Fortress creates center for security information on energy suppliers

Vendor library offers means to bolster supply-chain security through data sharing and communication.

A new library designed to be a centralized source of security information and communication for energy company suppliers was announced Tuesday by Fortress Information Security. The Asset to Vendor Library Trust Center is a project of Fortress, American Electric Power and Southern Company, and offers a way for suppliers to connect with their customers and provide information about their supply chain security practices.

The library is a supplier-centered marketplace with the ability to share and update cybersecurity information, as well as provide marketing materials for patrons. Vendors and original equipment manufacturers can control the information they provide their customers, such as security attestations, completed North American Transmission Forum questionnaires, and third-party certifications.

Suppliers can choose how to share their information in the library

Suppliers can choose to share information with everyone in the library or limit access to members who request it. Giving suppliers control over access to their information helps them solve the challenge many suppliers experience of receiving and exchanging security controls questionnaires from multiple prospects or clients. Each is phrased slightly differently but all are essentially the same.

"A lot of these vendors only play in this market," explains Betsy Soehren Jones, COO of Fortress, a provider of cyber risk management solutions for supply chains. "They're frustrated with having to fill out 3,000 copies of the same form and sending it to all their customers."

She added that the library is designed with security in mind. "All the transactions in the library are encrypted," Jones says. "Information flowing from the vendor and requests from customers to the vendor are done in a secure and protected manner."

"There are no analytics happening in the library itself," Jones says. "Once a customer requests something from the library, that transaction goes away. So, there are no records of who is using what part or where a part is installed. It would take an enormous amount of work to use the material in the library for malicious purposes."

Information from 40,000 companies in the library

Capabilities the Trust Center provides users include:

  • Compliance management and audit preparation questionnaires and surveys patterned to meet existing and emerging regulatory standards
  • Data-driven risk ranking that employs AI and open-source intelligence to determine the criticality and cyber maturity of supplier assets
  • Supplier validated product assessments that provide visibility on vulnerabilities, patch history, and security controls
  • Insights into the geopolitical relationships of suppliers, their products, and their fourth-party suppliers
  • Patented blockchain technology for securely sharing software and hardware bills of materials and analyses designed to uncover open-source vulnerabilities, product components, and geopolitical affiliations
  • Continuous monitoring of all active suppliers, their customers, and fourth party vendors

Some 40,000 companies have submitted information to the library, but more information is needed. "The Trust Center and Fortress are positioned to help the industry educate the vendor community on why this is needed and have them deposit their answers in the Trust Center," Jones says. "In the meantime, we understand that utility companies need to make business decisions, so what we will be doing in the interim is provide them with a data-driven reports compiled from open-source sources."

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)