The Overlooked Risks of Open-Source Software in Industrial Security


Open-source software (OSS) has become an indispensable component of many industrial environments. Just last year, 95% of companies surveyed said they had increased or maintained their use of OSS, and the Linux Foundation estimates that 70-80% of the code in any modern software product is taken directly from open-source projects.

Cost-efficiency, flexibility, and an expansive development community make OSS an attractive option for organizations that want to innovate while managing budgets. It also appeals to anyone who values transparency over pure performance. However, these apparent strengths can mask significant risks, particularly when OSS is used in critical infrastructure without sufficient oversight.

Finding a way to turn OSS from a liability into an advantage is crucial—all while retaining the key advantages it has over its proprietary counterparts. Let’s take a look at how this could be done.

Why Open-Source Software in Industrial Settings?

The industrial sector, often constrained by tight budgets and an increasing need for technological adaptability, finds open-source software particularly alluring. Licensing fees eat directly into margins, and the productivity gains that proprietary vendors promise do not always justify the price. But are costs all there is to it? Not quite; a couple of other factors play a role here:

  • Aside from cost savings, OSS offers the ability to customize and tailor solutions to specific needs.
  • Because the code is open, every user has access to a broad community of developers who contribute enhancements and bug fixes.
  • Freedom from dependence on a single vendor's support, combined with the potential for quick iteration and customization, makes OSS a highly attractive proposition for many industrial companies.

However, these benefits come with hidden dangers that are often overlooked. The inherent openness and distributed nature of OSS, while creating a rich environment for innovation, can also expose industrial systems to substantial security vulnerabilities.

Vulnerabilities of Open-Source Tools

The transparency of open-source software, where anyone can view, modify, and contribute to the codebase, is a double-edged sword. On one hand, it allows developers worldwide to improve and debug software, ostensibly making it more robust.

On the other hand, the very availability of the source code means that malicious actors also have an open invitation to study, identify, and exploit weaknesses. In particular, they rely on:

  • Injection of malicious code: Attackers contribute changes carrying hidden vulnerabilities or malicious logic to popular OSS projects, sometimes after months of building trust as an apparently legitimate contributor. Once merged, such changes can go unnoticed and reach every downstream user, enabling data theft, unauthorized access, or resource hijacking.
  • Dependency confusion: Package managers configured to consult both a private index and a public registry have commonly resolved a name to whichever source offers the highest version. By publishing a public package under the same name as an internal dependency, with an inflated version number, an attacker gets their code installed in place of the internal one and so injects malware into the supply chain.
  • Typosquatting and repo-jacking: Typosquatting registers packages whose names differ from a legitimate one by a character or two, so a single typo in a requirements file installs the attacker's package; it is common on npm and PyPI. Repo-jacking instead reclaims a namespace a project has abandoned, such as a renamed or deleted hosting account, so that existing links and dependency references silently resolve to the attacker's repository.
  • Malicious forking: Attackers fork popular OSS projects, add malicious code, and distribute the result as if it were the trusted version. This is particularly dangerous when users are unaware of the fork's origin, since it can introduce backdoors or trojans under a familiar name.
  • Unpatched vulnerabilities: Because the code is public, attackers can study widely used projects for unpatched flaws. Once found, a flaw can be exploited until a fix is released and actually deployed, and the fix is often delayed when the project lacks dedicated security resources.
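To make the dependency-confusion and typosquatting mechanics concrete, here is an added example (not code from the article or from any real package manager) that simulates a resolver merging a private index with a public registry. The index contents, package names (acme-plc-driver, reqeusts and so on) and version numbers are constructed for illustration; the "naive" rule mirrors the highest-version-wins behaviour that made dependency confusion work, and the hardened rule binds each name to a single source and refuses look-alikes of known packages.

```python
"""Why merged package indexes get confused, and how a hardened resolver refuses the bait.

Added example for this article, not code from any package manager. The index
contents, package names and version numbers are constructed for illustration.
"""
from difflib import SequenceMatcher

# Constructed: what the organisation's private index serves.
PRIVATE_INDEX = {"acme-plc-driver": ["1.4.2"], "acme-historian": ["0.9.0"]}

# Constructed: what the public registry serves, including an attacker's upload that
# reuses an internal name with an inflated version (dependency confusion) and a
# package whose name is one transposition away from a popular one (typosquatting).
PUBLIC_INDEX = {
    "acme-plc-driver": ["99.0.0"],
    "requests": ["2.31.0", "2.32.3"],
    "reqeusts": ["2.32.3"],
}

# Names that must only ever come from the private index.
INTERNAL_NAMES = {"acme-plc-driver", "acme-historian"}
# Constructed allowlist of public packages the organisation actually uses.
KNOWN_PUBLIC = {"requests", "numpy", "pymodbus"}


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def naive_resolve(name: str) -> tuple:
    """Merge every configured index and pick the highest version, whatever its source.

    This is the resolution rule that made dependency confusion work: the public
    99.0.0 beats the private 1.4.2 simply because 99 > 1.
    """
    candidates = []
    for source, index in (("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)):
        for version in index.get(name, []):
            candidates.append((parse_version(version), source, version))
    if not candidates:
        raise LookupError(f"no index serves {name!r}")
    _, source, version = max(candidates)
    return source, version


def typosquat_suspects(name: str, known=KNOWN_PUBLIC, threshold: float = 0.85) -> list:
    """Known package names that `name` closely resembles without matching exactly."""
    return sorted(k for k in known
                  if k != name and SequenceMatcher(None, name, k).ratio() >= threshold)


def hardened_resolve(name: str) -> tuple:
    """Bind each name to one source and refuse look-alikes of known packages.

    Internal names are served only from the private index, so a public package
    with the same name is never a candidate. Public names are checked against the
    allowlist: a name that is merely similar to a known package is rejected.
    """
    if name in INTERNAL_NAMES:
        source, versions = "private", PRIVATE_INDEX.get(name, [])
    else:
        suspects = typosquat_suspects(name)
        if suspects and name not in KNOWN_PUBLIC:
            raise ValueError(f"{name!r} refused: looks like a typosquat of {suspects}")
        source, versions = "public", PUBLIC_INDEX.get(name, [])
    if not versions:
        raise LookupError(f"{source} index does not serve {name!r}")
    return source, max(versions, key=parse_version)


if __name__ == "__main__":
    for pkg in ("acme-plc-driver", "requests", "reqeusts"):
        print(f"{pkg:16} naive    -> {naive_resolve(pkg)}")
        try:
            print(f"{pkg:16} hardened -> {hardened_resolve(pkg)}")
        except ValueError as exc:
            print(f"{pkg:16} hardened -> {exc}")
```

The real-world equivalents of the hardened rule are configuration, not code: point pip at a single private index that proxies the public registry (`--index-url`) rather than merging the two with `--extra-index-url`, and on npm keep internal packages under a scope that is bound to the private registry. The similarity threshold used here is an assumption chosen for the example; a production check would also compare against the registry's most-downloaded names, not just the packages already in use.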

To make things even more alarming, many open-source projects are maintained by small teams or even individual contributors, who may lack the resources to promptly address vulnerabilities, leaving critical components unpatched for extended periods.

This presents the question—is the “open” part of open source really a benefit?

Misplaced Trust: Open-Source Doesn’t Mean Secure

A common misconception in the industry is that open-source software is inherently secure simply because it is open. The "many eyes" theory holds that with more developers examining the code, vulnerabilities are more likely to be found and fixed. The theory only works if the eyes are actually looking, and for many widely used components nobody with security expertise is. Adoption decisions are sometimes not even made on technical grounds: many decision-makers favour OSS ideologically, shunning a superior proprietary product out of distaste for proprietary software.

Furthermore, OSS projects suffer from an imbalance between users and contributors. Most industrial companies adopt these tools without actively participating in their development or maintenance. A small contributor base also concentrates control: a single maintainer, or a group that gains commit access, can turn a project into protestware, shipping a release that sabotages itself over a political or personal grievance.

This creates a scenario where organizations blindly place trust in software with minimal due diligence, assuming that someone else is handling security. Unfortunately, it also leads to the adoption of vulnerable software components, increasing the risk profile of critical infrastructure.

Real-World Consequences of OSS Vulnerabilities in Industry

The repercussions of using vulnerable OSS in industrial environments are not hypothetical—they are already a reality.

The best-known recent example is Log4Shell (CVE-2021-44228), a remote code execution flaw disclosed in December 2021 in the Log4j logging library, which numerous industrial applications relied on. Its widespread use meant that when the flaw was published, critical infrastructure worldwide was suddenly exposed to attack. Similarly, in 2014 the Heartbleed vulnerability in OpenSSL (CVE-2014-0160), a bug in the TLS heartbeat extension that let a remote peer read server memory, demonstrated how a flaw in a widely used open-source library could compromise the security of industrial control systems across the globe.

The Ripple20 family, 19 vulnerabilities disclosed in 2020 in the Treck embedded TCP/IP stack, shows the same pattern from another angle. Treck's stack is a proprietary component licensed to device makers rather than OSS, but it was embedded so deeply and widely in energy, water, and manufacturing equipment that the flaws gave attackers entry points to take control of industrial devices, potentially enabling sabotage and data leaks. Many of the affected devices were mission-critical, and their owners often did not know the stack was inside them, so patching was complex and disruptive. The lesson applies to any third-party component, open or closed, that is baked into a device and left unmanaged. The consequences of such breaches can be devastating, ranging from production halts and financial losses to safety hazards that put human lives at risk.

Attackers have increasingly targeted ICS environments, recognizing that outdated and insecure OSS components can provide a gateway to disrupt operations, steal data, or even cause physical damage.

The Challenge of Maintenance and Patching

Maintaining open-source components within industrial systems poses unique challenges. Unlike consumer software, industrial environments often cannot afford frequent system downtime for updates and patches.

Compatibility concerns also arise, as newer versions of OSS components may not integrate smoothly with existing industrial control systems.

The result is a backlog of unpatched software, which, over time, becomes a ticking time bomb. The inability to apply timely updates leaves systems exposed to exploits that the available patch would have closed, and the problem is compounded by the resource constraints industrial operators face: they often lack dedicated cybersecurity personnel to continuously monitor and update OSS components. Where a patch genuinely cannot be applied, the minimum is to know that the vulnerable component is present; an inventory of the OSS components in each system is what turns an unknown exposure into a managed one.

Strategies to Secure Industrial Systems Using OSS

The first step to securing industrial systems is securing every network on the premises, which includes keeping wireless networks on current Wi-Fi security standards and reviewing existing measures regularly.

Non-critical parts of a facility are also an attack vector and deserve appropriate priority. Something as simple as an employee falling for a social engineering attack in the break room can have calamitous consequences.

That’s why, for organizations that choose to use OSS in critical systems, a proactive approach to security is non-negotiable. Regular audits are essential to assess the security posture of open-source components and identify potential risks before they can be exploited.

It is also important to establish a vetting process for OSS components: examine their maintenance history, the size and responsiveness of the community behind them, and their record of reported vulnerabilities, and pin the exact versions and artifact hashes that were vetted so that what gets deployed is what was reviewed. Be aware of geopolitical events and how they may affect the contributor base. In 2024 the Linux kernel project removed a number of Russia-based maintainers from its MAINTAINERS file, citing compliance requirements.
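The vetting checks described above can be partly automated. The following is an added example, not the article's or any tool's own code: it reads a lockfile in pip's `--require-hashes` style, requires every dependency to be pinned to an exact version with a hash, verifies the hash against the artifact bytes, and flags packages whose last release is older than a chosen threshold. The lockfile text, the artifact bytes and the release dates are constructed for the example; a real run would read the project's lockfile, download each artifact from the index that was chosen for it, and take release dates from the index's metadata.

```python
"""Lockfile vetting: exact pins, hash verification and maintenance staleness.

Added example, not from the article. The lockfile, artifact bytes and release
dates are constructed; real checks would read them from the project and index.
"""
import hashlib
import re
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the artifact bytes a real run would download from the index.
ARTIFACTS = {
    "pymodbus": b"constructed wheel bytes for pymodbus 3.6.8",
    "opcua": b"constructed wheel bytes for opcua 0.98.13",
}

# Constructed lockfile. pymodbus carries the correct hash, pyserial is a loose
# range with no hash at all, and opcua's recorded hash does not match its artifact.
LOCKFILE = f"""
# industrial gateway dependencies (constructed for the example)
pymodbus==3.6.8 --hash=sha256:{sha256_hex(ARTIFACTS['pymodbus'])}
pyserial>=3.5
opcua==0.98.13 --hash=sha256:{'0' * 64}
"""

# Constructed release dates standing in for the index's metadata.
LAST_RELEASE = {
    "pymodbus": date(2024, 5, 1),
    "pyserial": date(2020, 11, 23),
    "opcua": date(2021, 4, 1),
}

REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[^\s]+))?(?P<rest>.*)$"
)
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def vet_lockfile(text: str, artifacts: dict, last_release: dict,
                 today: date, max_age_days: int = 365) -> dict:
    """Return {package: [findings]}; an empty list means the pin passed every check."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            report[line] = ["unparseable requirement"]
            continue
        name = m["name"].lower()
        findings = []
        # A range lets the resolver pick a version nobody reviewed.
        if m["op"] != "==":
            findings.append("not pinned to an exact version")
        # Without a hash the installer cannot tell a tampered artifact from the real one.
        hashes = {h.lower() for h in HASH_RE.findall(m["rest"])}
        if not hashes:
            findings.append("no --hash, artifact cannot be verified")
        elif name in artifacts:
            actual = sha256_hex(artifacts[name])
            if actual not in hashes:
                findings.append(f"hash mismatch: artifact is sha256:{actual[:12]}...")
        # A project with no releases for a long time may no longer be fixing anything.
        released = last_release.get(name)
        if released is None:
            findings.append("no release metadata available")
        elif (today - released).days > max_age_days:
            findings.append(f"no release in {(today - released).days} days")
        report[name] = findings
    return report


def approved(report: dict) -> list:
    """Names whose pins passed every check."""
    return sorted(name for name, findings in report.items() if not findings)


if __name__ == "__main__":
    result = vet_lockfile(LOCKFILE, ARTIFACTS, LAST_RELEASE, today=date(2024, 12, 1))
    for name, findings in result.items():
        print(f"{name:10} {'OK' if not findings else '; '.join(findings)}")
```

The staleness threshold and the fixed "today" are assumptions for the example. In practice the hash check is what `pip install --require-hashes` enforces at install time; the point of doing it in a vetting step as well is to catch a lockfile that was edited, or a pin that was never hashed, before it reaches a machine on the plant floor.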

Industrial organizations should also engage actively with the OSS communities behind the projects they depend on, contributing fixes and reviews. This improves the security of those tools and gives the organization early visibility into upcoming vulnerabilities and fixes.

Conclusion

Open-source software offers significant advantages, from cost savings to enhanced flexibility. However, its use in industrial settings must be tempered with caution. The risks are real, and the consequences of overlooking these vulnerabilities can be severe.

To harness the benefits of OSS while safeguarding critical infrastructure, organizations must adopt a vigilant approach—one that involves rigorous vetting, timely maintenance, active community engagement, and a cultural commitment to cybersecurity.


About the Author:
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security with an emphasis on technology trends in cyberwarfare, cyberdefense and cryptography.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.
