“In developing these principles, the United States is issuing a collective call to action for ICS suppliers and end users across the globe to support and adopt the principles. The principles characterize the best practices that are exhibited today by cybersecurity leaders in the energy industry and can help to create shared expectations that ripple throughout the supply chain, informing and lifting manufacturers and owners and operators with less mature supply chain risk management efforts.” - DOE Cybersecurity Principles Document
Introduction
Third-party and supply chain attacks are becoming more prevalent. This is increasingly apparent to energy sector organizations who own and operate critical infrastructure and manage thousands of vendors in their ecosystem. With the accelerated shift to clean energy, decarbonization goals, asset digitization, and new technologies, many new vendors are quickly entering their ecosystems, introducing additional cyber risk.
With respect to product security, products and systems may contain many components and subcomponents which can be sourced from various suppliers and from open-source repositories. As the components are integrated into complex systems in IT/OT/IoT environments, there are multiple layers of suppliers, components, software, etc., that all carry their own set of risks. Cyber threats facing the electric grid are continuing to grow and have reached an all-time high.
The Department of Energy’s Supply Chain Cybersecurity Principles
On June 18, 2024, the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) released new Supply Chain Cybersecurity Principles developed in collaboration with leading ICS manufacturers, asset owners, and the Idaho National Laboratory. These principles establish best practices for cybersecurity throughout the supply chain. The principles are viewed from two perspectives – that of the supplier and that of the end user.
Several prominent critical infrastructure manufacturers who serve the energy sector have expressed support for the principles, including GE Vernova, Schneider Electric, Hitachi Energy, Schweitzer Engineering Laboratories, and Siemens Energy, to name a few.
Fortress Enables Adoption of Supply Chain Cybersecurity Principles
Fortress is a trusted advisor and partner for many energy companies and utilities across North America. Throughout the years, Fortress has created purpose-built solutions to tackle complex problems around managing cybersecurity supply chain risk. Fortress solutions leverage the DOE’s supply chain cybersecurity principles to address many of the industry concerns around software transparency and trust, proactive vulnerability management, third-party risk, and regulatory compliance.
Impact-Driven Risk Management
Supply Chain Cybersecurity Principle: Embed consideration of impacts, specifically including those in your own upstream supply chains, throughout the entire systems engineering lifecycle, seeking to manage risks to functions that are aided by digital technologies.
How can Fortress Help?
Within the Fortress Platform, we can establish inherent risk profiles for your vendors by understanding the technologies, connectivity, access, type of services, and scope of engagement. By considering the impact a vendor may present to your organization, you can apply better security risk management techniques. Additionally, through our AI Monitoring Solution, Fortress can monitor your suppliers for supply chain risks and service disruptions or other threat intelligence.
Framework-Informed Defenses
Supply Chain Cybersecurity Principle: Incorporate appropriate principles and practices from recognized cybersecurity frameworks into the design of your organization’s defenses of its critical functions, infrastructure, and information.
How can Fortress Help?
Not only should asset owners incorporate appropriate principles and practices from recognized cybersecurity frameworks, but you should also ensure that your suppliers follow the same frameworks. Fortress’ vendor control assessments help identify, assess, and remediate cybersecurity risks as they relate to commonly used cybersecurity frameworks, such as NIST CSF, ISO27001, SOC2 and NATF.
Cybersecurity Fundamentals
Supply Chain Cybersecurity Principle: Follow relevant domain-specific regulations and international standards and consider secure and cyber-informed engineering and design principles, to employ products and services in a secure manner, taking into account accumulated technical and security debt.
How can Fortress Help?
Fortress offers a comprehensive set of solutions around Cybersecurity Supply Chain Risk Management (C-SCRM) and provides the risk data in a single pane of glass within the Fortress Platform. Fortress streamlines operations by offering a stack of solutions centrally, in one place, provided by one vendor. Fortress also offers a File Integrity Assurance (FIA) solution that helps eliminate security debt by tracking and managing security patches and verifying the software’s integrity and authenticity.
Secure Development and Implementation
Supply Chain Cybersecurity Principle: Engage with suppliers to understand the security features and controls of their offering to ensure they are adequate for your intended purpose or identify necessary compensating controls.
How can Fortress Help?
Fortress offers product security assessments, standard vendor controls assessments, and data-driven product assessments, which allow us to understand the security features and controls that the vendor deploys, as well as those of the products you may be procuring.
Transparency & Trust Building
Supply Chain Cybersecurity Principle: Include contractual language for those terms, conditions, and testing requirements that will influence your security outcomes, and which you are able and willing to enforce.
How can Fortress Help?
Fortress supports our customers with Software Bill of Materials (SBOM) and Hardware Bill of Materials (HBOM) generation, analysis, and reporting. This provides the utmost transparency into the products you may be procuring while establishing a level of trust with your supplier.
Fortress provides contractual reviews that assist our customers with inserting specific cybersecurity terms and conditions and reviewing security supplements to ensure desired security objectives are contained within contracts with vendors.
Implementation Guidance
Supply Chain Cybersecurity Principle: Develop and maintain appropriately secure operating environments, following suppliers’ hardening and secure implementation guidance.
How can Fortress Help?
Fortress offers both data-driven product assessments and product security questionnaires which target how devices can be appropriately secured within our customers’ environments, in alignment with the supplier’s hardening and implementation guidance. As an additional layer to ensure secure configuration, our vulnerability management module can then scan these connected devices to verify that the proper levels of security hardening have been applied.
Lifecycle Support & Management
Supply Chain Cybersecurity Principle: Conduct business planning and provide resources to acquire, maintain (including patch management and fixes recommended by the supplier), and replace equipment through its lifecycle, considering continued availability of supplier technical support.
How can Fortress Help?
Fortress offers a File Integrity Assurance (FIA) solution that helps track and manage security patches and verify the software’s integrity and authenticity.
Fortress provides contractual reviews that assist our customers with inserting specific cybersecurity terms and conditions and reviewing security supplements to ensure desired security objectives are contained within contracts with vendors.
Proactive Vulnerability Management
Supply Chain Cybersecurity Principle: Maintain a risk-informed vulnerability management process that aligns with the supplier’s published process for responsible disclosure of vulnerabilities discovered through use of their products.
How can Fortress Help?
Fortress offers a comprehensive vulnerability management solution for OT, IT, and IoT devices that allows for context-based prioritization; increased collaboration and accountability via an action center; dashboards, reporting, and workflows that provide metrics to demonstrate value; and centralization of the asset inventory.
Fortress AI Monitoring tracks vendors and products for newly released vulnerabilities so they can be proactively identified and addressed, ensuring efficient mitigation of cyber risks.
Proactive Incident Response
Supply Chain Cybersecurity Principle: Proactively coordinate supplier support during response to incidents involving their products or services.
How can Fortress Help?
Once supplier incidents are identified, the Fortress Platform can assist with response actions via managing communications using our vendor portal, or by initiating campaigns to understand the breadth and depth of incidents affecting your suppliers or how they may in turn affect their supply chain.
Business & Operational Resilience
Supply Chain Cybersecurity Principle: Continually improve your organization and its practices by adaptation from observations, insights, and lessons learned from ongoing operations, supplier experiences, and incident response.
How can Fortress Help?
Fortress is a trusted advisor and partner for many energy companies and utilities across North America. Being a trusted advisor and lending support to our customers’ C-SCRM, procurement, and TPRM business units, we continually help to mature and improve organizational practices and continue to learn from industry trends and best practices.
Fortress holds an annual Critical Infrastructure Security Consortium with representatives from across critical infrastructure, where we meet to discuss the latest industry risks and provide a forum for industry SMEs to collaborate.