CRITICAL INFRASTRUCTURE. SECURED.
Essential industries are facing more cybersecurity threats emanating from the supply chains that underlie them. As a result, companies on the frontline of critical infrastructure need better data and analytics to understand threats and tools to defend themselves.
Fortress Information Security is a supply chain cybersecurity provider that helps secure 40% of the US power grid and critical assets, as well as enterprises in other sectors such as aerospace and defense, manufacturing, telecoms, pharmaceuticals, transportation, and insurance.
Q: Why are supply chain cyberattacks a growing trend within cybersecurity?
A: Modern, efficient supply chains can create vast economic and social benefits, but they also bring risks. Organizations can sometimes lose control of the software and physical components for the products they provide. This results in increased vulnerability to network intrusions, hacks, and more sophisticated cyberattacks, which puts information, critical infrastructure, and global supply chains at risk. Industries that make up the critical infrastructure sector—electric, oil and gas, waste and water—are more desirable targets. Although many companies in those sectors have robust security and can keep out potential enemies, doing so becomes more difficult when your enemies look like friends. That’s why third parties, usually vendors, are so at risk.
Q: Where are the biggest vulnerabilities in critical infrastructure?
A: The private sector owns or runs about 85% of US critical infrastructure. Many large corporations and government entities have done an excellent job of protecting themselves from direct cyberattacks. However, there are thousands of small and medium sized enterprises that support the large organizations that manage critical infrastructure. These smaller companies supply products or components as complex as nuclear power generators or mundane as air conditioning systems. Yet, they have access to large critical infrastructure entities even if it is just via the accounting system to submit bills and receive invoice payments. In many cases, these supply chain partners have limited cyber defenses and offer back doors for hackers, criminals, and even nation-states to launch attacks against our nation’s critical assets. These partners are the first place that threat actors look when trying to find a backdoor. They usually don’t have security like a Fortune 500 company because they can’t afford it. Why break in through the front door where all the security is when you can find an unguarded door in the back?
Q: How can SMEs make strategic investments for their future operations?
A: It starts with visibility. Small businesses need to understand where all the building blocks for their products—both from a hardware and a software perspective—come from. Once they have a full blueprint of the foundational components that comprise their solutions, companies can determine risks. Second, it requires industry collaboration. Large businesses share many of the same suppliers. For example, in the energy sector, utilities all work with many of the same several hundred vendors. These organizations must share information, data, and analysis about potential threats and risks they have identified to enable proactive cybersecurity programs. Fortress has a central repository of information—the Asset to Vendor (A2V) Marketplace—that enables asset owners and suppliers to minimize the time and cost to process and assess the impact of cyber threats. Our A2V Library is a unique community for information sharing and collaboration, providing clients with access to more than 40,000 vendors and millions of assets. Going forward, we plan to develop this offering for all critical infrastructure sectors, providing a comprehensive set of tools to overcome supply chain security and compliance challenges associated with third-party risk management, all while reducing costs.
Q: How are public and private sector stakeholders addressing national security issues stemming from supply chain vulnerabilities?
A: As critical industries increasingly face cybersecurity threats directed toward the supply chains that underlie them, all corners of the federal government and private sector have quickly recognized that securing critical supply chains is a national security issue. In the past few years, authorities such as the Cybersecurity and Infrastructure Security Agency (CISA) and the North American Electric Reliability Corporation (NERC) have released supply chain cybersecurity guidelines. However, companies are dealing with enormous regulatory burdens. US lawmakers and regulators have implemented and are continuing to conceive new supply chain risk management rules that have and will impose very complex requirements for all government suppliers/contractors/grantees. Effective compliance can be time-consuming and costly for companies without a partner that understands both the threat and regulatory environment.
Q: How does Fortress help organizations fight back and find ways to establish effective control and oversight of their supply chains?
A: Fortress enables companies to assess, mitigate, and remediate risks associated with vendors, assets, and software in their supply chains. The company’s solution was co-developed with leading electric utilities and has since grown into a consortium tool for the US electric utility industry led by leading anchor customers, comprising five of North America’s ten largest investor-owned utilities. The business is positioned to replicate its success in the utility sector across all critical industries including oil and gas, transportation, waste and wastewater, financial services, and healthcare. Our platform is a software solution that automates supply chain management functions including risk assessments, workflows, data processing data and analytics, continuous monitoring and regulatory reporting. By doing so, we enable government and business leaders to tackle the significant challenge of securing products and solutions built with thousands of components manufactured by companies across dozens of countries.
Q: How do you see the cybersecurity industry evolving from here? What risks are on the horizon and how can organizations best prepare for, respond to, and recover from the next line of attacks?
A: The most recent Cybersecurity and Infrastructure Security Agency (CISA) budget cited the need to protect critical software through enhanced security measures as one of the four core reasons for an FY 2023 budget increase of more than $500 million. The spending package represents the growing efforts to address the spate of cyberattacks on key organizations and industries. Looking ahead, we believe critical infrastructure providers and policymakers must outline specific standards that enable developing and reviewing a Software Bill of Materials (SBOM)—a formal, machine-readable inventory of software components and dependencies—to minimize cyber risk among complex supply chains. While many standards and guidelines require varying levels of software security, we believe Fortress is uniquely positioned to work with industry and government to implement a practical standard for preparing and analyzing SBOMs to meet today’s critical infrastructure cybersecurity threats.
About Fortress Information Security
Fortress Information Security secures critical industries from cybersecurity and operational threats stemming from vendors, assets, and software in their supply chains. Fortress is the only end-to-end platform that connects intelligence surrounding vendors, information technology and operational technology assets, and software through a holistic, fit-for-purpose approach. Fortress has also partnered with its customers and suppliers to form the Asset-to-Vendor (A2V) network, which facilitates the secure and seamless exchange of asset information and security intelligence, enabling collaborative workflows to better understand and remediate potential issues. Fortress serves critical industries such as energy, government, aerospace & defense, critical manufacturing, industrial automation, automotive, and healthcare.