New Research Reveals Alarming Vulnerabilities in U.S. Critical Infrastructure Software
A recently published report by Fortress Information Security highlights significant vulnerabilities present in the software systems that are essential for the functioning of critical infrastructure in the United States. This alarming research indicates that up to 90% of software products utilized by these organizations contain code originating from Chinese developers. Given the importance of these systems—ranging from power grids to oil and gas pipelines—such vulnerabilities pose serious risks to national security.
Extent of Vulnerabilities
The report, titled _Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software_, reveals that the code powering U.S. utilities is fraught with security weaknesses, including hundreds labeled as "highly exploitable". The analysis examined over 2,000 software products and brought to light over 9,000 unique vulnerabilities, of which 855 are highly exploitable with minimal effort required from potential attackers.
Moreover, the study indicated that a mere twenty software components are responsible for more than 80% of these critical vulnerabilities. This alarming concentration implies that addressing just these few weaknesses could significantly bolster the security of vital systems such as power plants and gas refineries.
Methodology Behind the Findings
Researchers utilized the North American Energy Software Assurance Database (NAESAD) to scrutinize the Software Bill of Materials (SBOM) for various products. Using binary analysis, Fortress examined the SBOMs for over 8,758 unique components linked to 2,233 products across 243 vendors. Exploitability was assessed with the Exploit Prediction Scoring System (EPSS), which estimates the probability that a given vulnerability will be exploited in the wild.
During their investigation, the researchers found that the most common dependencies included the Linux kernel, zlib (a widely used compression library), and OpenSSL, an open-source cryptographic library. Because these components recur across so many products, they are central to understanding the systemic risk created by shared software dependencies.
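The methodology above (SBOM components, joined against EPSS scores, then ranked to see how few components carry most of the highly exploitable findings) can be reproduced in miniature. The following is an added illustration written for this article, not code from Fortress or the NAESAD project. The SBOM fragment, the vulnerability IDs (VULN-xxxx placeholders), the EPSS scores and the "highly exploitable" cut-off of EPSS 0.5 are all constructed assumptions; only the component names (Linux kernel, zlib, OpenSSL) come from the report's findings.

```python
"""Toy SBOM + EPSS triage, modelled on the methodology described above.

Joins each SBOM component's known vulnerabilities against an EPSS lookup
table, flags findings above a threshold as "highly exploitable", and reports
how few components account for a given share of them.  All data below is
constructed for illustration; none of it comes from the Fortress report.
"""
from collections import Counter

# Constructed CycloneDX-style SBOM fragment. Component names follow the
# report's most common dependencies; the vulnerability IDs are placeholders.
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "linux-kernel", "version": "5.10",
         "vulns": ["VULN-0001", "VULN-0002", "VULN-0003",
                   "VULN-0004", "VULN-0005", "VULN-0006"]},
        {"name": "zlib", "version": "1.2.11", "vulns": ["VULN-0011"]},
        {"name": "openssl", "version": "1.1.1",
         "vulns": ["VULN-0007", "VULN-0008", "VULN-0009", "VULN-0010"]},
        {"name": "vendor-hmi", "version": "3.2",
         "vulns": ["VULN-0012", "VULN-0013"]},
        {"name": "logging-lib", "version": "0.9", "vulns": []},
    ],
}

# Constructed EPSS scores: estimated probability of exploitation in the wild.
EPSS = {
    "VULN-0001": 0.92, "VULN-0002": 0.71, "VULN-0003": 0.04,
    "VULN-0004": 0.66, "VULN-0005": 0.83, "VULN-0006": 0.59,
    "VULN-0007": 0.95, "VULN-0008": 0.02, "VULN-0009": 0.77,
    "VULN-0010": 0.61, "VULN-0011": 0.88, "VULN-0012": 0.55,
    "VULN-0013": 0.10,
}

HIGH_EPSS = 0.5  # assumed cut-off for "highly exploitable" (not from the report)


def highly_exploitable(sbom, epss, threshold=HIGH_EPSS):
    """Return {component_name: [vuln_ids]} for findings scoring >= threshold.

    A vulnerability absent from the EPSS table is treated as score 0.0, so it
    is never flagged; components with no flagged findings are omitted.
    """
    out = {}
    for comp in sbom["components"]:
        hits = [v for v in comp["vulns"] if epss.get(v, 0.0) >= threshold]
        if hits:
            out[comp["name"]] = hits
    return out


def total_findings(high):
    """Number of highly exploitable findings across all flagged components."""
    return sum(len(v) for v in high.values())


def concentration(high, share=0.8):
    """Smallest number of components that together hold at least `share` of
    the highly exploitable findings, plus the components ranked by count."""
    counts = Counter({name: len(v) for name, v in high.items()})
    total = sum(counts.values())
    if total == 0:
        return 0, []
    # most_common() is a stable sort, so ties keep SBOM order.
    ranked = [name for name, _ in counts.most_common()]
    running = 0
    for i, name in enumerate(ranked, start=1):
        running += counts[name]
        if running / total >= share:
            return i, ranked
    return len(ranked), ranked


if __name__ == "__main__":
    high = highly_exploitable(SBOM, EPSS)
    n, ranked = concentration(high)
    print(f"{total_findings(high)} highly exploitable findings")
    print(f"{n} of {len(ranked)} affected components cover 80%: {ranked[:n]}")
```

In practice the EPSS table would be loaded from the daily scores FIRST publishes rather than hard-coded, and the SBOM would be a real CycloneDX or SPDX document; the ranking step is the part that turns a long vulnerability list into the short remediation queue the report describes, where patching a handful of shared components removes most of the high-exploitability exposure.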
Implications for National Security
Alex Santos, CEO of Fortress, emphasized the potential dangers posed by compromised software components.