Part 4 in our Cyber Security for Utilities blog series.
Open Source Software (OSS) is ubiquitous, yet some utilities remain cautious. Rather than avoiding OSS altogether, utilities should understand both its benefits and its risks. This article explores the advantages of OSS and its challenges before outlining what GE Digital Grid Software is doing to manage and mitigate those risks for its utility customers.
First, a definition. Open source software is software whose source code is published under a license that lets anyone study, modify and share it, for any purpose. The average computer user probably isn't aware of which software is OSS and which isn't, yet you may well already be benefitting from it. Popular open source projects include the Linux kernel, Mozilla Firefox and Chromium (the project from which Google Chrome is built). There is likely OSS in the device you are using to read this too.
Developers use OSS as a starting point for their own solutions. They turn to OSS repositories for the basic building blocks of a system, or to improve the design or functionality of their own projects. Unlike closed-source code, which is owned by, and therefore typically visible only to, the company selling the software, OSS is available free of charge or for a nominal fee, and, depending on the license, it may be freely modified and redistributed.
In Red Hat's 2021 survey, 90% of IT leaders reported using enterprise OSS. The next section of this article explores why.
Red Hat’s “The State of Enterprise Open Source” found IT leaders rely on OSS for:
From our perspective, working in the utility space, enterprise OSS lets us focus on problems impacting the grid directly. Instead of building out the basic features any IT/OT system requires (e.g. web servers, databases, metrics & monitoring), we can instead spend more development cycles innovating to meet the needs that are unique to our industry such as addressing renewables penetration or digitization of the mobile workforce.
That said, we know that some utilities are apprehensive about OSS. Since the software is developed, reviewed and critiqued by community members, there can be concerns about the suitability of OSS solutions for critical infrastructure needs.
In its guidelines on OSS, NERC cautions, "open-source projects differ widely in their assumptions regarding the technical capabilities of their users, the thoroughness of documentation, and the level of support from the developer community.”
There have also been attacks on OSS distribution itself. In one widely reported 2021 case, build systems at more than 35 technology companies were tricked into installing the wrong libraries through what is now called dependency confusion. The attacker published packages to public registries under the same names as the companies' private, internal packages, with much higher version numbers. No victim system had to be touched: their package managers were already configured to consult both a private and a public index and to take the highest version on offer, so the public look-alike won.
Some, therefore, might suggest that open source is less secure. OSS proponents counter that there is value in having the code seen and used by so many: instead of trusting that one manufacturer has validated and debugged the software, the community can see that people are reviewing and evaluating the code regularly. In practice the depth of that review varies greatly between projects, which is why the vetting described below matters.
Operational risk from OSS can be managed and mitigated by an experienced partner, such as GE Digital Grid Software. We offer the right technical capabilities, thorough documentation and developer support, so that utilities can feel confident deploying Digital Energy solutions that include OSS.
Our OSS security strategy embodies OSS best practices. To start, our Digital Energy product build pipelines pull only from a secured, internal repository that holds OSS which has already been vetted. Our criteria for OSS usage are based on industry standards such as ISO/IEC 20243, the Open Trusted Technology Provider Standard (O-TTPS), and the Linux Foundation Core Infrastructure Initiative's Best Practices.
We look proactively for policy violations and investigate before proceeding with usage. Additionally, OSS code is scanned nightly for newly disclosed vulnerabilities, and that scanning continues after release, so a newly published issue in a component we ship prompts a Digital Energy product update.
GE Digital is also investing time and effort in keeping component versions consistent across products. We don't want one Digital Energy product shipping version 5 of a library while another ships version 2; both should use the same, patched version, the latest if that is practical. For utilities running multiple Digital Energy products, this means fewer components and versions to track for risk.
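The dependency-confusion case above and the single-vetted-repository practice just described are two sides of one resolution rule. The following is an added example, not GE code: it models two package indexes as dictionaries and contrasts a resolver that merges all configured indexes and takes the highest version with one that binds each package name to exactly one index. Every package and index name in it is constructed for the illustration.

```python
"""Dependency-confusion resolution, weak vs. hardened (added example, not GE code).

Two package indexes are modelled as plain dicts. The private index holds the
organisation's internal library; the public index holds a same-named package
an attacker has uploaded with a much higher version. All package and index
names here are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # dotted version as a tuple of ints, e.g. (1, 2, 0)
    index: str       # which index served it


# Constructed data: the internal library lives only in the private index ...
PRIVATE_INDEX = {
    "grid-telemetry-utils": [Candidate("grid-telemetry-utils", (1, 2, 0), "private")],
}
# ... while the public index carries a squatted copy with a higher version,
# alongside an ordinary third-party package.
PUBLIC_INDEX = {
    "grid-telemetry-utils": [Candidate("grid-telemetry-utils", (99, 0, 0), "public")],
    "requests": [Candidate("requests", (2, 31, 0), "public")],
}
# Names the organisation owns; in practice this list comes from the private index.
INTERNAL_NAMES = frozenset(PRIVATE_INDEX)


def resolve_naive(name, indexes):
    """Weak: merge every configured index and take the highest version.

    This is the 'extra index' behaviour that dependency confusion exploits:
    the attacker's 99.0.0 beats the internal 1.2.0 purely on version number.
    """
    candidates = [c for index in indexes for c in index.get(name, [])]
    if not candidates:
        raise LookupError(f"no candidates for {name}")
    return max(candidates, key=lambda c: c.version)


def resolve_scoped(name, private, public, internal_names=INTERNAL_NAMES):
    """Hardened: each name is bound to exactly one index.

    Internal names are only ever looked up in the private index; everything
    else comes from the public index, and a public candidate is never allowed
    to satisfy an internal name, however high its version.
    """
    if name in internal_names:
        candidates = private.get(name, [])
        source = "private"
    else:
        candidates = public.get(name, [])
        source = "public"
    if not candidates:
        raise LookupError(f"{name} not available from the {source} index")
    return max(candidates, key=lambda c: c.version)


def find_squatted(private, public):
    """Audit helper: internal names that have appeared on the public index.

    A hit means someone has registered one of our names publicly, which is
    exactly the precondition for the attack and worth investigating.
    """
    return sorted(set(private) & set(public))


if __name__ == "__main__":
    weak = resolve_naive("grid-telemetry-utils", [PRIVATE_INDEX, PUBLIC_INDEX])
    safe = resolve_scoped("grid-telemetry-utils", PRIVATE_INDEX, PUBLIC_INDEX)
    print("naive resolver picked:", weak)    # the public 99.0.0 squat
    print("scoped resolver picked:", safe)   # the private 1.2.0
    print("squatted names:", find_squatted(PRIVATE_INDEX, PUBLIC_INDEX))
```

The real-world equivalents are familiar: pip's `--extra-index-url` merges indexes the way `resolve_naive` does, while npm's scoped registries, or a single internal proxy that is the only index a build can reach, behave like `resolve_scoped`. Running `find_squatted` against the public registries as part of OSS vetting gives early warning that an internal name has been claimed by someone else.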
Finally, some utilities have expressed concerns over where they turn to get “break/fix” support for OSS components included in a GE Digital Energy solution. That’s simple – we support the solution we sell and the software therein, whether it’s GE Digital proprietary code or OSS.
With an increasing number of attacks leveraging software supply chains, and therefore increased scrutiny of this area, even the US government has taken a stand on the need for transparency about the components inside software used in critical infrastructure.
President Biden's May 2021 Executive Order 14028 on Improving the Nation's Cybersecurity called for a software bill of materials (SBOM), a machine-readable inventory of the third-party open source and proprietary components in a product, for software used throughout the government's supply chain.
Our OSS DevOps process already supports this kind of transparency, because it tracks which OSS components, at which versions, are used in each GE product version. When an OSS security incident or vulnerability is published, we can quickly determine which GE product versions, and therefore which customer systems, are impacted.
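The two queries the preceding paragraphs describe, "which product versions ship an affected component?" and, from the consistency discussion above, "which components have drifted to several versions across the product line?", both fall out of an SBOM inventory. The following is an added example, not GE's tooling: it keeps a CycloneDX-style SBOM per product version as inline JSON and answers both questions. Product names, component names, versions and the advisory are all constructed, and versions are assumed to be dotted integers.

```python
"""SBOM-driven impact assessment and version-drift report (added example).

This is not GE's tooling; it shows the kind of query an SBOM inventory
makes possible. Each product version has a CycloneDX-style SBOM, kept here
as inline JSON. Product names, component names, versions and the advisory
are all constructed for the illustration, and versions are assumed to be
dotted integers.
"""
import json


def make_sbom(components):
    """Build a minimal CycloneDX 1.4 JSON document from (name, version) pairs."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": n, "version": v} for n, v in components
        ],
    })


# Constructed inventory: (product, product version) -> SBOM JSON text.
SBOMS = {
    ("EMS", "5.0"):  make_sbom([("json-parser", "4.1.0"), ("webframework", "2.8.0"), ("tls-lib", "3.0.2")]),
    ("EMS", "5.1"):  make_sbom([("json-parser", "4.3.2"), ("webframework", "2.8.0"), ("tls-lib", "3.0.2")]),
    ("ADMS", "2.4"): make_sbom([("json-parser", "4.2.5"), ("webframework", "2.7.1"), ("tls-lib", "3.0.2")]),
    ("OMS", "1.9"):  make_sbom([("json-parser", "3.9.0"), ("webframework", "2.8.0"), ("tls-lib", "3.0.2")]),
}

# Constructed advisory: json-parser is vulnerable from 4.0.0 up to, but not
# including, the fixed release 4.3.2.
ADVISORY = {"component": "json-parser", "introduced": "4.0.0", "fixed": "4.3.2"}


def parse_version(text):
    """'4.3.2' -> (4, 3, 2); tuples compare element-wise, which is what we want."""
    return tuple(int(part) for part in text.split("."))


def components_of(sbom_json):
    """Yield (name, version) for every component in a CycloneDX JSON document."""
    for comp in json.loads(sbom_json).get("components", []):
        yield comp["name"], comp["version"]


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def impacted_products(sboms, advisory):
    """Return the (product, version) pairs that ship an affected component build."""
    hits = []
    for product, sbom_json in sboms.items():
        for name, version in components_of(sbom_json):
            if name == advisory["component"] and is_affected(version, advisory):
                hits.append(product)
    return sorted(hits)


def version_drift(sboms):
    """Components that appear at more than one version across the product line."""
    seen = {}
    for sbom_json in sboms.values():
        for name, version in components_of(sbom_json):
            seen.setdefault(name, set()).add(version)
    return {name: sorted(vs, key=parse_version) for name, vs in seen.items() if len(vs) > 1}


if __name__ == "__main__":
    print("impacted:", impacted_products(SBOMS, ADVISORY))
    print("drift:", version_drift(SBOMS))
```

Note that the half-open range in `is_affected` matters: EMS 5.1 already ships the fixed 4.3.2 and OMS 1.9 predates the vulnerable branch, so only EMS 5.0 and ADMS 2.4 are reported. The drift report points at the same component, which is the case where converging every product on one patched version would have shrunk the exposure in the first place.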
OSS offers many advantages to utilities as they look to evolve quickly and adapt to new pressures on the energy environment. The important thing is to work with a vendor that has a sound open source security strategy like the one you’ll find here at GE Digital.
Interested in cyber security? Read the other blogs in this series:
Supply Chain Network Under Attack: Securing Your Cyber
The Delicate Balancing Act in Meeting Cyber Security Challenges
Addressing the Human Element in Cybersecurity
GE has been working in telecom environments for over 25 years and with utilities for more than 70 years. We understand these critical industries, understand where they’re vulnerable, and can identify how they can be secured.
Benefit from real-time cyber security solutions custom built for your environment.