NERC CIP Compliance Made Easy for the Entire Supply Chain

Choose a fully customizable solution for your Utility

Fortress Platform Enables CIP Automation

Compliance Management

Designed to enable utilities to reduce their O&M spend on compliance through automation, orchestration and predefined workflow templates that can be modified to reflect internal processes.

Implementation

Fortress Platform implementation services are designed to quickly create a centralized, enterprise security management data repository and dashboard.

Integration

A strength of the Fortress Platform is its ability to flexibly ingest various sources of IT and OT data, providing customized views of prioritized event data and alerts.

Security & Compliance Combined

On-premise deployments for high and medium impact BCS Entities. Outsource compliance with the low-impact cloud deployment option for reduced costs.

Compliance Automation Components

Compliance Automation Framework 3

Workflow & Automation

Security nomenclature based on the MITRE ATT&CK Matrix (Q4 2020)
Compliance Workflows – based on NERC CIP Standards and the NERC Evidence Request Tool
Custom workflow integration based on internal policy and procedure language and controls structure

Asset & Vendor Management – CIP-002 Integration

Asset Identification
Asset Classification
Asset Management & Monitoring
CIP-013 Compliance Management
3rd Party Risk Management
Enterprise Vendor Management

Threat Monitoring & Mitigation

Fortress-tailorable workflow allows you to integrate your existing threat mitigation into the tool, enabling you fine-grain control over your identification, reporting and resolution cycles
Respond to threats by assessing inventory to see if the threat is applicable and perform remediation
Known vulnerabilities and threats analyzed against the inventory to determine susceptibility based on CVE/CWE/ICS vulnerability vs asset in inventory and presenting action to be performed

Vulnerability & Patch Management

ICS/OT patch management & governance
- Baseline configuration for each in-scope asset stored in the AM Module
- Ports and services inventories tied to the AM Module
- Known vulnerabilities linked with each asset within the AM Module
- Using the A2V model, patch testing and validation services can be leveraged against other utilities using the same technology footprint for lower costs
Using Scanning or OT management software to determine versions and susceptibility
FP tracks compliance status for the NERC CIP program & remediation efforts

Compliance Management

Presenting Compliance Artifacts in a manner consistent with NERC, FERC and Regions
- Heavy focus on Evidence Request Repository Consistency
- RSAW-based internal assessment reviews
Compliance Performance Activity Dashboard – indicate where possible noncompliance is occurring in real-time
Any compliance risk transfer will be coordinated with NERC and Regions prior to contract execution to maximize transparency in the process
Compliance with CMMC
Compliance with Executive Order and 889b

Access Management

Integration with IDM and other access management platforms
Tracing access rights in relation to CIP Applicable Assets and Compliance Artifacts
Workflow templates designed to ensure access compliance traceability and artifact review activities

FORTRESS IN THE NEWS

Colonial Pipeline led to a cyber order for sector operators. Will JBS lead to more?

Jun 2, 2021 | News, SC Media

Less than a week after the Transportation Security Administration responded to the Colonial Pipeline shutdown with a landmark order for oil and gas pipelines to abide by cybersecurity rules, major food supplier JBS had operations interrupted by its...

Pipeline hack exposes holes in U.S. cyber oversight

May 14, 2021 | E&E News, News

When Colonial Pipeline Co.'s computer files were kidnapped by ransomware attackers last week, the company called the FBI for help. It did not call the top cyber agency at the Department of Homeland Security.

Biden Takes Executive Action to Strengthen National Cybersecurity, Secure Supply Chains

May 14, 2021 | News, Power Magazine

The Biden administration this week issued a new spate of actions to bolster the nation’s cybersecurity, though details of its 100-day plan issued last month to address risks to the U.S. bulk power system (BPS) remain scant.