The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the U.S. Department of the Treasury, has issued vital guidance aimed at enhancing the security of open source software (OSS) within operational technology (OT) and industrial control systems (ICS). This guidance is closely aligned with CISA’s recently unveiled Open Source Security Roadmap and offers recommendations to organizations operating within the OT/ICS domain.
The guidance covers several critical areas, including supporting OSS development and maintenance, effectively managing and patching vulnerabilities within OT/ICS environments, and adopting the Cross-Sector Cybersecurity Performance Goals (CPGs) as a common framework for implementing key cybersecurity best practices related to OSS. These recommendations are particularly pertinent given the growing importance of OSS in critical infrastructure systems.
In conjunction with the guidance, CISA has introduced a dedicated web page, “Securing OSS in OT,” providing detailed insights into the Joint Cyber Defense Collaborative (JCDC) OSS planning initiative.
This initiative is a priority within the JCDC 2023 Planning Agenda and aims to foster collaboration between the public and private sectors, including the OSS community. By better understanding and securing the use of OSS in OT/ICS, the initiative intends to fortify defenses against the rising cyber threats targeting these vital sectors.
CISA urges all OT/ICS organizations to carefully review this guidance and actively implement its recommendations. In doing so, organizations can help strengthen the security and resilience of critical infrastructure, an essential component of safeguarding national security and economic stability.