A new data classification methodology to enhance utility data security

Classification of data is an important step to strengthen the control of data, define how it is distributed, and who has access to the data. There are established practices among other industries like finance and banking. This paper describes a security framework for classification of data in electric utilities. Presently, data classification is viewed more from Information Security (IS) perspective with limited involvement of business functions. Present approach in utilities does not cover much of the data from Operational Technology (OT) systems. Implementation of Smart Grid increases the complexity of Data Classification with possibilities for dynamic data aggregation through enterprise level system integration. NIST Special Publication 800-60 provides guidelines to arrive at security classification based on broadly classified limited types of utility data. The new approach presented overcomes this limitation by mapping data types to appropriate interface categories based on the guidelines from Smart Grid Interoperability Panel (SGIP) - NISTIR 7628. Case study of a Data Classification exercise carried out for a North American Utility is presented. Some learnings and recommendations for enhancement of the approach are also discussed. A registry tool developed for Data Classification using the new approach is explained.