he Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA) and U.S. Department of the Treasury published new guidance today on “Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS),” developed in collaboration with industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of the 2023 OSS planning initiative. This guidance will promote an improved understanding of and highlight best practices and considerations for the secure use of OSS in OT/ICS environments.

Critical infrastructure organizations using OT/ICS face heightened cybersecurity and safety concerns due to the potentially far-reaching impacts of incidents and associated life safety implications, particularly to connected infrastructure. Applying generally applicable cyber hygiene practices, such as routinely updating software, can be challenging for organizations using OSS in OT and ICS applications.

This guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, to include software supply chain, and increase resilience using available resources.

The recommendations provided in the guidance start with the senior leadership level of an organization and cover areas such as:

  • Vendor support of OSS development and maintenance, to include participating in OSS and grant programs, partnering with existing OSS Foundations, and supporting the adoption of security tools and best practices in the software development lifecycle.
  • Manage vulnerabilities, to include reducing risk exposure by requesting no cost cyber hygiene services and participate in vulnerability coordination by using available guidance and resources.
  • Patch management, to include promoting unique understanding of patch deployment process for OT/ICS environments and maintaining a comprehensive updated asset inventory to best identify software and hardware products, as well as open source components in both IT and OT environments.
  • Improve authentication and authorization policies, to include using accounts that uniquely and verifiably identify individual users, implementing multifactor authentication, and combining secure-by-default practices with least privilege.
  • Establish common framework, to include develop and support an open source program office, support safe and secure open source consumption practices, and maintain a software asset inventory.