OATI Expert Addresses Cybersecurity Concerns and Exposes Cloud Computing Myths

There has been a big move towards cloud computing. According to Forbes, the 2020 revenue of public cloud services worldwide is expected to double that of the 2016 revenue. In addition, Gartner reported that over 50 percent of global enterprises utilizing the Cloud will incorporate an all-in cloud strategy by 2021.  

However, this trend has also indirectly furthered public misconceptions and anxieties, such as cost benefits compared to delivered systems and the Cloud’s vulnerability to cyberattacks. At the 23rd annual LDC Gas Forums – Northeast event in Boston, Massachusetts, OATI Deputy Chief Information Security Officer Jerrod Montoya offered his expertise on cybersecurity concerns and myths surrounding the Cloud.

Delivered Systems vs. Cloud Computing
Some may argue that delivered systems offer similar benefits for a similar price. However, delivered systems have hidden costs including hardware replacements, necessary upgrades, and hiring IT personnel. Cloud computing requires a low initial investment, which only increases to accommodate system use. In addition, IT departments can add or subtract capacity flexibly based on user demand, and cloud computing provides a variety of services without long procurement or certification processes.

“Based on the upfront or recurring costs, it sometimes looks like it’s more expensive to have a Cloud-based system,” Mr. Montoya said, “but, when you peel back the layers, you see that you can save up to 55 percent based on an eight-year total cost of ownership (TCO).”  
Energy Industry a Target to Cybersecurity Threats
The biggest concern for the Cloud today is security. Mr. Montoya said that, as you expand out into the Cloud, you increase your attack surface and create vulnerabilities (click here for our blog on furthering your understanding of attack surface areas).

“The threats are abundant, and the energy industry is a target,” he said.

In April, natural gas and propane company Energy Transfer Partners’ electronic data interchange (EDI) was cyberattacked and briefly shut down. In 2015, a Ukrainian utility suffered from a successful cyber-attack that brought down its power grid.  Most recently, in March 2018, US- CERT issued an alert (TA18-074A) warning of Russian cyber actors seeking to compromise the energy sector. “With so many threats, it is important for critical infrastructure companies to remain on high alert,” Mr. Montoya said.

Mr. Montoya also noted that if your password is “1234,” you have a bigger problems to worry about. It is vital to learn from others’ mistakes and take care of the low hanging fruit.

“You can’t prevent cyberattacks; you have to be prepared for them,” Mr. Montoya said. “You can reduce risk, but you cannot eliminate it. The best thing you can do is get informed and take action.”

Addressing Threats by Limiting Exposure
Third-party audits are a solution when considering cybersecurity threats and choosing the right vendor. The process includes an auditor reviewing risk mitigation controls and whether a company complies with the auditing standard. In March, OATI completed its sixth audit of OATI webCARES WebTrust for Certification Authorities, which assured that we are adhering to security and process control best practices to our users.

For those concerned about supply-chain attacks, you can limit your exposure to these attacks by choosing a vendor that controls the entire technology stack. Software-as-a-Service (SaaS) providers, like OATI, control the entire Cloud stack in house.

The Benefits of a Cloud
Mr. Montoya noted that the OATI Cloud is unique for its control over infrastructure. As opposed to “public Cloud” solutions, the OATI Cloud does not sell data to advertisers, undergoes frequent testing and annual audits, and ensures customer data is secured when using our solutions and services.

One OATI gas solution is webTrader™ Gas, which procures, sells, manages and monitors gas supply and positions for LDCs and trading entities’ power plants. The Quick Scheduler display shows audit, credit risk, and gas purchase/sales data.

OATI webPipeline™ is a NAESB-certified solution for pipeline management. This web-based system includes cycled nominations, confirmations, EDI data sets, forecast demand management, and more.

Spreading knowledge on cybersecurity is important to OATI. Recently, Mr. Montoya visited with high school students to talk about operational risks and defenses against cyberattacks. Click here to read our blog about the educational experience.