Fortress File Integrity Assurance (FIA) Solution Enables NERC CIP-007 and CIP-010 Compliance as FBI & CISA Warn of Critical Infrastructure and Utility Threats  

FIA Combats “Volt Typhoon” Dwell Time in Networks 

 

ORLANDO, FL / February 20, 2024 – 

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have clearly warned that U.S. critical infrastructure is under attack. The three federal agencies outlined how “Volt Typhoon,” a group of threat actors working under the direction of the Chinese Communist Party (CCP), pose a serious challenge to operators of transportation, commerce, clean water, and electricity services. 

 

Volt Typhoon exploits online assets that have not been updated with the latest vulnerability patches. Fortress Information Security is working with America’s leading power companies to limit exposure from abroad by ensuring notification of security updates as soon as they are available. Fortress’s File Integrity Assurance (FIA) solution automates patch management and provides a mechanism to verify software identity and integrity prior to installation of a patch helping utilities lessen resources required to monitor patch sources and avoid malicious updates being introduced into utility companies’ assets. 

 

Additionally, FIA is an efficient and cost-effective way to support compliance with Critical Infrastructure Protection 007 & 010 (commonly known as CIP-007 and CIP-010) from the North American Electric Reliability Corporation, the industry-accepted security standards to regulate, enforce, monitor, and manage North America's Bulk Electric System (BES).  

 

“Both CIP-007 and CIP-010 compliance are vital for critical infrastructure companies, and we’ve provided a more cost-efficient means for many companies to meet the standards while still improving the security they desperately need,” said Fortress CEO and co-founder Alex Santos. “If one of America’s adversaries has used software to open a backdoor and get into a network, FIA will help security pros close the door.” 

 

Last year, Fortress researchers looked at the Software Bills of Materials (SBOMs) for more than 200 software products commonly used by US electric companies. 90 percent of that software contained component contributions from developers openly aligned to Russia or China. The study also discovered that Russian or Chinese-made code is 225% more likely to have vulnerabilities and 300% more likely to have critical vulnerabilities – the most dangerous vulnerabilities to systems and data. 

 

“Fortress research has shown that much of the software used by energy companies is NOT secure by design,” said Santos. “We learned from the SolarWinds attack in 2020 that software is an attack vector that America’s adversaries know how to manipulate to get beyond even our best traditional defenses. Volt Typhoon shows us that even smaller utilities, including those that don’t have to meet CIP standards, are being actively targeted by adversaries. Until we have better security products and solutions, all of us need to take extra steps to keep attackers off our routers, VPNs, modems, and software from those who want to lay in wait to attack us.” 

 

In the case of SMB network gear and traditional OT equipment, Fortress has found thorough our SBOM decompositions that the average open-source vulnerability is 1,485 days old. In this type of equipment, which was the target of Volt Typhoon, it is not uncommon for known vulnerabilities to exist in the software that runs critical operations and components for longer than four years without any attention from vendors, suppliers, or utility providers.  

 

FIA provides users an added layer of defense to protect against threat actors using known vulnerable software to get into your system. FIA users are alerted on average within a day of new updates being released. To prevent future watering-hole or malicious redirect style attacks, FIA also validates update authenticity so that download signatures of software updates are accurate and scans for malware in software updates are clean.  

 

For more information on FIA, click here to read about Fortress’s Software Supply Chain Security solutions. 

 

About Fortress 
Securing critical supply chains and cyber assets from evolving threats. 
Fortress. Absolutely Critical. 
https://www.fortressinfosec.com 

 

 

About NAESAD 
North American Energy Software Assurance Database (NAESAD): An industry-wide collaborative database to create and share Software Bills of Materials (SBOM) in products used by utilities across North America. NAESAD is led by several investor-owned utilities (including AEP, Southern, Xcel, and NiSource) and managed by Fortress Information Security to create a comprehensive SBOM library for common vendors and suppliers.