This document delineates the security requirements for individuals, utilities, and vendors participating in a three-way relationship that involves the privacy and handling of sensitive data. Specifically, this document is aimed at the smart grid environment and is intended to address the concerns of electric utility customers who want to allow value-added service providers to access electric usage data that is in the custody of the customer’s utility. Other three-way data sharing scenarios may also be addressed using this profile, as the roles of the three parties have been abstracted in such a way as to support mapping to different environments.
This document defines a set of security-centric use cases and adapts controls from the Department of Homeland Security Catalog of Control Systems Security (U.S. Department of Homeland Security, 2009). The overall approach is to delineate an overarching pattern through the use cases and then link the three parties to individual security control recommendations for each use case (and sometimes for each use case step). The use cases are explicitly designed to be modular so that they can be combined in different arrangements to describe differing business models.
The primary audience of this document is organizations that are developing or implementing solutions requiring or providing access to energy-related data associated with one entity but held by a different entity. This document is written for system owners, system implementers, and security engineers with the normal level of utility security experience.