The US government, in collaboration with several of its agencies, has released new recommendations for the use of open source software (OSS) in critical infrastructure facilities and operational technology (OT) organizations [2] [3]. The guidance aims to promote understanding of, and best practices for, securing OSS in OT and industrial control system (ICS) environments [1].
Description
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and the US Department of the Treasury have jointly published new recommendations for the use of open source software (OSS) in critical infrastructure facilities and operational technology (OT) organizations [1] [2] [3] [4] [5] [6] [7]. The guidance aims to promote understanding of, and best practices for, securing OSS in OT and ICS environments.
The guidance highlights the challenges of integrating and patching OSS in OT environments, as well as the increasing exposure to cyber threats as OT and information technology (IT) networks become more interconnected [1]. It provides recommendations for improving OSS security, including supporting OSS development and maintenance, patch management, authorization and authentication policies, and establishing common frameworks [1] [3] [5] [6] [7]. It also encourages the adoption of “secure-by-design” and “secure-by-default” principles to reduce cybersecurity risk in OT environments [1].
To better manage the risks of OSS use in OT/ICS environments, the guidance emphasizes robust authentication processes, regular patch management, and the establishment of an open source program office (OSPO) to oversee security and maintain a software asset inventory [3]. The guidance is part of the Joint Cyber Defense Collaborative’s (JCDC) efforts to enhance public-private collaboration and aligns with the National Cyber Strategy [6].
All organizations are encouraged to review the joint fact sheet and visit CISA’s webpage for more information on securing open source software in OT [6]. The guidance complements CISA’s Open Source Software Security Roadmap and is aimed at senior leadership and operations personnel. It outlines best practices for the secure use of OSS in OT environments while recognizing the benefits of OSS in enabling innovation and collaboration [5]. The fact sheet’s recommendations for improving OSS security cover vendor support, vulnerability management, patch management, authentication and authorization policies, and cybersecurity frameworks [1] [3] [5] [6]. CISA has also released a roadmap with four key priorities for securing the open source software ecosystem [5].
CISA, the FBI, the NSA and the US Department of the Treasury have released guidance on improving the security of OSS in OT and ICS [1] [2] [3] [4] [5] [6] [7]. The guidance includes the Securing OSS in OT web page, which outlines the JCDC OSS planning initiative [4] [7]. This initiative aims to enhance collaboration between the public and private sectors, including the OSS community, to better understand and secure OSS use in OT/ICS [4]. CISA encourages OT/ICS organizations to review the guidance and implement its recommendations [4].
Conclusion
The release of this guidance by the US government and its agencies highlights the importance of securing open source software in OT and ICS environments. By following the recommended best practices, organizations can better protect their critical infrastructure from cyber threats. The emphasis on collaboration and the establishment of an open source program office demonstrates a proactive approach to addressing vulnerabilities and improving overall cybersecurity. It is crucial for organizations to review and implement the guidance to mitigate risks and ensure the secure use of open source software in operational technology.
References
[1] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3552309/nsa-and-us-agencies-issue-best-practices-for-open-source-software-in-operationa/
[2] https://www.infosecurity-magazine.com/news/us-govt-open-source-security/
[3] https://executivegov.com/2023/10/agencies-provide-guidance-on-open-source-software-security/
[4] https://www.waterisac.org/portal/cisa-fbi-nsa-and-treasury-release-guidance-oss-itics-environments
[5] https://fedscoop.com/cisa-releases-new-guidance-on-boosting-open-source-software-security/
[6] https://www.cisa.gov/news-events/news/cisa-government-and-industry-partners-publish-fact-sheet-organizations-using-open-source-software
[7] https://www.assurantcyber.com/blog/cisa-fbi-nsa-and-treasury-release-guidance-oss-itics-environments/