors and security professionals as they work to protect personal computers as they start up.

Malware in BIOS stirs concern at Black Hat meet

August 2, 2012

( -- Security researcher Jonathan Brossard has drawn attention to a backdoor espionage problem that is in an ornery class by itself. Presenting his finds at the recent Defcon and Black Hat events, Brossard has shown ...

Recommended for you

The ethics of robot love

November 25, 2015

There was to have been a conference in Malaysia last week called Love and Sex with Robots but it was cancelled. Malaysian police branded it "illegal" and "ridiculous". "There is nothing scientific about sex with robots," ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.