Empowering Vendors to Secure the Grid

Asset to Vendor Network is a collaboration between utilities and vendors to secure the grid and achieve compliance with NERC CIP standards

NERC CIP-013 requires utilities to proactively assess the cybersecurity posture of their vendors and their products and services

Completing annual cybersecurity risk assessment questionnaires and providing evidentiary documentation for multiple utilities is resource intensive.

Self-attestation (self assessments) may be insufficient and will require validation.

Utilities will pay independent agents such as Fortress to conduct and validate assessments

Assessments will need to be normalized (standardized) and mapped to assessment frameworks.

Launches the Asset to Vendor Network (A2V)

a mutual assistance network for utilities and their vendors to secure the supply chain and comply with NERC CIP standards.

Implementation guidelines from the North American Transmission Forum (NATF) suggest the following:

– Perform Vendor Risk Assessments

– Implement Product Risk Assessments

– Verifying the integrity and authenticity of software

– Multiple cybersecurity framework mapping

– Recurring reviews to identify risks, risk assessment conclusions, and risk mitigations

A joint venture with Fortress, American Electric Power, and Southern Company

A2V is committed to helping American Electric Power and other leading utilities

Southern Company provides clean, safe, reliable and affordable energy to 9 million customers through their subsidiaries

A2V in the News

Asset to Vendor (A2V) is a collaborative network of utilities and vendors that share risk management information.

A2V Risk Management Information

Risk Assessments

IT/OT vulnerability & patch subscriptions

Increased Security

Reduced turn-times, decisive remediation, on-demand evidence

Significant cost reduction

“We already share the risk. Now let’s share the cost.”

How does Fortress A2V work?

Fortress Information Security manages and validates assessments for vendors who join A2V and provides them with a secure link to grant assessment requests from the utilities

A2V Solves Security Challenges

  • Companies have limited resources for security

A2V allows vendors to focus on security, not assessment requests, reducing internal cost

  • Risk assessments traditionally take months to produce

A2V ensures up-to-date renewals and instant availability

  • Product solutions are fragmented and expensive

A2V provides a unified solution at reduced cost

  • Vendors retain control of their data

Vendors control who sees their data

Fortress A2V Benefits

Results and advantages of our partnership

  • Reduced Costs
  • Transparent Process
  • Operational Fourth-Party Vendor Assessments
  • Data Storage
  • Increased Security
  • Insight into Purchasing Intent
  • First Mover Competitive Advantage
  • Demonstrate leadership in securing the grid with joint PR

Fortress A2V Offers You Control Over the Vendor and Product Assessment Process

Vendor Security Risk Assessments and Product Security Risk Assessments

  • Fortress conducts complete risk assessments on organizations one time to save vendors time and cost of interacting with multiple utilities.
  • Vendors retain control over who the assessments are shared with.

Asset Risk Management

  • Fortress verifies software sources and validates patch integrity in accordance with CIP-010 and CIP-013

Fortress Guardian – Continuous Risk Monitoring

  • Continuous monitoring of both cyber and business risk.

Remediation

  • Fortress works with you to identify and remediate areas of risk.

Services

  • Human-assisted solutions which deliver significant value leveraging the Fortress Platform technology; for example, recommendations for how best to remediate possible risks across an organization’s critical infrastructure assets.

Fortress Platform – Supply Chain Risk Management Insights

Scalable, Modular System with Customizable Dashboards

  • Built on lightning-fast, modern architecture
  • Has the simplicity of a spreadsheet with all the sophistication and power of an enterprise system
  • Features include workflow management, task assignment, approvals and vendor portal
  • Flexible architecture for integrations and enhancements
  • Robust analytics module included, enabling simple self-service for reporting