File Integrity Assurance
Preventing Supply Chain Attacks
in Compliance with CIP-010-3 & CIP-013
Validated and stored in an immutable blockchain ledger using SHA-256 and delivered over TLS encryption from software source to distribution channel
- Chain of Custody/Tracking
- Immutability (Distributed solution)
- End-to-end secure delivery
- Secure Credential Management
- C.O.T.S. Sources
- Open Source
- Linux Repository processing
- Operations Friendly
- Firmware Analysis
IN THE NEWS
SUPPLY CHAIN ATTACKS
2020 - Kwampirs ICS Supply Chain Attack
2020 - Ripple20 Vulnerability
2020 - GoldenSpy Malware
2020 - CryptoAPI Vulnerability
2020 - HiSilicon/Xiongmai Backdoor
Software supply chain attacks are an efficient way for attackers to bypass traditional defenses and compromise large numbers of users and applications at once.
Designed in response to
NATF implementation guidance for CIP-010-3
High Impact BES Cyber Systems
Medium Impact BES Cyber Systems
Note: Implementation does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Part 1.6: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract.
Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1, 1.1.2 and 1.1.5, and when the method to do so is available to the Responsible Entity from the software source:
An example of evidence may include, but is not limited to, a change request record that demonstrates that verification of the identity of the software source and of the integrity of the software was performed prior to the baseline change, or a process which documents the mechanisms in place that would automatically ensure the identity of the software source and the integrity of the software.
R1...The plan(s) shall include:...
R1.2 One or more process(es) used in procuring BES Cyber Systems that addresses the following as applicable...
1.2.5 Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
CIP-010-3 and CIP-013-1 require that utilities have a process in place for verifying the source of the file and for validating the integrity of the file.
Fortress validates software products by monitoring the software vendor source and the software itself for authenticity and integrity, consistent with the requirements in CIP-010-3, Sections 1.6.1 and 1.6.2.
Designed for Turnkey CIP Compliance
The FIA interface provides full self-service capabilities and access to our team of experienced security analysts. Full audit details are available for all software sources and files validated this way for easy CIP compliance.
Products are reviewed daily to check for changes
The integrity and security characteristics of every software file are verified by validating code signatures, comparing cryptographic hashes against the vendor-published values, and analyzing files for malicious functionality using proprietary and industry-leading malicious code prevention capabilities.
Software sources are validated by checking domain threat intelligence, verifying the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Public Key Infrastructure (PKI) certificate chain for identity validation, and looking for indications of Domain Name System (DNS) compromise.
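As an added illustration (not Fortress's code or product), here is a Python sketch of the file-side checks described above: compare the obtained file's SHA-256 against the vendor-published digest, then write the result into a hash-chained, append-only chain-of-custody ledger so that tampering with an earlier record is detectable on audit. The vendor URL, file name and digest are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample: a "vendor patch" and the SHA-256 the vendor publishes for it.
PATCH_BYTES = b"example-ics-firmware-update-v2.3\n"
VENDOR_SHA256 = hashlib.sha256(PATCH_BYTES).hexdigest()  # stands in for the vendor-published digest
GENESIS = "0" * 64  # prev_hash of the first ledger record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_file(data: bytes, expected_sha256: str) -> bool:
    """Integrity check: does the file obtained match the digest the vendor published?
    compare_digest avoids timing side channels when comparing the hex strings."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def append_record(ledger: list, source: str, filename: str, data: bytes, expected: str) -> dict:
    """Append a chain-of-custody record. Each record hashes the previous record's hash,
    so altering or deleting any earlier record invalidates every later record_hash."""
    prev_hash = ledger[-1]["record_hash"] if ledger else GENESIS
    body = {
        "seq": len(ledger),
        "source": source,
        "file": filename,
        "sha256": sha256_hex(data),
        "integrity_ok": verify_file(data, expected),  # failures are recorded too, for audit
        "prev_hash": prev_hash,
    }
    body["record_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    ledger.append(body)
    return body


def verify_ledger(ledger: list) -> bool:
    """Recompute every link; returns False if any record was altered, removed or reordered."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        if rec["seq"] != i or rec["prev_hash"] != prev:
            return False
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if not hmac.compare_digest(recomputed, rec["record_hash"]):
            return False
        prev = rec["record_hash"]
    return True
```

A change request record for a baseline change would then cite the ledger entry's `record_hash`, and an auditor re-runs `verify_ledger` over the exported ledger.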