Compromised Software Code Poses New Systemic Risk to U.S. Critical Infrastructure

Dark Reading, published 2024-12-04. Source: https://www.darkreading.com/application-security/compromised-software-code-poses-systemic-risks-to-critical-infrastructure
Republished at: https://ddi.mohflo.net/index.php/2024/12/04/compromised-software-code-poses-new-systemic-risk-to-u-s-critical-infrastructure/

PRESS RELEASE

ORLANDO, FL, December 5, 2024. The code that makes up the software now powering U.S. utilities is rife with vulnerabilities, including hundreds that are "highly exploitable," a new research report released by Fortress Information Security today finds. Researchers studied thousands of products and found troubling risk patterns.

The report, "Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software" (https://url.us.m.mimecastprotect.com/s/ajiXC82o95fYWzvp2TnfYIyOVdj?domain=fortressinfosec.com), also shows that 25 percent of software components and 90 percent of software products contained code from developers in China.

Compromised software code can give threat actors a "backdoor" into power grids, oil and gas pipelines, and communication networks. In similar research last year, Fortress found that code developed in China was 1.4 times more likely to contain vulnerabilities than code developed elsewhere.

"China is an existential threat to U.S. economic and physical security," said Alex Santos, CEO of Fortress. "Software products with China-born code must be identified and weeded out from our nation's critical infrastructure. We developed and then examined the Software Bill of Materials (SBOM) for the most widely used products managing the U.S. electric power grid. The next step is to take action to eliminate these systemic risks, and we look forward to working with utilities to do just that."

Using the North American Energy Software Assurance Database (NAESAD, https://url.us.m.mimecastprotect.com/s/R6KEC9rp25H2AM3ElsEh2Iq4JN0?domain=fortressinfosec.com) to review Software Bills of Materials (SBOMs) for more than 2,000 software products, researchers found:

- More than 9,000 unique vulnerabilities, including 855 rated "highly exploitable," meaning a high EPSS probability of being exploited in the wild (see the methodology below).
- Twenty components that account for more than 80% of critical vulnerabilities.
- 3,841 instances of Known Exploited Vulnerabilities (KEVs) across products. KEVs are the subset of vulnerabilities with confirmed exploitation in the wild, as tracked in CISA's KEV catalog; the figure counts instances across products, not unique CVEs.
- The most common dependencies were (1) the Linux kernel, (2) zlib, a compression library, and (3) OpenSSL, an open-source cryptographic library.

"Once again, we found that just a small number of common components, used across hundreds of products, were responsible for the bulk of critical vulnerabilities," said Bryan Cowan, lead researcher for Fortress. "These are vulnerabilities that can be detected and software flaws that can be corrected. Addressing those 20 components would make our power plants, oil and gas refineries, and chemical companies much more secure."

Brief Methodology

Fortress created a Software Bill of Materials (SBOM) for each product version using binary analysis, rather than relying on vendor-declared component lists, and reviewed the SBOMs stored in NAESAD. The analysis covered 9,535 unique vulnerabilities identified across 8,758 unique components in 2,233 products from 243 vendors. This included both information technology (IT) products, used for business and network functions, and operational technology (OT) products, used to monitor and control physical processes. The team used the Exploit Prediction Scoring System (EPSS) as a proxy for exploitability. EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, so a high score indicates likely attacker interest rather than a measure of how little effort exploitation takes.

About Fortress. Securing critical supply chains and cyber assets from evolving threats.

Source: https://www.darkreading.com/application-security/compromised-software-code-poses-systemic-risks-to-critical-infrastructure
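The triage the methodology describes (an SBOM per product, joined against a vulnerability feed, EPSS as the exploitability proxy, KEV instances counted across products, and the share of critical findings concentrated in a handful of components) as an added example that is not code from the Fortress report, NAESAD, or Dark Reading. It runs over three constructed CycloneDX-style SBOMs and a made-up vulnerability feed; the component versions, the placeholder identifiers EX-0001 to EX-0007, the EPSS values, and the 0.5 cut-off for "highly exploitable" are all assumptions for the example, since the page does not state the threshold Fortress used.

```python
"""SBOM-driven vulnerability triage in the style of the Fortress methodology.

Added example with constructed inputs; nothing here is taken from NAESAD or the report.
"""
import json
from collections import Counter

# Assumed cut-off for "highly exploitable". The page does not state the EPSS threshold
# Fortress used; EPSS is a 0..1 probability of exploitation in the wild within 30 days.
EPSS_HIGH = 0.5

# Constructed CycloneDX 1.5-style SBOMs for three hypothetical products. Product and
# component names and versions are made up for the example.
SBOM_DOCS = [
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"name": "substation-hmi", "version": "3.1"}},
     "components": [
         {"type": "operating-system", "name": "linux-kernel", "version": "4.19.100"},
         {"type": "library", "name": "zlib", "version": "1.2.11"},
         {"type": "library", "name": "openssl", "version": "1.1.1k"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"name": "feeder-rtu-fw", "version": "7.0"}},
     "components": [
         {"type": "operating-system", "name": "linux-kernel", "version": "4.19.100"},
         {"type": "library", "name": "zlib", "version": "1.2.11"},
         {"type": "library", "name": "busybox", "version": "1.31.0"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.5",
     "metadata": {"component": {"name": "scada-historian", "version": "12.4"}},
     "components": [
         {"type": "library", "name": "openssl", "version": "1.1.1k"},
         {"type": "library", "name": "zlib", "version": "1.2.11"},
         {"type": "library", "name": "libxml2", "version": "2.9.10"}]},
]

# Constructed vulnerability feed keyed by (component, version). The IDs are placeholders,
# not real CVEs. "severity" is the vendor/NVD rating, "epss" the EPSS probability, and
# "kev" whether the entry would appear in CISA's Known Exploited Vulnerabilities catalog.
VULN_FEED = {
    ("linux-kernel", "4.19.100"): [
        {"id": "EX-0001", "severity": "critical", "epss": 0.71, "kev": True},
        {"id": "EX-0002", "severity": "high", "epss": 0.04, "kev": False},
        {"id": "EX-0003", "severity": "critical", "epss": 0.12, "kev": False},
    ],
    ("zlib", "1.2.11"): [
        {"id": "EX-0004", "severity": "critical", "epss": 0.55, "kev": True},
    ],
    ("openssl", "1.1.1k"): [
        {"id": "EX-0005", "severity": "high", "epss": 0.93, "kev": True},
        {"id": "EX-0006", "severity": "medium", "epss": 0.01, "kev": False},
    ],
    ("busybox", "1.31.0"): [
        {"id": "EX-0007", "severity": "critical", "epss": 0.02, "kev": False},
    ],
    ("libxml2", "2.9.10"): [],
}


def components_of(sbom: dict) -> list[tuple[str, str]]:
    """Return (name, version) pairs from a CycloneDX document's top-level components."""
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def match_findings(sboms: list[dict], feed: dict) -> list[dict]:
    """Join each product's components against the feed: one finding per (product, component, vuln).

    The same vulnerability therefore appears once per product that ships the affected
    component, which is what the report's per-product "instances" count relies on.
    """
    findings = []
    for sbom in sboms:
        product = sbom["metadata"]["component"]["name"]
        for name, version in components_of(sbom):
            for vuln in feed.get((name, version), []):
                findings.append({"product": product, "component": name, **vuln})
    return findings


def summarize(findings: list[dict], top_n: int = 2, epss_high: float = EPSS_HIGH) -> dict:
    """Compute the report's headline metrics from the joined findings.

    top_n=2 suits this tiny feed; the report looked at the top 20 components.
    """
    unique = {f["id"] for f in findings}
    highly_exploitable = {f["id"] for f in findings if f["epss"] >= epss_high}
    kev_instances = sum(1 for f in findings if f["kev"])  # per product, not unique
    critical_by_component = Counter(f["component"] for f in findings if f["severity"] == "critical")
    total_critical = sum(critical_by_component.values())
    top = critical_by_component.most_common(top_n)
    top_share = sum(n for _, n in top) / total_critical if total_critical else 0.0
    return {
        "unique_vulnerabilities": len(unique),
        "highly_exploitable": len(highly_exploitable),
        "kev_instances": kev_instances,
        "top_components": [name for name, _ in top],       # patch these first
        "top_share_of_critical": round(top_share, 3),      # the "20 components, 80%" figure
    }


if __name__ == "__main__":
    print(json.dumps(summarize(match_findings(SBOM_DOCS, VULN_FEED)), indent=2))
```

The join is deliberately on exact (name, version) pairs: binary-derived SBOMs often carry version strings that differ from the feed's (backported distro builds, vendor forks), and silently fuzzy-matching them is how a triage undercounts or overcounts. A practitioner would also keep the per-product findings list rather than only the summary, because the remediation unit in the field is the product build, not the CVE.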