Endpoint/Device Security, Critical Infrastructure Security

How one security company plays matchmaker to enable speedy ICS security fixes


Unsecured ICS systems of the world unite.

Systems used in industrial processes face increasing scrutiny from regulators and downstream customers alike. For businesses along the supply chain, that means entire product lines from certain brands may no longer be usable. And if a small shop cannot use a piece of equipment, that is usually the end of the story.

Why? Because without massive buying power, it is tough to convince a vendor to redesign a widget.

But Fortress Information Security and its customers were able to change that dynamic around 100 times in just the last two months, according to Betsy Jones, chief operating officer at Fortress. She joined the company earlier this year, having previously served as the director of cyber strategy and policy at Exelon, a Fortune 100 company in the power business. There she was responsible for designing and implementing the company's information and vendor security programs.

At Fortress, she helped arrange meetings between groups of smaller companies and vendors to show the broad appeal of making product changes.

"I am the air traffic controller," said Jones. "I am helping both planes in the air get down onto the ground and then the ones that are on the ground get up. I'm sitting between the purchaser and the supplier and both of them need a set of information from each other in order to move forward with a relationship or keep that relationship going."

That is a true statement for both the meetings Fortress has set up and the company's broader business model. Fortress maintains a database of which industrial products meet what security standards. But since vendors themselves use ICS equipment in their own manufacturing, many both make products in Fortress's dataset and use that dataset to make purchases.

Fortress has a few advantages in setting up these kinds of meetings. One is that vendors who are also their clients already know them. Also, their testing criteria are client-directed and often public standards-based — they do not come off as being exploitative.

"The beautiful part is I didn't make up the test. The industry came up with the test. I'm just here to administrate the ACT or the LSAT and I'm here to tell you where you got questions wrong," she said.

Jones says Fortress has not tracked whether any new sales have occurred based on product improvements — they are not looking to be anything beyond a matchmaker for discussions.

"It's an interesting relationship that I've never seen in business anywhere else," she said. "Whoever is going to get smacked around for being out of compliance is not the one who produced the product."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
