Press Release | Oct. 10, 2023

NSA and U.S. Agencies Issue Best Practices for Open Source Software in Operational Technology Environments

FORT MEADE, Md. - The National Security Agency (NSA) is joining U.S. federal partners to release cybersecurity guidance to promote understanding of open source software (OSS) implementation and provide best practices to secure operational technology (OT) and industrial control systems (ICS) environments.

OSS is software with an open license for anyone to view, use, study, or modify, and is distributed with its source code. The diverse ways in which OSS can be integrated into OT products can make it difficult to know whether particular software modules, and their associated vulnerabilities, are present and/or exploitable.

Implementation and patching of OSS in OT environments continue to be a challenge due to safety concerns and the potential disruption of critical systems. As the integration of OT and Information Technology (IT) networks increases, the critical infrastructure supporting these networks faces greater exposure to cyber threat campaigns.

The Cybersecurity Information Sheet (CSI) “Improving Security of Open Source Software in Operational Technology and Industrial Control Systems” offers best practices and recommendations for improving OSS security in OT/ICS environments, such as supporting OSS development and maintenance, patch management, authorization and authentication policies, and establishing common frameworks.

The joint cybersecurity guidance also encourages the adoption of “secure-by-design” and “secure-by-default” principles to decrease cybersecurity risk in OT environments.
 
The Cybersecurity and Infrastructure Security Agency (CISA) authored the CSI with contributions from the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and U.S. Department of the Treasury.
 
Read the full report here.
 
Visit our full library for more cybersecurity information and technical guidance.


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721