The US government has issued guidance on securing open-source software (OSS) in operational technology (OT) critical infrastructure environments.
The joint advisory, published by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and US Department of the Treasury, is designed to help senior leadership and operations personnel at OT and industrial control systems (ICS) better manage risk from OSS use.
The document outlined the heightened consequences of cyber incidents in critical infrastructure organizations due to the associated life-safety implications.
Additionally, the agencies noted that basic cyber hygiene practices, such as updating software in IT systems when a patch is available, due to the potential adverse effects on other dependent software and operational risks.
Patching OSS in these environments is particularly challenging as it is difficult to know whether certain software modules, and their associated vulnerabilities, are present and/or exploitable.
How to Enhance Open-Source Security in Critical Infrastructure
The US government therefore set out a range of recommendations to improve the security of OSS in OT/ICS, advocating a secure-by-design approach:
- Vendor support of OSS development and maintenance. The guidance noted that OSS is often developed and maintained by volunteers. Therefore, every organization using OSS should support this ecosystem by taking steps like participating in OSS and grant programs, partnering with existing OSS foundations and pursuing collaborative efforts, and supporting the adoption of security tools and best practices in the software development lifecycle.
- Manage vulnerabilities. As OSS and OT have unique characteristics, the agencies advised utilizing common vulnerability identifiers to simplify vulnerability management. These include CISA Cyber Hygiene services to enable additional review of organizations’ internet-accessible assets, and vulnerability coordination guidance, such as establishing a Coordinated Vulnerability Disclosure (CVD) program and reporting flaws to the relevant developer.
- Patch management. Restarting an OT system to apply a patch may have large business or operational costs, requiring a unique approach to patch deployment. ICS vendors are encouraged to streamline software development processes with customers, removing the complexity of scheduling maintenance windows. Additionally, OT and ICS organizations should maintain an updated asset inventory and identify vulnerabilities that need to patched based on this information.
- Improve Authentication and Authorization Policies. The guidance noted that these controls can be difficult to correctly implement in OT environments. Authentication and authorization practices can be enhanced through steps such as using accounts that uniquely and verifiably identify individual users, avoiding use of hard-coded credentials, default passwords and weak configurations, and implementing centralized user management solutions.
- Establish a Common Framework. The agencies provided a range of recommendations for establishing a culture that addresses safety and cybersecurity concerns for critical systems. This includes developing and supporting an Open Source Program Office (OSPO) and building a targeted list of OT/ICS-specific requirements that constitutes what makes a product minimally and viably secure.
Protecting US Critical Infrastructure
The guidance forms part of wider efforts of the US government to enhance software supply chain security and strengthening the resiliency of critical national infrastructure, as set out in its National Cybersecurity Strategy published earlier this year.
Clayton Romans, CISA Associate Director, commented: “This guidance is another positive outcome of our partnership with the OSS community, industry and interagency partners that contributed their time and effort. We are confident that this ongoing public-private collaboration to support the OSS ecosystem will continue to grow and help further reduce risk to our nation’s critical infrastructure.”