
Analyst briefing session 2 the security challenges


Page 1: Analyst briefing session 2   the security challenges

© Logica 2012. All rights reserved

Agenda DAY 1: 5 July 2012, Kings Place, London

Session 2: The Security Challenges

1630-1655 Privacy and Data Security Mark Durrant, Logica

1655-1720 Cyber and Infrastructure Security Alex Baxendale, Logica

1720-1740 DCC Update – The Logica Perspective Tara McGeehan, Logica

1740-1745 Closing Remarks Ana Domingues, Logica

1745-1800 Scott Moorhouse (Olympics) Scott Moorhouse

1800-1900 Informal Networking over drinks

Page 2: Analyst briefing session 2   the security challenges

Getting Smart! Smart Utilities: Smart Metering - Information Security and Data Protection

Mark Durrant | Information Security & Data Protection Officer

Page 3: Analyst briefing session 2   the security challenges

• Technical Specifications have been developed and are to be published

• Government recently completed a consultation on data access and privacy which will be used to develop a framework for access to Smart Meter data

• Data privacy to be built in to the implementation programme – ‘Privacy by Design’

• Mass roll-out to commence in Q4 2014

Smart Metering – Where are we now

Page 4: Analyst briefing session 2   the security challenges

Following types of Data will be processed

• Smart Meter ID Number

• Metadata re configuration of meter

• Description of message being transmitted (e.g. meter reading/tamper alert)

• Date and Time Stamp

• Message content (meter readings; alerts; network level information)

Personal Data under the Data Protection Act 1998

“…data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.

Smart Meters and Personal Data

Page 5: Analyst briefing session 2   the security challenges

Consumer Access

Access Smart Meter Data through:

• In Home Display (IHD)

• HAN (13 months of consumption data)

• Monthly Bills from Supplier

• On line portals provided by the supplier

Supplier System must ensure

• Smart Meter Data is only visible to consumer within the home

• New occupants cannot view previous occupants' Smart Meter Data

• Customer has choice as to level of data included in bills

• Suppliers must ensure security of portal and customer data can only be accessed by the account holder

Smart Meters and Personal Data

Page 6: Analyst briefing session 2   the security challenges

Supplier Access

A balance must be struck between the granularity of data needed to ensure consumer benefits and the protection of the consumer's personal data

The government recommends the framework for Smart Meter Data includes:

• Monthly data can be obtained without consent for billing (monthly data can be used for other purposes provided the consumer can opt out)

• Daily data can be obtained provided the consumer can opt out

• Half-hourly data can be obtained if the customer opts in

• If the Smart Meter Data is to be used for marketing purposes the supplier must obtain explicit consent of the consumer

Smart Meters and Personal Data

Page 7: Analyst briefing session 2   the security challenges

Consumer Consent/Objections

For ‘Opt In’ there must be ‘Explicit Consent’ – this is not defined in the DPA

Draft EU Data Protection Regulation states:

• Given expressly

• A freely given, specific and informed indication of the data subject's wishes

• Shown by a statement or by a clear affirmative action (could include a tick box declaration on a website)

• Silence or inactivity should not indicate consent

• Government has proposed ‘Opt In’ consent should be in writing

For ‘Opt Out’

• Customer must be given clear information of what data will be collected and given the clear opportunity to object

• Objection can be made verbally or in writing and supplier will have to maintain records to show how they meet these requirements

Smart Meters and Personal Data

Page 8: Analyst briefing session 2   the security challenges

Exceptions to Supplier Access Framework

• Supplier has reasonable suspicion that theft is being committed

• Supplier requires information for the purposes of accurate billing (for example at change of tenancy/change of supplier/change of tariff events)

• To enable the supplier to address customer queries

• Suppliers can access half-hourly data for use in approved trials (provided consumer given clear opportunity to opt out)

• Suppliers can access readings at more frequent intervals for pre-payment customers as top-ups are made, provided this has been explained to the customer

Smart Meters and Personal Data

Page 9: Analyst briefing session 2   the security challenges

Third Party Access

Third parties can access Smart Meter Personal Data if:

• Received Direct from the customer

• Consumer has given consent for access via the DCC (third party must be a signatory of the Smart Energy Code (SEC))

Third parties must verify the identity of the individual to confirm the correct person is giving consent to access data

• Where access given by consumer – Third party should check that the person giving access is someone in the household i.e. someone who has access to the meter

• Where access is given via DCC – possible that a customer identification number will be sent to the customer by DCC which the customer forwards to the third party. Once received the third party forwards this to the DCC to complete the process

ICO will regulate Third Party compliance with the DPA

• May refer to SEC Panel any serious or repeated breaches of Data Protection

Smart Meters and Personal Data

Page 10: Analyst briefing session 2   the security challenges

Obligations on Data Processors (Comms/Data Providers)

A29 Working Party – Opinion 12/2011

• Communications and data service providers could be data processors only, but if they make decisions on whether personal data can be disclosed to a third party or processed for new purposes, they will be acting as a data controller

European Commission Recommendation – 9.03.2012

• Should take all reasonable steps to ensure that data cannot be traced to an individual unless processed in compliance with the DPA principles

• As far as possible, data should be rendered anonymous in such a way that the individual is no longer identifiable before it is processed.

Smart Meters and Personal Data

Page 11: Analyst briefing session 2   the security challenges

Key Proposals

Increased Obligations for Processors

• Complex Contractual Obligations

• Maintain Documentation

• Joint and Several Liability with Data Controller

Data Security Requirements

• Breach Notification ‘without undue delay’

Transborder Data Flows

• Binding Corporate Rules

Consequences of Non-Compliance

Smart Meters and Personal Data

Page 12: Analyst briefing session 2   the security challenges

Implications for Smart Metering

Privacy by Design and Default

• Not made accessible to an indefinite number of individuals

• Commission can impose technical standards

• Certification, seals and marks

Privacy Impact Assessments

• Consult with Data Subjects

• Consultation with the supervisory authority

Smart Meters and Personal Data

Page 13: Analyst briefing session 2   the security challenges

Key Messages

“Giving consumers informed, meaningful choices about the use of their data is vital to securing their trust”

“it’s vital people understand why access to their data is needed, and the value they get by giving their consent”

Smart Meters and Personal Data

Page 14: Analyst briefing session 2   the security challenges

Any Questions?

Smart Meters and Personal Data

Page 15: Analyst briefing session 2   the security challenges

Getting Smart! Smart Utilities: Cyber and Infrastructure Security

Alex Baxendale | Security Practice

Page 16: Analyst briefing session 2   the security challenges

Assets and Impacts (CIA)

Diagram labels: DSP; CSP; Service; Ind. Privacy; Privacy; Tariff; System Data?; Meter Readings; Critical Commands; Meter Service

Page 17: Analyst briefing session 2   the security challenges

• A number of Threat Sources

• With vested interest in compromising the service

• May seek to coerce others

• Various Motivations – Some Shared

Threat Sources

Diagram labels: Hackers; Service users; Consumers; Suppliers; CSP Staff; DSP Staff; Direct Motivation; Intruders; Developers; Threat Agents; Accidental vs Deliberate; Natural Disaster; Strikes; Kudos; Cut Bills; Organised Crime; Commercial Org; FIS; Terrorists; Anarchists; Coercion Factors; Journalists; Fraud; Spying; CNI Attack; Industrial Espionage; Good Story

Page 18: Analyst briefing session 2   the security challenges

Threat Vectors

• Natural Disaster

• War Dialling

• Interface Abuse

• Rogue instructions

• Intrusion

• Message Interception/tampering

Page 19: Analyst briefing session 2   the security challenges

Security Principles

• Proportional = Risk based & Fit for Purpose

• KISS = Strive for Simplicity

• Active Management

• Utilise Security KPIs

• No Single Point of Failure (SPOF)

• Apply Strength in Depth

• Standards Based

• Denied by Default

• Least Privilege = Need to have & Need to know

• Security Architecture i.e. SABSA

• Regular Independent Audit

• Clear Governance regime

• Controlled Environment

• Patch Regularly

• Continuous Reassessment and Improvement

• Resilient

• High TRL

Page 20: Analyst briefing session 2   the security challenges

Unique?

• Analogous threats exist in other sectors

• These threats are being managed effectively

• Logica is a leader in these fields

Diagram labels: Smart Meters Foundation; High Assurance Systems; Mission Critical; CNI Systems; Secure Communications; Scaled Architectures; Secure Remote Devices; Smart Meters

Page 21: Analyst briefing session 2   the security challenges

• It's sensitive (CIA) and challenging

• Trust is fundamental

• Between parties and of consumers!

• Security is ongoing

• Security must be objective, and proportional to risk

• Good governance and standards are essential!

• Applying lessons learned is key

Summary

Page 22: Analyst briefing session 2   the security challenges

Maintaining the dialogue...

Logica is a business and technology service company, employing 39,000 people. It provides business consulting, systems integration and outsourcing to clients around the world, including many of Europe's largest businesses. Logica creates value for clients by successfully integrating people, business and technology. It is committed to long term collaboration, applying insight to create innovative answers to clients’ business needs. Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG). More information is available at www.logica.com. The company is a public company incorporated and domiciled in the UK. The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.

Alex Baxendale Security Architect E: [email protected]

Page 23: Analyst briefing session 2   the security challenges

Getting Smart! Smart Utilities: DCC Data Services Provider | The Heart of the GB Smart Enabled Energy Market

Tara McGeehan | Director | UK Utilities

Page 24: Analyst briefing session 2   the security challenges

The Role of the Data Service Provider

Diagram labels: Conventional Meter Owner; Smart Data Processor & Aggregator; Smart Metering System Operator; Smart Meter Owner; Conventional Data Processor & Aggregator; Conventional Data Retriever; Conventional Meter Operator; Smart Data Retriever; Consumer; Supplier

Page 25: Analyst briefing session 2   the security challenges

Responsibilities Across the Value Chain

Diagram labels: WAN; HAN; Elec; Gas; IHD; Other devices; Comms Hub; DSP; DCC; CSP; Suppliers; Network Operators; Authorised Third Parties; DCC User Gateway; DSO MDMS; Supplier MDMS; Decision Analytics / BPM; CS&B; Smart Grid Control; Smart Process Management; Meter Manufacturers / Customer Premises Equipment; Asset Funding; Meter Services (Installation & Provision) (inc Comms Asset Install); Comms Networks / LAN/WAN / Data Carriage; SI Apps Dev Hosting; Access

Page 26: Analyst briefing session 2   the security challenges

DECC SMIP Plan (Published 23/12/11)

Timeline chart running from Q2 2011 to Q4 2014, with "Today" marked and the Foundation and Enduring phases shown. Milestones labelled on the chart:

• Dumb rental for SMETS compliant meters on CoS

• Service Provider contract Award

• Smart rental for SMETS compliant meters on CoS

• Go-Live of Enduring Smart Market Arrangements

• Service Provider Contract Decision

Page 27: Analyst briefing session 2   the security challenges

Procurement timeline

DCC Service Provider Procurement Timetable

Q4 2011 – Q1 2012

• PQQ selection

• Pre-dialogue (ITPD): Discussions only

• Outline Solutions (ISOS): Bidder response & evaluation

Q2 2012 – Q3 2012

• Likely down-select

• Detailed Solutions (ISDS): Dialogue, response & evaluation

Q4 2012 – Q1 2013

• Likely down-select

• Final Tender (ITSFT): Dialogue, response & evaluation

Q2 2013

• Select preferred bidders

• Award contracts

"Today" is marked on the timeline.

Page 28: Analyst briefing session 2   the security challenges

Our Partnership for the Data Service Provider to DCC SAP and QinetiQ

DCC Partnership Video

Page 29: Analyst briefing session 2   the security challenges

Maintaining the dialogue...

Tara McGeehan Director | UK Utilities M: +44 7899 066 979 E: [email protected]