Digital vulnerabilities are being discovered at an alarming pace, so the call for a unified response to secure our technological infrastructure is more pressing than ever. This week, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and U.S. Department of the Treasury released guidance on Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS) to help organizations better manage the risk of OSS use in OT/ICS and increase resilience using available resources. The OpenSSF supports this effort, which underscores the crucial need to bolster the security of OSS, especially within OT and ICS.
Improving Security of OSS in OT / ICS Fact Sheet
Cyberattacks continually threaten critical infrastructure, where OT/ICS components are widely deployed, and OSS plays a central role in the OT/ICS ecosystem. The implications of breaches and vulnerabilities are vast, stretching beyond financial loss to potentially affecting human lives wherever connected infrastructure is involved. OSS resides in everything from satellites to cars, medical devices to ships, and water or electricity distribution systems. This reality amplifies the need for a thorough, comprehensive approach to cybersecurity in OT and ICS that addresses the particular challenges OSS presents there.
The guidance from CISA and partners aims to promote understanding and secure implementation of OSS in OT/ICS environments. It highlights best practices and approaches organizations can take to secure OSS in OT/ICS. Implementing these recommendations starts at the leadership level of an organization.
CISA, FBI, NSA, and the Department of the Treasury encourage OT and ICS providers to apply the tools and best practices defined in the guidance to address the issues surrounding OSS use. They also call on the OT/ICS industry to participate actively where OT/ICS has unique needs that these solutions must meet. Notable recommendations include:
Enhancing Vendor Support
The OpenSSF echoes the importance of supporting individuals and groups that develop and maintain critical open source projects. Every organization using OSS should support the OSS ecosystem and help elevate the security baseline through participation in maintaining OSS as digital public goods.
Maintainers of OSS packages that play an essential role in OT/ICS should consider applying for grant funding from programs like the Alpha-Omega Project, which supports adding security contributors or maintainers to OSS projects. These security-focused resources systematically find new, as-yet-undiscovered vulnerabilities in OSS code to improve software supply chain security.
OT and ICS providers should partner with existing open source foundations, like the OpenSSF, to pursue collaborative, community-led efforts to enhance the security of OSS packages bundled into their critical infrastructure systems.
Vendors and maintainers should also adopt existing tooling that measures security parameters of OSS projects and best practice guides for software development:
- Run OpenSSF Scorecard, which checks whether an OSS project follows current best practices, such as testing for security vulnerabilities before a release is published and exporting provenance metadata, to support end-to-end trust in the project’s supply chain.
- Follow the recommendations in the OpenSSF Best Practices Working Group’s Concise Guide for Developing More Secure Software.
Effective Vulnerability & Patch Management
Organizations are encouraged to reduce risk exposure by actively implementing vulnerability management, including vulnerable device detection, response, and vulnerability coordination. OT and ICS providers should consider adopting the OpenVEX specification, which is designed to be a minimal, compliant, interoperable, and embeddable implementation of the Vulnerability Exploitability eXchange (VEX) format.
Fixing vulnerabilities feeds into a patch management process, so understanding the unique constraints on patch deployment in OT/ICS environments (for example, devices that can only be updated during planned maintenance windows) is important. A comprehensive, regularly updated asset inventory can significantly aid in identifying both proprietary and open source components across diverse environments. A Software Bill of Materials (SBOM) provides an inventory of what is in use, making it easier to determine whether an OT or ICS device is affected by a vulnerability based on the enumerated list of OSS packages within that system. VEX then states whether a specific vulnerability actually impacts a product and, if it does, whether remedial action is needed. OpenVEX is designed to meet the requirements defined by the CISA SBOM and VEX efforts. As vulnerabilities affecting both IT and ICS become more prevalent in critical infrastructure, those providers must also produce SBOMs. OpenVEX complements an SBOM by telling users of a software product whether one or more vulnerability findings apply to it.
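To make the SBOM and VEX relationship above concrete, here is an added Python example; it is not code from the fact sheet, the OpenSSF or the OpenVEX project. It takes a constructed SBOM component list, a constructed vulnerability feed with placeholder CVE identifiers (CVE-0000-*, not real advisories), and a constructed OpenVEX document, and works out what an operator actually has to act on. The purls, the feed, the vendor name and the document contents are assumptions made for the example; the status values, the justification list, and the rules that not_affected needs a justification or impact statement, affected needs an action statement, and a later-timestamped statement supersedes an earlier one follow the OpenVEX specification.

```python
import json
from datetime import datetime

# Constructed SBOM fragment for a hypothetical controller firmware, reduced to the
# package URLs (purls) an SBOM enumerates. Not a real device's SBOM.
SBOM_PURLS = [
    "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=armhf",
    "pkg:deb/debian/zlib@1.2.11.dfsg-2?arch=armhf",
    "pkg:generic/libmodbus@3.1.6",
    "pkg:generic/busybox@1.35.0",
]
# Constructed vulnerability feed: CVE-0000-* are placeholders, not real advisories.
VULN_FEED = {"CVE-0000-0001": {"openssl"}, "CVE-0000-0002": {"zlib"}, "CVE-0000-0003": {"libmodbus"}}

# Constructed OpenVEX document (v0.2.0 schema) as a hypothetical vendor might publish
# beside the SBOM. The second zlib statement has a later timestamp and supersedes the first.
OPENVEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://vendor.example/vex/plc-firmware-2.4.1",
  "author": "Example Vendor PSIRT", "role": "Document Creator",
  "timestamp": "2023-10-11T09:00:00Z", "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=armhf"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "Firmware is built without the affected TLS feature."},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:deb/debian/zlib@1.2.11.dfsg-2?arch=armhf"}],
     "status": "affected", "action_statement": "Update to firmware 2.4.2 or later."},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:deb/debian/zlib@1.2.11.dfsg-2?arch=armhf"}],
     "status": "fixed", "timestamp": "2023-11-20T09:00:00Z"}
  ]
}
""")

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
VALID_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present", "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary", "inline_mitigations_already_exist",
}


def purl_name(purl):
    """Package name from pkg:type/namespace/name@version?qualifiers#subpath."""
    body = purl.split("pkg:", 1)[1].split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]
    return body.rsplit("/", 1)[-1]


def validate_statement(st):
    """Problems with a statement under the OpenVEX rules enforced here (empty list = OK)."""
    problems = []
    status = st.get("status")
    if status not in VALID_STATUSES:
        problems.append(f"unknown status {status!r}")
    if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
        problems.append("not_affected requires a justification or impact_statement")
    if st.get("justification") and st["justification"] not in VALID_JUSTIFICATIONS:
        problems.append(f"unknown justification {st['justification']!r}")
    if status == "affected" and not st.get("action_statement"):
        problems.append("affected requires an action_statement")
    return problems


def vex_index(doc):
    """Map (vulnerability, product purl) -> statement with the latest timestamp.
    A statement without its own timestamp inherits the document's."""
    index = {}
    for st in doc["statements"]:
        problems = validate_statement(st)
        if problems:
            raise ValueError(f"invalid statement for {st['vulnerability']['name']}: {problems}")
        when = datetime.fromisoformat(st.get("timestamp", doc["timestamp"]).replace("Z", "+00:00"))
        for product in st["products"]:
            key = (st["vulnerability"]["name"], product["@id"])
            if key not in index or when >= index[key][0]:
                index[key] = (when, st)
    return index


def triage(sbom_purls, vuln_feed, vex_doc):
    """Combine SBOM (what is present), feed (what is vulnerable) and VEX (what applies).
    Returns {(cve, purl): (status, detail)}; a vulnerable component with no VEX statement
    stays open as under_investigation instead of being silently dropped."""
    index = vex_index(vex_doc)
    findings = {}
    for purl in sbom_purls:
        for cve, names in vuln_feed.items():
            if purl_name(purl) not in names:
                continue
            hit = index.get((cve, purl))
            if hit is None:
                findings[(cve, purl)] = ("under_investigation", "no VEX statement; ask the vendor")
            else:
                st = hit[1]
                detail = st.get("action_statement") or st.get("justification") or st.get("impact_statement", "")
                findings[(cve, purl)] = (st["status"], detail)
    return findings


def needs_action(findings):
    """Findings the operator still has to act on, sorted for stable reporting."""
    return sorted(k for k, (status, _) in findings.items() if status in {"affected", "under_investigation"})
```

Calling `needs_action(triage(SBOM_PURLS, VULN_FEED, OPENVEX_DOC))` closes the OpenSSL finding as not_affected, reports the zlib finding as fixed because the later statement wins, and leaves the libmodbus finding open because the vendor has said nothing about it. That last case is the one an SBOM-only process tends to lose: presence in the SBOM plus silence from the vendor is a question for the vendor, not a closed ticket.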
Better Authentication and Authorization Policies
With cyberattacks becoming increasingly sophisticated, stronger protective controls such as multi-factor authentication (MFA) and secure-by-default approaches are essential. Secure source code management plays an important role in OT and ICS because the upstream code base is often modified to drastically reduce its size or strip superfluous functions given the hardware restrictions of OT and ICS devices. This makes source code management extremely important for OT and ICS providers, so that every divergence from upstream is tracked, provenance of the modified code is preserved, and the trimmed fork can still take upstream security fixes. This guide on Source Code Management Platform Configuration Best Practices may help organizations better manage and protect their critical infrastructure source code if they are using a code management platform.
Establishing a Common OSS Consumption Framework
Organizations with both IT and OT environments can establish a Common OSS Consumption Framework for consuming OSS across their infrastructure. Recommendations to build this framework include setting up Open Source Program Offices (OSPOs) and fostering safe and secure OSS consumption practices. Examples from the OpenSSF include:
- Adopt the Open Source Consumption Manifesto (OSCM) which encourages software organizations to take responsibility for their consumption of open source software (OSS) by focusing on activities with the greatest impact and providing a roadmap to implement supply chain security (SCS) best practices.
- Implement Supply-chain Levels for Software Artifacts (SLSA) which provides a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure.
- Utilize the Secure Supply Chain Consumption Framework (S2C2F) which is a security assurance and risk reduction process-oriented framework that is focused on securing how developers consume OSS.
OT and ICS organizations contributing OSS to the community should also adopt software signing capabilities like Sigstore to ensure the integrity of updates and software distribution across environments. In conjunction, Sigstore’s public transparency log and identity-based (keyless) signing provide an auditable, tamper-evident record of who signed which artifact, allowing OT/ICS systems to verify the authenticity of software updates and patches before applying them.
Organizations providing or implementing OT/ICS components should embrace the recommendations and best practices described in the CISA, FBI, NSA, and Department of the Treasury Fact Sheet (pdf). This guidance, developed collaboratively between the public and private sectors, is a step forward in safeguarding our critical infrastructure and ensuring a safer digital ecosystem for all. The OpenSSF firmly believes in the strength of partnership. The security of OSS, a digital public good, is a shared accountability across the public sector, the private sector, and the community. Consider joining the OpenSSF community in our Slack channel to join the conversation and contribute to our shared mission.