Analyzing Software Supply Chain Security Risks in Industrial Control System Protocols: An OpenSSF Scorecard Approach

2023 10th International Conference on Dependable Systems and Their Applications (DSA) (2023)

Abstract
With a significant annual increase in software supply chain attacks over the past three years, concerns arise regarding the vulnerability of Industrial Control Systems (ICS) environments, especially given the growing use of open-source protocols’ implementations. Therefore, it is essential to assess the software supply chain security risks associated with these protocols. This study investigates the prevalent software supply chain security risks in open source protocol implementations used in ICS, compares software supply chain security risks between ICS and non-ICS protocols, evaluates assessed protocols’ strengths and weaknesses in terms of software supply chain security risks, and identifies opportunities to enhance their security. Using the Open Source Security Foundation (OpenSSF) Scorecard, the study analyzes nine ICS and five non-ICS protocols, highlighting strengths, weaknesses, and potential improvements. The study also identifies opportunities to enhance protocol and software supply chain security.
Keywords
Industrial Control Systems (ICS), Open Source Protocols Implementations, Cybersecurity, Software Supply Chain, Software Composition Analysis, OpenSSF Scorecard