Smart meters and smart grid infrastructure have been deployed in many of the world’s electric distribution grids. They promise energy conservation, better grid management for utilities, electricity crime reduction, and a host of value-added services for customers. To deliver on this promise, they need to collect granular electric usage data and make this available to the stakeholders who need it. This has created consumer privacy concerns which are being addressed with security and governance programs, like Microsoft Information Protection and Azure Purview, and with regulation including the government. The ability to protect and govern smart meter data is critical to addressing customer privacy. It’s also critical to making the data available to realize the return on investment in terms of environment, security, savings, and enhanced services to consumers.

Smart grid data contains private datum

Smart meter data is personally identifiable information( PII ). Information potentially available through the smart grid includes 😛 TAGEND

NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Table 5-1. Information Potentially Available Through the Smart Grid.

Figure 1: Information potentially available through the smart grid. 1

This gives rise to a range of privacy concerns from personal data exposure for embarrassment or extortion, determination of behavior patterns for unwanted marketing, by crooks that are likely to be casing a premises or seeking to exploit children, or inappropriate uses by government.

Depending on the granularity and character of data collected, smart meter data can be disaggregated to uncover private info 😛 TAGEND

NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Figure 5-2. Using Hidden Markov Models to Produce an Appliance Disaggregation.

Figure 2: Using hidden Markov modelings to produce an appliance disaggregation. 2

Electric meter data was generally not a focus of privacy concern prior to smart meters. With smart-alecky meters, there is the potential for the data to be near real-time and with a frequency and granularity not previously available. The potential value of smart-alecky meter data for demand management programs, day of use pricing, outage handling, grid optimization, energy crime reduction, unlocking the value of smart metropolis, and other uses increases as does the frequency and granularity of the data.

Utilities and other stakeholders it is necessary do a privacy impact assessment( PIA ) for the use of this data. Part of this process is to set out the controls that will be used to govern the data.

Many of the same regulations and standards that cover PII in general apply to smart meter information. These include General Data Protection Regulation( GDPR ), California Consumer Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act( PIPEDA ), Brazil’s General Data Protection Act( LGPD ), and many other established and emerging privacy regimes. A geographic summary of privacy regulations is provided by the global law firm DLA Piper.

Which is why i PII from smart meters located?

Smart meter data is in the meters themselves and the backhaul infrastructure, potentially passing through range extenders, connected grid routers on its way to the head end. From here it is made available to the utility departments and other organizations as permitted in databases and data reservoirs to derive value from the data.

Conceptual Reference Diagram for Smart Grid Information Networks. Ref NIST Special Publication 1108R2, Figure 3-2.

Figure 3: Conceptual reference diagram for smart-alecky grid information networks. 3

With the range of stakeholders that need access to the data, there will be a variety of technologies and architectures that must be governed. Broadly, there will be PII in structured resources like SQL or SAP S/ 4HANA databases, and unstructured like desktop application files and email or data storehouses like Azure Blob, Data Lake Storage, or Amazon S3.

The data should be governed during its full lifecycle from collect through to secure auditable disposal–both inside the utility’s environment and outside as third parties access the data used for permitted uses.

Protect and governing PII from smart-alecky meters

The Microsoft Information Protection and Governance framework protects and governs Microsoft 365 data, including desktop applications, email, on-premises storehouses, and with Microsoft Cloud App Security, both in our own- and third-party clouds and on Windows 10 endpoints like laptops.

Most impactful for smart-alecky meter data, we now have Azure Purview( now in preview) for structured and unstructured data outside of Microsoft 365, such as in databases, data lakes, SAP, and a range of other environments where smart meter data is stored and used to extract value.

Microsoft Information Protection and Governance framework.

Figure 4: Microsoft Information Protection and Governance.

To properly protect and govern PII in smart-alecky grid data, we need to identify and inventory this data across our cloud and on-premises environment. We need to protect this data with durable security policies that stay with the data throughout its lifecycle. We need to implement Data Loss Prevention( DLP) to keep the information from traveling to places it should not go and we need to dispose of data when it’s no longer needed for business intents. The omission should be permanent and auditable.

Microsoft Information Protection as part of Microsoft 365 provides the tools to know your data, protect your data, and avoid data loss. It provides users with a native experience in their documents and emails, providing automation to recognize PII and either recommend the user apply a sensitivity label with the option to override this suggestion with auditable justification to enforce the application of the label.

Microsoft Information Protection provides real time assistance to users with a native experience while they work. Users receive suggestions and can automatically label data or override the suggestion with auditable justification if configured by the administrator.

Figure 5: Microsoft Information Protection offer real-time assistance to users with a native experience while they work.

The sensitivity label can enforce encryption, scoping the document to be ingested only by the intended organisation, teams, or individuals. It can enforce watermarking, disable cut and paste, and a range of other security policies for the life of the document, even when it leaves the sender’s environment.

PII such as credit card numbers can be recognized as out-of-box sensitive datum characters and then be tuned to reduce false positives. Custom sensitive info kinds can be informed by keywords, keyword dictionaries, or regular expressions which are particularly useful for recognizing utility report numbers or smart-alecky meter numbers. Machine learning can be used to recognize records by utilizing trainable classifiers to reason over a sample of relevant documents to recognize documents that are like these.

Sensitive data been determined, inventoried, and protected as it is created, in the cloud with Microsoft Cloud App Security( MCAS) or with on-premises resources use the Azure Information Protection( AIP) scanner.

These sensitivity labels and sensitive information forms can trigger DLP policies across email, desktop applications, SharePoint sites, OneDrive, Windows 10 machines, Teams, and third-party clouds. The policies are managed with a unified experience across Office 365, cloud, on-premises, and endpoint locations.

Data loss prevention policies can be triggered by sensitivity labels or sensitive information types. These policies can be administered for email, SharePoint, OneDrive, Teams, endpoints, on premises repositories and third party clouds from a single admin interface.

Figure 6: Selections of locations to apply policy.

Files and emails can be labelled with retention labels as well as sensitivity labels. Like sensitivity labels in Microsoft Information Protection, they can be applied manually or in an automated behavior based on out-of-box, custom knowledge types, or machine learning with trainable classifiers.

Retention labels can enforce auditable retention, deletion and disposition review of documents and emails in the Microsoft 365 tenant.

Figure 7: Records management.

Retention labels can enforce auditable retention, deletion, and disposition review of documents and emails in the Microsoft 365 tenant.

This can facilitate compliance with privacy regulations, but likewise regulations that require retention for discovery purposes such as utility boards or Freedom of Information( FOI) requests.

Visualization and reporting for sensitive data, including smart-alecky meter PII as well as the retention labels and policies applied, are set forth in the conformity portal so that sensitive data can be inventoried, overseen, and reported on.

Azure Purview

Azure Purview is a merged data governance service that helps you manage and govern your on-premises, multi-cloud, and software as a service( SaaS) data. We’ll focus on PII data discovery in this post.

Azure Purview Data Map captures metadata across a wide range of data sources and file characters with automated data discovery and sensitive data classification. Azure Purview widens our knowledge protection and governance abilities beyond Microsoft 365.

Among the broad list of data sources, you’ll be able to scan SQL databases, Azure Blob Storage, Azure Data Lake Storage, Azure Cosmos DB, AWS S3 pails, Oracle databases, SAP ECC, and SAP S/ 4HANA.

Azure Purview creates a data map for a broad list of sources including but not limited to SQL databases, Azure Blob Storage, Azure Data Lake Storage, Azure Cosmos DB, AWS S3 buckets, Oracle databases, SAP ECC, and SAP S/4HANA.

Figure 8: Metadata map.

The data in these sources can be classified and labeled by out-of-box and custom sensitive info kinds, including those defined for smart grid PII.

The data in the sources connected to Azure Purview can be classified and labelled by out of the box and custom sensitive information types, including those defined for smart grid PII.

Figure 9: Microsoft Azure Purview classification rules.

The sensitive info characters and sensitivity labels are made available to Azure Purview from the Microsoft 365 Compliance Center, the same place the Microsoft Information Protection rules are managed, creating a consolidated experience for the administrators.

The sensitive information types and sensitivity labels are made available to Azure Purview from the Microsoft 365 Compliance Center, the same place the Microsoft Information Protection rules are managed, creating a unified experience for the administrators.

Figure 10: How to edit label sensitivity.

Custom classifications and regulations to identify custom sensitive data characters or keywords can be created in the Azure Purview answer.

Azure Purview provides reporting that shows where sensitive data such as PII is located across an organization’s data estate. Sensitivity labels with security policy can be applied to this data. The storehouses where sensitive data is located can have additional security added or the data can be removed from locations where it does not belong.

Azure Purview provides reporting that shows where sensitive data such as PII is located across an organization’s data estate. Sensitivity labels with security policy can be applied to this data.

Figure 11: Azure Purview appear the places where sensitive data exists.

Azure Purview can confirm that the Data Privacy Impact Assessment( DPIA) and controls undertaken by individual organizations around sensitive smart-alecky grid data are being enforced. This reporting can provide evidence to a regulator that an organization’s commitments to security and privacy that enabled the use of customer’s private data have been upheld.

Azure Purview does not move or store customer data outside of the geographic region in which it is deployed so data residency requirements can be met.

In addition to helping protect sensitive data, Microsoft also offers agentless, security monitoring for industrial control system( ICS) and operational technology( OT) networks to rapidly detect and respond to anomalous or unauthorized activities in control networks. Azure Defender for IoT integrates with existing security operations center( SOC) tools( like Azure Sentinel, Splunk, IBM QRadar, and ServiceNow ), is broadly deployed in production across power distribution and generation websites worldwide, and is available for both on-premises and cloud-connected environments.

Microsoft 365 Information Protection and Governance and Azure Purview together provide tools to protect and govern smart-alecky meter data and other sensitive data for utilities. The more effectively we can implement protection and governance of this data, the more we can make use of it and derive value for the ratepayers who have invested in the smart grid.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Likewise, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Table 5-1.

2NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2.

3NIST Special Publication 1108 R2.

The post Privacy compliance for smart meter infrastructure with Microsoft Information Protection and Azure Purview appeared first on Microsoft Security .

Read more: microsoft.com