OATI Security Star: Manifesto
Building an effective program to protect critical solutions in a high-impact industry takes more than simple review and implementation of published best practices. The OATI Security Star approach is to dedicate time and effort into doing good security first, which is based on the particular circumstances of our environment and bringing value to our customers.
OATI Security Star shines bright in six key areas:
1. Full-Stack Control of Infrastructure, Platform, and Software/Hardware
Unlike other cloud service providers, OATI controls infrastructure, platform, and software across dual Data Centers wholly operated by OATI. This significant investment in resources is especially impressive when considering OATI’s newest Data Center is a self-sustaining microgrid. The next-generation Microgrid Technology Center ensures customers using OATI software do not need to be concerned with whether OATI is running diesel backup generators (though we do anyway).
Controlling the physical resources supporting our mission-critical applications offers the ability for highly trained OATI staff to diagnose and resolve issues in a far shorter time than other providers who outsource parts of their service.
2. Root Certificate Authority
Secure access is paramount when dealing with a mission-critical system. That’s why OATI requires the use of webCARES Digital Certificates when accessing OATI software. The centralized certificate management console for designated Security Officers includes features for issuance, management, and revocation of certificates.
OATI webCARES is the only NAESB ACA to enforce authentication (username, password, and client side Digital Certificate) during the secure login process and during the complete certificate management process (certificate issuance, delivery, renewals, and revocation). Requiring this level of authentication provides heightened assurance that certificates are only delivered to, or revoked by, designated webCARES Security Officers.
In keeping with OATI’s longstanding commitment to full stack control, all of the Public Key Infrastructure (PKI) resides within the OATI Data Centers. OATI creates and manages Digital Certificates from its own Root Certificate Authority (CA) that is authorized by the North American Energy Standards Board (NAESB) to provide certificate services to the energy industry. OATI is one of only two such entities authorized by NAESB.
3. Change Management
Redundancy and verification run through the veins of OATI. Leveraging decades of experience in developing new software, OATI employs a rigorous change verification process that includes testing by multiple independent reviewers across multiple teams and also approval from the customer prior to application in the production environment.
The OATI change management philosophy stretches beyond just software development. Each technical specification and other important document requires signatures from multiple people—up to the executive level—before being fully disseminated to intended recipients. This tight control helps protect against the leak of important information and to make sure information is accurate.
4. Role-Based Security
Separation of duties ensures access is based on role and need help avoid any mishaps. Access is granted after proper training and a full background check are completed. These role-based restrictions, along with the concept of granting access based on need, represent a standard practice across OATI. Cross-department and inter-department separation of duties are the norm and play a big part in keeping systems secure.
5. Resilient Physical Security
OATI physical security is based on a layered approach that combines multiple choke points to prevent unauthorized access. This begins with a security perimeter fence surrounding both Data Centers and is followed by multiple checkpoints upon entry. Badge access based on role within the organization, or status as a guest, is required to enter through turnstiles and also for subsequent movement throughout the building.
The OATI campus and internal office areas are monitored 24x7x365 by video surveillance. After-hours access is limited to those with biometric authentication in addition to standard badge access.
6. Robust Compliance
OATI solutions have earned strong reputations for security and reliability in the energy industry. This strength is founded upon continuous commitment to the industry through voluntary compliance with standards established for industry participants.
OATI annual examinations now include SOC-1 (formerly SAS 70), North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP), National Institute of Standards and Technology (NIST), WebTrust for CAs, CA/B Forum Baseline Requirements, and NAESB Wholesale Electric Quadrant-012 (WEQ) PKI standards.
With daily cyber-attacks against utilities nationwide, top-level security can no longer be viewed as a mere “check-the-box” requirement. It is a strategic need that all utilities need to address. OATI Security Star combines more than twenty years of security leadership and excellence into a robust set of technology, processes, and controls that help ensure the protection of the North American energy industry.