An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities
Information Paper
Reference: CRU20111
Date Published: 12/10/2020
Closing Date: N/A
CRU Data Access Paper
National Smart Metering Programme
www.cru.ie
CRU Mission Statement
The CRU’s mission is to protect the public interest in Water, Energy and Energy Safety.
The CRU is guided by four strategic priorities that sit alongside the core activities we undertake to deliver on the public interest. These are:
• Deliver sustainable low-carbon solutions with well-regulated markets and networks
• Ensure compliance and accountability through best regulatory practice
• Develop effective communications to support customers and the regulatory process
• Foster and maintain a high-performance culture and organisation to achieve our vision
Further information on the CRU’s role and relevant legislation can be found on the CRU’s website at www.cru.ie
Executive Summary
This paper sets out the approach, methodology and results of the Data Protection Impact Assessment (DPIA) and Cyber Security Technical Readiness Assessment of retail electricity market participants for the National Smart Metering Programme (NSMP), which were carried out by Gemserv in March 2020 on behalf of the CRU.
Smart meters are the next generation of energy meters, replacing older analogue meters, and when fully operational will deliver benefits for consumers, the environment and the economy. The NSMP involves the nation-wide replacement of over two million gas and electricity meters over a six-year period. The smart meter upgrade will transform how consumption is measured, managed and paid for.
The High-Level Design (‘HLD’) for the NSMP was approved in 2014[1] and was revised in 2017[2] to allow for a phased roll-out over three phases. Phase 1 includes the initial installation of 250,000 meters over 2019-2020. From 2020, the rate of installation of smart meters will increase significantly, as approximately 500,000 smart meters will be installed in each of the four subsequent years, which covers Phase 2 and Phase 3. The allocation of smart meters during all three phases will be across all customers through the ESB Networks (ESBN) installation plan.
The CRU has been designated as the Competent Authority for the rollout of the NSMP under S.I. No. 426 of 2014[3], which gives effect to Directive 2012/27/EU of the European Parliament and of the Council of 25 October 2012. This provides the CRU with the necessary legal provisions to support and roll out the smart metering programme. Article 19 (b) of S.I. No. 426 of 2014 places a specific obligation on the CRU to ensure:
“the security of the smart metering systems and data communication, and the privacy of final customers, is in compliance with relevant European Union data protection and privacy legislation”.
As such, although the CRU is not involved in any processing of customers’ personal data, the CRU has overall responsibility for overseeing the delivery of the NSMP and ensuring the programme is developed and implemented in a manner that is compliant with relevant European Union data protection and privacy legislation in line with S.I. No. 426 of 2014.
[1] CER National Smart Metering Programme Smart Metering High Level Design Decision Paper, CER/14/046 of 14th October 2014
[2] Information Paper on the Update on the Smart Meter Upgrade, CER/17/279 of 21st September 2017
[3] Statutory Instrument 426 of 2014 http://www.irishstatutebook.ie/eli/2014/si
In 2013, the CRU undertook an interim Privacy Impact Assessment[4] of the NSMP which set out the data protection risks and plans to address those risks. Following this, the CRU held meetings with market participants and the Data Protection Commission (DPC) to discuss various data protection challenges, in particular the appropriate legal grounds for the processing of Interval Data. As a result of these discussions, in the Information Paper of 2015[5], the CRU set out its approach that obtaining the customer’s consent is the preferred ground on which granular data from smart meters is processed.
Since then, the General Data Protection Regulation 2016 (GDPR)[6] has entered into force in Ireland, complemented by the Data Protection Act 2018. Under Article 35 of GDPR and the DPC’s Guide to Data Protection Impact Assessments[7], a DPIA is a mandatory assessment for any high-risk processing project. A DPIA must be undertaken prior to the processing of personal data and as early as practical in the design of processing operations. A DPIA helps to identify and assess data protection risks and make informed decisions about the acceptability of those risks. The focus of a DPIA is on the potential harm to the rights and freedoms of individuals and on the data protection compliance requirements.
[4] Prior to the entry into force of GDPR in May 2018, ‘Privacy Impact Assessment’ was a commonly used term for such an assessment.
[5] National Smart Metering Programme on Data Access and Privacy Information Paper 2015
[6] Regulation (EU) 2016/679
[7] Data Protection Commission's Guide to Data Protection Impact Assessments
In March 2020, Gemserv (on behalf of the CRU) carried out a DPIA on electricity market participants in line with Phase 1 of the NSMP. The DPIA identified, analysed and assessed risks under Use Cases relevant to the project. The following nine Use Cases were identified based on the use of personal data in the business processes, regulatory requirements and underlying technologies:
• Data Protection Governance and Accountability
• Data Processing Transparency
• Data Processing Purposes and Legal Grounds
• Customer Enrolment
• Smart Meter Connection and Service Commencement
• Smart Meter Data Use
• Data Subjects' Rights
• Data Storage and Security
• Management of Data Breaches
The main stakeholders involved in the NSMP data processing operations are:
• ESBN, which provides technical facilitation of smart meter set up, configuration, energy supply and communication of market messages with energy suppliers;
• Energy suppliers that supply energy to customers by offering smart meter services;
• Service providers that will be contracted to supply a range of services to ESBN and energy suppliers.
The DPIA assessed how customers targeted for Phase 1 smart meter replacement will be identified and contacted to facilitate new and proactive customer enrolment, manage customer appointments and installation, as well as customer feedback and complaints. The personal data in question relates to meter data, contact data, photos, customer feedback and complaints.
Overall, two-thirds of suppliers, whose customer numbers equate to approximately 90% of market share, provided detailed responses. One-third of suppliers, whose customer numbers equate to approximately 10% of market share, provided responses which Gemserv considered to be inadequate. The Network Operator (ESBN) provided a detailed response with supporting evidence.
In addition to the DPIA, the CRU requires assurance that both ESBN and suppliers are upgrading their IT systems in adherence to security requirements which are in line with best practice internationally.
Taking this into account, Gemserv commenced an assessment of the approach to information/cyber security being implemented by both ESBN and suppliers. This was also carried out in March 2020. The objective of this assessment was to establish the current degree of maturity surrounding the implementation of information security practices within relevant organisations. Questions sought to establish the current approach against the requirements of the following:
1. National Information Security (NIS) Compliance Guidelines for Operators of Essential Services published by the Department of Communications, Climate Action & Environment dated January 2019; and
2. Best Available Techniques Reference Document for the cyber-security and privacy of the 10 minimum functional requirements of the Smart Metering Systems published by the European Commission.
The Cyber Security Technical Readiness Assessment did not highlight any significant concerns with the security of the smart metering infrastructure or the security approach being deployed by market participants. Gemserv noted a difference in the quality of responses to the information/cyber security questionnaires: the Network Operator’s response was considered comprehensive with supporting evidence, while some suppliers did not provide the same level of detail. Gemserv also noted that in their view the suppliers (large and small) were overly confident in their responses, as some did not provide maturity ratings, supporting evidence or direct answers to some questions.
It is important to highlight that the DPIA and Cyber Security Technical Readiness Assessment are only one element of the overall readiness assessments which are being conducted as part of the delivery of the programme. A more in-depth assessment of individual supplier readiness to complete the Version 13 software update is being examined in parallel by Gemserv on behalf of the Retail Market Design Service (RMDS)[8]. Version 13 is the next suite of market changes, which will be implemented in December 2020; this system upgrade will enable the provision of smart services such as time of use tariffs to Irish customers. The assurance process requires that market participants undertake two Self-Assessment phases. Both of these consist of completing a comprehensive participant questionnaire with supporting evidence. Phase 1 assessments are used to gauge awareness and readiness (early in the assurance process); Phase 2 assessments are completed (later in the assurance process) to assess capability for implementation. Phase 1 was completed in Q4 2019 and the assessment report was approved by the CRU in Q1 2020. The Phase 2 assessment commenced in Q2 2020; the CRU approved the report in July 2020. The next stage of the assurance process will be the Inter Participant Testing (IPT)[9] Stage. IPT for Market Participants will begin in October 2020. The CRU will consider the outcome of this exercise before giving final approval for the Version 13 update in December 2020.
Although the DPIA and the Cyber Security Technical Readiness Assessment have uncovered some challenges, the exercises raise awareness among market participants of their obligations in line with the NSMP.[10] The CRU will continue to engage with the Network Operator, suppliers, stakeholders, the National Cyber Security Centre (NCSC) and the DPC based on the results of the assessments.
The CRU will continue to consider the data protection implications of the NSMP as it evolves and moves into the next stages. Maintaining and protecting the privacy of final customers will remain a key consideration in future policy development, and assessments will continue to be based on best practice. In that context, the DPIA should be considered a living document and will be updated in future if necessary.
[8] The Retail Market Design Service (RMDS) is the “ringfenced” function within ESB Networks responsible for all aspects of the retail electricity market design on behalf of the Commission for Regulation of Utilities.
[9] IPT is an exercise to gain assurance that the New Supplier can correctly operate the key scenarios that it will meet in the Market using its declared systems, business processes and operational staff within normal, operational conditions.
The CRU has overall responsibility for overseeing the delivery of the NSMP and ensuring the programme is developed and implemented. This sets the context for this programme level assessment and does not remove or dilute the responsibility of market participants to ensure their own compliance with data protection and cyber security requirements.
The DPC is the Irish supervisory authority responsible for monitoring the application of GDPR and is the national competent authority responsible for safeguarding data protection rights. Separately, the NCSC is an operational arm of the Department of Communications, Climate Action and Environment that provides enhanced services to government agencies and critical infrastructure providers to assist them in defending against cyber-borne threats. The NCSC is also designated as the national competent authority for the EU Network and Information Security Directive (NISD)[11].
Market participants must satisfy themselves that they have met the requirements of the DPC and NCSC. In this regard, ESBN and suppliers will also conduct their own DPIAs of their approach to the technical delivery of the NSMP.
[11] EU Network and Information Security Directive
Public Impact Statement
Smart meters are the next generation of energy meters, replacing older analogue meters, and when fully operational will deliver benefits for consumers, the environment and the economy. The National Smart Metering Programme (NSMP) involves the nation-wide replacement of over two million gas and electricity meters over a six-year period. The smart meter upgrade will transform how consumption is measured, managed and paid for.
The new systems and processes will provide customers with more accurate bills and better and more accessible information about energy use. This upgrade in services will involve a step change in the amount of energy consumption data that will be available to customers, energy network companies and suppliers.
Currently, suppliers are provided with an actual meter read (usually 4 actual meter reads a year) or estimated meter reading(s) every two months and bill their customer on that basis. Suppliers and ESB Networks already hold some types of customers’ personal data, such as names, addresses and meter identification numbers, but smart metering systems will allow for the automatic transfer of electricity consumption data, ranging from providing traditional bimonthly reads to reporting half-hourly consumption every day, depending on the customer’s choice. This infrastructure will provide greater flexibility to customers in how they understand and manage their own consumption.
In addition, depending on the amount of data the consumers agree to share with their suppliers, these systems will enable other smart services like various Time of Use Tariffs or Smart Pay as You Go, offering a smart alternative to day & night meters and traditional Pay as You Go meters. Consumers will also have access to their detailed energy consumption information. This information, as well as the new services, will provide consumers with the ability to better understand and manage their energy use, which in turn could lead to them reducing their overall energy consumption and thereby saving money on bills and reducing carbon emissions.
The CRU has an oversight role to ensure that the programme is designed and developed in a way that is compliant with data privacy.
The CRU engaged Gemserv, a technical consultancy with expertise in the energy sector, to carry out a Data Protection Impact Assessment (DPIA) and a Cyber Security Technical Readiness Assessment for the NSMP. This involved assessing the readiness of market participants such as ESB Networks and electricity suppliers who will use the data collected from smart meters to operate in the market and offer services to customers. The Gemserv assessment was completed to provide assurance that the personal data collected from smart meters is being managed and processed lawfully, in a manner which both protects energy consumers and enables them to benefit from the national investment in the smart metering infrastructure upgrade. The Cyber Security Technical Readiness Assessment is being carried out to ensure that a sufficiently high level of protection is being applied to minimise the risk of a cyber-attack or unauthorised access to personal data via the smart meter. This is being assessed to ensure that market participants are upgrading their IT systems in line with European security requirements and international best practice to minimise this risk.
This paper outlines the approach, methodology and results of these assessments. A DPIA is a living document and can be updated. The CRU will consider repeating the exercise at the next stages of the NSMP to ensure appropriate levels of security and protection are implemented to maintain the privacy of final customers.
This programme level assessment does not remove or dilute the responsibility of market participants to ensure their own compliance with data protection and cyber security requirements. It is important to highlight that the DPIA and Cyber Security Technical Readiness Assessment are only one element of the overall readiness assessments which are being conducted as part of the delivery of the programme. A more in-depth assessment of individual supplier readiness to complete the Version 13 software update to enable smart services is being examined in parallel by Gemserv on behalf of the Retail Market Design Service (RMDS)[12]. Version 13 is a retail market release (system updates) which will enable the provision of Smart Services such as Time of Use Tariffs in January 2021. The CRU will consider the outcome of this exercise before giving final approval for the Version 13 update in December 2020.
[12] The Retail Market Design Service (RMDS) is the “ringfenced” function within ESB Networks responsible for all aspects of the retail electricity market design on behalf of the Commission for Regulation of Utilities.
Table of Contents
1 Introduction .................................................................................................................... 16
1.1 Purpose of this paper .............................................................................................. 16
1.2 Structure of this paper ............................................................................................ 18
2 Data Protection .............................................................................................................. 19
2.1 Background ............................................................................................................. 19
2.2 Data Protection Legal Context ................................................................................ 21
2.3 Data Protection Impact Assessment ...................................................................... 23
2.4 Approach Taken ...................................................................................................... 26
2.5 Overview of Market Participants’ Responses .......................................... 31
3 Cyber Security ................................................................................................................ 40
3.1 Background ............................................................................................................. 40
3.1.1 NIS Compliance Guidelines for Operators of Essential Services ......................... 40
3.1.2 Best available information ................................................................................... 41
3.2 Assessment Approach ............................................................................................ 42
3.3 Programme Overview .............................................................................................. 42
3.4 Cyber Security Technical Readiness ..................................................................... 43
3.4.1 Risk summary and Recommendations ................................................................ 44
4 Next Steps ...................................................................................................................... 50
A Appendix: Data Protection Requirements ................................................................... 51
B Appendix CRU Decisions .............................................................................................. 53
C Appendix Cyber Security Assessment Approach ....................................................... 54
D Appendix Cyber Security Maturity Levels Summary .................................................. 67
E Appendix International Practice ................................................................................... 78
Glossary of Terms and Abbreviations
Abbreviation or Term: Definition or Meaning
Actor: means a logical component of the Smart Metering system on which personal data can reside.
Control: means any measure or action that modifies Risk (e.g. any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages Risk).
Data Controller: means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processing, Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processor: means a natural or legal person, public authority, agency or other body which, alone or jointly with others, processes personal data on behalf of the data controller.
Data Protection Act, DPA: means the national regulation adopted in the Republic of Ireland in 2018 to complement General Data Protection Regulation requirements.
Data Protection by Default: means that service settings must be automatically data protection friendly.
Data Protection by Design: means embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.
Data Protection Commission, DPC: an independent public authority established in the Republic of Ireland and responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing.
Data Protection Officer, DPO: means a person with expert knowledge of Data Protection law and practices who advises the Data Controller or Data Processor on compliance with the GDPR and monitors internal compliance of the organisation.
Distribution System: means the transport of electricity on high-voltage, medium-voltage and low-voltage distribution systems with a view to its delivery to customers, but does not include supply.
Distribution System Operator, DSO: means a natural or legal person responsible for operating, ensuring the maintenance of and, if necessary, developing the distribution system in a given area and, where applicable, its interconnections with other systems, and for ensuring the long-term ability of the system to meet reasonable demands for the distribution of electricity.
General Data Protection Regulation, GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
Level of Identification: means an estimation of how easy it is to identify data subjects with the available data processed by the business process.
Likelihood: means an estimation of the possibility for a risk to occur. It essentially depends on the level of exploitable vulnerabilities and on the level of capability of the risk sources to exploit them.
Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Prejudicial Effect: means an estimation of how much damage would be caused by all the potential impacts of a Threat, with reference to the GDPR Requirements applied to each Primary Asset associated with the Threat.
Primary Asset: means a set of one or more pieces of personal data allocated on a specific Actor, i.e. on a logical component of the Smart Metering project.
Risk: means a hypothetical scenario that describes the Likelihood that a potential Threat affecting personal data directly or indirectly will occur, and the Severity of the impact that such a Threat, if realised, would have on the rights and freedoms of natural persons.
Risk Assessment: means a process consisting of three steps/levels: (i) risk identification, (ii) risk analysis, and (iii) risk evaluation.
Risk Source: means a potential originator of Risks.
Risk Source Capability: means an estimation of the capacity of Risk Sources to exploit vulnerabilities of Supporting Assets, taking into account all factors that contribute to such capacity (skills, available time, financial resources, proximity to the system, motivation, feeling of impunity, etc.).
Risk Treatment: means a Risk modification process that involves selecting and implementing one or more treatment options. Once a Risk Treatment has been implemented, it becomes a Control, or it modifies existing Controls.
Scenario: means a possible sequence of interactions within a Use Case, i.e. one of the possible routes in the description of a sequence of steps that compose a Use Case. A Scenario is described as a sequence of activity steps, each of them involving an activity performed by an Actor or other component, or an interaction between components.
Severity: means an estimation of the magnitude of potential impacts on the individuals’ privacy and data protection. It essentially depends on the Level of Identification of the Personal Data and the Prejudicial Effect of the potential impacts.
Smart Services: includes Time of Use tariffs and smart Pay-As-You-Go.
Smart Metering System means an electronic system that can measure energy consumption, adding more information than a conventional meter, and can transmit and receive data using a form of electronic communication.
Supporting Asset means a physical component upon which an Actor (a logical component where qualified sets of Personal Data reside) is reliant.
Threat means an event or incident which could cause damage to personal data or to the data subject.
Use Case means a specification of a set of actions performed by a system, which yields an observable result that is, typically, of value for one or more Actors or other components of the system. A Use Case description includes the primary Scenario of a Use Case that allows the Use Case goal to be achieved, and one or more alternative Scenarios covering different routes that may or may not lead to achieving the goal.
Version 13 is a retail market release package (system updates) to enable the provision of Smart Services.
Vulnerability means a weakness that can be exploited by one or more Threats.
1 Introduction
1.1 Purpose of this paper
This paper outlines the approach, methodology and results of the Data Protection
Impact Assessment and Cyber Security Technical Readiness Assessment of Retail
Electricity Market Participants for the National Smart Metering Programme (NSMP)
carried out by Gemserv in March 2020.
Any large-scale, transformative project will involve elements of testing the readiness of the participants involved. These are prudent exercises to conduct for the Smart Meter Upgrade in order to:
1. Ensure the meters, communications solution, the Meter Data Management System and Head-End are operating securely in order to make data available to the market;
2. Ensure that electricity suppliers are ready to be able to absorb data from ESBN; and
3. Ensure that suppliers are ready to make smart services available to electricity customers.
The Smart Meter Upgrade project requires technical upgrades to the back-office
systems of both ESBN and suppliers to absorb and process smart meter data. The
secure installation of smart meters and the upgrade to backend IT systems is
significant in order to transmit and process an increased volume of data from the
smart meters. Moreover, suppliers will be required to implement changes to billing
systems in order to offer new products and services such as time-of-use tariffs to
customers. The necessary changes to billing systems to enable this are likely to be
technically complex.
In October 2019, in line with best practice, the CRU engaged Gemserv (technical consultants) to carry out a programme level technical readiness assurance assessment on all electricity market participants in line with Phase 1 (2019 – 2020) of the programme. The scope of this work consisted of Gemserv carrying out a DPIA and a Cyber Security Technical Readiness assessment. The purpose of this work was to inform the CRU of market participants’ readiness to deliver Phase 1 in compliance with data protection requirements.
It should be noted that the Data Protection Commission (DPC) is the national
competent authority responsible for safeguarding data protection rights. Accordingly,
the DPC is the Irish supervisory authority responsible for monitoring the application of
GDPR. Separately, the National Cyber Security Centre (NCSC) is an operational arm
of the Department of Communications, Climate Action and Environment that provides
enhanced services to government agencies and critical infrastructure providers to
assist them in defending against cyber-borne threats. The NCSC is also designated as
the national competent authority for the EU Network and Information Security Directive
(NISD)13. The programme level assessment does not remove or dilute the
responsibility of market participants to ensure their own compliance with Data
Protection and Cyber Security requirements. In this regard, market participants must
be capable of satisfying the requirements of the DPC and the NCSC. As such, ESBN
and suppliers will also conduct their own DPIAs of their approach to the technical
delivery of the NSMP.
The DPIA and Cyber Security Technical Readiness assessment are only one
element of the overall readiness assessments which are being conducted as part of
the delivery of the programme. A more in-depth assessment of individual supplier
readiness to complete the Version 13 software update is being examined in parallel
by Gemserv on behalf of the Retail Market Design Service (RMDS)14. Version 13 is the next suite of market changes, to be implemented in December 2020; this system upgrade will enable the provision of smart services such as time of use tariffs to Irish customers. The assurance process requires Market Participants to undertake two Self-Assessment phases. Both consist of completing a comprehensive participant questionnaire with supporting evidence. Phase 1 assessments are used to gauge awareness and readiness (early in the assurance process); Phase 2 assessments are completed later in the assurance process, to assess capability for implementation. Phase 1 was completed in Q4 2019 and the assessment report was approved by CRU in Q1 2020. Phase 2 assessment commenced in Q2 2020; the CRU approved the report in July 2020. The next stage of the assurance process will be the Inter Participant Testing (IPT)15 Stage. IPT for Market Participants will begin in October 2020. The CRU will consider the outcome of this exercise before giving final approval for the Version 13 update in December 2020.
13 EU Network and Information Security Directive
14 The Retail Market Design Service (RMDS) is the “ringfenced” function within ESB Networks responsible for all aspects of the retail electricity market design on behalf of the Commission for Regulation of Utilities
1.2 Structure of this paper
Section 2 provides a background on data protection, an overview of the DPIA
methodology used and the key risks and recommendations identified;
Section 3 provides an overview of the approach taken to the Cyber Security
Assessment and outlines the key risks and recommendations identified;
Section 4 outlines next steps.
15 IPT is an exercise to gain assurance that the New Supplier can correctly operate the key scenarios that it will meet in the Market using its declared systems, business processes and operational staff within normal, operational conditions.
2 Data Protection
2.1 Background
Since 2012, the CRU has been working closely with market participants and has
engaged with the Data Protection Commission (‘DPC’) to design the technical and
organisational implementation of the NSMP and to address data protection and
security concerns.
In the Decision on the National Rollout of Electricity and Gas Smart Metering16, the
CRU outlined that detailed consumption data is personal data belonging to
customers. This triggered the necessity to ensure that data controllers obtaining
detailed information on consumption data (‘Interval Data’) would process it in
accordance with data protection principles and the applicable legislation.
In 2013, the CRU established a Data Protection group and undertook an interim
Privacy Impact Assessment17 which set out the data protection risks and plans to
address those risks. Following this, the CRU held numerous meetings with market
participants and the DPC to discuss various data protection challenges, in particular
the appropriate legal grounds for the processing of Interval Data. As a result of these
discussions, in the Information Paper of 2015, the CRU set out the risks of the
Privacy Impact Assessment and the CRU’s response. The 2015 paper also set out
the CRU’s approach at the time, that obtaining the customers’ consent is the
preferred grounds on which granular data from smart meters is processed18.
The CRU also adopted the following guiding principles for privacy and data
protection:
• There should be a persistent and enduring right for customers to change their
minds in terms of Interval Data readings by energy suppliers;
• The choices available to customers need to be transparent, simple and straightforward;
• Text or conditions in customer contracts need to be clear and transparent about who data is to be shared with.
16 Decision on the National Rollout of Electricity and Gas Smart Metering 2012
17 Prior to the entry into force of GDPR in May 2018 a ‘Privacy Impact Assessment’ was a commonly used term for such an assessment.
18 This sentence was updated on 12 October 2020.
Moreover, the CRU committed to ensuring the following for the NSMP:
• Data protection by design and default is embedded into the programme;
• Data minimisation principles are respected;
• Customers are made aware of available choices (in terms of the granularity of
data collection) that will be available, what benefits these choices will offer,
and how these choices can be made (and changed);
• Customers will be able to obtain their personal data in a commonly used and
structured format;
• Customers will have the right not to be subject to a measure based on
profiling where it legally or significantly affects them.
In line with the aforementioned approach, the CRU and market participants agreed
on the NSMP High Level Design (‘HLD’) which supports the flow of Interval Data at
half hourly granularity each day, whereby the smart meters capture and return
Interval Data to ESBN via an Automated Meter Infrastructure (‘AMI’); then ESBN
forward the data to the energy suppliers on a daily basis; and finally, suppliers
process the Interval Data for customer services, such as Time of Use (‘ToU’)
billing19, Pay as You Go (‘PAYG’) balance calculation, historical consumption and
cost purposes. Additionally, the CRU approved that instead of a central AMI
approach, suppliers will use their own infrastructure and will be in charge of providing
ToU band and tariff rate information, historical consumption and cost data, as well as
PAYG balance to customers. The HLD also set out requirements for ToU tariffs,
presentation of customer's energy usage information, and facilitation and provision of
PAYG services.
19 ToU billing will offer consumers the ability to use electricity at cheaper times.
In 2017 the delivery plan on HLD was revised to reduce the technical complexity
associated with delivering all of the functionality of the HLD at the same time by
delivering the necessary IT upgrades and market changes required to cater for smart
metering over 3 phases:
Phase 1 (2019 – 2020) consists of the following milestones:
• Procurement of AMI, communications and deployment services;
• Delivery and facilitation of 250,000 smart electricity meters;
• Completion of system, business and market changes to allow 30-minute
Interval Data to flow to suppliers via the Market Systems following the Market
Schema Release;
• Offering of smart services such as time-of-use tariffs, smart bills, access to
historical consumption information, etc.
Phase 2 (2021 – 2022) foresees delivering the following:
• Delivery and facilitation of additional 1 million smart meters;
• Provision of smart prepayment (PAYG) services to customers, including
remote disconnection and reconnection of supply.
Phase 3 (2023 – 2024) will deliver:
• Roll out of additional 1 million smart meters;
• Facilitation of customer access to the real-time data via the Home Area
Network (HAN);
• Availability of gas smart services made available by facilitating the pairing of
the electricity meter with the gas meter.
2.2 Data Protection Legal Context
The CRU has been designated as the Competent Authority for the rollout of the
NSMP. S.I. No. 426 of 2014 which gives effect to Directive 2012/27/EU of the
European Parliament and of the Council of 25 October 2012, provides the CRU with
the necessary legal provisions to support and rollout the smart metering programme.
One of the provisions sets out an obligation on the CRU to ensure that:
19. (b) the security of the smart metering systems and data communication, and the
privacy of final customers, is in compliance with relevant European Union data
protection and privacy legislation.
Under Article 35 of the General Data Protection Regulation (GDPR), implemented in
Ireland by the Data Protection Act 201820, and as stated in the Data Protection
Commission’s Guide to Data Protection Impact Assessments, DPIAs are mandatory
for any high-risk processing project. A DPIA must be undertaken prior to the
processing of personal data and as early as practical in the design of processing
operations. Although the CRU is not involved in any processing of customers’
personal data, the CRU has overall responsibility for overseeing the delivery of the
NSMP and ensuring the programme is developed and implemented in a manner that
is compliant with relevant European Union data protection and privacy legislation21.
ESB Networks is required to collect, process and validate metering data in its role as
a licenced Distribution System Operator22. Energy suppliers require this metering
data to bill customers and to meet their contractual obligations. Energy suppliers are
additionally obliged to comply with the Codes of Practice set out under the CRU
Supplier Handbook23.
In addition, the European Union (EU) published a comprehensive update of its
energy policy framework; the Clean Energy for All Europeans Package (CEP). The
CEP contains eight legislative acts, aimed at enabling the EU to transition to cleaner
energy and facilitating a 40% reduction in greenhouse gas emission levels by 2030
compared to 1990. The eight legislative acts within the CEP cover a range of actors
and stakeholders in the energy sector including Member States, regulatory agencies,
network operators and market participants. It is recognised that smart meters will be
a key enabler in allowing customers to avail of the measures in the CEP.
20 Regulation (EU) 2016/679
21 Statutory Instrument 426 of 2014 http://www.irishstatutebook.ie/eli/2014/si
22 Refer to Condition 9 Provision of Metering and Data Services ESB Networks DSO Licence
23 CRU Supplier Handbook 2019
Smart Meters are capable of measuring a customer’s electricity import and export
and can provide customers with accurate information about their energy usage
throughout the day. This will enable customers to be more aware of their energy
consumption, make informed decisions about energy saving practices and avail of
new products and services which facilitate shifting energy consumption to times of
the day when electricity is cheaper.
The CRU has recently published a Call for Evidence on Active Consumers & Jointly
Acting Active Consumers under the Clean Energy Package and a Call for Evidence
on Energy Communities under the Clean Energy Package. These papers aim to
establish a regulatory framework to enable customers to be more active in the
energy market.
2.3 Data Protection Impact Assessment
A DPIA helps to identify and assess data protection risks and to make informed
decisions about the acceptability of those risks. The focus of a DPIA is on the
potential harm to the rights and freedoms of individuals and the data protection
compliance requirements.
The DPIA identified, analysed and assessed risks under Use Cases relevant to the
project. The following nine Use Cases were identified based on the use of personal
data in the business processes, regulatory requirements and underlying
technologies:
• Data Protection Governance and Accountability
• Data Processing Transparency
• Data Processing Purposes and Legal Grounds
• Customer Enrolment
• Smart Meter Connection and Service Commencement
• Smart Meter Data Use
• Data Subjects' Rights
• Data Storage and Security
• Management of Data Breaches
The main stakeholders involved in the NSMP data processing operations are:
• ESBN, which provides technical facilitation of smart meter set up, configuration,
energy supply and communication of market messages with energy suppliers;
• Energy suppliers that supply energy to customers by offering smart meter
services;
• Service providers that will be contracted to supply a range of services to
ESBN and energy suppliers.
The NSMP envisages the following data processing framework:
1. The project will start with the installation of smart meters at customer
premises. ESBN together with contractors will undertake these activities
which will trigger the processing of customer contact details and smart meter
data. Energy suppliers will be involved in referring customers willing to have
smart meters to ESBN and will receive the follow up information required for
the activation of smart meter services.
2. The project will introduce the processing of Interval Data. This processing will
be undertaken by means of market messages from ESBN to energy suppliers
or vice versa depending on the business operation. Market messages will
include the following identifiers: MPRN, Meter ID, Meter Category, Serial
Number, Meter Register Sequence, Timeslot, Register Type, Read Type,
Read Date, Read Reason, Metering Interval, Reading Value, Interval Period
Timestamp, Interval Status, DUoS Billing Frequency Code, DUoS Billing
Cycle.
The processing of Interval Data will function in the following order:
• Smart meters, installed at customer premises, will capture Interval Data at half
hourly granularity each day.
• Smart meters will communicate this data to ESBN via an Automated Meter
Infrastructure (‘AMI’).
• ESBN will forward the Interval Data to energy suppliers on a daily basis, if
customers opt-in24 for such service. Otherwise the register reads will be
provided on a bi-monthly basis.
• Suppliers will be able to use this data to process it for customer services, such
as Time of Use (‘ToU’) billing, Pay as You Go (‘PAYG’) balance calculation,
historical consumption, cost and other purposes by using their own
infrastructure.
• ESBN will only facilitate supplier access to interval data where a customer has
subscribed to the relevant Time-of-Use tariff. Information stored on the smart
meter can only be accessed if the correct encryption keys are possessed by
the party seeking to access it. Further information on the protections and
approach ESBN will implement is provided in its DPIA which is available here.
The DPIA assessed how customers targeted for Phase 1 smart meter replacement
will be identified and contacted to facilitate new and proactive customer enrolment,
manage customer appointments and installation, as well as customer feedback and
complaints. The personal data in question relates to meter data, contact data,
photos, customer feedback and complaints. The DPIA also assessed market
participants’ readiness for all the steps above, taking into account the practices
already in place in the other EU-27 countries and the UK. In developing its approach
to data protection and the smart metering solution design, the CRU has continued to
monitor developments in other countries in smart metering in particular in European
Member States. Further details are provided in Appendix E.
24 Prior to the introduction of the GDPR in 2018 the NSMP envisaged an ‘opt-out’ approach for interval data. The programme has since adopted an ‘opt-in’ approach for interval data and this is reflected in the policy framework.
2.4 Approach Taken
The DPIA was structured using the Smart Grid Task Force DPIA Template25, along with the DPIA requirements stemming from the DPC26 and European Data Protection Board27 (‘EDPB’) guidance on DPIAs.
The flowchart below presents the overview of the DPIA workflow applied for this project.
Stage 1: Initiation
  1.1 Scope Definition
  1.2 Pre-assessment
  1.3 Engagement with Stakeholders
Stage 2: Analysis of Use Cases
  2.1 Characterisation of Use Cases
  2.2 Characterisation of Primary Assets
Stage 3: Assessment of Risks
  3.1 Assessment of Threats and Risks
  3.2 Assessment of Severity
  3.3 Assessment of Likelihood
  3.4 Assessment of Final Risk Level
Stage 4: Management of Risks and Final Resolution
  4.1 Characterisation of Risk Treatment Requirements
  4.2 Characterisation of Suggested Controls
  4.3 Final Resolution
At Stage 1: Initiation, the scope of the DPIA is determined and the project attributes relevant for data protection and security are identified. The market participants and their dedicated teams who were expected to provide relevant information in response to the Data Protection Readiness Assessment Questionnaire and Information Security Assessment Questionnaire were identified. The Market Participants’ responses to these questionnaires were assessed for the purpose of composing the DPIA.
25 Smart Grid Task Force Expert Group 2 Data Protection Impact Assessment Template for Smart Grid and Smart Metering systems v. 2 of 13th September 2018 https://ec.europa.eu/energy/sites/ener/files/documents/dpia_for_publication_2018.pdf
26 Data Protection Commission Guide to Data Protection Impact Assessments (DPIAs), October 2019
27 European Data Protection Board Guidelines WP 248 rev.01 “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679”, 4 October 2017
A pre-assessment check to evidence a mandatory requirement for conducting a
DPIA was performed, in accordance with the documentation referenced above. From
this assessment, it was established that the project raises high risks to the rights and
freedoms of customers and requires a DPIA. More specifically, the NSMP involves:
• the use of new technologies which are likely to result in high risks to the rights
and freedoms of customers;
• automated decision making, including profiling (to the extent relevant to
energy suppliers intending to use such technologies);
• profiling of vulnerable individuals to target marketing at them (to the extent
relevant to suppliers intending to use such technologies);
• use of profiling or algorithmic means as an element to determine access to
services or that results in legal or similar significant effects (to the extent
relevant to suppliers intending to use such technologies);
• a systematic monitoring of customer behaviour;
• combining, linking or cross-referencing separate datasets where such linking
significantly contributes to or is used for profiling or behavioural analysis of
customers (to the extent relevant to suppliers intending to use such
technologies);
• processing at a large scale;
• processing of sensitive category or highly sensitive data, including detailed
household consumption data; and
• processing that prevents customers from using a service or a contract.
At Stage 2: Analysis of Use Cases, nine Use Cases representing the use of personal information, or the organisational and technical requirements for such use, in business operations relevant to the NSMP were identified. The classification of Use Cases relies on the methodology provided in the Smart Grid Coordination Group First Set of Standards28.
At Stage 3: Assessment of Risks, Threats affecting qualified sets of personal data and data processing were identified, considering the latest available threat landscape information from the European Union Agency for Cyber Security (ENISA), in particular the ENISA Threat Taxonomy29. The Threats were presented together with their risk sources, altogether indicating the risks for each Use Case and its data assets. The risk levels were assigned by weighting the severity of the impact the threat category would have on the rights and freedoms of individuals together with the likelihood of these threats becoming real. Depending on the risk level, risk priorities were calculated and assigned following the scale below:
1. Risks with a maximum/significant Severity and Likelihood: these risks must be absolutely avoided or reduced by implementing controls that reduce both their Severity and their Likelihood. Ideally, care should even be taken to ensure that they are treated by independent controls of prevention (actions taken prior to a damaging event), protection (actions taken during a damaging event) and recovery (actions taken after a damaging event).
2. Risks with a maximum/significant/moderate Severity but a negligible/limited/moderate Likelihood: these risks must be avoided or reduced by implementing controls that reduce both their Severity and their Likelihood. Emphasis must be placed on preventive controls. These risks can be taken, but only if it is shown that it is not possible to reduce their Severity and if their Likelihood is negligible.
3. Risks with a negligible/limited Severity but a maximum/significant/moderate Likelihood, and risks with a negligible/limited/moderate Severity but a maximum/significant Likelihood: these risks must be reduced by implementing controls that reduce their Likelihood. Emphasis must be placed on recovery controls. These risks can be taken, but only if it is shown that it is not possible to reduce their Likelihood and if their Severity is negligible.
4. Risks with a negligible/limited Severity and Likelihood: it should be possible to take these risks, especially since the treatment of other risks should also lead to their treatment.
28 CEN-CENELEC-ETSI Smart Grid Coordination Group First Set of Standards, November 2012
29 https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view
Which can be translated as the heat map hereafter (rows: Severity; columns: Likelihood; cell value: risk priority, 1 being the highest):

Severity \ Likelihood   1 - Negligible   2 - Limited   3 - Moderate   4 - Significant   5 - Maximum
5 - Maximum                   2               2             2               1                1
4 - Significant               2               2             2               1                1
3 - Moderate                  2               2             2               3                3
2 - Limited                   4               4             3               3                3
1 - Negligible                4               4             3               3                3
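The four priority rules and the heat map above, as an added Python illustration (not code from the CRU paper or from Gemserv): it encodes the rules as range checks on the 1 to 5 Severity and Likelihood scales, derives the matrix from the rules and checks it against the heat map as printed, and attaches the treatment emphasis the text gives each priority. The sample risk scores and their IDs are constructed for illustration, since the paper does not publish per-risk Severity or Likelihood values.

```python
"""Risk priority scale from the NSMP DPIA methodology (Stage 3 and Stage 4).

Added illustration, not code from the CRU paper or from Gemserv. Severity and
Likelihood both use the paper's 1..5 scale (1 Negligible, 2 Limited,
3 Moderate, 4 Significant, 5 Maximum); priority 1 is the most urgent.
"""

SCALE = {1: "Negligible", 2: "Limited", 3: "Moderate", 4: "Significant", 5: "Maximum"}

# Heat map as printed in the paper: key is Severity, tuple index is Likelihood 1..5.
PUBLISHED_HEAT_MAP = {
    5: (2, 2, 2, 1, 1),
    4: (2, 2, 2, 1, 1),
    3: (2, 2, 2, 3, 3),
    2: (4, 4, 3, 3, 3),
    1: (4, 4, 3, 3, 3),
}

# Treatment emphasis the text attaches to each priority.
EMPHASIS = {
    1: "avoid or reduce Severity and Likelihood; independent prevention, "
       "protection and recovery controls",
    2: "avoid or reduce Severity and Likelihood; emphasis on preventive controls",
    3: "reduce Likelihood; emphasis on recovery controls",
    4: "may be taken; expected to be treated alongside other risks",
}


def priority(severity: int, likelihood: int) -> int:
    """Apply the four rules of the scale in the order the paper states them."""
    if severity not in SCALE or likelihood not in SCALE:
        raise ValueError("Severity and Likelihood must be integers on the 1..5 scale")
    # Rule 1: maximum/significant Severity and maximum/significant Likelihood.
    if severity >= 4 and likelihood >= 4:
        return 1
    # Rule 2: maximum/significant/moderate Severity, negligible/limited/moderate Likelihood.
    if severity >= 3 and likelihood <= 3:
        return 2
    # Rule 3: negligible/limited Severity with moderate-or-higher Likelihood, or
    # negligible/limited/moderate Severity with significant/maximum Likelihood.
    if (severity <= 2 and likelihood >= 3) or (severity <= 3 and likelihood >= 4):
        return 3
    # Rule 4: everything left is negligible/limited Severity and Likelihood.
    assert severity <= 2 and likelihood <= 2
    return 4


def derived_heat_map() -> dict:
    """Build the Severity x Likelihood matrix purely from the rules."""
    return {s: tuple(priority(s, l) for l in range(1, 6)) for s in range(5, 0, -1)}


def heat_map_matches_rules() -> bool:
    """Consistency check between the narrative rules and the printed heat map."""
    return derived_heat_map() == PUBLISHED_HEAT_MAP


def assess(risk_id: str, severity: int, likelihood: int) -> dict:
    """Score one risk and attach the treatment emphasis for its priority."""
    p = priority(severity, likelihood)
    return {
        "id": risk_id,
        "severity": SCALE[severity],
        "likelihood": SCALE[likelihood],
        "priority": p,
        "emphasis": EMPHASIS[p],
    }


def triage(risks: list) -> list:
    """Return assessments ordered most urgent first (priority 1 before 4)."""
    scored = [assess(*r) for r in risks]
    return sorted(scored, key=lambda a: a["priority"])


# Constructed sample scores (the paper does not publish per-risk Severity or
# Likelihood); the IDs are placeholders, not identifiers from the DPIA.
SAMPLE_RISKS = [
    ("RSK-EXAMPLE-A", 4, 2),  # significant impact, limited likelihood -> priority 2
    ("RSK-EXAMPLE-B", 2, 5),  # limited impact, maximum likelihood -> priority 3
    ("RSK-EXAMPLE-C", 5, 4),  # maximum impact, significant likelihood -> priority 1
    ("RSK-EXAMPLE-D", 1, 2),  # negligible impact, limited likelihood -> priority 4
]

if __name__ == "__main__":
    print("heat map agrees with rules:", heat_map_matches_rules())
    print("Severity / Likelihood 1..5")
    for s, row in derived_heat_map().items():
        print(f"  {s} - {SCALE[s]:<12}", "  ".join(str(p) for p in row))
    for a in triage(SAMPLE_RISKS):
        print(f"{a['id']}: priority {a['priority']} "
              f"({a['severity']} / {a['likelihood']}) - {a['emphasis']}")
```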
At Stage 4: Management of Risks and Final Resolution, suggested controls are
identified in order to inform solutions to address the risks. The final part of the DPIA
consists of recording the ‘risk treatment’ and its justification. The risk treatment may
be one of the following:
• Risk Mitigation: The risk has been mitigated by identifying and introducing additional appropriate controls, thereby reducing the risk to acceptable levels;
• Risk Managed (accepted): The risk is accepted as it is, without any further action;
• Risk Transferred (shared): The risk is shared with a third party, including a market participant, which can manage the risk more effectively and thereby reduce the risk to acceptable levels;
• Risk Avoidance: It is decided not to proceed with the project.
2.5 Overview of Market Participants’ Responses
The Data Protection Readiness Assessment Questionnaire was provided to market
participants on the 10 December 2019. Organisations were requested to complete
and return the Data Protection Questionnaire with supporting evidence by the 17
January 2020. Some of the answers to the Information Security Assessment
Questionnaire were also used to complete the DPIA. Gemserv carried out the
technical assessment in March 2020.
Overall, two-thirds of suppliers, whose customer numbers equate to approximately
90% of market share, provided detailed responses. One-third of suppliers, whose
customer numbers equate to approximately 10% of market share, provided
responses which Gemserv considered to be inadequate. The Network Operator
(ESBN) provided a detailed response with supporting evidence. The Gemserv
assessment was carried out by analysing the responses received.
A Data Protection Impact Assessment is a living document and can be updated. The
CRU will consider repeating the exercise at the next stage of the NSMP. A summary
of the key risks identified by analysing responses to the questionnaires is detailed
below:
ID: CRU-001-RSK-DP-013
Risk Description: Smart Meter installation is undertaken
Priority: 2
Recommendations: Ensuring that clear instructions are defined and followed by installers with respect to them contacting customers, approaching them onsite and taking photos for auditing and validation.
CRU Response: Risk Transferred: Networks must ensure clear instructions are provided to installers.

ID: CRU-001-RSK-DP-014
Risk Description: Customer feedback and complaints
Priority: 2
Recommendations: Ensuring that contact with customers with respect to their feedback and surveys is carried out in line with their expectations; making sure that customers are informed about the transfer of their complaints/requests to ESBN for resolution.
CRU Response: Risk Transferred: Networks and Suppliers must manage complaints/requests through their existing customer complaint procedures which are approved by the CRU.

ID: CRU-001-RSK-DP-016
Risk Description: Integration with the AMI and Smart Meter reconfiguration
Priority: 2
Recommendations: Prior to the NSMP roll out, defining legal grounds for this processing operation and taking appropriate measures to establish them as per GDPR or DPA requirements, and informing customers about the Interval Data collection and processing.
CRU Response: Risk Transferred: Networks and Suppliers must collect and process data as per GDPR/DPA requirements. Suppliers will be required to capture the customer’s agreement30 to process their Interval Data. The CRU will consider a national campaign to inform customers of smart meters and the services available.

30 The Suppliers’ obligation to capture their customers’ agreement is separate to any obligation the Supplier may have arising from the GDPR or the Data Protection Acts 1988 to 2018. Suppliers must satisfy themselves that they have a legal basis for processing customers’ personal data under Article 6(1) of the GDPR. A previous version of this document referred to the Suppliers’ requirement to capture customers’ ‘consent’ to process Interval Data. That amendment and this footnote have been added to clarify the intended meaning of this requirement.

ID: CRU-001-RSK-DP-017
Risk Description: Smart meter technical communication feasibility assessment
Priority: 2
Recommendations: Ensuring that legal grounds for this processing operation, as well as the data exchange with energy suppliers, are defined and established as per GDPR or DPA requirements.
CRU Response: Risk Transferred: Networks and Suppliers must collect and process data as per GDPR/DPA requirements.

ID: CRU-001-RSK-DP-018
Risk Description: Service tariff offerings and customer choice of Smart Meter Services
Priority: 1
Recommendations: Ensuring that legal grounds for customer services contract enrolment or update are defined and established as per GDPR or DPA requirements. Ensuring that customers are provided with clear and comprehensive information about the types of available services and what impact on the protection of their private life the choice of services will have due to the processing of Interval Data.
CRU Response: Risk Transferred: Suppliers will be required to capture the customer’s agreement31 to process their Interval Data. Suppliers must ensure that legal grounds for customer services contract enrolment are defined and established as per GDPR or DPA requirements. The CRU will consider a national campaign to inform customers of smart meters and the services available.

31 IBID

ID: CRU-001-RSK-DP-019
Risk Description: Interval Data reads and transmission to energy suppliers
Priority: 1
Recommendations: Ensuring that required legal grounds for customer data processing are defined and established as per GDPR or DPA requirements. For the European Data Protection Board (EDPB, former Article 29 Group), energy suppliers can only access energy consumption data that is more than daily, such as half-hourly data (interval data), when they have collected prior customer’s consent as defined by the GDPR. This position has been enforced in the UK, in France and in the Netherlands.
CRU Response: Risk Transferred: Suppliers will be required to capture the customer’s agreement32 prior to receipt and processing of Interval Data. Suppliers will also be required to update their Terms & Conditions for the product, i.e. an interval tariff. Suppliers must ensure that legal grounds are defined for each new data processing purpose.

32 IBID

ID: CRU-001-RSK-DP-020
Risk Description: Smart Meter Data accuracy
Priority: 2
Recommendations: Ensuring that data quality obligations are respected.
CRU Response: Risk Transferred: ESBN will hold the main responsibility for the accuracy of data under its requirement to manage the network and comply with the DSO licence. All smart meters will be Measuring Instruments Directive (MID) certified, ensuring that the data recorded on them is an accurate reflection of the energy usage in the household. It will be the responsibility of Suppliers to notify ESBN of changes to customer details and report any issues or data inconsistencies through market messages as per BAU.

ID: CRU-001-RSK-DP-022
Risk Description: Consumption calculation, billing and settlements; consumption analysis, determination of future pricing and tariffs; customer profiling and personalised offerings; energy theft or fraud prevention and investigation
Priority: 2
Recommendations: Ensuring that legal grounds for relevant processing operations are established as per GDPR and DPA requirements, the personal data is used only for defined purposes and, where necessary to deviate from primary purposes, additional safeguards are adopted.
CRU Response: Risk Transferred: ESB Networks is required to collect, process and validate metering data in its role as a licensed Distribution System Operator. Energy suppliers require this metering data to bill customers and to meet their contractual obligations. Suppliers are equally obliged under their licences to comply with the Codes of Practice under the CRU Supplier Handbook.

ID: CRU-001-RSK-DP-023
Risk Description: Service providers are involved in the data processing
Priority: 2
Recommendations: Ensuring that adequate data processing agreements and defined instructions to service providers are in place and enforced.
CRU Response: Risk Transferred: ESBN has entered into Framework Agreements with service providers. These agreements establish the Data Controller - Data Processor relationship and set forth data processing instructions for outsourced providers. Networks and Suppliers are expected to ensure that legal grounds for each new data processing purpose are defined.

ID: CRU-001-RSK-DP-024
Risk Description: Customers are able to submit data subjects’ requests; internal policies establish response procedures; customers are provided access to personal data (including Interval Data) in a user-friendly format
Priority: 2
Recommendations: Implementing customer access to the HDF, considering appropriate security measures for customer authentication, data transmission and an interoperable format among market participants.
CRU Response: Risk Transferred: Suppliers have procedures in place for the response to data subjects’ requests as per BAU. Suppliers must ensure appropriate security measures are in place.

ID: CRU-001-RSK-DP-025
Risk Description: The data is stored on company assets
Priority: 2
Recommendations: Reviewing service providers’ information security governance when the data is not stored on premises.
CRU Response: Risk Transferred: Suppliers will be expected to review service providers’ information security governance when the data is not stored on premises.

ID: CRU-001-RSK-DP-026
Risk Description: Company assets and data flows are mapped, and the physical location of data is recorded
Priority: 2
Recommendations: Requiring energy suppliers to implement all adequate safeguards if using third-party suppliers, such as requiring suppliers to have servers physically located in the EEA, implementing Standard Contractual Clauses or relying on suppliers located in a country deemed adequate by the European Commission. Considering the recent CJEU decision invalidating the EU-U.S. Privacy Shield, personal data should not be transferred to the U.S. without an assessment on whether the recipient falls under U.S. mass surveillance laws.
CRU Response: Risk Transferred: The majority of suppliers have mapped their data flows and store data on their own on-premise servers. Suppliers must ensure adequate safeguards are in place if using third party suppliers.

ID: CRU-001-RSK-DP-027
Risk Description: Internal policies and procedures ensure strong risk management, information security and resilience of the data
Priority: 2
Recommendations: Implementing encryption for data at rest as a default security measure. Systemising annual audits of third parties. Implementing pseudonymisation of records and databases as often as feasible in order to reduce the risk induced from highly identifiable records.
CRU Response: Risk Transferred: Networks and Suppliers are expected to carry out individual DPIAs. Networks and Suppliers must ensure strong risk management and information security measures are in place.

ID: CRU-001-RSK-DP-028
Risk Description: Data is stored only for the relevant retention periods
Priority: 2
Recommendations: Implementing data destruction and retention policies with retention periods proportionate to the purposes, respectful of the data minimisation principle.
CRU Response: Risk Transferred: Networks and Suppliers have data retention policies in place as per BAU.

ID: CRU-001-RSK-DP-029
Risk Description: Data is backed-up regularly and incident recovery plans are in place
Priority: 2
Recommendations: Implementing automatic backup processes and regular testing of incident recovery plans.
CRU Response: Risk Mitigated: Networks and Suppliers have automatic back-up systems in place as per BAU.

ID: CRU-001-RSK-DP-030
Risk Description: Smart Meter Data from the meter to ESBN is transferred in a secured manner
Priority: 2
Recommendations: Implementing encryption for data at rest as a default security measure.
CRU Response: Risk Transferred: Networks must ensure that data is transferred in a secure manner.

ID: CRU-001-RSK-DP-031
Risk Description: Smart Meter Data from ESBN to energy suppliers is transferred in a secured manner
Priority: 2
Recommendations: Implementing encryption for data sent by ESBN to energy suppliers.
CRU Response: Risk Transferred: ESBN must ensure that data sent to energy suppliers is transferred in a secure manner.

ID: CRU-001-RSK-DP-032
Risk Description: Incident detection measures are implemented across all systems and the network is protected and monitored against unauthorised access
Priority: 2
Recommendations: Requiring market participants through contractual arrangements to implement incident detection measures across all systems and protect and monitor their network against unauthorised access.
CRU Response: Risk Transferred: Networks and Suppliers are expected to carry out individual DPIAs. Networks and Suppliers must ensure appropriate measures are put in place to ensure all systems are protected against unauthorised access.

ID: CRU-001-RSK-DP-033
Risk Description: Internal policies establishing potential incident discovery, investigation, assessment and mitigation
Priority: 2
Recommendations: Requiring market participants through contractual arrangements to implement internal policies establishing potential incident discovery, investigation, assessment and mitigation.
CRU Response: Risk Transferred: Networks and Suppliers are expected to carry out individual DPIAs. Networks and Suppliers must ensure appropriate internal policies are in place.

ID: CRU-001-RSK-DP-034
Risk Description: Internal policies establishing notification procedures to competent public bodies, controllers, data subjects and other relevant stakeholders
Priority: 2
Recommendations: Requiring market participants through contractual arrangements to implement internal policies establishing notification procedures to competent public bodies, controllers, data subjects and other relevant stakeholders.
CRU Response: Risk Transferred: Networks and Suppliers are expected to carry out individual DPIAs. Networks and Suppliers must ensure robust notification procedures are in place.
3 Cyber Security
3.1 Background
The technical readiness assurance for the NSMP included an assessment of the
approach to information/cyber security being implemented by both ESBN and
suppliers. The information/cyber security assessment aimed to establish the current
degree of maturity surrounding the implementation of information security practices
within relevant organisations. Questions sought to establish the current approach
against the requirements of the following:
1. NIS Compliance Guidelines for Operators of Essential Services published by
the Department of Communications, Climate Action & Environment dated
January 2019; and
2. Best Available Techniques Reference Document for the cyber-security and
privacy of the 10 minimum functional requirements of the Smart Metering
Systems published by the European Commission.
3.1.1 NIS Compliance Guidelines for Operators of Essential Services
On 6th July 2016, the European Union formally adopted Directive (EU) 2016/1148
concerning measures for a high common level of security of network and information
systems across the Union (the NIS Directive). The main objective of the NIS
Directive is to ensure that there is a common high-level security of network and
information systems across Member States and as such, it requires Member States
to take several significant measures regarding cyber security. The Directive was
formally transposed into Irish legislation under the European Union (Measures for a
High Common Level of Security of Network and Information Systems) Regulation
2018 (S.I. 360 of 20182) (the ‘NIS Regulations’) on 18th Sept 2018. As noted above,
the NCSC is the national competent authority for the purposes of this Directive.
In January 2019, the NCSC published guidelines for Operators of Essential Services
(OES) to assist them in complying with the Regulations. Although the CRU accepts
that only a subset of market participants have been designated as an OES33, the
compliance guidelines established by the NCSC provide a common ‘best practice’
framework against which the readiness of the NSMP can be established.
The CRU considers that applying this standard to all market participants sets a very
high bar for assessment. Given the potential harm from a cyber attack, this was
considered prudent, and most respondents performed well when assessed on this
basis.
3.1.2 Best available information
The European Commission Recommendation 2012/148/EU on preparations for the
roll-out of smart metering systems states that, “in order to mitigate the risks on
personal data and security, Member States, in collaboration with industry, the
Commission and other stakeholders, should support the determination of best
available techniques for each common minimum functional requirement listed in
point 42 of the Recommendation”.
The Commission Recommendation of 9 March 2012 on preparations for the roll-out
of smart metering systems (number 2012/148/EU), defines a set of minimum
functional requirements that every smart metering system should fulfil, taking into
consideration aspects regarding:
• The customer
• The metering operator
• The commercial aspects of the energy supply
• Security and data protection
• Distributed generation
The readiness assessment has matched each applicable best technique to the
relevant compliance guideline for NIS as described in the assessment approach
section.
33 Energy suppliers who own and operate power plants have been designated as operators of essential services.
3.2 Assessment Approach
The assessment questionnaires combined the guidelines for OES detailed by the
NCSC and the relevant techniques identified by Recommendation 2012/148/EU. Not
all NIS Guidelines have associated techniques. The guidelines and techniques
selected are detailed in Appendix C.
In responding to questions asking the market participant to detail how they are
implementing a guideline, respondents were requested to complete their evaluation of
how effectively the guideline is currently implemented, as detailed below:
Maturity (please select the most representative), each level carrying a RAG Rating:
• Fully in place (>85% - 100%)
• Largely in place (>50% - 85%)
• Partially in place (>15% - 50%)
• Not in place (0% - 15%)
In completing their response participants were asked to substantiate the response by
providing supporting evidence. Both the questionnaires and the supporting evidence
were uploaded by the participant to an organisation specific secure workplace on
Gemserv’s Huddle document repository.
In preparation for the assessment, Gemserv identified the market participants who
were expected to provide relevant information in response to the Information Security
Assessment Questionnaire. Responses were received from the network operator
(ESBN) and suppliers.
3.3 Programme Overview
The responses from market participants were analysed and a collective rating
assigned where there was more than one participant in a category. As there was
only one network participant, the rating for network is unadjusted from that
participant’s submission.
The information/cyber security assessment did not highlight any significant concerns
with the security of the smart metering infrastructure or the security approach being
deployed by market participants. In compiling the overview of responses, Gemserv
noted more specifically that:
• The response for the network operator (ESBN) was comprehensive, with
supporting evidence to substantiate the ratings. The rating summary for the
network operator reflects the increased complexity of cyber security
operations and provides confidence in the accuracy of the ratings.
• The responses for large suppliers were summarised. Most large suppliers
provided supporting evidence and the majority indicated ‘Fully in place’ for all
questions. Several large suppliers failed to provide maturity ratings or failed to
answer all questions, which has impacted the overall rating.
• The responses for small suppliers were summarised across all small
suppliers. Most small suppliers did not provide comprehensive supporting
evidence with their responses, which presents a challenge for in-depth analysis
by Gemserv.
More broadly, Gemserv noted that in their view the suppliers (large and small) were
overly confident in their responses, as some did not provide maturity ratings, supporting
evidence or direct answers to some questions.
An overview of the maturity levels identified for network, large suppliers and small
suppliers is outlined in Appendix D.
3.4 Cyber Security Technical Readiness
This section identifies key risks and recommendations surrounding the cyber security
technical readiness of market participants in the NSMP. The risks are based on
trends seen across all responses and consideration of the evidence supplied to
support questionnaire responses. It should be noted that the information/cyber
security assessment, unlike the DPIA, does not include a part similar to Stage 4 of
the DPIA where a risk treatment and justification is applied. However, the CRU
would recommend that market participants adhere to information/cyber security
requirements in line with best practice internationally.
In assigning a risk rating for an identified risk the following risk matrix has been
utilised:
3.4.1 Risk summary and Recommendations
Columns: ID | Risk | Risk Rating | Recommendations

ID: CRU-CS-001
Risk: A clear understanding of the technical readiness of market participants cannot be fully ascertained due to incomplete responses and variance in the quality of responses.
Recommendations: The assessment of cyber security readiness should be a standard annual compliance assessment. This will increase familiarity with cyber security practice across those participants who lack dedicated cyber security resource, provide increasingly accurate responses and provide a higher level of confidence in the cyber security stance of the programme.

ID: CRU-CS-002
Risk: The lack of detail and supporting evidence leads to over-confidence in the readiness of market participants to address cyber security issues within the NSMP.
Recommendations: Recommend a post assessment meeting with each participant to include:
a) Briefing on NIS Guidelines (if to be adopted as a best practice)
b) Expectation on responses, detail and supporting evidence
c) Debrief on current submission
d) Validation of responses for those participants who failed to provide adequate detail for the technical readiness. Recommendation for this includes:
i. Annual assessment utilising existing questionnaires as a standard component of market assurance. As questionnaires are already prepared this would not result in significant additional overhead.
ii. The use of onsite assessment in year 2 to validate practice where responses continue to be sub-standard. This is the best solution to uncertainty in the maturity of cyber security practice.

ID: CRU-CS-003
Risk: Lack of access to cyber security expertise and resource creates disparity in the cyber security capability amongst market participants, leading to lack of confidence amongst peer organisations and regulators.
Recommendations: This disparity was not necessarily due to the size of the organisation or its role in the NSMP, i.e. some small suppliers are able to call upon substantial capability and expertise from Group resource whereas several large suppliers clearly struggled with the technical readiness assessment. This issue is influenced by the overall shortage of cyber security skills across the EU (and globally), budgetary concerns and lack of understanding of the complexities of securing operations against rapidly evolving cyber threats. Recommendations include:
a) Adopting the NIS Guidelines as a best practice standard for the NSMP. This will provide a common understanding of cyber security controls and implementation.
b) Promoting industry knowledge sharing, particularly in relation to threats, vulnerabilities and control implementation. This could be done via an NSMP cyber security steering group or committee that works to promote cyber security across the programme and assists those organisations lacking capability in accessing expertise.

ID: CRU-CS-004
Risk: Responsibility for cyber security is outsourced to external service providers, resulting in a lack of clarity within some market participants as to how their services are secured.
Recommendations: Reinforce that the responsibility for cyber security resides with the market participant and, although the technical implementation of cyber security controls can be outsourced, the organisation remains responsible for establishing policy and ensuring compliance with legal and regulatory requirements. If cyber security is to be included in standard market assurance practice, it is recommended that market participants are required to have a clear policy for cyber security and for how they manage external providers.

ID: CRU-CS-005
Risk: There is substantial variance in how market participants manage external parties and the supply chain, leading to the risk of the supply chain compromising cyber controls within the programme.
Recommendations: Require reporting as part of ongoing market assurance to establish that security of the supply chain is implemented across the programme. Examples used in similar scenarios include:
a) Requiring external parties to attest to a recognised standard such as ISO27001 or the NIST suite of controls
b) Third party audit and assessment programmes

ID: CRU-CS-006
Risk: Lack of effective cyber security risk management leading to undetected threats and vulnerabilities compromising the integrity of the programme.
Recommendations: Any further compliance programmes should require disclosure of how threats are analysed and how identified risks are mitigated. Although this information was requested, only a few participants provided evidence as to how risk is managed. Recommend that any failure to provide satisfactory evidence prompts an onsite validation assessment.

ID: CRU-CS-007
Risk: Data at rest is not adequately protected, leading to increased risk of compromise.
Recommendations: The provision of encryption as a protective control for data at rest can be problematic for many organisations. Issues include:
a) Substantial cost overhead for both implementation and maintenance
b) Performance of information systems. When data is stored in encrypted format, speed of access to the data is impacted. For many organisations the lack of encryption of data at rest is outweighed by the performance gained from not using encryption.
Requiring the use of cryptography to secure data at rest presents a significant challenge to the industry in terms of implementation, management and subsequent performance. A more realistic solution is to take a risk-based approach and utilise other controls to ensure data is secure. This will require:
a) Detailed threat and risk analysis of data at rest with evidence provided for assurance
b) Robust access control to data tables
c) Network controls to prevent access to stored data from outside the network boundary
d) Personnel screening for those with privileged access to data repositories, particularly for roles such as Database Administrators with access to bulk data

ID: CRU-CS-008
Risk: A lack of general awareness training for cyber security leads to increased vulnerability to the programme from both external and internal threat sources.
Recommendations: Even though larger organisations possess greater access to training resources, there is more that organisations could do to extend training beyond informing personnel of internal policy. This should include awareness of how individuals within an organisation are targeted. Very few successful cyber attacks are ‘brute force’ and the majority rely on exploiting an authenticated user within the organisation. Ongoing assurance should confirm that organisations include aspects of cyber security such as:
a) Recognising email attacks such as ‘phishing’
b) Recognising how attackers use social engineering to target individuals who possess the access credentials they require to facilitate an attack
c) The importance of reporting suspected incidents
4 Next Steps
Although the DPIA and the Cyber Security Technical Readiness assessment have
uncovered some challenges, the exercises raise awareness among market
participants of their obligations in line with the NSMP. The CRU will continue to
engage with the network operator, suppliers, stakeholders, the NCSC and the DPC
based on the results of these assessments.
As noted above, a more in-depth assessment of individual supplier readiness is being examined in parallel by Gemserv on behalf of the RMDS to assess the readiness of suppliers to implement Version 13 changes [34]. This parallel assessment is ongoing, with market participants entering the test phase in October 2020. The CRU approves the assurance reports for the Version 13 assessment and will be asked to give final approval to allow the ‘go-live’ of Version 13 in December 2020.
The CRU will continue to consider the data protection implications of the NSMP as it
evolves and moves into the next stages. Maintaining and protecting the privacy of final
customers will remain a key consideration in future policy development and
assessments will continue to be based on best practice. In that context, the
programme DPIA should be considered a living document and will be updated in
future if necessary.
[34] Version 13 is a retail market release (system updates) which will enable the provision of Smart Services in January 2021.
A Appendix: Data Protection Requirements

| Reference | Provisions |
|---|---|
| GDPR Article 5 | The Principles relating to processing of Personal Data have been fulfilled: Purpose Limitation; Data minimisation; Storage Limitation; Integrity and confidentiality; Data is accurate and kept up to date |
| GDPR Article 6 | The processing is based on the Lawfulness conditions provided by GDPR |
| DPA Section 41 | The purposes of Processing may be changed for prevention, investigation and detection of criminal offences |
| GDPR Article 7 | Where the processing is based on consent, it is possible to demonstrate that the data subject has consented to processing of his or her personal data |
| GDPR Article 9 | Processing of special categories of personal data is performed adopting all the measures provided by GDPR |
| GDPR Articles 13, 14 | The controller provided information to the data subject |
| GDPR Article 15 | The right of access by the data subject is guaranteed |
| GDPR Article 16 | The right to rectification is guaranteed |
| GDPR Article 17 | The right to erasure is guaranteed |
| GDPR Article 18 | The right to restriction of processing is guaranteed |
| GDPR Article 19 | Have the recipients of the personal data been notified when the data subject requested a rectification, erasure or restriction of processing? Is a procedure available? |
| GDPR Article 20 | The right of data portability is guaranteed |
| GDPR Article 21 | The right to object to a processing is guaranteed |
| GDPR Article 22 | The right to object to a decision based solely on automated processing, including profiling, is guaranteed (if applicable) |
| GDPR Article 25 | Principles of data protection by design and data protection by default are applied |
| GDPR Article 26 | An agreement with any joint controllers is established |
| GDPR Article 28 | The processor has been appointed and provides guarantees to implement appropriate technical and organisational measures and ensure the protection of the rights of the data subjects |
| GDPR Article 29 | Anybody in charge of the processing is acting under instructions of the controller |
| GDPR Article 30 | Records of processing activities are provided |
| GDPR Article 32 | Security measures have been adopted |
| GDPR Articles 33, 34 | Procedures have been adopted for dealing with data breaches and notification of breaches to the DPA or to the affected individuals (if applicable) |
| GDPR Article 35 | A pre-existing Data Protection Impact Assessment had already been done |
| GDPR Article 36 | A Prior Consultation already took place |
| GDPR Article 37 | A DPO has been appointed |
| GDPR Article 40 | Data Controller or Data Processor abides by a Code of Conduct |
| GDPR Article 42 | Data Controller or Data Processor has received certification |
| GDPR Articles 44-49 | Transfer of personal data outside the EU is performed according to the GDPR provisions |
B Appendix CRU Decisions

| Ref. No | Document Name |
|---|---|
| CER/14/046 | CER National Smart Metering Programme Smart Metering High Level Design |
| CER/15/054 | CER National Smart Metering Programme Smart Pay As You Go |
| CER/15/139 | CER National Smart Metering Programme Information Paper on Data Access & Privacy |
| CER/15/270 | CER National Smart Metering Programme Rolling out New Services: Time-of-Use Tariffs |
| CER/16/124 | CER National Smart Metering Programme Regulating the Transition Activities of Market Participants |
| CER/16/125 | CER National Smart Metering Programme Empowering & Protecting Customers |
| CRU/18/084 | Smart Meter Upgrade Standard Smart Tariff Proposed Guideline |
| CRU/18/233 | Smart Meter Upgrade Customer-Led Transition to Time-of-Use |
| CRU/19/083 | Smart Meter Upgrade Smart Meter Allocation |
| CRU/19/112 | Smart Meter Upgrade Allocation of the Residual Error and Profile Removal |
C Appendix Cyber Security Assessment Approach
The assessment questionnaires combined the guidelines for OES detailed by the
NCSC and the relevant techniques identified by Recommendation 2012/148/EU. Not
all NIS Guidelines have associated techniques. The guidelines and techniques
selected are detailed below.
| NIS Compliance Guideline | 10 Functional Requirements Techniques |
|---|---|
| ID.AM-1: An up to date record of the physical and virtual devices and systems which underpins the delivery and/or support of each essential service is maintained. | |
| ID.AM-2: An up to date record of the software (information system, database, databus, applications, middleware etc) which underpins the delivery and/or support of each essential service is maintained. | |
| ID.AM-3: Organisational communication and data flows are mapped | |
| ID.AM-4: External information systems are catalogued | |
| ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | |
| ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | |
| ID.BE-1: The organisation’s role in the supply chain is identified and communicated | |
| ID.BE-2: The organisation’s place in critical infrastructure and its industry sector is identified and communicated | |
| ID.BE-3: Priorities for organisational mission, objectives, and activities are established and communicated | |
| ID.BE-4: Dependencies and critical functions for delivery of critical services are established | |
| ID.BE-5: Resilience requirements to support delivery of critical services are established. | |
| ID.GV-1: Organisational cybersecurity policy is defined, documented and communicated. | |
| ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners. | |
| ID.GV-3: Legal and regulatory requirements regarding cybersecurity obligations are understood and managed. | |
| ID.GV-4: Governance and risk management processes address cybersecurity risks, and ensure their ongoing adequacy and effectiveness. | |
| ID.RA-1: Asset vulnerabilities are identified and documented. | |
| ID.RA-2: Cyber threat (strategic, operational and tactical) and vulnerability information is received from information sharing forums and sources. | |
| ID.RA-3: Threats, both internal and external, are identified and documented. | |
| ID.RA-4: Potential business impacts and likelihoods are identified and documented. | |
| ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Risk assessments are dynamic and are updated in light of system or service changes, or changes to the threat environment. | |
| ID.RA-6: Risk responses are identified, prioritised and documented. | |
| ID.RM-1: Risk management processes are established, documented, managed, agreed to by organisational stakeholders. | |
| ID.RM-2: Organisational risk tolerance is determined, clearly expressed and documented. | |
| ID.RM-3: Determination of risk tolerance is informed by the organisational role in critical infrastructure and sector specific risk analysis and is documented. | |
| ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organisational stakeholders | |
| ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritised, and assessed using a cyber supply chain risk assessment process | |
| ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organisation’s cybersecurity program and Cyber Supply Chain Risk Management Plan. | |
| ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | |
| ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | |
| PR.AC-1: Identities and credentials are issued, managed, verified, revoked, for the end to end joiners, movers and leavers lifecycle. | 9.1.1 - Username/password or PIN; 9.1.2 - One-time password; 9.1.3 - 2 factor authentication; 9.1.4 - Pre-shared secrets and TLS with client certificates; 10.1.5 - Dial in Whitelisting; 10.1.6 - LDAP; 10.1.7 - TACACS+; 11.1.6 - One-time password (OTP) |
| PR.AC-2: Physical access to assets is managed and protected. | 9.3.2 - Switches; 9.5.2 - Private location; 10.1.12 - Read Only Interface |
| PR.AC-3: Remote access is managed and documented. | 9.1.1 - Username/password or PIN; 9.1.2 - One-time password; 9.1.3 - 2 factor authentication; 9.1.4 - Pre-shared secrets and TLS with client certificates; 10.1.5 - Dial in Whitelisting; 10.1.7 - TACACS+ |
| PR.AC-4: Access permissions and authorisations are managed, incorporating the principles of least privilege and separation of duties, and periodically revalidated. | 9.1.1 - Username/password or PIN; 9.1.2 - One-time password; 9.1.3 - 2 factor authentication; 9.1.4 - Pre-shared secrets and TLS with client certificates; 10.1.5 - Dial in Whitelisting; 10.1.6 - LDAP; 10.1.7 - TACACS+ |
| PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | 10.1.8 - Firewall; 10.1.9 - IDS/IPS; 11.1.1 - Network segregation |
| PR.AC-6: Only individually authenticated and authorised users can connect to or access the organisation's networks or information systems. | 9.1.1 - Username/password or PIN; 9.1.2 - One-time password; 9.1.3 - 2 factor authentication; 9.1.4 - Pre-shared secrets and TLS with client certificates; 9.6.1 - (Processor) hardening; 10.1.5 - Dial in Whitelisting; 10.1.6 - LDAP; 10.1.7 - TACACS+ |
| PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the access (e.g., privileged (admin, root) accounts typically require strong authentication). | 9.1.1 - Username/password or PIN; 9.1.2 - One-time password; 9.1.3 - 2 factor authentication; 9.1.4 - Pre-shared secrets and TLS with client certificates; 11.1.5 - Multi-factor authentication; 11.1.7 - Whitelisting |
| PR.AT-1: All users are informed and trained on cyber security policies and relevant procedures, with periodic updates. | |
| PR.AT-2: Privileged users understand their roles and responsibilities. | |
| PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities. | |
| PR.AT-4: Senior executives understand their roles and responsibilities. | |
| PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities. | |
| PR.DS-1: Data-at-rest is protected | 9.2.2 - AES-GCM; 9.2.1 - AES-CBC; 9.2.2 - AES-CCM; 9.2.3 - AES-CMAC; 9.2.4 - AES-CTR; 9.2.5 - AES-ECB; 9.2.6 - SHA1; 9.2.7 - SHA2; 9.2.8 - ECDH; 9.2.9 - ECDSA; 9.5.2 - Private location |
| PR.DS-2: Data-in-transit is protected | 9.2.2 - AES-GCM; 9.2.1 - AES-CBC; 9.2.2 - AES-CCM; 9.2.3 - AES-CMAC; 9.2.4 - AES-CTR; 9.2.5 - AES-ECB; 9.2.6 - SHA1; 9.2.7 - SHA2; 9.2.8 - ECDH; 9.2.9 - ECDSA; 9.5.1 - Unique keys; 9.5.3 - DLMS secure transport; 9.5.5 - TLS secure transport; 9.5.6 - End-to-End Signing; 10.1.1 - ZigBee Smart Energy Profile; 10.1.2 - CMS; 10.1.3 - M-Bus; 10.1.4 - DLMS |
| PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | |
| PR.DS-4: Adequate capacity to ensure availability is maintained. | |
| PR.DS-5: Protections against data leaks and data loss are implemented. | |
| PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. | 9.5.6 - End-to-End Signing; 9.5.7 - Switching commands validated against the grid code (Grid Sensitive Operation) |
| PR.DS-7: The development and testing environment(s) are separate from the production environment. | |
| PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | 9.5.7 - Switching commands validated against the grid code (Grid Sensitive Operation); 9.6.1 - (Processor) hardening |
| PR.SP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | |
| PR.SP-2: A System Development Life Cycle to manage systems is implemented with embedded security touchpoints. | |
| PR.SP-3: Configuration change control processes are in place | |
| PR.SP-4: Backups of information are conducted, maintained, and tested | |
| PR.SP-5: Policy and regulations regarding the physical operating environment for organisational assets are met | |
| PR.SP-6: Data is destroyed according to defined policy. | |
| PR.SP-7: Protection processes are continuously improved. | |
| PR.SP-8: Effectiveness of protection technologies is shared with appropriate parties. | |
| PR.SP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | |
| PR.SP-10: Response and recovery plans are tested | |
| PR.SP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | |
| PR.SP-12: A vulnerability management plan is developed and implemented to remediate vulnerabilities in a timely manner, commensurate with the risk. | |
| PR.MA-1: Maintenance and repair of organisational assets are performed and logged, with approved and controlled tools. | 11.1.2 - Firmware update |
| PR.MA-2: Remote maintenance of organisational assets is approved, logged, and performed in a manner that prevents unauthorised access. | |
| PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | |
| PR.PT-2: Removable (thumb drive etc) and mobile (smartphone, laptop etc) media is protected and its use restricted according to policy. | |
| PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 9.4.1 - Application specific protocols |
| PR.PT-4: Communications and control networks are protected from unauthorised traffic, unauthorised access and the security mechanisms are periodically tested. | 9.4.1 - Application specific protocols; 9.5.3 - DLMS secure transport; 10.1.8 - Firewall; 11.1.8 - VPN; 11.1.9 - Manufacturer – customer key exchange; 11.1.10 - PKI |
| PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | 10.1.8 - Firewall |
| DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | 10.1.9 - IDS/IPS; 11.1.4 - SIEM |
| DE.AE-2: Detected events are analysed to understand attack targets and methods | 10.1.9 - IDS/IPS; 11.1.4 - SIEM |
| DE.AE-3: Event data are collected and correlated from multiple sources and sensors | |
| DE.AE-4: Impact of events is determined. | |
| DE.AE-5: Incident alert thresholds are established. | |
| DE.CM-1: The network is monitored to detect potential cybersecurity events. | 10.1.9 - IDS/IPS |
| DE.CM-2: The physical environment is monitored to detect potential cybersecurity events. | 9.3.3 - Seals and other tamper evident techniques |
| DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | 10.1.9 - IDS/IPS |
| DE.CM-4: Malicious code is detected | 10.1.9 - IDS/IPS |
| DE.CM-5: Unauthorized mobile code is detected | 10.1.9 - IDS/IPS |
| DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | 10.1.8 - Firewall; 10.1.9 - IDS/IPS |
| DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | 10.1.8 - Firewall; 10.1.9 - IDS/IPS |
| DE.CM-8: Vulnerability scans are performed | |
| DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | |
| DE.DP-2: Detection activities comply with all applicable requirements | |
| DE.DP-3: Detection processes are periodically tested against ‘real world’ scenarios. | |
| DE.DP-4: Event detection information is communicated to appropriate stakeholders. | |
| DE.DP-5: Detection processes are continuously improved. | |
| RS.RP-1: Response plan is executed during a cybersecurity event with an actual or potential adverse impact. | |
| RS.CO-1: Personnel know their roles and order of operations when a response is needed | |
| RS.CO-2: Incidents are reported in line with established criteria, consistent with legal and regulatory requirements. | |
| RS.CO-3: Information is shared consistent with response plans | |
| RS.CO-4: Coordination with stakeholders occurs consistent with response plans | |
| RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | |
| RS.AN-1: Notifications from detection systems are investigated | 10.1.8 - Firewall; 10.1.9 - IDS/IPS |
| RS.AN-2: The impact of the incident is understood | |
| RS.AN-3: Forensics are performed | |
| RS.AN-4: Incidents are categorized consistent with response plans | |
| RS.AN-5: Processes are established to receive, analyse and respond to vulnerabilities disclosed to the Organisation from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | |
| RS.MI-1: Incidents are contained | |
| RS.MI-2: Incidents are mitigated | |
| RS.MI-3: Newly identified vulnerabilities are remediated, mitigated or documented as accepted risks, in line with organisational risk tolerance. | |
| RS.IM-1: Response plans incorporate lessons learned | |
| RS.IM-2: Response strategies are updated | |
| RC.RP-1: Recovery plan is executed during or after a cybersecurity response. | |
| RC.IM-1: Recovery plans incorporate lessons learned | |
| RC.IM-2: Recovery strategies are updated | |
| RC.CO-1: Public relations are managed | |
| RC.CO-2: Reputational impacts are assessed and addressed. | |
| RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | |
D Appendix Cyber Security Maturity Levels Summary
A summary overview of the maturity levels identified for network, large suppliers and
small suppliers as part of the Cyber Security risk assessment is outlined below.
| Guideline | Network | Large supplier | Small supplier |
|---|---|---|---|
| ID.AM-1: An up to date record of the physical and virtual devices and systems which underpins the delivery and/or support of each essential service is maintained. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) |
| ID.AM-2: An up to date record of the software (information system, database, databus, applications, middleware etc) which underpins the delivery and/or support of each essential service is maintained. | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) |
| ID.AM-3: Organisational communication and data flows are mapped | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
| ID.AM-4: External information systems are catalogued | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
| ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritised based on their classification, criticality, and business value | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) |
| ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.BE-1: The organisation’s role in the supply chain is identified and communicated | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) |
| ID.BE-2: The organisation’s place in critical infrastructure and its industry sector is identified and communicated | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) |
| ID.BE-3: Priorities for organisational mission, objectives, and activities are established and communicated | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
| ID.BE-4: Dependencies and critical functions for delivery of critical services are established | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.BE-5: Resilience requirements to support delivery of critical services are established. | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.GV-1: Organisational cybersecurity policy is defined, documented and communicated. | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners. | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) |
| ID.GV-3: Legal and regulatory requirements regarding cybersecurity obligations are understood and managed. | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
| ID.GV-4: Governance and risk management processes address cybersecurity risks, and ensure their ongoing adequacy and effectiveness. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) |
| ID.RA-1: Asset vulnerabilities are identified and documented. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.RA-2: Cyber threat (strategic, operational and tactical) and vulnerability information is received from information sharing forums and sources. | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.RA-3: Threats, both internal and external, are identified and documented. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
| ID.RA-4: Potential business impacts and likelihoods are identified and documented. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) |
| ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Risk assessments are dynamic and are updated in light of system or service changes, or changes to the threat environment. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) |
| ID.RA-6: Risk responses are identified, prioritised and documented. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
| ID.RM-1: Risk management processes are established, documented, managed, agreed to by organisational stakeholders. | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.RM-2: Organisational risk tolerance is determined, clearly expressed and documented. | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.RM-3: Determination of risk tolerance is informed by the organisational role in critical infrastructure and sector specific risk analysis and is documented. | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organisational stakeholders | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
| ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritised, and assessed using a cyber supply chain risk assessment process | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organisation’s cybersecurity program and Cyber Supply Chain Risk Management Plan. | Fully in place (>85% - 100%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) |
| ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
| ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) |
PR.AC-1: Identities and credentials are issued,
managed, verified, revoked, for the end to end
joiners, movers and leavers lifecycle.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.AC-2: Physical access to assets is
managed and protected
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.AC-3: Remote access is managed and
documented.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.AC-4: Access permissions and
authorisations are managed, incorporating the
principles of least privilege and separation of
duties, and periodically revalidated.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.AC-5: Network integrity is protected (e.g.,
network segregation, network segmentation)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.AC-6: Only individually authenticated and
authorised users can connect to or access the
organisation's networks or information
systems.
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Fully in place
(>85% -
100%)
PR.AC-7: Users, devices, and other assets are
authenticated (e.g., single-factor, multi-factor)
commensurate with the risk of the access (e.g.,
Largely in
place (>50% -
Largely in
place (>50%
Fully in place
(>85% -
![Page 72: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020](https://reader035.vdocuments.net/reader035/viewer/2022071405/60faf2a5c86a76382e276a13/html5/thumbnails/72.jpg)
An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities
71
privileged (admin, root) accounts typically
require strong authentication
85%) - 85%) 100%)
PR.AT-1: All users are informed and trained on
cyber security policies and relevant
procedures, with periodic updates.
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Fully in place
(>85% -
100%)
PR.AT-2: Privileged users understand their
roles and responsibilities.
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.AT-3: Third-party stakeholders (e.g.,
suppliers, customers, partners) understand
their roles and responsibilities.
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Largely in
place (>50% -
85%)
PR.AT-4: Senior executives understand their
roles and responsibilities.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.AT-5: Physical and cybersecurity personnel
understand their roles and responsibilities.
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.DS-1: Data-at-rest is protected Partially in
place (>15% -
50%)
Partially in
place (>15%
- 50%)
Partially in
place (>15% -
50%)
PR.DS-2: Data-in-transit is protected Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Largely in
place (>50% -
85%)
PR.DS-3: Assets are formally managed
throughout removal, transfers, and disposition
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.DS-4: Adequate capacity to ensure
availability is maintained.
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.DS-5: Protections against data leaks and
data loss are implemented
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
PR.DS-6: Integrity checking mechanisms are Largely in Largely in Largely in
![Page 73: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020](https://reader035.vdocuments.net/reader035/viewer/2022071405/60faf2a5c86a76382e276a13/html5/thumbnails/73.jpg)
An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities
72
used to verify software, firmware, and
information integrity.
place (>50% -
85%)
place (>50%
- 85%)
place (>50% -
85%)
PR.DS-7: The development and testing
environment(s) are separate from the
production environment
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.DS-8: Integrity checking mechanisms are
used to verify hardware integrity
Fully in place
(>85% -
100%)
Partially in
place (>15%
- 50%)
Partially in
place (>15% -
50%)
PR.SP-1: A baseline configuration of
information technology/industrial control
systems is created and maintained
incorporating security principles (e.g. concept
of least functionality)
Fully in place
(>85% -
100%)
Partially in
place (>15%
- 50%)
Partially in
place (>15% -
50%)
PR.SP-2: A System Development Life Cycle to
manage systems is implemented with
embedded security touchpoints.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.SP-3: Configuration change control
processes are in place
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.SP-4: Backups of information are
conducted, maintained, and tested
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.SP-5: Policy and regulations regarding the
physical operating environment for
organisational assets are met
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.SP-6: Data is destroyed according to
defined policy
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.SP-7: Protection processes are
continuously improved.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.SP-8: Effectiveness of protection
technologies is shared with appropriate parties.
Fully in place
(>85% -
Fully in place
(>85% -
Fully in place
(>85% -
![Page 74: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020](https://reader035.vdocuments.net/reader035/viewer/2022071405/60faf2a5c86a76382e276a13/html5/thumbnails/74.jpg)
An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities
73
100%) 100%) 100%)
PR.SP-9: Response plans (Incident Response
and Business Continuity) and recovery plans
(Incident Recovery and Disaster Recovery) are
in place and managed
Partially in
place (>15% -
50%)
Partially in
place (>15%
- 50%)
Partially in
place (>15% -
50%)
PR.SP-10: Response and recovery plans are
tested
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Largely in
place (>50% -
85%)
PR.SP-11: Cybersecurity is included in human
resources practices (e.g., deprovisioning,
personnel screening)
Not in place
(0-15%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
PR.SP-12: A vulnerability management plan is
developed and implemented to remediate
vulnerabilities in a timely manner,
commensurate with the risk.
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
PR.MA-1: Maintenance and repair of
organisational assets are performed and
logged, with approved and controlled tools.
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.MA-2: Remote maintenance of
organisational assets is approved, logged, and
performed in a manner that prevents
unauthorised access.
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.PT-1: Audit/log records are determined,
documented, implemented, and reviewed in
accordance with policy
Not in place
(0-15%)
Not in place
(0-15%)
Not in place
(0-15%)
PR.PT-2: Removable (thumb drive etc) and
mobile (smartphone, laptop etc) media is
protected and its use restricted according to
policy
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.PT-3: The principle of least functionality is
incorporated by configuring systems to provide
only essential capabilities
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
PR.PT-4: Communications and control Largely in Largely in Largely in
![Page 75: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020](https://reader035.vdocuments.net/reader035/viewer/2022071405/60faf2a5c86a76382e276a13/html5/thumbnails/75.jpg)
An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities
74
networks are protected from unauthorised
traffic, unauthorised access and the security
mechanisms are periodically tested.
place (>50% -
85%)
place (>50%
- 85%)
place (>50% -
85%)
PR.PT-5: Mechanisms (e.g., failsafe, load
balancing, hot swap) are implemented to
achieve resilience requirements in normal and
adverse situations
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
DE.AE-1: A baseline of network operations and
expected data flows for users and systems is
established and managed
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
DE.AE-2: Detected events are analysed to
understand attack targets and methods
Partially in
place (>15% -
50%)
Partially in
place (>15%
- 50%)
Partially in
place (>15% -
50%)
DE.AE-3: Event data are collected and
correlated from multiple sources and sensors
Partially in
place (>15% -
50%)
Partially in
place (>15%
- 50%)
Partially in
place (>15% -
50%)
DE.AE-4: Impact of events is determined Partially in
place (>15% -
50%)
Partially in
place (>15%
- 50%)
Partially in
place (>15% -
50%)
DE.AE-5: Incident alert thresholds are
established.
Partially in
place (>15% -
50%)
Partially in
place (>15%
- 50%)
Partially in
place (>15% -
50%)
DE.CM-1: The network is monitored to detect
potential cybersecurity events.
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
DE.CM-2: The physical environment is
monitored to detect potential cybersecurity
events.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
DE.CM-3: Personnel activity is monitored to
detect potential cybersecurity events
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
DE.CM-4: Malicious code is detected Fully in place
(>85% -
Fully in place
(>85% -
Fully in place
(>85% -
![Page 76: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020](https://reader035.vdocuments.net/reader035/viewer/2022071405/60faf2a5c86a76382e276a13/html5/thumbnails/76.jpg)
An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities
75
100%) 100%) 100%)
DE.CM-5: Unauthorized mobile code is
detected
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
DE.CM-6: External service provider activity is
monitored to detect potential cybersecurity
events
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
DE.CM-7: Monitoring for unauthorized
personnel, connections, devices, and software
is performed
Partially in
place (>15% -
50%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
DE.CM-8: Vulnerability scans are performed Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
DE.DP-1: Roles and responsibilities for
detection are well defined to ensure
accountability
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
DE.DP-2: Detection activities comply with all
applicable requirements
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
DE.DP-3: Detection processes are periodically
tested against ‘real world’ scenarios.
Partially in
place (>15% -
50%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
DE.DP-4: Event detection information is
communicated to appropriate stakeholders
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
DE.DP-5: Detection processes are
continuously improved
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.RP-1: Response plan is executed during a
cybersecurity event with an actual or potential
adverse impact
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
RS.CO-1: Personnel know their roles and order
of operations when a response is needed
Fully in place
(>85% -
Fully in place
(>85% -
Fully in place
(>85% -
![Page 77: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020](https://reader035.vdocuments.net/reader035/viewer/2022071405/60faf2a5c86a76382e276a13/html5/thumbnails/77.jpg)
An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities
76
100%) 100%) 100%)
RS.CO-2: Incidents are reported in line with
established criteria, consistent with legal and
regulatory requirements.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.CO-3: Information is shared consistent with
response plans
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.CO-4: Coordination with stakeholders
occurs consistent with response plans
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.CO-5: Voluntary information sharing occurs
with external stakeholders to achieve broader
cybersecurity situational awareness
Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
RS.AN-1: Notifications from detection systems
are investigated
Partially in
place (>15% -
50%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
RS.AN-2: The impact of the incident is
understood
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.AN-3: Forensics are performed Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.AN-4: Incidents are categorized consistent
with response plans
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.AN-5: Processes are established to
receive, analyse and respond to vulnerabilities
disclosed to the Organisation from internal and
external sources (e.g. internal testing, security
bulletins, or security researchers)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.MI-1: Incidents are contained Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
![Page 78: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020](https://reader035.vdocuments.net/reader035/viewer/2022071405/60faf2a5c86a76382e276a13/html5/thumbnails/78.jpg)
An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities
77
RS.MI-2: Incidents are mitigated Largely in
place (>50% -
85%)
Largely in
place (>50%
- 85%)
Largely in
place (>50% -
85%)
RS.MI-3: Newly identified vulnerabilities are
remediated, mitigated or documented as
accepted risks, in line with organisational risk
tolerance.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.IM-1: Response plans incorporate lessons
learned
Partially in
place (>15% -
50%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RS.IM-2: Response strategies are updated Partially in
place (>15% -
50%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RC.RP-1: Recovery plan is executed during or
after a cybersecurity response.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RC.IM-1: Recovery plans incorporate lessons
learned
Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RC.IM-2: Recovery strategies are updated Largely in
place (>50% -
85%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RC.CO-1: Public relations are managed Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RC.CO-2: Reputational impacts are assessed
and addressed.
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
RC.CO-3: Recovery activities are
communicated to internal and external
stakeholders as well as executive and
management teams
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
Fully in place
(>85% -
100%)
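A table like the one above is most useful once the rating cells are parsed into an ordinal scale and the lowest-rated controls are surfaced. The following Python is an added example (not part of the CRU paper); it parses the page's own band text ("Fully in place (>85% - 100%)" etc.), embeds a subset of the rows above, and reports gaps below a chosen band, the weakest band seen per CSF function, and rows where the three columns disagree sharply. The column names are assumed anonymous because the extract does not name them.

```python
"""Gap analysis over the maturity scale used in the CSF assessment table.

Added example, not the CRU paper's own material. RATINGS is a subset of the
rows of the table above; the three rating columns are unnamed here because
the table extract does not identify them.
"""
import re
from collections import defaultdict

# Ordinal value of each maturity band, as named on the page.
LEVELS = {
    "Not in place": 0,
    "Partially in place": 1,
    "Largely in place": 2,
    "Fully in place": 3,
}
BAND_NAMES = {v: k for k, v in LEVELS.items()}

# Cell text as it appears in the table, e.g. "Largely in place (>50% - 85%)".
# The percentage range is not relied on: only the band name is parsed.
BAND_RE = re.compile(
    r"^(Not in place|Partially in place|Largely in place|Fully in place)\s*\("
)


def parse_band(cell: str) -> int:
    """Return the ordinal level of one rating cell; reject anything unexpected."""
    m = BAND_RE.match(cell.strip())
    if not m:
        raise ValueError(f"unrecognised maturity band: {cell!r}")
    return LEVELS[m.group(1)]


# Subset of rows from the table above: subcategory id -> three rating cells.
RATINGS = {
    "ID.RA-1": ["Largely in place (>50% - 85%)", "Largely in place (>50% - 85%)", "Fully in place (>85% - 100%)"],
    "PR.AC-4": ["Fully in place (>85% - 100%)", "Fully in place (>85% - 100%)", "Fully in place (>85% - 100%)"],
    "PR.DS-1": ["Partially in place (>15% - 50%)", "Partially in place (>15% - 50%)", "Partially in place (>15% - 50%)"],
    "PR.DS-8": ["Fully in place (>85% - 100%)", "Partially in place (>15% - 50%)", "Partially in place (>15% - 50%)"],
    "PR.SP-1": ["Fully in place (>85% - 100%)", "Partially in place (>15% - 50%)", "Partially in place (>15% - 50%)"],
    "PR.SP-11": ["Not in place (0-15%)", "Largely in place (>50% - 85%)", "Largely in place (>50% - 85%)"],
    "PR.PT-1": ["Not in place (0-15%)", "Not in place (0-15%)", "Not in place (0-15%)"],
    "DE.AE-2": ["Partially in place (>15% - 50%)", "Partially in place (>15% - 50%)", "Partially in place (>15% - 50%)"],
    "DE.CM-7": ["Partially in place (>15% - 50%)", "Fully in place (>85% - 100%)", "Fully in place (>85% - 100%)"],
    "RS.IM-1": ["Partially in place (>15% - 50%)", "Fully in place (>85% - 100%)", "Fully in place (>85% - 100%)"],
    "RC.CO-1": ["Fully in place (>85% - 100%)", "Fully in place (>85% - 100%)", "Fully in place (>85% - 100%)"],
}


def function_of(subcategory: str) -> str:
    """CSF function prefix: 'PR.DS-1' -> 'PR'."""
    return subcategory.split(".", 1)[0]


def gaps(ratings: dict, threshold: int = LEVELS["Largely in place"]) -> list:
    """Subcategories where any column sits below `threshold`, weakest first."""
    found = []
    for sub, cells in ratings.items():
        levels = [parse_band(c) for c in cells]
        if min(levels) < threshold:
            found.append((sub, levels))
    return sorted(found, key=lambda t: (min(t[1]), t[0]))


def function_floor(ratings: dict) -> dict:
    """Lowest band observed per CSF function across all three columns."""
    floor = defaultdict(lambda: LEVELS["Fully in place"])
    for sub, cells in ratings.items():
        fn = function_of(sub)
        floor[fn] = min(floor[fn], *(parse_band(c) for c in cells))
    return dict(floor)


def divergent(ratings: dict, spread: int = 2) -> list:
    """Rows where the columns differ by `spread` or more bands (worth a second look)."""
    out = []
    for sub, cells in ratings.items():
        levels = [parse_band(c) for c in cells]
        if max(levels) - min(levels) >= spread:
            out.append(sub)
    return sorted(out)


if __name__ == "__main__":
    for sub, levels in gaps(RATINGS):
        print(f"{sub:9s} {[BAND_NAMES[l] for l in levels]}")
    print("weakest band per function:", function_floor(RATINGS))
    print("columns disagree by 2+ bands:", divergent(RATINGS))
```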
Appendix E International Practice
In developing its approach to data protection and the smart metering solution design,
the CRU has continued to monitor smart metering developments in other countries,
in particular in European Member States. In 2014 the European Commission issued a
"COMMISSION STAFF WORKING DOCUMENT / Country fiches for electricity smart
metering"[35], providing an overview of the smart metering approaches taken by the
Member States. Below are a few examples:
Estonia: Smart metering was deployed in Estonia by 2017 to all customers
(~700,000), and a central data hub is already in use. According to the national
Electricity Market Act and Natural Gas Act, all smart meters were to be installed by 1st
of January 2017 for electricity and 1st of January 2020 for gas. The
deployment is mandatory for all consumers (for gas, only if consumption is higher than 750
m³/year). A central data hub, administered by Elering as an independent transmission
system operator, is in operation:
• To manage the central exchange of electricity metering data between market
participants;
• To support the process of changing electricity suppliers in the market;
• To archive the metering data of electricity consumption.
The Estonian Data Hub system is a software/hardware solution managed by the DSO.
User access to the Estonian Data Hub is granted to grid operators, open suppliers and
line operators operating in Estonia. Market participants are encoded, as are the
measuring points that measure electricity flows between participants. The encoding defines
the market participants' rights, as well as the supply chains.
Through the data hub web portal, all parties have access to their own consumption
volume measurement data (remotely readable in one-hour increments). The data hub
system ensures principles of equal treatment. The network operator must ensure
measurement, collection, control and accuracy of measurement data.
The Netherlands (advanced consumer services): By the end of 2017, smart
metering systems had been rolled out (on the basis of the original timeline
2015 – 2020) to over 50 % of all users. Only 11 % of the users have declined
the smart meter, while 2 % asked to deactivate the communication. The roll-
out is mandatory with an opt-out option. In the Netherlands, the DSOs are
responsible for the roll-out and for communication with the smart meter.
Germany: Putting a high emphasis[36] on standardisation and security, the German
smart metering approach is based on two major components: Smart Meters, and
Smart Meter Gateways (SMGWs), whereby the combination of both is referred to as a
Smart Metering System ("Intelligentes Messsystem"). In Germany, starting in 2017,
large consumers with average annual consumption in excess of 10,000 kWh were
required to install smart meters. This threshold will be lowered to 6,000 kWh in 2020,
which applies to approximately 15% of electricity consumers. According to the German
Metering Point Operation Law ("Messstellenbetriebsgesetz", MsbG) the installation of
SMGWs follows a stepwise roll-out plan, ultimately making it compulsory for
consumers above 6000 kWh/year, or for consumers with renewable feed-in above
7 kW peak. For consumers falling below these thresholds, the SMGW is optional and,
hence, so is the option to communicate automatically. The grace period between 2017
and 2020 allows grid operators and third parties to learn from early adopters and
mitigate any issues realised during the initial large consumer roll-out.
Smart Meter Gateways: SMGWs act as an intermediary between the following three
network areas, through which they are connected to other devices and stakeholders:
• Home Area Network (HAN): This network area is for the communication
between the SMGW and Controllable Local Systems (CLSs) such as
controllable devices or EMSs.
• Local Metrological Network (LMN): This network area is for the
communication between the SMGW and Smart Meters.
• Wide Area Network (WAN): This network area is for the communication
between the SMGW, the associated EMPs and the SMGW Administrator.
SMGW Administrators are defined as trustworthy entities that are able to manage the
encrypted and authenticated transport channels the SMGW uses to communicate with
endpoints in the above network areas, relying on a public key infrastructure (PKI)
operated by the German Federal Office for Information Security ("Bundesamt für
Sicherheit in der Informationstechnik", BSI).
10 data-privacy safeguards in Germany[37]: The commissioners for data privacy for the
Federation and the Länder have set out specific requirements around smart metering.
The draft legislation that is now on the table fully meets all of these requirements:
• Without explicit approval by the consumer, all data-gathering and use is
restricted to the bare minimum required for the energy system to work.
• The intervals at which the meter is read have been designed to be long
enough to prevent any conclusions being drawn about user habits.
• No data will be transmitted unless it has been anonymised, pseudonymised,
or aggregated.
• Data will be processed in situ, right on the consumer's premises.
• Energy data will be passed on to as few parties as possible.
• It will be mandatory for data to be deleted within specified time periods
(without prejudice to the applicable metering and calibration rules, all
personal metering data must be deleted as soon as storage of this data is no
longer required for the purpose for which it has been supplied).
• Consumers will be able to monitor and verify all communications and
processing steps at all times.
• It will be easy for consumers to enforce their right to object and to have data
deleted or corrected.
• Consumers will still be able to choose the tariff that suits them best. The new
law will not limit end consumers' right to select a tariff of their own choice.
• Smart meters cannot be accessed freely by outsiders. Access is regulated by
means of clearly defined profiles.