"Open-Source to Open Door: Software Emerges as Risk to the Grid"

The extent of the damage caused by the Apache Log4j security flaw is still not fully understood. Open-source code can be found in almost every type of modern technology. It is used throughout the economy, including the energy sector, making it a looming issue for energy cybersecurity. According to Cheri Caddy, a former senior adviser at the Department of Energy (DOE) who is now director of cyber policy and plans at the Office of the National Cyber Director, the DOE is concerned about open-source software because it is used in all types of software development, including Operational Technology (OT) and Information Technology (IT).

The Log4j security flaw highlighted some of the most serious concerns. The development team was small, the software was found in almost every industry, and many businesses were unsure if the code was even in their products. The issue, according to experts, is not that open-source software is inherently less secure than proprietary software. Rather, a few lines of code can be used to standardize an entire industry, and if that code contains a serious vulnerability, critical infrastructure, including the grid, can be left vulnerable to attacks. It can become an open door for malicious hackers to enter critical systems, especially if utilities are unaware of its existence.

According to Virginia Wright, an energy cybersecurity portfolio program manager at Idaho National Laboratory (INL), open-source software is everywhere in the energy sector. Wright manages a DOE grid vulnerability test bed called Cyber Testing for Resilient Industrial Control Systems (CyTRICS). The program, led by INL and run by six DOE labs, seeks out vulnerabilities in the software that runs the power grid. They found open-source software in 100 percent of the investigated systems. When a vulnerability is discovered, the lab contacts grid equipment manufacturers to discuss potential mitigation measures to help patch the bug. This can include publicly disclosed vulnerabilities. Because open-source software is freely available and widely used, vendors may be unaware that a vulnerability and its patch exist, according to Wright. This article continues to discuss the threat posed by open-source software to energy cybersecurity.

Energywire reports "Open-Source to Open Door: Software Emerges as Risk to the Grid"
