The SEGRID project has defined five use cases that are exemplary for the gradually evolving system concept of smart grids in Europe. The use cases will be used to identify new cyber-threats and vulnerabilities as well as the gap between available and needed cyber security solutions for smart grids. The SEGRID use cases have been selected considering:

1. the relevance for new business, economic growth, and supporting the introduction of more sustainable and locally generated power, and

2. addition of new functionality and components that inherently will introduce new vulnerabilities and a wider cyber-attack surface.

In this deliverable D1.3 the initial set of security & privacy goals for the SEGRID use cases is defined. This deliverable will be updated later during the SEGRID project by the final report on the security & privacy goals (D1.4).

A security goal is defined as “a specific need to protect a certain interest of a stakeholder”. In this initial stage, the focus of the deliverable has been on drafting security goals based on the traditional information security properties: Confidentiality, Integrity and Availability. These information security properties have been elaborated on and a stepwise approach has been defined.

A privacy goal is defined as “a specific need to protect personal data when it is collected, transferred, processed, and/or stored by a stakeholder”. For the drafting of privacy goals we have assessed the EU Data Protection Directive 95/46/EC [8], the upcoming General Data Protection Regulation (GDPR) [7], and the set of eleven privacy principles for ICT systems as defined in ISO/IEC 29100:2011 [9].

However, since SEGRID is a technical oriented project focused on enhancing the protection of smart grids against cyber-attacks, the eight privacy design strategies defined in [10] better match with this purpose. These privacy design strategies are: Minimise, Hide, Separate, Aggregate, Inform, Control, Enforce, and Demonstrate. Also for drafting privacy goals a stepwise approach has been defined. In three of the SEGRID use cases personal data is collected, transferred, processed and/or stored. This stepwise approach has been applied to draft the initial set of privacy goals for the SEGRID use cases.

To achieve the identified security and privacy goals for the SEGRID use cases, security and privacy protection controls need to be applied. Over the last couple of years, several organisations have establish best practices with security and privacy protection controls and countermeasures for smart metering and smart grids. In order to assist the work in other SEGRID work packages, in particular the gap analysis in WP2, this deliverable presents an overview of the state of the art in security and privacy protection controls for smart metering and smart grids. This state of the art overview contains a brief description of the work performed under Mandate M/490, the sets of security measures for smart grids established by ENISA and Expert Group 2, and the standards ISO/IEC TR 27019:2013 [21], NISTIR 7628 [22] and IEC 62351 [15].

D1.3 – First report on Security & privacy goals