Foreign Adversary Supply Chain Assessment
Provides insight into the foreign affiliations of bulk power system product suppliers
US Executive Order #13920 signed – May 1, 2020
Blocks the installation of bulk-power system (BPS) electric equipment that was designed, developed, manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries of the United States.
Countries of concern:
A Look into How We Gathered This Information
Provenance Assessment Methodology
Corporate entities are assessed for their association with any national or global watchlists, such as lists from the Office of Foreign Assets Control (OFAC), the European Union (EU) Consolidated List, Foreign Agents Registrations, the United Nations Consolidated List, and more. A third-party tool is used to perform this scan. Country affiliation with relation to the list is captured.
A corporation’s cyber assets (IP addresses) are identified and geolocated to their affiliated city and country location. The countries in which assets are found are then compared for global risk matches.
Corporate physical locations are searched using publicly available sources, including but not limited to the vendor website, job board queries (such as a careers page), and other third-party tools. Each country a vendor is located in is then captured. The primary source is the company’s location page. If one does not exist then the careers page is utilized. If there is no additional information on this page, third-party tools are utilized to assess physical presence.
All observable branches of an organization are found using a third-party tool for corporate hierarchy search, including parent, sisters, and subsidiaries. Then, each branch is identified with city and country headquarters location.
Foreign ownership of public corporate entities is assessed from 13D & 13G filings. These filings signify a >5% threshold of ownership and whether the invested entity intends to be a proactive or passive shareholder, respectively. Using this register, any ownership information is recorded. Information is then gathered about the significant foreign institutional and individual shareholders. Headquarters/person location is then evaluated. For private companies, the company website and additional third-party tools are assessed for direct ownership, indirect ownership, and major investors. Headquarters locations of these entities are then evaluated.
Merger & Acquisition
The organization’s history of Merger and Acquisition (M&A) activity is scanned through the Fortress continuous monitoring database for all. The country of all affiliated parties for M&A activity is included. All results are aggregated, with specific notes for any high-risk country affiliations.
During the process of gathering physical presence, a check for manufacturing and production facilities is conducted. Countries with these facilities are noted for a vendor. The first-source data is gathered from the corporate website. If there is no or limited information about these locations, a search of manufacturing careers is performed on the company website and then on third-party websites. If no manufacturing is confirmed using publicly available tools, this is noted in the assessment.
Provenance Assessments – available now from the Asset to Vendor Network
While many directives of the Executive Order remain unclear, utilities need to act to become prepared for additional rule-making. Purchased through the A2V Marketplace, the Fortress Provenance Assessment will provide utilities with an easy and cost-effective solution to assess their vendors and evaluate where they have foreign presence.
The Fortress Provenance Assessment provides utilities with a review of a manufacturer’s level of foreign influence in the following areas:
Equipment of Concern
The electrical equipment of concern is typically associated with bulk-power system substations, control rooms or power generating stations, and may consist of the following bulk-power system assets:
- Substation transformers
- Current coupling capacitors
- Large generators
- Backup generators
- Substation voltage regulators
- Shunt capacitor equipment
- Automatic circuit re-closers
- Instrument transformers
- Coupling capacity voltage transformers
- Protective relaying
- Metering equipment
- High voltage circuit breakers
- Generation turbines
- Industrial control systems
- Distributed control systems
- Safety instrumented systems
A2V Provenance Assessment provides a breakdown of the areas of concern.
Benefits of the A2V Marketplace
Members of A2V can purchase Provenance Assessments from the A2V marketplace for ½ price
Supply Chain Risk Management isn’t just about VENDORS
Vendors provide Products/Services and those Products and Services require assessment too.
Cybersecurity information for products addressing risk across…
- Inherent product risk
- Vulnerability and patch remediation risk
- Product security risk (controls-based)
- Patch integrity and authenticity validation