Fortress research finds most US energy software contains code from Russian, Chinese developers

New research from Fortress Information Security shows software makers use a lot of code found on open-source platforms that they know very little about. Using available Software Bills of Materials (SBOMs) for software commonly used by U.S. energy companies, the Fortress research team found more than a thousand components from developers in adversarial nation-states like Russia and China. Additionally, some of the potentially compromised contributions can sit, unpatched, for years before being addressed.

“Our adversaries have the means to nestle into software that we rely on to keep the lights on, our transportation systems moving, and our water running,” Alex Santos, CEO and co-founder of Fortress, said in a media statement. “We need to move fast on programs like the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design initiative, which ensures many software makers will change their ways. We know what we need to do to prevent a dangerous, costly catastrophe, but we need the will to act fast and act now.”

Fortress researchers studied 224 SBOMs. The review of the software used to manage the U.S. power grid produced several troubling results: 90 percent of the more than 200 software products that Fortress reviewed contained component contributions from developers who said they were from Russia or China.

In their report titled ‘A Software Supply Chain Dependent on Adversaries,’ the researchers identified that of the 7,918 components reviewed, 13 percent had contributions from Russian and Chinese developers. 

Data also disclosed that the numbers of code contributions from Russia and China are significantly greater than those from other high-risk countries, such as Cuba, Iran, and North Korea. Additionally, software with Russian or Chinese-made code examined by Fortress research is 2.25 times more likely to have vulnerabilities. Perhaps even more troubling, that software is three times more likely to have critical vulnerabilities – the vulnerabilities that are easiest to exploit and more likely to allow damage to hardware.

Approximately 7 percent of all vulnerabilities were critical, the Fortress research disclosed, adding that firmware had the most vulnerabilities with an average of 620 vulnerabilities per product, but operating systems had just as many critical vulnerabilities – with 12 percent being critical. 

Another interesting data insight from the Fortress report was that SBOM analyses showed that vulnerabilities built into the software running critical operations and components lie in wait for longer than four years, without getting attention from vendors, suppliers, or utility providers. The average age of critical vulnerabilities was nearly three years – 952 days.

Researchers also found a silver lining in software patching: focusing on a small number of components can achieve a significant risk reduction. Only ten percent of the components account for 92 percent of the most critical vulnerabilities, and two components, ‘glibc’ and ‘linux_kernel,’ contribute roughly 40 percent of them.
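The two findings above, that a small share of components carries most of the critical exposure and that critical vulnerabilities sit unpatched for years, are both straightforward to reproduce from an SBOM once vulnerability records are attached to it. The script below is an added example and is not code from Fortress or its report; it works on a constructed, minimal CycloneDX-style SBOM with made-up component versions and placeholder vulnerability identifiers, and the function names are my own.

```python
"""Rank SBOM components by critical-vulnerability share and measure
vulnerability age. Added illustration, not Fortress code; the SBOM and
vulnerability records below are constructed sample data."""
from collections import Counter
from datetime import date

# Constructed sample SBOM (CycloneDX-like shape; not a real product).
# Vulnerability ids are placeholders, not real CVE numbers.
SBOM = {
    "components": [
        {"name": "glibc", "version": "2.31"},
        {"name": "linux_kernel", "version": "5.4"},
        {"name": "openssl", "version": "1.1.1"},
        {"name": "zlib", "version": "1.2.11"},
        {"name": "busybox", "version": "1.31"},
        {"name": "curl", "version": "7.68"},
    ],
    "vulnerabilities": [
        {"id": "PLACEHOLDER-0001", "component": "glibc", "severity": "critical", "published": "2020-01-15"},
        {"id": "PLACEHOLDER-0002", "component": "glibc", "severity": "critical", "published": "2021-06-01"},
        {"id": "PLACEHOLDER-0003", "component": "glibc", "severity": "high", "published": "2022-03-10"},
        {"id": "PLACEHOLDER-0004", "component": "linux_kernel", "severity": "critical", "published": "2019-11-20"},
        {"id": "PLACEHOLDER-0005", "component": "linux_kernel", "severity": "critical", "published": "2021-02-02"},
        {"id": "PLACEHOLDER-0006", "component": "linux_kernel", "severity": "medium", "published": "2022-08-08"},
        {"id": "PLACEHOLDER-0007", "component": "openssl", "severity": "critical", "published": "2022-11-01"},
        {"id": "PLACEHOLDER-0008", "component": "zlib", "severity": "high", "published": "2022-10-14"},
        {"id": "PLACEHOLDER-0009", "component": "busybox", "severity": "critical", "published": "2021-09-09"},
        {"id": "PLACEHOLDER-0010", "component": "curl", "severity": "medium", "published": "2023-02-20"},
    ],
}


def critical_counts(sbom):
    """Number of critical-severity vulnerabilities per component name."""
    return Counter(
        v["component"]
        for v in sbom["vulnerabilities"]
        if v["severity"] == "critical"
    )


def components_covering(sbom, share):
    """Smallest set of components, taken most-critical-first, whose critical
    vulnerabilities together make up at least `share` (0..1) of the total.
    This is the prioritisation the report describes: patching a handful of
    components removes most of the critical exposure."""
    counts = critical_counts(sbom)
    total = sum(counts.values())
    if total == 0:
        return []
    # Sort by descending count, then by name so ties are deterministic.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen, covered = [], 0
    for name, n in ranked:
        chosen.append(name)
        covered += n
        if covered / total >= share:
            break
    return chosen


def mean_critical_age_days(sbom, as_of):
    """Average age in days of critical vulnerabilities, from each record's
    published date to the ISO date string `as_of`."""
    ref = date.fromisoformat(as_of)
    ages = [
        (ref - date.fromisoformat(v["published"])).days
        for v in sbom["vulnerabilities"]
        if v["severity"] == "critical"
    ]
    return sum(ages) / len(ages) if ages else 0.0


if __name__ == "__main__":
    print("critical vulns per component:", dict(critical_counts(SBOM)))
    print("components covering 90% of criticals:", components_covering(SBOM, 0.9))
    print("mean critical age (days):", round(mean_critical_age_days(SBOM, "2023-06-01")))
```

In practice the vulnerability records would come from a scanner or vulnerability database matched against the SBOM's component names and versions; the shape used here is only what the analysis needs.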

The Orlando, Florida-headquartered company also underlined that secure-by-design software will not be here overnight.

Fortress research data also prescribed five ways that Washington could help secure the U.S. power grid. These include universal adoption of SBOM, cybersecurity as a key procurement criterion, clear guidance from the federal government and regulators on best practices, federal government regulation of software development platforms, and adoption of a commercial centralized SBOM repository to make sharing and analysis easy.

The report identified that SBOMs will help make it easier for security analysts to identify bad code. An SBOM would include proprietary code as well as open-source and third-party components. There is widespread agreement among government leaders, company executives, academics, and security experts that SBOMs are desperately needed as threat actors continue aggressive, troubling attacks.

The White House’s Executive Order 14028 mandates government agencies have SBOMs for software they purchase beginning in 2024. CISA has at least five working groups meeting weekly dedicated to developing best practices and standards in key industries. Furthermore, Congress’ decision in 2022 to remove language from the National Defense Authorization Act (NDAA) that would have required software makers to include an SBOM on products offered to federal agencies certainly muddied the picture. Washington must provide clarity on implementation.

The report also outlined that the software development community must ensure secure code contributions on platforms like GitHub and other open-source code repositories. But, “until we have confidence in secure by design software that isn’t laced with malicious code, every software product could contain a ticking time bomb. SBOMs provide us with the best tool to find compromised components.”

The researchers also recommended industry-wide SBOM repositories such as NAESAD to provide software supply chain transparency, enabling organizations to better remediate vulnerabilities, build resiliency into cyber operations, and reduce cyberattack risks.

In October, Fortress announced that it is now part of the Joint Cyber Defense Collaborative (JCDC), America’s preeminent public-private sector partnership of cybersecurity organizations. The company will share information to help America defend itself against cyber attacks. 
