Several US government agencies have teamed up to create new cybersecurity guidance for the use of open source software (OSS) in operational technology (OT).
Designed in line with CISA’s Open Source Software Security Roadmap, which was released in September, the new document (PDF) is meant to promote the understanding of OSS and its implementation in industrial control systems (ICS) and other OT environments, and to detail best practices on the secure use of OSS.
Authored by CISA, the FBI, the NSA, and the US Department of Treasury, the guidance provides recommendations on supporting OSS development, patching vulnerabilities, and using the Cross-Sector Cybersecurity Performance Goals (CPGs) for adopting security best practices.
According to the document, OSS deployed in OT shares several security concerns with all software systems, including vulnerabilities in libraries and components, a lack of commercial support, and insufficient documentation prior to implementation.
“OT systems are too often exposed to cyber threat actors targeting control systems and the critical infrastructure they operate. To counter these threats, the cybersecurity community recommends that defenders and operators keep all OT and IT systems up to date with patches and security updates to address known exploited vulnerabilities,” the guidance reads.
However, applying patches in OT may prove challenging because of the potential impact on other software, so the guidance recommends implementing ‘secure-by-design’ and ‘secure-by-default’ approaches to minimize risk in OT environments.
Furthermore, the US agencies note, threat actors may attempt to exploit software updates to target the OT supply chain and replace legitimate patches with malicious payloads, which makes transparency and verifiability two of the most important aspects of supply chain risk management.
“A reliable software supply chain for an OT system with OSS components provides assurance the system will behave as intended at the time of acquisition and that all OSS components have been appropriately vetted prior to use. This is also true for software supply chain information in general,” the US government agencies note.
The OT/ICS industry, the agencies say, should provide support to the individuals and groups developing and maintaining key OSS projects, audit and improve their vulnerability management and reporting processes, implement patch deployment processes for OT/ICS environments, improve their authentication and authorization policies, and establish a common framework for using OSS.
The new guidance was published alongside the Securing OSS in OT web page, where organizations can access details on the Joint Cyber Defense Collaborative (JCDC) OSS planning initiative, meant to “support collaboration between the public and private sectors—including the OSS community—to better understand and secure OSS use in OT/ICS, which will strengthen defense against OT/ICS cyber threats”.
OT/ICS organizations are encouraged to review the new guidance and implement its recommendations.
The new guidance comes one year after the Securing Software Supply Chain Series, three documents providing developers, software suppliers, and customers with guidance on securing the software supply chain.