The United States is increasingly tightening its cybersecurity measures and is fostering collaborative efforts between crucial agencies. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the U.S. Department of the Treasury have joined forces to provide new guidance. This guidance is aimed at bolstering the security of Open Source Software (OSS) within the Operational Technology (OT) and Industrial Control Systems (ICS). This underscores the critical importance of fortifying the nation’s cyber defences in the face of evolving threats.
This collaborative effort, developed within the Joint Cyber Defence Collaborative (JCDC) framework, is a pivotal part of the 2023 OSS planning initiative. The initiative’s primary objective is to foster a deeper understanding of best practices for securing OSS within OT/ICS environments, paramount to organisations managing critical infrastructure.
Operational Technology (OT) and Industrial Control Systems (ICS) are integral components of critical infrastructure, but they also face severe cybersecurity and safety challenges. These challenges are compounded by the far-reaching consequences of incidents that can impact life safety and the security of connected infrastructure.
For organisations utilising OSS in OT and ICS applications, adhering to conventional cybersecurity hygiene practices, such as routine software updates, can be challenging. In response to these challenges, the published guidance serves as a comprehensive roadmap to help senior leadership and operational personnel at OT/ICS vendors and critical infrastructure entities manage and mitigate risks associated with OSS use, including those within the software supply chain, and to increase overall resilience through the effective use of available resources.
Clayton Romans, Associate Director of CISA, emphasised the significance of collaborative efforts in developing this guidance. He asserted, “Our JCDC planning effort united diverse cybersecurity stakeholders to identify systemic risks in OSS for OT/ICS and create practical solutions. Our ability to deliver timely, relevant products relies on trusted collaboration with partners. We are optimistic that this ongoing public-private collaboration will further enhance the OSS ecosystem and reduce risks to our critical infrastructure.”
The guidance is structured around a series of recommendations that span from senior leadership to operational areas of an organisation. These recommendations cover critical aspects of improving OSS security in OT/ICS environments, addressing issues such as vendor support, vulnerability management, patch management, authentication and authorisation policies, and establishing a common framework for open-source software.
The guidance aligns with the broader National Cyber Strategy’s objectives to promote public-private collaboration. It complements the CISA Open Source Software Security Roadmap, designed to enhance the security and development of OSS.
This forward-looking effort brings together government and private sector entities to create and execute cyber defence plans to achieve specific risk reduction targets while fostering more focused collaboration. The initiative bolsters cybersecurity and enables organisations to navigate the complexities of OSS effectively.
Its holistic approach, encompassing collaboration between government and industry, underscores the importance of addressing cybersecurity concerns in an evolving digital landscape. It is a beacon for organisations managing essential infrastructure, guiding them towards a more secure and resilient future. CISA encourages all organisations to explore the Joint Fact Sheet and CISA’s new webpage, “Securing Open Source Software in Operational Technology,” for detailed insights into this initiative.