Critical Infrastructure’s Open Source Problem

  • 17 November 2022

This article was written by Sue Poremba on November 17, 2022. It features ThreatModeler CTO John Steven, whose comments are bolded below.

Open source has a security problem, and that could have real-world impact when it affects critical infrastructure.

According to research from Synopsys, 78% of code in codebases is open source, and 81% of the codebases have at least one vulnerability. That number goes up to 88% when the code sits untouched with no feature updates for two years.

Open source code plays a vital role in computing and the internet, and it plays a major role in the connectivity of critical infrastructure. Many segments of critical infrastructure, such as the electric grid and water systems, also run woefully outdated technology, leaving them riddled with outdated and unchecked code.

“Open source software is a part of all software development, whether it’s operational technology (OT) or IT. It’s just ubiquitous in everything now,” Cheri Caddy, director of cyber policy and plans at the Office of the National Cyber Director, told Energy Wire. When there is a vulnerability anywhere in the open source supply chain and it is exploited, it can create serious problems for any industry. When it happens in critical infrastructure, it could cause chaos among affected users at best or turn into a life-or-death situation at worst.

How Open Source Becomes a Risk

While the open source community does have a reputation for rapidly finding and fixing issues because there are more eyes on the code, that same ability to see the code can make things easier for potential attackers, said Mike Parkin, senior technical engineer at Vulcan Cyber, in an email interview.

“Fixing old hardware with new software can often have mixed results,” said Parkin. “While it can certainly help keep older technology relevant and extend its life, it can also introduce new software vulnerabilities.”

Open source adds risk due to the continuous integration and continuous delivery (CI/CD) pipeline. “While production environments are hardened and well-monitored, CI/CD pipelines draw substantially less security attention,” said John Steven, CTO at ThreatModeler, in an email interview. “Attacks on open source and artifact repositories are external to the organization and therefore are not subject to that enterprise’s monitoring and control.”

Injecting malware or exploiting a vulnerability through an organization’s CI/CD pipeline actions or into open source software is significantly easier than successfully attacking production without drawing notice, Steven added. “In fact, many CI/CD environments have little to no logging on what code developers have executed as part of build, package and deploy phases.”

Protecting Critical Infrastructure From Open Source Risk

Critical infrastructure suffers more acutely from the most common problem: lack of bandwidth and expertise, according to Steven. Its use of the software supply chain reflects the challenge of working with older technologies that have less automation and auditing. As critical infrastructure operators lift and shift to the cloud, even if only at the infrastructure-as-a-service level, their developers and security teams are fast-forwarding to considerably more hardened network and identity models, said Steven.

“The remaining challenge is, do they have the bandwidth (or the budget) to acquire staff and expertise to accomplish this lift without giving security the short shrift?” said Steven.

The government also recognizes both the importance and the difficulties of protecting critical infrastructure from open source vulnerabilities, and is attempting to address it with legislation; the Senate recently passed the bipartisan Securing Open Source Software Act.

“This bill will direct CISA to develop a risk framework to evaluate how open source code is used by the federal government,” ZDNet reported. The Act isn’t going to reinvent the approach to open source security, but it will require those organizations within the critical infrastructure segment to have more diligence and oversight of the threats lurking in open source software before a worst-case scenario occurs.
