Why do we need additional protection and security for utility data streams?
- Apr 29, 2020 1:11 am GMT
- Apr 27, 2020 10:47 pm GMT
This item is part of the Cybersecurity - Special Issue - 04/2020.
The decentralization of the energy system is progressing quickly. There’s more solar, more wind, more storage, more micro-grids, and more electric mobility. This creates numerous new opportunities for established and new utility players. The cost of sensors and connectivity (data acquisition) as well as data storage, data governance, and data security is decreasing for both new and existing systems, driven down by innovative technologies like data virtualization. State-of-the-art data platform technologies can enable data interoperability that opens up significant new value pools that are highly secure and trusted. In addition, data processing, analysis, and applications are shifting to devices on the edge of the grid (e.g., for faster processing and decentralized decision-making).
But while opportunities are many, utilities are faced with a serious challenge: the security and reliability of data and devices. As more and more IoT devices like smart meters acquire mission-critical data from inside and outside of utilities, these devices need to be part of a trusted ecosystem to ensure security. Threats from compromised devices can include attackers gaining access to the device, listening to communications, injecting, modifying, or intercepting data communications, simply stealing data, or accessing the code that handles and analyzes data at the edge.
The impact of these security threats on devices is very serious, because if the source of data is untrusted, the data-driven business built on top of it loses its foundation. The consequences include loss of revenue, stolen data, abuse of services, denial of service, piracy of services, device theft or misuse, theft of intellectual property, unauthorized account access, misappropriated personal information, and more. This is why we need extra security. The good news is that there are available defense measures and technologies that can defend utilities very effectively against these security threats.
Protection mechanisms such as cryptographically secure identities and mutual authentication can protect hardware devices. Software-based approaches, such as white-box techniques, can provide the required levels of security if hardware security is not available. Incoming data can be verified and protected using digital signatures.
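As an added illustration (not code from the article or from any vendor), the Go sketch below shows a gateway checking signed meter readings against enrolled device keys before ingestion. The `Reading` and `Gateway` types, the message layout, the device name, and the choice of Ed25519 with a per-device sequence counter are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Reading is a constructed smart-meter message; field names are assumptions.
type Reading struct {
	DeviceID     string
	Seq, WattHrs uint64 // Seq increases with every message a device sends
	Sig          []byte
}

// payload is the exact byte string the device signs and the gateway verifies.
func (r Reading) payload() []byte {
	return []byte(fmt.Sprintf("%s|%d|%d", r.DeviceID, r.Seq, r.WattHrs))
}

type Gateway struct {
	keys    map[string]ed25519.PublicKey // enrolled device identities
	lastSeq map[string]uint64            // highest sequence accepted per device
}

// Accept checks identity, integrity and freshness before a reading is ingested.
func (g *Gateway) Accept(r Reading) error {
	pub, ok := g.keys[r.DeviceID]
	switch {
	case !ok:
		return fmt.Errorf("unknown device")
	case !ed25519.Verify(pub, r.payload(), r.Sig):
		return fmt.Errorf("bad signature")
	case r.Seq <= g.lastSeq[r.DeviceID]:
		return fmt.Errorf("replayed or stale sequence")
	}
	g.lastSeq[r.DeviceID] = r.Seq
	return nil
}

func enroll() (*Gateway, Reading) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed device key; nil selects crypto/rand
	r := Reading{DeviceID: "meter-001", Seq: 1, WattHrs: 5120}
	r.Sig = ed25519.Sign(priv, r.payload())
	return &Gateway{map[string]ed25519.PublicKey{"meter-001": pub}, map[string]uint64{}}, r
}

func main() {
	g, r := enroll()
	fmt.Println(g.Accept(r), g.Accept(r)) // first accepted, resend rejected
}
```

Because the signature covers the device ID, sequence number, and value together, changing any one of them after signing causes the reading to be rejected.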
Based on new technological advancements, we can do so much more with data today, preserving security, privacy, and regulatory boundaries. Some elements of the data value chain (especially storage) are largely commoditized. Utilities traditionally store their data in proprietary or third-party operated data centers. When regulation allows, more and more data is being moved into the cloud. The security requirements for these environments are well understood and defined. Some utilities also invested significant amounts to build data lakes, a concept that is under pressure now as data virtualization (cheaper, faster, safer) takes over. Driven by increasing efficiency requirements, energy system decentralization, new data-driven energy models—or a combination of all three—securely-stored utility data is increasingly becoming a key business asset.
Being able to move data securely and fluidly throughout an organization and between trusted partners inside or outside of the utility is mission-critical; moreover, securely managing this process is essential. This can be done via new technologies that virtualize data regardless of where it resides (in proprietary datacenters, different cloud environments, or a mixture of both). Virtualization also enables blending data from various sources to create completely new datasets that can be used for new applications. What needs to be added is a secure data governance layer that enables unified access control across virtualized data from distributed data sources. This data governance layer needs to provide fine-grained control at the column and row level in order to support the potentially complex data access and data usage models of downstream stakeholders. In addition, a governed execution environment (secure data service) for data and analytics applications needs to be put into place. This ensures that partners and service providers who utilize these data assets can continue to deliver value to their organizations and customers while maintaining the rights of the data assets’ owners and compliance with emerging data subject rights legislation and industry-specific regulations.
What are some practical examples where these new technologies and practices are already implemented? In onshore and offshore wind (as well as solar), artificial intelligence is on the rise and many algorithm providers promise significant improvements. The governed execution environment is the best way to test and evaluate such AI programs over data assets efficiently and securely while protecting the rights of all parties involved. The same holds true for distribution grids. Sophisticated planning tools for grids and smart cities are another example of new, data-driven technology. Here, detailed grid data needs to be provided selectively to third parties outside of the utility. In some countries (for instance, Japan), utility data is also used for disaster resilience programs, where timely access to such data by authenticated parties (central government, local municipalities) is critical for the success of first responders. Electric mobility also creates a wealth of new challenges that can be solved elegantly by combining datasets in new and unique ways, e.g., combining grid data with data from plug-in-hybrid or electric cars. All these applications require trusted and secure data interoperability features that can be provided via advanced data platforms. Data access and processing also need to be auditable to fulfill regulatory requirements and to support data monetization (billing) in case utilities start to offer third-party data services for non-regulated business areas.
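The governance layer and audit requirement described above can be sketched as follows. This is an added example, not code from the article or from any data platform: one central policy per consumer limits both rows (by region) and columns across two virtualized sources, and every query is recorded. The `Catalog` and `Policy` types, the column names, the consumer name, and the sample rows are all assumptions.

```go
package main

import "fmt"

// Row is one record from a backing source; all column names are assumptions.
type Row map[string]string

// Policy grants one consumer selected columns of the rows in one region.
type Policy struct {
	Columns []string // column-level grant
	Region  string   // row-level filter
}

// Catalog is the virtual layer: data stays in its source, policy is central.
type Catalog struct {
	Sources  [][]Row           // one slice per backing store
	Policies map[string]Policy // keyed by consumer
	Audit    []string
}

// Query returns only the permitted rows and columns and records the access.
func (c *Catalog) Query(consumer string) (out []Row) {
	p, ok := c.Policies[consumer] // no policy means default deny
	for _, rows := range c.Sources {
		for _, row := range rows {
			if ok && row["region"] == p.Region {
				view := Row{}
				for _, col := range p.Columns {
					view[col] = row[col]
				}
				out = append(out, view)
			}
		}
	}
	c.Audit = append(c.Audit, fmt.Sprintf("consumer=%s granted=%t rows=%d", consumer, ok, len(out)))
	return out
}

func demo() *Catalog {
	return &Catalog{
		Sources: [][]Row{ // constructed sample data: on-premises grid store, cloud EV store
			{{"src": "grid-dc", "region": "north", "load_kw": "410", "customer": "C-17"}},
			{{"src": "ev-cloud", "region": "north", "load_kw": "22", "customer": "C-17"},
				{"src": "ev-cloud", "region": "south", "load_kw": "11", "customer": "C-40"}},
		},
		Policies: map[string]Policy{"planner": {[]string{"src", "region", "load_kw"}, "north"}},
	}
}

func main() { fmt.Println(demo().Query("planner")) }
```

The planning partner receives blended grid and EV load for its region without the `customer` column, while a consumer with no policy receives nothing and still leaves an audit entry.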
As the energy sector continues to evolve, it’s clear that legacy approaches to security are no longer enough. Attackers are getting more sophisticated, hacking into devices and causing interruptions or damage. As we have more devices, we also need to reconsider legacy protection approaches and consider additional protection and security for utility data streams. In addition, data needs to be used more extensively as a business asset. This also requires using new technologies that increase security, governance, and trust.