Agencies within the federal government are urging operators of critical infrastructure and organizations that use open-source software to focus more on security.

National authorities in the United States are examining the safety measures of key service suppliers, as these entities increasingly rely on interconnected systems.

Government bodies urge Original Equipment Manufacturers (OEMs) of Operational Technology (OT) and Industrial Control Systems (ICS) to enhance open-source security measures.

In the face of increasing threats to critical infrastructure, federal authorities and cybersecurity experts are emphasizing the need for improved security measures when it comes to the use of open-source software (OSS) in operational technology (OT) and industrial control systems (ICS).

Tony Baker, VP and chief product safety and security officer at Rockwell Automation, underscores the value that OSS provides to the industry, while also acknowledging the additional effort and investment required to maintain an open-source software portfolio.

According to Baker, critical infrastructure providers must be vigilant in their approach to OSS, understanding the products they deploy and their purchase locations to facilitate faster incident response. This is a sentiment echoed by Yiyi Miao, chief product officer at OPSWAT, who emphasizes the importance of maintaining an asset inventory for hardware, software, and firmware due to the potential multiple levels of exposure caused by OSS vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA), along with other federal agencies, has issued a call to strengthen the security of OSS used by critical infrastructure providers. The guidance encourages providers and vendors to support the development and maintenance of open-source software, and suggests several key practices to reduce risks associated with OSS.

One of these practices involves vetting and auditing open-source components to detect backdoors or insecure elements. Critical infrastructure owners should prioritize OSS with active maintenance and long-term support (LTS) options, ensuring known vulnerabilities are promptly patched so that published common vulnerabilities and exposures (CVEs) cannot be exploited against them.

The guidance also recommends implementing strong supply chain management, promoting funding and sustainability of critical OSS projects, adhering to compliance and regulatory frameworks, and developing internal or graduated support capabilities.

Kevin Kumpf, chief OT/ICS security strategist at Cyolo, notes that modern software development projects rarely lack OSS components. Therefore, it is crucial to maintain software bills of materials (SBOMs) to track OSS components, monitor end-of-life (EOL) statuses, and manage transitive dependencies to reduce cascading failures or breakages in complex cloud-native or ICS environments.
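As an added illustration of the SBOM practice described above (example code written for this page, not from CISA, Cyolo, or any vendor named here), the script below walks the dependency graph of a small SBOM, finds every component reachable from the product root, and flags the ones that are past end-of-life or carry a known advisory, together with the path through which they are pulled in and how many other components depend on them. The SBOM, the advisory identifiers and the EOL dates are all constructed for the example; the graph layout follows the CycloneDX convention of `components` with a `bom-ref` and `dependencies` with `ref`/`dependsOn` edges, but the package names are invented.

```python
"""Walk an SBOM dependency graph and flag transitive components that are
end-of-life or carry a known advisory. Added example; every package name,
advisory id and date below is constructed."""
import json
from collections import deque

# Constructed SBOM shaped like a CycloneDX dependency graph.
SBOM_JSON = """
{
  "components": [
    {"bom-ref": "pkg:generic/hmi-app@4.1.0",   "name": "hmi-app",      "version": "4.1.0"},
    {"bom-ref": "pkg:pypi/demo-web@3.0.0",     "name": "demo-web",     "version": "3.0.0"},
    {"bom-ref": "pkg:pypi/demo-log@0.9.0",     "name": "demo-log",     "version": "0.9.0"},
    {"bom-ref": "pkg:pypi/demo-parser@1.2.0",  "name": "demo-parser",  "version": "1.2.0"},
    {"bom-ref": "pkg:pypi/demo-runtime@2.0.0", "name": "demo-runtime", "version": "2.0.0"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/hmi-app@4.1.0",
     "dependsOn": ["pkg:pypi/demo-web@3.0.0", "pkg:pypi/demo-log@0.9.0"]},
    {"ref": "pkg:pypi/demo-web@3.0.0",     "dependsOn": ["pkg:pypi/demo-parser@1.2.0"]},
    {"ref": "pkg:pypi/demo-log@0.9.0",     "dependsOn": ["pkg:pypi/demo-runtime@2.0.0"]},
    {"ref": "pkg:pypi/demo-parser@1.2.0",  "dependsOn": ["pkg:pypi/demo-runtime@2.0.0"]},
    {"ref": "pkg:pypi/demo-runtime@2.0.0", "dependsOn": []}
  ]
}
"""
ROOT_REF = "pkg:generic/hmi-app@4.1.0"

# Constructed advisory and EOL data. In practice these come from a vulnerability
# feed and from the upstream projects' published support schedules.
KNOWN_ADVISORIES = {"pkg:pypi/demo-parser@1.2.0": ["EXAMPLE-ADV-0001"]}
EOL_DATES = {"pkg:pypi/demo-runtime@2.0.0": "2023-01-01"}


def build_graph(sbom):
    """Map each bom-ref to the refs it depends on directly."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def reachable(graph, root):
    """Breadth-first walk from root: ref -> (depth, shortest path from root)."""
    found = {}
    queue = deque([(root, 0, [root])])
    while queue:
        ref, depth, path = queue.popleft()
        for child in graph.get(ref, []):
            if child in found or child == root:
                continue  # already reached by a shorter path, or a cycle back to root
            found[child] = (depth + 1, path + [child])
            queue.append((child, depth + 1, path + [child]))
    return found


def dependents(graph):
    """Count how many components depend on each ref (blast radius of a break)."""
    counts = {}
    for children in graph.values():
        for child in children:
            counts[child] = counts.get(child, 0) + 1
    return counts


def audit(sbom_text, advisories, eol_dates, root):
    """Return findings for reachable components that are EOL or have an advisory."""
    sbom = json.loads(sbom_text)
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    graph = build_graph(sbom)
    counts = dependents(graph)
    findings = []
    for ref, (depth, path) in reachable(graph, root).items():
        advs, eol = advisories.get(ref, []), eol_dates.get(ref)
        if not advs and eol is None:
            continue
        findings.append({
            "ref": ref, "name": names.get(ref, ref), "depth": depth,
            "path": " > ".join(names.get(p, p) for p in path),
            "dependents": counts.get(ref, 0), "advisories": advs, "eol": eol,
        })
    return sorted(findings, key=lambda f: (f["depth"], f["ref"]))


if __name__ == "__main__":
    for f in audit(SBOM_JSON, KNOWN_ADVISORIES, EOL_DATES, ROOT_REF):
        print(f"{f['name']} (depth {f['depth']}, {f['dependents']} dependents): "
              f"advisories={f['advisories'] or '-'} eol={f['eol'] or '-'} via {f['path']}")
```

The `dependents` count is what makes transitive components worth tracking separately: `demo-runtime` is never declared by the product itself, yet two direct dependencies rely on it, so its end-of-life date affects both of them and the `path` field tells an operator which first-level component to take up with the vendor.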

The guidance further advises improving authentication and authorization policies by implementing multifactor authentication, avoiding hard-coded credentials and default passwords, and using accounts that uniquely identify individual users.

In summary, reducing OSS-related risks in OT and ICS sectors requires a combination of proactive security vetting, reliance on actively maintained and supported OSS, robust software supply chain management, investment in OSS sustainability, and adherence to evolving regulatory requirements. This approach mitigates vulnerabilities inherent in open source and enhances the resilience of critical infrastructure systems.

  1. To mitigate the risks associated with open-source software (OSS) in operational technology (OT) and industrial control systems (ICS), it is recommended that critical infrastructure providers facilitate faster incident response by understanding the products they deploy and their purchase locations, as emphasized by Tony Baker, VP and chief product safety and security officer at Rockwell Automation.
  2. Yiyi Miao, chief product officer at OPSWAT, has emphasized the importance of maintaining an asset inventory for hardware, software, and firmware due to the potential multiple levels of exposure caused by OSS vulnerabilities, and suggested prioritizing OSS with active maintenance and long-term support (LTS) options to ensure known vulnerabilities are promptly patched.
  3. In order to reduce risks associated with OSS, the Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance that includes vetting and auditing open-source components to detect backdoors or insecure elements, implementing strong supply chain management, adhering to compliance and regulatory frameworks, and developing internal or graduated support capabilities.