One of the biggest challenges in supply chain security is being able to understand the security practices of suppliers and vendors and to assess the risks of granting them access to internal networks and client data. Organizations address this by having suppliers and vendors fill out questionnaires or complete security assessments, but items can be missed. And one of those missteps could result in an outage or a data breach.
Fortress Information Security is trying to solve this challenge by providing critical industry operators with up-to-date information about all the partners and suppliers they already work with or would potentially work with. The Asset to Vendor Library Trust Center is a central library of information from vendors and original equipment manufacturers (OEMs), such as security attestations, completed North American Transmission Forum (NATF) questionnaires, and third-party certifications. The platform helps critical industry organizations assess, manage, and address risks associated with vendors, assets, and software in their supply chains.
The idea is to give organizations access to this information without having to send over a questionnaire, and it allows vendors to provide their information once, instead of filling out the assessments over and over again for each partner relationship, says Betsy Soehren-Jones, chief operating officer at Fortress. Asset owners and suppliers can access information of over 40,000 companies and assess the impact of new cyberthreats.
There is interest in this kind of a centralized repository operated by a private entity: Fortress announced a $125 million investment from Goldman Sachs Asset Management on Tuesday to expand its archive of vendor information to include hardware and software bill of materials. The company previously raised $40 million across multiple funding rounds between 2015 and 2020.
“When we put our program together, it dawned on us that the relationships we had, other companies had as well,” Soehren-Jones says of her time at Exelon, one of the largest utility companies in the United States, before joining Fortress earlier this year. “How can we build a central library about the vendors and devices that we are all using?”
Supply Chain Attacks in Critical Industries
Supply chain attacks have been on the rise in recent years, with high-profile incidents such as the SolarWinds breach and the Kaseya attack. The dangers go beyond just IT systems when the supply chain attacks affect critical industries, such as power, energy, oil, gas, and water. The ransomware attack on Colonial Pipeline was not a supply chain attack – but the resulting disruption on gas delivery and supply highlighted just how susceptible critical industries are to attack.
Attackers are increasingly shifting their attention to suppliers instead of targeting organizations directly, the European Union Agency for Cybersecurity said in a report analyzing 24 supply chain attacks last year. Attackers focused on the suppliers’ code in 66% of the reported incidents, and 62% of the attacks exploited the trust of the organization in their suppliers and vendors, the report found. Additionally, 58% of the attacks targeted the suppliers to access customer data – the organization’s data.
“An organisation could be vulnerable to a supply chain attack even when its own defences are quite good,” ENISA said in the report.
Federal authorities and regulators are scrutinizing critical supply chains. The Cybersecurity and Infrastructure Security Agency (CISA) and the North American Electric Reliability Corporation (NERC) have released supply chain cybersecurity guidelines in the past year. However, relying on regulators is not enough because some critical industries – such as solar – are not regulated, Soehren-Jones says. And there is no overlap between different sectors; the rules and standards from electric are different from gas, for example, even though the two sectors depend on each other and likely share the same vendors.
“There are only a few meter companies – we are all probably using the same ones,” Soehren-Jones says.
The Fortress platform bridges the different industry sectors – oil, energy, water, power, and gas -- and gives organizations access to a more comprehensive set of data, Soehren-Jones says. The platform secures 40% of the U.S. power grid, substantial national defense-related assets, and critical manufacturing industries.
Expanding Risk Assessments
With the new investment, Fortress plans to increase the hardware bill of materials and software bill of materials information available in the library. One way is to encourage vendors to provide their own information. Another is to expand in-house lab capabilities to “tear down” each product and generating the bill of materials, Soehren-Jones says. Having the internal service is critical to having a complete set of information about the devices in use, especially since many of the devices critical industries rely on “have already been in the field for 10 years” or longer, she notes. Many of those manufacturers may not even be in business anymore.
Consider the case of a transformer. The in-house lab will look at all of the components that make up the transformer and log them in one place. If the unit has a communicative device inside, the teardown will find it, log it, and share the information with all the industry organizations using the platform. The hardware bill of materials will also be useful for finding out if the same component is being used across other devices.
"If we find out that there's a bad chip somewhere in one device, that chip most likely has been used in a lot of other devices. So not only are we going to be able to identify the manufacturer that it originally came from, but then we're going to also be able to understand the full scope of all of the devices that may have it," says Soehren-Jones.
“The depth and breadth of the Fortress platform are unmatched and we believe there is a meaningful opportunity to accelerate the expansion of the platform into compelling product adjacencies, including software and hardware bill of materials, workflow orchestration, and additional analytics and reporting capabilities,” said Will Chen, managing director within Goldman Sachs Asset Management, in a statement.
The ability to share the information will benefit organizations in two ways: to be able to make purchase decisions as well as to guide incident response activities, Soehren-Jones says. When an issue is identified, organizations have the daunting task of examining every possibility to assess their exposure. Having the bill of materials already in the library means organizations can just work down a list.
The platform will also focus on workflow orchestration, allowing organizations to get information about things that need to be fixed, provide a way to log the changes that were made, and generate an audit trail that can be shown to regulators to prove that the necessary steps were taken, Soehren-Jones says.
“Log4j is the quintessential business case [for software bill of materials],” Soehren-Jones says. “We are still scanning, and it can take up to a year to figure out all places we are impacted.”