Fortress research finds most US energy software contains code from Russian, Chinese developers -…

Industrial Cyber – Anna Ribeiro
A recent study by Fortress Information Security spotlighted that a substantial amount of software utilized by U.S. energy companies contains code from Russian and Chinese developers.
Adversarial nation-state developers have contributed over a thousand components, forming 13 percent of the 7,918 components examined.
Overall, software containing Russian- or Chinese-made code was found to be 2.25 times more likely to contain vulnerabilities and three times more likely to contain critical vulnerabilities, which are easier to exploit.
These findings underscore the urgent need for stronger software supply chain security.
Remarkably, only 10% of software components accounted for 92% of the most critical vulnerabilities.
Two components, ‘glibc’ and ‘linux_kernel,’ accounted for around 40% of potential vulnerabilities, highlighting the significant risk reduction that can be achieved by focusing remediation on a small subset of components.
The analyzed data also revealed that critical vulnerabilities within the software frequently remain unaddressed for extended periods, with an average age of nearly three years.
To secure the power grid, Fortress’s recommendations include universal adoption of Software Bills of Materials (SBOMs), prioritizing cybersecurity in procurement, clear guidance from the federal government, regulation of software development platforms, and establishing a commercial centralized SBOM repository.
SBOMs are perceived as crucial tools to pinpoint compromised components and identify secure code contributions.
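To show how an SBOM supports the kind of prioritization the findings above call for, here is an added Python example (not code from Fortress or the article) that ranks the components of a constructed CycloneDX-style SBOM by the critical findings attributed to them, measures what share of critical exposure the top fraction of components carries, and computes the mean age of open critical findings. The SBOM, the finding list, the dates and the assessment date are all hypothetical.

```python
import json
from collections import Counter
from datetime import date

# Constructed CycloneDX-style SBOM fragment for a hypothetical product.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "glibc", "version": "2.28"},
  {"type": "operating-system", "name": "linux_kernel", "version": "4.19"},
  {"type": "library", "name": "openssl", "version": "1.1.1"},
  {"type": "library", "name": "zlib", "version": "1.2.11"},
  {"type": "library", "name": "libxml2", "version": "2.9.10"},
  {"type": "library", "name": "curl", "version": "7.64"},
  {"type": "library", "name": "busybox", "version": "1.30"},
  {"type": "library", "name": "sqlite", "version": "3.27"},
  {"type": "library", "name": "expat", "version": "2.2.6"},
  {"type": "library", "name": "pcre", "version": "8.42"}]}"""

# Constructed findings: (component, severity, disclosure date). No real CVE ids.
FINDINGS = [
    ("glibc", "critical", date(2021, 1, 15)),
    ("glibc", "critical", date(2020, 6, 1)),
    ("linux_kernel", "critical", date(2019, 11, 2)),
    ("linux_kernel", "critical", date(2021, 8, 20)),
    ("linux_kernel", "critical", date(2022, 2, 14)),
    ("openssl", "critical", date(2022, 11, 1)),
    ("curl", "medium", date(2023, 1, 3)),
]
AS_OF = date(2023, 12, 1)  # hypothetical assessment date

def load_components(sbom_json):
    return [c["name"] for c in json.loads(sbom_json)["components"]]

def critical_counts(components, findings):
    """Critical findings per SBOM component; findings on unlisted names are ignored."""
    counts = Counter({name: 0 for name in components})
    for comp, severity, _ in findings:
        if severity == "critical" and comp in counts:
            counts[comp] += 1
    return counts

def concentration(components, findings, top_fraction):
    """Top components by critical count, and their share of all critical findings."""
    counts = critical_counts(components, findings)
    ranked = [name for name, _ in counts.most_common()]
    k = max(1, round(len(ranked) * top_fraction))
    total = sum(counts.values())
    return ranked[:k], (sum(counts[n] for n in ranked[:k]) / total if total else 0.0)

def mean_open_age_days(findings, as_of):
    """Mean age in days of critical findings still open on `as_of`."""
    ages = [(as_of - d).days for _, severity, d in findings if severity == "critical"]
    return sum(ages) / len(ages) if ages else 0.0
```

With this data the top 10% of components (one of ten) carries half of the critical findings, which is the concentration effect the report describes, and the same ranking tells a defender where patching effort pays off first.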
The White House’s Executive Order 14028 requires government agencies to obtain SBOMs for software purchases beginning in 2024.
While efforts like CISA’s working groups and industry-wide SBOM repositories aim to address these critical issues, there remains a need for collective action and enhanced clarity from the government to build resilient cyber operations and diminish cyberattack risks.
Fortress Information Security, through its involvement in America’s Joint Cyber Defense Collaborative (JCDC), aims to bolster the national defense against cyber threats.
Link: https://industrialcyber.co/reports/fortress-research-finds-most-us-energy-software-contains-code-from-russian-chinese-developers/