Government entities urge Operational Technology/Industrial Control System providers to strengthen open-source security measures
The Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies have joined forces to release an open-source security guide aimed at bolstering the security of software used by critical infrastructure providers. The guide, created in collaboration with the Joint Cyber Defense Collaborative, emphasizes several initiatives that focus on improving open source software (OSS) security.
According to Kevin Kumpf, chief OT/ICS security strategist at Cyolo, the guide provides a comprehensive overview of OSS and explains the convergence of information technology and operational technology. One of the central roles in these efforts is played by the Open Source Security Foundation (OpenSSF). Key tools from OpenSSF, such as the Security Scorecard and Criticality Score, automate the assessment of open source project security risks.
The OpenSSF's Alpha-Omega Fund, launched in 2022 with backing from Microsoft, Google, Amazon, and Citi, invests millions to improve security in critical open source projects, including those foundational to critical infrastructure like the Linux Kernel and OpenSSL.
Another important aspect is the management of known exploited vulnerabilities. CISA maintains a living list of actively exploited vulnerabilities (KEV Catalog) that pose significant risks. Binding Operational Directive (BOD) 22-01 mandates federal agencies to remediate these vulnerabilities promptly, and the guide encourages all organizations, including critical infrastructure providers, to adopt timely vulnerability management practices based on this catalog.
CISA has also partnered with the NSA to release technical guidance that helps owners and operators of critical infrastructure create detailed inventories of OT assets, develop taxonomies, and build modern defensible architectures. This foundational step improves identification of risks, vulnerability management, and incident response in critical infrastructure environments.
Baseline cybersecurity best practices, tailored for sectors such as healthcare but generally applicable for protecting against common and impactful threats relevant to critical infrastructure, are also promoted through the guide. Long-term support for open source software in enterprise and critical infrastructure contexts is gaining emphasis, as it helps ensure predictable security updates and minimized vulnerabilities over time.
Yiyi Miao, chief product officer at OPSWAT, highlights the importance of understanding the geographical origin of the deployed products for effective incident response. Maintaining an asset inventory for hardware, software, and firmware is crucial due to OSS vulnerabilities causing multiple levels of exposure. Improving authentication and authorization policies is also recommended, including the implementation of multifactor authentication, avoiding hard-coded credentials and default passwords, and using accounts that uniquely identify individual users.
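One way to act on the KEV-based vulnerability management and asset-inventory recommendations above, as an added example that is not part of the article or of any CISA tooling: cross-reference an asset inventory against the KEV catalog feed and flag entries whose BOD 22-01 due date has passed. The field names follow the published KEV JSON feed; the CVE ids, products and inventory records are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (field names match
# the real feed; the CVE ids and products are placeholders, not real entries).
KEV_JSON = """
{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExamplePLC Firmware",
   "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known",
   "requiredAction": "Apply updates per vendor instructions."},
  {"cveID": "CVE-0000-00002", "vendorProject": "ExampleLib", "product": "ExampleLib",
   "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply updates per vendor instructions."}]}
"""

# Constructed asset inventory: each record lists the CVE ids that a scanner or
# SBOM analysis attributed to the asset (placeholder ids).
INVENTORY = [
    {"asset": "plc-01", "product": "ExamplePLC Firmware", "cves": ["CVE-0000-00001"]},
    {"asset": "hmi-02", "product": "HMI workstation", "cves": ["CVE-0000-00002", "CVE-0000-09999"]},
    {"asset": "hist-03", "product": "Historian", "cves": []},
]

def load_kev(text):
    """Index KEV entries by CVE id so inventory lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def kev_exposure(inventory, kev, today_iso):
    """Return only the inventory findings that are in KEV, marking overdue ones.

    CVEs absent from KEV are skipped; dueDate is compared to today_iso (YYYY-MM-DD).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still patch, but not a BOD 22-01 deadline
            findings.append({
                "asset": asset["asset"], "cve": cve, "due": entry["dueDate"],
                "overdue": today > date.fromisoformat(entry["dueDate"]),
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Overdue first, then ransomware-linked, then earliest due date.
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["due"]))
    return findings

if __name__ == "__main__":
    for finding in kev_exposure(INVENTORY, load_kev(KEV_JSON), "2024-02-10"):
        print(finding)
```

In practice the inventory would come from the OT asset inventory the CISA/NSA guidance calls for, and KEV_JSON from a fresh download of the catalog.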
Tony Baker, VP and chief product safety and security officer at Rockwell Automation, states that open source software provides value to customers, but requires additional effort and investment to sustain the portfolio. Understanding what products are deployed and where they are purchased from can be a "critical anchor point for faster incident response."
In summary, the initiatives outlined in CISA's open-source security guide focus on improving open source security through automated risk assessment, targeted funding for critical projects, mandated vulnerability remediation, enhanced visibility and inventory of critical assets, baseline cybersecurity architecture and controls, and operational sustainability for long-term resilience. Together they combine technical, operational, and policy controls for securing the open source software that critical infrastructure providers depend on.
- The Open Source Security Foundation's Security Scorecard and Criticality Score tools provide automation for assessing open source project security risks, playing a crucial role in the initiatives that focus on improving open source software security.
- The Alpha-Omega Fund, launched by the Open Source Security Foundation with backing from major tech companies like Microsoft, Google, Amazon, and Citi, invests millions to improve security in critical open source projects, a key aspect of these efforts.
- CISA's living list of actively exploited vulnerabilities (KEV Catalog) serves as a significant resource: BOD 22-01 mandates that federal agencies remediate these vulnerabilities promptly, and the guide encourages all organizations to adopt timely vulnerability management practices based on this catalog.
- The collaboration between CISA and the NSA has resulted in technical guidance that assists critical infrastructure operators in creating detailed inventories of OT assets, improving identification of risks, vulnerability management, and incident response in critical infrastructure environments.
- Baseline cybersecurity best practices, tailored for sectors such as healthcare but applicable to critical infrastructure protection, are promoted through the guide, along with long-term support for open source software in enterprise and critical infrastructure contexts, which helps ensure predictable security updates and minimized vulnerabilities.