The power system is undergoing significant changes in production and consumption of electricity. These changes entail a need for Norwegian power grid companies, outside of Statnett, to take a more active role in the operation of the power grid. For the grid companies to take such an active role, they need access to more information about planned and actual utilization of the grid than they have a right to access today. Because the grid companies in many cases are in a group with power production companies, it is necessary to make sure that the grid companies act neutrally without misusing information that could be market sensitive or share information with unauthorized parties.
On behalf of the Norwegian Energy Regulatory Authority (RME), THEMA and Devoteam have investigated what needs to be put in place to ensure the trust in the power system is upheld, even if the grid companies get access to market sensitive information.
The grid companies are well aware that access to various types of information should be limited, and they follow basic principles of information security. Power sensitive information has been a focus area for a long time, and in recent years personal data protection has also become important. The same attention has not been given to market sensitive information, and there is therefore no common definition within the sector of what should be classified as market sensitive. The grid companies are aware that production plans are market sensitive, but our proposed definition shows that other information could also be market sensitive. This includes information that the grid companies receive, but also information that they generate themselves.
A lack of awareness regarding market sensitive information makes it difficult for the grid companies to perform their own risk and vulnerability assessments. The fact that different companies handle market sensitive information differently increases the risk. Differing practices could for example affect access control (who has a legitimate need for the information), the protection of information both in storage and in transit, the logging of activities, training and awareness, and so on. Shared offices, canteens and other common areas could be an arena for unwanted exchange of information, whether intentional or not.
THEMA and Devoteam recommend setting two kinds of requirements: requirements aimed at uncovering vulnerabilities, including unwanted incidents that could lead to vulnerabilities being exploited, and requirements on the handling of information that grid companies obtain from external sources or generate themselves.
To protect against unwanted incidents, there should be requirements to identify and document market sensitive information and its legitimate users, to have security instructions and regular risk assessments, to protect against unauthorized access, unauthorized changes and misuse, to document the purpose for accessing the information, and to delete it when that purpose has been fulfilled.
The requirements related to the handling of information include that market sensitive information must not be shared between a grid company and market participants, a requirement of a legitimate need for access to information, identity checks of personnel, and necessary training.
With regard to cooperation on control centers, THEMA and Devoteam recommend prohibiting grid companies from selling such services to market participants if the grid company is to retain the right to receive market sensitive information from market participants. All market participants should, however, remain free to voluntarily send the grid companies whatever information they themselves consider appropriate.
Finally, THEMA and Devoteam recommend a risk-based supervision regime with a system perspective. The system perspective includes control and follow-up of the grid companies' quality and management systems, based on documentation requirements and supplemented with inspections where necessary. In this context, risk-based means directing supervision and control towards the areas where the risk of rule violations is greatest, and where violations could have large societal consequences.