CPower High-Level Security

CPower Security Stance High-Level

Security Overview

ANAB
      • CPower is ISO27001:2013 Certified
      • CPower works only within SOC 2 compliant datacenters
      • Networking is done using Palo Alto Next Generation Firewalls with advanced IPS systems
      • Partnered for 3 years with a security consultancy to ensure we stay within best practices and within the guidelines of the NIST and CIP security frameworks
      • 24 x 7 Security Operations Center (SOC)
        • Intrusion detection & prevention
        • Virus detection & prevention (EDR)
        • Bi-Weekly security reviews

Users

Password Policy
Mandatory password policies are enforced for all users. Current requirements are the following:

      • Change passwords every 90 days
      • Use a minimum of 12 characters
      • Include 3 of the 4 following: uppercase, lowercase, special characters, numbers
      • CPower provides an encrypted, cloud-based password manager for each employee, which can also generate secure passwords

Employee Cyber Security
Employee training is performed on current cyber security risks, and evaluations are performed to ensure compliance with our cyber security policies.

User Privilege
Users are provided individual accounts and individual workstations. ‘Least access’ privilege is enforced across the environment, using a tiered access model. Any elevated access is done via an admin-specific account. Access to new assets is actively monitored and reported.

Servers and Workstations

Security Patches
CPower adheres to best practices to deploy patches on a regular basis. Patches are assessed on a case-by-case basis for severity, and downtime patching is scheduled accordingly.

Access Security and Anti-Virus
All workstations are secured with BitLocker encryption, monitored with InsightIDR from Rapid7, and protected by next-generation AI virus protection with live update.

Encryption
CPower utilizes an Oracle database for customer data that is fully encrypted at rest.

Customer Site Equipment Security

Physical security
The CPower CMS (CPower Monitoring System) is secured externally with tamper-evident seals. Internally, the Ethernet cable between our data logger and cellular device is secured with RJ45 locks, reducing the ability of a 3rd party to tamper with the connections.

Cellular security
The external IP of our cellular device is an RFC 1918 private IP address. This is not accessible via any public network, which makes external connections from non-CPower IP addresses impossible. The secure arrangement with our Mobile Virtual Network Operator (MVNO) ensures the device is connected only via a VPN tunnel. A Class B, 10 dot subnet is utilized for IP address space on the cellular modems, and as an additional security element, our MVNO implements a Layer 2 restriction to prevent the cellular modems from communicating with each other.

Meter data
The data logger located in the CMS (CPower Monitoring System) transmits the data it collects to CPower via HTTPS over our secured cellular network.

CPower Link API
The Link client running in our CMS unit communicates with CPower event dispatch systems over our secure cellular network. It reauthenticates with our systems every 24 hours, securing a new, unique 128-bit session key for each 24-hour session. The service itself is encrypted in flight with HTTPS, runs over our secure cellular service, and is never exposed to public networks.