Analyst briefing session 2 the security challenges

Agenda
DAY 1: 5 July 2012, Kings Place, London
Session 2: The Security Challenges
1630-1655 Privacy and Data Security Mark Durrant, Logica
1655-1720 Cyber and Infrastructure Security Alex Baxendale,
Logica
1720-1740 DCC Update – The Logica Perspective Tara McGeehan,
Logica
1740-1745 Closing Remarks Ana Domingues,
Logica
1745-1800 Scott Moorhouse (Olympics) Scott Moorhouse

1800-1900 Informal Networking over drinks

© Logica 2012. All rights reserved

Getting Smart!

Smart Utilities:
Smart Metering - Information Security and Data Protection

Mark Durrant | Information Security & Data Protection Officer

Smart Metering – Where are we now

• Technical Specifications have been developed and are to be
published

• Government recently completed a consultation on data access and
privacy which will be used to develop a framework for access to
Smart Meter data

• Data privacy to be built in to the implementation programme –
‘Privacy by Design’

• Mass roll-out to commence in Q4 2014


Smart Meters and Personal Data

Following types of Data will be processed
• Smart Meter ID Number
• Metadata re configuration of meter
• Description of message being transmitted (e.g. meter
reading/tamper alert)
• Date and Time Stamp
• Message content (meter readings; alerts; network level
information)

Personal Data under the Data Protection Act 1998

“…data which relates to a living individual who can be identified from
those data, or from those data and other information which is in the
possession of, or is likely to come into the possession of, the data
controller”.



Consumer Access

Access Smart Meter Data through:
• In Home Display (IHD)
• HAN (13 months of consumption data)
• Monthly Bills from Supplier
• On line portals provided by the supplier

Supplier System must ensure
• Smart Meter Data is only visible to consumer within the home
• New occupants cannot view previous occupants Smart Meter Data
• Customer has choice as to level of data included in bills
• Suppliers must ensure security of portal and customer data can
only be accessed by the account holder



Supplier Access

There is a balance to be struck between the granularity of data to
ensure the consumer benefits against protecting the consumers
personal data

The government recommends the framework for Smart Meter Data
includes:
• Monthly data an be obtained without consent for billing (monthly
data can be used for other purposes provided the consumer can
opt out)
• Daily data can be obtained provided the consumer can opt out
• Half-hourly data can be obtained if the customer opts in

• If the Smart Meter Data is to be used for marketing purposes the
supplier must obtain explicit consent of the consumer



Consumer Consent/Objections

Opt in their must be ‘Explicit Consent’ – this is not defined in the DPA
Draft EU Data Protection Regulation states:
• Given expressly
• A freely given and specific and informed indication of the data subjects
wishes
• Shown by a statement or by a clear affirmative action (could include a tick
box declaration on a website)
• Silence or inactivity should not indicate consent
• Government has proposed ‘Opt In’ consent should be in writing

For ‘Opt Out’
• Customer must be given clear information of what data will be collected
and given the clear opportunity to object
• Objection can be made verbally or in writing and supplier will have to
maintain records to show how they meet these requirements



Exceptions to Supplier Access Framework

• Supplier has reasonable suspicion that theft is being committed
• Supplier requires information for the purposes of accurate billing
(for example at change of tenancy/change of supplier/change of
tariff events)
• To enable the supplier to address customer queries
• Suppliers can access half-hourly data for use in approved trials
(provided consumer given clear opportunity to opt out)
• Suppliers can access readings at more frequent intervals for pre-
payment customers as top-ups are made, provided this has been
explained to the customer


Third Party Access

Third parties can access Smart Meter Personal Data if:
• Received Direct from the customer
• Consumer has given consent for access via the DCC (third party must be a
signatory of the Smart Energy Code (SEC)

Third parties must verify the identity of the individual to confirm the correct
person is giving consent to access data
• Where access given by consumer – Third party should check that the
person giving access is someone in the household i.e. someone who has
access to the meter
• Where access is given via DCC – possible that a customer identification
number will be sent to the customer by DCC which the customer forwards
to the third party. Once received the third party forwards this to the DCC to
complete the process

ICO will regulate Third Party compliance with the DPA
• May refer to SEC Panel any serious or repeated breaches of Data Protection



Obligations on Data Processors (Comms/Data Providers)

A29 Working Party – Opinion 12/2011

• Possible communications and data processor providers could be
data processor only, but if make decisions regarding whether
personal data can be disclosed to a third party or can be processed
for new purposes then will be acting as a data controller

European Commission Recommendation – 9.03.2012

• Should take all reasonable steps to ensure that data cannot be
traced to an individual unless processed in compliance with the
DPA principles
• As far as possible, data should be rendered anonymous in such a
way that the individual is no longer identifiable before it is
processed.


Key Proposals

Increased Obligations for Processors
• Complex Contractual Obligations
• Maintain Documentation
• Joint and Severable Liability with Data Controller

Data Security Requirements
• Breach Notification ‘without undue delay’

Transborder Data Flows
• Binding Corporate Rules

Consequences of Non-Compliance



Implications for Smart Metering

Privacy by Design and Default
• Not made accessible to an indefinite number of individuals
• Commission can impose technical standards
• Certification, seals and marks

Privacy Impact Assessments
• Consult with Data Subjects
• Consultation with the supervisory authority



Key Messages

“Giving consumers informed, meaningful choices about the use of their data is
vital to securing their trust”

“it’s vital people understand why access to their data is needed, and the value
they get by giving their consent”



Any Questions?


Getting Smart!

Smart Utilities:
Cyber and Infrastructure Security

Alex Baxendale | Security Practice

Assets and Impacts (CIA)

Tariff

Ind.
Privacy
Privacy

System
Data?
Meter
Readings

Service
Service
Meter

Critical
Commands
CSP

DSP


Threat Sources
• A number of Threat Sources Cut Bills
• With vested interest in compromising
the service Kudos
• May seek to coerce others
• Various Motivations – Some Shared

Natural Disaster Strikes Hackers Consumers Intruders

A c cide ntal v s D eliberate
Direct Motivation
CNI
Attack DSP Staff

Terrorists FIS
Spying
Anarchists
Service
users
Industrial
Fraud Espionage CSP Staff

Organised Crime
Developers

Good Story

Journalists Suppliers
Commercial Org

Coercion Factors Threat Agents


Threat Vectors
Natural Disaster

War Dialling
Message
Interception/
tampering
Interface
Abuse

Rogue
instructions
Intrusion


Security Principles

Clear Governance regime
Apply
Strength
Controlled
in Depth KISS = Strive for Simplicity
Environment

Proportional = Risk based & Fit for Purpose
Standards Based
Denied by High TRL Utilise
Default Security
No Single Point of
Regular KPI’s
Failure (SPOF)
Independent
Resilient Audit Patch
Least Privilege = Regularly
Need to have &
Need to know Security Architecture i.e. SABSA

Active Management Continuous Reassessment
and Improvement

Unique?

Mission • Analogous threats
Critical High exist in other
CNI Assurance
Systems Systems sectors
• These threats are
Secure being managed
Commun- effectively
ications
Smart
Meters Smart Meters
Foundation
• Logica is a leader in
these fields

Scaled Secure
Architectures Remote
Devices


Summary

• Its sensitive (CIA) and challenging
• Trust is fundamental
• Between parties and of consumers!
• Security is ongoing

• Security must be objective, and
• proportional to risk
• Good governance and standards are essential!
• Applying lessons learned is key


Maintaining the dialogue...

Alex Baxendale
Security Architect

E: alex.baxendale@logica.com

Logica is a business and technology service company, employing 39,000 people. It provides business consulting,
systems integration and outsourcing to clients around the world, including many of Europe's largest businesses.
Logica creates value for clients by successfully integrating people, business and technology. It is committed to long
term collaboration, applying insight to create innovative answers to clients’ business needs.

Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG).
More information is available at www.logica.com.
The company is a public company incorporated and domiciled in the UK.
The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.

Getting Smart!

Smart Utilities:
DCC Data Services Provider |
The Heart of the GB Smart Enabled Energy Market
Tara McGeehan | Director | UK Utilities

The Role of the Data Service Provider
Conventional Smart Data
Meter Owner Processor &
Aggregator

Conventional Supplier Smart Data
Meter Retriever
Operator

Consumer

Conventional Smart
Data Retriever Metering
System
Operator

Conventional Smart Meter
Data Processor Owner
& Aggregator


Responsibilities Across the Value Chain
Meter Comms Decision
DSO Smart Grid
Meter Services Networks Analytics /
SI MDMS Control
Manufacturers / Asset (Installation / BPM
& Provision) Apps Dev Access
Customer Premises Funding LAN/WAN Smart
(inc Comms Hosting Supplier
Equipment Asset / Data CS&B Process
Carriage MDMS
Install) Management

Other
devices Suppliers

IHD Comms
DCC User
HAN Hub
WAN Gateway
Network
Operators

Elec
Authorised
CSP DSP Third Parties

Gas
DCC


DECC SMIP Plan (Published 23/12/11)

Smart rental for SMETS
compliant meters on CoS

Service Provider Contract
Decision

Service Provider contract
Award
Dumb rental for SMETS Go-Live of Enduring Smart
compliant meters on CoS Market Arrangements

Foundation Enduring
Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
2011 2011 2011 2012 2012 2012 2012 2013 2013 2013 2013 2014 2014 2014 2014

Today

DCC Service Provider
Procurement timeline
Procurement Timetable

Q4 2011 Q1 2012 Q2 2012 Q3 2012 Q4 2012 Q1 2013 Q2 2013

PQQ selection

Pre-dialogue
(ITPD)
Discussions only

Outline
Solutions
(ISOS)
Likely down-select
Bidder
response &
evaluation

Detailed Solutions (ISDS)
Likely down-select
Dialogue, response & evaluation

Final Tender (ITSFT)
Select
Dialogue, response & preferred
evaluation
bidders

Award contracts
Today
No. 6

Our Partnership for the Data Service Provider to DCC
SAP and QinetiQ

DCC Partnership Video


Maintaining the dialogue...

Tara McGeehan
Director | UK Utilities

M: +44 7899 066 979
E: tara.mcgeehan@logica.com

Logica is a business and technology service company, employing 39,000 people. It provides business consulting,
systems integration and outsourcing to clients around the world, including many of Europe's largest businesses.
Logica creates value for clients by successfully integrating people, business and technology. It is committed to long
term collaboration, applying insight to create innovative answers to clients’ business needs.

Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG).
More information is available at www.logica.com.
The company is a public company incorporated and domiciled in the UK.
The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.

Analyst briefing session 2 the security challenges

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Analyst briefing session 2 the security challenges

Ähnlich wie Analyst briefing session 2 the security challenges (20)

Mehr von CGI

Mehr von CGI (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Analyst briefing session 2 the security challenges