Security

Avtec’s Patch Management Process

Three times per year, we qualify and include the latest critical and important Microsoft Security Patches for the four main operating systems:

• Windows 10
• Windows Server 2019
• Windows 11
• Windows Server 2022

Here’s what we do once we’ve received a security patch:

• We evaluate the applicability of the patch within our operating environment
• We test the patch to ensure it doesn’t break any feature or required process
• We update the list of approved patches during each Scout release cycle

STIG stands for Security Technical Implementation Guide. STIGs are distributed by the U.S. Department of Defense (DoD) and cover the configurations of an organization’s routers, databases, firewalls, domain name servers and switches.

Implementing STIGs can harden a system and minimize network-based attacks and prevent system access.

Avtec’s STIG Updates Process

Three times per year, we update, apply and verify the following STIGs from the DoD:

• STIG for Windows 10
• STIG for Windows Server 2019
• STIG for Windows 11
• STIG for Windows Server 2022
• STIG for Windows Firewall
• STIG for Windows Defender
• STIG for Microsoft NET 4 framework
• STIG for Microsoft Edge V1R7

As you can see, the Avtec Scout dispatch console’s baseline security hardening is on par with the U.S. Department of Defense’s guidelines.

NERC stands for the North American Electric Reliability Corporation. Each of its Critical Infrastructure Protections (CIPs) guides include requirements for the utilities industry, such as securing remote access.

Avtec’s NERC-CIP Updates Process

Three times per year, Avtec provides robust security documentation of how we adhere to each section and requirement in the following NERC-CIP standards:

• NERC-CIP-005 Electronic Security Perimeter
• NERC-CIP-007 Standard Cyber Security — Systems Security Management
• NERC-CIP-010 Configuration change Management and Vulnerability Assessments

If you’re a utilities provider, the Avtec Scout console provides a dispatch solution with all the security documentation you’ll need to pass security audits.

Our Scout console is compliant with reliability standards developed by the North American Electric Reliability Corporation (NERC) and the security controls of the National Institute of Standards and Technology (NIST) Special Publication 800-53, as well as other industry standards that have been developed over the past 30 years.

Reporting on the status and the operation of each system and application is another standard cybersecurity effort Avtec regularly employs. We do this to properly understand the security profile and needs of our customers. We also track any variables to help support long-term IT health and security.

Avtec’s Security Documentation Process

Avtec documents all our various configurations, including changes in inputs, outputs, uses and environment. Throughout the calendar year, we regularly share the following information as indicators of the Scout console’s security hardening:

• Network Documentation
• Configuration Guides
• NERC-CIP compliance
• Code Signing
• Release Notes

Performing quality-assurance (QA) testing is necessary to ensure all security checks have been addressed. Equally important during this testing phase is evaluating whether a particular security check has a negative effect on the system.

The idea is that the Scout dispatch console has to be secure AND functional.

Most dispatch console vendors don’t do this.

We do.

Avtec’s Internal QA Testing Process

Avtec conducts internal audits of the Scout console’s security configuration prior to each release. These audits ensure the console’s adherence to emerging security requirements. This is a vital step in our system-hardening process, as it demonstrates how well the requirements are being met by the software as well as showing how well the code is operating as intended.

For QA testing purposes, we utilize a number of industry-standard tools including Nessus, a remote security scanning tool that scans for any vulnerabilities that malicious hackers could use to gain access.

Code signing is an operation where a software developer or distributor digitally signs the file being sent out, to assure users that they are receiving software that does what the creator says it will do. The signature acts as proof that the code has not been tampered with or modified from its original form.

Avtec’s Code Signing Process

At Avtec, we sign everything we can with a digital certificate to confirm the integrity and the authenticity of our files.

All Scout installers are digitally signed by Avtec using a code-signing certificate. Additionally, the database checker is digitally signed to avoid false positives from anti-viruses.

Providing digitally signed files provides assurance that the files are from an authentic source and not modified in transit. The digital signatures are applied to executable files, installers and libraries.

Avtec’s Third-Party Security Audit Process

Once per year, usually during the fourth quarter of the year, Avtec employs a qualified, impartial company to conduct a compliance audit to verify the Scout console’s security posture. The verifier’s audits are performed using industry standard tools and test practices.

Any items discovered in the compliance audit are added to our internal security roadmap to be addressed.

For reference, we’ve provided an excerpt from the results summary from our last audit:

• All STIGs assessed were found to be compliant and only contained exceptions where absolutely required for system operation
• No critical or ‘high’ findings when scanning patch compliance with Nessus
• “Based on the testing performed, [we] found the system to be configured to provide as small a potential attack footprint as possible while still maintaining proper functionality. There were very few findings overall, and no high-level findings."