PRESS RELEASE
ORLANDO, Fla., Feb. 23, 2024 /PRNewswire/ — The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have clearly warned that critical US infrastructure is under attack. The three federal agencies highlighted how “Volt Typhoon”, a group of criminals operating under the direction of the Chinese Communist Party (CCP), poses a serious challenge to operators of transportation, commerce, clean water and electric utilities.
Volt Typhoon exploits online resources that have not been updated with the latest vulnerability patches. Fortress Information Security is working with major U.S. power companies to limit exposure from abroad by ensuring notification of security updates as they become available. Fortress’ File Integrity Assurance (FIA) solution automates patch management and provides a mechanism to verify the identity and integrity of software before installing a patch, helping utilities reduce the resources needed to monitor patch sources and prevent malicious updates from being introduced to utility company assets.
Additionally, FIA is an efficient and cost-effective way to support compliance with the North American Electric Reliability Corporation’s Critical Infrastructure Protection 007 and 010 (commonly known as CIP-007 and CIP-010), the industry-accepted safety standards to regulate, apply, monitor and manage the North American Bulk Electric System (BES).
“Both CIP-007 and CIP-010 compliance are vital for critical infrastructure companies, and we have provided many companies with a more cost-effective means of meeting the standards while improving the security they desperately need,” said CEO and co-founder Alex Santos. “If one of America’s adversaries used software to open a backdoor and enter a network, the FIA will help security professionals close the door.”
Last year, Fortress researchers examined software bills of materials (SBOM) for more than 200 software products commonly used by U.S. electric utilities. 90% of that software contained component contributions from developers openly aligned with Russia or China. The study also found that code produced in Russia or China is 225% more likely to have vulnerabilities and 300% more likely to have critical vulnerabilities – the most dangerous vulnerabilities for systems and data.
“Fortress research has shown that much of the software used by energy companies is NOT secure by design,” Santos said. “We learned from the SolarWinds attack in 2020 that software is an attack vector that America’s adversaries know how to manipulate to get past even our best traditional defenses. Volt Typhoon shows us that even the smallest utilities, including those that don’t have to meet standard CIP requirements, are actively being targeted by adversaries. Until we have better security products and solutions, we all need to take additional measures to keep attackers away from our routers, VPNs, modems, and software from those who want to lie in wait to attack us.”
In the case of SMB networking equipment and traditional OT equipment, Fortress found through our SBOM breakdowns that the average open source vulnerability dates back 1,485 days. In this type of equipment, which was the target of Volt Typhoon, it is not uncommon for known vulnerabilities to exist in software running critical operations and components for more than four years without any attention from vendors, suppliers or utility providers.
FIA provides users with an additional layer of defense against threat actors who use known vulnerable software to enter the system. FIA users are notified on average within one day of the release of new updates. To prevent future watering-hole or malicious redirect attacks, FIA also validates the authenticity of updates, checking that the download signatures of software updates are accurate and that malware scans of the updates are clean.
For more information on FIA, read about Fortress’ software supply chain security solutions.
About Fortress
Protect critical supply chains and cyber assets from evolving threats.
Fortress. Absolutely critical.
https://www.fortressinfosec.com