Impacts of governance regulations and constraints on EPU sensitive data distribution and location of data storage

The Working Group D2.45 enters a new area of interdisciplinary working. Yet the focus on D2 working groups as well as joint working groups with corresponding study committees is in information and telecommunication technology for electric power utilities (EPUs). That working group leveraged the combination of technical issues and juridical aspects. Due to the development of information and communication technologies (ICT) especially public ICT services, like mobile services and cloud services, tremendous possibilities of data processing and sharing occur. EPUs are entering a new era of information sharing in a borderless environment facilitated by cloud-based services, ubiquitous mobility, and expanding use of personal devices. This borderless behavior is the root issue that has initiated strong governance requirements by local authorities. A good example is European Union’s (EU’s) General Data Protection Regulation (GDPR). In this environment EPU risk assessment teams must adjust the approach to updating security policies, procedures, and organizational directives. They must recognize the unbounded degrees of freedom that blur the security perimeter, and they must gracefully accommodate the increased complexity and scale of managing the security of their data. This requires the ability to leverage user entity and user behavior analytics (EUBA) and identity analytics (IdA) to provide actionable risk-scored results. Thus, the technical and juridical aspect must be seen in one context and work close together. Both influence each other.

Hence, this Technical Brochure (TB) has a technical and a juridical aspect regarding data in EPU.

• Identify the structure and corresponding demand of information of EPU through a systemic approach
• Classify the data resulting from the information demand for processed data, administrative data, parametric information, and descriptive information.
• Evaluate the implementation of several data volumes in EPU, such as data transmission, data location and storage.
• Assess the legal landscape regarding data transmission, data protection and location of storage of data.
• Describe the processes and interaction of EPU regarding data transmission and data storage, including mobile solutions in accordance with standards, laws, and regulations.
• Identify the technical and legal issues related to measures and guidelines to handle the data volumes in EPU. 

EPU are overly complex institutions with a tremendous need of information exchange that generate huge amount of data. The interchange of information is a fundamentally need of any system. Information is a part of a system and if the information fails in any way the system will collapse quickly. Due to the complexity of the system with all its parts, the information within the system as well as the exchange of information with its environment is highly complex as well. One main driver of data volume is the high degree of automation, which is still increasing.

An EPU is a system containing several different units and can be considered from various points of view. One point of view is to have a technical system including several technical units which an EPU needs to perform. These parts are well structured and are usually geographically distributed. The geographically distribution in combination with the automation follows, that the operational technology (IT) business units, operational technology (OT) system operating units, and their telecommunication systems have an increasing need of data processing and data transmission for their business and operational area of responsibility.

But the EPU and the suppliers had to consider a broader range of fields. In the last decades the demand of informatics and telecommunication grew due to an increasing demand of automation in all areas of concerned business organizations. Hence the community, including CIGRE, reacted by identifying needed improvements in informatics and telecommunications technologies. Another fundamental scope are commercial aspects. EPU as well as supplier must operate economically every time.

In this technical brochure a new topic, identified as “governance regulations” is introduced into the broad range of EPU activities. Due to the development of the legal environment all enterprises are concerned including EPU and corresponding suppliers as well.