Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/453394
Utility Week, 30th January - 5th February 2015, page 14 | Policy & Regulation | Market view

Get real on data protection

The success of smart metering relies on effective information security and data protection, yet clarity on best practice and compliance in the UK is questionable, says Chris MacCallum.

Key points
• There are still issues to resolve around information security ahead of the UK's national smart meter rollout.
• A "privacy by design" approach is required.
• Participants in the smart metering system must make sure they are compliant with ISO 27001. This includes third party suppliers.
• 2015 will see finalisation of the European General Data Protection Regulation, which may include a potential penalty for non-compliance of 5 per cent of global annual turnover.

The recent revelation that the smart meters widely used in Spain can be hacked will give more ammunition to opponents of the rollout of devices in homes across Europe. Independent researchers who tested the security of the Spanish meters were able to find the encryption keys used to scramble information that the meters share with the nation's power distribution system. The potential risks to both the consumer and the Spanish power network from malicious hacking attacks have since been the subject of much debate in the country.

The superior technology that will be used in the UK's smart energy meter rollout means they should not be vulnerable to a similar attack, but the Spanish case renews focus on the issue of information security. The major industry initiatives under way, including the smart meter rollout, the move to next day switching and the opening up of retail competition in the water industry, all pose challenges to stakeholders in terms of data security.

In an increasingly connected world where threats from cyber criminals continue to increase in number and sophistication, information security, assurance and data protection have become crucial for both public acceptance and effective operation of new initiatives. Concerns over data protection in countries that have already started installing smart meters on a large scale, for example, have in some cases led to delays and the need for retrospective changes.

Ensuring appropriate controls, policies and procedures around data collection and availability is essential, and a "privacy by design" approach is increasingly being adopted in the development of major industry initiatives, including smart meter rollouts. Such an approach aims to consider and embed privacy issues into the overall design of a programme from the outset.

Given the scale of additional data that will be generated by developments such as smart metering, it is vital to ensure that this information does not fall into the wrong hands and is appropriately protected for processing, storage and transmission. Encryption issues need to be addressed to ensure data communicated wirelessly or over networks cannot be used to identify consumers or reveal sensitive information. Data protection measures such as access controls, and protocols for how long data can be retained and how it should be disposed of, are also important issues. As well as facilitating cost savings for the organisation storing and processing the data, these measures will identify risks when undertaken in accordance with an effective privacy impact assessment, and will therefore help ensure compliance with legislative and regulatory requirements.

Data minimisation, to ensure that the collection, use, disclosure and retention of personal information is proportionate and no more than necessary, and data anonymisation, to protect individual consumers from the risk of harm following a data breach, are further considerations.

Robust data privacy and protection also increasingly go hand-in-hand with information security governance, such as compliance with ISO 27001. Because the primary objective of ISO 27001 is to help establish and maintain an effective information security management system, it can provide a solid foundation for organisations and businesses to build a governance, risk and compliance framework, as well as a way to manage technical security. The process of working towards ISO 27001 helps organisations understand and manage information risks in a business context. As well as protecting the business from loss or breach of information, it helps organisations take clear, informed and cost-effective decisions on security controls and risk mitigation.

Given that ISO 27001 is the primary security standard required of many organisations under Great Britain's Smart Energy Code, businesses looking to benefit from the smart meter rollout need to ensure they are compliant sooner rather than later. In many circumstances, that applies not just to the main parties who have signed the code but also to their third party suppliers.

A well thought out approach to information security governance and data protection will also help utility firms and their suppliers ahead of an important change looming on the horizon in the form of the European General Data Protection Regulation, which is expected to be passed in 2015. The final details of the new regulation are not yet clear, but there is no doubt that it will represent a step-change in data privacy and protection, and will require businesses to be more proactive about how they capture and store data, and how they prevent potential breaches. The regulation is expected to introduce a requirement to notify authorities of any breaches, extending to what might currently be considered minor incidents.

A major concern will be around penalties for compliance failures. While the level has not yet been finalised, it could see fines of up to 5 per cent of global annual turnover, potentially a significant increase from the current £500,000 maximum in the UK. The new regulation will also place more responsibility on the supply chain, something particularly relevant to those involved in the rollout of smart meters.

Chris MacCallum, information security consultant at Red Island, the information security practice of Gemserv