One of ElectraLink’s key strategies for the next few years is to increase data transparency and accessibility in the energy market. However, we are aiming to achieve this in an environment of heightened risks and concerns about data and system security. There have been some high-profile data breaches dominating the news, many occurring in sectors which would not be considered a target. These breaches have affected productivity, caused financial and reputational damage, put customers at risk and damaged trust in organisations’ security systems. ElectraLink has reviewed these incidents closely to understand what lessons we can learn. We, along with our partners, monitor and test our systems to ensure we maintain a positive security stance and continue to achieve, while seeking to improve on, our goals of increasing data transparency and accessibility for the energy market.
ElectraLink’s data transfer and storage frameworks are designed with security as a key principle. Infrastructure and systems meet rigorous requirements set out in architecture development, and all third parties we work with need to have systems that meet set standards. Encryption, penetration testing, identity management and access control are a few of the controls in place, with an increasing focus on other enhanced measures.
Recently, we have had further engagement with Amazon Web Services (AWS) to support our new programmes, and throughout we have worked closely with our providers to ensure systems meet our standards. As a leader in cloud technology, AWS’s infrastructure security and resilience contributed to our decision to use their services. For example, the AES-256 encryption AWS uses is one of the world’s most secure encryption technologies, with a proven track record.
Auditing and assurance are also integral steps to demonstrate the quality of our security systems. The ISO27001 accreditation ElectraLink holds pertains to managing information security, and our annual audit – last completed in November 2021 – provides evidence of the high standard of our security protocols to protect our systems.
Our suppliers and third parties are contractually required to mirror the strength of all the practices we engage in to protect the data we hold and transfer for the industry. We work closely with our partners to test the physical performance of our adjoining systems, but also to assess whether the comparative security cultures in their organisations match our own.
The first line of defence
We recognise that awareness is the first step towards mitigating attacks or incidents. ElectraLink’s data security rests primarily on our people’s proactive behaviours, which help identify and reduce potential data breaches and near misses involving unauthorised access to our systems. We undertake security awareness training for all staff and contractors, and regularly remind our people to be conscious of phishing attacks through unidentifiable links, attachments, sites and communications, including by phone. We also promote confidentiality in everything we do.
Our IT division follows thorough processes for onboarding and offboarding staff members’ technology and for password management. To match our detailed device management activities, we also have multi-factor authentication (MFA) across business devices to prevent unauthorised access, including when a device is lost or stolen.
We actively follow the principle of least privilege access – which means the minimum level of access/user rights is provided to fulfil a task. This is an important foundation of how we maintain data security compliance. Externally, particularly when collaborating with other organisations in ways that require us to share industry data, we have safeguards in place to protect personal data and where possible use pseudonymisation or anonymisation.
As well as complying with the law, maintaining our own standards and meeting those of industry best practice, it is the trust our customers and industry stakeholders place in us that drives our commitment to protecting the data we hold, whilst striving to make the energy market more transparent, accessible and ready to tackle new challenges.
Democratising energy market data
As a diligent and upstanding company, we adhere to the principles of the UK General Data Protection Regulation (GDPR) to ensure we comply with the requirements for processing and protecting data and systems, and to reduce any potential incidents or breaches.
More specifically, the Data Transfer Service (DTS), which ElectraLink has been operating for over 20 years, has data protection obligations outlined in the DTS Agreement (DTSA), which prescribes the terms of how ElectraLink and third parties must store and share data.
Within the provisions of the GDPR and the DTSA, since 2013 ElectraLink has been authorised to maintain copies of and analyse all the data transferred over the DTS. The DTSA’s governance arrangements combined with our security measures ensure we protect every energy user’s personal information, and allow us to pursue our efforts to open the energy market to innovation and new solutions.
We have previously echoed the call from the Energy Data Taskforce to increase data transparency as a key step to enable market transformation and innovation and achieve Net Zero through data-driven solutions. One of our steps towards this includes the launch of our Open Data webpage which has some of the market insights we provide to the government, energy companies and citizen representatives. Another is the development of EMPRIS – a platform for the market to easily identify market trends using raw data.
Democratising energy market data is necessary for the industry to meet Net Zero, improve services for consumers and businesses, and prepare the energy system for increasing decentralisation of generation and rising demand from electric transport, both public and private. Thanks to the provisions of the DTSA and the GDPR, and ElectraLink’s extensive security measures and expertise in data analysis, we have seen success in our steps along this strategic path.
Words by Kulwinder Johal, Head of Information Security