US security agencies focus on improving security of open source software in OT, ICS environments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and U.S. Department of the Treasury released Tuesday new guidance for senior leadership and operations personnel at operational technology (OT) vendors and critical infrastructure facilities. This fact sheet will assist with better management of risk from open source software (OSS) use in OT products and increase resilience using available resources.

Titled ‘Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS),’ the fact sheet was developed in collaboration with industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of the 2023 OSS planning initiative. The guidance is intended to promote an improved understanding of OSS and to highlight best practices and considerations for its secure use in OT/ICS environments.

The fact sheet aims to promote the understanding of OSS and its implementation in OT and ICS environments and highlight best practices and considerations for the secure use of OSS in OT. “While several resources and recommendations within this fact sheet are best suited for execution by the vendor or the critical infrastructure owner, collaboration across parties will result in less friction for operator workflows and promote a safer, more reliable system and provision of National Critical Functions,” it added.

The ongoing planning and collaborative effort of CISA and its JCDC initiative supports specific objectives in the National Cyber Strategy to scale public-private collaboration, the Office of National Cyber Director Open-Source Software Security Initiative (OS3I) and complements the CISA Open Source Software Security Roadmap to drive adoption of the ‘most impactful’ security and development of OSS. 

The JCDC OSS planning initiative is part of the 2023 Planning Agenda, a forward-looking effort that brings together government and the private sector to develop and execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration.

This year, CISA’s JCDC initiated a collaborative planning effort to support the awareness, security, and cyber resiliency of OSS in critical infrastructure OT. This effort is one of the priority initiatives within the JCDC 2023 Planning Agenda, which consists of contributions from JCDC participants, including industry partners and representatives from OSS foundations.

Consistent with JCDC’s approach to bringing together public and private partners in development of joint cyber defense plans, this fact sheet benefitted from input by industry contributors, including Accenture, Claroty, Dragos, Fortinet, Google, Honeywell, Microsoft, Nozomi Networks, NumFOCUS, OpenSSF / Linux Foundation, Rockwell Automation, Rust Foundation, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem. 

“Organizations can reference the Securing Open Source Software in Operational Technology web page for an overview of the OSS planning initiative, goals, and additional deliverables,” the fact sheet identified. “CISA recognizes the benefits of open source software in enabling software developers to work at an accelerated pace and fostering significant innovation and collaboration. With these benefits in mind, this planning effort complements the CISA Open Source Software Security Roadmap, which defines how CISA will work to enable the secure use and development of open source software, both within and outside of the federal government.” 

“Our JCDC planning effort brought together diverse stakeholders across the cybersecurity ecosystem to understand systemic risks in OSS affecting OT/ICS environments and develop shared, actionable solutions,” Clayton Romans, CISA’s associate director, said in a media statement. “Our work to produce timely, relevant products is dependent on trusted collaboration with our partners. This guidance is another positive outcome of our partnership with the OSS community, industry and interagency partners that contributed their time and effort.” 

Romans added that, “we are confident that this ongoing public-private collaboration to support the OSS ecosystem will continue to grow and help further reduce risk to our nation’s critical infrastructure.”

The fact sheet provides recommendations for improving the security of OSS in OT/ICS, starting at the senior leadership level of an organization. Best practice resources are also provided as considerations when addressing cybersecurity concerns pertaining to OSS in OT devices and ICS environments. 

The document encourages organizations “to review the National Institute of Standards and Technology (NIST) Guide to ICS Security for further guidance. The OT/ICS industry is encouraged to apply the below tools and best practices to address general problems surrounding the use of OSS, as well as to actively participate in instances where there are unique needs for these solutions.”

The recommendations provided in the guidance start at the senior leadership level of an organization and cover areas such as vendor support of OSS development and maintenance, including participating in OSS and grant programs, partnering with existing OSS foundations, and supporting the adoption of security tools and best practices in the software development lifecycle. They also include managing vulnerabilities, reducing risk exposure by requesting no-cost cyber hygiene services, and participating in vulnerability coordination by using available guidance and resources.

The document also covers patch management, including promoting a ‘unique’ understanding of the patch deployment process for OT/ICS environments and maintaining a comprehensive updated asset inventory to best identify software and hardware products, as well as open source components in both IT and OT environments. 

It also addresses improving authentication and authorization policies, including using accounts that uniquely and verifiably identify individual users, implementing multi-factor authentication (MFA), and combining secure-by-default practices with least privilege.

Within ICS, authentication and authorization practices can be improved by using accounts that uniquely and verifiably identify individual users. For instance, OT products that leverage service accounts should use role-based access control (RBAC) or a similar approach, avoid the use of hard-coded credentials, default passwords, and weak configurations, and implement MFA (when applicable). The fact sheet also suggests using centralized user management solutions (e.g., Lightweight Directory Access Protocol [LDAP], Active Directory [AD]), which can streamline account management and improve traceability. This should be weighed against availability requirements.
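To show how the RBAC, no-default-credentials and centralized-directory recommendations above fit together with the availability caveat, here is an added illustration in Python; it is not code from the fact sheet or from any vendor. The role table, the default-credential list, the `OT_SERVICE_SECRET` variable name and the directory lookup callable are all constructed assumptions; a real deployment would back `lookup_roles` with an LDAP/AD query.

```python
import os
import time

# Constructed role -> permission table for a hypothetical OT product.
ROLE_PERMISSIONS = {
    "viewer": {"read_tags"},
    "operator": {"read_tags", "write_setpoint"},
    "engineer": {"read_tags", "write_setpoint", "deploy_logic"},
}

# Constructed list of factory-default credentials that must never be accepted.
KNOWN_DEFAULTS = {("admin", "admin"), ("plc", "password")}


def validate_service_credentials(user, secret=None):
    """Reject missing, hard-coded or default credentials at start-up.
    The secret is expected from the environment (OT_SERVICE_SECRET), not source code."""
    secret = secret if secret is not None else os.environ.get("OT_SERVICE_SECRET")
    if not secret:
        raise ValueError("no credential supplied; set OT_SERVICE_SECRET")
    if (user, secret) in KNOWN_DEFAULTS:
        raise ValueError("factory-default credential in use; rotate before deployment")
    return True


class DirectoryUnavailable(Exception):
    """Raised by the role lookup when the central directory cannot be reached."""


class RbacAuthorizer:
    """Per-user RBAC backed by a central directory, with a short-lived cache so a
    directory outage does not immediately stop operations (the availability trade-off)."""

    def __init__(self, lookup_roles, cache_ttl=300):
        self._lookup = lookup_roles   # callable(user) -> iterable of role names
        self._cache = {}              # user -> (roles, fetched_at)
        self._ttl = cache_ttl         # seconds a cached role set may be served

    def roles_for(self, user, now=None):
        now = time.time() if now is None else now
        try:
            roles = set(self._lookup(user))
            self._cache[user] = (roles, now)
            return roles
        except DirectoryUnavailable:
            cached = self._cache.get(user)
            if cached and now - cached[1] <= self._ttl:
                return cached[0]      # serve recently fetched roles during an outage
            return set()              # cache stale or user unknown: fail closed

    def is_allowed(self, user, action, now=None):
        roles = self.roles_for(user, now)
        perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
        return action in perms
```

The cache TTL is the knob that expresses the availability requirement: a longer TTL keeps operators working through a longer directory outage at the cost of honoring role revocations later.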

The fact sheet also recommends establishing a common framework, to develop and support an open source program office, support safe and secure open source consumption practices, and maintain a software asset inventory. CISA has developed a performance-based checklist of key organizational cybersecurity goals, which are applicable to mixed IT/ICS network environments. Developed from NIST’s Cybersecurity Framework (CSF), the CISA Cross-Sector Cybersecurity Performance Goals (CPGs) describe network segmentation, vulnerability patching, and software assurance goals organizations should strive to meet, irrespective of OSS involvement in a given system.

In August, CISA released the JCDC remote monitoring and management (RMM) Cyber Defense Plan. Providing a roadmap to address systemic risks by advancing the security and resilience of the RMM ecosystem, the plan covers RMM vendors, managed service providers (MSPs), managed security service providers (MSSPs), small and medium-sized businesses (SMBs), and critical infrastructure operators.
