
Blockchain for Electrical Power Energy Systems: PHOENIX H2020

Published in Privacy by AA

Within PHOENIX, a research project financed by the European Union, partners are building a system for detecting and mitigating cyber threats that maximizes trust between parties and minimizes access to consumers' personal data. Blockchain is the perfect tool for doing so, and here is why.

About PHOENIX H2020

The PHOENIX H2020 project is a European Union collaborative project with the goal of providing a cyber-shield armour to the European Electrical Power Energy Systems (EPES). The scope of the project is to enable end-to-end protection against potential cyber-attacks by providing an efficient, proactive cyber threat detection and mitigation system that complies with major international quality standards.

Blockchain adoption in EPES use cases

Blockchain technology has been proposed as the backbone technology of the PHOENIX project for storing and sharing cyber threat intelligence. Among other objectives, PHOENIX aims to provide trust between the involved parties (e.g. utilities, customers, etc.), data integrity and immutability, and high resource availability, while ensuring confidentiality and privacy of personal data. Blockchain technology seems to be the best solution able to address all these challenges at the same time. In order to explain the rationale behind the usage of this technology, we will go through a set of questions proposed in this link. Figure 1 summarizes the five questions that, in principle, you should ask to determine whether blockchain is suitable for your use case.

Figure 1: a flowchart of the five key questions to ask prior to implementation, for assessing whether blockchain is a fit for a use case (the questions are listed in the text below).

1) Is there a need for sharing data?

In PHOENIX, data will be produced and shared among different parties. Blockchain enables parties to efficiently write data to a single shared database that is continuously kept in sync. The distributed nature of the technology, coupled with that synchronization mechanism, makes blockchain resilient against Denial-of-Service (DoS) attacks and difficult to compromise. This feature is important in order to enable the efficient and secure exchange of various types of data: cyber threat information, meter data, data regarding permissions, and other operational data.

2) Are there multiple parties involved? Are there differences in the rules that govern interactions between these parties?

As already said, multiple parties are involved in PHOENIX: the EPES. Of course, EPES are geographically distributed across Europe and are governed by different sets of national legislation and regulation. Through its authentication and identification features, blockchain is able to manage access to data and operations, i.e. to define who can do what inside the system. Blockchain enables the definition of access control rules that specify what kind of operations a participant is allowed to perform.

3) Do the parties sharing data have conflicting incentives that generate a lack of mutual trust?

In the context of the PHOENIX project, the EPES that participate in the system may also have conflicting incentives from a business point of view (e.g. competing for customer acquisition). Blockchain technology, through smart contracts and digital signatures, is able to regulate interactions and ensure non-repudiation of data, enabling trust between parties. Smart contracts ensure that data are produced, stored and shared between parties according to specific business rules. In this way, parties are protected against possible threats (e.g. cyberattacks) that may have significant economic impacts.

4) Is there a need for an unchangeable log of records to consolidate trust?

In order to establish trust, immutability and integrity are essential features. Every transaction executed is permanently stored on the system and cannot be modified by parties in order to obtain business advantages. Blockchain, through the usage of access control rules, digital signatures, and hashing of data, is able to guarantee protection against spoofing and tampering attacks.

5) Are processed data compliant with GDPR rules?

When assessing whether blockchain can be adopted without problems, one should consider whether personal data are processed. In the PHOENIX project, parties manage a huge amount of data, among which there might also be personal data. For example, data belonging to users, sourced from their meters, can be used for profiling purposes. Furthermore, one should also be aware that the use of blockchain is in potential conflict with a core principle of privacy, the right to be forgotten. Immutability and transparency, two of blockchain’s own core principles, render personal data within the ledger unmodifiable in perpetuity and accessible to everyone and anyone with the right to access. Therefore, in order to ensure compliance with GDPR rules and principles while implementing blockchain, this kind of data cannot be stored inside the blockchain. Instead, by adopting a privacy-by-design approach throughout the entire project lifecycle, innovative solutions can be designed to combine – in a compliant way – privacy and blockchain.
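The following is an added illustration, not PHOENIX project code, of how questions 4 and 5 fit together: the ledger keeps only a hash chain of salted commitments (tamper-evident, as question 4 requires), while the meter record itself stays off-chain so that erasure under GDPR is possible (question 5). The `Ledger` class, the record layout and the "utility-A" producer label are assumptions made for the example.

```python
import hashlib, json, secrets
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Block:
    index: int
    prev_hash: str   # hash of the previous block: chains the records together
    commitment: str  # sha256(salt || record); the record itself is never on-chain
    producer: str    # party that wrote the block (constructed label, e.g. a utility)

    def hash(self) -> str:
        return sha256(json.dumps(self.__dict__, sort_keys=True).encode())

class Ledger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.chain: list[Block] = []
        self.off_chain: dict[int, tuple[bytes, dict]] = {}  # index -> (salt, record)

    def append(self, producer: str, record: dict) -> int:
        # A random salt stops anyone from recovering low-entropy meter data
        # (e.g. a small kWh value) by brute-forcing the on-chain hash.
        salt = secrets.token_bytes(16)
        payload = json.dumps(record, sort_keys=True).encode()
        prev = self.chain[-1].hash() if self.chain else self.GENESIS
        block = Block(len(self.chain), prev, sha256(salt + payload), producer)
        self.chain.append(block)
        self.off_chain[block.index] = (salt, record)
        return block.index

    def verify_chain(self) -> bool:
        # Detects modification of any block that has a successor; the tip block
        # still needs signatures/consensus, which this example does not model.
        for i, b in enumerate(self.chain):
            expected_prev = self.chain[i - 1].hash() if i else self.GENESIS
            if b.index != i or b.prev_hash != expected_prev:
                return False
        return True

    def verify_record(self, index: int) -> bool:
        if index not in self.off_chain:       # erased: no longer verifiable, by design
            return False
        salt, record = self.off_chain[index]
        payload = json.dumps(record, sort_keys=True).encode()
        return sha256(salt + payload) == self.chain[index].commitment

    def forget(self, index: int) -> None:
        # Right to be forgotten: drop the personal data and its salt; the
        # on-chain commitment stays but can no longer be linked to the person.
        self.off_chain.pop(index, None)
```

After `forget()`, `verify_chain()` still succeeds because the chain never contained the personal data, while `verify_record()` for the erased entry fails, which is the intended outcome.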

For more on blockchain, read this article by Alessio Bianchini.

Service involved

Assessment of technology impact on privacy
We help our clients and partners to achieve their business goals while addressing ethics, privacy and cybersecurity concerns in a manner that prevents conflicts, sanctions and loss of money resulting from a lack of ethical and legal compliance with applicable national and European regulations. All information technologies must respect fundamental human rights and ensure people's rights in relation to the protection of their private life, personal data and freedom. The new EU General Data Protection Regulation (GDPR), which replaced the Data Protection Directive in all EU member states in May 2018, introduces many new obligations for companies and a comprehensive set of rights for data subjects, including the right to an effective judicial remedy against a controller or a processor and the right to compensation. Therefore, in addition to being at the receiving end of an enforcement action, data controllers and processors may be subject to court proceedings and have to pay compensation to data subjects for their infringements of the GDPR.
Our approach to helping our clients avoid these kinds of issues consists of a holistic service composed of the following main components: providing a Data Protection Officer to drive the organization’s legal compliance action; mapping the data processed by the organisation to measure its impact on the ethical principles and legal framework; assessing the cybersecurity mechanisms used by the organisation's technologies; conducting an impact assessment for all data processing mechanisms, identifying ethical, legal and security risks; and making recommendations for the implementation of the organisational and technical means to be compliant with the legal framework while ensuring data confidentiality (preserving authorized restrictions on information access and disclosure, including personal privacy and proprietary information protection), integrity (assurance that data is not modified or deleted in an unauthorized and undetected manner), availability (ensuring timely and reliable access to and use of information) and accountability (supporting non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action).