OptiRTC, Inc. Statement on Security
Introduction
The Opti Platform is integrated technology and services that enable stormwater authorities to continuously monitor and adaptively control releases from runoff collection facilities across a watershed:
- Opti Web Gateways provide a managed on-site endpoint to connect sensors, actuators, and other operations technology needed to monitor and control stormwater facility storage.
- Opti Platform Cloud Services support secure operations of Opti Web Gateways and user access to application data.
- Opti Portal is a web application that provides cross-platform user access to real-time operations, remote manual control, and historic performance analysis capabilities.
- Opti Support is a team of civil, environmental, computer, and software engineers capable of supporting all phases of delivery and maintenance of Opti-managed stormwater facilities, and empowered to analyze fleet-wide operations to find root causes quickly.
A central tenet of Opti's value proposition is the ability to trust that Opti-managed facilities will convey water as expected. To achieve this expectation, Opti considers security throughout the design and operations of the Opti Platform.
Design
Our technology automatically controls the timing and release rates of stormwater storage systems to improve water quality, prevent localized flooding, and reduce combined sewer overflows more cost-effectively than traditional approaches, and in places where traditional approaches cannot fit. To achieve this, we employ a "less is more secure" mentality and intentionally avoid or limit certain conditions in the interest of making our products work securely and reliably. Specifically:
- No unencrypted IP messages - All messages sent between Opti applications over IP-addressed networks are encrypted with standard algorithms.
- No open ports or inbound connections to devices - All field devices, including Opti gateways and API integrations with SCADA systems and 3rd-party sensors, initiate connections to the Opti Platform. No firewall exceptions or static IP addresses are required.
- No local network presence required - Opti gateways can interface with all necessary devices on-site without connecting to customer-managed IP networks.
- No software required - Customers do not have to install or manage software to use the Opti Platform. Users access data via a web browser application, Opti gateways run standalone software managed by Opti, and data storage and compute are provided by Opti's data centers.
- No Remote Desktop - Neither managing water infrastructure nor managing cloud servers requires remote administrator access. Built-in application logging provides operational visibility into all Opti services.
- No passwords managed by Opti - Single Sign-On provided by Microsoft Azure Active Directory allows customer IT administrators to stay in control of their users' access to stormwater operations.
- No bespoke software - All Opti customers use the same on-site firmware, cloud software, and browser applications. This allows us to isolate problems by comparing behaviors across the fleet, while ensuring all customers benefit from patches and improvements.
- No unpredictable fail-safes - Control hardware is designed and configured to revert to a position consistent with civil designs in the event of prolonged network, power, or sensor trust loss.
- No unlimited communications - Opti employs rate-limiting systems across inbound message channels to limit the impact individual users or sites can have on others' service. Opti Web Gateways are compatible with 3rd party serial gateways that can rate-limit and further segment communications with sensitive electro-mechanical components.
- No moving parts by Opti - Opti does not make sensors, actuators, valves, or pumps: just the software that employs them to optimize stormwater assets. We rely on 3rd-party commercial providers and local partners for physical components. This ensures customers have access to the best flow control devices for their market, including the ones they already own.
- No 3rd-party advertising - Only information from services explicitly authorized by Opti is presented in our web applications.
- Minimal PII required - Only the email addresses of administrators, operators, and alert recipients are required.
Operations
Security starts with design, but must be maintained as the world in which systems exist changes around them. All Opti Platform subscriptions include support from our multi-disciplinary team, who work behind the scenes to ensure Opti-managed assets manage water effectively every time it rains.
- No unpatched software - Opti servers are configured for automatic OS upgrades from Microsoft and reject connections from computers too old to use modern encryption. Opti patches Opti Web Gateways as new features and component updates are made available by vendors.
- No OTA upgrades during storms - Unless critically necessary, Opti avoids over-the-air (OTA) upgrades to sites managing wet weather.
- No default passwords - All devices are deployed with unique, hardware-backed keys and identifiers to enable secure remote device management.
- No guesswork - Our analyst and customer success teams can help your teams estimate the impacts of using our technology, design new and retrofit installations, educate local authorities on how to incorporate active stormwater controls into regulations, and perform system maintenance.
- No machines in control - Sites are commissioned to ensure that remote manual and local physical overrides always take precedence over automatic controls.
Cloud Environment
Policies and technology regarding the environment in which all Opti Platform Cloud Services are deployed.
Private Virtual Networks
All Opti Cloud Services are deployed within service-specific virtual networks that do not expose public IP addresses and deny all inbound connections, even from instances in other Opti Cloud Services. All service-to-service communications occur via enterprise service bus technologies provided by Azure as PaaS. Remote desktop is not enabled in the production environment.
Cloud Redundancy
All Opti Cloud Services are deployed with redundant instances across multiple fault zones within Microsoft Azure data centers for high availability. All data records are replicated into 6 copies across two Azure data centers for availability and durability.
DDoS Protection and Rate Limiting
Opti uses web application gateways that include DDoS protection and enforce usage quotas and rate limits on inbound connections to the Opti Platform Cloud Services.
Third-Party APM
Opti uses a third-party Application Performance Monitoring solution to monitor and consolidate application logs of all of its production services, which provides real-time visibility into service interruptions. Application log data is deleted by default after 14 days.
Hardware-Backed and Auditable Certificate Management
Opti uses cloud-hosted, auditable, FIPS 140-2 Level 2-compliant hardware security modules (HSMs) to store secret key material and the digital certificates end users rely on to establish trusted connections with the Opti Platform.
Repeatable Deployments
All Opti Platform Cloud Services are deployed from binaries created by a standard CI pipeline with a standard deployment script. Build artifacts for each release are maintained for at least 6 months.
System Interconnections
Policies and technology applied to the integration points between web browsers, Opti Web Gateways, Opti Platform Cloud Services, and civil assets.
User Connections to the Opti Platform
All user access to the Opti Platform is to cloud services and is provided over the Hypertext Transfer Protocol (HTTP) and the WebSocket Protocol (WS). No user, including Opti administrators, remotely accesses on-site Opti Gateways: all remote operations are managed via service-to-service application communications.
Encryption of Communications
All user connections to the Opti Platform require encrypted sessions negotiated with TLS 1.2. Opti Web Gateways use device-specific secret keys and RSA to mutually authenticate the servers they communicate with, and encrypt each message according to the DTLS specification with 256-bit ECC keys. Opti Web Gateways encrypt messages with the open-source mbed TLS library supported by ARM.
Civil-Integrated Failsafes
Opti services collect, store, process, and act on information obtained from field sensors and Internet-based web services to monitor and improve the function and performance of stormwater facilities. Proper design of the associated physical civil infrastructure limits the impact of a loss of availability of the Opti services. All Opti control systems are deployed with pre-configured failsafe positions and the ability to independently revert to these positions when disconnected from the cloud for an extended period of time, or when all power sources have failed. Failsafe positions are determined in consultation with the customer during the design phase of product deployment. Customers with physical access to the Opti control panel can also locally set the position of the valve through the Opti control panel at any time.
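The precedence rules stated in "No unpredictable fail-safes", "No machines in control" and this section can be written down as a small decision routine. The following is an added illustration, not Opti's gateway firmware; the 0.0-1.0 position scale, the timeout values, and the choice to check power before the local panel (a powerless panel cannot hold a setting) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CloudCommand:
    position: float       # requested valve position, 0.0 (closed) .. 1.0 (fully open)
    received_at: float    # gateway clock reading when the command arrived
    manual: bool = False  # True for a remote manual override, False for automatic control


@dataclass
class FailsafeController:
    failsafe_position: float  # position consistent with the civil design (assumed value)
    cloud_timeout_s: float    # silence from the cloud longer than this is "prolonged"
    sensor_timeout_s: float   # trusted sensor data older than this is "sensor trust loss"

    def decide(self, now: float, power_ok: bool, local_override: Optional[float],
               cloud_cmd: Optional[CloudCommand],
               last_trusted_sensor_at: Optional[float]) -> Tuple[float, str]:
        """Return (valve position, reason). Order of the checks encodes precedence:
        power loss -> local physical override -> cloud reachability -> remote manual
        -> sensor trust -> automatic control."""
        if not power_ok:
            # With all power sources gone the hardware reverts on its own.
            return self.failsafe_position, "failsafe:power-loss"
        if local_override is not None:
            # A setting made at the control panel always beats anything remote.
            return local_override, "local-override"
        if cloud_cmd is None or now - cloud_cmd.received_at > self.cloud_timeout_s:
            # Prolonged disconnection: revert rather than keep acting on stale commands.
            return self.failsafe_position, "failsafe:cloud-timeout"
        if cloud_cmd.manual:
            # Remote manual control takes precedence over automatic control.
            return cloud_cmd.position, "remote-manual"
        if last_trusted_sensor_at is None or now - last_trusted_sensor_at > self.sensor_timeout_s:
            # Automatic control must not act on sensor data it no longer trusts.
            return self.failsafe_position, "failsafe:sensor-trust-loss"
        return cloud_cmd.position, "automatic"


if __name__ == "__main__":
    ctl = FailsafeController(failsafe_position=1.0, cloud_timeout_s=900, sensor_timeout_s=600)
    # Constructed scenario: a fresh automatic command with recent trusted sensor data.
    print(ctl.decide(1000, True, None, CloudCommand(0.3, 950), 980))
    # Same command after 20 minutes of cloud silence: the valve reverts to the failsafe.
    print(ctl.decide(2200, True, None, CloudCommand(0.3, 950), 2150))
```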
Management Controls
Opti employs policies and procedures to operate in compliance with our design and operations security requirements.
Security Review and Upgrades
Review - Opti utilizes external third-party security auditing services to independently evaluate our security policies, approaches, services, and infrastructure.
We regularly test the encryption of our services via the publicly available services provided by Qualys SSL Labs and endeavor to maintain an Overall Rating of "A" as the requirements for enabling secure connections on the web continue to evolve.
Upgrades in Development Lifecycle - Opti plans and executes changes to the Opti Platform and the Opti Platform Products in Release Cycles. In a Release Cycle planning meeting, product managers and senior engineering managers evaluate all proposed changes and review potential conflicts between the requested changes and the existing experience being delivered by each product. A design document detailing the intended scope is produced from a template, which includes a section about security concerns of the change. Separate reviews may be conducted when a change influences access control systems or involves a new source of information in an alarm or control decision.
Opti uses the Git version control system to track changes to its codebase. Changes to the Opti Platform and any of the Opti Products go through a suite of automated tests and a senior code review before being approved as part of a new feature. Features are tested on an isolated QA environment that runs on infrastructure identical to production before being merged into the production branch. Senior software engineers have the ability to expedite this process to minimize delay in getting critical updates into production.
Risk Assessment and Management
Every Opti employee signs an Employee Confidentiality and Assignments Agreement that binds them to the terms of our data confidentiality policies. Access rights are based on an employee's job function and role. Only limited senior technical staff and IT administrators have access to critical systems.
Physical and Environmental Security at Opti offices
Our offices are secured via physically locked doors. At our corporate offices in Boston, all visitors are logged via a camera system inside the entrance. All company services are hosted in off-site public cloud data centers. No services accepting inbound network connections are hosted on premises. We monitor the availability of our office network and employ multiple WAN providers to maximize uptime.
Mobile Device Management
All employee computers are deployed with cloud-managed MDM software to protect company and customer data. Policies ensure that:
- The host operating system is up to date.
- Data is encrypted at rest.
- Devices require passwords after 15 minutes of inactivity.
- Passwords meet minimum length and complexity requirements.
- Anti-malware is running and up-to-date.
Compliance Standards
Data Center Security Compliance
All Opti-created Opti Platform Cloud Services are hosted in Microsoft Azure data centers that meet "a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards including Australia IRAP, UK G-Cloud, and Singapore MTCS." Our provider has "adopted the uniform international code of practice for cloud privacy, ISO/IEC 27018, which governs the processing of personal information by cloud service providers." Furthermore, our provider regularly conducts rigorous third-party audits, such as by the British Standards Institute, to verify adherence to the strict security controls these standards mandate. See https://azure.microsoft.com/en-us/overview/trusted-cloud/compliance/ for more details.
As of the Effective Date, Microsoft is compatible with the EU-US Privacy Shield Framework. For full details see: https://azure.microsoft.com/en-us/blog/microsoft-cloud-is-first-csp-behind-the-privacy-shield/.
This Security Statement was last updated on: January 9, 2024.