Over the past several years, CISA, the Cybersecurity and Infrastructure Security Agency, has released a steady stream of guidance encouraging software manufacturers to adopt Secure by Design principles, reducing customer risk by prioritizing security throughout the product development process. This is particularly critical for the operational technology (OT) sector, where vulnerabilities in industrial control systems and other critical infrastructure can have severe consequences.
Though the pressure is on software manufacturers, buyers of software also have a large role to play in ensuring that their mission-critical OT systems are resilient against cyber attacks. CISA calls this “Secure by Demand,” and one of the key tenets for software buyers is ensuring that an organization’s software manufacturers have a plan to eliminate memory safety vulnerabilities.
Why Is CISA Putting the Spotlight on Memory Safety Vulnerabilities?
Memory safety vulnerabilities are one of the most common software vulnerabilities and are consistently ranked among the most dangerous software weaknesses. Recent high-profile attacks, such as the Volt Typhoon campaign targeting critical infrastructure, have demonstrated the real-world impact of these vulnerabilities.
For example, in 2021, programmable logic controllers were found to be vulnerable to a memory corruption flaw that could allow remote code execution, potentially disrupting critical industrial processes. Addressing such vulnerabilities is a key priority for CISA, as they pose a significant risk to the security and reliability of OT systems.
What to Ask Software Manufacturers About Their Memory Safety Roadmap
CISA released guidance on “The Case for Memory Safe Roadmaps,” which strongly urges software manufacturers to publish a memory safety roadmap by January 1, 2026 for existing products written in memory-unsafe languages. The deadline provides a clear timeline for software buyers to engage with their suppliers and initiate conversations on if and how memory safety is being adequately addressed.
There are several key areas to consider when building and evaluating a memory safety roadmap.
1.Vulnerability Assessments: Suppliers should have a process for identifying and prioritizing memory-based vulnerabilities within their existing product portfolio. Using a Software Bill of Materials (SBOM) is an ideal starting place for identifying vulnerabilities within software — especially when a software supply chain involves multiple parties including open source authors — and determining what products have the most memory-based vulnerabilities to address.
2.Remediation Strategies: Once vulnerabilities are identified, manufacturers should prioritize systems that have both high exposure to memory vulnerabilities and high potential consequences from an attack. Discuss the supplier’s plans to address identified vulnerabilities in existing code bases, including their approach to rewriting legacy code in memory-safe languages like Rust. Since code rewrites may not be practical, talk with suppliers about implementing proactive solutions like Load-time Function Randomization (LFR), which provides an effective protection layer for existing systems.
3.Product Lifecycle Planning: Understand how a supplier is integrating memory safety considerations into their product roadmap, particularly for new products or those undergoing major architectural changes. Both instances are opportunities to write in a memory-safe language for new systems or components and to deploy software memory protection for existing code.
4.Collaboration and Communication: Evaluate a supplier’s willingness to engage in ongoing collaboration and communication regarding memory safety efforts, including regular updates and transparency around progress.
Software Buyers and Manufacturers Working Together for More Secure Software
The path to memory safety requires planning and buy-in from software buyers and manufacturers, but leaving critical systems vulnerable to memory-based attacks isn’t an option in today’s threat landscape.
By incorporating these collaborative and proactive steps, software buyers and manufacturers can work together to meet CISA’s memory safety mandate and enhance the overall security and resilience of critical OT systems.