Fortress expanding SBOM and HBOM resources with nine-figure Goldman investment

Stock prices whiz by on a ticker near the Goldman Sachs booth on the floor of the New York Stock Exchange in 2010 in New York. (Photo by Chris Hondros/Getty Images)

Industrial security firm Fortress announced Tuesday a $125 million investment from Goldman Sachs, which the company says will be used in large part to expand its archive of vendor information to include hardware and software bills of materials (HBOM and SBOM).

While the company plans to use the money on multiple projects, including user experience, chief operating officer Betsy Soehren-Jones told SC Media that the biggest project was expanding their bills of materials libraries, made necessary after a year of supply chain issues like Log4j.

"We needed research and development capital to be able to really put that project on warp speed, just given the incidences that we see that are happening right now, to be able to effectively give our customer base in critical infrastructure exactly what they need to be able to respond to those incidences much quicker," said Soehren-Jones.

Fortress, formed in 2015, hosts the A2V (Asset-to-Vendor) Network, a set of industry-centered databases of the security practices used by potential suppliers and other vendors. The network offers information on products and vendor networks that might store client data.

Fortress currently claims to serve 40% of the American electric grid.

A "trust-but-verify" service for bills of materials

The expansion would increase the HBOM and SBOM information in the A2V Network, both in terms of the completeness of the current records and the processing of new companies. Fortress plans to do this in two ways: accepting vendor attestations to products and providing an in-house auditing service to create a third-party bill of materials. That "trust-but-verify" service can be used for vendors who do not provide their own data, for vendors whose data may be suspect, or for components already in use that were built by vendors who have since gone out of business.

"If we find out that there's a bad chip somewhere in one device, that chip most likely has been used in a lot of other devices. So not only are we going to be able to identify the manufacturer that it originally came from, but then we're going to also be able to understand the full scope of all of the devices that may have it," said Soehren-Jones.

In March, Fortress announced its A2V Library would be free to all power utilities.

In a statement, Will Chen, managing director within Goldman Sachs Asset Management, told reporters his firm was looking forward to playing a role in the broadening of the dataset.

“The depth and breadth of the Fortress platform are unmatched and we believe there is a meaningful opportunity to accelerate the expansion of the platform into compelling product adjacencies, including software and hardware bill of materials, workflow orchestration, and additional analytics and reporting capabilities,” he said.

Soehren-Jones said Fortress was looking forward to Goldman's expertise as much as the funding.

"What Goldman is now able to do for not just for Fortress, but also for the industry, is really give us good expertise of those industries that have come before," she said. "So if you think about the financial industry, you know, they're probably a little ahead of critical infrastructure when it comes to building their big cyber programs."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
