Orlando security company finds 90% of U.S. critical infrastructure software rely on code from China

This browser does not support the video element.

ORLANDO, Fla. — The U.S. Department of Energy reports just last year, the country saw at least five cyber-attacks to our power grids from Washington state to here on the East Coast.

WATCH CHANNEL 9 EYEWITNESS NEWS

Florida alone was the site of two of those cyber-attacks. Data shows Orange County was hit by a “cyber event” in April 2023, just two months after there was reported vandalism to a power facility in the county.

Making matters worse, there are new concerns about hacking.

Read: Bounced email leads to accusations of lawbreaking, political firestorm in Orange County

An Orlando-based company is warning that something nearly all our energy sources rely on is at risk.

The phone you’re scrolling on, the plane you’re flying on, the power to your house--all relies on software. And that software is made up of code. It works sort of like building blocks.

But anyone, even our foreign adversaries, can contribute their “block” or code to build that final software product.

Read: Rescue efforts underway for woman who may have fallen into sinkhole while looking for cat

They can contribute their “block” to the pile such as sites like GitHub, a developer platform where software developers from all over the globe can contribute code.

Fortress Information Security calls these bits of code a silent threat to the country’s critical infrastructure.

“That silent threat is all of those little compulsive components inside your software that that are lurking there. You may not have know about. You don’t know that they’re a problem, but they can be used to attack and infiltrate our systems,” said Bryan Cowan.

Cowan is a product manager at Fortress Information Security. This year, the company expanded their research—analyzing more than 2,000 software products that the country’s power grid, oil lines, and communication and other critical infrastructure rely on.

Read: Woman pleads guilty to deadly wedding night golf cart crash

They found 90 percent of these products rely on code components from Chinese developers.

“We know China is not our friends,” Cowan said. “We know that attackers are always looking for new ways into our systems. You know, as we have gotten better at protecting the front door, they’re trying to come in the side door. So that’s what these kinds of components help them do is say, hey, maybe I can’t get directly in, but if i can compromise one of these software components and that’s distributed to a lot of different systems, then i have lots of opportunities to try to get through.”

And if the code is compromised, hackers can use it to hold critical infrastructure at ransom.

Cowan said they found more than 9,000 vulnerabilities in the products. Majority of those tie back to just 20 pieces of code.

Read: Celebrity Equinox sails from Port Canaveral for the first time

“We know these problems are solvable. It takes some effort, some resources to be able to say if you’re you’re making the software needed to be doing everything that you can to prevent things from getting into things into your software to begin with,” Cowan said.

This research is a follow-up to what the company came out with last year.

This year, the company expanded its research to products beyond utilities-- but also gas, aerospace, and defense.

With that, the company says they did find more foreign influence with software.

Cowan said they are releasing this information publicly to spread awareness of the threats.

Click here to download our free news, weather and smart TV apps. And click here to stream Channel 9 Eyewitness News live.