Open-source software is everywhere — and open-source software security is currently top of mind. While no detailed accounting is available regarding the amount of OSS within OT/ICS environments, the use of OSS in these environments is ubiquitous.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and U.S. Department of Treasury provided guidance on how OT/ICS environments can improve the security of their OSS implementations. That joint announcement followed CISA's Joint Cyber Defense Collaborative (JCDC) statement that it will provide resources that support the secure use and maintenance of OSS components in OT/ICS products. CISA also recently closed its comment period regarding its search for insights into the prevalence of OSS in OT/ICS environments and potential long-term OSS security solutions. These efforts remain in their early stages.
Of course, open source provides significant benefits. In OT/ICS environments it brings interoperability, portability, faster time-to-market for products, and lower development costs. However, OSS introduces security risk if equipment providers and end-user organizations don't manage it properly. Two examples: equipment makers often don't disclose which open-source components their products contain, and end users deploy a large number of OSS tools of their own. Without SBOMs and an accurate, up-to-date inventory, operations teams cannot quickly and reliably locate at-risk software packages when new vulnerabilities emerge.
Harman Singh, director at cybersecurity services firm Cyphere, agrees that using open source software in OT/ICS environments can bring many benefits, but managing open source in these environments differs from managing it in traditional IT environments.
Ben Kendall, security consultant at NCC Group, notes several challenges regarding open-source software in OT environments compared to IT environments, especially regarding network traffic security. "Industrial protocols were often designed in an era where security was rarely considered. OT networks are notoriously fragile, and many could be rendered inoperable if something as basic as a TCP port scan were performed," says Kendall.
That means scanning a network to identify the OSS in place can be costly if not done correctly; extra attention must be paid to when to test and which systems to test, Kendall explains.
"A flood of packets hitting a piece of equipment expecting just a few for its next instructions could possibly produce a denial-of-service condition or unexpected process behavior. Any mistakes could be remarkably costly. Automated testing is a great time saver, but when it comes to something like industrial control systems—where an operational error could mean the destruction of expensive equipment or the loss of lives—it's best to be careful," he says.
While CISA has released a roadmap to help secure the open-source ecosystem, the roadmap is more aspirational than something OT/ICS operators can put to use today. The roadmap includes four primary goals:
Collaborate with the OSS community regarding security
Understand OSS prevalence in OT/ICS
Reduce OSS risks to the federal government
Strengthen the OSS ecosystem
Until those goals are reached, OT/ICS operators' own strategies for protecting their systems must account for OSS, and they must do so under constraints IT rarely faces: the need for uninterrupted real-time operations, strict regulatory demands, and the criticality of these systems.
Cyphere's Singh advises the following strategies for managing open source in OT/ICS effectively:
Inventory and tracking: Maintain a comprehensive inventory of all open-source components used in OT systems. Regularly update this inventory to track vulnerabilities and patch management.
Risk assessment: Conduct thorough risk assessments to understand the potential impact of open-source components on OT systems. Identify critical components and prioritize their security.
Vendor management: When using OT systems that incorporate OSS, establish clear guidelines and criteria for selecting vendors. Ensure they have a strong commitment to security, timely updates, and ongoing support.
Patch management: Establish a robust process to monitor and apply security patches for open-source components. Prioritize patches based on their criticality and impact on OT systems.
Security testing: Implement regular security testing and code reviews to identify any vulnerabilities or weaknesses in the open-source software. This can include static and dynamic analysis, penetration testing, and code audits.
Community involvement: Engage with the open-source community and actively contribute to it. By participating in the community, you can stay updated on the latest security vulnerabilities, patches, and best practices.
Training and awareness: Provide training and awareness programs for OT staff to educate them about the risks and best practices associated with open-source software. This can help them understand the importance of security and encourage responsible usage.
Overall, effective management of open source in OT environments requires a proactive and comprehensive approach.
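The inventory, risk-assessment and patch-prioritization items above, together with the earlier point that teams without SBOMs cannot find at-risk packages when a new vulnerability emerges, come down to one recurring task: when an advisory lands, answer "which of our assets carry the affected component, and which of those matter most?" without touching the plant network. The Python below is an added example written for this article; it is not code from CISA, Cyphere, NCC Group or any OT vendor. Everything in it is assumed or constructed: the asset names, zones and criticality scores, the SBOM entries (modelled on CycloneDX components that carry a package URL, or purl), and the advisory itself, which uses OSV-style introduced/fixed version ranges under the placeholder identifier EXAMPLE-ADV-0001 and describes no real vulnerability. Because the lookup runs against the inventory rather than by scanning devices, it sidesteps the fragility Kendall describes; the price is that the inventory must be complete, so an SBOM entry that omits its version is reported as unverifiable rather than silently cleared.

```python
"""Locate at-risk OT assets from their SBOMs when a new advisory arrives.

Added example for this article; not code from CISA, Cyphere, NCC Group or any
OT vendor. All inventory, SBOM and advisory data below is constructed and
describes no real vulnerability. Components follow the CycloneDX habit of
carrying a package URL (purl); the advisory uses OSV-style introduced/fixed
ranges. The lookup runs entirely against the inventory, so nothing touches
the plant network.
"""
import re
from dataclasses import dataclass, field

_PART = re.compile(r"(\d+)([A-Za-z]*)")


def version_key(version: str) -> list:
    """Map '1.1.1k' to [(1, ''), (1, ''), (1, 'k')] so keys compare in order.

    Assumption: dotted integers with an optional letter suffix per part, which
    covers common OT library versions but not pre-release tags like '-rc1'.
    """
    key = []
    for part in version.split("."):
        m = _PART.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported version syntax: {version!r}")
        key.append((int(m.group(1)), m.group(2)))
    return key


def is_affected(version: str, ranges: list) -> bool:
    """True if version falls in any [introduced, fixed) range; a range with
    no 'fixed' key means every version from 'introduced' onward is affected."""
    k = version_key(version)
    for r in ranges:
        if k < version_key(r["introduced"]):
            continue
        if "fixed" not in r or k < version_key(r["fixed"]):
            return True
    return False


def split_purl(purl: str) -> tuple:
    """'pkg:generic/openssl@1.1.1k' -> ('pkg:generic/openssl', '1.1.1k');
    a purl with no '@' yields version None (an incomplete SBOM entry)."""
    name, sep, version = purl.partition("@")
    return name, (version if sep else None)


@dataclass
class Asset:
    name: str
    zone: str          # where it sits, e.g. a Purdue level; free text here
    criticality: int   # 1 (low) .. 5 (safety-relevant), from the risk assessment
    sbom: list = field(default_factory=list)  # CycloneDX-like component dicts


def find_at_risk(assets: list, advisory: dict) -> list:
    """Return affected (or unverifiable) components, highest criticality first."""
    hits = []
    for asset in assets:
        for comp in asset.sbom:
            pkg, version = split_purl(comp["purl"])
            if pkg != advisory["package"]:
                continue
            if version is None:
                status = "version-unknown"   # cannot clear it; needs a manual check
            elif is_affected(version, advisory["ranges"]):
                status = "affected"
            else:
                continue
            hits.append({"asset": asset.name, "zone": asset.zone,
                         "criticality": asset.criticality,
                         "component": comp["purl"], "status": status})
    return sorted(hits, key=lambda h: (-h["criticality"], h["asset"]))


# Constructed advisory: placeholder ID and made-up ranges, not a real CVE.
ADVISORY = {
    "id": "EXAMPLE-ADV-0001",
    "package": "pkg:generic/openssl",
    "ranges": [{"introduced": "1.1.1", "fixed": "1.1.1m"},
               {"introduced": "3.0.0", "fixed": "3.0.4"}],
}

# Constructed inventory; names, zones and versions are illustrative only.
ASSETS = [
    Asset("HMI-01", "level 2 supervisory", 3,
          [{"purl": "pkg:generic/openssl@1.1.1k"},
           {"purl": "pkg:generic/lighttpd@1.4.59"}]),
    Asset("PLC-07", "level 1 control", 5,
          [{"purl": "pkg:generic/openssl@1.0.2u"},
           {"purl": "pkg:generic/libmodbus@3.1.6"}]),
    Asset("RTU-12", "level 1 control", 5,
          [{"purl": "pkg:generic/openssl@1.1.1m"}]),   # exactly the fixed version
    Asset("SW-03", "level 1 control", 4,
          [{"purl": "pkg:generic/openssl"}]),          # vendor SBOM omitted the version
    Asset("HIST-02", "level 3 site operations", 2,
          [{"purl": "pkg:generic/openssl@3.0.2"},
           {"purl": "pkg:generic/zlib@1.2.11"}]),
]

if __name__ == "__main__":
    for hit in find_at_risk(ASSETS, ADVISORY):
        print(f"{hit['asset']:8} crit={hit['criticality']} {hit['status']:16} {hit['component']}")
```

Two design points matter in practice. First, the version comparison treats the fixed version as not affected (a half-open range), which is how OSV ranges are defined; an off-by-one here either wakes up a control engineer for a patched device or, worse, clears an unpatched one. Second, the unverifiable entry sorts by asset criticality alongside confirmed hits, because an unknown version on a level 1 switch deserves attention before a confirmed hit on a historian; pushing back on vendors for SBOMs that carry versions is what makes that row disappear over time.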
The federal government's recent focus on OSS security in OT/ICS environments shows how serious of an issue OSS security has become. Hopefully, the renewed push for secure coding practices within OSS and SBOMs, as well as CISA's efforts to harden the open-source ecosystem — and the efforts OT/ICS operators take themselves to improve the security of their OSS — will pay off in the months and years ahead and help create a more secure and defendable critical infrastructure.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.