The largest problem with open source solutions is that there is generally no vetting process across much of the open source community in terms of cybersecurity efficacy. For example, the Equifax hack was the result of an open source Java component, used in a framework, that allowed attackers to exfiltrate consumer PII. I recently read that over 1,000 downloads per day occur in the software development space for open source modules. If we think of all of the vulnerabilities that occur in the open source ‘object library’ and software component space, while organizations are downloading well over 350,000 open source objects that are compiled into code, the resulting software framework is, from a cybersecurity perspective, weak and not sustainable.
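The vetting gap described above is usually closed in practice by checking every pinned open source component against an advisory feed before it is compiled into a build. The following is an added example, not code from the original post or from NIST: a minimal dependency-vetting check in Python. The advisory list, the package names and the manifest are constructed sample data (no real packages or vulnerabilities), and the `name==version` manifest format and the version-range semantics are assumptions chosen for illustration.

```python
# Added example (not from the original post): a minimal dependency-vetting
# check of the kind a build pipeline can run before open source components
# are compiled into a product. The advisory list and manifest below are
# CONSTRUCTED sample data, not real vulnerabilities or real package names.
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    note: str


# Constructed advisory feed (hypothetical packages); a real pipeline would
# pull this from a vulnerability database the organisation trusts.
ADVISORIES = [
    Advisory("example-web-framework", "2.0.0", "2.3.32",
             "remote code execution via untrusted input"),
    Advisory("example-xml-parser", "1.0.0", "1.4.2",
             "XXE allows local file read"),
]


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines; comments and blank lines are ignored.

    Unpinned entries are rejected: a component whose version floats cannot
    be vetted, because the build may pull a different artifact tomorrow.
    """
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed for this advisory."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def vet(manifest_text: str) -> list:
    """Return (package, version, fixed_in, note) for every affected pin."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in ADVISORIES:
        ver = deps.get(adv.package)
        if ver is not None and is_affected(ver, adv):
            findings.append((adv.package, ver, adv.fixed, adv.note))
    return findings


# Constructed sample manifest: one affected pin, one pin exactly at the
# fixed version (not affected), one package with no advisory at all.
SAMPLE_MANIFEST = """# constructed sample manifest
example-web-framework==2.3.10
example-xml-parser==1.4.2
example-logging==3.1.0
"""

if __name__ == "__main__":
    for pkg, ver, fixed, note in vet(SAMPLE_MANIFEST):
        print(f"BLOCK: {pkg} {ver} is vulnerable ({note}); upgrade to >= {fixed}")
```

Run as a script it reports the one affected pin; in a pipeline the non-empty result from `vet()` would fail the build. Two design choices matter: versions are compared as numeric tuples rather than strings (so "2.3.10" correctly sorts above "2.3.9"), and the fixed version is an exclusive upper bound, so a component pinned exactly at the fix is accepted.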
The draft implementation guide (NISTIR 8183A) for the Cybersecurity Framework (CSF) Manufacturing Profile Low Security Level has been developed for managing cybersecurity risk for manufacturers, and it addresses this issue in particular. More specifically, NISTIR 8183A is aligned with manufacturing sector goals and industry best practices; variations for other important sectors will probably surface in time.
As a note, the NISTIR 8183A guide provides general implementation guidance (Volume 1) and example proof-of-concept solutions demonstrating how currently available open-source and commercial off-the-shelf (COTS) products can be implemented in manufacturing environments to satisfy the requirements in the Cybersecurity Framework (CSF) Manufacturing Profile Low Security Level. Example proof-of-concept solutions with measured network, device, and operational performance impacts for a process-based manufacturing environment (Volume 2) and a discrete-based manufacturing environment (Volume 3) are included in the guide. Depending on factors like size, sophistication, risk tolerance, and threat landscape, manufacturers should make their own determinations about the breadth of the proof-of-concept solutions they may voluntarily implement.
The CSF Manufacturing Profile (NISTIR 8183) can be used as a roadmap for managing cybersecurity risk for manufacturers and is aligned with manufacturing sector goals and industry best practices. It provides a voluntary, risk-based approach for managing cybersecurity activities and cyber risk to manufacturing systems. The Manufacturing Profile is meant to complement but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.
Links:
Draft NISTIR 8183A Volume 1 – General Implementation Guidance
Draft NISTIR 8183A Volume 2 – Process-based Manufacturing System Use Case
Draft NISTIR 8183A Volume 3 – Discrete-based Manufacturing System Use Case