A Goldman Sachs private equity business is taking a stake in critical industry cybersecurity firm Fortress Information Security. The $125 million investment underscores a heightened awareness of supply chain vulnerabilities within the investor community.
Fortress, which announced the investment from Goldman Sachs Asset Management Private Equity on April 19, said it also highlights a wider interest in the Asset-to-Vendor (A2V) network. The A2V network is a consortium tool the company co-developed with major North American investor-owned utilities to address cybersecurity and operational threats stemming from vendors, assets, and software in their supply chains.
“This is the place where, if I am working with a vendor and I issue that vendor this industry assessment, this is where that vendor can store the answers to that assessment,” explained Betsy Soehren-Jones, a former utility executive who recently joined Fortress as its chief operations officer (COO). “All utilities can go and grab the information and start to look at it. The best way to think about it is truly a library. Fortress has built the infrastructure for a central library—a central repository of information that is based on the industry assessment,” she said.
An Urgently Needed Capital Infusion
Fortress was founded in 2015 by Peter Kassabov and Alex Santos as a “fit-for-purpose solution” for critical industries to assess, manage, and address risks associated with vendors, assets, and software in their supply chains. The company says its platform today secures 40% of the U.S. power grid, but it also serves national defense-related assets and critical manufacturing industries.
Fortress said the “capital infusion” will empower the company to “accelerate the execution” of its vision of resilient supply chains. It comes at a crucial time, noted Kassabov, a Fortress co-founder who serves as the firm’s executive chairman. “We started Fortress because we recognized major supply chain vulnerabilities in our country’s most critical industries. Many recent high-profile breaches have spawned a new wave of regulatory action in the U.S. that will likely expand for the foreseeable future,” he noted.
A Brief Recap of Supply Chain Cybersecurity Regulatory Actions
U.S. efforts to tackle supply chain cybersecurity vulnerabilities have gained steam since May 2020, when President Trump issued Executive Order (E.O.) 13920, which amounted to a sweeping ban on transactions by U.S. persons for electric equipment sourced abroad if the U.S. government determines they pose undue security risks.
In December 2020, the Department of Energy (DOE) issued a “Prohibition Order” that prohibited the acquisition, importation, transfer, or installation of specified bulk-power system electric equipment from the People’s Republic of China that directly serves Critical Defense Facilities. However, the Biden administration suspended E.O. 13920 and the Prohibition Order for 90 days in January 2021, and ultimately revoked the Prohibition Order in April 2021. President Biden in February 2021 instead issued E.O. 14107, directing the DOE to identify and make recommendations to address risks in the supply chain for high-capacity batteries and, within one year, to review and make recommendations to improve supply chains for the energy sector industrial base.
The DOE released its deep-dive assessment on Feb. 22, 2022, declaring supply chain risks extend to all digital components in the U.S. energy system, including firmware, software, virtual platforms, and services, as well as data. “Cyber supply chain risks for legacy systems will continue to be a priority concern requiring active and more holistic management and mitigation,” the assessment concluded. “However, as new technologies are introduced—in the form of renewables and distributed energy systems—and operational efficiencies—through increasing use of virtual platforms and the application of artificial intelligence/machine learning—are increasingly pursued, a strategic opportunity exists to ensure that the supply chains for these digital assets are developed with cybersecurity in mind.”
In the assessment, the DOE laid out key priorities to identify, prioritize, and address cyber supply chain risks in digital components in energy systems. These include the Energy Cyber Sense Program, a voluntary Congressionally funded program to test the cybersecurity of products and technologies intended for use in the energy sector, including bulk power system (BPS)–related industrial control system (ICS) and operational technology (OT) technologies. The DOE also heralded its Cyber Testing for Resilient Industrial Control Systems (CyTRICS), a program for cybersecurity vulnerability testing and digital subcomponent enumeration for OT and ICS. In addition, the DOE is this year slated to establish a two-year pilot program within the national labs to identify new classes of vulnerabilities.
Also significant are efforts launched in January 2021 by CyTRICS, the Department of Homeland Security (DHS), the national labs, industry, and academic partners to demonstrate digital subcomponent discovery, sharing, and analysis, illuminating risks associated with sub-tier suppliers under a so-called software and hardware bill of materials proof of concept. In October 2021, the DOE and the National Renewable Energy Laboratory launched the Clean Energy Cybersecurity Accelerator (CECA) to provide a third-party environment with “world-class” testing facilities for asset owners of all sizes and types to develop and deploy renewable, modern grid technologies that are not only cost-competitive but also demonstrate the highest level of security by design.
Separate efforts to tackle BPS supply chain risks by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corp. (NERC) are also making notable progress. In July 2021, FERC and NERC staff issued a joint white paper describing the major supply chain-related cybersecurity events and the key actions electric industry stakeholders and vendors should take to secure systems. And in January, FERC directed NERC to develop and submit new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for high- and medium-impact bulk electric system cyber systems.
Meanwhile, the National Institute of Standards and Technology (NIST) is also working to update its standards-based guidance. In late 2021, NIST issued a second draft of its special publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. This March, NIST sought public input on improving the NIST cybersecurity framework.
Finally, as part of a broader effort that seeks to provide transparency to investors, the Securities and Exchange Commission (SEC) in March proposed mandatory cybersecurity disclosures by public companies. If adopted, these mandates seek to provide investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. A final rule could take effect sometime between late 2022 and mid-2023, industry observers have suggested.
Increasingly Costly Implications from Threats
Investors are taking note of these actions, as well as keeping an eye on the financial implications from cyberattacks. Since December 2016, when the first cyberattack against an electric power grid was confirmed in Ukraine, several more worrying incidents have occurred. In December 2017, a cyberattack on a safety-instrumented system halted pipeline operations at Saudi Aramco, one of the world’s largest oil companies. In December 2020, a Russian software supply chain operation against the U.S.-based information technology (IT) firm SolarWinds was exposed. It affected about 18,000 customers worldwide, including enterprise networks across all levels of government, critical infrastructure entities, and other private sector organizations.
In May 2021, the Colonial Pipeline Co., the largest fuel pipeline in the U.S., was the victim of a ransomware attack that led to shortages across the East Coast. And in November 2021, Vestas, the world’s largest manufacturer of wind turbines, suffered a ransomware attack that forced the company to shut down IT systems across multiple business units and locations. “In these and many other cases, improvements in the cybersecurity supply chain for digital components may have prevented or limited the compromise of energy sector systems impacted by these attacks,” the DOE found in February.
While the power sector is working with the federal government, industry recognized after the SolarWinds attack that “there was an incredible need to establish a way to exchange information related to software bill of materials,” Soehren-Jones told POWER on April 15. Industry’s key concerns related to sourcing the enormous cyber talent it would need and the costs it would incur to respond with agility to the growing array of threats. The A2V network responded to that need, she said.
“It’s actually in two parts. So the first is, if an application developer were to give us their base set of software bill of materials, we can actually take that application, reverse engineer it, and compare and contrast. So it’s a validation methodology for code, number one, and then the second piece of it is the ingestion tool itself.”
The investment from Goldman was needed to “put all of that on warp speed,” said Soehren-Jones. “Fortress had started to build the initial technology, the initial R&D,” including the ability to perform the “reverse engineering.” The second part—the actual platform for the ingestion—is expected to be available in May. “We really needed an investment injection to be able to take all of that and actually get it out to market and get it out to market pretty quick,” she noted.
Asked whether there is an advantage to private industry running its own vendor library—as opposed to relying on government-led efforts—Soehren-Jones pointed to timely response. “We’re able to pivot pretty quick based on what we’re seeing coming back from our customers, and what is happening really in the world,” including in the regulatory space, which often involves several agencies, she said. “We can do this based on what’s right for industry,” she said.
For Goldman Sachs, the return is a priority. According to Will Chen, managing director within Goldman Sachs Asset Management, the investment will scale Fortress’s A2V network, which already provides “significant value” to critical infrastructure suppliers and customers. “The depth and breadth of the Fortress platform are unmatched and we believe there is a meaningful opportunity to accelerate the expansion of the platform into compelling product adjacencies, including software and hardware bill of materials, workflow orchestration, and additional analytics and reporting capabilities,” he said.