A new report by Fortress Information Security reveals that 90 percent of software products used by critical infrastructure organizations contain code developed in China. The software that powers U.S. utilities is filled with vulnerabilities, including many that are ‘highly exploitable.’ Researchers examined thousands of products and identified risk patterns.
The report, ‘Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software,’ also shows that 25 percent of software components and 90 percent of software products contained code from developers in China. Compromised software code can provide threat actors with a ‘backdoor’ into power grids, oil and gas pipelines, and communication networks. In similar research last year, Fortress discovered that code developed in China was 1.4 times more likely to contain vulnerabilities than code developed elsewhere.
Fortress created a Software Bill of Materials (SBOM) for each product version using binary analysis. Researchers reviewed the SBOMs stored in NAESAD. Fortress analyzed more than 9,535 unique vulnerabilities identified across 8,758 unique components associated with 2,233 products across 243 vendors. This included information technology (IT) products, used for network management, and operational technology (OT) products, used for business functions. The team used the Exploit Prediction Scoring System (EPSS) as a proxy for exploitability.
“China is an existential threat to U.S. economic and physical security,” said Alex Santos, CEO of Fortress. “Software products with China-born code must be identified and weeded out from our nation’s critical infrastructure. We developed and then examined the Software Bill of Materials (SBOM) for the most widely used products managing the U.S. electric power grid. The next step is to take action to eliminate these systemic risks, and we look forward to working with utilities to do just that.”
Using the North American Energy Software Assurance Database (NAESAD) to review Software Bills of Materials (SBOMs) for more than 2,000 software products, researchers found:
“Once again, we found that just a small number of common components, used across hundreds of products, were responsible for the bulk of critical vulnerabilities,” said Bryan Cowan, lead researcher for Fortress. “These are vulnerabilities that can be detected and software flaws that can be corrected. Addressing those 20 components would make our power plants, oil and gas refineries, and chemical companies much more secure.”
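The methodology described above (an SBOM per product, vulnerabilities attached to components, EPSS as the exploitability proxy) and Cowan's observation that a handful of shared components drive most of the critical findings can be reproduced as a simple portfolio analysis. The following is an added example, not code from Fortress or the report: it takes a constructed set of SBOM-style product/component lists with placeholder CVE identifiers and invented EPSS scores, counts each exploitable CVE once per product that ships the component, ranks components by that exposure, and returns the shortest "fix these first" list covering a chosen share of the exposure. The 0.10 EPSS cut-off for "highly exploitable" is an assumption, not a value from the report.

```python
"""Rank shared SBOM components by the exploitable-vulnerability exposure they
spread across a product portfolio, using EPSS as the exploitability proxy.
Added example; data below is constructed and the CVE ids are placeholders."""
from collections import defaultdict

# Constructed sample: four products and the components each SBOM lists.
SBOMS = {
    "product-A": ["libfoo@1.2", "libbar@3.0", "netlib@0.9"],
    "product-B": ["libfoo@1.2", "netlib@0.9"],
    "product-C": ["libfoo@1.2", "libbaz@2.1"],
    "product-D": ["libbaz@2.1", "netlib@0.9"],
}
# Constructed sample: per-component CVE -> EPSS probability (0.0 to 1.0).
VULNS = {
    "libfoo@1.2": {"CVE-PLACEHOLDER-0001": 0.92, "CVE-PLACEHOLDER-0002": 0.03},
    "libbar@3.0": {"CVE-PLACEHOLDER-0003": 0.40},
    "netlib@0.9": {"CVE-PLACEHOLDER-0004": 0.15, "CVE-PLACEHOLDER-0005": 0.71},
    "libbaz@2.1": {"CVE-PLACEHOLDER-0006": 0.01},
}
# Assumed cut-off for "highly exploitable"; tune to your own risk appetite.
EPSS_THRESHOLD = 0.10


def component_exposure(sboms, vulns, threshold=EPSS_THRESHOLD):
    """Return [(component, products_using, exploitable_instances, max_epss)]
    sorted by exploitable_instances descending (ties broken by name).
    An 'instance' is one exploitable CVE in one shipped product, so a CVE in a
    component shared by N products is counted N times: that is what makes a
    small number of common components dominate the total."""
    usage = defaultdict(set)
    for product, components in sboms.items():
        for comp in components:
            usage[comp].add(product)
    rows = []
    for comp, products in usage.items():
        scores = vulns.get(comp, {})
        exploitable = [s for s in scores.values() if s >= threshold]
        rows.append((comp, len(products), len(exploitable) * len(products),
                     max(scores.values(), default=0.0)))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


def components_for_coverage(rows, fraction=0.8):
    """Smallest prefix of the ranked components that accounts for at least
    `fraction` of all exploitable instances: the remediation short-list."""
    total = sum(r[2] for r in rows)
    if total == 0:
        return []
    running, chosen = 0, []
    for comp, _, instances, _ in rows:
        if running >= fraction * total:
            break
        chosen.append(comp)
        running += instances
    return chosen


if __name__ == "__main__":
    ranked = component_exposure(SBOMS, VULNS)
    for comp, n_products, instances, max_epss in ranked:
        print(f"{comp:<12} products={n_products} exploitable_instances={instances} max_epss={max_epss:.2f}")
    print("fix first:", components_for_coverage(ranked))
```

Weighting each CVE by the number of products that ship the component is the step that turns a flat vulnerability list into the concentration pattern the report describes; swapping EPSS for CVSS, or adding product criticality as a second weight, only changes the scoring line.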