Manage Open-Source Components via Secure Product Development Lifecycle in Industrial Control System

Published: 14 Feb, 2022
Created by: SZ Lin

Open-source components are becoming essential in industrial control systems (ICS) and critical infrastructure. ICS uses more commercial off-the-shelf (COTS) software, and open-source projects implement hardware and more industrial protocols. A key challenge is therefore to maintain high code quality across the various open-source components, so that an exploit or flaw does not harm systems that have not been updated in time. However, availability is paramount for ICS, which means the vulnerability factor of open-source components should be considered and evaluated in the design phase to reduce the number of patch updates in the maintenance phase. In this paper, SZ Lin introduces how to manage open-source components via a secure product development lifecycle, such as by selecting secure sources of open-source components. He also shares his experience in tracking vulnerabilities and patching open-source components, so that vulnerabilities of open-source components in ICS are managed holistically.