
Frequently Asked Questions

Essential industries are facing more cybersecurity threats emanating from the supply chains that underlie them. As a result, companies on the frontline of critical infrastructure need better data and analytics to understand threats and tools to defend themselves.

Fortress Information Security is a supply chain cybersecurity provider that helps secure 40% of the US power grid and critical assets, as well as enterprises in other sectors such as aerospace and defense, manufacturing, telecoms, pharmaceuticals, transportation, and insurance.

Why are supply chain cyberattacks a growing trend within cybersecurity?

Modern, efficient supply chains create vast economic and social benefits, but they also bring risks. Organizations can lose sight of where the software and physical components in the products they provide actually come from. This results in increased exposure to network intrusions, hacks, and more sophisticated cyberattacks, which puts information, critical infrastructure, and global supply chains at risk. Industries that make up the critical infrastructure sector—electric, oil and gas, waste and water—are especially desirable targets. Although many companies in those sectors have robust security and can keep out potential adversaries, doing so becomes much harder when the adversary arrives through a trusted relationship. That is why third parties, usually vendors, are so often the weak point.

Where are the biggest vulnerabilities in critical infrastructure?

The private sector owns or runs about 85% of US critical infrastructure. Many large corporations and government entities have done an excellent job of protecting themselves from direct cyberattacks. However, there are thousands of small and medium-sized enterprises that support the large organizations that manage critical infrastructure. These smaller companies supply products or components as complex as nuclear power generators or as mundane as air conditioning systems. Yet they have access to large critical infrastructure entities, even if it is only via the accounting system used to submit bills and receive invoice payments. In many cases, these supply chain partners have limited cyber defenses and offer back doors for hackers, criminals, and even nation-states to launch attacks against our nation's critical assets. These partners are the first place that threat actors look when trying to find a backdoor. They usually do not have security like a Fortune 500 company because they cannot afford it. Why break in through the front door where all the security is when you can find an unguarded door in the back?

How can SMEs make strategic investments for their future operations?

It starts with visibility. Small businesses need to understand where all the building blocks for their products—both from a hardware and a software perspective—come from. Once they have a full blueprint of the foundational components that comprise their solutions, companies can determine risks. Second, it requires industry collaboration. Large businesses share many of the same suppliers. For example, in the energy sector, utilities all work with many of the same several hundred vendors. These organizations must share information, data, and analysis about potential threats and risks they have identified to enable proactive cybersecurity programs. Fortress has a central repository of information—the Asset to Vendor (A2V) Marketplace—that enables asset owners and suppliers to minimize the time and cost to process and assess the impact of cyber threats. Our A2V Library is a unique community for information sharing and collaboration, providing clients with access to more than 40,000 vendors and millions of assets. Going forward, we plan to develop this offering for all critical infrastructure sectors, providing a comprehensive set of tools to overcome supply chain security and compliance challenges associated with third-party risk management, all while reducing costs.

How are public and private sector stakeholders addressing national security issues stemming from supply chain vulnerabilities?

As critical industries increasingly face cybersecurity threats directed toward the supply chains that underlie them, all corners of the federal government and private sector have quickly recognized that securing critical supply chains is a national security issue. In the past few years, authorities such as the Cybersecurity and Infrastructure Security Agency (CISA) and the North American Electric Reliability Corporation (NERC) have released supply chain cybersecurity guidelines. However, companies are dealing with enormous regulatory burdens. US lawmakers and regulators have implemented, and continue to conceive, new supply chain risk management rules that impose very complex requirements on all government suppliers, contractors, and grantees. Effective compliance can be time-consuming and costly for companies without a partner that understands both the threat and the regulatory environment.

How does Fortress help organizations fight back and find ways to establish effective control and oversight of their supply chains?

Fortress enables companies to assess, mitigate, and remediate risks associated with vendors, assets, and software in their supply chains. The company's solution was co-developed with leading electric utilities and has since grown into a consortium tool for the US electric utility industry led by leading anchor customers, comprising five of North America's ten largest investor-owned utilities. The business is positioned to replicate its success in the utility sector across all critical industries, including oil and gas, transportation, waste and wastewater, financial services, and healthcare. Our platform is a software solution that automates supply chain management functions including risk assessments, workflows, data processing and analytics, continuous monitoring, and regulatory reporting. By doing so, we enable government and business leaders to tackle the significant challenge of securing products and solutions built with thousands of components manufactured by companies across dozens of countries.

How do you see the cybersecurity industry evolving from here? What risks are on the horizon and how can organizations best prepare for, respond to, and recover from the next line of attacks?

The most recent Cybersecurity and Infrastructure Security Agency (CISA) budget cited the need to protect critical software through enhanced security measures as one of the four core reasons for an FY 2023 budget increase of more than $500 million. The spending package represents the growing efforts to address the spate of cyberattacks on key organizations and industries. Looking ahead, we believe critical infrastructure providers and policymakers must outline specific standards that enable developing and reviewing a Software Bill of Materials (SBOM)—a formal, machine-readable inventory of software components and dependencies—to minimize cyber risk among complex supply chains. While many standards and guidelines require varying levels of software security, we believe Fortress is uniquely positioned to work with industry and government to implement a practical standard for preparing and analyzing SBOMs to meet today’s critical infrastructure cybersecurity threats.
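To make the SBOM definition above concrete, here is an added example (not Fortress's code and not from the original page) that reads a minimal SBOM in the CycloneDX JSON layout and checks each listed component against an advisory list. The component names, versions, `pkg:generic` package URLs and the `ADV-EXAMPLE-*` advisory identifiers are all constructed sample values; a real review would key on the package URL and draw advisories from a vulnerability feed.

```python
"""Minimal SBOM consumer: load a CycloneDX-style JSON SBOM and flag
components whose version falls inside an advisory's affected range.

Added illustration, not Fortress's code. The SBOM document, the advisory
list, the version numbers and the advisory ids are constructed sample data.
"""
import json

# Constructed sample SBOM using the CycloneDX JSON layout
# (bomFormat / specVersion / metadata.component / components).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"type": "application", "name": "meter-gateway", "version": "2.3.0"}
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "purl": "pkg:generic/libfoo@1.2.0"},
        {"type": "library", "name": "tlslib", "version": "3.0.1",
         "purl": "pkg:generic/tlslib@3.0.1"},
        {"type": "library", "name": "jsonparse", "version": "0.9.4",
         "purl": "pkg:generic/jsonparse@0.9.4"},
    ],
})

# Constructed advisory list: (component name, first affected version,
# first fixed version, placeholder advisory id). Affected range is [introduced, fixed).
ADVISORIES = [
    ("tlslib", "3.0.0", "3.0.2", "ADV-EXAMPLE-001"),
    ("jsonparse", "0.9.0", "0.9.4", "ADV-EXAMPLE-002"),  # 0.9.4 is the fix, so no hit
]


def parse_version(version):
    """Turn a dotted version such as '1.2.0' into a comparable tuple of ints.
    The sample data only uses plain dotted integers; real ecosystems need
    their own version-ordering rules."""
    return tuple(int(part) for part in version.split("."))


def load_sbom(text):
    """Parse the SBOM text and reject anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if not isinstance(doc.get("components"), list):
        raise ValueError("SBOM has no components list")
    return doc


def find_affected(sbom):
    """Return (purl, advisory id) pairs for every component inside an affected range."""
    hits = []
    for comp in sbom["components"]:
        version = parse_version(comp["version"])
        for name, introduced, fixed, adv_id in ADVISORIES:
            if comp["name"] != name:
                continue
            if parse_version(introduced) <= version < parse_version(fixed):
                hits.append((comp.get("purl", comp["name"]), adv_id))
    return hits


def audit(text):
    """Convenience wrapper: parse the SBOM text and return the affected components."""
    return find_affected(load_sbom(text))


if __name__ == "__main__":
    for purl, adv_id in audit(SAMPLE_SBOM):
        print(f"{purl}: affected by {adv_id}")
```

Running the block prints one line for `tlslib` 3.0.1, which sits inside the constructed advisory's affected range; `jsonparse` 0.9.4 is exactly the fixed version and is correctly left out. The same loop, fed an organization's real SBOMs and a maintained advisory feed, is the mechanical core of the "analyzing SBOMs" step the answer above describes.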

About Fortress Information Security

Fortress Information Security secures critical industries from cybersecurity and operational threats stemming from vendors, assets, and software in their supply chains. Fortress is the only end-to-end platform that connects intelligence surrounding vendors, information technology and operational technology assets, and software through a holistic, fit-for-purpose approach. Fortress has also partnered with its customers and suppliers to form the Asset-to-Vendor (A2V) network, which facilitates the secure and seamless exchange of asset information and security intelligence, enabling collaborative workflows to better understand and remediate potential issues. Fortress serves critical industries such as energy, government, aerospace & defense, critical manufacturing, industrial automation, automotive, and healthcare.