Manage Vulnerabilities in ICS Open Source Software

Enhancing ICS Cybersecurity in the Software Development Lifecycle

Key Takeaways

Open source software (OSS) is frequently integrated into industrial control systems (ICS) and critical infrastructure as business owners pursue greater interoperability, portability, and interchangeability. While tapping into the benefits of open source software, cybersecurity considerations are imperative, since availability and reliability is paramount for industrial control systems. Ensuring high-quality code in open source software to avoid an increased cyber risk to the ICS becomes a pivotal challenge. Vulnerability management of open source software should be considered and evaluated through the lifecycle of software development, starting as early as possible-to reduce cost and effort in the maintenance phase and to enhance the cybersecurity management that helps avoid system downtime.

Open Source Software in Industrial Control Systems

OSS is ubiquitous nowadays. According to a report by Synopsys Cybersecurity Research Center, OSS is widely adopted across various industries, including the Internet of Things (IoT), cybersecurity, and internet and mobile apps. 1Microsoft, once the largest proprietary software advocate, is now the single largest contributor to open source projects in the world. 2With tech giants such as Facebook, Google, Amazon, and Apple all involved in various open source projects nowadays-contributing to, as well as consuming, millions of lines of open source code daily-the prevalence of open source is evident in today’s technology development.

Besides consumer-grade hardware and software, OSS also proliferates in industrial control systems and critical infrastructure. Linux, the open source operating system (OS) based on Linux kernel, is now a mainstream OS in the industrial space.

For instance, take operational technology (OT) systems. From industrial PCs and programmable logic controllers (PLCs) in the control network at the field level, to the supervisory control and data acquisition (SCADA) and engineering servers in the supervisory network at the mid-level, to application servers in the management network at the top level, a majority of these industrial control devices run Linux OS with open source applications.

OSS provides great interoperability, portability, and interchangeability to ICS, as numerous devices may all come from different vendors in the supply chain with heterogeneous software packages. The “open” nature of OSS allows ICS providers and industrial device suppliers to integrate systems with ease and flexibility while effectively enhancing the efficiency of software development without building things up from scratch.

The Cybersecurity Requirement for ICS

However, the “open” nature of OSS also raises cybersecurity concerns in ICS. After all, the vulnerabilities or cybersecurity issues in the ICS and critical infrastructure may result in far-reaching impacts such as a massive power outage and/or operations failures in the civil infrastructure systems across telecoms, the water supply, wastewater treatment, and railways, to a certain extent. To tackle the cybersecurity threat to ICS, worldwide governments, 3including the National Institute of Standards and Technology (NIST) under the U.S. Federal Government, have strongly recommended that ICS owners comply with certain standards for industrial cybersecurity, such as the ISA/IEC 62443 series of standards.

ISA/IEC 62443–4–1, one of the ISA/IEC 62443 standards, defines a secure development lifecycle for the purpose of developing and maintaining secure products used in industrial automation and control systems. To meet the requirement of security, reliability, and sustainability for an ICS, it is critical to manage the great amount of OSS running in the ICS during the software development lifecycle (SDLC), as part of the product life cycle specified by the ISA/IEC 62443–4–1 standard.

According to a report by NIST, 4the costs to fix software defects in the phase of the post-product release could be 30 times higher than in the phase of software requirements gathering, analysis, and architecture design. The vulnerability of OSS can be significantly reduced if it is considered as early as possible in the SDLC.

Managing Vulnerabilities Throughout the Software Development Lifecycle

In a standard SDLC, there are five phases: requirement analysis, design, implementation, testing, maintenance, and evolution. Here are some guidelines about how to manage OSS in each phase:

  • Requirement analysis: It’s imperative to collect, analyze, and identify requirements for the OS, system, and network hardening before developing or choosing a software. With careful requirement analysis, the software developer is able to select proper OSS to fulfill requirements as well as reduce unnecessary security-related maintenance efforts in later phases. For example, civil infrastructure systems must be industrial grade, sustainable, and secure. Therefore, the OSS used in these systems need to be evaluated with regard to functionality, maintenance, and testing costs based on these requirements.

As indicated by the ISA/IEC 62443 standard that specifies security capabilities for control system components, all industry players-including product suppliers, system integrators, and asset owners-have “shared responsibility” for all phases of the IACS cybersecurity lifecycle (Ristaino, 2016). 6It is important to ensure that products are secure by design and to maintain security over the life of the products, including hardware as well as software. With the proliferation of OSS in ICS, successful management of OSS throughout the SDLC will play an essential role for ICS integrators and vendors in meeting the ISA/IEC 62443 standards to enhance cybersecurity for ICS and ensure availability and reliability.

Footnotes

1Synopsys Cybersecurity Research Center (n.d.) 2019 Open source security and risk analysis.
https://www.synopsys.com/software-integrity/resources/analyst-reports.html

2Warren, T. (2020, May 18). Microsoft: we were wrong about open source. The Verge.
https://www.theverge.com/2020/5/18/21262103/microsoft-open-source-linux-history-wrong-statement

3Chang, A. (2020, May 27). Public and Private Sectors Join Forces to Protect Industrial Networks From Cyberattacks. Moxa.
https://www.moxa.com/en/literature-library/white-paper-joint-forces-to-protect-industrial-networks

4International Society of Automation (2018, September/October). New ISA/IEC 62443 standard specifies security capabilities for control system components. InTech Magazine. https://www.isa.org/intech/201810standards/

5kernelci.org (n.d.). Automated Linux Kernel Testing. Kernel CI. https://kernelci.org/

6Ristaino, A. (2016, May/June). Industrial automation cybersecurity conformity assessments. InTech Magazine. https://www.isa.org/intech/20160602/

Originally published at https://gca.isa.org.

The International Society of Automation (isa.org) is a non-profit professional association founded in 1945 to create a better world through automation.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store