October 11, 2023 at 10:07AM
Several US government agencies, including CISA, the FBI, the NSA, and the US Department of Treasury, have jointly released new cybersecurity guidance for using open source software (OSS) in operational technology (OT). The guidance aims to promote understanding, implementation, and best practices for the secure use of OSS in industrial control systems (ICS) and other OT environments, addressing vulnerabilities, patching, and supply chain risks.
The guidance, authored by CISA, the FBI, the NSA, and the US Department of Treasury, focuses on recommendations for supporting OSS development, patching vulnerabilities, and using Cross-Sector Cybersecurity Performance Goals (CPGs) to adopt security best practices. The document emphasizes the security concerns shared by OSS and OT systems, such as vulnerabilities in libraries and components, lack of commercial support, and insufficient documentation prior to implementation.
To address threats to OT systems, the guidance suggests keeping all OT and IT systems up to date with patches and security updates. However, the guidance notes that applying patches in OT can be challenging, because a patch may affect other software running in the environment. It therefore recommends implementing 'secure-by-design' and 'secure-by-default' approaches to minimize risk in OT.
The US agencies also highlight the importance of transparency and verifiability in supply chain risk management, as threat actors may exploit software updates to target the OT supply chain and replace legitimate patches with malicious payloads. They stress the need for a reliable software supply chain for OT systems with OSS components to ensure proper vetting and acquisition of OSS.
In addition, the agencies suggest that the OT/ICS industry should support OSS projects, enhance vulnerability management and reporting processes, implement patch deployment processes, improve authentication and authorization policies, and establish a common framework for using OSS.
The new guidance was published alongside the Securing OSS in OT web page, which provides details on the Joint Cyber Defense Collaborative (JCDC) OSS planning initiative. The initiative aims to enhance collaboration between the public and private sectors, including the OSS community, to strengthen defense against OT/ICS cyber threats.
OT/ICS organizations are encouraged to review the new guidance and implement the recommendations. This guidance follows the previous release of the Securing Software Supply Chain Series, which provided guidance on securing the software supply chain for developers, software suppliers, and customers.
Related resources mentioned in the meeting notes include the CISA identity and access management guidance, the US implementation plan for the national cybersecurity strategy, and a call for critical infrastructure organizations to identify risky communications equipment.