
File Integrity Assurance

Preventing Supply Chain Attacks
in Compliance with CIP-010-3 & CIP-013


Files are validated and stored in an immutable blockchain ledger using SHA-256, and delivered over TLS encryption from software source to distribution channel.

  • Chain of Custody/Tracking
  • Immutability (Distributed solution)
  • End to End secure delivery
  • Secure Credential Management
  • C.O.T.S. Sources
  • Open Source
  • Linux Repository processing
  • Operations Friendly
  • Firmware Analysis

IN THE NEWS

SUPPLY CHAIN ATTACKS


2020 - Kwampirs ICS Supply Chain Attack

2020 - Ripple20 Vulnerability

2020 - GoldenSpy Malware

2020 - CryptoAPI Vulnerability

2020 - HiSilicon/Xiongmai Backdoor

Software supply chain attacks are an efficient way for attackers to bypass traditional defenses and compromise large numbers of users and applications.

Designed in response to

NATF implementation guidance to CIP-010-3

CIP-010-3 - Cyber Security - Configuration Change Management and Vulnerability Assessments
CIP-010-3 Table R1 - Configuration Change Management

Part: 1.6

Applicable Systems:

  • High Impact BES Cyber Systems
  • Medium Impact BES Cyber Systems

Note: Implementation does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Part 1.6: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract.

Requirements:

Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1, 1.1.2 and 1.1.5, and when the method to do so is available to the Responsible Entity from the software source:

1.6.1. Verify the identity of the software source; and
1.6.2. Verify the integrity of the software obtained from the software source.

Measures:

An example of evidence may include, but is not limited to, a change request record that demonstrates the verification of identity of the software source and integrity of the software was performed prior to the baseline change, or a process which documents the mechanisms in place that would automatically ensure the identity of the software source and integrity of the software.

CIP-013-1 - Cyber Security - Supply Chain Risk Management

R1...The plan(s) shall include:...
R1.2 One or more process(es) used in procuring BES Cyber Systems that addresses the following as applicable...
1.2.5 Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and

CIP-010-3 and CIP-013-1 require that utilities have a process in place for verifying the source of the file and for validating the integrity of the file.

Fortress validates software products by monitoring the software vendor source and software for authenticity and integrity, consistent with the requirements in CIP 010-3-1, Sections 1.6.1 and 1.6.2.

FIA Interface

Designed for Turnkey CIP Compliance

The FIA interface provides full self-service capabilities and access to our team of experienced security analysts. Full audit details are available for all software sources and files validated this way for easy CIP compliance.

Products are reviewed daily to check for changes

The integrity and security characteristics of all software files are verified by validating code signatures, comparing cryptographic hashes, and analyzing files for malicious functionality using proprietary and industry-leading capabilities for malicious code prevention.

Software sources are validated by checking domain threat intelligence, the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Public Key Infrastructure (PKI) used for identity validation, and indications of Domain Name System (DNS) compromise.

Available On-Prem and in the Cloud

Server Comparison Table
