The Cybersecurity and Infrastructure Security Agency (CISA) published new guidance today to improve security and risk management of open source software (OSS) use at operational technology (OT) vendors and critical infrastructure facilities.

“Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS),” was developed in collaboration with the FBI, National Security Agency, and the Treasury Department as well as additional government and industry partners through CISA’s Joint Cyber Defense Collaborative (JCDC).

“Critical infrastructure organizations using OT/ICS face heightened cybersecurity and safety concerns due to the potentially far-reaching impacts of incidents and associated life safety implications, particularly to connected infrastructure,” the joint fact sheet reads. “Applying generally applicable cyber hygiene practices, such as routinely updating software, can be challenging for organizations using OSS in OT and ICS applications.”

This guidance – released as part of JCDC’s 2023 OSS planning initiative – is intended to promote an improved understanding of and highlight best practices and considerations for the secure use of OSS in OT/ICS environments.

“Our JCDC planning effort brought together diverse stakeholders across the cybersecurity ecosystem to understand systemic risks in OSS affecting OT/ICS environments and develop shared, actionable solutions,” said CISA Associate Director Clayton Romans.

The agencies' new guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, including the software supply chain, and to increase resilience using available resources.

The fact sheet offered more than 15 recommendations, covering areas such as:

  • Vendor support of OSS development and maintenance, to include participating in OSS and grant programs, partnering with existing OSS foundations, and supporting the adoption of security tools and best practices in the software development lifecycle;
  • Vulnerability management, to include reducing risk exposure by requesting no-cost cyber hygiene services and participating in vulnerability coordination using available guidance and resources;
  • Patch management, to include promoting understanding of the unique patch deployment process for OT/ICS environments and maintaining a comprehensive, updated asset inventory to best identify software and hardware products, as well as open source components, in both IT and OT environments;
  • Improved authentication and authorization policies, to include using accounts that uniquely and verifiably identify individual users, implementing multifactor authentication, and combining secure-by-default practices with least privilege; and
  • Establishing a common framework, to include developing and supporting an open source program office, supporting safe and secure open source consumption practices, and maintaining a software asset inventory.

JCDC’s guidance released today complements CISA’s recently unveiled Open Source Software Security Roadmap, which is intended to drive adoption of the most impactful security practices in the development of OSS.

The agencies are also calling on organizations to visit CISA’s new webpage, Securing Open Source Software in Operational Technology, for more information.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.