Technical brochure
TB 892 WG D2.45

Impacts of governance regulations and constraints on EPU sensitive data distribution and location of data storage

This Technical Brochure (TB) offers guidelines for assessing the impact of governance regulations and constraints on electric power utility (EPU) sensitive data distribution and location of storage, in accordance with the approved terms of reference. This TB uses a broad definition of data that includes any information, such as descriptive information, parametric information, schematics and pictures. Personal information is extremely sensitive because it can be used to influence or coerce authorized personnel to collaborate in accomplishing an attack on an EPU’s systems. Critical infrastructure information can be used for unauthorized access to and use of EPU systems. Sensitive information also includes any information that requires a notification of a breach to a designated authority. The guideline will provide recommendations that identify the relationship between governance response requirements and their dependency on enabling security systems to ensure the confidentiality and integrity of sensitive data. Specifically, this TB addresses regulations that enforce constraints regarding read/write privileges and storage locations. Consideration is also given to local restrictions regarding identification of the local national authority, security requirements imposed on sensitive data, local definitions of sensitive data, sensitive data transfer and approved requirements, and sensitive data breach notification requirements.

Members

Convenor (AT)

H. KLIMA

Secretary (US)

D. HOLSTEIN

G. DONDOSSOLA (IT), D. BORDEA (RO)

Corresponding Members

M. VERWORNER (AT), U. KRIEGELSTEIN (AT), K. SCHWABEL (AT)

Working Group D2.45 enters a new area of interdisciplinary work. Yet the focus of D2 working groups, as well as of joint working groups with corresponding study committees, is on information and telecommunication technology for electric power utilities (EPUs). This working group leveraged the combination of technical issues and juridical aspects. The development of information and communication technologies (ICT), especially public ICT services such as mobile services and cloud services, creates tremendous possibilities for data processing and sharing. EPUs are entering a new era of information sharing in a borderless environment facilitated by cloud-based services, ubiquitous mobility, and expanding use of personal devices. This borderless behavior is the root issue that has initiated strong governance requirements by local authorities. A good example is the European Union’s (EU’s) General Data Protection Regulation (GDPR). In this environment, EPU risk assessment teams must adjust their approach to updating security policies, procedures, and organizational directives. They must recognize the unbounded degrees of freedom that blur the security perimeter, and they must gracefully accommodate the increased complexity and scale of managing the security of their data. This requires the ability to leverage user entity and user behavior analytics (EUBA) and identity analytics (IdA) to provide actionable risk-scored results. Thus, the technical and juridical aspects must be seen in one context and must work closely together. Each influences the other.

Hence, this Technical Brochure (TB) has a technical and a juridical aspect regarding data in EPUs.

  • Identify the structure and corresponding information demand of EPUs through a systemic approach.
  • Classify the data resulting from the information demand for processed data, administrative data, parametric information, and descriptive information.
  • Evaluate the implementation of several data volumes in EPUs, such as data transmission, data location and storage.
  • Assess the legal landscape regarding data transmission, data protection and location of storage of data.
  • Describe the processes and interaction of EPUs regarding data transmission and data storage, including mobile solutions in accordance with standards, laws, and regulations.
  • Identify the technical and legal issues related to measures and guidelines to handle the data volumes in EPUs.

EPUs are overly complex institutions with a tremendous need for information exchange, which generates huge amounts of data. The interchange of information is a fundamental need of any system. Information is a part of a system, and if the information fails in any way the system will collapse quickly. Due to the complexity of the system with all its parts, the information within the system as well as the exchange of information with its environment is highly complex as well. One main driver of data volume is the high degree of automation, which is still increasing.

An EPU is a system containing several different units and can be considered from various points of view. One point of view is that of a technical system comprising several technical units which an EPU needs to perform. These parts are well structured and are usually geographically distributed. It follows from the geographical distribution, in combination with automation, that the information technology (IT) business units, operational technology (OT) system operating units, and their telecommunication systems have an increasing need for data processing and data transmission for their business and operational areas of responsibility.

But EPUs and their suppliers have had to consider a broader range of fields. In the last decades the demand for informatics and telecommunication grew due to an increasing demand for automation in all areas of the business organizations concerned. Hence the community, including CIGRE, reacted by identifying needed improvements in informatics and telecommunications technologies. Another fundamental area is commercial aspects. EPUs as well as suppliers must operate economically at all times.

In this Technical Brochure a new topic, identified as “governance regulations”, is introduced into the broad range of EPU activities. Due to the development of the legal environment, all enterprises are affected, including EPUs and their corresponding suppliers.

D2

Information systems telecommunications and cybersecurity

This Technical Brochure has been created by a Working Group from the CIGRE Information systems telecommunications and cybersecurity Study Committee which is one of CIGRE's 16 domains of work.
D2 provides guidance, shares knowledge, and develops best practices and publications for the application of information technology to the critical and core business systems in the electricity supply chain, including smart meters, asset performance monitoring and management, energy management systems (EMS), internet of things (IoT) and machine learning/big data.