The US government is supplying guidance on securing open-source software in operational technology critical infrastructure environments.
As InfoSecurity reports, the guidance sets out a range of recommendations to improve the security of OSS in OT/ICS environments, advocating a secure-by-design approach:
- Vendor support of OSS development and maintenance. The guidance noted that OSS is often developed and maintained by volunteers. Therefore, every organization using OSS should support this ecosystem by taking steps like participating in OSS and grant programs, partnering with existing OSS foundations and pursuing collaborative efforts, and supporting the adoption of security tools and best practices in the software development lifecycle.
- Manage vulnerabilities. Because OSS and OT each have characteristics that complicate vulnerability management, the agencies advised using common vulnerability identifiers to simplify it. Further recommendations include CISA's Cyber Hygiene services, which provide additional review of an organization's internet-accessible assets, and vulnerability coordination guidance, such as establishing a Coordinated Vulnerability Disclosure (CVD) program and reporting flaws to the relevant developer.
- Patch management. Restarting an OT system to apply a patch can carry large business or operational costs, so patch deployment requires a different approach from the one used in IT. ICS vendors are encouraged to streamline their software development processes with customers so that scheduling maintenance windows becomes less complex. OT and ICS organizations should also maintain an up-to-date asset inventory and use it to identify which vulnerabilities need to be patched.
- Improve Authentication and Authorization Policies. The guidance noted that these controls can be difficult to implement correctly in OT environments. Authentication and authorization can be strengthened by using accounts that uniquely and verifiably identify individual users, avoiding hard-coded credentials, default passwords and weak configurations, and implementing centralized user management solutions.
- Establish a Common Framework. The agencies provided a range of recommendations for establishing a culture that addresses safety and cybersecurity concerns for critical systems. This includes developing and supporting an Open Source Program Office (OSPO) and building a targeted list of OT/ICS-specific requirements that constitutes what makes a product minimally and viably secure.
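The vulnerability-management and patch-management items above amount to one procedure: keep an inventory of what is deployed, key advisories by a common identifier, and derive the patch list from the inventory rather than from ad-hoc scanning of live control systems. The following Python is an added example of that matching step; it is not code from the guidance or from the InfoSecurity article. All asset records, product names and advisory entries are constructed placeholders (the `CVE-0000-*` identifiers are not real CVEs), and the version-range semantics (first affected version inclusive, first fixed version exclusive) are an assumption chosen for the example.

```python
"""Added example: derive OT patch candidates from an asset inventory.

Not part of the original guidance. Every asset, product and advisory below is
constructed for illustration; CVE-0000-* identifiers are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class Asset:
    asset_id: str
    product: str
    version: str
    zone: str  # e.g. "L1" (basic control) vs "L3" (site ops), used to prioritise


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    introduced: str            # first affected version (inclusive), assumed semantics
    fixed: Optional[str]       # first fixed version (exclusive); None = no fix yet

    def __post_init__(self) -> None:
        # Keep the inventory keyed by a common identifier, as the guidance advises.
        if not CVE_ID.fullmatch(self.cve_id):
            raise ValueError(f"not a CVE identifier: {self.cve_id!r}")


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, str]]:
    """Turn '2.10.3-rc1' into a comparable key.

    Numeric components compare numerically (so 2.10 > 2.9), short versions are
    padded (so 2.10 == 2.10.0), and a pre-release tag sorts before the plain
    release (so 5.0.0-rc1 < 5.0.0). Anything else is rejected rather than guessed.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+]([0-9A-Za-z.]+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    pre = m.group(2)
    return nums, ((0, pre) if pre else (1, ""))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """True if the asset's product/version falls in the advisory's affected range."""
    if asset.product.lower() != adv.product.lower():
        return False
    v = parse_version(asset.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def patch_candidates(
    assets: List[Asset], advisories: List[Advisory]
) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Map asset_id -> [(cve_id, fixed_version)] for every asset with a match.

    A fixed_version of None means no patch exists yet: in OT that asset needs a
    compensating control and tracking, not a maintenance window.
    """
    out: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for a in assets:
        hits = sorted((adv.cve_id, adv.fixed) for adv in advisories if is_affected(a, adv))
        if hits:
            out[a.asset_id] = hits
    return out


# Constructed sample inventory and advisories (placeholders, not real products/CVEs).
ASSETS = [
    Asset("hmi-01", "ExampleHMI", "3.2.1", "L2"),
    Asset("plc-07", "ExampleRuntime", "2.10", "L1"),
    Asset("plc-08", "ExampleRuntime", "2.11.0", "L1"),
    Asset("hist-01", "ExampleHistorian", "5.0.0-rc1", "L3"),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "ExampleHMI", "3.0.0", "3.2.2"),
    Advisory("CVE-0000-0002", "ExampleRuntime", "2.0", "2.11.0"),
    Advisory("CVE-0000-0003", "ExampleHistorian", "4.9.0", None),
    Advisory("CVE-0000-0004", "ExampleHMI", "3.2.2", "3.3.0"),
]

if __name__ == "__main__":
    for asset_id, hits in patch_candidates(ASSETS, ADVISORIES).items():
        for cve, fixed in hits:
            action = f"patch to {fixed}" if fixed else "no fix yet: mitigate and track"
            print(f"{asset_id}: {cve} -> {action}")
```

The version parser is deliberately strict: an inventory entry whose version string cannot be parsed raises instead of silently comparing wrong, because a false "not affected" on a controller is the failure mode you least want. The output separates assets that can be scheduled into a maintenance window from those with no fix available, which is the distinction an OT patch plan has to make.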