"Critical Infrastructure's Open-Source Problem"

According to Synopsys research, 78 percent of the code in codebases is open source, and 81 percent of those codebases contain at least one vulnerability. When code is left untouched for two years with no feature updates, that figure rises to 88 percent. Open-source code is critical to computing, the Internet, and the connectivity of critical infrastructure. Many critical infrastructure segments, such as the electric grid and water systems, are also outdated, leaving them riddled with out-of-date and unchecked code. Open-source software is used in both Operational Technology (OT) and Information Technology (IT); it is everywhere now, says Cheri Caddy, director of cyber policy and planning at the Office of the National Cyber Director.

When a vulnerability in the open-source supply chain is exploited, it can cause major issues for any industry; when this happens in critical infrastructure, it has the potential to cause chaos for affected users. Although the open-source community has a reputation for quickly discovering and fixing bugs because more eyes are on the code, that same visibility can make things easier for potential attackers, according to Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin also notes that repairing old hardware with new software often yields mixed results: it can keep older technology relevant and extend its life, but it can also introduce new software vulnerabilities.

Open-source components also introduce risk through the Continuous Integration and Continuous Delivery (CI/CD) pipeline. While production environments are hardened and monitored, CI/CD pipelines receive far less security attention, according to John Steven, CTO of ThreatModeler. Attacks on open-source and artifact repositories occur outside the organization and are therefore neither monitored nor controlled by the enterprise that consumes them. This article continues to discuss how open-source code poses a security risk and how critical infrastructure can be protected from that risk.

Security Boulevard reports "Critical Infrastructure's Open-Source Problem"
