Examining dependency trends and threat pathways to bolster software resilience in critical sectors


In today’s cyber landscape, the North American Energy Software Assurance Database (NAESAD) has revealed numerous vulnerabilities in critical infrastructure software. Fortress and its partners analyzed over 9,500 vulnerabilities across 2,233 products from 243 vendors and found that 82% of critical vulnerabilities trace back to just 20 components, placing power grids, pipelines, and networks at risk.

9% of these vulnerabilities are easily exploitable, and 90% of critical infrastructure products contain code from China-based contributors, a country the report regards as a growing cyber adversary.

The research identified 3,841 known exploited vulnerabilities (KEVs) in the analyzed products, showing that many products remain unpatched against flaws already being used in attacks. The risks are concentrated but solvable. Critical infrastructure operators must act now to protect their systems: by focusing remediation on the small set of components that carry most of the critical vulnerabilities, organizations can significantly reduce their exposure. The vulnerabilities are known. The threats are real. The time to act is now.

The research underscores the need for stronger software supply chain security. Aggregating SBOMs creates a catalog of critical infrastructure products and their components that can be used for procurement, risk management, and regulatory compliance. NAESAD allows organizations to assess a product's security before purchase, monitor vendor adherence to security policies, manage vulnerabilities in real time, and meet regulatory mandates. With increasing regulatory focus on the software supply chain, NAESAD offers a proactive approach to safeguarding essential software ecosystems.
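The two analyses the page reports, aggregating SBOMs into one component catalog and then measuring how concentrated critical vulnerabilities are across components and which products ship known-exploited flaws, can be reproduced on a small scale with the Python script below. This is an added example, not NAESAD's or Fortress's own tooling; the product names, component versions, vulnerability IDs and the "known exploited" flags are constructed inputs chosen to illustrate the method, and the CycloneDX-style SBOM shape is a simplification.

```python
"""Added example: aggregate several SBOMs into one component catalog, join it
against a vulnerability feed, and measure how concentrated critical findings are.
Product names, component versions and vulnerability IDs are constructed for
illustration and are not taken from NAESAD."""
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragments for hypothetical products.
SBOMS = [
    {"product": "GridCtrl 4.2", "components": [
        {"name": "openssl", "version": "1.0.2u"},
        {"name": "log4j-core", "version": "2.14.1"},
        {"name": "zlib", "version": "1.2.11"}]},
    {"product": "PipeSCADA 7", "components": [
        {"name": "openssl", "version": "1.0.2u"},
        {"name": "log4j-core", "version": "2.14.1"},
        {"name": "zlib", "version": "1.2.11"}]},
    {"product": "RelayHMI 2.0", "components": [
        {"name": "openssl", "version": "1.0.2u"},
        {"name": "zlib", "version": "1.2.11"},
        {"name": "libxml2", "version": "2.9.4"}]},
    {"product": "SubstationGW 1.5", "components": [
        {"name": "openssl", "version": "1.0.2u"},
        {"name": "zlib", "version": "1.2.11"},
        {"name": "sqlite", "version": "3.31.1"}]},
    {"product": "MeterLink 3.1", "components": [
        {"name": "zlib", "version": "1.2.11"},
        {"name": "sqlite", "version": "3.31.1"},
        {"name": "vendorlib", "version": "1.0"}]},
]

# Constructed vulnerability feed: (id, component, version, severity, known-exploited flag).
VULNS = [
    ("V-0001", "openssl", "1.0.2u", "critical", True),
    ("V-0002", "openssl", "1.0.2u", "critical", False),
    ("V-0003", "openssl", "1.0.2u", "high", False),
    ("V-0004", "log4j-core", "2.14.1", "critical", True),
    ("V-0005", "zlib", "1.2.11", "high", False),
    ("V-0006", "libxml2", "2.9.4", "critical", False),
    ("V-0007", "sqlite", "3.31.1", "medium", False),
    ("V-0008", "vendorlib", "1.0", "critical", False),
]


def aggregate_components(sboms):
    """Catalog: (name, version) -> set of products that ship that component."""
    catalog = defaultdict(set)
    for sbom in sboms:
        for comp in sbom["components"]:
            catalog[(comp["name"], comp["version"])].add(sbom["product"])
    return catalog


def match_vulns(catalog, vulns):
    """Join the feed against the catalog; vulns in components nobody ships are dropped."""
    findings = []
    for vid, name, version, severity, kev in vulns:
        products = catalog.get((name, version), set())
        if products:
            findings.append({"id": vid, "component": (name, version),
                             "severity": severity, "kev": kev,
                             "products": sorted(products)})
    return findings


def critical_concentration(findings, top_n, weight_by_products=False):
    """Share of critical findings attributable to the top_n components.
    With weight_by_products=True each (vuln, product) pair counts once, so a
    widely shipped component weighs more, as it does in an installed base."""
    per_component = defaultdict(int)
    for f in findings:
        if f["severity"] == "critical":
            per_component[f["component"]] += len(f["products"]) if weight_by_products else 1
    total = sum(per_component.values())
    if total == 0:
        return 0.0
    top = sorted(per_component.values(), reverse=True)[:top_n]
    return sum(top) / total


def kev_exposed_products(findings):
    """Products shipping at least one component with a known-exploited vulnerability."""
    exposed = set()
    for f in findings:
        if f["kev"]:
            exposed.update(f["products"])
    return sorted(exposed)


if __name__ == "__main__":
    catalog = aggregate_components(SBOMS)
    findings = match_vulns(catalog, VULNS)
    print(f"{len(catalog)} distinct components across {len(SBOMS)} products")
    print(f"top-2 share of critical vulns: {critical_concentration(findings, 2):.0%}")
    print(f"top-2 share weighted by products: {critical_concentration(findings, 2, True):.0%}")
    print("products with known-exploited vulns:", kev_exposed_products(findings))
```

On the constructed data two components account for 60% of the distinct critical vulnerabilities and for 83% once each vulnerability is weighted by the number of products that ship it; which of the two counts a report uses changes the headline figure, so a practitioner comparing numbers such as the 82% above should check which was meant. The KEV join is the operationally urgent view: it lists the products that need patching first regardless of how the concentration is computed.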