Más contenido relacionado La actualidad más candente (20) Similar a Analyst briefing session 2 the security challenges (20) Analyst briefing session 2 the security challenges1. Agenda
DAY 1: 5 July 2012, Kings Place, London
Session 2: The Security Challenges
1630-1655 Privacy and Data Security Mark Durrant, Logica
1655-1720 Cyber and Infrastructure Security Alex Baxendale,
Logica
1720-1740 DCC Update – The Logica Perspective Tara McGeehan,
Logica
1740-1745 Closing Remarks Ana Domingues,
Logica
1745-1800 Scott Moorhouse (Olympics) Scott Moorhouse
1800-1900 Informal Networking over drinks
© Logica 2012. All rights reserved
3. Smart Metering – Where are we now
• Technical Specifications have been developed and are to be
published
• Government recently completed a consultation on data access and
privacy which will be used to develop a framework for access to
Smart Meter data
• Data privacy to be built in to the implementation programme –
‘Privacy by Design’
• Mass roll-out to commence in Q4 2014
© Logica 2012. All rights reserved
4. Smart Meters and Personal Data
Following types of Data will be processed
• Smart Meter ID Number
• Metadata re configuration of meter
• Description of message being transmitted (e.g. meter
reading/tamper alert)
• Date and Time Stamp
• Message content (meter readings; alerts; network level
information)
Personal Data under the Data Protection Act 1998
“…data which relates to a living individual who can be identified from
those data, or from those data and other information which is in the
possession of, or is likely to come into the possession of, the data
controller”.
© Logica 2012. All rights reserved
5. Smart Meters and Personal Data
Consumer Access
Access Smart Meter Data through:
• In Home Display (IHD)
• HAN (13 months of consumption data)
• Monthly Bills from Supplier
• On line portals provided by the supplier
Supplier System must ensure
• Smart Meter Data is only visible to consumer within the home
• New occupants cannot view previous occupants Smart Meter Data
• Customer has choice as to level of data included in bills
• Suppliers must ensure security of portal and customer data can
only be accessed by the account holder
© Logica 2012. All rights reserved
6. Smart Meters and Personal Data
Supplier Access
There is a balance to be struck between the granularity of data to
ensure the consumer benefits against protecting the consumers
personal data
The government recommends the framework for Smart Meter Data
includes:
• Monthly data an be obtained without consent for billing (monthly
data can be used for other purposes provided the consumer can
opt out)
• Daily data can be obtained provided the consumer can opt out
• Half-hourly data can be obtained if the customer opts in
• If the Smart Meter Data is to be used for marketing purposes the
supplier must obtain explicit consent of the consumer
© Logica 2012. All rights reserved
7. Smart Meters and Personal Data
Consumer Consent/Objections
Opt in their must be ‘Explicit Consent’ – this is not defined in the DPA
Draft EU Data Protection Regulation states:
• Given expressly
• A freely given and specific and informed indication of the data subjects
wishes
• Shown by a statement or by a clear affirmative action (could include a tick
box declaration on a website)
• Silence or inactivity should not indicate consent
• Government has proposed ‘Opt In’ consent should be in writing
For ‘Opt Out’
• Customer must be given clear information of what data will be collected
and given the clear opportunity to object
• Objection can be made verbally or in writing and supplier will have to
maintain records to show how they meet these requirements
© Logica 2012. All rights reserved
8. Smart Meters and Personal Data
Exceptions to Supplier Access Framework
• Supplier has reasonable suspicion that theft is being committed
• Supplier requires information for the purposes of accurate billing
(for example at change of tenancy/change of supplier/change of
tariff events)
• To enable the supplier to address customer queries
• Suppliers can access half-hourly data for use in approved trials
(provided consumer given clear opportunity to opt out)
• Suppliers can access readings at more frequent intervals for pre-
payment customers as top-ups are made, provided this has been
explained to the customer
© Logica 2012. All rights reserved
9. Smart Meters and Personal Data
Third Party Access
Third parties can access Smart Meter Personal Data if:
• Received Direct from the customer
• Consumer has given consent for access via the DCC (third party must be a
signatory of the Smart Energy Code (SEC)
Third parties must verify the identity of the individual to confirm the correct
person is giving consent to access data
• Where access given by consumer – Third party should check that the
person giving access is someone in the household i.e. someone who has
access to the meter
• Where access is given via DCC – possible that a customer identification
number will be sent to the customer by DCC which the customer forwards
to the third party. Once received the third party forwards this to the DCC to
complete the process
ICO will regulate Third Party compliance with the DPA
• May refer to SEC Panel any serious or repeated breaches of Data Protection
© Logica 2012. All rights reserved
10. Smart Meters and Personal Data
Obligations on Data Processors (Comms/Data Providers)
A29 Working Party – Opinion 12/2011
• Possible communications and data processor providers could be
data processor only, but if make decisions regarding whether
personal data can be disclosed to a third party or can be processed
for new purposes then will be acting as a data controller
European Commission Recommendation – 9.03.2012
• Should take all reasonable steps to ensure that data cannot be
traced to an individual unless processed in compliance with the
DPA principles
• As far as possible, data should be rendered anonymous in such a
way that the individual is no longer identifiable before it is
processed.
© Logica 2012. All rights reserved
11. Smart Meters and Personal Data
Key Proposals
Increased Obligations for Processors
• Complex Contractual Obligations
• Maintain Documentation
• Joint and Severable Liability with Data Controller
Data Security Requirements
• Breach Notification ‘without undue delay’
Transborder Data Flows
• Binding Corporate Rules
Consequences of Non-Compliance
© Logica 2012. All rights reserved
12. Smart Meters and Personal Data
Implications for Smart Metering
Privacy by Design and Default
• Not made accessible to an indefinite number of individuals
• Commission can impose technical standards
• Certification, seals and marks
Privacy Impact Assessments
• Consult with Data Subjects
• Consultation with the supervisory authority
© Logica 2012. All rights reserved
13. Smart Meters and Personal Data
Key Messages
“Giving consumers informed, meaningful choices about the use of their data is
vital to securing their trust”
“it’s vital people understand why access to their data is needed, and the value
they get by giving their consent”
© Logica 2012. All rights reserved
14. Smart Meters and Personal Data
Any Questions?
© Logica 2012. All rights reserved
16. Assets and Impacts (CIA)
Tariff
Ind.
Privacy
Privacy
System
Data?
Meter
Readings
Service
Service
Meter
Critical
Commands
CSP
DSP
© Logica 2012. All rights reserved
17. Threat Sources
• A number of Threat Sources Cut Bills
• With vested interest in compromising
the service Kudos
• May seek to coerce others
• Various Motivations – Some Shared
Natural Disaster Strikes Hackers Consumers Intruders
A c cide ntal v s D eliberate
Direct Motivation
CNI
Attack DSP Staff
Terrorists FIS
Spying
Anarchists
Service
users
Industrial
Fraud Espionage CSP Staff
Organised Crime
Developers
Good Story
Journalists Suppliers
Commercial Org
Coercion Factors Threat Agents
© Logica 2012. All rights reserved
18. Threat Vectors
Natural Disaster
War Dialling
Message
Interception/
tampering
Interface
Abuse
Rogue
instructions
Intrusion
© Logica 2012. All rights reserved
19. Security Principles
Clear Governance regime
Apply
Strength
Controlled
in Depth KISS = Strive for Simplicity
Environment
Proportional = Risk based & Fit for Purpose
Standards Based
Denied by High TRL Utilise
Default Security
No Single Point of
Regular KPI’s
Failure (SPOF)
Independent
Resilient Audit Patch
Least Privilege = Regularly
Need to have &
Need to know Security Architecture i.e. SABSA
Active Management Continuous Reassessment
and Improvement
© Logica 2012. All rights reserved
20. Unique?
Mission • Analogous threats
Critical High exist in other
CNI Assurance
Systems Systems sectors
• These threats are
Secure being managed
Commun- effectively
ications
Smart
Meters Smart Meters
Foundation
• Logica is a leader in
these fields
Scaled Secure
Architectures Remote
Devices
© Logica 2012. All rights reserved
21. Summary
• Its sensitive (CIA) and challenging
• Trust is fundamental
• Between parties and of consumers!
• Security is ongoing
• Security must be objective, and
• proportional to risk
• Good governance and standards are essential!
• Applying lessons learned is key
© Logica 2012. All rights reserved
22. Maintaining the dialogue...
Alex Baxendale
Security Architect
E: alex.baxendale@logica.com
Logica is a business and technology service company, employing 39,000 people. It provides business consulting,
systems integration and outsourcing to clients around the world, including many of Europe's largest businesses.
Logica creates value for clients by successfully integrating people, business and technology. It is committed to long
term collaboration, applying insight to create innovative answers to clients’ business needs.
Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG).
More information is available at www.logica.com.
© Logica 2012. All rights reserved
The company is a public company incorporated and domiciled in the UK.
The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.
24. The Role of the Data Service Provider
Conventional Smart Data
Meter Owner Processor &
Aggregator
Conventional Supplier Smart Data
Meter Retriever
Operator
Consumer
Conventional Smart
Data Retriever Metering
System
Operator
Conventional Smart Meter
Data Processor Owner
& Aggregator
© Logica 2012. All rights reserved
25. Responsibilities Across the Value Chain
Meter Comms Decision
DSO Smart Grid
Meter Services Networks Analytics /
SI MDMS Control
Manufacturers / Asset (Installation / BPM
& Provision) Apps Dev Access
Customer Premises Funding LAN/WAN Smart
(inc Comms Hosting Supplier
Equipment Asset / Data CS&B Process
Carriage MDMS
Install) Management
Other
devices Suppliers
IHD Comms
DCC User
HAN Hub
WAN Gateway
Network
Operators
Elec
Authorised
CSP DSP Third Parties
Gas
DCC
© Logica 2012. All rights reserved
26. DECC SMIP Plan (Published 23/12/11)
Smart rental for SMETS
compliant meters on CoS
Service Provider Contract
Decision
Service Provider contract
Award
Dumb rental for SMETS Go-Live of Enduring Smart
compliant meters on CoS Market Arrangements
Foundation Enduring
Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
2011 2011 2011 2012 2012 2012 2012 2013 2013 2013 2013 2014 2014 2014 2014
Today
© Logica 2012. All rights reserved
27. DCC Service Provider
Procurement timeline
Procurement Timetable
Q4 2011 Q1 2012 Q2 2012 Q3 2012 Q4 2012 Q1 2013 Q2 2013
PQQ selection
Pre-dialogue
(ITPD)
Discussions only
Outline
Solutions
(ISOS)
Likely down-select
Bidder
response &
evaluation
Detailed Solutions (ISDS)
Likely down-select
Dialogue, response & evaluation
Final Tender (ITSFT)
Select
Dialogue, response & preferred
evaluation
bidders
Award contracts
Today
© Logica 2012. All rights reserved
No. 6
28. Our Partnership for the Data Service Provider to DCC
SAP and QinetiQ
DCC Partnership Video
© Logica 2012. All rights reserved
29. Maintaining the dialogue...
Tara McGeehan
Director | UK Utilities
M: +44 7899 066 979
E: tara.mcgeehan@logica.com
Logica is a business and technology service company, employing 39,000 people. It provides business consulting,
systems integration and outsourcing to clients around the world, including many of Europe's largest businesses.
Logica creates value for clients by successfully integrating people, business and technology. It is committed to long
term collaboration, applying insight to create innovative answers to clients’ business needs.
Logica is listed on both the London Stock Exchange and Euronext (Amsterdam) (LSE: LOG; Euronext: LOG).
More information is available at www.logica.com.
© Logica 2012. All rights reserved
The company is a public company incorporated and domiciled in the UK.
The address of its registered office is 250 Brook Drive, Green Park, Reading RG2 6UA, United Kingdom.