Federal authorities are trying to strengthen the security of open-source software used by critical infrastructure providers in a bid to improve risk management, particularly across operational technology and industrial control system vendors.
Critical infrastructure providers have faced heightened risks of malicious attack in recent years, both from nation-state threat actors and criminal ransomware groups, the Cybersecurity and Infrastructure Security Agency and other federal agencies said Tuesday in an open-source security guide.
As critical infrastructure providers become more dependent on connected infrastructure, software vulnerabilities and other security risks increase the threat of critical supply chain disruptions that can impact key industries.
The guidance, created alongside the Joint Cyber Defense Collaborative, calls on critical infrastructure providers and vendors to develop key initiatives designed to reduce overall risk, including:
- Vendor support of OSS development and maintenance: Open source software is often developed by unpaid volunteers; organizations such as the Open Source Security Foundation, DigitalOcean and NumFOCUS provide resources to help these maintainers continue maintaining critical projects.
- Manage vulnerabilities: Organizations should develop coordinated vulnerability disclosure programs, support vulnerability research and report vulnerabilities to relevant developers.
- Patch management: Organizations should develop comprehensive asset inventories, develop emergency patching procedures and promote patch deployment in OT/ICS environments.
- Improve authentication and authorization policies: Implement multifactor authentication, avoid hard-coded credentials and default passwords and use accounts that uniquely identify individual users.
“As an industry, there is no denying the benefit that OSS provides in delivering value to our customers,” Tony Baker, VP and chief product safety and security officer at Rockwell Automation, said via email.
“However, as vendors, it’s important to understand that it is not without cost, and additional effort and investment is required to successfully sustain the portfolio,” Baker said.
The guide provides a good overview of what open source software is and also helps explain the convergence of information technology and operational technology, said Kevin Kumpf, chief OT/ICS security strategist at Cyolo.
“In modern day, non-trivial software development projects, it’s almost impossible to find software without any OSS components,” Kumpf said via email.
It is critical for companies to maintain an asset inventory for hardware, software and firmware since open source software vulnerabilities can cause multiple levels of exposure, according to Yiyi Miao, chief product officer at OPSWAT, a firm that specializes in protecting critical infrastructure providers.
“Some of the OSS vulnerabilities can include the targeting of a specific vendor from, or in, specific countries,” Miao said.
Understanding what products are deployed and where they are purchased from can also be a “critical anchor point for faster incident response,” Miao said.