Today, Fortress Information Security (Fortress) will make the Asset to Vendor (A2V) Library free to all utility companies. The central library contains information that enables asset owners and suppliers to minimize the time and cost to process and assess the impact of cyber threats.
Fortress worked with more than 2,000 vendors to complete the North American Transmission Forum (NATF) cybersecurity assessment. These assessments consist of 250 questions and were developed and approved by the utility industry. To view materials from the A2V Library, utilities need a valid utility email address and a few registration details to vet the user’s requested access. Once registration is complete, the user will have a “free library card” and can begin to “check out” supply chain risk management content and analysis. The library card will give users access to peruse the vendors and products in the library, including high-level risk data about suppliers. Asset owners will receive 20 free NATF assessments upon providing their list of vendors.
This expansion of the A2V Library comes as the Department of Energy (DOE) is responding to President Biden’s Executive Order 14017 with a special program called the Energy Sector Industrial Base (ESIB). Specifically, the ESIB calls for the DOE to work with industry and “(a)ssess the installed base of digital components in critical energy systems to determine prevalence and prioritize cyber supply chain risks and mitigation actions.” The ESIB program recognizes the importance of the energy sector supply chain to national security in the United States. Fortress is committed to helping make the DOE’s newest program a success.
“The energy industry is a highly connected network where the companies use many of the same vendors and use the same kind of equipment to provide power to millions of Americans,” said Betsy Soehren-Jones, Chief Operating Officer at Fortress. “The best way for us to ensure that one company is secure and has met compliance standards is to give all companies the chance to be secure and compliant. By making the information in the A2V Library accessible for companies to preview, they will be able to determine exactly what kind of information applies to their environment to protect themselves from cyber threats and vulnerabilities.”
The A2V Library gives companies a defined set of tools to overcome security and compliance challenges associated with third-party risk management, all while reducing costs. Additional A2V Library features include:
- Validated product assessments that provide visibility on vulnerabilities, patch history, and security controls.
- Compliance management and audit preparation tools to enable effective documentation to regulatory standards such as North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards (CIP), National Defense Authorization Act (NDAA), and Cybersecurity Maturity Model Certification (CMMC).
- Insights into the geopolitical relationships of vendors, their products, and their 4th party suppliers.
- Data-driven risk ranking that uses AI and open-source intelligence to determine the criticality and cyber maturity of supplier assets to quickly prioritize vendors into tiers.
- Patented blockchain technology for securely sharing software and hardware bills of materials that are analyzed for open-source vulnerabilities, outdated components, and insights into component foreign ownership, control, or influence risk.
- Continuous monitoring of all active vendors and cyber assets on the network, with real-time security alerts when any vendor has an incident or new related vulnerabilities are discovered.
“We’re taking information sharing to a new level,” said Fortress’s Vice President of Strategy and Policy Tobias Whitney. “Fostering a community of like-minded asset owners and vendors to secure critical infrastructure supply chains is a huge undertaking. I was humbled by the opportunity to help facilitate activities to be part of the solution.”
The A2V Library was first unveiled to the A2V Governance Committee members during their December meeting in Orlando, FL. The A2V Governance Committee includes:
- Burns & McDonnell
- Florida Power & Light
- Florida Municipal Power Agency
- GE Renewable Energy
- Idaho National Laboratory (INL)
- International Society of Automation (ISA)
- National Renewable Energy Laboratory (NREL)
- Schweitzer Engineering Laboratories
- SERC Reliability Corporation
- Southwestern Power Administration
- Southwest Power Pool
- U.S. Chamber of Commerce
- Western Area Power Administration