Wednesday, May 1, 2024

CISA, Government, and Industry Partners Publish Fact Sheet for Organizations Using Open Source Software

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and U.S. Department of the Treasury published new guidance today on “Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS),” developed in collaboration with industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of our 2023 OSS planning initiative. This guidance will promote an improved understanding of and highlight best practices and considerations for the secure use of OSS in OT/ICS environments.

Critical infrastructure organizations using OT/ICS face heightened cybersecurity and safety concerns due to the potentially far-reaching impacts of incidents and associated life safety implications, particularly to connected infrastructure. Applying generally applicable cyber hygiene practices, such as routinely updating software, can be challenging for organizations using OSS in OT and ICS applications.

This guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, to include software supply chain, and increase resilience using available resources.

“Our JCDC planning effort brought together diverse stakeholders across the cybersecurity ecosystem to understand systemic risks in OSS affecting OT/ICS environments and develop shared, actionable solutions. Our work to produce timely, relevant products is dependent on trusted collaboration with our partners,” said Clayton Romans, CISA Associate Director. “This guidance is another positive outcome of our partnership with the OSS community, industry and interagency partners that contributed their time and effort. We are confident that this ongoing public-private collaboration to support the OSS ecosystem will continue to grow and help further reduce risk to our nation’s critical infrastructure.”

The recommendations provided in the guidance start with the senior leadership level of an organization and cover areas such as:

  • Vendor support of OSS development and maintenance, including participating in OSS and grant programs, partnering with existing OSS foundations, and supporting the adoption of security tools and best practices in the software development lifecycle.
  • Vulnerability management, including reducing risk exposure by requesting no-cost cyber hygiene services and participating in vulnerability coordination using available guidance and resources.
  • Patch management, including promoting an understanding of the unique patch deployment process for OT/ICS environments and maintaining a comprehensive, up-to-date asset inventory that identifies software and hardware products, as well as open source components, in both IT and OT environments.
  • Improved authentication and authorization policies, including using accounts that uniquely and verifiably identify individual users, implementing multifactor authentication, and combining secure-by-default practices with least privilege.
  • Establishing a common framework, including developing and supporting an open source program office, supporting safe and secure open source consumption practices, and maintaining a software asset inventory.

The ongoing planning and collaborative effort of the JCDC and CISA supports specific objectives in the National Cyber Strategy to scale public-private collaboration and in the Office of the National Cyber Director's Open-Source Software Security Initiative (OS3I), and complements the CISA Open Source Software Security Roadmap to drive adoption of the most impactful security practices and development of OSS.

The JCDC OSS planning initiative is part of the 2023 Planning Agenda, which is a forward-looking effort that is bringing together government and the private sector to develop and execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. To learn more about the JCDC, visit CISA.gov/JCDC.

All organizations are encouraged to review the Joint Fact Sheet and visit CISA’s new webpage, Securing Open Source Software in Operational Technology, for more information.

Read more at CISA

Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.