Security & Resilience
- Smart Metering
- Process Control Networks (PCNs)
- Resilience (assets and operations)
- Corporate Security
- Information Leakage & Data Protection
Smart meters are the next generation of electricity and gas meters, aiming to revolutionise the way energy consumption information is made available to customers and suppliers. Smart meters are capable of displaying real-time consumption data locally to the consumer via an In-Home-Display (IHD) unit and of sending the data to the energy supplier at regular intervals (e.g. half-hourly) via a wide area network connection.
For many organisations, the business case for smart meters relies heavily on the ability to generate benefit from the high volume of energy consumption data in a secure manner. This is an opportunity for a more dynamic and interactive relationship with the customer, acting as an energy service company rather than just a supplier; however, a clear strategy is needed to achieve this. As meter readings increase from the current bi-annual cycle to a half-hourly cycle, the amount of granular consumption data that will be generated will significantly increase.
Why is it an issue?
- A new regulatory framework has been introduced with specific requirements for the protection of vulnerable customers, controls over remote disconnection, service availability, tariff changes and customer notifications
- From a security point of view, the increased volume of potentially sensitive data stored and transmitted across data networks opens up new avenues for hackers to gain unauthorised access to the consumption data, as well as to compromise critical commands such as remote supply disconnection
- Privacy concerns have been raised in this space, as large amounts of granular energy consumption data can provide insights into the behavioural patterns of the consumer
- From a data management point of view, data volumes are far beyond the design specification of current billing systems, as meter readings increase from the current bi-annual cycle to a half-hourly cycle.
We have developed a comprehensive smart metering risk map that can help you identify the areas of risk that are applicable to your smart metering programme. Our smart metering experts can assist in the following areas:
| Security & Privacy | Data Management | Process & Control Services |
|---|---|---|
| Security Risk Assessment | Data Analytics | Project Risk |
| Privacy Impact Assessment | Data Quality Assessment and Remediation | Market Audit / 3rd party assurance |
| Security Design | Data Governance | Revenue Assurance |
| Crypto key management | Data Migration & Integration | Regulatory Compliance |
| Penetration Testing | | Operational Controls |
| Supply Chain Assurance | | |
Find out more about our Smart metering risk services and read our article "Smart metering gets smart".
As Energy and Resources (E&R) companies become more reliant on current IT to support their core production processes, coupled with the threat from unstable geopolitics and cyber terrorism, a proactive approach to IT risk is paramount within their collective systems and PCNs. These PCNs are complex, key to productivity and are often the most mission critical digital asset an E&R company will own.
Why is it an issue?
- The E&R sector is under continuing pressure to reduce costs, increase productivity and ensure efficient use of IT
- The commercial impact from system failure or a security breach is significant and a system compromise could result in environmental damage, personnel injury or ultimately the revocation of licence to operate
- Industry analysis predicts that PCNs will see increased cyber attacks, as their inherent weaknesses are known within the public domain. IT and PCN operations are typically separate, with little or no collaboration, meaning the protection measures in place for corporate IT environments have not been used to manage the risk to PCNs, leaving them open to attack.
PCNs require specific security frameworks to address the differences with corporate IT environments. We can help E&R organisations to:
- Consider an approach to segregate access to their corporate IT environments from their PCNs
- Initiate mature processes such as patch management and current anti-virus protection
- Manage third parties/vendors
- Establish a security policy that restricts ‘who’ is permitted to access ‘which’ systems within both environments
- Manage potential adverse scenarios through incident management/continuity planning
- Establish current state assessments and develop risk management programmes of these critical systems to confirm that key threats are understood and test the effectiveness of their implemented controls
- Train control engineers and operators through security and awareness programmes.
Most E&R organisations are struggling to improve or maintain the resilience of their critical technology infrastructure and applications. Increasing complexity and data volumes continue to challenge availability and recovery capability. Many organisations in this sector still fail to get the basics right, whilst others strive to improve both the speed and confidence in their recovery process should the worst happen. If IT is critical to your business then technology resilience should be a top priority.
Why is it an issue?
- Increased system complexity and data volumes challenge resilience and recovery capabilities
- Designing and implementing near zero system failure and zero data loss strategies requires careful balancing of availability, resilience and recovery solutions
- Organisations are not necessarily able to conduct adequate fail-over tests to prove resilience or recovery
- Organisations need to meet industry required and system-specific regulatory requirements.
Deloitte combines both industry knowledge and competency expertise to provide an unparalleled breadth and depth of Business Continuity services including:
- Risk and threat intelligence – conducting risk and threat assessments and analysis
- Business impact analysis – using a ‘top-down’ approach to identify mission critical activities and key business processes, determining acceptable recovery timeframes, identifying and mapping interdependencies and undertaking requirements analysis
- Alternative work arrangements – defining requirements, options analysis including technology and property portfolio analysis, sourcing and selection, implementation management and testing of deployed solutions
- Business continuity strategy – creating and implementing cost-effective corporate continuity strategies that meet business priorities and requirements and exploit technology and property portfolios
- Business continuity planning – developing and implementing site, function or process specific procedures and business continuity plans, resource acquisition plans, and ‘integrated’ supply chain continuity planning
- Culture and governance – implementing a governance framework, programme management, organisational roles and responsibilities or operating models, corporate business continuity policies, standards and guiding principles. This also covers building and embedding a business resilience culture, awareness programme design and execution, training plans, and bespoke learning linked to policies, procedures and response plans.
Our key focus is how best to safeguard an organisation’s people and assets from an ever increasing number of threats. These include physical security threats such as terrorism, espionage, organised crime and activism, and personnel security issues, including poor internal security controls and a lack of strong security culture, which can leave organisations open to ‘insider threats’ and sabotage by disaffected employees. We have a proven track record of helping organisations establish a structured approach to the governance and implementation of security strategy, enabling the holistic development of physical, personnel and information security across multiple and highly diverse environments.
Why is it an issue?
- Globalisation is a term synonymous with the opportunities and demands of today’s business environment. However, penetrating and operating in new or existing environments is not without risk. How organisations identify and manage that risk is a key success factor.
- The extent of these threats means that security and resilience are increasingly on the boardroom agenda. Corporates also recognise that there are higher levels of geopolitical risk than in the past.
- The security industry has matured, requiring CSOs and CISOs to align risk to controls and balance this with the demands of the business.
Our Corporate Security services help clients to:
- Understand areas of security synergy in order to create converged functions enabling increased efficiency and effectiveness
- Conduct current state reviews to enable benchmarking of security structure, policy and process
- Conduct threat and risk assessments, aligning risk to controls through the identification of strategic, tactical and operational risk
- Assess and identify measures to fulfil regulatory requirements
- Develop complex concepts of operation and operational requirements
- Conduct security vulnerability assessments
- Develop Event Security Management Systems (ESMS)
- Conduct security awareness training.
In the current environment of high profile data losses, our E&R clients are actively seeking to understand the extent of their exposure to information leakage and data loss. Oil & Gas and Mining organisations in particular are becoming more aware of the risk of sharing data within their own organisations in a manner which breaches local data protection and export control requirements. Typical examples of this include geological, seismic and field survey data. Whether our clients’ focus is on internal or external information leakage, our approach to projects of this type is broadly similar and based on the four steps outlined below.
We have a wealth of knowledge and experience in helping clients assess and manage the risk being faced. Our experience covers the breadth of issues faced by organisations, including understanding where their sensitive information is, performing detailed security assessments, reviewing third parties and understanding the regulatory environment. This enables us to design comprehensive governance, process and technology control frameworks to reduce the risk.
Why is it an issue?
- High profile security breaches involving sensitive data have created intense publicity and significant regulatory action against those responsible
- The requirement to demonstrate compliance with industry attestations and regulations (e.g. PCI DSS, FSA, DPA), as well as to meet the complex and varied international regulations over personal data covering broad areas such as security, accuracy, retention and international transfers
- Sensitive information e.g. intellectual property is at risk and needs protecting to safeguard profits.
- Requirements gathering - our team works with key stakeholders to identify the highest priority data security and privacy challenges. Participants in the risk assessment requirements gathering step typically include key decision makers and information owners, executive sponsors, project managers, security analysts, and network engineers
- Policy definition - we then build policies that map to the client’s data priorities, based on our pre-defined templates as well as the organisation’s unique security policies and compliance requirements
- Confidential data monitoring - the next step is the monitoring of the client’s confidential data wherever it is stored or used - across endpoint, network and storage systems - to evaluate and clearly quantify the organisation’s current level of risk
- Reporting - a data loss risk assessment summary identifies areas of very high, high, medium, and low risk of data leakage and benchmarks the actual data exposure and loss metrics against industry averages.