Manage Vulnerabilities in ICS Open Source Software

Enhancing ICS Cybersecurity in the Software Development Lifecycle

Key Takeaways

Open source software (OSS) is frequently integrated into industrial control systems (ICS) and critical infrastructure as business owners pursue greater interoperability, portability, and interchangeability. While tapping into the benefits of open source software, cybersecurity considerations are imperative, since availability and reliability is paramount for industrial control systems. Ensuring high-quality code in open source software to avoid an increased cyber risk to the ICS becomes a pivotal challenge. Vulnerability management of open source software should be considered and evaluated through the lifecycle of software development, starting as early as possible-to reduce cost and effort in the maintenance phase and to enhance the cybersecurity management that helps avoid system downtime.

Open Source Software in Industrial Control Systems

OSS is ubiquitous nowadays. According to a report by Synopsys Cybersecurity Research Center, OSS is widely adopted across various industries, including the Internet of Things (IoT), cybersecurity, and internet and mobile apps. 1Microsoft, once the largest proprietary software advocate, is now the single largest contributor to open source projects in the world. 2With tech giants such as Facebook, Google, Amazon, and Apple all involved in various open source projects nowadays-contributing to, as well as consuming, millions of lines of open source code daily-the prevalence of open source is evident in today’s technology development.

The Cybersecurity Requirement for ICS

However, the “open” nature of OSS also raises cybersecurity concerns in ICS. After all, the vulnerabilities or cybersecurity issues in the ICS and critical infrastructure may result in far-reaching impacts such as a massive power outage and/or operations failures in the civil infrastructure systems across telecoms, the water supply, wastewater treatment, and railways, to a certain extent. To tackle the cybersecurity threat to ICS, worldwide governments, 3including the National Institute of Standards and Technology (NIST) under the U.S. Federal Government, have strongly recommended that ICS owners comply with certain standards for industrial cybersecurity, such as the ISA/IEC 62443 series of standards.

Managing Vulnerabilities Throughout the Software Development Lifecycle

In a standard SDLC, there are five phases: requirement analysis, design, implementation, testing, maintenance, and evolution. Here are some guidelines about how to manage OSS in each phase:

  • Design: To fulfill requirements, it’s vital to choose open source software in the proper category and with the highest security. Here are some tips for vetting OSS in the design phase:
  • Check the current status: The designing purpose and popularity of the OSS should be taken into consideration. The more popular it is, the less likely it goes obsolete or unfixed once a vulnerability is identified.
  • Figure out the maintainer or the sponsor behind the OSS: OSS is often supported by a community, sometimes with influential sponsors. With a prestigious maintainer or resourceful sponsors, the OSS code is likely to have better quality and longevity. For instance, the Civil Infrastructure Platform (CIP) project, supported by the Linux Foundation, provides long-term support (10 years) to the Linux kernel.
  • Version selection: Choose the stable version over the popular version to ensure the reliability that an ICS requires. To that end, a rolling version should be the minimum option for an ICS.
  • Always have a Plan B: After all the factors above are carefully considered, make sure you have a Plan B in place in case an unexpected incident occurs.
  • Implementation/development: In this phase, the key point is to obey the rule of “upstream first.” The project should always share its results with the upstream to ensure that security fixes are integrated in upcoming versions and fulfill the need for long-term maintenance. To maximize the power of OSS, it’s important not to use open source as a closed source. This way, you can avoid wasting resources on the inevitable need to fix code conflicts after merging every new version of the latest OSS release. All users will benefit from the rule of “upstream first,” including the contributors themselves.
  • Testing: Setting up an automated testing system with sufficient test cases can reduce redundant effort. Luckily, there are some automated testing systems available to avoid building a testing system from scratch. For instance, kernelci.org is a community-based, open source distributed test automation system focused on upstream Linux kernel development.5It detects, bisects, reports, and fixes regressions on upstream kernel trees before they even reach the mainline.
  • Maintenance/evolution: In this phase, it is suggested to build a vulnerability scanning tool or framework to track the current status of vulnerabilities in each OSS. In the CIP project, cip-kernel-sec tracks the status of security issues identified by CVE ID in mainline, stable, and other configured branches. With the collaborative power of OSS, effort in the maintenance phase can be largely reduced.

Footnotes

1Synopsys Cybersecurity Research Center (n.d.) 2019 Open source security and risk analysis.
https://www.synopsys.com/software-integrity/resources/analyst-reports.html

The International Society of Automation (isa.org) is a non-profit professional association founded in 1945 to create a better world through automation.