Fortress is launching A2V to share technology and information to support security efforts for these vendors. The technology and data basis for A2V were developed in collaboration with AEP and include a substantial library of completed vendor risk assessments that comply with the new regulations. Fortress, an experienced partner with a proven track record in cybersecurity, will operate the A2V platform.Â
This approach to vetting vendors and "listing them as secure" seems to offer a false sense of security. A vendors "trust level" can change from one moment to the next as they become victims of attack and they become the distribution point of malware, which goes unquestioned because they're considered a "trusted entity". Trust in software is not a one-and-done process, it requires extensive, and on-going evaluation (software background check) on each software object (not vendor) to determine the risk level at any moment in time and to take action on those objects which fail to meet a "minimum trustworthiness threshold".
Although A2V may not be a perfect solution, it is the first real attempt I've seen from an electric company to prepare for FERC Order 850 compliance.