CISA, the FBI, the NSA, and the Department of the Treasury have joined forces to release comprehensive guidance on improving the security of open-source software (OSS) for operational technology (OT) and industrial control systems (ICS). The guidance aims to provide recommendations for supporting OSS development and maintenance, managing and patching vulnerabilities in OT/ICS environments, and adopting key cybersecurity best practices using the Cross-Sector Cybersecurity Performance Goals (CPGs) as a common framework.
This guidance, which emerged from a public-private partnership, was developed in consultation with several industry leaders, including Accenture, Claroty, Dragos, Fortinet, Google, Honeywell, Microsoft, Nozomi Networks, NumFOCUS, the OpenSSF / Linux Foundation, Rockwell Automation, the Rust Foundation, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem. These stakeholders contributed their vast experience in information technology, operational technology, industrial control systems, cybersecurity, software design, and risk management.
One of the guiding principles of the recommendations is to prioritize safety. This is crucial because any incident involving an ICS can have physical, real-world consequences that may result in unsafe conditions. To address this concern, the guidance emphasizes the importance of implementing graceful degradation and fail-safe designs. Fail-safe designs ensure that if a system fails, it does so in a safe condition rather than a dangerous one.
The document also highlights the differences between IT and OT and acknowledges that applying common best practices for securing IT systems to OT systems is not always straightforward. For example, patching, which is considered a fundamental best practice in IT, becomes more complex when it comes to OT systems due to their intricate dependencies, legacy systems, and the criticality of system availability. The recommendations recognize the convergence between OT and IT, especially in the context of open-source software.
CISA and its partners recommend embracing secure-by-design and secure-by-default development practices, which can be challenging, particularly in the case of open-source software. Integrating open-source software into OT products in various ways can make it difficult to identify potential vulnerabilities. Additionally, the stringent uptime requirements for OT environments can hinder the timely application of patches and the inclusion of new variables into production environments.
To effectively manage open-source risks, the guidance focuses on transparency and verifiability. Transparency covers asset management: knowing what software each asset contains (using a Software Bill of Materials, or SBOM), understanding the supplier's process for updating firmware and software, and verifying the authenticity of software and its developers. Verifiability encompasses user identity and access restrictions, data integrity, assurance that software functions as specified, and overall system security.
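The transparency side of that paragraph comes down to two concrete checks an asset owner can run: what does the SBOM say is on this device, and do the installed bytes actually match what the SBOM declares? The following is an added example, not code from the article or from the CISA fact sheet; it assumes a CycloneDX-style JSON layout (`components` with `name`, `version` and `hashes`) and uses constructed component names, versions and image bytes rather than any real vendor SBOM. It reports the four outcomes a practitioner cares about: verified, hash mismatch, listed but unverifiable (no hash supplied), listed but not installed, plus installed software the SBOM never mentions.

```python
"""Added example (not from the CISA fact sheet or this article): read a
constructed CycloneDX-style SBOM to answer "what software is on this asset?"
and check each component's declared SHA-256 against the installed bytes, so
authenticity is verified rather than assumed."""
import hashlib
import json

# Constructed stand-ins for files installed on an OT asset (name -> bytes).
INSTALLED = {
    "example-parser": b"constructed image bytes for example-parser 2.1.0\n",
    "example-crypto": b"constructed image bytes for example-crypto 0.9.3\n",
    "legacy-driver": b"constructed image bytes for legacy-driver 1.0\n",
    "unlisted-tool": b"constructed image bytes for a tool the SBOM omits\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_sbom() -> dict:
    """Constructed SBOM in CycloneDX JSON layout. Hashes are derived from the
    constructed bytes above, except where a defect is planted on purpose."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-parser", "version": "2.1.0",
             "purl": "pkg:generic/example-parser@2.1.0",
             "hashes": [{"alg": "SHA-256",
                         "content": sha256_hex(INSTALLED["example-parser"])}]},
            # Declared hash does not match the installed bytes: a substituted
            # or tampered artifact, or simply a stale SBOM. Either way, stop.
            {"type": "library", "name": "example-crypto", "version": "0.9.3",
             "purl": "pkg:generic/example-crypto@0.9.3",
             "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
            # No hash supplied: inventory knows it exists but cannot verify it.
            {"type": "library", "name": "legacy-driver", "version": "1.0"},
            # Listed in the SBOM but absent from the device.
            {"type": "library", "name": "phantom-lib", "version": "3.2",
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"never shipped")}]},
        ],
    }


def inventory(sbom: dict) -> list[tuple[str, str]]:
    """Asset transparency: the components the SBOM claims are present."""
    return [(c["name"], c.get("version", "unknown"))
            for c in sbom.get("components", [])]


def verify_components(sbom: dict, installed: dict[str, bytes]) -> dict[str, str]:
    """Compare each component's declared SHA-256 with the installed bytes.

    Returns {name: status} where status is one of
    verified / mismatch / unverifiable / not-installed / undeclared."""
    results: dict[str, str] = {}
    for comp in sbom.get("components", []):
        name = comp["name"]
        declared = {h["content"].lower() for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"}
        if name not in installed:
            results[name] = "not-installed"
        elif not declared:
            results[name] = "unverifiable"
        elif sha256_hex(installed[name]) in declared:
            results[name] = "verified"
        else:
            results[name] = "mismatch"
    # Software present on the asset but missing from the SBOM is an
    # inventory gap: it cannot be patched or tracked if nobody knows it exists.
    for name in installed:
        results.setdefault(name, "undeclared")
    return results


def release_gate(results: dict[str, str]) -> bool:
    """Policy for this example: a mismatch or undeclared component blocks
    deployment; unverifiable and not-installed entries are flagged for the
    supplier but do not block on their own."""
    return not any(s in ("mismatch", "undeclared") for s in results.values())


if __name__ == "__main__":
    sbom = json.loads(json.dumps(build_sample_sbom()))  # round-trip as real JSON
    for name, version in inventory(sbom):
        print(f"declared: {name} {version}")
    report = verify_components(sbom, INSTALLED)
    for name, status in sorted(report.items()):
        print(f"{status:>14}  {name}")
    print("deployment allowed:", release_gate(report))
```

The blocking policy in `release_gate` is the example's own choice; in a real OT change process the "unverifiable" and "not-installed" cases would feed back to the supplier as SBOM quality issues rather than being silently accepted.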
The industry has responded positively to these OT open-source security guidelines. Avishai Avivi, CISO at SafeBreach, commended CISA and its partners for their initiatives. He believes that the fact sheet offers an open and supportive approach to OSS in OT and ICS. The guidelines aim to improve the security reputation of open-source software, which has historically been viewed negatively due to concerns about freely accessible source code, potential vulnerabilities, long-term support, untracked dependencies, and licensing risks.
Avivi identifies two critical security advantages of open-source software. First, vulnerabilities are more easily detected, reported, and remediated due to the accessibility of the source code. Second, it is more challenging for malicious actors to sneak in bad code. The fact sheet not only allows but also recommends that vendors actively support OSS initiatives. This support enables rapid patching of security vulnerabilities and ensures that OT/ICS considerations are incorporated into the design and releases of OSS tools and libraries.
The guidelines also reflect the widespread adoption of open-source software. Tom Marsland, VP of Technology at Cloud Range and Board Chairman of VetSec, states that open-source software forms the foundation of many major products. With estimates suggesting that Free and Open Source Software makes up 70-90% of any modern software solution, collaboration between the U.S. Federal Government and industry partners is crucial for enhancing OSS security. Vulnerabilities like Log4Shell and the recent HTTP/2 Rapid Reset vulnerability highlight the urgent need for a quick response and a collective effort to secure open-source software and make the internet and software safer for all.
In conclusion, the joint release of comprehensive guidance on improving the security of OSS for OT and ICS systems demonstrates the commitment of government agencies and industry stakeholders to address the unique cybersecurity challenges in these domains. By prioritizing safety, acknowledging the differences between IT and OT, promoting secure-by-design practices, and emphasizing transparency and verifiability, this guidance aims to enhance the security of open-source software and its role in critical infrastructure. The positive reception from industry experts underscores the importance of collaboration and a pragmatic approach to cybersecurity in our rapidly evolving digital landscape.