Manage Vulnerabilities in ICS Open Source Software
Enhancing ICS Cybersecurity in the Software Development Lifecycle
Open source software (OSS) is frequently integrated into industrial control systems (ICS) and critical infrastructure as business owners pursue greater interoperability, portability, and interchangeability. While tapping into the benefits of open source software, cybersecurity considerations are imperative, since availability and reliability is paramount for industrial control systems. Ensuring high-quality code in open source software to avoid an increased cyber risk to the ICS becomes a pivotal challenge. Vulnerability management of open source software should be considered and evaluated through the lifecycle of software development, starting as early as possible-to reduce cost and effort in the maintenance phase and to enhance the cybersecurity management that helps avoid system downtime.
Open Source Software in Industrial Control Systems
OSS is ubiquitous nowadays. According to a report by Synopsys Cybersecurity Research Center, OSS is widely adopted across various industries, including the Internet of Things (IoT), cybersecurity, and internet and mobile apps. 1Microsoft, once the largest proprietary software advocate, is now the single largest contributor to open source projects in the world. 2With tech giants such as Facebook, Google, Amazon, and Apple all involved in various open source projects nowadays-contributing to, as well as consuming, millions of lines of open source code daily-the prevalence of open source is evident in today’s technology development.
Besides consumer-grade hardware and software, OSS also proliferates in industrial control systems and critical infrastructure. Linux, the open source operating system (OS) based on Linux kernel, is now a mainstream OS in the industrial space.
For instance, take operational technology (OT) systems. From industrial PCs and programmable logic controllers (PLCs) in the control network at the field level, to the supervisory control and data acquisition (SCADA) and engineering servers in the supervisory network at the mid-level, to application servers in the management network at the top level, a majority of these industrial control devices run Linux OS with open source applications.
OSS provides great interoperability, portability, and interchangeability to ICS, as numerous devices may all come from different vendors in the supply chain with heterogeneous software packages. The “open” nature of OSS allows ICS providers and industrial device suppliers to integrate systems with ease and flexibility while effectively enhancing the efficiency of software development without building things up from scratch.
The Cybersecurity Requirement for ICS
However, the “open” nature of OSS also raises cybersecurity concerns in ICS. After all, the vulnerabilities or cybersecurity issues in the ICS and critical infrastructure may result in far-reaching impacts such as a massive power outage and/or operations failures in the civil infrastructure systems across telecoms, the water supply, wastewater treatment, and railways, to a certain extent. To tackle the cybersecurity threat to ICS, worldwide governments, 3including the National Institute of Standards and Technology (NIST) under the U.S. Federal Government, have strongly recommended that ICS owners comply with certain standards for industrial cybersecurity, such as the ISA/IEC 62443 series of standards.
ISA/IEC 62443–4–1, one of the ISA/IEC 62443 standards, defines a secure development lifecycle for the purpose of developing and maintaining secure products used in industrial automation and control systems. To meet the requirement of security, reliability, and sustainability for an ICS, it is critical to manage the great amount of OSS running in the ICS during the software development lifecycle (SDLC), as part of the product life cycle specified by the ISA/IEC 62443–4–1 standard.
According to a report by NIST, 4the costs to fix software defects in the phase of the post-product release could be 30 times higher than in the phase of software requirements gathering, analysis, and architecture design. The vulnerability of OSS can be significantly reduced if it is considered as early as possible in the SDLC.
Managing Vulnerabilities Throughout the Software Development Lifecycle
In a standard SDLC, there are five phases: requirement analysis, design, implementation, testing, maintenance, and evolution. Here are some guidelines about how to manage OSS in each phase:
- Requirement analysis: It’s imperative to collect, analyze, and identify requirements for the OS, system, and network hardening before developing or choosing a software. With careful requirement analysis, the software developer is able to select proper OSS to fulfill requirements as well as reduce unnecessary security-related maintenance efforts in later phases. For example, civil infrastructure systems must be industrial grade, sustainable, and secure. Therefore, the OSS used in these systems need to be evaluated with regard to functionality, maintenance, and testing costs based on these requirements.
- Design: To fulfill requirements, it’s vital to choose open source software in the proper category and with the highest security. Here are some tips for vetting OSS in the design phase:
- Check the current status: The designing purpose and popularity of the OSS should be taken into consideration. The more popular it is, the less likely it goes obsolete or unfixed once a vulnerability is identified.
- Figure out the maintainer or the sponsor behind the OSS: OSS is often supported by a community, sometimes with influential sponsors. With a prestigious maintainer or resourceful sponsors, the OSS code is likely to have better quality and longevity. For instance, the Civil Infrastructure Platform (CIP) project, supported by the Linux Foundation, provides long-term support (10 years) to the Linux kernel.
- Version selection: Choose the stable version over the popular version to ensure the reliability that an ICS requires. To that end, a rolling version should be the minimum option for an ICS.
- Always have a Plan B: After all the factors above are carefully considered, make sure you have a Plan B in place in case an unexpected incident occurs.
- Implementation/development: In this phase, the key point is to obey the rule of “upstream first.” The project should always share its results with the upstream to ensure that security fixes are integrated in upcoming versions and fulfill the need for long-term maintenance. To maximize the power of OSS, it’s important not to use open source as a closed source. This way, you can avoid wasting resources on the inevitable need to fix code conflicts after merging every new version of the latest OSS release. All users will benefit from the rule of “upstream first,” including the contributors themselves.
- Testing: Setting up an automated testing system with sufficient test cases can reduce redundant effort. Luckily, there are some automated testing systems available to avoid building a testing system from scratch. For instance, kernelci.org is a community-based, open source distributed test automation system focused on upstream Linux kernel development.5It detects, bisects, reports, and fixes regressions on upstream kernel trees before they even reach the mainline.
- Maintenance/evolution: In this phase, it is suggested to build a vulnerability scanning tool or framework to track the current status of vulnerabilities in each OSS. In the CIP project, cip-kernel-sec tracks the status of security issues identified by CVE ID in mainline, stable, and other configured branches. With the collaborative power of OSS, effort in the maintenance phase can be largely reduced.
As indicated by the ISA/IEC 62443 standard that specifies security capabilities for control system components, all industry players-including product suppliers, system integrators, and asset owners-have “shared responsibility” for all phases of the IACS cybersecurity lifecycle (Ristaino, 2016). 6It is important to ensure that products are secure by design and to maintain security over the life of the products, including hardware as well as software. With the proliferation of OSS in ICS, successful management of OSS throughout the SDLC will play an essential role for ICS integrators and vendors in meeting the ISA/IEC 62443 standards to enhance cybersecurity for ICS and ensure availability and reliability.
1Synopsys Cybersecurity Research Center (n.d.) 2019 Open source security and risk analysis.
2Warren, T. (2020, May 18). Microsoft: we were wrong about open source. The Verge.
3Chang, A. (2020, May 27). Public and Private Sectors Join Forces to Protect Industrial Networks From Cyberattacks. Moxa.
4International Society of Automation (2018, September/October). New ISA/IEC 62443 standard specifies security capabilities for control system components. InTech Magazine. https://www.isa.org/intech/201810standards/
5kernelci.org (n.d.). Automated Linux Kernel Testing. Kernel CI. https://kernelci.org/
6Ristaino, A. (2016, May/June). Industrial automation cybersecurity conformity assessments. InTech Magazine. https://www.isa.org/intech/20160602/