Date post: | 21-Jan-2015 |
Category: |
Technology |
Upload: | cgi |
View: | 4,096 times |
Download: | 0 times |
© Logica 2012. All rights reserved
Agenda DAY 1: 5 July 2012, Kings Place, London
Session 2: The Security Challenges
1630-1655 Privacy and Data Security Mark Durrant, Logica
1655-1720 Cyber and Infrastructure Security Alex Baxendale, Logica
1720-1740 DCC Update – The Logica Perspective Tara McGeehan, Logica
1740-1745 Closing Remarks Ana Domingues, Logica
1745-1800 Scott Moorhouse (Olympics) Scott Moorhouse
1800-1900 Informal Networking over drinks
Getting Smart! Smart Utilities: Smart Metering - Information Security and Data Protection
Mark Durrant | Information Security & Data Protection Officer
© Logica 2012. All rights reserved
• Technical Specifications have been developed and are to be published
• Government recently completed a consultation on data access and privacy which will be used to develop a framework for access to Smart Meter data
• Data privacy to be built in to the implementation programme – ‘Privacy by Design’
• Mass roll-out to commence in Q4 2014
Smart Metering – Where are we now
© Logica 2012. All rights reserved
Following types of Data will be processed
• Smart Meter ID Number
• Metadata re configuration of meter
• Description of message being transmitted (e.g. meter reading/tamper alert)
• Date and Time Stamp
• Message content (meter readings; alerts; network level information)
Personal Data under the Data Protection Act 1998
“…data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Consumer Access
Access Smart Meter Data through:
• In Home Display (IHD)
• HAN (13 months of consumption data)
• Monthly Bills from Supplier
• On line portals provided by the supplier
Supplier System must ensure
• Smart Meter Data is only visible to consumer within the home
• New occupants cannot view previous occupants Smart Meter Data
• Customer has choice as to level of data included in bills
• Suppliers must ensure security of portal and customer data can only be accessed by the account holder
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Supplier Access
There is a balance to be struck between the granularity of data to ensure the consumer benefits against protecting the consumers personal data
The government recommends the framework for Smart Meter Data includes:
• Monthly data an be obtained without consent for billing (monthly data can be used for other purposes provided the consumer can opt out)
• Daily data can be obtained provided the consumer can opt out
• Half-hourly data can be obtained if the customer opts in
• If the Smart Meter Data is to be used for marketing purposes the supplier must obtain explicit consent of the consumer
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Consumer Consent/Objections
Opt in their must be ‘Explicit Consent’ – this is not defined in the DPA
Draft EU Data Protection Regulation states:
• Given expressly
• A freely given and specific and informed indication of the data subjects wishes
• Shown by a statement or by a clear affirmative action (could include a tick box declaration on a website)
• Silence or inactivity should not indicate consent
• Government has proposed ‘Opt In’ consent should be in writing
For ‘Opt Out’
• Customer must be given clear information of what data will be collected and given the clear opportunity to object
• Objection can be made verbally or in writing and supplier will have to maintain records to show how they meet these requirements
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Exceptions to Supplier Access Framework
• Supplier has reasonable suspicion that theft is being committed
• Supplier requires information for the purposes of accurate billing (for example at change of tenancy/change of supplier/change of tariff events)
• To enable the supplier to address customer queries
• Suppliers can access half-hourly data for use in approved trials (provided consumer given clear opportunity to opt out)
• Suppliers can access readings at more frequent intervals for pre-payment customers as top-ups are made, provided this has been explained to the customer
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Third Party Access
Third parties can access Smart Meter Personal Data if:
• Received Direct from the customer
• Consumer has given consent for access via the DCC (third party must be a signatory of the Smart Energy Code (SEC)
Third parties must verify the identity of the individual to confirm the correct person is giving consent to access data
• Where access given by consumer – Third party should check that the person giving access is someone in the household i.e. someone who has access to the meter
• Where access is given via DCC – possible that a customer identification number will be sent to the customer by DCC which the customer forwards to the third party. Once received the third party forwards this to the DCC to complete the process
ICO will regulate Third Party compliance with the DPA
• May refer to SEC Panel any serious or repeated breaches of Data Protection
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Obligations on Data Processors (Comms/Data Providers)
A29 Working Party – Opinion 12/2011
• Possible communications and data processor providers could be data processor only, but if make decisions regarding whether personal data can be disclosed to a third party or can be processed for new purposes then will be acting as a data controller
European Commission Recommendation – 9.03.2012
• Should take all reasonable steps to ensure that data cannot be traced to an individual unless processed in compliance with the DPA principles
• As far as possible, data should be rendered anonymous in such a way that the individual is no longer identifiable before it is processed.
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Key Proposals
Increased Obligations for Processors
• Complex Contractual Obligations
• Maintain Documentation
• Joint and Severable Liability with Data Controller
Data Security Requirements
• Breach Notification ‘without undue delay’
Transborder Data Flows
• Binding Corporate Rules
Consequences of Non-Compliance
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Implications for Smart Metering
Privacy by Design and Default
• Not made accessible to an indefinite number of individuals
• Commission can impose technical standards
• Certification, seals and marks
Privacy Impact Assessments
• Consult with Data Subjects
• Consultation with the supervisory authority
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Key Messages
“Giving consumers informed, meaningful choices about the use of their data is vital to securing their trust”
“it’s vital people understand why access to their data is needed, and the value they get by giving their consent”
Smart Meters and Personal Data
© Logica 2012. All rights reserved
Any Questions?
Smart Meters and Personal Data
Getting Smart! Smart Utilities: Cyber and Infrastructure Security
Alex Baxendale | Security Practice
© Logica 2012. All rights reserved
DSP
CSP
Service
Assets and Impacts (CIA)
Ind. Privacy Privacy
Tariff
System Data?
Meter Readings
Critical Commands
Meter Service
© Logica 2012. All rights reserved
• A number of Threat Sources • With vested interest in compromising
the service • May seek to coerce others
• Various Motivations – Some Shared
Threat Sources
Hackers
Service
users
Consumers
Suppliers
CSP Staff
DSP Staff
Direct Motivation
Intruders
Developers
Threat Agents
A c c i d
e n t a
l v s D
e l i b e r a
t e Natural Disaster Strikes
Kudos
Cut Bills
Organised Crime
Commercial Org
FIS Terrorists Anarchists
Coercion Factors
Journalists
Fraud
Spying
CNI
Attack
Industrial
Espionage
Good Story
CNI
Attack
Industrial
Espionage
© Logica 2012. All rights reserved
Natural Disaster
Threat Vectors
War Dialling
Interface
Abuse
Rogue
instructionsIntrusion
Message
Interception/
tampering
© Logica 2012. All rights reserved
Security Principles
Proportional = Risk based & Fit for Purpose
KISS = Strive for Simplicity
Active Management
Utilise Security
KPI’s No Single Point of
Failure (SPOF)
Apply Strength in Depth
Standards Based Denied by
Default
Least Privilege = Need to have & Need to know Security Architecture i.e. SABSA
Regular Independent
Audit
Clear Governance regime
Controlled Environment
Patch Regularly
Continuous Reassessment and Improvement
Resilient
High TRL
© Logica 2012. All rights reserved
Unique?
• Analogous threats exist in other sectors
• These threats are being managed effectively
• Logica is a leader in these fields
Smart Meters Foundation
High Assurance Systems
Mission Critical
CNI Systems
Secure Commun-ications
Scaled Architectures
Secure Remote Devices
Smart Meters
© Logica 2012. All rights reserved
• Its sensitive (CIA) and challenging
• Trust is fundamental
• Between parties and of consumers!
• Security is ongoing
• Security must be objective, and
• proportional to risk
• Good governance and standards are essential!
• Applying lessons learned is key
Summary
© Logica 2012. All rights reserved
Maintaining the dialogue...
Logica is a business and technology service company, employing 39,000 people. It provides business consulting, systems integration and outsourcing to clients around the world, including many of Europe's largest businesses. Logica creates value for clients by successfully integrating people, business and technology. It is committed to long term collaboration, applying insight to create innovative answers to clients’ business needs. Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG). More information is available at www.logica.com. The company is a public company incorporated and domiciled in the UK. The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.
Alex Baxendale Security Architect E: [email protected]
Getting Smart! Smart Utilities: DCC Data Services Provider | The Heart of the GB Smart Enabled Energy Market
Tara McGeehan | Director | UK Utilities
© Logica 2012. All rights reserved
The Role of the Data Service Provider
Conventional Meter Owner
Smart Data Processor & Aggregator
Smart Metering System
Operator
Smart Meter Owner
Conventional Data Processor & Aggregator
Conventional Data Retriever
Conventional Meter
Operator
Smart Data Retriever
Consumer
Supplier
© Logica 2012. All rights reserved
WAN HAN
Responsibilities Across the Value Chain
Elec
Gas
IHD
Other devices
Comms Hub
DSP
DCC
CSP
Suppliers
Network Operators
Authorised Third Parties
DCC User Gateway
DSO MDMS
Supplier MDMS
Decision Analytics /
BPM
CS&B
Smart Grid Control
Smart Process
Management
Meter Manufacturers /
Customer Premises Equipment
Asset Funding
Meter Services
(Installation & Provision) (inc Comms
Asset Install)
Comms Networks
/ LAN/WAN
/ Data Carriage
SI Apps Dev Hosting
Access
© Logica 2012. All rights reserved
Enduring Foundation
Q4 2014
Q3 2014
Q2 2014
Q1 2014
Q4 2013
Q3 2013
Q2 2013
Q1 2013
Q4 2012
Q3 2012
Q2 2012
Q1 2012
Q4 2011
DECC SMIP Plan (Published 23/12/11)
Today
Q3 2011
Q2 2011
Dumb rental for SMETS compliant meters on CoS
Service Provider contract Award
Smart rental for SMETS compliant meters on CoS
Go-Live of Enduring Smart Market Arrangements
Service Provider Contract Decision
© Logica 2012. All rights reserved No.
27
Procurement timeline
DCC Service Provider Procurement Timetable
Q4 2011 Q1 2012
PQQ selection
Pre-dialogue (ITPD)
Discussions only
Outline Solutions (ISOS)
Bidder
response &
evaluation
Q2 2012 Q3 2012
Likely down-select
Detailed Solutions (ISDS)
Dialogue, response & evaluation
Q4 2012 Q1 2013
Likely down-select
Final Tender (ITSFT)
Dialogue, response &
evaluation
Q2 2013
Select
preferred
bidders
Award contracts
6
Today
© Logica 2012. All rights reserved
Our Partnership for the Data Service Provider to DCC SAP and QinetiQ
DCC Partnership Video
© Logica 2012. All rights reserved
Maintaining the dialogue...
Logica is a business and technology service company, employing 39,000 people. It provides business consulting, systems integration and outsourcing to clients around the world, including many of Europe's largest businesses. Logica creates value for clients by successfully integrating people, business and technology. It is committed to long term collaboration, applying insight to create innovative answers to clients’ business needs. Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG). More information is available at www.logica.com. The company is a public company incorporated and domiciled in the UK. The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.
Tara McGeehan Director | UK Utilities M: +44 7899 066 979 E: [email protected]