Industry-Wide Initiative Powered by Fortress Information Security Focuses on Delivering Software Bill of Materials for Every Critical Energy Technology

Orlando, FL

The U.S. utilities industry is banding together to help suppliers identify and remediate vulnerabilities in software managing mission-critical applications for the U.S. energy industry. Several investor-owned utilities – including American Electric Power and Avangrid – today partnered with Fortress Information Security (Fortress) to launch the North America Energy Supply Assurance Database (NAESAD) at the 2023 DistribuTECH Conference. NAESAD will provide the energy industry with a comprehensive Software Bill of Materials (SBOM) repository for every vendor.

Over the past several years, the SolarWinds and Log4j vulnerabilities have highlighted the need for a fundamental accounting of every software component used within the energy industry.

“The challenges for utilities and their supply chain partners are significant, but there is a clear path to mitigating critical risks,” said Alex Santos, CEO of Fortress, the supply chain cybersecurity leader for critical infrastructure. “Industry players must collaborate – from the smallest supplier to the largest utility. The SBOM for every critical product needs to be carefully analyzed to reveal, prioritize, and eliminate the vulnerabilities that pose the greatest threat to the U.S. energy industry.”

SBOMs provide the recipe of proprietary and open-source ingredients in the software that runs critical infrastructure technologies. SBOMs provide actionable information to purchasers so they can make informed decisions about software and help improve the security of applications. While many standards and guidelines require varying levels of software security, an effectively prepared and analyzed SBOM can be invaluable in meeting tomorrow's critical infrastructure application cybersecurity challenges.

NAESAD will securely aggregate SBOMs for every utility industry vendor. In close collaboration with forward-looking software providers, the repository will enable utilities to identify, triage, and remediate the most impactful and destructive risks. NAESAD is following the private-public partnership blueprint developed by the Cyberspace Solarium Commission.

Today’s NAESAD launch comes as regulators, policymakers, and utilities focus more on SBOMs. A triad of SBOM regulations and recommendations from the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards & Technology (NIST), the Office of Management and Budget (OMB), and a Presidential Executive Order has laid the groundwork for new SBOM requirements for companies that work with the U.S. Department of Energy, U.S. Department of Homeland Security, and other organizations responsible for U.S. critical infrastructure. Additional SBOM requirements for utilities and other critical industries are expected over the next year.

More details about how to join NAESAD and share SBOMs with utility partners can be found at

About Fortress Information Security

Fortress secures North America's power and defense supply chains from cyberattacks on operational and critical enterprise technologies. Fortress' proprietary technology platform orchestrates North America's most advanced cyber supply chain risk management and vulnerability management programs. Fortress operates the Asset to Vendor Network and the North American Energy Software Assurance Database, which give critical operators confidence that the products, services, and software they obtain from others are cyber-safe. Fortress is a Goldman Sachs portfolio company.