Manage Vulnerabilities in ICS Open Source Software

Enhancing ICS Cybersecurity in the Software Development Lifecycle

Key Takeaways

Open Source Software in Industrial Control Systems

The Cybersecurity Requirement for ICS

Managing Vulnerabilities Throughout the Software Development Lifecycle

  • Requirement analysis: It’s imperative to collect, analyze, and identify requirements for the OS, system, and network hardening before developing or choosing software. With careful requirement analysis, the software developer is able to select proper OSS to fulfill requirements as well as reduce unnecessary security-related maintenance efforts in later phases. For example, civil infrastructure systems must be industrial grade, sustainable, and secure. Therefore, the OSS used in these systems needs to be evaluated with regard to functionality, maintenance, and testing costs based on these requirements.
  • Design: To fulfill requirements, it’s vital to choose open source software in the proper category and with the highest security. Here are some tips for vetting OSS in the design phase:
      • Check the current status: The design purpose and popularity of the OSS should be taken into consideration. The more popular it is, the less likely it is to become obsolete or be left unfixed once a vulnerability is identified.
      • Figure out the maintainer or the sponsor behind the OSS: OSS is often supported by a community, sometimes with influential sponsors. With a prestigious maintainer or resourceful sponsors, the OSS code is likely to have better quality and longevity. For instance, the Civil Infrastructure Platform (CIP) project, supported by the Linux Foundation, provides long-term support (10 years) to the Linux kernel.
      • Version selection: Choose the stable version over the popular version to ensure the reliability that an ICS requires. To that end, a rolling version should be the minimum option for an ICS.
      • Always have a Plan B: After all the factors above are carefully considered, make sure you have a Plan B in place in case an unexpected incident occurs.
  • Implementation/development: In this phase, the key point is to obey the rule of “upstream first.” The project should always share its results with the upstream to ensure that security fixes are integrated in upcoming versions and fulfill the need for long-term maintenance. To maximize the power of OSS, it’s important not to use open source as a closed source. This way, you can avoid wasting resources on the inevitable need to fix code conflicts after merging every new version of the latest OSS release. All users will benefit from the rule of “upstream first,” including the contributors themselves.
  • Testing: Setting up an automated testing system with sufficient test cases can reduce redundant effort. Luckily, there are some automated testing systems available to avoid building a testing system from scratch. For instance, kernelci.org is a community-based, open source distributed test automation system focused on upstream Linux kernel development.[5] It detects, bisects, reports, and fixes regressions on upstream kernel trees before they even reach the mainline.
  • Maintenance/evolution: In this phase, it is suggested to build a vulnerability scanning tool or framework to track the current status of vulnerabilities in each OSS. In the CIP project, cip-kernel-sec tracks the status of security issues identified by CVE ID in mainline, stable, and other configured branches. With the collaborative power of OSS, effort in the maintenance phase can be largely reduced.
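
The per-branch tracking described in the maintenance phase can be modelled in a few functions. This is an added example, not code from cip-kernel-sec or from the original article; the record layout, branch names, commit ids, and CVE ids are all constructed for illustration.

```python
NOT_AFFECTED, VULNERABLE, FIXED = "not affected", "vulnerable", "fixed"

# Constructed data: commits present on each tracked branch.
# A real tool would read these from git history.
BRANCH_COMMITS = {
    "mainline": {"a1", "b2", "c3", "d4"},
    "stable": {"a1", "s-c3"},   # s-c3 is the backport of c3
    "product": {"a1", "b2"},    # hypothetical vendor branch for an ICS product
}

# Constructed records: which commits introduce and fix each CVE on each branch.
ISSUES = {
    "CVE-0000-0001": {
        "introduced-by": {"mainline": ["a1"], "stable": ["a1"], "product": ["a1"]},
        "fixed-by": {"mainline": ["c3"], "stable": ["s-c3"]},
    },
    "CVE-0000-0002": {
        "introduced-by": {"mainline": ["b2"], "stable": ["s-b2"], "product": ["b2"]},
        "fixed-by": {"mainline": ["d4"]},
    },
    "CVE-0000-0003": {  # introduction unknown: assume every branch is affected
        "introduced-by": {},
        "fixed-by": {"mainline": ["d4", "e5"]},  # e5 has not been merged yet
    },
}


def branch_status(issue, branch, commits):
    """Classify one issue on one branch from the commits that branch contains."""
    introduced = issue.get("introduced-by", {}).get(branch)
    if introduced and not any(c in commits for c in introduced):
        return NOT_AFFECTED  # the flawed change never landed on this branch
    fixes = issue.get("fixed-by", {}).get(branch, [])
    if fixes and all(c in commits for c in fixes):
        return FIXED  # every commit of the fix is present
    return VULNERABLE  # no fix recorded, or the fix is only partly applied


def build_report(issues, branch_commits):
    """Return {cve_id: {branch: status}} for every tracked branch."""
    return {
        cve: {b: branch_status(issue, b, commits) for b, commits in branch_commits.items()}
        for cve, issue in issues.items()
    }


def open_issues(report, branch):
    """CVE ids that still need a fix merged or backported on the given branch."""
    return sorted(cve for cve, per in report.items() if per[branch] == VULNERABLE)
```

Treating an unknown introduction point as "affected" and a partly applied fix as "vulnerable" keeps the report conservative, which suits long-lived ICS branches where a missed backport can stay in the field for years.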

Footnotes