The worst computer vulnerability in recent years was in a ubiquitous piece of open-source software: a bug that was as simple to exploit as it was difficult to patch.
The Apache Log4j security flaw opened the door to millions of computers, but the extent of the damage still isn't fully understood. Nearly a year later, federal officials and Congress are still discussing how to avoid another potential disaster.
Open source, which is code that is open to everyone to use or edit, can be found in nearly every type of modern technology. It has served as the backbone of the internet, and is pervasive throughout the economy, including in the energy sector.
That makes it a looming issue for energy cybersecurity.
"Of course, [the Energy Department] is concerned about open-source software," said Cheri Caddy, a former senior adviser at DOE who is currently director of cyber policy and plans at the Office of the National Cyber Director. "Open-source software is a part of all software development, whether it's [operational technology] or IT. It's just ubiquitous in everything now."
The Log4j security lapse highlighted some of the key concerns: The development team was small, the software was found in nearly every industry, and many companies were unsure if they even had the code in their products.
The problem, experts say, is not that open source is inherently less secure than proprietary software. It's not. But a few lines of code can be adopted throughout an entire industry.
When those few lines contain a serious vulnerability, that can be a problem for critical infrastructure, including the grid. It can become an open door that allows malicious hackers to walk into critical systems, especially when utilities aren't aware that the door even exists.
"In the energy sector, open-source software is everywhere," said Virginia Wright, an energy cybersecurity portfolio program manager at Idaho National Laboratory (INL).
Wright manages a DOE grid vulnerability testing bed called Cyber Testing for Resilient Industrial Control Systems (CyTRICS). The program, run by six DOE labs and led by INL, ferrets out vulnerabilities in the software that runs the power grid.
"One hundred percent of the systems that we have looked at have contained open-source software," Wright said.
CyTRICS works on a voluntary basis with some of the biggest grid equipment manufacturers, like Hitachi Energy and Schweitzer Engineering Laboratories. Once a vulnerability is found, the lab reaches out to the manufacturers with potential mitigation measures to help patch the bug.
Sometimes that includes publicly known vulnerabilities. Because open-source software is freely available and widely used, vendors may not be aware that a vulnerability and a patch even exist, Wright said.
Wright said that the labs have seen grid equipment vendors selling older versions of their products with known vulnerabilities and fixes. "Some of that software is even updated in those vendors' own systems, and their customers are buying it with all of the vulnerabilities attached," Wright said.
To avoid software with vulnerabilities, utilities need to employ "a pretty rigorous evaluation and testing process on their own," she said.
The bipartisan infrastructure bill codifies the CyTRICS program and places it under the Cyber Sense program. By September of next year, DOE aims to analyze around 10 percent of critical components in energy systems and expand the program's voluntary partnerships to cover around 15 percent of market share, according to DOE's two-year performance goal.
DOE also launched a pilot program for an energy-focused software bill of materials, which is similar to the food industry's ingredient label: a machine-readable list of the components, and their versions, that a product is built from. Such a label, experts say, can increase visibility into the software that runs critical infrastructure.
Congress also has begun to take further action. Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), the chair and ranking member, respectively, of the Senate Homeland Security and Governmental Affairs Committee, have moved forward legislation that would direct the Cybersecurity and Infrastructure Security Agency to study ways to mitigate risks in critical infrastructure that uses open-source software.
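The two problems the article raises, vendors shipping a component that already has a public fix and owners not knowing whether a product contains the component at all, are exactly what an SBOM lets a utility check mechanically. The following is an added example, not code from E&E News, DOE, CISA or any vendor named above. It reads a CycloneDX-style JSON SBOM (the sample is constructed here; the product name is hypothetical) and flags any log4j-core component that is older than the release carrying the full set of Log4Shell-era fixes. The fixed-version table is the editor's reading of Apache's advisories for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 (2.17.1 in general, 2.12.4 on the Java 7 branch, 2.3.2 on the Java 6 branch) and is the part to re-verify against the advisories before relying on it.

```python
"""Check a CycloneDX JSON SBOM for log4j-core builds that predate the full fix set.

Added example, not code from the article or any DOE/CISA program. The SBOM
below is constructed for illustration; the product name is hypothetical.
"""
import json
import re
from typing import Iterator, List, Tuple

# Constructed sample SBOM in CycloneDX 1.4 JSON layout (hypothetical product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "example-relay-hmi", "version": "3.2.0"}},
    "components": [
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "log4j-api", "group": "org.apache.logging.log4j", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.12.4",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.4"},
        {"name": "jackson-databind", "group": "com.fasterxml.jackson.core", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ],
})

# Assumption (editor's reading of the Apache advisories): the first release on
# each branch that carries fixes for CVE-2021-44228, -45046, -45105 and -44832.
# 2.3.x was kept for Java 6 and 2.12.x for Java 7; every other branch needs 2.17.1.
LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core"
LOG4J_FIXED_BY_BRANCH = {"2.3": "2.3.2", "2.12": "2.12.4"}
LOG4J_FIXED_DEFAULT = "2.17.1"


def parse_version(v: str) -> Tuple:
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts like Maven does.

    A final release sorts after any pre-release of the same number, so the
    tuple carries a 1 for releases and 0 plus the pre-release tag otherwise.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?", v.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2):  # pre-release such as beta9 or rc1
        return (nums, 0, m.group(2), int(m.group(3) or 0))
    return (nums, 1, "", 0)


def purl_base(purl: str) -> str:
    """'pkg:maven/g/a@1.2?type=jar' -> 'pkg:maven/g/a' (version and qualifiers dropped)."""
    return purl.split("?", 1)[0].rsplit("@", 1)[0]


def components(sbom_json: str) -> Iterator[dict]:
    """Yield the component records of a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    yield from bom.get("components", [])


def check_log4j(sbom_json: str) -> List[dict]:
    """Return one finding per log4j-core component below its branch's fixed release."""
    findings = []
    for c in components(sbom_json):
        if purl_base(c.get("purl", "")) != LOG4J_CORE:
            continue
        ver = parse_version(c["version"])
        nums = ver[0]
        branch = f"{nums[0]}.{nums[1]}" if len(nums) >= 2 else ""
        fixed = LOG4J_FIXED_BY_BRANCH.get(branch, LOG4J_FIXED_DEFAULT)
        if ver < parse_version(fixed):
            findings.append({"component": c["purl"], "found": c["version"], "upgrade_to": fixed})
    return findings


if __name__ == "__main__":
    for f in check_log4j(SAMPLE_SBOM):
        print(f"{f['component']}: {f['found']} is below {f['upgrade_to']}")
```

Run against the sample, only the 2.14.1 build is reported; 2.17.1 and 2.12.4 pass because the branch table knows 2.12.4 is the Java 7 fix rather than comparing it against 2.17.1. Matching on the package URL rather than the display name is deliberate: two vendors may label the same artifact differently, and log4j-api (which did not carry the flaw) must not trip the check. A real deployment would replace the hand-written table with a vulnerability feed and run the same loop over every SBOM a vendor supplies, which is the evaluation step the article says utilities must perform themselves.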
The transparency of open-source software means that malicious hackers can look at the source code to find new vulnerabilities, said Keith Lunden, manager of cyber physical threat analysis at cybersecurity firm Mandiant.
However, it's a two-way street. Cybersecurity researchers have the same access, so they can identify and fix those vulnerabilities before malicious hackers have a chance to exploit them, Lunden said.
And unlike proprietary software, open-source software doesn't have a shelf life. Vendors will eventually stop supporting a software product; the same isn't true for open source. For industrial systems that are designed to operate for decades, that longevity is key.
"With open-source software, the community has access to the source, and they can independently develop patches indefinitely, which can be an important factor for OT security," Lunden said.
At least that's the idea.
The flexibility of open source can mean that its constantly branching into new code: Individuals and companies may adapt it for their use, potentially creating new vulnerabilities.
Thomas Pace, co-founder of cybersecurity firm NetRise and a former DOE contractor in industrial control security, said he knows of a major telecommunications vendor that will take open-source software and rewrite portions of the code.
"That just then introduces a different set of problems, right? Because now you have to maintain your own code versus the whole community maintaining the code," he said. "Is that better, is that worse? That's a debate."
An open-source bug can also mean widespread risk. In 2014, hackers took advantage of a massive vulnerability in an open-source cryptographic library called OpenSSL.
But the incident, called Heartbleed, was a single vulnerability with a single fix. Once the bug is fixed, the onus is on vendors and owners to patch their systems. If, instead, each software vendor created its own version of OpenSSL, each version would carry its own set of vulnerabilities, each needing its own fix.
"So it's about a trade-off," said Wright.
The discovery of the Log4j vulnerability prompted the White House to hold an open-source software security summit last January. The meeting which included top U.S. cyber experts, agency officials and open-source leaders like the Linux Foundation aimed to improve federal and private collaboration so the software would be more secure.
In the months since, the Cybersecurity and Infrastructure Security Agency has promoted the use of a software bill of materials as a step to secure open-source software. CISA also plans to work with the open-source security community to identify commonly used code in critical infrastructure, in an effort to better understand where collaboration can take place.
But the agency highlighted that it can be a challenge to work with an open-source community when, by definition, it's open to anyone. While there are some foundations that promote open-source development, software is often developed by small teams or single individuals.
In the meantime, CISA, the National Security Agency and Office of the Director of National Intelligence released best practices for open source developers to better secure their code.
As for the Log4j vulnerability, significant risk remains, according to a report this year from the Department of Homeland Security's Cyber Safety Review Board.
The board, created by executive order in 2021, found that systems using the vulnerable Log4j version would be a major issue for perhaps a decade or longer.
The report concludes that the vulnerability did not lead to significant cyberattacks on critical infrastructure.
But NetRise's Pace called that "an impossible statement," and even the report notes that it's not so cut-and-dried.
"While cybersecurity vendors were able to provide some anecdotal evidence of exploitation, no authoritative source exists to understand exploitation trends across geographies, industries, or ecosystems. Many organizations do not even collect information on specific Log4j exploitation, and reporting is still largely voluntary," the board wrote in the report.
In short, organizations themselves sometimes aren't aware that they have been targeted by malicious hackers. There is no list of where the Log4j software is installed.
The report also highlights the security risks unique to the thinly resourced, volunteer-based open-source community. It calls for centralized resources to help developers ensure their code is created to the latest security standards.
"Just as the software industry has enabled the democratization of software programming, the ability for anyone to generate software with little or no formal training, we must also democratize security by baking security by default into the platforms used to generate, build, deploy, and manage software at scale," the report concludes.
Excerpt from:
Open source to open door: Software emerges as risk to the grid - E&E News