Connect with us

Hi, what are you looking for?



US Government Releases Security Guidance for Open Source Software in OT, ICS

CISA, FBI, NSA, and US Treasury published new guidance on improving the security of open source software in OT and ICS.

Several US government agencies have teamed up to create new cybersecurity guidance for the use of open source software (OSS) in operational technology (OT).

Designed in line with CISA’s Open Source Software Security Roadmap, which was released in September, the new document (PDF) is meant to promote the understanding of OSS and its implementation in industrial control systems (ICS) and other OT environments, and to detail best practices on the secure use of OSS.

Authored by CISA, the FBI, the NSA, and the US Department of Treasury, the guidance provides recommendations on supporting OSS development, patching vulnerabilities, and using the Cross-Sector Cybersecurity Performance Goals (CPGs) for adopting security best practices.

According to the document, security concerns that OSS and OT share with all software systems include the existence of vulnerabilities in libraries and components, lack of commercial support, and insufficient documentation prior to implementation.

“OT systems are too often exposed to cyber threat actors targeting control systems and the critical infrastructure they operate. To counter these threats, the cybersecurity community recommends that defenders and operators keep all OT and IT systems up to date with patches and security updates to address known exploited vulnerabilities,” the guidance reads.

However, applying patches in OT may prove challenging because of the potential impact on other software, and the guidance recommends implementing ‘secure-by-design’ and ‘secure-by-default’ approaches to minimize the risk in OT.

Furthermore, the US agencies note, threat actors may attempt to exploit software updates to target the OT supply chain and replace the legitimate patches with malicious payloads, making transparency and verifiability two highly important supply chain risk management aspects.

“A reliable software supply chain for an OT system with OSS components provides assurance the system will behave as intended at the time of acquisition and that all OSS components have been appropriately vetted prior to use. This is also true for software supply chain information in general,” the US government agencies note.

Advertisement. Scroll to continue reading.

The OT/ICS industry, the agencies say, should provide support to the individuals and groups developing and maintaining key OSS projects, audit and improve their vulnerability management and reporting processes, implement patch deployment processes for OT/ICS environments, improve their authentication and authorization policies, and establish a common framework for using OSS.

The new guidance was published alongside the Securing OSS in OT web page, where organizations can access details on the Joint Cyber Defense Collaborative (JCDC) OSS planning initiative, meant to “support collaboration between the public and private sectors—including the OSS community—to better understand and secure OSS use in OT/ICS, which will strengthen defense against OT/ICS cyber threats”. 

OT/ICS organizations are encouraged to review the new guidance and implement its recommendations.

The new guidance comes one year after the Securing Software Supply Chain Series, three documents providing developers, software suppliers, and customers with guidance on securing the software supply chain.

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta

Related: CISA Releases New Identity and Access Management Guidance

Related: US Publishes Implementation Plan for National Cybersecurity Strategy

Related: Critical Infrastructure Organizations Urged to Identify Risky Communications Equipment

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).