
Page 1: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020

An Coimisiún um Rialáil Fóntais / Commission for Regulation of Utilities

Information Paper

Reference: CRU20111 Date Published: 12/10/2020 Closing Date: N/A

CRU Data Access Paper

National Smart Metering Programme

www.cru.ie


CRU Mission Statement

The CRU’s mission is to protect the public interest in Water, Energy and Energy Safety.

The CRU is guided by four strategic priorities that sit alongside the core activities we undertake to deliver on the public interest. These are:

• Deliver sustainable low-carbon solutions with well-regulated markets and networks

• Ensure compliance and accountability through best regulatory practice

• Develop effective communications to support customers and the regulatory process

• Foster and maintain a high-performance culture and organisation to achieve our vision

Further information on the CRU’s role and relevant legislation can be found on the CRU’s website at www.cru.ie


Executive Summary

This paper sets out the approach, methodology and results of the Data Protection Impact Assessment (DPIA) and Cyber Security Technical Readiness Assessment of retail electricity market participants for the National Smart Metering Programme (NSMP) which were carried out by Gemserv in March 2020 on behalf of the CRU.

Smart meters are the next generation of energy meters, replacing older analogue meters which, when fully operational, will deliver benefits for consumers, the environment and the economy. The NSMP involves the nation-wide replacement of over two million gas and electricity meters over a six-year period. The smart meter upgrade will transform how consumption is measured, managed and paid for.

The High-Level Design (‘HLD’) for the NSMP was approved in 2014¹ and this was revised in 2017² to allow for a phased roll-out over three phases. Phase 1 includes the initial installation of 250,000 meters over 2019-2020. From 2020, the rate of installation of smart meters will increase significantly as approximately 500,000 smart meters will be installed in each of the four subsequent years, which covers Phase 2 and Phase 3. The allocation of smart meters during all three phases will be across all customers through the ESB Networks (ESBN) installation plan.

The CRU has been designated as the Competent Authority for the rollout of the NSMP under S.I. No. 426 of 2014³ which gives effect to Directive 2012/27/EU of the European Parliament and of the Council of 25 October 2012. This provides the CRU with the necessary legal provisions to support and roll out the smart metering programme. Article 19 (b) of S.I. No. 426 of 2014 places a specific obligation on the CRU to ensure:

¹ CER National Smart Metering Programme Smart Metering High Level Design Decision Paper, CER/14/046 of 14th October 2014
² Information Paper on the Update on the Smart Meter Upgrade, CER/17/279 of 21st September 2017
³ Statutory Instrument 426 of 2014 http://www.irishstatutebook.ie/eli/2014/si


“the security of the smart metering systems and data communication, and the privacy of final customers, is in compliance with relevant European Union data protection and privacy legislation”.

As such, although the CRU is not involved in any processing of customers’ personal data, the CRU has overall responsibility for overseeing the delivery of the NSMP and ensuring the programme is developed and implemented in a manner that is compliant with relevant European Union data protection and privacy legislation in line with S.I. No. 426 of 2014.

In 2013, the CRU undertook an interim Privacy Impact Assessment⁴ of the NSMP which set out the data protection risks and plans to address those risks. Following this, the CRU held meetings with market participants and the Data Protection Commission (DPC) to discuss various data protection challenges, in particular the appropriate legal grounds for the processing of Interval Data. As a result of these discussions, in the Information Paper of 2015⁵, the CRU set out its approach that obtaining the customers’ consent is the preferred grounds on which granular data from smart meters is processed.

Since then, the General Data Protection Regulation 2016 (GDPR)⁶ has entered into force in Ireland, complemented by the Data Protection Act 2018. Under Article 35 of GDPR and the DPC’s Guide to Data Protection Impact Assessments⁷, a DPIA is a mandatory assessment for any high-risk processing project. A DPIA must be undertaken prior to the processing of personal data and as early as practical in the design of processing operations. A DPIA helps to identify and assess data protection risks and make informed decisions about the acceptability of those risks. The focus of a DPIA is on the potential harm to the rights and freedoms of individuals and the data protection compliance requirements.

⁴ Prior to the entry into force of GDPR in May 2018, ‘Privacy Impact Assessment’ was a commonly used term for such an assessment.
⁵ National Smart Metering Programme on Data Access and Privacy Information Paper 2015
⁶ Regulation (EU) 2016/679
⁷ Data Protection Commission's Guide to Data Protection Impact Assessments


In March 2020, Gemserv (on behalf of the CRU) carried out a DPIA on electricity market participants in line with Phase 1 of the NSMP. The DPIA identified, analysed and assessed risks under Use Cases relevant to the project. The following nine Use Cases were identified based on the use of personal data in the business processes, regulatory requirements and underlying technologies:

• Data Protection Governance and Accountability

• Data Processing Transparency

• Data Processing Purposes and Legal Grounds

• Customer Enrolment

• Smart Meter Connection and Service Commencement

• Smart Meter Data Use

• Data Subjects' Rights

• Data Storage and Security

• Management of Data Breaches

The main stakeholders involved in the NSMP data processing operations are:

• ESBN, which provides technical facilitation of smart meter set up, configuration, energy supply and communication of market messages with energy suppliers;

• Energy suppliers that supply energy to customers by offering smart meter services;

• Service providers that will be contracted to supply a range of services to ESBN and energy suppliers.

The DPIA assessed how customers targeted for Phase 1 smart meter replacement will be identified and contacted to facilitate new and proactive customer enrolment, manage customer appointments and installation, as well as customer feedback and complaints. The personal data in question relates to meter data, contact data, photos, customer feedback and complaints.

Overall, two-thirds of suppliers, whose customer numbers equate to approximately 90% of market share, provided detailed responses. One-third of suppliers, whose customer numbers equate to approximately 10% of market share, provided responses which Gemserv considered to be inadequate. The Network Operator (ESBN) provided a detailed response with supporting evidence.

In addition to the DPIA, the CRU requires assurance that both ESBN and suppliers are upgrading their IT systems in adherence to security requirements which are in line with best practice internationally.

Taking this into account, Gemserv commenced an assessment of the approach to information/cyber security being implemented by both ESBN and suppliers. This was also carried out in March 2020. The objective of this assessment was to establish the current degree of maturity surrounding the implementation of information security practices within relevant organisations. Questions sought to establish the current approach against the requirements of the following:

1. National Information Security (NIS) Compliance Guidelines for Operators of Essential Services published by the Department of Communications, Climate Action & Environment dated January 2019; and

2. Best Available Techniques Reference Document for the cyber-security and privacy of the 10 minimum functional requirements of the Smart Metering Systems published by the European Commission.

The Cyber Security Technical Readiness Assessment did not highlight any significant concerns with the security of the smart metering infrastructure or security approach being deployed by market participants. Gemserv noted a difference in the quality of responses to the information/cyber security questionnaires; the Network Operator’s response was considered comprehensive with supporting evidence while some suppliers did not provide the same level of detail. Gemserv also noted that in their view the suppliers (large and small) were overly confident in their responses, as some did not provide maturity ratings, supporting evidence or direct answers to some questions.

It is important to highlight that the DPIA and Cyber Security Technical Readiness Assessment are only one element of the overall readiness assessments which are being conducted as part of the delivery of the programme. A more in-depth assessment of individual supplier readiness to complete the Version 13 software update is being examined in parallel by Gemserv on behalf of the Retail Market Design Service (RMDS)⁸. Version 13 is the next suite of market changes which will be implemented in December 2020; this system upgrade will enable the provision of smart services such as time of use tariffs to Irish customers. The assurance process requires market participants to undertake two Self-Assessment phases. Both of these consist of completing a comprehensive participant questionnaire with supporting evidence. Phase 1 assessments are used to gauge awareness and readiness (early in the assurance process); Phase 2 assessments are completed (later in the assurance process) to assess capability for implementation. Phase 1 was completed in Q4 2019 and the assessment report was approved by the CRU in Q1 2020. Phase 2 assessment commenced in Q2 2020; the CRU approved the report in July 2020. The next stage of the assurance process will be the Inter Participant Testing (IPT)⁹ Stage. IPT for Market Participants will begin in October 2020. The CRU will consider the outcome of this exercise before giving final approval for the Version 13 update in December 2020.

Although the DPIA and the Cyber Security Technical Readiness Assessment have uncovered some challenges, the exercises raise awareness among market participants of their obligations in line with the NSMP.¹⁰ The CRU will continue to engage with the Network Operator, suppliers, stakeholders, the National Cyber Security Centre (NCSC) and the DPC based on the results of the assessments.

The CRU will continue to consider the data protection implications of the NSMP as it evolves and moves into the next stages. Maintaining and protecting the privacy of final customers will remain a key consideration in future policy development, and assessments will continue to be based on best practice. In that context, the DPIA should be considered a living document and will be updated in future if necessary.

The CRU has overall responsibility for overseeing the delivery of the NSMP and ensuring the programme is developed and implemented. This sets the context for this programme level assessment and does not remove or dilute the responsibility of market participants to ensure their own compliance with data protection and cyber security requirements.

⁸ The Retail Market Design Service (RMDS) is the “ringfenced” function within ESB Networks responsible for all aspects of the retail electricity market design on behalf of the Commission for Regulation of Utilities.
⁹ IPT is an exercise to gain assurance that the New Supplier can correctly operate the key scenarios that it will meet in the Market using its declared systems, business processes and operational staff within normal, operational conditions.

The DPC is the Irish supervisory authority responsible for monitoring the application of GDPR and is the national competent authority responsible for safeguarding data protection rights. Separately, the NCSC is an operational arm of the Department of Communications, Climate Action and Environment that provides enhanced services to government agencies and critical infrastructure providers to assist them in defending against cyber-borne threats. The NCSC is also designated as the national competent authority for the EU Network and Information Security Directive (NISD)¹¹.

Market participants must satisfy themselves that they have met the requirements of the DPC and NCSC. In this regard ESBN and suppliers will also conduct their own DPIAs of their approach to the technical delivery of the NSMP.

¹¹ EU Network and Information Security Directive


Public Impact Statement

Smart meters are the next generation of energy meters, replacing older analogue meters which, when fully operational, will deliver benefits for consumers, the environment and the economy. The National Smart Metering Programme (NSMP) involves the nation-wide replacement of over two million gas and electricity meters over a six-year period. The smart meter upgrade will transform how consumption is measured, managed and paid for.

The new systems and processes will provide customers with more accurate bills and better and more accessible information about energy use. This upgrade in services will involve a step change in the amount of energy consumption data that will be available to customers, energy network companies and suppliers.

Currently, suppliers are provided with an actual meter read (usually 4 actual meter reads a year) or estimated meter reading(s) every two months and bill their customer on that basis. Suppliers and ESB Networks already hold some types of customers’ personal data such as names, address and meter identification numbers, but smart metering systems will allow for the automatic transfer of electricity consumption data, ranging from providing traditional bimonthly reads to reporting half-hourly consumption every day depending on the customer’s choice. This infrastructure will provide greater flexibility to customers in how they understand and manage their own consumption.

In addition, depending on the amount of data the consumers agree to share with their suppliers, these systems will enable other smart services like various Time of Use Tariffs or Smart Pay as You Go, offering a smart alternative to day & night meters and traditional Pay as You Go meters. Consumers will also have access to their detailed energy consumption information. This information as well as new services will provide consumers with the ability to better understand and manage their energy use, which in turn could lead to them reducing their overall energy consumption and thereby saving money on bills and reducing carbon emissions.

The CRU has an oversight role to ensure that the programme is designed and developed in a way that is compliant with data privacy.


The CRU engaged Gemserv, a technical consultancy with expertise in the energy sector, to carry out a Data Protection Impact Assessment (DPIA) and a Cyber Security Technical Readiness Assessment for the NSMP. This involved assessing the readiness of market participants such as ESB Networks and electricity suppliers who will use the data collected from smart meters to operate in the market and offer services to customers. The Gemserv assessment was completed to provide assurance that the personal data collected from smart meters is being managed and processed lawfully in a manner which both protects energy consumers and enables them to benefit from the national investment in the smart metering infrastructure upgrade. The Cyber Security Technical Readiness Assessment is being carried out to ensure that a sufficiently high level of protection is being applied to minimise the risk of a cyber-attack or unauthorised access to personal data via the smart meter. This is being assessed to ensure that market participants are upgrading their IT systems in line with European security requirements and international best practice to minimise this risk.

This paper outlines the approach, methodology and results of these assessments. A DPIA is a living document and can be updated. The CRU will consider repeating the exercise at the next stages of the NSMP to ensure appropriate levels of security and protection are implemented to maintain the privacy of final customers.

This programme level assessment does not remove or dilute the responsibility of market participants to ensure their own compliance with data protection and cyber security requirements. It is important to highlight that the DPIA and Cyber Security Technical Readiness Assessment are only one element of the overall readiness assessments which are being conducted as part of the delivery of the programme. A more in-depth assessment of individual supplier readiness to complete the Version 13 software update to enable smart services is being examined in parallel by Gemserv on behalf of the Retail Market Design Service (RMDS)¹². Version 13 is a retail market release (system updates) which will enable the provision of Smart Services such as Time of Use Tariffs in January 2021. The CRU will consider the outcome of this exercise before giving final approval for the Version 13 update in December 2020.

¹² The Retail Market Design Service (RMDS) is the “ringfenced” function within ESB Networks responsible for all aspects of the retail electricity market design on behalf of the Commission for Regulation of Utilities.


Table of Contents

1 Introduction .................................................................................................................... 16

1.1 Purpose of this paper .............................................................................................. 16

1.2 Structure of this paper ............................................................................................ 18

2 Data Protection .............................................................................................................. 19

2.1 Background ............................................................................................................. 19

2.2 Data Protection Legal Context ................................................................................ 21

2.3 Data Protection Impact Assessment ...................................................................... 23

2.4 Approach Taken ...................................................................................................... 26

2.5 Overview of Market Participants’ Responses .......................................... 31

3 Cyber Security ................................................................................................................ 40

3.1 Background ............................................................................................................. 40

3.1.1 NIS Compliance Guidelines for Operators of Essential Services ......................... 40

3.1.2 Best available information ................................................................................... 41

3.2 Assessment Approach ............................................................................................ 42

3.3 Programme Overview .............................................................................................. 42

3.4 Cyber Security Technical Readiness ..................................................................... 43

3.4.1 Risk summary and Recommendations ................................................................ 44

4 Next Steps ...................................................................................................................... 50

A Appendix: Data Protection Requirements ................................................................... 51

B Appendix CRU Decisions .............................................................................................. 53

C Appendix Cyber Security Assessment Approach ....................................................... 54

D Appendix Cyber Security Maturity Levels Summary .................................................. 67

E Appendix International Practice ................................................................................... 78


Glossary of Terms and Abbreviations

Abbreviation or Term: Definition or Meaning

Actor means a logical component of a Smart Metering system on which personal data can reside.

Control means any measure or action that modifies Risk (e.g. any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages Risk).

Data Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processing, Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Processor means a natural or legal person, public authority, agency or other body which, alone or jointly with others, processes personal data on behalf of the data controller.

Data Protection Act, DPA means national regulation adopted in the Republic of Ireland in 2018 to complement General Data Protection Regulation requirements.

Data Protection by Default means that service settings must be automatically data protection friendly.

Data Protection by Design means embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.


Data Protection Commission, DPC means an independent public authority established in the Republic of Ireland and responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing.

Data Protection Officer, DPO means a person with expert knowledge of Data Protection law and practices who advises the Data Controller or Data Processor on compliance with the GDPR and monitors internal compliance of the organisation.

Distribution System means the transport of electricity on high-voltage, medium-voltage and low-voltage distribution systems with a view to its delivery to customers, but does not include supply.

Distribution System Operator, DSO means a natural or legal person responsible for operating, ensuring the maintenance of and, if necessary, developing the distribution system in a given area and, where applicable, its interconnections with other systems and for ensuring the long-term ability of the system to meet reasonable demands for the distribution of electricity.

General Data Protection Regulation, GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

Level of Identification means an estimation of how easy it is to identify data subjects with the available data processed by the business process.

Likelihood means an estimation of the possibility for a risk to occur. It essentially depends on the level of exploitable vulnerabilities and on the level of capabilities of the risk sources to exploit them.

Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Prejudicial Effect means an estimation of how much damage would be caused by all the potential impacts of a Threat with reference to the GDPR Requirements applied to each Primary Asset associated to the Threat.

Primary Asset means a set of one or more pieces of personal data allocated on a specific Actor, i.e. on a logical component of the Smart Metering project.

Risk means a hypothetical scenario that describes the Likelihood that a potential Threat that affects directly or indirectly personal data has to occur, and the Severity of the impact that such Threat, if realised, would have on the rights and freedom of natural persons.

Risk Assessment means a process consisting of three steps/levels: (i) risk identification, (ii) risk analysis, and (iii) risk evaluation.

Risk Source means a potential originator of Risks.

Risk Source Capability means an estimation of the capacity of Risk Sources to exploit vulnerabilities of Supporting Assets, taking into account all factors that contribute to such capacity (skills, available time, financial resources, proximity to system, motivation, feeling of impunity, etc.).

Risk Treatment means a Risk modification process that involves selecting and implementing one or more treatment options. Once a Risk Treatment has been implemented, it becomes a Control, or it modifies existing Controls.

Scenario means a possible sequence of interactions within a Use Case, i.e. one of the possible routes in the description of a sequence of steps that compose a Use Case. A Scenario is described as a sequence of activity steps, each of them involving an activity performed by an Actor or other component, or an interaction between components.

Severity means an estimation of the magnitude of potential impacts on the individuals’ privacy and data protection. It essentially depends on the Level of Identification of the Personal Data and the Prejudicial Effect of the potential impacts.

Smart Services includes Time of Use tariffs and smart Pay-As-You-Go.


Smart Metering System means an electronic system that can measure energy consumption, adding more information than a conventional meter, and can transmit and receive data using a form of electronic communication.

Supporting Asset means a physical component upon which an Actor (a logical component where qualified sets of Personal Data reside) relies.

Threat means an event / incident which could cause damage to personal data or the data subject.

Use Case means a specification of a set of actions performed by a system, which yields an observable result that is, typically, a value for one or more Actors or other components of the system. A Use Case description includes the primary Scenario of a Use Case that allows achieving the Use Case goal, and one or more alternative Scenarios covering different routes that may lead to achieving the goal or not.

Version 13 is a retail market release package (system updates) to enable the provision of Smart Services.

Vulnerability means a weakness that can be exploited by one or more Threats.


1 Introduction

1.1 Purpose of this paper

This paper outlines the approach, methodology and results of the Data Protection Impact Assessment and Cyber Security Technical Readiness Assessment of Retail Electricity Market Participants for the National Smart Metering Programme (NSMP) carried out by Gemserv in March 2020.

Any large-scale, transformative project will involve elements of testing the readiness of the participants involved. These are prudent exercises to conduct for the Smart Meter Upgrade in order to:

1. Ensure the meters, communications solution, the Meter Data Management System and Head-End are operating securely in order to make data available to the market;

2. Ensure that electricity suppliers are ready to be able to absorb data from ESBN; and

3. Ensure that suppliers are ready to make smart services available to electricity customers.

The Smart Meter Upgrade project requires technical upgrades to the back-office systems of both ESBN and suppliers to absorb and process smart meter data. The secure installation of smart meters and the upgrade to backend IT systems are significant in order to transmit and process an increased volume of data from the smart meters. Moreover, suppliers will be required to implement changes to billing systems in order to offer new products and services such as time-of-use tariffs to customers. The necessary changes to billing systems to enable this are likely to be technically complex.

In October 2019, in line with best practice, the CRU engaged Gemserv (technical consultants) to carry out a programme level technical readiness assurance assessment on all electricity market participants in line with Phase 1 (2019 – 2020) of the programme. The scope of this work consisted of Gemserv carrying out a DPIA and a Cyber Security Technical Readiness assessment. The purpose of this work was to inform the CRU of market participants’ readiness to deliver Phase 1 in compliance with data protection requirements.

It should be noted that the Data Protection Commission (DPC) is the national competent authority responsible for safeguarding data protection rights. Accordingly, the DPC is the Irish supervisory authority responsible for monitoring the application of GDPR. Separately, the National Cyber Security Centre (NCSC) is an operational arm of the Department of Communications, Climate Action and Environment that provides enhanced services to government agencies and critical infrastructure providers to assist them in defending against cyber-borne threats. The NCSC is also designated as the national competent authority for the EU Network and Information Security Directive (NISD)13. The programme level assessment does not remove or dilute the responsibility of market participants to ensure their own compliance with Data Protection and Cyber Security requirements. In this regard, market participants must be capable of satisfying the requirements of the DPC and the NCSC. As such, ESBN and suppliers will also conduct their own DPIAs of their approach to the technical delivery of the NSMP.

The DPIA and Cyber Security Technical Readiness assessment are only one element of the overall readiness assessments which are being conducted as part of the delivery of the programme. A more in-depth assessment of individual supplier readiness to complete the Version 13 software update is being examined in parallel by Gemserv on behalf of the Retail Market Design Service (RMDS)14. Version 13 is the next suite of market changes, which will be implemented in December 2020; this system upgrade will enable the provision of smart services such as time of use tariffs to Irish customers. The assurance process requires Market Participants to undertake two Self-Assessment phases. Both of these consist of completing a comprehensive participant questionnaire with supporting evidence. Phase 1 assessments are used to gauge awareness and readiness (early in the assurance process); Phase 2 assessments are completed (later in the assurance process) to assess capability for implementation. Phase 1 was completed in Q4 2019 and the assessment report was approved by CRU in Q1 2020. Phase 2 assessment commenced in Q2 2020; the CRU approved the report in July 2020. The next stage of the assurance process will be the Inter Participant Testing (IPT)15 Stage. IPT for Market Participants will begin in October 2020. The CRU will consider the outcome of this exercise before giving final approval for the Version 13 update in December 2020.

13 EU Network and Information Security Directive
14 The Retail Market Design Service (RMDS) is the “ringfenced” function within ESB Networks responsible for all aspects of the retail electricity market design on behalf of the Commission for Regulation of Utilities

1.2 Structure of this paper

Section 2 provides a background on data protection, an overview of the DPIA methodology used and the key risks and recommendations identified;

Section 3 provides an overview of the approach taken to the Cyber Security Assessment and outlines the key risks and recommendations identified;

Section 4 outlines next steps.

15 IPT is an exercise to gain assurance that the New Supplier can correctly operate the key scenarios that it will meet in the Market using its declared systems, business processes and operational staff within normal, operational conditions.


2 Data Protection

2.1 Background

Since 2012, the CRU has been working closely with market participants and has engaged with the Data Protection Commission (‘DPC’) to design the technical and organisational implementation of the NSMP and to address data protection and security concerns.

In the Decision on the National Rollout of Electricity and Gas Smart Metering16, the CRU outlined that detailed consumption data is personal data belonging to customers. This triggered the necessity to ensure that data controllers obtaining detailed information on consumption data (‘Interval Data’) would process it in accordance with data protection principles and the applicable legislation.

In 2013, the CRU established a Data Protection group and undertook an interim Privacy Impact Assessment17 which set out the data protection risks and plans to address those risks. Following this, the CRU held numerous meetings with market participants and the DPC to discuss various data protection challenges, in particular the appropriate legal grounds for the processing of Interval Data. As a result of these discussions, in the Information Paper of 2015, the CRU set out the risks of the Privacy Impact Assessment and the CRU’s response. The 2015 paper also set out the CRU’s approach at the time, that obtaining the customers’ consent is the preferred grounds on which granular data from smart meters is processed18.

The CRU also adopted the following guiding principles for privacy and data protection:

• There should be a persistent and enduring right for customers to change their minds in terms of Interval Data readings by energy suppliers;

• The choices available to customers need to be transparent, simple and straightforward;

• Text or conditions in customer contracts need to be clear and transparent about who data is to be shared with.

16 Decision on the National Rollout of Electricity and Gas Smart Metering 2012
17 Prior to the entry into force of GDPR in May 2018 a ‘Privacy Impact Assessment’ was a commonly used term for such an assessment.
18 This sentence was updated on 12 October 2020.

Moreover, the CRU committed to ensuring the following for the NSMP:

• Data protection by design and default is embedded into the programme;

• Data minimisation principles are respected;

• Customers are made aware of available choices (in terms of the granularity of data collection) that will be available, what benefits these choices will offer, and how these choices can be made (and changed);

• Customers will be able to obtain their personal data in a commonly used and structured format;

• Customers will have the right not to be subject to a measure based on profiling where it legally or significantly affects them.

In line with the aforementioned approach, the CRU and market participants agreed on the NSMP High Level Design (‘HLD’), which supports the flow of Interval Data at half hourly granularity each day, whereby the smart meters capture and return Interval Data to ESBN via an Automated Meter Infrastructure (‘AMI’); ESBN then forwards the data to the energy suppliers on a daily basis; and finally, suppliers process the Interval Data for customer services, such as Time of Use (‘ToU’) billing19, Pay as You Go (‘PAYG’) balance calculation, historical consumption and cost purposes. Additionally, the CRU approved that instead of a central AMI approach, suppliers will use their own infrastructure and will be in charge of providing ToU band and tariff rate information, historical consumption and cost data, as well as PAYG balance to customers. The HLD also set out requirements for ToU tariffs, presentation of customers' energy usage information, and facilitation and provision of PAYG services.

19 ToU billing will offer consumers the ability to use electricity at cheaper times.


In 2017 the delivery plan on HLD was revised to reduce the technical complexity associated with delivering all of the functionality of the HLD at the same time, by delivering the necessary IT upgrades and market changes required to cater for smart metering over 3 phases:

Phase 1 (2019 – 2020) consists of the following milestones:

• Procurement of AMI, communications and deployment services;

• Delivery and facilitation of 250,000 smart electricity meters;

• Completion of system, business and market changes to allow 30-minute Interval Data to flow to suppliers via the Market Systems following the Market Schema Release;

• Offering of smart services such as time-of-use tariffs, smart bills, access to historical consumption information, etc.

Phase 2 (2021 – 2022) foresees delivering the following:

• Delivery and facilitation of an additional 1 million smart meters;

• Provision of smart prepayment (PAYG) services to customers, including remote disconnection and reconnection of supply.

Phase 3 (2023 – 2024) will deliver:

• Roll out of an additional 1 million smart meters;

• Facilitation of customer access to real-time data via the Home Area Network (HAN);

• Availability of gas smart services, made available by facilitating the pairing of the electricity meter with the gas meter.

2.2 Data Protection Legal Context

The CRU has been designated as the Competent Authority for the rollout of the NSMP. S.I. No. 426 of 2014, which gives effect to Directive 2012/27/EU of the European Parliament and of the Council of 25 October 2012, provides the CRU with the necessary legal provisions to support and rollout the smart metering programme. One of the provisions sets out an obligation on the CRU to ensure that:

19. (b) the security of the smart metering systems and data communication, and the privacy of final customers, is in compliance with relevant European Union data protection and privacy legislation.

Under Article 35 of the General Data Protection Regulation (GDPR), implemented in Ireland by the Data Protection Act 201820, and as stated in the Data Protection Commission’s Guide to Data Protection Impact Assessments, DPIAs are mandatory for any high-risk processing project. A DPIA must be undertaken prior to the processing of personal data and as early as practical in the design of processing operations. Although the CRU is not involved in any processing of customers’ personal data, the CRU has overall responsibility for overseeing the delivery of the NSMP and ensuring the programme is developed and implemented in a manner that is compliant with relevant European Union data protection and privacy legislation21.

ESB Networks is required to collect, process and validate metering data in its role as a licensed Distribution System Operator22. Energy suppliers require this metering data to bill customers and to meet their contractual obligations. Energy suppliers are additionally obliged to comply with the Codes of Practice set out under the CRU Supplier Handbook23.

In addition, the European Union (EU) published a comprehensive update of its energy policy framework: the Clean Energy for All Europeans Package (CEP). The CEP contains eight legislative acts, aimed at enabling the EU to transition to cleaner energy and facilitating a 40% reduction in greenhouse gas emission levels by 2030 compared to 1990. The eight legislative acts within the CEP cover a range of actors and stakeholders in the energy sector including Member States, regulatory agencies, network operators and market participants. It is recognised that smart meters will be a key enabler in allowing customers to avail of the measures in the CEP.

20 Regulation (EU) 2016/679
21 Statutory Instrument 426 of 2014 http://www.irishstatutebook.ie/eli/2014/si
22 Refer to Condition 9 Provision of Metering and Data Services ESB Networks DSO Licence
23 CRU Supplier Handbook 2019


Smart Meters are capable of measuring a customer’s electricity import and export and can provide customers with accurate information about their energy usage throughout the day. This will enable customers to be more aware of their energy consumption, make informed decisions about energy saving practices and avail of new products and services which facilitate shifting energy consumption to times of the day when electricity is cheaper.

The CRU has recently published a Call for Evidence on Active Consumers & Jointly Acting Active Consumers under the Clean Energy Package and a Call for Evidence on Energy Communities under the Clean Energy Package. These papers aim to establish a regulatory framework to enable customers to be more active in the energy market.

2.3 Data Protection Impact Assessment

A DPIA helps to identify and assess data protection risks and to make informed decisions about the acceptability of those risks. The focus of a DPIA is on the potential harm to the rights and freedoms of individuals and on data protection compliance requirements.

The DPIA identified, analysed and assessed risks under Use Cases relevant to the project. The following nine Use Cases were identified based on the use of personal data in the business processes, regulatory requirements and underlying technologies:

• Data Protection Governance and Accountability

• Data Processing Transparency

• Data Processing Purposes and Legal Grounds

• Customer Enrolment

• Smart Meter Connection and Service Commencement

• Smart Meter Data Use

• Data Subjects' Rights

• Data Storage and Security

• Management of Data Breaches


The main stakeholders involved in the NSMP data processing operations are:

• ESBN, which provides technical facilitation of smart meter set up, configuration, energy supply and communication of market messages with energy suppliers;

• Energy suppliers that supply energy to customers by offering smart meter services;

• Service providers that will be contracted to supply a range of services to ESBN and energy suppliers.

The NSMP envisages the following data processing framework:

1. The project will start with the installation of smart meters at customer premises. ESBN together with contractors will undertake these activities, which will trigger the processing of customer contact details and smart meter data. Energy suppliers will be involved in referring customers willing to have smart meters to ESBN and will receive the follow up information required for the activation of smart meter services.

2. The project will introduce the processing of Interval Data. This processing will be undertaken by means of market messages from ESBN to energy suppliers or vice versa depending on the business operation. Market messages will include the following identifiers: MPRN, Meter ID, Meter Category, Serial Number, Meter Register Sequence, Timeslot, Register Type, Read Type, Read Date, Read Reason, Metering Interval, Reading Value, Interval Period Timestamp, Interval Status, DUoS Billing Frequency Code, DUoS Billing Cycle.

The processing of Interval Data will function in the following order:

• Smart meters, installed at customer premises, will capture Interval Data at half hourly granularity each day.

• Smart meters will communicate this data to ESBN via an Automated Meter Infrastructure (‘AMI’).

• ESBN will forward the Interval Data to energy suppliers on a daily basis, if customers opt-in24 for such service. Otherwise the register reads will be provided on a bi-monthly basis.

• Suppliers will be able to process this data for customer services, such as Time of Use (‘ToU’) billing, Pay as You Go (‘PAYG’) balance calculation, historical consumption, cost and other purposes, by using their own infrastructure.

• ESBN will only facilitate supplier access to interval data where a customer has subscribed to the relevant Time-of-Use tariff. Information stored on the smart meter can only be accessed if the correct encryption keys are possessed by the party seeking to access it. Further information on the protections and approach ESBN will implement is provided in its DPIA which is available here.

The DPIA assessed how customers targeted for Phase 1 smart meter replacement will be identified and contacted to facilitate new and proactive customer enrolment, manage customer appointments and installation, as well as customer feedback and complaints. The personal data in question relates to meter data, contact data, photos, customer feedback and complaints. The DPIA also assessed market participants’ readiness for all the steps above, taking into account the practices already in place in the other EU-27 countries and the UK. In developing its approach to data protection and the smart metering solution design, the CRU has continued to monitor developments in smart metering in other countries, in particular in European Member States. Further details are provided in Appendix E.

24 Prior to the introduction of the GDPR in 2018 the NSMP envisaged an ‘opt-out’ approach for interval data. The programme has since adopted an ‘opt-in’ approach for interval data and this is reflected in the policy framework.


2.4 Approach Taken

The DPIA was structured using the Smart Grid Task Force DPIA Template25, along with the DPIA requirements stemming from the DPC26 and European Data Protection Board27 (‘EDPB’) guidance on DPIAs.

The flowchart below presents the overview of the DPIA workflow applied for this project.

[Flowchart: DPIA workflow]
Stage 1: Initiation
  1.1 Scope Definition
  1.2 Pre-assessment
  1.3 Engagement with Stakeholders
Stage 2: Analysis of Use Cases
  2.1 Characterisation of Use Cases
  2.2 Characterisation of Primary Assets
Stage 3: Assessment of Risks
  3.1 Assessment of Threats and Risks
  3.2 Assessment of Severity
  3.3 Assessment of Likelihood
  3.4 Assessment of Final Risk Level
Stage 4: Management of Risks and Final Resolution
  4.1 Characterisation of Risk Treatment Requirements
  4.2 Characterisation of Suggested Controls
  4.3 Final Resolution

At Stage 1: Initiation, the scope of the DPIA is determined and the project attributes relevant for data protection and security are identified. The market participants and their dedicated teams who were expected to provide relevant information in response to the Data Protection Readiness Assessment Questionnaire and Information Security Assessment Questionnaire were identified. The Market Participants’ responses to these questionnaires were assessed for the purpose of composing the DPIA.

25 Smart Grid Task Force Expert Group 2 Data Protection Impact Assessment Template for Smart Grid and Smart Metering systems v. 2 of 13th September 2018 https://ec.europa.eu/energy/sites/ener/files/documents/dpia_for_publication_2018.pdf
26 Data Protection Commission Guide to Data Protection Impact Assessments (DPIAs), October 2019
27 European Data Protection Board Guidelines WP 248 rev.01 “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679”, 4 October 2017

A pre-assessment check to evidence a mandatory requirement for conducting a DPIA was performed, in accordance with the documentation referenced above. From this assessment, it was established that the project raises high risks to the rights and freedoms of customers and requires a DPIA. More specifically, the NSMP involves:

• the use of new technologies which are likely to result in high risks to the rights and freedoms of customers;

• automated decision making, including profiling (to the extent relevant to energy suppliers intending to use such technologies);

• profiling of vulnerable individuals to target marketing at them (to the extent relevant to suppliers intending to use such technologies);

• use of profiling or algorithmic means as an element to determine access to services or that results in legal or similar significant effects (to the extent relevant to suppliers intending to use such technologies);

• systematic monitoring of customer behaviour;

• combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of customers (to the extent relevant to suppliers intending to use such technologies);

• processing at a large scale;

• processing of sensitive category or highly sensitive data, including detailed household consumption data; and

• processing that prevents customers from using a service or a contract.

At Stage 2: Analysis of Use Cases, nine Use Cases representing the use of personal information, or organisational and technical requirements for such use, in business operations relevant to the NSMP were identified. The Use Case classification relies on the methodology provided in the Smart Grid Coordination Group First Set of Standards28.

At Stage 3: Assessment of Risks, Threats affecting qualified sets of personal data and data processing were identified, taking into account the latest available threat landscape information from the European Union Agency for Cyber Security (ENISA), in particular the ENISA Threat Taxonomy29. The Threats were presented with risk sources, altogether indicating risks for each Use Case and their data assets. The risk levels were assigned by weighting the severity of impact the threat category would have on the rights and freedoms of individuals and the likelihood of these threats becoming real. Depending on the risk level, risk priorities have been calculated and assigned following the scale below:

28 CEN-CENELEC-ETSI Smart Grid Coordination Group First Set of Standards, November 2012
29 https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view

1. Risks with a maximum/significant Severity and Likelihood: these risks must be absolutely avoided or reduced by implementing controls that reduce both their Severity and their Likelihood. Ideally, care should even be taken to ensure that they are treated by independent controls of prevention (actions taken prior to a damaging event), protection (actions taken during a damaging event) and recovery (actions taken after a damaging event).

2. Risks with a maximum/significant/moderate Severity but a negligible/limited/moderate Likelihood: these risks must be avoided or reduced by implementing controls that reduce both their Severity and their Likelihood. Emphasis must be placed on preventive controls. These risks can be taken, but only if it is shown that it is not possible to reduce their Severity and if their Likelihood is negligible.

3. Risks with a negligible/limited Severity but a maximum/significant/moderate Likelihood, and risks with a negligible/limited/moderate Severity but a maximum/significant Likelihood: these risks must be reduced by implementing controls that reduce their Likelihood. Emphasis must be placed on recovery controls. These risks can be taken, but only if it is shown that it is not possible to reduce their Likelihood and if their Severity is negligible.

4. Risks with a negligible/limited Severity and Likelihood: it should be possible to take these risks, especially since the treatment of other risks should also lead to their treatment.


This scale can be represented as the heat map below (rows: Severity; columns: Likelihood; cell value: risk priority 1 to 4):

Severity \ Likelihood   1 – Negligible   2 – Limited   3 – Moderate   4 – Significant   5 – Maximum
5 – Maximum                   2               2              2               1                1
4 – Significant               2               2              2               1                1
3 – Moderate                  2               2              2               3                3
2 – Limited                   4               4              3               3                3
1 – Negligible                4               4              3               3                3
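The four-rule scale and the heat map above are two presentations of the same mapping. The Python below, added here as an illustration and not part of the CRU paper or Gemserv's assessment, transcribes the four rules, checks that they reproduce the printed heat map cell for cell, and ranks a constructed sample risk register; the `Level` enum, the function names and the sample entries are assumptions.

```python
"""Risk-priority scale from the NSMP DPIA, transcribed as code.

Added illustration; not from the CRU paper or Gemserv's assessment.
The Level enum, rule groupings and sample register are assumptions.
"""
from enum import IntEnum


class Level(IntEnum):
    """Five-point scale the paper uses for both Severity and Likelihood."""
    NEGLIGIBLE = 1
    LIMITED = 2
    MODERATE = 3
    SIGNIFICANT = 4
    MAXIMUM = 5


# Groupings named in the four rules of the scale.
HIGH = {Level.SIGNIFICANT, Level.MAXIMUM}       # "maximum/significant"
HIGH_MID = HIGH | {Level.MODERATE}              # "maximum/significant/moderate"
LOW = {Level.NEGLIGIBLE, Level.LIMITED}         # "negligible/limited"
LOW_MID = LOW | {Level.MODERATE}                # "negligible/limited/moderate"


def risk_priority(severity: Level, likelihood: Level) -> int:
    """Return the priority (1 = most urgent, 4 = least) for one risk.

    Each branch is one of the four rules in the paper's scale, tried in order.
    """
    if severity in HIGH and likelihood in HIGH:
        return 1  # rule 1: reduce both Severity and Likelihood
    if severity in HIGH_MID and likelihood in LOW_MID:
        return 2  # rule 2: emphasis on preventive controls
    if (severity in LOW and likelihood in HIGH_MID) or (
            severity in LOW_MID and likelihood in HIGH):
        return 3  # rule 3: reduce Likelihood, emphasis on recovery controls
    if severity in LOW and likelihood in LOW:
        return 4  # rule 4: may be taken
    raise ValueError(f"no rule covers severity={severity!r}, likelihood={likelihood!r}")


# Heat map as printed in the paper: rows are Severity 5..1, columns Likelihood 1..5.
PAPER_HEAT_MAP = {
    Level.MAXIMUM:     (2, 2, 2, 1, 1),
    Level.SIGNIFICANT: (2, 2, 2, 1, 1),
    Level.MODERATE:    (2, 2, 2, 3, 3),
    Level.LIMITED:     (4, 4, 3, 3, 3),
    Level.NEGLIGIBLE:  (4, 4, 3, 3, 3),
}


def derived_heat_map() -> dict:
    """Build the full 5x5 grid from the rules alone (columns in Likelihood order 1..5)."""
    return {sev: tuple(risk_priority(sev, lik) for lik in Level) for sev in Level}


def rules_match_paper() -> bool:
    """True when the four rules reproduce the printed heat map cell for cell."""
    return derived_heat_map() == PAPER_HEAT_MAP


# Constructed sample register (placeholder IDs, not the paper's risk IDs).
SAMPLE_REGISTER = [
    ("RSK-EX-01", "Interval Data sent to a supplier without a ToU subscription",
     Level.SIGNIFICANT, Level.LIMITED),
    ("RSK-EX-02", "Installer photo retained longer than needed",
     Level.LIMITED, Level.MODERATE),
    ("RSK-EX-03", "Meter encryption keys stored alongside exported meter data",
     Level.MAXIMUM, Level.SIGNIFICANT),
    ("RSK-EX-04", "Typo in a customer-facing tariff leaflet",
     Level.NEGLIGIBLE, Level.LIMITED),
]


def prioritise(register):
    """Attach a priority to each register entry and sort most urgent first."""
    scored = [(rid, desc, risk_priority(sev, lik)) for rid, desc, sev, lik in register]
    return sorted(scored, key=lambda entry: entry[2])


if __name__ == "__main__":
    assert rules_match_paper(), "rules disagree with the printed heat map"
    for rid, desc, prio in prioritise(SAMPLE_REGISTER):
        print(f"priority {prio}: {rid} {desc}")
```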

At Stage 4: Management of Risks and Final Resolution, suggested controls are identified in order to inform solutions to address the risks. The final part of the DPIA consists of recording the ‘risk treatment’ and its justification. The risk treatment may be one of the following:

Risk Mitigation: The risk has been mitigated by identifying and introducing additional appropriate controls, thereby reducing the risk to acceptable levels;

Risk Managed (accepted): The risk is accepted as it is, without any further action.

Risk Transferred (shared): The risk is shared with a third party, including a market participant, which can manage the risk more effectively and thereby reduce the risk to acceptable levels.

Risk Avoidance: It is decided not to proceed with the project.

2.5 Overview of Market Participants’ Responses

The Data Protection Readiness Assessment Questionnaire was provided to market participants on the 10 December 2019. Organisations were requested to complete and return the Data Protection Questionnaire with supporting evidence by the 17 January 2020. Some of the answers to the Information Security Assessment Questionnaire were also used to complete the DPIA. Gemserv carried out the technical assessment in March 2020.

Overall, two-thirds of suppliers, whose customer numbers equate to approximately 90% of market share, provided detailed responses. One-third of suppliers, whose customer numbers equate to approximately 10% of market share, provided responses which Gemserv considered to be inadequate. The Network Operator (ESBN) provided a detailed response with supporting evidence. The Gemserv assessment was carried out by analysing the responses received.

A Data Protection Impact Assessment is a living document and can be updated. The CRU will consider repeating the exercise at the next stage of the NSMP. A summary of the key risks identified by analysing responses to the questionnaires is detailed below:

CRU-001-RSK-DP-013
Risk Description: Smart Meter installation is undertaken
Priority: 2
Recommendations: Ensuring that clear instructions are defined and followed by installers with respect to them contacting customers, approaching them onsite and taking photos for auditing and validation.
CRU Response: Risk Transferred: Networks must ensure clear instructions are provided to installers.

CRU-001-RSK-DP-014
Risk Description: Customer feedback and complaints
Priority: 2
Recommendations: Ensuring that contact with customers regarding their feedback and surveys is carried out in line with their expectations; making sure that customers are informed about the transfer of their complaints/requests to ESBN for resolution.
CRU Response: Risk Transferred: Networks and Suppliers must manage complaints/requests through their existing customer complaint procedures which are approved by the CRU.

CRU-001-RSK-DP-016
Risk Description: Integration with the AMI and Smart Meter reconfiguration
Priority: 2
Recommendations: Prior to the NSMP roll out, defining legal grounds for this processing operation and taking appropriate measures to establish them as per GDPR or DPA requirements, and informing customers about the Interval Data collection and processing.
CRU Response: Risk Transferred: Networks and Suppliers must collect and process data as per GDPR/DPA requirements. Suppliers will be required to capture the customer's agreement[30] to process their Interval Data. The CRU will consider a national campaign to inform customers of smart meters and the services available.

[30] The Suppliers' obligation to capture their customers' agreement is separate to any obligation the Supplier may have arising from the GDPR or the Data Protection Acts 1988 to 2018. Suppliers must satisfy themselves that they have a legal basis for processing customers' personal data under Article 6(1) of the GDPR. A previous version of this document referred to the Suppliers' requirement to capture customers' 'consent' to process Interval Data. That amendment and this footnote have been added to clarify the intended meaning of this requirement.

CRU-001-RSK-DP-017
Risk Description: Smart meter technical communication feasibility assessment
Priority: 2
Recommendations: Ensuring that legal grounds for this processing operation, as well as the data exchange with energy suppliers, are defined and established as per GDPR or DPA requirements.
CRU Response: Risk Transferred: Networks and Suppliers must collect and process data as per GDPR/DPA requirements.

CRU-001-RSK-DP-018
Risk Description: Service tariff offerings and customer choice of Smart Meter Services
Priority: 1
Recommendations: Ensuring that legal grounds for customer services contract enrolment or update are defined and established as per GDPR or DPA requirements. Ensuring that customers are provided with clear and comprehensive information about the types of available services and what impact on the protection of their private life the choice of services will have due to the processing of Interval Data.
CRU Response: Risk Transferred: Suppliers will be required to capture the customer's agreement[31] to process their Interval Data. Suppliers must ensure that legal grounds for customer services contract enrolment are defined and established as per GDPR or DPA requirements. The CRU will consider a national campaign to inform customers of smart meters and the services available.

CRU-001-RSK-DP-019
Risk Description: Interval Data reads and transmission to energy suppliers
Priority: 1
Recommendations: Ensuring that the required legal grounds for customer data processing are defined and established as per GDPR or DPA requirements. According to the European Data Protection Board (EDPB, formerly the Article 29 Working Party), energy suppliers can only access energy consumption data that is more granular than daily, such as half-hourly data (interval data), when they have collected the customer's prior consent as defined by the GDPR. This position has been enforced in the UK, in France and in the Netherlands.
CRU Response: Risk Transferred: Suppliers will be required to capture the customer's agreement[32] prior to receipt and processing of Interval Data. Suppliers will also be required to update their Terms & Conditions for the product, i.e. an interval tariff. Suppliers must ensure that legal grounds are defined for each new data processing purpose.

CRU-001-RSK-DP-020
Risk Description: Smart Meter Data accuracy
Priority: 2
Recommendations: Ensuring that data quality obligations are respected.
CRU Response: Risk Transferred: ESBN will hold the main responsibility for the accuracy of data under its requirement to manage the network and comply with the DSO licence. All smart meters will be Measuring Instruments Directive (MID) certified, ensuring that the data recorded on them is an accurate reflection of the energy usage in the household. It will be the responsibility of Suppliers to notify ESBN of changes to customer details and report any issues or data inconsistencies through market messages as per BAU.

CRU-001-RSK-DP-022
Risk Description: Consumption calculation, billing and settlements; consumption analysis, determination of future pricing and tariffs; customer profiling and personalised offerings; energy theft or fraud prevention and investigation
Priority: 2
Recommendations: Ensuring that legal grounds for the relevant processing operations are established as per GDPR and DPA requirements, that the personal data is used only for defined purposes and, where it is necessary to deviate from the primary purposes, that additional safeguards are adopted.
CRU Response: Risk Transferred: ESB Networks is required to collect, process and validate metering data in its role as a licensed Distribution System Operator. Energy suppliers require this metering data to bill customers and to meet their contractual obligations. Suppliers are equally obliged under their licences to comply with the Codes of Practice under the CRU Supplier Handbook.

CRU-001-RSK-DP-023
Risk Description: Service providers are involved in the data processing
Priority: 2
Recommendations: Ensuring that adequate data processing agreements and defined instructions to service providers are in place and enforced.
CRU Response: Risk Transferred: ESBN has entered into Framework Agreements with service providers. These agreements establish a Data Controller - Data Processor relationship and set forth data processing instructions for outsourced providers. Networks and Suppliers are expected to ensure that legal grounds for each new data processing purpose are defined.

CRU-001-RSK-DP-024
Risk Description: Customers are able to submit data subjects' requests; internal policies establish response procedures; customers are provided access to personal data (including Interval Data) in a user-friendly format
Priority: 2
Recommendations: Implementing customer access to the HDF considering appropriate security measures for customer authentication, data transmission and an interoperable format among market participants.
CRU Response: Risk Transferred: Suppliers have procedures in place for the response to data subjects' requests as per BAU. Suppliers must ensure appropriate security measures are in place.

CRU-001-RSK-DP-025
Risk Description: The data is stored on company assets
Priority: 2
Recommendations: Reviewing service providers' information security governance when the data is not stored on premises.
CRU Response: Risk Transferred: Suppliers will be expected to review service providers' information security governance when the data is not stored on premises.

[31] Ibid.

[32] Ibid.

CRU-001-RSK-DP-026
Risk Description: Company assets and data flows are mapped, and the physical location of data is recorded
Priority: 2
Recommendations: Requiring energy suppliers to implement all adequate safeguards if using third-party suppliers, such as requiring suppliers to have servers physically located in the EEA, implementing Standard Contractual Clauses or relying on suppliers located in a country deemed adequate by the European Commission. Considering the recent CJEU decision invalidating the EU-U.S. Privacy Shield, personal data should not be transferred to the U.S. without an assessment of whether the recipient falls under U.S. mass surveillance laws.
CRU Response: Risk Transferred: The majority of suppliers have mapped their data flows and store data on their own on-premise servers. Suppliers must ensure adequate safeguards are in place if using third party suppliers.

CRU-001-RSK-DP-027
Risk Description: Internal policies and procedures ensure strong risk management, information security and resilience of the data
Priority: 2
Recommendations: Implementing encryption for data at rest as a default security measure. Systemising annual audits of third parties. Implementing pseudonymisation of records and databases as often as feasible in order to reduce the risk induced from highly identifiable records.
CRU Response: Risk Transferred: Networks and Suppliers are expected to carry out individual DPIAs. Networks and Suppliers must ensure strong risk management and information security measures are in place.

CRU-001-RSK-DP-028
Risk Description: Data is stored only for the relevant retention periods
Priority: 2
Recommendations: Implementing data destruction and retention policies with retention periods proportionate to the purposes and respectful of the data minimisation principle.
CRU Response: Risk Transferred: Networks and Suppliers have data retention policies in place as per BAU.

CRU-001-RSK-DP-029
Risk Description: Data is backed up regularly and incident recovery plans are in place
Priority: 2
Recommendations: Implementing automatic backup processes and regular testing of incident recovery plans.
CRU Response: Risk Mitigated: Networks and Suppliers have automatic back-up systems in place as per BAU.

CRU-001-RSK-DP-030
Risk Description: Smart Meter Data from the meter to ESBN is transferred in a secured manner
Priority: 2
Recommendations: Implementing encryption for data at rest as a default security measure.
CRU Response: Risk Transferred: Networks must ensure that data is transferred in a secure manner.

CRU-001-RSK-DP-031
Risk Description: Smart Meter Data from ESBN to energy suppliers is transferred in a secured manner
Priority: 2
Recommendations: Implementing encryption for data sent by ESBN to energy suppliers.
CRU Response: Risk Transferred: ESBN must ensure that data sent to energy suppliers is transferred in a secure manner.

CRU-001-RSK-DP-032
Risk Description: Incident detection measures are implemented across all systems and the network is protected and monitored against unauthorised access
Priority: 2
Recommendations: Requiring market participants through contractual arrangements to implement incident detection measures across all systems and to protect and monitor their network against unauthorised access.
CRU Response: Risk Transferred: Networks and Suppliers are expected to carry out individual DPIAs. Networks and Suppliers must ensure appropriate measures are put in place to ensure all systems are protected against unauthorised access.

CRU-001-RSK-DP-033
Risk Description: Internal policies establishing potential incident discovery, investigation, assessment and mitigation
Priority: 2
Recommendations: Requiring market participants through contractual arrangements to implement internal policies establishing potential incident discovery, investigation, assessment and mitigation.
CRU Response: Risk Transferred: Networks and Suppliers are expected to carry out individual DPIAs. Networks and Suppliers must ensure appropriate internal policies are in place.

CRU-001-RSK-DP-034
Risk Description: Internal policies establishing notification procedures to competent public bodies, controllers, data subjects and other relevant stakeholders
Priority: 2
Recommendations: Requiring market participants through contractual arrangements to implement internal policies establishing notification procedures to competent public bodies, controllers, data subjects and other relevant stakeholders.
CRU Response: Risk Transferred: Networks and Suppliers are expected to carry out individual DPIAs. Networks and Suppliers must ensure robust notification procedures are in place.


3 Cyber Security

3.1 Background

The technical readiness assurance for the NSMP included an assessment of the approach to information/cyber security being implemented by both ESBN and suppliers. The information/cyber security assessment aimed to establish the current

degree of maturity surrounding the implementation of information security practices

within relevant organisations. Questions sought to establish the current approach

against the requirements of the following:

1. NIS Compliance Guidelines for Operators of Essential Services published by

the Department of Communications, Climate Action & Environment dated

January 2019; and

2. Best Available Techniques Reference Document for the cyber-security and

privacy of the 10 minimum functional requirements of the Smart Metering

Systems published by the European Commission.

3.1.1 NIS Compliance Guidelines for Operators of Essential Services

On 6th July 2016, the European Union formally adopted Directive (EU) 2016/1148

concerning measures for a high common level of security of network and information

systems across the Union (the NIS Directive). The main objective of the NIS

Directive is to ensure that there is a common high-level security of network and

information systems across Member States and as such, it requires Member States

to take several significant measures regarding cyber security. The Directive was formally transposed into Irish legislation under the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. 360 of 2018)[2] (the 'NIS Regulations') on 18th Sept 2018. As noted above, the NCSC is the national competent authority for the purposes of this Directive.

In January 2019, the NCSC published guidelines for Operators of Essential Services

(OES) to assist them in complying with the Regulations. Although the CRU accepts


that only a subset of market participants have been designated as an OES[33], the

compliance guidelines established by the NCSC provide a common ‘best practice’

framework against which the readiness of the NSMP can be established.

The CRU considers that applying this standard to all market participants sets a very

high bar for assessment. Given the potential harm from a cyber attack this was

considered prudent and most respondents performed well when assessed on this

basis.

3.1.2 Best available information

The European Commission Recommendation 2012/148/EU on preparations for the

roll-out of smart metering systems states that, “in order to mitigate the risks on

personal data and security, Member States, in collaboration with industry, the

Commission and other stakeholders, should support the determination of best

available techniques for each common minimum functional requirement listed in

point 42 of the Recommendation”.

The Commission Recommendation of 9 March 2012 on preparations for the roll-out

of smart metering systems (number 2012/148/EU), defines a set of minimum

functional requirements that every smart metering system should fulfil, taking into

consideration aspects regarding:

• The customer

• The metering operator

• The commercial aspects of the energy supply

• Security and data protection

• Distributed generation

The readiness assessment has matched each applicable best technique to the

relevant compliance guideline for NIS as described in the assessment approach

section.

[33] Energy suppliers who own and operate power plants have been designated as operators of essential services.

3.2 Assessment Approach

The assessment questionnaires combined the guidelines for OES detailed by the

NCSC and the relevant techniques identified by Recommendation 2012/148/EU. Not

all NIS Guidelines have associated techniques. The guidelines and techniques

selected are detailed in Appendix C.

In responding to questions asking the market participant to detail how they are implementing a guideline, respondents were requested to complete their evaluation of how effectively the guideline is currently implemented, selecting the most representative maturity level and corresponding RAG rating from the following:

• Fully in place (>85% - 100%)

• Largely in place (>50% - 85%)

• Partially in place (>15% - 50%)

• Not in place (0-15%)

In completing their response participants were asked to substantiate the response by

providing supporting evidence. Both the questionnaires and the supporting evidence

were uploaded by the participant to an organisation specific secure workplace on

Gemserv’s Huddle document repository.

In preparation of the assessment, Gemserv identified the market participants who

were expected to provide relevant information in response to the Information Security

Assessment Questionnaire. Responses were received from the network operator

(ESBN) and suppliers.

3.3 Programme Overview

The responses from market participants were analysed and a collective rating assigned where there was more than one participant in a category. As there was only one network participant, the rating for network is unadjusted from the participant's submission.

The information/cyber security assessment did not highlight any significant concerns

with the security of the smart metering infrastructure or security approach being

deployed by market participants. In compiling the overview of responses, more

specifically Gemserv noted that:

• The response for network operator (ESBN) was comprehensive with

supporting evidence to substantiate the ratings. The rating summary for the

network operator reflects the increased complexity of cyber security

operations and provides confidence in the accuracy of the ratings.

• The responses for large suppliers were summarised. Most large suppliers provided supporting evidence and the majority indicated 'Fully in place' for all questions. Several large suppliers failed to provide maturity ratings or failed to answer all questions, which has impacted the overall rating.

• The responses for small suppliers were summarised across all small suppliers. Most small suppliers did not provide comprehensive supporting evidence with their responses, which presented a challenge for in-depth analysis by Gemserv.

More broadly, Gemserv noted that in their view the suppliers (large and small) were overly confident in their responses, as some did not provide maturity ratings, supporting evidence or direct answers to some questions.

An overview of the maturity levels identified for network, large suppliers and small

suppliers is outlined in Appendix D.

3.4 Cyber Security Technical Readiness

This section identifies key risks and recommendations surrounding the cyber security

technical readiness of market participants in the NSMP. The risks are based on

trends seen across all responses and consideration of the evidence supplied to

support questionnaire responses. It should be noted that the information/cyber security assessment, unlike the DPIA, does not include a part similar to Stage 4 of the DPIA where a risk treatment and justification is applied. However, the CRU would recommend that market participants adhere to information/cyber security requirements in line with best practice internationally.

In assigning a risk rating for an identified risk the following risk matrix has been

utilised:

3.4.1 Risk summary and Recommendations

CRU-CS-001
Risk: A clear understanding of the technical readiness of market participants cannot be fully ascertained due to incomplete responses and variance in the quality of responses.
Recommendations: The assessment of cyber security readiness should be a standard annual compliance assessment. This will increase familiarity with cyber security practice across those participants who lack dedicated cyber security resource, provide increasingly accurate responses and provide a higher level of confidence in the cyber security stance of the programme.

CRU-CS-002
Risk: The lack of detail and supporting evidence leads to over-confidence in the readiness of market participants to address cyber security issues within the NSMP.
Recommendations: Recommend a post assessment meeting with each participant to include:

a) Briefing on NIS Guidelines (if to be adopted as a best practice)

b) Expectation on responses, detail and supporting evidence

c) Debrief on current submission

d) Validation of responses for those participants who failed to provide adequate detail for the technical readiness. Recommendations for this include:

i. Annual assessment utilising existing questionnaires as a standard component of market assurance. As the questionnaires are already prepared this would not result in significant additional overhead.

ii. The use of onsite assessment in year 2 to validate practice where responses continue to be sub-standard. This is the best solution to uncertainty in the maturity of cyber security practice.

CRU-CS-003
Risk: Lack of access to cyber security expertise and resource creates disparity in the cyber security capability amongst market participants, leading to lack of confidence amongst peer organisations and regulators.
Recommendations: This disparity was not necessarily due to the size of the organisation or its role in the NSMP, i.e. some small suppliers are able to call upon substantial capability and expertise from Group resource whereas several large suppliers clearly struggled with the technical readiness assessment. This issue is influenced by the overall shortage of cyber security skills across the EU (and globally), budgetary concerns and lack of understanding of the complexities of securing operations against rapidly evolving cyber threats. Recommendations include:

a) Adopting the NIS Guidelines as a best practice standard for the NSMP. This will provide a common understanding of cyber security controls and implementation.

b) Promoting industry knowledge sharing, particularly in relation to threats, vulnerabilities and control implementation. This could be done via an NSMP cyber security steering group or committee that works to promote cyber security across the programme and assists those organisations lacking capability in accessing expertise.

CRU-CS-004
Risk: Responsibility for cyber security is outsourced to external service providers, resulting in a lack of clarity within some market participants as to how their services are secured.
Recommendations: Reinforce that the responsibility for cyber security resides with the market participant and that, although the technical implementation of cyber security controls can be outsourced, the organisation remains responsible for establishing policy and ensuring compliance with legal and regulatory requirements. If cyber security is to be included in standard market assurance practice it is recommended that market participants are required to have a clear policy for cyber security and for how they manage external providers.

CRU-CS-005
Risk: There is substantial variance in how market participants manage external parties and the supply chain, leading to the risk of the supply chain compromising cyber controls within the programme.
Recommendations: Require reporting as part of ongoing market assurance to establish that security of the supply chain is implemented across the programme. Examples used in similar scenarios include:

a) Requiring external parties to attest to a recognised standard such as ISO27001 or the NIST suite of controls

b) Third party audit and assessment programmes

CRU-CS-006
Risk: Lack of effective cyber security risk management leading to undetected threats and vulnerabilities compromising the integrity of the programme.
Recommendations: Any further compliance programmes should require disclosure of how threats are analysed and how identified risks are mitigated. Although this information was requested, only a few participants provided evidence as to how risk is managed. Recommend that any failure to provide satisfactory evidence prompts an onsite validation assessment.

CRU-CS-007
Risk: Data at rest is not adequately protected, leading to increased risk of compromise.
Recommendations: The provision of encryption as a protective control for data at rest can be problematic for many organisations. Issues include:

a) Substantial cost overhead for both implementation and maintenance

b) Performance of information systems. When data is stored in encrypted format, speed of access to the data is impacted. For many organisations the risk accepted by not encrypting data at rest is outweighed by the performance gained from not using encryption.

Requiring the use of cryptography to secure data at rest presents a significant challenge to the industry in terms of implementation, management and subsequent performance. A more realistic solution is to take a risk-based approach and utilise other controls to ensure data is secure. This will require:

a) Detailed threat and risk analysis of data at rest, with evidence provided for assurance

b) Robust access control to data tables

c) Network controls to prevent access to stored data from outside the network boundary

d) Personnel screening for those with privileged access to data repositories, particularly for roles such as Database Administrators with access to bulk data

CRU-CS-008
Risk: A lack of general awareness training for cyber security leads to increased vulnerability to the programme from both external and internal threat sources.
Recommendations: Even though larger organisations possess greater access to training resources, there is more that organisations could do to extend training beyond informing personnel of internal policy. This should include awareness of how individuals within the organisation are targeted. Very few successful cyber attacks are 'brute force'; the majority rely on exploiting an authenticated user within the organisation. Ongoing assurance should confirm that organisations include aspects of cyber security such as:

a) Recognising email attacks such as 'phishing'

b) Recognising how attackers use social engineering to target individuals who possess the access credentials they require to facilitate an attack

c) The importance of reporting suspected incidents


4 Next Steps

Although the DPIA and the Cyber Security Technical Readiness assessment have

uncovered some challenges, the exercises raise awareness among market

participants of their obligations in line with the NSMP. The CRU will continue to

engage with the network operator, suppliers, stakeholders, the NCSC and the DPC

based on the results of these assessments.

As noted above, a more in-depth assessment of individual supplier readiness is being examined in parallel by Gemserv on behalf of the RMDS to assess the readiness of suppliers to implement Version 13 changes[34]. This parallel assessment is ongoing, with market participants entering the test phase in October 2020. The CRU approves the assurance reports for the Version 13 assessment and will be asked to give final approval to allow the 'go-live' of Version 13 in December 2020.

The CRU will continue to consider the data protection implications of the NSMP as it

evolves and moves into the next stages. Maintaining and protecting the privacy of final

customers will remain a key consideration in future policy development and

assessments will continue to be based on best practice. In that context, the

programme DPIA should be considered a living document and will be updated in

future if necessary.

[34] Version 13 is a retail market release (system updates) which will enable the provision of Smart Services in January 2021.

A Appendix: Data Protection Requirements

Reference: Provisions

GDPR Article 5: The principles relating to processing of personal data have been fulfilled:

• Purpose limitation

• Data minimisation

• Storage limitation

• Integrity and confidentiality

• Data is accurate and kept up to date

GDPR Article 6: The processing is based on the lawfulness conditions provided by the GDPR

DPA Section 41: The purposes of processing may be changed for the prevention, investigation and detection of criminal offences

GDPR Article 7: Where the processing is based on consent, it is possible to demonstrate that the data subject has consented to processing of his or her personal data

GDPR Article 9: Processing of special categories of personal data is performed adopting all the measures provided by the GDPR

GDPR Articles 13, 14: The controller provided information to the data subject

GDPR Article 15: The right of access by the data subject is guaranteed

GDPR Article 16: The right to rectification is guaranteed

GDPR Article 17: The right to erasure is guaranteed

GDPR Article 18: The right to restriction of processing is guaranteed

GDPR Article 19: Has a notification been sent to the recipients of the personal data when the data subject requested a rectification, erasure or restriction of processing? Is a procedure available?

GDPR Article 20: The right to data portability is guaranteed

GDPR Article 21: The right to object to processing is guaranteed

GDPR Article 22: The right to object to a decision based solely on automated processing, including profiling (if applicable)

GDPR Article 25: Principles of data protection by design and data protection by default are applied

GDPR Article 26: An agreement with any joint controllers is established

GDPR Article 28: The processor has been appointed and provides guarantees to implement appropriate technical and organisational measures and ensure the protection of the rights of the data subjects

GDPR Article 29: Anybody in charge of the processing is acting under the instructions of the controller

GDPR Article 30: Records of processing activities are provided

GDPR Article 32: Security measures have been adopted

GDPR Articles 33, 34: Procedures have been adopted for dealing with data breaches and

notification of breaches to DPA or to the affected individuals (if

applicable)

GDPR Article 35 A pre-existing Data Protection Impact Assessment had already been

done

GDPR Article 36 A Prior Consultation already took place

GDPR Article 37 A DPO has been appointed

GDPR Article 40 Data Controller or Data Processor abides to a Code of Conduct

GDPR Article 42 Data Controller or Data Processor has received certification

GDPR Articles 44-49 Transfer of personal data outside the EU is performed accordingly to

the GDPR provisions

B Appendix CRU Decisions

Ref. No | Document Name
CER/14/046 | CER National Smart Metering Programme Smart Metering High Level Design
CER/15/054 | CER National Smart Metering Programme Smart Pay As You Go
CER/15/139 | CER National Smart Metering Programme Information Paper on Data Access & Privacy
CER/15/270 | CER National Smart Metering Programme Rolling out New Services: Time-of-Use Tariffs
CER/16/124 | CER National Smart Metering Programme Regulating the Transition Activities of Market Participants
CER/16/125 | CER National Smart Metering Programme Empowering & Protecting Customers
CRU/18/084 | Smart Meter Upgrade Standard Smart Tariff Proposed Guideline
CRU/18/233 | Smart Meter Upgrade Customer-Led Transition to Time-of-Use
CRU/19/083 | Smart Meter Upgrade Smart Meter Allocation
CRU/19/112 | Smart Meter Upgrade Allocation of the Residual Error and Profile Removal

C Appendix Cyber Security Assessment Approach

The assessment questionnaires combined the guidelines for OES detailed by the NCSC and the relevant techniques identified by Recommendation 2012/148/EU. Not all NIS Guidelines have associated techniques. The guidelines and techniques selected are detailed below.

NIS Compliance Guideline 10 Functional Requirements, with the associated Techniques (where any) listed beneath each requirement:

ID.AM-1: An up to date record of the physical and virtual devices and systems which underpin the delivery and/or support of each essential service is maintained.
ID.AM-2: An up to date record of the software (information system, database, databus, applications, middleware etc) which underpins the delivery and/or support of each essential service is maintained.
ID.AM-3: Organisational communication and data flows are mapped.
ID.AM-4: External information systems are catalogued.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritised based on their classification, criticality, and business value.
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
ID.BE-1: The organisation’s role in the supply chain is identified and communicated.
ID.BE-2: The organisation’s place in critical infrastructure and its industry sector is identified and communicated.
ID.BE-3: Priorities for organisational mission, objectives, and activities are established and communicated.
ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
ID.BE-5: Resilience requirements to support delivery of critical services are established.
ID.GV-1: Organisational cybersecurity policy is defined, documented and communicated.
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
ID.GV-3: Legal and regulatory requirements regarding cybersecurity obligations are understood and managed.
ID.GV-4: Governance and risk management processes address cybersecurity risks, and ensure their ongoing adequacy and effectiveness.
ID.RA-1: Asset vulnerabilities are identified and documented.
ID.RA-2: Cyber threat (strategic, operational and tactical) and vulnerability information is received from information sharing forums and sources.
ID.RA-3: Threats, both internal and external, are identified and documented.
ID.RA-4: Potential business impacts and likelihoods are identified and documented.
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Risk assessments are dynamic and are updated in light of system or service changes, or changes to the threat environment.
ID.RA-6: Risk responses are identified, prioritised and documented.
ID.RM-1: Risk management processes are established, documented, managed, and agreed to by organisational stakeholders.
ID.RM-2: Organisational risk tolerance is determined, clearly expressed and documented.
ID.RM-3: Determination of risk tolerance is informed by the organisational role in critical infrastructure and sector specific risk analysis, and is documented.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organisational stakeholders.
ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritised, and assessed using a cyber supply chain risk assessment process.
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organisation’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.
PR.AC-1: Identities and credentials are issued, managed, verified and revoked across the end to end joiners, movers and leavers lifecycle.
  Techniques: 9.1.1 Username/password or PIN; 9.1.2 One-time password; 9.1.3 2-factor authentication; 9.1.4 Pre-shared secrets and TLS with client certificates; 10.1.5 Dial-in whitelisting; 10.1.6 LDAP; 10.1.7 TACACS+; 11.1.6 One-time password (OTP)
PR.AC-2: Physical access to assets is managed and protected.
  Techniques: 9.3.2 Switches; 9.5.2 Private location; 10.1.12 Read-only interface
PR.AC-3: Remote access is managed and documented.
  Techniques: 9.1.1 Username/password or PIN; 9.1.2 One-time password; 9.1.3 2-factor authentication; 9.1.4 Pre-shared secrets and TLS with client certificates; 10.1.5 Dial-in whitelisting; 10.1.7 TACACS+
PR.AC-4: Access permissions and authorisations are managed, incorporating the principles of least privilege and separation of duties, and periodically revalidated.
  Techniques: 9.1.1 Username/password or PIN; 9.1.2 One-time password; 9.1.3 2-factor authentication; 9.1.4 Pre-shared secrets and TLS with client certificates; 10.1.5 Dial-in whitelisting; 10.1.6 LDAP; 10.1.7 TACACS+
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation).
  Techniques: 10.1.8 Firewall; 10.1.9 IDS/IPS; 11.1.1 Network segregation
PR.AC-6: Only individually authenticated and authorised users can connect to or access the organisation’s networks or information systems.
  Techniques: 9.1.1 Username/password or PIN; 9.1.2 One-time password; 9.1.3 2-factor authentication; 9.1.4 Pre-shared secrets and TLS with client certificates; 9.6.1 (Processor) hardening; 10.1.5 Dial-in whitelisting; 10.1.6 LDAP; 10.1.7 TACACS+
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the access (e.g., privileged (admin, root) accounts typically require strong authentication).
  Techniques: 9.1.1 Username/password or PIN; 9.1.2 One-time password; 9.1.3 2-factor authentication; 9.1.4 Pre-shared secrets and TLS with client certificates; 11.1.5 Multi-factor authentication; 11.1.7 Whitelisting
PR.AT-1: All users are informed and trained on cyber security policies and relevant procedures, with periodic updates.
PR.AT-2: Privileged users understand their roles and responsibilities.
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
PR.AT-4: Senior executives understand their roles and responsibilities.
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities.
PR.DS-1: Data-at-rest is protected.
  Techniques: 9.2.2 AES-GCM; 9.2.1 AES-CBC; 9.2.2 AES-CCM; 9.2.3 AES-CMAC; 9.2.4 AES-CTR; 9.2.5 AES-ECB; 9.2.6 SHA1; 9.2.7 SHA2; 9.2.8 ECDH; 9.2.9 ECDSA; 9.5.2 Private location
PR.DS-2: Data-in-transit is protected.
  Techniques: 9.2.2 AES-GCM; 9.2.1 AES-CBC; 9.2.2 AES-CCM; 9.2.3 AES-CMAC; 9.2.4 AES-CTR; 9.2.5 AES-ECB; 9.2.6 SHA1; 9.2.7 SHA2; 9.2.8 ECDH; 9.2.9 ECDSA; 9.5.1 Unique keys; 9.5.3 DLMS secure transport; 9.5.5 TLS secure transport; 9.5.6 End-to-end signing; 10.1.1 ZigBee Smart Energy Profile; 10.1.2 CMS; 10.1.3 M-Bus; 10.1.4 DLMS
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition.
PR.DS-4: Adequate capacity to ensure availability is maintained.
PR.DS-5: Protections against data leaks and data loss are implemented.
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.
  Techniques: 9.5.6 End-to-end signing; 9.5.7 Switching commands validated against the grid code (Grid Sensitive Operation)
PR.DS-7: The development and testing environment(s) are separate from the production environment.
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity.
  Techniques: 9.5.7 Switching commands validated against the grid code (Grid Sensitive Operation); 9.6.1 (Processor) hardening
PR.SP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
PR.SP-2: A System Development Life Cycle to manage systems is implemented with embedded security touchpoints.
PR.SP-3: Configuration change control processes are in place.
PR.SP-4: Backups of information are conducted, maintained, and tested.
PR.SP-5: Policy and regulations regarding the physical operating environment for organisational assets are met.
PR.SP-6: Data is destroyed according to defined policy.
PR.SP-7: Protection processes are continuously improved.
PR.SP-8: Effectiveness of protection technologies is shared with appropriate parties.
PR.SP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
PR.SP-10: Response and recovery plans are tested.
PR.SP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).
PR.SP-12: A vulnerability management plan is developed and implemented to remediate vulnerabilities in a timely manner, commensurate with the risk.
PR.MA-1: Maintenance and repair of organisational assets are performed and logged, with approved and controlled tools.
  Techniques: 11.1.2 Firmware update
PR.MA-2: Remote maintenance of organisational assets is approved, logged, and performed in a manner that prevents unauthorised access.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
PR.PT-2: Removable (thumb drive etc) and mobile (smartphone, laptop etc) media is protected and its use restricted according to policy.
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
  Techniques: 9.4.1 Application-specific protocols
PR.PT-4: Communications and control networks are protected from unauthorised traffic and unauthorised access, and the security mechanisms are periodically tested.
  Techniques: 9.4.1 Application-specific protocols; 9.5.3 DLMS secure transport; 10.1.8 Firewall; 11.1.8 VPN; 11.1.9 Manufacturer-customer key exchange; 11.1.10 PKI
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
  Techniques: 10.1.8 Firewall
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
  Techniques: 10.1.9 IDS/IPS; 11.1.4 SIEM
DE.AE-2: Detected events are analysed to understand attack targets and methods.
  Techniques: 10.1.9 IDS/IPS; 11.1.4 SIEM
DE.AE-3: Event data are collected and correlated from multiple sources and sensors.
DE.AE-4: Impact of events is determined.
DE.AE-5: Incident alert thresholds are established.
DE.CM-1: The network is monitored to detect potential cybersecurity events.
  Techniques: 10.1.9 IDS/IPS
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
  Techniques: 9.3.3 Seals and other tamper-evident techniques
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.
  Techniques: 10.1.9 IDS/IPS
DE.CM-4: Malicious code is detected.
  Techniques: 10.1.9 IDS/IPS
DE.CM-5: Unauthorised mobile code is detected.
  Techniques: 10.1.9 IDS/IPS
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
  Techniques: 10.1.8 Firewall; 10.1.9 IDS/IPS
DE.CM-7: Monitoring for unauthorised personnel, connections, devices, and software is performed.
  Techniques: 10.1.8 Firewall; 10.1.9 IDS/IPS
DE.CM-8: Vulnerability scans are performed.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.
DE.DP-2: Detection activities comply with all applicable requirements.
DE.DP-3: Detection processes are periodically tested against ‘real world’ scenarios.
DE.DP-4: Event detection information is communicated to appropriate stakeholders.
DE.DP-5: Detection processes are continuously improved.
RS.RP-1: Response plan is executed during a cybersecurity event with an actual or potential adverse impact.
RS.CO-1: Personnel know their roles and order of operations when a response is needed.
RS.CO-2: Incidents are reported in line with established criteria, consistent with legal and regulatory requirements.
RS.CO-3: Information is shared consistent with response plans.
RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
RS.AN-1: Notifications from detection systems are investigated.
  Techniques: 10.1.8 Firewall; 10.1.9 IDS/IPS
RS.AN-2: The impact of the incident is understood.
RS.AN-3: Forensics are performed.
RS.AN-4: Incidents are categorised consistent with response plans.
RS.AN-5: Processes are established to receive, analyse and respond to vulnerabilities disclosed to the organisation from internal and external sources (e.g. internal testing, security bulletins, or security researchers).
RS.MI-1: Incidents are contained.
RS.MI-2: Incidents are mitigated.
RS.MI-3: Newly identified vulnerabilities are remediated, mitigated or documented as accepted risks, in line with organisational risk tolerance.
RS.IM-1: Response plans incorporate lessons learned.
RS.IM-2: Response strategies are updated.
RC.RP-1: Recovery plan is executed during or after a cybersecurity response.
RC.IM-1: Recovery plans incorporate lessons learned.
RC.IM-2: Recovery strategies are updated.
RC.CO-1: Public relations are managed.
RC.CO-2: Reputational impacts are assessed and addressed.
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
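The techniques listed against PR.DS-2 and PR.DS-6 (unique keys, ECDH, ECDSA, SHA2, AES-GCM, end-to-end signing) work together rather than in isolation. The Go program below is an added illustration of how they combine on a head-end-to-meter command path; it is example code written for this page, not code from the CRU, ESB Networks or any NSMP system, and it makes several simplifying assumptions: P-256 keys generated on the spot rather than provisioned through the manufacturer-customer key exchange and PKI, a plain SHA-256 hash of the ECDH secret as the key derivation function, a private signature-length||signature||command framing, and a constructed sample command string that is not a real DLMS or NSMP message. The point it makes is the separation of the two layers: AES-GCM under the per-meter key rejects anything altered in transit, while the ECDSA signature lets the meter reject a command that was encrypted under the correct transport key but not signed by the head-end (for instance by a compromised relay or data concentrator that holds the transport key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint (head-end system or meter). Sign is its long-term
// ECDSA key used for end-to-end signing; Agree is its ECDH key, from which
// a key unique to each head-end/meter pair is derived.
type Party struct {
	Sign  *ecdsa.PrivateKey
	Agree *ecdh.PrivateKey
}

// NewParty generates fresh P-256 keys. Assumption for this example: in a
// deployment these would be provisioned through the manufacturer-customer
// key exchange and PKI rather than generated here.
func NewParty() (*Party, error) {
	s, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Sign: s, Agree: a}, nil
}

// SharedKey runs ECDH and hashes the shared secret with SHA-256 into a
// 256-bit AES key. Both sides compute the same value; no other pair does.
func SharedKey(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	secret, err := mine.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret) // assumption: plain hash as the KDF
	return k[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs command with the sender's ECDSA key, then encrypts
// sigLen||sig||command with AES-GCM under key. Output is nonce||ciphertext.
func Seal(sender *Party, key, command []byte) ([]byte, error) {
	digest := sha256.Sum256(command)
	sig, err := ecdsa.SignASN1(rand.Reader, sender.Sign, digest[:])
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append([]byte{byte(len(sig))}, sig...)
	plain = append(plain, command...)
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open reverses Seal. GCM authentication catches any modified ciphertext;
// the ECDSA check catches a message encrypted under the right transport
// key by a party that does not hold the head-end's signing key.
func Open(senderPub *ecdsa.PublicKey, key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(msg) < ns {
		return nil, errors.New("message too short")
	}
	plain, err := gcm.Open(nil, msg[:ns], msg[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("AES-GCM authentication failed: %w", err)
	}
	if len(plain) < 1 || len(plain) < 1+int(plain[0]) {
		return nil, errors.New("malformed payload")
	}
	sig, command := plain[1:1+int(plain[0])], plain[1+int(plain[0]):]
	digest := sha256.Sum256(command)
	if !ecdsa.VerifyASN1(senderPub, digest[:], sig) {
		return nil, errors.New("end-to-end signature invalid")
	}
	return command, nil
}

func main() {
	headEnd, _ := NewParty()
	meter, _ := NewParty()
	kHE, _ := SharedKey(headEnd.Agree, meter.Agree.PublicKey())
	kM, _ := SharedKey(meter.Agree, headEnd.Agree.PublicKey())
	// Constructed sample command, not a real NSMP or DLMS message.
	msg, _ := Seal(headEnd, kHE, []byte("DISCONNECT meter=000123"))
	cmd, err := Open(&headEnd.Sign.PublicKey, kM, msg)
	fmt.Printf("meter accepted %q, err=%v\n", cmd, err)
	msg[len(msg)-1] ^= 1 // one ciphertext byte flipped in transit
	_, err = Open(&headEnd.Sign.PublicKey, kM, msg)
	fmt.Println("tampered message rejected:", err)
}
```

Two things in the code are what a reviewer would check against PR.DS-2 and PR.DS-6 in practice: the GCM nonce must be unique per key (a random 96-bit nonce is acceptable only while the number of messages under one key stays far below the birthday bound, otherwise use a counter or rotate the key), and the signature is made over the command alone, so the head-end's signing key never needs to leave the head-end even though intermediate systems hold transport keys.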

Page 68: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020

An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities

67

D Appendix Cyber Security Maturity Levels Summary

A summary overview of the maturity levels identified for network, large suppliers and

small suppliers as part of the Cyber Security risk assessment is outlined below.

Guideline Network Large

supplier

Small supplier

ID.AM-1: An up to date record of the physical

and virtual devices and systems which

underpins the delivery and/or support of each

essential service is maintained.

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

ID.AM-2: An up to date record of the software

(information system, database, databus,

applications, middleware etc) which underpins

the delivery and/or support of each essential

service is maintained.

Largely in

place (>50% -

85%)

Fully in place

(>85% -

100%)

Largely in

place (>50% -

85%)

ID.AM-3: Organisational communication and

data flows are mapped

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Largely in

place (>50% -

85%)

ID.AM-4: External information systems are

catalogued

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Largely in

place (>50% -

85%)

ID.AM-5: Resources (e.g., hardware, devices,

data, time, personnel, and software) are

prioritised based on their classification,

criticality, and business value

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

ID.AM-6: Cybersecurity roles and

responsibilities for the entire workforce and

third-party stakeholders (e.g., suppliers,

customers, partners) are established

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.BE-1: The organisation’s role in the supply

chain is identified and communicated

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Page 69: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020

An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities

68

ID.BE-2: The organisation’s place in critical

infrastructure and its industry sector is

identified and communicated

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

ID.BE-3: Priorities for organisational mission,

objectives, and activities are established and

communicated

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Largely in

place (>50% -

85%)

ID.BE-4: Dependencies and critical functions

for delivery of critical services are established

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.BE-5: Resilience requirements to support

delivery of critical services are established.

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.GV-1: Organisational cybersecurity policy is

defined, documented and communicated.

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.GV-2: Cybersecurity roles and

responsibilities are coordinated and aligned

with internal roles and external partners.

Largely in

place (>50% -

85%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

ID.GV-3:Legal and regulatory requirements

regarding cybersecurity obligations are

understood and managed.

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Largely in

place (>50% -

85%)

ID.GV-4:Governance and risk management

processes address cybersecurity risks, and

ensure their ongoing adequacy and

effectiveness.

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

ID.RA-1: Asset vulnerabilities are identified and

documented.

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.RA-2: Cyber threat (strategic, operational

and tactical) and vulnerability information is

received from information sharing forums and

sources.

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.RA-3: Threats, both internal and external, Largely in Largely in Largely in

Page 70: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020

An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities

69

are identified and documented. place (>50% -

85%)

place (>50%

- 85%)

place (>50% -

85%)

ID.RA-4: Potential business impacts and

likelihoods are identified and documented.

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

ID.RA-5: Threats, vulnerabilities, likelihoods,

and impacts are used to determine risk. Risk

assessments are dynamic and are updated in

light of system or service changes, or changes

to the threat environment.

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

ID.RA-6: Risk responses are identified,

prioritised and documented.

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Largely in

place (>50% -

85%)

ID.RM-1: Risk management processes are

established, documented, managed, agreed to

by organisational stakeholders.

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.RM-2: Organisational risk tolerance is

determined, clearly expressed and

documented.

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.RM-3: Determination of risk tolerance is

informed by the organisational role in critical

infrastructure and sector specific risk analysis

and is documented.

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.SC-1: Cyber supply chain risk management

processes are identified, established,

assessed, managed, and agreed to by

organisational stakeholders

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Largely in

place (>50% -

85%)

ID.SC-2: Suppliers and third-party partners of

information systems, components, and

services are identified, prioritised, and

assessed using a cyber supply chain risk

assessment process

Fully in place

(>85% -

100%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

ID.SC-3: Contracts with suppliers and third-

party partners are used to implement

Fully in place

(>85% -

Largely in

place (>50%

Fully in place

(>85% -

Page 71: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020

An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities

70

appropriate measures designed to meet the

objectives of an organisation’s cybersecurity

program and Cyber Supply Chain Risk

Management Plan.

100%) - 85%) 100%)

ID.SC-4: Suppliers and third-party partners are

routinely assessed using audits, test results, or

other forms of evaluations to confirm they are

meeting their contractual obligations.

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Largely in

place (>50% -

85%)

SC-5: Response and recovery planning and

testing are conducted with suppliers and third-

party providers

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Largely in

place (>50% -

85%)

PR.AC-1: Identities and credentials are issued,

managed, verified, revoked, for the end to end

joiners, movers and leavers lifecycle.

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

PR.AC-2: Physical access to assets is

managed and protected

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

PR.AC-3: Remote access is managed and

documented.

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

PR.AC-4: Access permissions and

authorisations are managed, incorporating the

principles of least privilege and separation of

duties, and periodically revalidated.

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

PR.AC-5: Network integrity is protected (e.g.,

network segregation, network segmentation)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

Fully in place

(>85% -

100%)

PR.AC-6: Only individually authenticated and

authorised users can connect to or access the

organisation's networks or information

systems.

Largely in

place (>50% -

85%)

Largely in

place (>50%

- 85%)

Fully in place

(>85% -

100%)

PR.AC-7: Users, devices, and other assets are

authenticated (e.g., single-factor, multi-factor)

commensurate with the risk of the access (e.g.,

Largely in

place (>50% -

Largely in

place (>50%

Fully in place

(>85% -

Page 72: CRU Data Access Paper · 2020. 12. 3. · An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities 0 Information Paper Reference: CRU20111 Date Published: 12/10/2020

An Coimisiún um Rialáil Fóntais Commission for Regulation of Utilities

71

privileged (admin, root) accounts typically

require strong authentication

85%) - 85%) 100%)

PR.AT-1: All users are informed and trained on cyber security policies and relevant procedures, with periodic updates. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Fully in place (>85% - 100%)

PR.AT-2: Privileged users understand their roles and responsibilities. | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities. | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Largely in place (>50% - 85%)

PR.AT-4: Senior executives understand their roles and responsibilities. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities. | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.DS-1: Data-at-rest is protected | Partially in place (>15% - 50%) | Partially in place (>15% - 50%) | Partially in place (>15% - 50%)

PR.DS-2: Data-in-transit is protected | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Largely in place (>50% - 85%)

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.DS-4: Adequate capacity to ensure availability is maintained. | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.DS-5: Protections against data leaks and data loss are implemented | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

PR.DS-7: The development and testing environment(s) are separate from the production environment | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | Fully in place (>85% - 100%) | Partially in place (>15% - 50%) | Partially in place (>15% - 50%)

PR.SP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | Fully in place (>85% - 100%) | Partially in place (>15% - 50%) | Partially in place (>15% - 50%)

PR.SP-2: A System Development Life Cycle to manage systems is implemented with embedded security touchpoints. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.SP-3: Configuration change control processes are in place | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.SP-4: Backups of information are conducted, maintained, and tested | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.SP-5: Policy and regulations regarding the physical operating environment for organisational assets are met | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.SP-6: Data is destroyed according to defined policy | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.SP-7: Protection processes are continuously improved. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.SP-8: Effectiveness of protection technologies is shared with appropriate parties. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.SP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | Partially in place (>15% - 50%) | Partially in place (>15% - 50%) | Partially in place (>15% - 50%)

PR.SP-10: Response and recovery plans are tested | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Largely in place (>50% - 85%)

PR.SP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | Not in place (0 - 15%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

PR.SP-12: A vulnerability management plan is developed and implemented to remediate vulnerabilities in a timely manner, commensurate with the risk. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

PR.MA-1: Maintenance and repair of organisational assets are performed and logged, with approved and controlled tools. | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.MA-2: Remote maintenance of organisational assets is approved, logged, and performed in a manner that prevents unauthorised access. | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | Not in place (0 - 15%) | Not in place (0 - 15%) | Not in place (0 - 15%)

PR.PT-2: Removable (thumb drive etc) and mobile (smartphone, laptop etc) media is protected and its use restricted according to policy | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

PR.PT-4: Communications and control networks are protected from unauthorised traffic, unauthorised access and the security mechanisms are periodically tested. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

DE.AE-2: Detected events are analysed to understand attack targets and methods | Partially in place (>15% - 50%) | Partially in place (>15% - 50%) | Partially in place (>15% - 50%)

DE.AE-3: Event data are collected and correlated from multiple sources and sensors | Partially in place (>15% - 50%) | Partially in place (>15% - 50%) | Partially in place (>15% - 50%)

DE.AE-4: Impact of events is determined | Partially in place (>15% - 50%) | Partially in place (>15% - 50%) | Partially in place (>15% - 50%)

DE.AE-5: Incident alert thresholds are established. | Partially in place (>15% - 50%) | Partially in place (>15% - 50%) | Partially in place (>15% - 50%)

DE.CM-1: The network is monitored to detect potential cybersecurity events. | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

DE.CM-4: Malicious code is detected | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

DE.CM-5: Unauthorized mobile code is detected | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | Partially in place (>15% - 50%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

DE.CM-8: Vulnerability scans are performed | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

DE.DP-2: Detection activities comply with all applicable requirements | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

DE.DP-3: Detection processes are periodically tested against ‘real world’ scenarios. | Partially in place (>15% - 50%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

DE.DP-4: Event detection information is communicated to appropriate stakeholders | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

DE.DP-5: Detection processes are continuously improved | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.RP-1: Response plan is executed during a cybersecurity event with an actual or potential adverse impact | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

RS.CO-1: Personnel know their roles and order of operations when a response is needed | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.CO-2: Incidents are reported in line with established criteria, consistent with legal and regulatory requirements. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.CO-3: Information is shared consistent with response plans | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.CO-4: Coordination with stakeholders occurs consistent with response plans | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

RS.AN-1: Notifications from detection systems are investigated | Partially in place (>15% - 50%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

RS.AN-2: The impact of the incident is understood | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.AN-3: Forensics are performed | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.AN-4: Incidents are categorized consistent with response plans | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.AN-5: Processes are established to receive, analyse and respond to vulnerabilities disclosed to the Organisation from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.MI-1: Incidents are contained | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

RS.MI-2: Incidents are mitigated | Largely in place (>50% - 85%) | Largely in place (>50% - 85%) | Largely in place (>50% - 85%)

RS.MI-3: Newly identified vulnerabilities are remediated, mitigated or documented as accepted risks, in line with organisational risk tolerance. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.IM-1: Response plans incorporate lessons learned | Partially in place (>15% - 50%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RS.IM-2: Response strategies are updated | Partially in place (>15% - 50%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RC.RP-1: Recovery plan is executed during or after a cybersecurity response. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RC.IM-1: Recovery plans incorporate lessons learned | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RC.IM-2: Recovery strategies are updated | Largely in place (>50% - 85%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RC.CO-1: Public relations are managed | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RC.CO-2: Reputational impacts are assessed and addressed. | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | Fully in place (>85% - 100%) | Fully in place (>85% - 100%) | Fully in place (>85% - 100%)

E Appendix International Practice

In developing its approach to data protection and the smart metering solution design, the CRU has continued to monitor smart metering developments in other countries, in particular in European Member States. In 2014 the European Commission issued a “COMMISSION STAFF WORKING DOCUMENT / Country fiches for electricity smart metering” [35], providing an overview of the smart metering approaches taken by the Member States. A few examples are given below:


Estonia: Smart metering was deployed in Estonia by 2017 to all customers (~700,000), and a central data hub is already in use. Under the national Electricity Market Act and Natural Gas Act, all smart meters were to be installed by 1 January 2017 for electricity and by 1 January 2020 for gas. Deployment is mandatory for all consumers (for gas, where consumption exceeds 750 m³/year). A central data hub, administered by Elering as the independent transmission system operator, is in operation:

• To manage the central exchange of electricity metering data between market participants;

• To support the process of changing electricity suppliers in the market;

• To archive the metering data of electricity consumption.

The Estonian Data Hub is a software/hardware solution managed by Elering as system operator. User access to the Data Hub is granted to grid operators, open suppliers and line operators operating in Estonia. Market participants are encoded, as are the measuring points that measure electricity flows between participants; the encoding defines each market participant's rights as well as the supply chains.

Through the data hub web portal, all parties have access to their own consumption volume measurement data (remotely readable in one-hour increments). The data hub system ensures the principle of equal treatment. The network operator must ensure the measurement, collection, control and accuracy of measurement data.

The Netherlands (advanced consumer services): By the end of 2017, smart metering systems had been rolled out (on the basis of the original 2015 to 2020 timeline) to over 50% of all users. Only 11% of users had declined the smart meter, while 2% asked to have the communication deactivated. The roll-out is mandatory with an opt-out option. In the Netherlands, the DSOs are responsible for the roll-out and for communication with the smart meter.

Germany: Placing a high emphasis [36] on standardisation and security, the German smart metering approach is based on two major components: Smart Meters and Smart Meter Gateways (SMGWs); the combination of both is referred to as a Smart Metering System (“Intelligentes Messsystem”). In Germany, starting in 2017, large consumers with average annual consumption in excess of 10,000 kWh were required to install smart meters. This threshold is lowered to 6,000 kWh in 2020, which brings in approximately 15% of electricity consumers. Under the German Metering Point Operation Law (“Messstellenbetriebsgesetz”, MsbG) the installation of SMGWs follows a stepwise roll-out plan, ultimately making it compulsory for consumers above 6,000 kWh/year or for consumers with renewable feed-in above 7 kW peak. For consumers below these thresholds the SMGW is optional and, hence, so is the option to communicate automatically. The grace period between 2017 and 2020 allows grid operators and third parties to learn from early adopters and to mitigate any issues identified during the initial large-consumer roll-out.

Smart Meter Gateways: SMGWs act as intermediary between three network areas, through which they are connected to other devices and stakeholders:

• Home Area Network (HAN): This network area is for the communication between the SMGW and Controllable Local Systems (CLSs) such as controllable devices or energy management systems (EMSs).

• Local Metrological Network (LMN): This network area is for the communication between the SMGW and Smart Meters.

• Wide Area Network (WAN): This network area is for the communication between the SMGW, the associated external market participants (EMPs) and the SMGW Administrator.

SMGW Administrators are defined as trustworthy entities that manage the encrypted and authenticated transport channels the SMGW uses to communicate with endpoints in the above network areas, relying on a public key infrastructure (PKI) operated by the German Federal Office for Information Security (“Bundesamt für Sicherheit in der Informationstechnik”, BSI).

10 data-privacy safeguards in Germany [37]: The commissioners for data privacy for the Federation and the Länder have set out specific requirements around smart metering. The draft legislation that is now on the table fully meets all of these requirements:

• Without explicit approval by the consumer, all data gathering and use is restricted to the bare minimum required for the energy system to work.

• The intervals at which the meter is read have been designed to be long enough to prevent any conclusions being drawn about user habits.

• No data will be transmitted unless it has been anonymised, pseudonymised or aggregated.

• Data will be processed in situ, on the consumer's premises.

• Energy data will be passed on to as few parties as possible.

• It will be mandatory for data to be deleted within specified time periods (without prejudice to the applicable metering and calibration rules, all personal metering data must be deleted as soon as its storage is no longer required for the purpose for which it was supplied).

• Consumers will be able to monitor and verify all communications and processing steps at all times.

• It will be easy for consumers to enforce their right to object and their right to have data deleted or corrected.

• Consumers will still be able to choose the tariff that suits them best. The new law will not limit end consumers' right to select a tariff of their own choice.

• Smart meters cannot be accessed freely by outsiders. Access is regulated by means of clearly defined profiles.
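Several of the safeguards above (minimum data gathering without consent, reading intervals too coarse to reveal habits, transmission only of pseudonymised or aggregated data, in-situ processing, and deletion within specified periods) describe concrete data-minimisation steps that a gateway can apply before any reading leaves the consumer's premises. The Python below is an added illustration of those steps written for this page; it is not the German SMGW specification, the BSI's technical guideline, or any vendor's code. The 15-minute readings, the meter identifier, the HMAC key, the retention period and all function names are constructed for the example.

```python
"""Data minimisation on the consumer's premises before transmission.

Added illustration of the privacy safeguards listed above; not the SMGW
specification or any vendor's implementation. All inputs are constructed.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: eight 15-minute interval readings (kWh) for one meter.
# At this granularity the 06:30-07:00 peak reveals when the household is up.
SAMPLE_METER_ID = "EXAMPLE-METER-0001"
SAMPLE_READINGS = [
    ("2020-10-12T06:00:00+00:00", 0.10),
    ("2020-10-12T06:15:00+00:00", 0.12),
    ("2020-10-12T06:30:00+00:00", 0.45),
    ("2020-10-12T06:45:00+00:00", 0.80),
    ("2020-10-12T07:00:00+00:00", 0.30),
    ("2020-10-12T07:15:00+00:00", 0.15),
    ("2020-10-12T07:30:00+00:00", 0.11),
    ("2020-10-12T07:45:00+00:00", 0.10),
]

# Hypothetical gateway-held key. In a real gateway this would live in the
# device's protected key store, never in source code.
PSEUDONYM_KEY = b"example-key-not-for-production"

FINE_INTERVAL = timedelta(minutes=15)   # only with explicit consumer consent
COARSE_INTERVAL = timedelta(days=1)     # default: too coarse to infer habits


def pseudonymise_meter_id(meter_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 of the meter identifier.

    Unlike a plain hash, the pseudonym cannot be reversed by enumerating the
    small space of real meter IDs, and parties without the key cannot link
    it back to the meter.
    """
    return hmac.new(key, meter_id.encode("utf-8"), hashlib.sha256).hexdigest()


def aggregate(readings, interval: timedelta) -> dict:
    """Sum readings into UTC-aligned buckets of the given width.

    Returns {bucket_start_iso: kwh}, sorted by bucket start. With a one-day
    width the per-appliance pattern in the fine series is no longer present.
    """
    width = int(interval.total_seconds())
    buckets = defaultdict(float)
    for ts, kwh in readings:
        epoch = int(datetime.fromisoformat(ts).timestamp())
        start = datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)
        buckets[start.isoformat()] += kwh
    return dict(sorted(buckets.items()))


def prepare_for_transmission(meter_id, readings, consent_to_fine_data=False) -> dict:
    """Build the only record allowed to leave the premises.

    Without explicit consent, only a daily total under a pseudonym is sent;
    the raw 15-minute series stays on the gateway.
    """
    interval = FINE_INTERVAL if consent_to_fine_data else COARSE_INTERVAL
    return {
        "meter": pseudonymise_meter_id(meter_id),
        "interval_seconds": int(interval.total_seconds()),
        "readings": aggregate(readings, interval),
    }


def purge_expired(records, now_iso: str, retention_days: int) -> list:
    """Drop stored records whose retention period has lapsed.

    Each record is a dict with a 'received' ISO-8601 timestamp (with offset).
    """
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(days=retention_days)
    return [r for r in records
            if now - datetime.fromisoformat(r["received"]) < limit]


if __name__ == "__main__":
    default = prepare_for_transmission(SAMPLE_METER_ID, SAMPLE_READINGS)
    print("sent without consent:", default)
    fine = prepare_for_transmission(SAMPLE_METER_ID, SAMPLE_READINGS,
                                    consent_to_fine_data=True)
    print("buckets sent with consent:", len(fine["readings"]))
```

The consent flag is the switch between the two reading intervals; everything below the default path (daily total, pseudonym, no raw series) is what leaves the premises when the consumer has not opted in, and the purge routine is the retention rule applied to whatever the receiving party has stored.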