fbpx

Power utilities share cyber security challenges

Collaboration is the answer!

INTRODUCING THE ASSET TO VENDOR NETWORK (A2V)

Asset to Vendor Network Logo

A mutual assistance platform for third party and asset risk management teams

Are you ready for NERC CIP-013? 

Take the CIP-013 Challenge and find out!

What is your plan to address vendor incidents, remote access, vulnerabilities and patch verification? Take the CIP-013 Challenge and find out if you’ll be ready in time.

Level Up Compliance

A2V achieves security beyond compliance

requirements_icon

Access the latest and greatest in emerging industry requirements

information_icon

Receive instant industry information and continuous updates

cost_icon

Reduce costs with our sharing model
50% SAVINGS

A2V is a network of power utilities who benefit from:

  • Shared costs of vendor risk assessments
  • Cyber asset vulnerability patches
  • Solutions to reduce duplication
  • Compliance requirements

Check your preparedness
Take the CIP-013 Challenge!

Select the time estimated for each step in the compliance process and find out whether your program will be ready in time for the July 1, 2020 deadline.

DONE?
BUDGETED TIME
ESTIMATED COMPLETION DATE
ACTIVITY
Step 1: Establish CIP-013 scope and draft "supply chain cyber security risk management plan"
  • Estimate volume for procurements related to medium and high impact BES Cyber Systems.
  • Identify steps your organization will take to "identify and assess cyber security risk."
  • Decide how risk will be assessed (see A2V risk identification and assessment methodology).
REFERENCES:
NERC CIP-013-1 NATF implementation guidance, NATF supplier criteria, EEI model procurement language
Step 2: Establish how you will comply with NERC CIP-010 R1.6, verification of software source/authenticiy and integrity REFERENCES:
NERC CIP-10-3 , CIP-010-3 NATF Software Integrity & Authenticity
Step 3: Get Internal approvals on the plan Coordinate between procurement, supply chain, legal, operations, risk management/compliance, and ensure consistency in scoping CIP-013 products and services and related vendors, RACI diagram or flowchart, system of reocrd, upcoming renewals, installation risk analysis
Step 4: Decide on build versus buy; select partner Partner investigation, competitive bidding, review partner proposals and pricing, compare versus internal costs and capabilites, contracting
Step 5: Implement solution Launch system of record, execute processes, set recurring status meetings for stakeholders
Step 6: Validate effective process Perform internal audits on the process and implement remediations

Asset to Vendor Network

Delivering outcomes in a simple process

risk_icon

Risk Identifications

Utility determines the right level of assessment – for the vendor and the product.

A2V offers risk ranking analytics.

assessment_icon

Assessment Selection

Utility submits the list of vendors requiring assessments.

Assessment Availability and Scheduled or Not Scheduled status is appended with respective dates.

Utility selects which assessments to order-purchasing existing or mastering new.

vendor_icon

Vendor Engagement

Consent to share assessments is obtained by A2V vendors.

For new assessments, A2V works with vendors to complete.

New assessments (Masters) generate royalties of 75%, 65% and 50% on 1st, 2nd and 3rd+ sells, respectively.

Completed assessments are uploaded into the utility’s instance of the Fortress Platform, the A2V compliance system.

A2V Assessment products

How does A2V compare to other assessment products?

Asset to Vendor Network Logo

A2V is aligned to industry guidance for risk identification and assessment methodologies, especially to CIP-013-1.

Why vendor assessments?

NATF points out that “the ERO has endorsed the practice of a Responsible Entity obtaining an independent assessment of the vendor’s production of BES Cyber Systems and/or related services as a means of complying with CIP-013-1.” NATF suggests:

  1. Asking vendors to provide independent assessments.
  2. Evaluating the auditor’s qualifications and cyber security framework used to perform the assessment.
  3. Evaluating the scope and results of the assessment.
  4. Documenting the process, conclusions and mitigating actions.
Assessment Products Comparison
Asset to Vendor Network Logo

Founding utility members ensure the continued relevancy of A2V services to users of industrial control systems (ICS)

American Electric Power

A2V is committed to helping American Electric Power and other leading utilities

A2V in the News

Forbes Logo

NEW PLATFORM AIMS TO HELP PROTECT POWER GRID FROM CYBER THREATS

Organizations of all sizes and across all industries are under siege from cyber threats around the clock. Cybersecurity is a concern for every business, however, not all targets have equal value necessarily. Companies that form…

TD World logo

AEP, FORTRESS COLLABORATE TO SECURE THE U.S. POWER GRID

Fortress Information Security has launched the Asset to Vendor Network for Power Utilities (A2V), a joint venture with American Electric Power.  A2V is designed to address concerns about protecting the U.S. power grid from cyber…

techspective logo

FORTRESS INFORMATION SECURITY STRIVES TO HELP PROTECT CRITICAL INFRASTRUCTURE

Fortress Information Security has launched the Asset to Vendor Network for Power Utilities (A2V), a joint venture with American Electric Power.  A2V is designed to address concerns about protecting the U.S. power grid from cyber…

HOW TO MODERNIZE THE ELECTRIC INDUSTRY

The U.S. electrical grid is old, essential, and under a lot of stress. Plenty of efforts are being made to modernize where we get our energy from, how we transmit it, and – in the event of cyberattacks –  how we secure it…

Request a Demo

Request to speak to a solution specialist or schedule a demonstration.

Asset to Vendor Network Logo

Fortress Information Security
189 S. Orange Ave.
Suite #1950
Orlando, FL 32801

Copyright © 2020 Fortress Information Security. All rights reserved. Privacy Policy