CyberSecurity SEE

Meeting CISA’s Memory Safety Mandate: How OT Software Buyers and Manufacturers Can Play Their Part

CISA, the Cybersecurity and Infrastructure Security Agency, has been actively promoting the adoption of Secure by Design principles by software manufacturers to enhance security in operational technology (OT) systems. One of the key focus areas highlighted by CISA is the importance of addressing memory safety vulnerabilities in software products, especially within the OT sector where critical infrastructure is at risk of cyber attacks.

Memory safety vulnerabilities have been identified as common and high-risk weaknesses in software. Recent cyber attacks such as the Volt Typhoon campaign targeting critical infrastructure have underscored the severity of these vulnerabilities. In 2021, a memory corruption flaw was discovered in programmable logic controllers that could allow remote code execution and disrupt industrial processes. Given the significant impact that memory vulnerabilities can have on the security and reliability of OT systems, CISA has emphasized the need for software buyers to be proactive in addressing these risks.

To assist software buyers in engaging with their suppliers on memory safety, CISA has issued guidance on the importance of memory safety roadmaps. The agency recommends that software manufacturers develop and publish memory safety roadmaps by January 1, 2026, for existing products written in memory-unsafe languages. This deadline provides a clear timeline for discussions between buyers and suppliers regarding the mitigation of memory-based vulnerabilities.

When interacting with software manufacturers, there are several key areas that software buyers should consider in evaluating memory safety roadmaps. These include vulnerability assessments, remediation strategies, product lifecycle planning, and collaboration and communication efforts.

For vulnerability assessments, suppliers should have processes in place to identify and prioritize memory-based vulnerabilities within their product portfolio. A Software Bill of Materials (SBOM) can aid in this process, especially when the software supply chain involves multiple parties. Once vulnerabilities are identified, manufacturers should formulate remediation strategies that focus on high-exposure systems where an attack would have high potential consequences. Discussions with suppliers should cover plans for addressing vulnerabilities, including potentially rewriting legacy code in memory-safe languages like Rust.

Moreover, understanding how suppliers integrate memory safety considerations into their product lifecycle planning is crucial. New products or those undergoing architectural changes present opportunities to incorporate memory-safe languages and deploy software memory protection. Effective collaboration and communication between buyers and suppliers are essential for sustained memory safety efforts, including regular updates and progress transparency.

By working together, software buyers and manufacturers can align with CISA’s memory safety mandate and strengthen the security and resilience of critical OT systems. Proactive engagement on memory safety issues is vital in today’s threat landscape, ensuring that critical systems are protected against memory-based attacks.
