90% of Software Contains Components from Leading Nation-State Adversaries and Is 3 Times More Likely to Contain Critical Vulnerabilities.

Software Is the New Frontline for Utilities.


New research from Fortress Information Security shows software makers use a lot of code found on open-source platforms that they know very little about. Using available Software Bills of Materials (SBOMs) for software commonly used by U.S. energy companies, the Fortress research team found more than a thousand components coming from developers in adversarial nation-states like Russia and China. Additionally, some of the potentially compromised contributions can sit, unpatched, for years before being addressed.

Fortress experts evaluated the company’s industry-leading catalog of SBOMs – the North American Energy Software Assurance Database (NAESAD) – to reveal grave concerns about software supply chain vulnerabilities that could mirror the monetary, brand and reputational impacts of Log4j and SolarWinds. The Fortress researchers detailed their findings in a new report, A Software Supply Chain Dependent on Adversaries.

“Our adversaries have the means to nestle into software that we rely on to keep the lights on, our transportation systems moving, and our water running,” said Alex Santos, CEO and co-founder of Fortress. “We need to move fast on programs like the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design initiative, which ensures many software makers will change their ways. We know what we need to do to prevent a dangerous, costly catastrophe, but we need the will to act fast and act now.”

Researchers studied 224 SBOMs. The review of the software used to manage the U.S. power grid produced several troubling results:

  • 90 percent of the more than 200 software products that Fortress reviewed contained component contributions from developers saying they were from Russia and China. Of the 7,918 components reviewed, 13 percent had contributions from Russian and Chinese developers.
  • The numbers of code contributions from Russia and China are significantly greater than those from other high-risk countries, such as Cuba, Iran, and North Korea.
  • Software with Russian or Chinese-made code examined by Fortress research is 2.25 times more likely to have vulnerabilities. Perhaps even more troubling, that software is three times more likely to have critical vulnerabilities – the vulnerabilities that are easiest to exploit and more likely to allow damage to hardware.
  • Approximately 7% of all vulnerabilities were critical. Firmware had the most vulnerabilities with an average of 620 vulnerabilities per product, but operating systems had just as many critical vulnerabilities – with 12% being critical.

SBOM analyses by Fortress researchers showed that vulnerabilities built into the software running critical operations and components lie in wait for longer than four years – without getting attention from vendors, suppliers, or utility providers. The average age of critical vulnerabilities was nearly three years – 952 days.

If there is a silver lining, researchers found there was a large risk reduction from patching a small number of components. Just ten percent of components are responsible for 92 percent of the most critical vulnerabilities. Two components, glibc and linux_kernel, were responsible for around 40 percent of these potential vulnerabilities.

Unfortunately, secure-by-design software will not be here overnight. While we wait, Fortress suggests five ways that Washington could help secure the U.S. power grid:

  1. Universal adoption of SBOM.

    SBOMs will help make it easier for security analysts to identify bad code. An SBOM would include proprietary code as well as open-source and third-party components. There is widespread agreement among government leaders, company executives, academics, and security experts that SBOMs are desperately needed as threat actors continue aggressive, troubling attacks.
  2. Cybersecurity as a key procurement criterion.

    The White House’s Executive Order 14028 mandates government agencies have SBOMs for software they purchase beginning in 2024. CISA has at least five working groups meeting weekly dedicated to developing best practices and standards in key industries.
  3. Clear Guidance from the Federal Government and Regulators on Best Practices

    Congress’s decision in 2022 to remove language from the National Defense Authorization Act (NDAA) that would have required software makers to include an SBOM on products offered to federal agencies certainly muddied the picture. Washington must provide clarity on implementation.
  4. Federal Government Regulation of Software Development Platforms

    The software development community needs to ensure code contributions on platforms like GitHub and other open-source code repositories are secure.
  5. Adopt a Commercial Centralized SBOM Repository to make sharing and analysis easy

    But until we have confidence in secure-by-design software that isn’t laced with malicious code, every software product could contain a ticking time bomb. SBOMs provide us with the best tool to find compromised components. Industry-wide SBOM repositories such as NAESAD provide software supply chain transparency to enable organizations to better remediate vulnerabilities, build resiliency into cyber operations, and reduce cyberattack risk.

About Fortress Information Security

Fortress secures North America's power and defense supply chains from cyberattacks on operational and critical enterprise technologies. Fortress' proprietary technology platform orchestrates North America's most advanced cyber supply chain risk management and vulnerability management programs. Fortress operates the Asset to Vendor network, which gives critical operators confidence that the products and services they obtain from others are cyber-safe. Fortress is a Goldman Sachs Portfolio Company.


North American Energy Software Assurance Database (NAESAD): An industry-wide collaborative database to create and share Software Bills of Materials (SBOM) in products used by utilities across North America. NAESAD is led by several investor-owned utilities (including AEP, Southern, Xcel, and NiSource) and managed by Fortress Information Security to create a comprehensive SBOM library for common vendors and suppliers.