THE IT SECURITY PROFESSIONAL
Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
With the continuing evolution of Smart Meters and the need for ever more data, companies are finding that they need to protect information that did not need to be protected before. Whether the utility provider is using data analytics to provide energy insights to its customers or using the information in new ways to provide value to a potential client, it comes down to IT Security to come up with ways to protect that data. While big data, smart meters, and other networked sensors provide a vast amount of data, the use of the cloud and “Big Data Analytics” can provide insight into the end consumer’s behavior and how they use their utility services. It is in this combination of sources, and the ability to correlate the data in a meaningful manner, that cyber criminals are finding weaknesses in how the data is protected. It is up to the utility or the support services provider to protect that data.

Protecting the Undefined

Much of the collection and correlation of this data through analysis is being done by organizations that may not have been responsible for this type of data in the past. For a large number of utilities and service providers, this is new territory that they are banking on to provide their customers with information that will benefit their business. Part of the challenge is identifying what is considered Personally Identifiable Information (PII) and what steps should be taken to protect that data. Defining the limits or the extent to which those protections should be implemented will help businesses allocate the resources needed to protect that information. Since this has not been an area of focus for any specific regulatory requirement, the implementation of current IT Security industry best practices has helped to fill this gap.

PII Defined

The following definitions and information are what is “normally” thought of as PII.
But due to the nature and type of the data that is collected from utility customers, this data provides only a small part of the overall picture of the end consumer.

Typical Datasets

Some typical datasets that are collected or used as part of the analysis process may be any of the following:
While these are not typically treated as PII, they can be used in conjunction with other publicly available data to provide targeted and detailed information about the end consumer that would not be available otherwise. This information does not identify one particular individual, but a whole category of individuals. But if the attacker knew a small piece of the information about a particular target, they would be able to collect additional information in order to create the “bigger picture” of who they are going to target.

Example??

Business Benefit v. Data Protection

When utilities collect data on end consumers, it is used to help the utility provide better services to the customer or to help with the overall effectiveness of the grid network and energy resource delivery. What these information providers are finding is that it is becoming ever more important to protect the data that they have collected and are conducting analysis against. While the end consumer is driving this demand, utilities and support service providers are finding that they have to comply with this requirement as well.

Securing the Data

When a utility obtains data points on consumers, they are usually stored in large data repositories, and this is where the data can be readily accessed. This data pool is used for analysis and can be accessed by a number of entities. This is especially true if the company employs a third-party service provider that will use the data to provide detailed information for use by the utility. This data repository is also where security controls can be implemented that help to protect the information and its integrity within the data sets that are used for analysis. Encrypting the data at rest and in transit, and only using secure and proven methods of transmission and storage, is one of the ways in which this data can be secured. Preventing or restricting access to this data can also be helpful in preventing the loss or leakage of this sensitive data.

Also, there is a growing use of the various cloud services to provide the processing and storage capacity that is needed for these large data pools of information. Adhering to an established IT Security standard may provide some guidance on how to handle this information.

Compliance & Regulation
In North America there are two main compliance certifications that are becoming important for utilities and support services providers to follow, or at least to adhere to. These are:
While these compliance standards don’t directly set specific requirements for the use and storage of the type of data that is collected by utility service providers, they do provide industry best practices for how to store and transmit sensitive data.

Protecting the Consumer

Utilities and support service providers have an obligation to protect the data that is collected and used or stored by the organization. Whether the data is stored in the cloud or used by a third party for running analysis against, it is important for the company to take the needed steps to make sure that the information does not fall into the wrong hands. Utilities and support service providers can do the following:

Summary

While companies have the ability to transform data that they get from diverse sensors, meters, and network nodes into actionable data, businesses that use this information have an obligation to keep the data safe and secure. Data that seems to be just noise in the background can be used in conjunction with other information to provide a more inclusive picture of a customer, or a potential cyber victim. The amount of electrical usage and the times at which that usage is recorded can all be put together to form a more complete profile of a potential target. While knowing this information may provide the business an advantage against a competitor, it can also pose a risk if that information is not protected.

Special Mentions

A special thanks to Robert Smith, who can be reached at his website TheDataScienceGuy, for helping to review and critique this article.
IT Security Pro
Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.
Archives
January 2023