Compromised Software Code Poses New Systemic Risk to U.S. Critical Infrastructure

December 9, 2024 at 02:19PM

A new report by Fortress Information Security reveals significant vulnerabilities in the software powering U.S. utilities, hundreds of which are rated highly exploitable. 25% of the components used come from Chinese developers, which the report treats as a security risk. The report emphasizes the need to identify and eliminate compromised code to safeguard critical infrastructure from potential attacks.

### Meeting Takeaways: Fortress Information Security Press Release (December 5, 2024)

**Key Findings:**
1. **Vulnerabilities Identified**:
– Over 9,000 unique vulnerabilities in U.S. utility software.
– 855 vulnerabilities rated highly exploitable, i.e. ones attackers can readily weaponize.
– 20 specific components contribute to more than 80% of critical vulnerabilities.

2. **Source of Vulnerabilities**:
– 25% of software components and 90% of products contain code from developers in China.
– Code from China is 1.4 times more likely to have vulnerabilities compared to code from other regions.

3. **Critical Risks**:
– Compromised software code can enable threat actors to access power grids, oil and gas pipelines, and communication networks.

4. **Common Vulnerabilities**:
– Instances of Known Exploited Vulnerabilities (KEVs) total 3,841 across products.
– The most common dependencies carrying significant vulnerability risk include:
  – Linux Kernel
  – zlib (compression library)
  – OpenSSL (cryptographic library)

**Methodology Overview**:
– Fortress analyzed the Software Bill of Materials (SBOM) for over 2,000 software products using binary analysis.
– Research involved identifying 9,535 unique vulnerabilities associated with 8,758 components across multiple vendors.
– The Exploit Prediction Scoring System (EPSS) helped assess exploitability.
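The pipeline the methodology describes (SBOM in, vulnerability matches out, EPSS and KEV used to prioritize, then a look at which few components carry most of the critical findings) can be reproduced in miniature. The following is an added example written for this summary, not code from Fortress; the SBOM, CVE ids, EPSS scores and KEV flags are constructed, and the 0.10 EPSS cut-off is an assumed value.

```python
"""Added example (not from the Fortress report): rank SBOM components by KEV
membership and EPSS score, then find the few components carrying most of the
critical findings. All SBOM entries, CVE ids and scores below are constructed."""
import json
from collections import Counter

# Constructed CycloneDX-style SBOM for a hypothetical utility product.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "zlib", "version": "1.2.11"},
    {"name": "openssl", "version": "1.1.1k"},
    {"name": "linux-kernel", "version": "4.19.0"},
    {"name": "libfoo", "version": "0.3"},
]})

# Constructed vulnerability feed: placeholder CVE ids, made-up CVSS/EPSS/KEV values.
VULNS = [
    {"id": "CVE-0000-0001", "component": "zlib", "cvss": 9.8, "epss": 0.92, "kev": True},
    {"id": "CVE-0000-0002", "component": "zlib", "cvss": 9.8, "epss": 0.05, "kev": False},
    {"id": "CVE-0000-0003", "component": "openssl", "cvss": 9.1, "epss": 0.40, "kev": False},
    {"id": "CVE-0000-0004", "component": "linux-kernel", "cvss": 9.8, "epss": 0.01, "kev": False},
    {"id": "CVE-0000-0005", "component": "linux-kernel", "cvss": 9.8, "epss": 0.85, "kev": True},
    {"id": "CVE-0000-0006", "component": "libbar", "cvss": 9.0, "epss": 0.60, "kev": False},
]

EPSS_THRESHOLD = 0.10  # assumed cut-off for "highly exploitable"

def load_components(sbom_json):
    """Component names declared in a CycloneDX SBOM document."""
    return {c["name"] for c in json.loads(sbom_json)["components"]}

def match_vulns(components, vulns):
    """Keep only findings whose component is actually present in the SBOM."""
    return [v for v in vulns if v["component"] in components]

def highly_exploitable(findings, threshold=EPSS_THRESHOLD):
    """KEV entries or EPSS at/above the threshold: the patch-first set."""
    return [v for v in findings if v["kev"] or v["epss"] >= threshold]

def critical_concentration(findings, share=0.8, cvss_min=9.0):
    """Smallest set of components holding at least `share` of critical findings."""
    counts = Counter(v["component"] for v in findings if v["cvss"] >= cvss_min)
    total, covered, chosen = sum(counts.values()), 0, []
    for comp, n in counts.most_common():
        chosen.append(comp)
        covered += n
        if covered >= share * total:
            break
    return chosen
```

Note that a CVSS 9.8 finding with EPSS 0.05 and no KEV entry drops out of the patch-first set, which is the distinction between "critical" and "highly exploitable" the report draws.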

**Call to Action**:
– Fortress CEO Alex Santos emphasized the need to identify and remove software products with vulnerabilities linked to China from critical infrastructure to enhance national security.
– Further collaboration with utilities is encouraged to mitigate systemic risks associated with these vulnerabilities.

**Company Mission**:
– Fortress is focused on securing critical supply chains and cyber assets against evolving threats.
