With smart meters, it’s time to get real about data protection

The recent revelation that the smart meters widely used in Spain can be hacked will give more ammunition to opponents of the rollout of such devices in homes across Europe.

Independent researchers who tested the security of the Spanish meters were able to recover the encryption keys used to scramble the information that the meters exchange with the nation’s power distribution system.

The potential risks to both the consumer and the Spanish power network from malicious hacking attacks have since been the subject of much debate in the country.

The UK’s smart energy meter rollout uses a more advanced security design, so those meters should not be vulnerable to the same attack, but the Spanish case renews the focus on information security.

The major industry initiatives now under way, including the smart meter rollout, the move to next-day switching and the opening up of retail competition in the water industry, all pose data-security challenges for stakeholders.

In an increasingly connected world, where attacks by cyber criminals continue to grow in number and sophistication, information security, assurance and data protection have become crucial both to public acceptance of new initiatives and to their effective operation.

Concerns over data protection in countries that have already installed smart meters on a large scale have, in some cases, led to delays and to the need for retrospective changes.

Ensuring appropriate controls, policies and procedures around data collection and availability is essential and a “privacy by design” approach is increasingly being adopted in the development of major industry initiatives, including smart meter rollouts.

Such an approach aims to consider privacy issues and embed them in the overall design of a programme from the outset, rather than bolting controls on after the fact.

Given the scale of the additional data that developments such as smart metering will generate, it is vital that this information does not fall into the wrong hands and that it is appropriately protected in processing, in storage and in transit.

Data in transit, whether sent wirelessly or over fixed networks, must be encrypted so that an eavesdropper cannot identify individual consumers or read their consumption data; the Spanish case is a reminder that this depends as much on how keys are generated, stored and protected in the meter as on the strength of the cipher itself. Data protection measures such as access controls, defined retention periods and secure disposal procedures are equally important.

When these measures are chosen on the basis of an effective privacy impact assessment, they identify the risks that actually matter, reduce the cost of storing and processing data for the organisation, and support compliance with legislative and regulatory requirements.

Further considerations are data minimisation, so that the collection, use, disclosure and retention of personal information is proportionate and no more than necessary, and data anonymisation, to protect individual consumers from harm if a breach does occur. Anonymisation needs to be tested rather than assumed: fine-grained consumption readings can often be traced back to a household unless they are aggregated or coarsened.

Robust data privacy and protection also increasingly go hand in hand with information security governance, such as compliance with ISO 27001.

Because the primary objective of ISO 27001 is to establish and maintain an effective information security management system, it provides a solid foundation on which organisations and businesses can build a governance, risk and compliance framework, as well as a way to manage technical security.

The process of working towards ISO 27001 helps organisations understand and manage information risks in a business context. As well as protecting the business from loss or breach of information, it helps organisations take clear, informed and cost-effective decisions on security controls and risk mitigation.

Given that ISO 27001 is the primary security standard required of many organisations under Great Britain’s Smart Energy Code, businesses looking to benefit from the smart meter rollout need to ensure they are compliant sooner rather than later. In many circumstances that applies not only to the parties that have signed the code but also to their third-party suppliers.

A well thought out approach to information security governance and data protection will also help utility firms and their suppliers ahead of an important change looming on the horizon in the form of the European General Data Protection Regulation, which is expected to be passed in 2015.

The final details of the new regulation are not yet clear, but there is no doubt that it will represent a step change in data privacy and protection and will require businesses to be more proactive about how they capture and store data and how they prevent potential breaches. The regulation is expected to introduce a requirement to notify authorities of breaches, and that requirement is expected to extend to incidents that might currently be considered minor.

A major concern will be the penalties for compliance failures. While the level has not yet been finalised, it could mean fines of up to 5 per cent of global annual turnover, potentially a significant increase from the current £500,000 maximum in the UK.

The new regulation will also place more responsibility on the supply chain, something particularly relevant to those involved in the rollout of smart meters.

Chris MacCallum, information security consultant at Red Island, the information security practice of Gemserv