Securing Open Source Software in Operational Technology

JCDC Open Source Software Initiative 

As highlighted in CISA’s Open Source Software (OSS) Security Roadmap, OSS is an integral component of modern software supply chains and is prevalent across the federal government and U.S. critical infrastructure. Accordingly, CISA’s Joint Cyber Defense Collaborative (JCDC) initiated a collaborative planning effort to support the awareness, security, and cyber resiliency of OSS in critical infrastructure operational technology (OT) and industrial control systems (ICS). 

This effort is one of the priority initiatives within the JCDC 2023 Planning Agenda, which consists of contributions from JCDC participants, including representatives from the OSS community. It also complements CISA’s broader efforts to support a more secure-by-design and resilient OSS ecosystem. 

Goals and Objectives 

The JCDC OSS planning initiative is oriented around three major goals, which collectively, will support small- and medium-sized ICS vendors and critical infrastructure owner/operators in conducting adequate risk management of adversarial activity targeting OSS in OT and ICS products. Through this initiative, organizations will be enabled to better defend their networks, action threat- and vulnerability-related information, and collaborate with relevant partners to manage incidents. 

The three primary goals of this initiative include: 

1. Understand OSS use in OT/ICS. JCDC will support and contribute to ongoing efforts to understand OSS use across OT and ICS to determine which are the critical OSS libraries and where there are key dependencies for national critical infrastructure. 
2. Secure OSS use in OT/ICS. JCDC will provide resources that support the secure use and maintenance of OSS components in OT/ICS products. 
3. Defend against cyber threats to OT/ICS. JCDC will improve public-private collaboration to identify, manage, and respond to cyber vulnerabilities, risks, or incidents impacting national critical infrastructure.