More than 80 percent of the most severe software vulnerabilities affecting critical infrastructure trace back to the same 20 software components, according to a new report out this week from Fortress Information Security.
The cybersecurity firm analyzed the software used in 2,233 products from the North American Energy Software Assurance Database and found 9,535 unique vulnerabilities, more than 800 of which the report classifies as “highly exploitable” by any attacker.
“Third-party components remain a significant vector for the propagation of vulnerabilities, as most software depends on other pieces of software to work,” the report notes. “The three most common ones found in use were the Linux kernel, used in the firmware of many devices; zlib, a compression library; and OpenSSL, a cryptographic library and toolkit that implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.”
“Since these components can appear in many products, the risk is that compromising even one of them potentially gives threat actors access to a large number of products,” the report says.
Fortress Information Security found that 82 percent of the most critical vulnerabilities originate from just 20 components, “placing our power grids, pipelines, and communication networks at risk of compromise.”
The report presents a case study on the oil and gas industry, finding that four components were responsible for 99 percent of the critical-severity vulnerabilities across the oil and gas products examined.
“This example demonstrates the trend of a concentrated number of components contributing the vast majority of critical severity vulnerabilities,” the report says. “Fortress also looked at remediation paths for these vulnerabilities and found patches available to address 100% of the critical and high-severity vulnerabilities in these products.”
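The concentration and remediation figures above come from joining per-product software inventories (SBOMs) with a vulnerability feed keyed by component and version, then counting how many critical findings a small number of components account for. The following is an added example, not code from the report or from Fortress: it runs that computation on a constructed inventory. Every product name, component version and vulnerability identifier in it is a placeholder invented for the example, not real data, and the SBOM parsing step (CycloneDX or SPDX into the simple tuples used here) is assumed to have happened already.

```python
"""Component-concentration analysis over a constructed software inventory.

Added example; placeholder data only. It reproduces the shape of the
three findings the report describes: the share of critical-severity
vulnerabilities owned by the top-N components, how many products each
shared component reaches, and what fraction of critical/high findings
already have a patch available.
"""
from collections import Counter

# Constructed inventory: product -> list of (component, version).
# A real pipeline would fill this from each product's CycloneDX/SPDX SBOM.
SBOMS = {
    "relay-fw-1":  [("linux-kernel", "4.14"), ("zlib", "1.2.11"), ("openssl", "1.1.1k"), ("busybox", "1.31")],
    "rtu-fw-2":    [("linux-kernel", "4.19"), ("zlib", "1.2.11"), ("openssl", "1.1.1k")],
    "hmi-app-3":   [("openssl", "1.1.1k"), ("libxml2", "2.9.10"), ("zlib", "1.2.11")],
    "gateway-4":   [("linux-kernel", "4.14"), ("openssl", "1.0.2u"), ("curl", "7.64")],
    "historian-5": [("libxml2", "2.9.10"), ("sqlite", "3.31")],
}

# Constructed vulnerability feed: (component, version) -> [(id, severity, patch_available)].
# IDs are placeholders ("VULN-..."), not real CVEs. The same id may affect several
# versions (VULN-K2, VULN-O1), which is why counting must deduplicate by id.
VULNS = {
    ("linux-kernel", "4.14"): [("VULN-K1", "critical", True), ("VULN-K2", "high", True), ("VULN-K3", "medium", True)],
    ("linux-kernel", "4.19"): [("VULN-K4", "critical", True), ("VULN-K2", "high", True)],
    ("zlib", "1.2.11"):       [("VULN-Z1", "critical", True)],
    ("openssl", "1.1.1k"):    [("VULN-O1", "critical", True), ("VULN-O2", "high", True)],
    ("openssl", "1.0.2u"):    [("VULN-O1", "critical", True), ("VULN-O3", "critical", False), ("VULN-O4", "high", True)],
    ("libxml2", "2.9.10"):    [("VULN-X1", "high", True), ("VULN-X2", "medium", False)],
    ("curl", "7.64"):         [("VULN-C1", "critical", True)],
    ("busybox", "1.31"):      [("VULN-B1", "low", True)],
}


def unique_vulns(sboms, vulns):
    """Map every vulnerability id seen in the inventory to (component, severity, patched).

    Deduplicates by id so a flaw present in two shipped versions of one
    component counts once, matching the report's 'unique vulnerabilities'.
    """
    seen = {}
    for components in sboms.values():
        for comp_ver in components:
            component = comp_ver[0]
            for vid, severity, patched in vulns.get(comp_ver, []):
                seen.setdefault(vid, (component, severity, patched))
    return seen


def concentration(sboms, vulns, top_n, severity="critical"):
    """Return (share, ranked_top) where share is the fraction of unique
    vulnerabilities of the given severity owned by the top_n components."""
    per_component = Counter(
        comp for comp, sev, _ in unique_vulns(sboms, vulns).values() if sev == severity
    )
    total = sum(per_component.values())
    # Sort by count descending, then name, so ties are deterministic.
    ranked = sorted(per_component.items(), key=lambda kv: (-kv[1], kv[0]))
    top = ranked[:top_n]
    share = sum(n for _, n in top) / total if total else 0.0
    return share, top


def product_reach(sboms):
    """Number of distinct products each component ships in: the 'compromise
    one component, reach many products' exposure."""
    reach = Counter()
    for components in sboms.values():
        for component in {c for c, _ in components}:
            reach[component] += 1
    return reach


def patch_coverage(sboms, vulns, severities=("critical", "high")):
    """Fraction of unique critical/high vulnerabilities with a patch available."""
    relevant = [p for _, sev, p in unique_vulns(sboms, vulns).values() if sev in severities]
    return sum(relevant) / len(relevant) if relevant else 1.0


if __name__ == "__main__":
    share, top = concentration(SBOMS, VULNS, top_n=2)
    print(f"{len(unique_vulns(SBOMS, VULNS))} unique vulnerabilities in {len(SBOMS)} products")
    print(f"top {len(top)} components own {share:.0%} of critical findings: {top}")
    for component, n in product_reach(SBOMS).most_common(3):
        print(f"  {component} ships in {n}/{len(SBOMS)} products")
    print(f"patch available for {patch_coverage(SBOMS, VULNS):.0%} of critical/high findings")
```

On this constructed data the two most common components (the kernel and OpenSSL placeholders) own two thirds of the critical findings, and one unpatched critical finding (the end-of-life OpenSSL line) is what pulls remediation coverage below 100 percent; swapping the dictionaries for a real SBOM export and a real feed is the only change needed to run the same three checks on an actual fleet.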
Another troubling finding: 90 percent of products contain one or more components with Chinese contributions.
According to the report, component repositories with Chinese contributors frequently showed the same hygiene problems: the repository was not actively maintained, code review was not required, permissions were granted excessively, and release branches had no branch protections.
“The threats are real, but solutions are available,” the report says. “By working together, we can collectively enhance the security of critical infrastructure software and ensure resilience against an increasingly sophisticated threat landscape.”