
Compromised Software Code Poses New Systemic Risk to U.S. Critical Infrastructure


A recent research report released by Fortress Information Security has revealed alarming vulnerabilities within the software currently utilized by U.S. utilities. The report, titled “Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software,” highlights the presence of numerous exploitable vulnerabilities within the software code, posing a significant risk to critical infrastructure systems.

According to the findings of the report, researchers discovered that 25 percent of software components and a staggering 90 percent of software products contained code from developers based in China. This has raised concerns about the potential for threat actors to exploit compromised software code as a means of gaining unauthorized access to essential systems such as power grids, oil and gas pipelines, and communication networks.

Fortress CEO, Alex Santos, emphasized the gravity of the situation, describing China as an “existential threat to U.S. economic and physical security.” Santos stressed the importance of identifying and removing software products with code originating from China in order to safeguard the nation’s critical infrastructure. The report also revealed that code developed in China was significantly more likely to contain vulnerabilities compared to code developed in other regions.

By utilizing the North American Energy Software Assurance Database (NAESAD) to analyze Software Bills of Materials (SBOMs) for over 2,000 software products, researchers uncovered disturbing statistics. More than 9,000 unique vulnerabilities were identified, with 855 of them classified as highly exploitable vulnerabilities that could be easily leveraged by attackers. Additionally, researchers found 3,841 instances of Known Exploited Vulnerabilities (KEVs) across various products, highlighting the active exploitation of vulnerabilities by threat actors.

The report pointed out that a small number of common components were responsible for the majority of critical vulnerabilities. Specifically, the Linux kernel, zlib (a compression library), and OpenSSL (an open-source cryptographic library) were cited as the most common dependencies found in the analyzed software products. Addressing these vulnerable components could significantly enhance the security of power plants, oil and gas refineries, and chemical companies.

Fortress employed a rigorous methodology to conduct the research, generating a Software Bill of Materials (SBOM) for each product version through binary analysis. The team reviewed the SBOMs stored in NAESAD, identifying over 9,535 unique vulnerabilities associated with 8,758 components across 2,233 products from 243 vendors. By leveraging the Exploit Prediction Scoring System (EPSS), researchers assessed the exploitability of the identified vulnerabilities.
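As an added illustration of the pipeline the report describes (SBOM components joined to known vulnerabilities, then ranked by EPSS and KEV status), the following is example code written for this page, not Fortress's tooling or NAESAD data; the SBOM entries, vulnerability IDs, EPSS scores, KEV flags and the 10% threshold are all constructed placeholders.

```python
# SBOM-driven triage: join SBOM components against a vulnerability feed,
# then rank by KEV status and EPSS probability. Every SBOM entry, vulnerability
# ID, EPSS score and KEV flag below is a constructed placeholder.
import json
from collections import Counter

# Constructed CycloneDX-style SBOM; component names follow the report's most
# common dependencies, versions are invented.
SBOM_JSON = """{"bomFormat": "CycloneDX", "components": [
  {"name": "zlib", "version": "0.0.1-example"},
  {"name": "OpenSSL", "version": "0.0.2-example"},
  {"name": "linux-kernel", "version": "0.0.3-example"},
  {"name": "libfoo-example", "version": "0.0.4-example"}]}"""

# Constructed feed keyed by (lower-cased name, version); placeholder IDs.
VULN_FEED = {
    ("zlib", "0.0.1-example"): [{"id": "CVE-XXXX-0001", "epss": 0.92, "kev": True},
                                {"id": "CVE-XXXX-0002", "epss": 0.04, "kev": False}],
    ("openssl", "0.0.2-example"): [{"id": "CVE-XXXX-0003", "epss": 0.15, "kev": False}],
    ("linux-kernel", "0.0.3-example"): [{"id": "CVE-XXXX-0004", "epss": 0.61, "kev": True}],
}

EPSS_HIGH = 0.10  # triage threshold (assumed): EPSS >= 10% treated as "highly exploitable"


def triage(sbom_json, feed=VULN_FEED, epss_high=EPSS_HIGH):
    """Return findings sorted KEV-first, then EPSS descending, each tagged
    with the component it came from and a priority label."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        key = (comp["name"].lower(), comp["version"])
        for v in feed.get(key, []):
            if v["kev"]:
                prio = "P1-KEV"        # actively exploited: remediate first
            elif v["epss"] >= epss_high:
                prio = "P2-high-EPSS"  # likely to be exploited soon
            else:
                prio = "P3-monitor"
            findings.append({"component": comp["name"], **v, "priority": prio})
    findings.sort(key=lambda f: (not f["kev"], -f["epss"]))
    return findings


def component_hotspots(findings):
    """Findings per component, most affected first: shows how a few shared
    dependencies account for most of the exposure."""
    return Counter(f["component"] for f in findings).most_common()
```

Running `triage(SBOM_JSON)` on the constructed data puts the two KEV entries first, and `component_hotspots` shows zlib carrying the most findings, mirroring the report's point that a handful of shared components dominate the risk.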

Overall, the report underscores the critical importance of addressing software vulnerabilities in order to protect essential infrastructure systems from potential cyber threats. Fortress remains committed to securing supply chains and cyber assets to mitigate evolving risks and safeguard national security. The findings of the report serve as a stark reminder of the pressing need for proactive measures to enhance the resilience of critical infrastructure against cyber threats.
