The agencies and businesses that make up the backbone of our critical infrastructure have a larger bullseye on their backs than an average company. When it comes to the electric utility providers that manage the power grid, the exposure to risk is exacerbated by the fact that much of the equipment, software, and services come from a limited set of vendors. Fortress Information Security just launched the Asset to Vendor (A2V) Network to mitigate these risks and improve the security posture of the power grid.
The Federal Energy Regulatory Commission (FERC) recognizes the unique threats posed to the power grid and understands that it’s crucial to address these challenges and protect the critical infrastructure. FERC has issued requirements for standardized risk assessments and mandated that electric utility providers prioritize supply chain vendors based on their relative risk. The problem is that many of the 3,000 or so electric providers are small, regional companies that don’t have the budget or resources to do this effectively on their own.
The A2V Network was launched as a joint venture between Fortress and AEP (American Electric Power) to address this challenge and help all electric utility companies collaborate to comply with the FERC regulations and improve protection of the critical infrastructure more efficiently and effectively. Organizations that join the A2V Network will be able to purchase completed vendor assessments for significantly less than it would cost them to conduct a redundant assessment of their own, and participating companies can also contribute completed assessments to build out the A2V Network library.
Reluctance to Share
I had an opportunity to chat with Alex Santos, CEO of Fortress, about the A2V Network and some of the challenges it addresses. He described the supply chain like streets in a community. Just as each person is responsible of their own home and property, but share the roads and pay taxes to share the burden and ensure the roads are taken care of, each company is responsible for itself, but they share risk exposure from the supply chain and it makes sense to collaborate and share the burden to mitigate the risk and secure the critical infrastructure.
I asked Santos for his thoughts on why businesses in general—not just electric power providers—seem so reluctant to engage in this sort of sharing and collaborative effort. The two main issues, according to Santos are that some information is very proprietary, and some information is not very good. Companies want to maintain the privacy of intellectual property and sensitive information. In some cases, there is a competitive advantage associated and sharing it is just bad for business. In other instances, organizations are reluctant to engage in sharing information because what they receive is not useful. If the information is not properly vetted and curated to ensure it is correct and relevant, it creates more problems than it solves.
Santos explained that the A2V Network strives to address both of those challenges. The A2V Network takes information about supply chain risk assessments and provides a platform to easily share it while anonymizing it and protecting the privacy of proprietary data. Part of what the A2V Network also does is to validate the information and make it actionable.
Santos was especially grateful for having AEP as a partner for the launch of the A2V Network. He noted that even though there are 3,000 electric utility providers, only about 150 of those are large enough to be regulated by the North American Electric Reliability Corporation (NERC)—and that the top 15 largest deliver power for 75% of consumers. That leaves nearly 2,900 companies that must comply with the FERC regulation but lack the resources to do it effectively on their own.
He said that having AEP on board is huge because any new movement or initiative requires a first big company to get the ball rolling. AEP showed leadership in taking that initiative and having a company with the size and prestige of AEP involved creates a snowball effect that will entice other electric utility providers to jump on board.
The more companies get involved, the more momentum the A2V Network will have and the greater value it will provide to every participating organization. That, in turn, will attract more companies. It becomes a self-feeding cycle of momentum that will ultimately lead to a more secure critical infrastructure.