Analyst briefing session 2 the security challenges

1. Agenda
DAY 1: 5 July 2012, Kings Place, London
Session 2: The Security Challenges
1630-1655 Privacy and Data Security (Mark Durrant, Logica)
1655-1720 Cyber and Infrastructure Security (Alex Baxendale, Logica)
1720-1740 DCC Update – The Logica Perspective (Tara McGeehan, Logica)
1740-1745 Closing Remarks (Ana Domingues, Logica)
1745-1800 Scott Moorhouse (Olympics) (Scott Moorhouse)
1800-1900 Informal Networking over drinks
© Logica 2012. All rights reserved
2. Getting Smart! Smart Utilities: Smart Metering - Information Security and Data Protection
Mark Durrant | Information Security & Data Protection Officer
3. Smart Metering – Where are we now
• Technical Specifications have been developed and are to be published
• Government recently completed a consultation on data access and privacy which will be used to develop a framework for access to Smart Meter data
• Data privacy to be built in to the implementation programme – ‘Privacy by Design’
• Mass roll-out to commence in Q4 2014
4. Smart Meters and Personal Data
The following types of Data will be processed:
• Smart Meter ID Number
• Metadata re configuration of meter
• Description of message being transmitted (e.g. meter reading/tamper alert)
• Date and Time Stamp
• Message content (meter readings; alerts; network level information)
Personal Data under the Data Protection Act 1998: “…data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.
5. Smart Meters and Personal Data: Consumer Access
Consumers access Smart Meter Data through:
• In Home Display (IHD)
• HAN (13 months of consumption data)
• Monthly Bills from Supplier
• Online portals provided by the supplier
The Supplier System must ensure:
• Smart Meter Data is only visible to the consumer within the home
• New occupants cannot view the previous occupant's Smart Meter Data
• The customer has a choice as to the level of data included in bills
• Suppliers must ensure the security of the portal and that customer data can only be accessed by the account holder
6. Smart Meters and Personal Data: Supplier Access
There is a balance to be struck between the granularity of data needed to ensure the consumer benefits and protecting the consumer's personal data.
The government recommends the framework for Smart Meter Data includes:
• Monthly data can be obtained without consent for billing (monthly data can be used for other purposes provided the consumer can opt out)
• Daily data can be obtained provided the consumer can opt out
• Half-hourly data can be obtained if the customer opts in
• If the Smart Meter Data is to be used for marketing purposes the supplier must obtain the explicit consent of the consumer
7. Smart Meters and Personal Data: Consumer Consent/Objections
Opt in: there must be ‘Explicit Consent’ – this is not defined in the DPA. The draft EU Data Protection Regulation states that consent must be:
• Given expressly
• A freely given, specific and informed indication of the data subject's wishes
• Shown by a statement or by a clear affirmative action (could include a tick box declaration on a website)
• Silence or inactivity should not indicate consent
• Government has proposed ‘Opt In’ consent should be in writing
For ‘Opt Out’:
• The customer must be given clear information on what data will be collected and a clear opportunity to object
• Objection can be made verbally or in writing, and the supplier will have to maintain records to show how they meet these requirements
8. Smart Meters and Personal Data: Exceptions to Supplier Access Framework
• Supplier has reasonable suspicion that theft is being committed
• Supplier requires information for the purposes of accurate billing (for example at change of tenancy/change of supplier/change of tariff events)
• To enable the supplier to address customer queries
• Suppliers can access half-hourly data for use in approved trials (provided the consumer is given a clear opportunity to opt out)
• Suppliers can access readings at more frequent intervals for pre-payment customers as top-ups are made, provided this has been explained to the customer
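As an added example (not from the slides, Logica or DECC), the following Python encodes the supplier access framework from slides 6 and 8 as a single access check and keeps the decision records slide 7 says a supplier must be able to produce; the consent field names, the exception labels and the sample consent state are assumptions.

```python
# Added example: encodes the supplier access framework on slides 6 and 8 as one
# access check and keeps the decision records slide 7 requires. Field names,
# exception labels and the consent state are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

GRANULARITIES = ("monthly", "daily", "half_hourly")
PURPOSES = ("billing", "other", "marketing")
# Slide 8 cases that permit access regardless of the consent tier.
UNCONDITIONAL_EXCEPTIONS = ("theft_suspicion", "billing_event", "customer_query")


@dataclass
class Consent:
    """Per-customer consent state (assumed field names)."""
    opted_out_monthly_other: bool = False       # monthly data for non-billing use
    opted_out_daily: bool = False               # daily data
    opted_in_half_hourly_in_writing: bool = False
    explicit_marketing_consent: bool = False
    opted_out_trial: bool = False               # approved trial using half-hourly data
    prepayment_explained: bool = False          # frequent reads at top-up explained


AUDIT_LOG = []  # one record per decision, to evidence compliance (slide 7)


def check_access(granularity: str, purpose: str, consent: Consent,
                 exception: Optional[str] = None) -> bool:
    """Return True if the supplier may obtain data at this granularity."""
    if granularity not in GRANULARITIES or purpose not in PURPOSES:
        raise ValueError("unknown granularity or purpose")
    if purpose == "marketing":
        # Slide 6: marketing use always needs the consumer's explicit consent.
        allowed, basis = consent.explicit_marketing_consent, "marketing: explicit consent"
    elif exception in UNCONDITIONAL_EXCEPTIONS:
        allowed, basis = True, "exception: " + exception
    elif exception == "approved_trial" and granularity == "half_hourly":
        allowed, basis = not consent.opted_out_trial, "approved trial with opt-out"
    elif exception == "prepayment_topup" and consent.prepayment_explained:
        allowed, basis = True, "pre-payment reads explained to customer"
    elif granularity == "monthly":
        allowed = purpose == "billing" or not consent.opted_out_monthly_other
        basis = "monthly: billing without consent, other uses with opt-out"
    elif granularity == "daily":
        allowed, basis = not consent.opted_out_daily, "daily: opt-out"
    else:
        allowed = consent.opted_in_half_hourly_in_writing
        basis = "half-hourly: written opt-in"
    AUDIT_LOG.append({"granularity": granularity, "purpose": purpose,
                      "exception": exception, "allowed": allowed, "basis": basis})
    return allowed
```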
9. Smart Meters and Personal Data: Third Party Access
Third parties can access Smart Meter Personal Data if:
• Received direct from the customer
• The consumer has given consent for access via the DCC (the third party must be a signatory of the Smart Energy Code (SEC))
Third parties must verify the identity of the individual to confirm the correct person is giving consent to access data:
• Where access is given by the consumer – the third party should check that the person giving access is someone in the household, i.e. someone who has access to the meter
• Where access is given via the DCC – it is possible that a customer identification number will be sent to the customer by the DCC, which the customer forwards to the third party. Once received, the third party forwards this to the DCC to complete the process
The ICO will regulate Third Party compliance with the DPA:
• May refer to the SEC Panel any serious or repeated breaches of Data Protection
10. Smart Meters and Personal Data: Obligations on Data Processors (Comms/Data Providers)
A29 Working Party – Opinion 12/2011
• Communications and data processor providers could possibly be data processors only, but if they make decisions regarding whether personal data can be disclosed to a third party or can be processed for new purposes then they will be acting as a data controller
European Commission Recommendation – 9.03.2012
• Should take all reasonable steps to ensure that data cannot be traced to an individual unless processed in compliance with the DPA principles
• As far as possible, data should be rendered anonymous in such a way that the individual is no longer identifiable before it is processed
11. Smart Meters and Personal Data: Key Proposals
Increased Obligations for Processors
• Complex Contractual Obligations
• Maintain Documentation
• Joint and Several Liability with Data Controller
Data Security Requirements
• Breach Notification ‘without undue delay’
Transborder Data Flows
• Binding Corporate Rules
Consequences of Non-Compliance
12. Smart Meters and Personal Data: Implications for Smart Metering
Privacy by Design and Default
• Not made accessible to an indefinite number of individuals
• Commission can impose technical standards
• Certification, seals and marks
Privacy Impact Assessments
• Consult with Data Subjects
• Consultation with the supervisory authority
13. Smart Meters and Personal Data: Key Messages
“Giving consumers informed, meaningful choices about the use of their data is vital to securing their trust”
“it’s vital people understand why access to their data is needed, and the value they get by giving their consent”
14. Smart Meters and Personal Data: Any Questions?
15. Getting Smart! Smart Utilities: Cyber and Infrastructure Security
Alex Baxendale | Security Practice
16. Assets and Impacts (CIA)
[Diagram: assets and the impacts on them, labelled Tariff, Individual Privacy, Privacy, System Data?, Meter Readings, Service, Meter Critical Commands, CSP, DSP]
17. Threat Sources
• A number of Threat Sources
  • With vested interest in compromising the service
  • May seek to coerce others
• Various Motivations – Some Shared
[Diagram: threat agents (Natural Disaster, Strikes, Hackers, Consumers, Intruders, DSP Staff, Terrorists, FIS, Anarchists, Service users, CSP Staff, Organised Crime, Developers, Journalists, Suppliers, Commercial Org); direct motivations (Cut Bills, Kudos, CNI Attack, Spying, Industrial Espionage, Fraud, Good Story); factors (Accidental vs Deliberate, Coercion)]
18. Threat Vectors
• Natural Disaster
• War Dialling
• Message Interception/tampering
• Interface Abuse
• Rogue instructions
• Intrusion
19. Security Principles
• Clear Governance regime
• Apply Strength in Depth
• Controlled Environment
• KISS = Strive for Simplicity
• Proportional = Risk based & Fit for Purpose
• Standards Based
• Denied by Default
• Utilise High TRL Security
• No Single Point of Failure (SPOF)
• Regular KPIs
• Independent Audit
• Resilient
• Patch Regularly
• Least Privilege = Need to have & Need to know
• Security Architecture, i.e. SABSA
• Active Management
• Continuous Reassessment and Improvement
20. Unique?
• Analogous threats exist in other CNI sectors
• These threats are being managed effectively
• Logica is a leader in these fields
[Diagram: Smart Meters at the centre, surrounded by Mission Critical Systems, High Assurance Systems, Secure Communications, Scaled Secure Architectures, Remote Devices and Foundation]
21. Summary
• It's sensitive (CIA) and challenging
• Trust is fundamental
  • Between parties and of consumers!
• Security is ongoing
• Security must be objective, and proportional to risk
• Good governance and standards are essential!
• Applying lessons learned is key
22. Maintaining the dialogue...
Alex Baxendale
Security Architect
E: alex.baxendale@logica.com
Logica is a business and technology service company, employing 39,000 people. It provides business consulting, systems integration and outsourcing to clients around the world, including many of Europe's largest businesses. Logica creates value for clients by successfully integrating people, business and technology. It is committed to long term collaboration, applying insight to create innovative answers to clients’ business needs. Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG). More information is available at www.logica.com. The company is a public company incorporated and domiciled in the UK. The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.
23. Getting Smart! Smart Utilities: DCC Data Services Provider | The Heart of the GB Smart Enabled Energy Market
Tara McGeehan | Director | UK Utilities
24. The Role of the Data Service Provider
[Diagram mapping the conventional roles (Meter Owner, Supplier, Meter Operator, Metering System Operator, Consumer) to the smart data roles (Data Processor & Aggregator, Data Retriever)]
25. Responsibilities Across the Value Chain
[Diagram of the value chain: Customer Premises (Smart Equipment inc Comms Hosting, IHD, Other devices, HAN, Comms Hub); Meter Manufacturers; Meter Services (Installation / Asset Provision); Comms Networks (LAN/WAN, WAN, Network Operators, CSP); Decision Analytics / Apps Dev; SI; MDMS; BPM & Access; Asset / Data Management; Process Carriage; CS&B; DSO / Smart Grid Control; DSP; DCC User Gateway; Suppliers; Funding; Authorised Third Parties; Elec and Gas; DCC]
26. DECC SMIP Plan (Published 23/12/11)
[Timeline from Q2 2011 to Q4 2014, split into Foundation and Enduring phases, with milestones: Service Provider Contract Decision; Service Provider contract Award; Dumb rental for SMETS compliant meters on CoS; Smart rental for SMETS compliant meters on CoS; Go-Live of Enduring Smart Market Arrangements. "Today" is marked on the timeline]
27. DCC Service Provider Procurement timeline
Procurement Timetable, Q4 2011 to Q2 2013:
• PQQ selection
• Pre-dialogue (ITPD): Discussions only
• Outline Solutions (ISOS): Bidder response & evaluation; likely down-select
• Detailed Solutions (ISDS): Dialogue, response & evaluation; likely down-select
• Final Tender (ITSFT): Dialogue, response & evaluation; select preferred bidders
• Award contracts
"Today" is marked on the timeline.
28. Our Partnership for the Data Service Provider to DCC: SAP and QinetiQ
DCC Partnership Video
29. Maintaining the dialogue...
Tara McGeehan
Director | UK Utilities
M: +44 7899 066 979
E: tara.mcgeehan@logica.com
