Improving security for open-source ICS software.
By Tim Nodar, CyberWire senior staff writer
Oct 13, 2023

Securing open source software presents a particular problem for industrial control systems. CISA, the FBI, NSA, and the Treasury Department have some ideas about how to approach that problem.

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the US Department of the Treasury have released guidance on improving the security of open-source software for operational technology and industrial control systems. The guidance provides recommendations for “supporting OSS development and maintenance, managing and patching vulnerabilities in OT/ICS environments, and using the Cross-Sector Cybersecurity Performance Goals (CPGs) as a common framework for adopting key cybersecurity best practices in relation to OSS.”

Guidelines developed in consultation with the private sector.

The guidance emerged from a public-private partnership. CISA consulted Accenture, Claroty, Dragos, Fortinet, Google, Honeywell, Microsoft, Nozomi Networks, NumFOCUS, the OpenSSF / Linux Foundation, Rockwell Automation, the Rust Foundation, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem. These stakeholders brought wide experience in information technology, operational technology, industrial control systems, cybersecurity, software design, and risk management.

Making safety a priority.

The guidance, sensibly, makes “safety a priority.” That’s entirely reasonable given the potential for an ICS incident to have kinetic effects that could induce unsafe conditions. Should a system come under attack, graceful degradation, for example, is one realistic option, as are fail-safe designs. “Fail-safe” doesn’t mean “safe from failure.” Rather it means that, if a system fails, it fails into a safe condition as opposed to a dangerous one.

IT and OT overlap, but their security can't be considered interchangeable.

The document also notes some of the ways IT differs from OT. Common best practices that have evolved to help secure IT can’t always be applied mechanically or unproblematically to OT systems. Consider patching. Keeping patches up-to-date is always one of the first best practices recommended. Even with IT systems it’s not always quite so straightforward. With OT systems, involving as they do even more complex dependencies, interaction with more legacy systems, and the overarching importance of availability, it’s a much more difficult proposition. And, as the recommendations say, there’s also a convergence between OT and IT proper, especially with respect to open source software.

Insofar as it’s possible, CISA and its partners recommend always following secure-by-design and secure-by-default development practices. These can be challenging, especially when open source software is used. “The diverse way [open-source software] can be integrated into OT products can make it difficult to know whether certain software modules, and their associated vulnerabilities, are present and/or exploitable. Additional challenges include an overall minimized opportunity to patch and increased aversion to new variables added into production environments because of the often stringent uptime requirements for OT environments.”

CISA and its partners organize their high-level recommendations for managing open-source risk under two heads: transparency and verifiability.

Transparency and verifiability as the keys to open source security for OT.

Transparency includes:

  1. What assets an organization owns and operates–this is asset management transparency.
  2. What software each software asset contains (and here a Software Bill of Materials can be helpful).
  3. The supplier’s process for updating firmware and software.
  4. Ensuring that the software an organization's assets are running is in fact the software that the developer wrote, and that the developer who wrote the software is the intended developer–the one who’s supposed to have written it.

Verifiability, which CISA describes as “the ability to confirm the authenticity of information and data related to systems,” includes:

  1. Users’ identity and access restrictions.
  2. Data integrity: “the accuracy and validity of data throughout its lifecycle.”
  3. Ensuring that software is functioning as specified.
  4. And, of course, overall system security.

OT open source security guidelines receive favorable industry reviews.

"I am a big fan of CISA and its initiatives," wrote Avishai Avivi, CISO, SafeBreach. "This latest fact sheet released by CISA, FBI, NSA, and the Department of Treasury is yet another welcomed initiative as it relates to the use of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS). The route this fact sheet takes is notably open and supportive of OSS."

One thing the guidelines might do is help redress the low security repute in which open source software is held. "Traditionally, when it comes to cybersecurity, OSS has been viewed negatively. There were multiple arguments noting that the source code is freely accessible, which means malicious actors can analyze this code and find vulnerabilities. Note that breaches involving a company's source code are typically a concern. Other arguments include concern about long-term support of the OSS, untracked dependencies, and even potential licensing risks. Some companies adopt OSS code libraries and effectively close them down into a somewhat proprietary implementation of these libraries. This practice tends to result in greater cybersecurity risk. These proprietary implementations get patched slower than the original OSS libraries."

Avivi sees two important security advantages to open source software. "The fact that the source code to OSS libraries is, in fact, open to all provides two important advantages:

  • "Vulnerabilities are more easily detected, reported, and remediated
  • "It is much harder for malicious actors to sneak in bad code

"CISA recognizes that OSS has become a much-needed component of all modern computer systems - IT and OT/ICS. With that, the Fact sheet goes beyond stating it is okay to use OSS; it recommends that Vendors actively support OSS initiatives. By following this recommendation, OT/ICS vendors can ensure rapid patching of security vulnerabilities and include OT/ICS considerations in the design and releases of some of these OSS tools and libraries. With this release, CISA continues demonstrating the benefits of public and private sector collaboration and bringing a pragmatic approach to enhancing cybersecurity throughout the critical infrastructure ecosystem."

The guidelines are also a recognition of how pervasive open source software has become. Tom Marsland, VP of Technology, Cloud Range, and Board Chairman of VetSec, wrote, "Open source software is the backbone of many major products. In fact, according to Jason Perlow of the Linux Foundation, it is estimated that Free and Open Source Software constitutes some 70-90% of any given piece of modern software solutions. It is refreshing to see the U.S. Federal Government not only speaking with one voice, but embracing industry partners such as Google, Microsoft, Honeywell, Rockwell Automation, and non-profits such as the OpenSSF / Linux Foundation to publish the fact sheet on this important subject. Vulnerabilities like Log4shell and more recently, the HTTP/2 Rapid Reset vulnerability highlight a need for quick response and a need to promote the securing of open source software. Only by working together, collaboratively, can we make the internet and software a safer place for all."