Full Report
A new report by Fortress Information Security reveals that 90 percent of software products used by critical infrastructure... The post Fortress reports security risks in Chinese software threatening US critical infrastructure appeared first on Industrial Cyber.
Analysis Summary
# Industry News: Widespread Chinese Code in US Critical Infrastructure Software Poses Major Security Risk
## Summary
Fortress Information Security research indicates that 90% of software used across US critical infrastructure contains code developed in China, with 25% of all software components originating from Chinese developers. This widespread reliance carries significant security risks, as previous analysis suggests Chinese-developed code is more prone to vulnerabilities, potentially offering nation-state actors undetected backdoors into essential services like power grids and utilities.
## Key Details
- Date: December 12, 2024 (Publication date)
- Companies Involved: Fortress Information Security (Researcher)
- Category: Market Analysis; Supply Chain Security Risk Assessment
## The Story
Fortress Information Security released a report, "Beyond the Bill of Materials: The Silent Threat Lurking in Critical Infrastructure Software," detailing an extensive analysis of software components used by US critical infrastructure (CI) organizations. The research examined over 9,535 unique vulnerabilities across thousands of components in IT and OT products from 243 vendors. The key findings highlight a dependency funnel: 25% of all software components and 90% of software *products* utilize code developed in China. Furthermore, historical analysis by Fortress suggests that code from Chinese developers is 1.4 times more likely to harbor vulnerabilities compared to code from other regions. This concentration of foreign-sourced code, especially when featuring highly exploitable flaws (assessed using EPSS), creates a systemic risk where sophisticated threat actors could gain access to vital systems.
## Business Impact
### For the Companies Involved
- **Fortress Information Security:** This report serves as a significant marketing and validation exercise, positioning the company as a thought leader in supply chain risk management, particularly concerning geopolitical hardware/software dependencies in the OT sector.
### For Competitors
- Competitors focusing on traditional IT security or less comprehensive SBOM analysis may be disadvantaged unless they can rapidly pivot to address geopolitical supply chain risks in their offerings.
### For Customers
- **Critical Infrastructure Operators (Utilities, Energy, Communications):** Face immediate pressure to audit their existing software supply chains, prioritize remediation of high-risk components, and potentially re-evaluate vendor relationships based on the geographic origin of code. Procurement costs may rise as operators seek verified, low-risk software.
### For the Market
- This news significantly elevates the focus on **Software Bill of Materials (SBOM)** mandates and deep-dive source verification beyond basic vulnerability scanning (CVE detection). It confirms geopolitical risk as a tangible, high-impact vector within the Operational Technology (OT) sector.
## Technical Implications
The analysis used binary analysis to generate SBOMs, then validated each component's origin and mapped known vulnerabilities to it. Researchers specifically leveraged the **Exploit Prediction Scoring System (EPSS)** to prioritize remediation efforts, focusing security spend on components deemed "highly exploitable." This reflects a shift towards **predictive risk modeling** that weighs exploitability (EPSS) together with component provenance, rather than relying solely on historical exploit data.
## Strategic Analysis
- **Market Positioning:** Security vendors offering supply chain transparency, geographic risk assessments, and OT-specific SBOM validation tools are expected to gain significant market traction.
- **Competitive Advantage:** Companies that can provide verifiable assurance regarding the geopolitical origin and inherent risk profile of third-party software components will possess a substantial competitive differentiator.
- **Challenges:** Remediation across operational environments is notoriously slow and expensive. CI operators face the challenge of verifying software integrity without causing operational disruption, necessitating robust, non-intrusive analysis tools.
## Industry Reactions
- **Analyst Opinions:** Analysts will likely frame this as the culmination of warnings regarding supply chain dependency on adversary nations, shifting the discussion from *if* risk exists to quantifying the systemic exposure.
- **Expert Commentary:** Expect continued warnings from security experts emphasizing that traditional perimeter defenses are insufficient against backdoors embedded deep within foundational software layers.
- **Market Response:** Increased scrutiny on procurement processes across the energy and utility sectors, likely leading to RFPs demanding higher tiers of software transparency.
## Future Outlook
- We expect increased regulatory attention, particularly from bodies like CISA and potentially FERC, pushing for stricter requirements regarding the geographic origin disclosure and vetting of software used in critical ICS environments.
- Expect a surge in demand for solutions capable of continuous monitoring and verification of software integrity post-deployment.
## For Security Professionals
Practitioners in CI environments must immediately integrate software provenance into their risk registers. Focus efforts on building detailed SBOMs (if not already done), prioritizing the patching or replacement of components that combine high EPSS scores with origin in flagged regions, and advocating for stricter vendor requirements regarding code integrity and dependency mapping.
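One way to operationalize the prioritization described above, as an added example that is not Fortress's tooling or code from the report: it parses a constructed CycloneDX-style SBOM, joins each component's CVEs to constructed EPSS probabilities and to an assumed supplier-to-region map (CycloneDX has no origin-country field, so that mapping is the operator's own), and ranks components into remediation tiers. All vendor names, CVE numbers and scores are placeholders.

```python
# Rank SBOM components for remediation by EPSS exploitability and code origin.
import json

# Constructed CycloneDX 1.4-style SBOM; bom-refs, suppliers and CVE ids are placeholders.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "c1", "name": "modbus-stack", "version": "2.1.0", "supplier": {"name": "Vendor-A"}},
    {"bom-ref": "c2", "name": "hmi-webkit", "version": "5.0.3", "supplier": {"name": "Vendor-B"}},
    {"bom-ref": "c3", "name": "log-agent", "version": "1.8.2", "supplier": {"name": "Vendor-C"}},
    {"bom-ref": "c4", "name": "zlib-fork", "version": "1.2.11", "supplier": {"name": "Vendor-A"}},
    {"bom-ref": "c5", "name": "ui-theme", "version": "0.9.0", "supplier": {"name": "Vendor-B"}}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "c1"}]},
    {"id": "CVE-0000-0002", "affects": [{"ref": "c2"}, {"ref": "c4"}]},
    {"id": "CVE-0000-0003", "affects": [{"ref": "c3"}]}
  ]
}"""
# Assumed provenance data: CycloneDX carries no origin-country field, so the
# operator maintains this supplier-to-region map themselves (constructed values).
SUPPLIER_REGION = {"Vendor-A": "CN", "Vendor-B": "US", "Vendor-C": "CN"}
FLAGGED_REGIONS = {"CN"}
# Constructed EPSS probabilities; real values come from the FIRST EPSS feed.
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.71, "CVE-0000-0003": 0.45}
HIGH_EPSS = 0.10  # exploitability threshold (assumption, tune per environment)

def rank_components(sbom_json, epss, supplier_region, flagged, threshold=HIGH_EPSS):
    """Return components sorted by remediation priority (tier, then max EPSS)."""
    bom = json.loads(sbom_json)
    cves_by_ref = {}  # bom-ref -> list of CVE ids affecting that component
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            cves_by_ref.setdefault(target["ref"], []).append(vuln["id"])
    rows = []
    for comp in bom["components"]:
        cves = cves_by_ref.get(comp["bom-ref"], [])
        max_epss = max((epss.get(c, 0.0) for c in cves), default=0.0)
        region = supplier_region.get(comp["supplier"]["name"], "unknown")
        exploitable, foreign = max_epss >= threshold, region in flagged
        # Tier 1: exploitable flaw in flagged-origin code; 2: exploitable;
        # 3: flagged-origin code with any known vuln; 4: everything else.
        tier = 1 if exploitable and foreign else 2 if exploitable else 3 if foreign and cves else 4
        rows.append({"name": comp["name"], "region": region, "cves": cves,
                     "max_epss": max_epss, "tier": tier})
    return sorted(rows, key=lambda r: (r["tier"], -r["max_epss"]))

if __name__ == "__main__":
    for row in rank_components(SBOM_JSON, EPSS, SUPPLIER_REGION, FLAGGED_REGIONS):
        print(f"tier {row['tier']}  {row['name']:<12} {row['region']:<7} "
              f"epss={row['max_epss']:.2f}  {row['cves']}")
```

The tiering is deliberately simple; in practice the threshold and the region policy belong in the risk register so that auditors can see why a component was ranked where it was.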