Heat networks form a core part of critical infrastructure and provide many ways for data to be collected and used. However, does this provide a challenge for cyber threats and privacy? With the UK government’s Energy Bill just released, this article provides a discussion on best practice for network operators and other organisations to follow and prepare for future regulation, from a cybersecurity and data protection perspective.
Background
Heat networks are set to play a key part in the UK’s drive towards Net Zero, with the UK’s Climate Change Committee (CCC) recommending that 20% of the nation’s heat demand will need to come from heat networks if we are to meet our 2050 targets. However, as the growth of heat networks and the diversity of market participants continues to develop, heat networks present both an opportunity for a low-cost, low-carbon solution to community heating, but also provide a target for cyber threat actors and a risk to consumer data collected for their operation. As such, regulation becomes an important and necessary factor to ensure that efficiency benefits are delivered, whilst ensuring consumers are protected.
We discuss how the development of heat networks infrastructure, the rollout of smart heat meters and the data sharing between the various web of organisations involved in deploying heat networks poses both data protection and cybersecurity challenges.
What are the key issues?
A key feature to the rollout of heat networks includes the ability to facilitate both providing consumers with transparency over their consumption and facilitate dynamic pricing and flexibility through the installation of smart heat meters. The Heat Network Metering and Billing Regulations 2014 required the installation of heat meters in all existing premises by September 2022 – and most of these are likely to have been smart heat meters, which can provide up to half-hourly reads of consumption data. However, despite the efficiency benefits that such smart heat meters can bring, customer profiling using consumption data can generate detailed and potentially sensitive customer information at a granular level, which, if not explained to consumers in advance, can decrease trust in the digitalisation of heat networks.
Leveraging the value of this data, technology providers are beginning to offer applications to allow heat network operators to identify consumption trends and improve efficiencies in the supply and pricing of heat and hot water. The increased data sharing posed by these networks – which encompass not only heat network operators, but also potentially connected system operators and application providers – require such systems and devices to be tested, in addition to contractual agreements between the relevant parties to ensure that adequate security and data protection for consumer data are respected.
What is the future of regulation?
In the future, heat networks are likely to be increasingly regulated from a cybersecurity perspective. Currently, Part 8 of the Energy Bill 2023, includes proposals for district and communal heat networks to be regulated by Ofgem. Areas expected to be regulated include information security controls (such as providing requirements for monitoring threats to networks and ensuring the continuity of heat networks) as well as data protection and consumer protection (such as introducing transparency and notification requirements for the installation of smart heat meters).
In fact, Ofgem is currently running a consultation on consumer protection within heat networks regulation, where it is proposing to introduce a variety of controls on heat network providers after the Energy Bill is passed. According to the consultation, these are likely to include introducing further requirements, such as:
- Transparency: Ofgem’s proposals include for “data visualisation” – including to facilitate communication of consumer billing and pricing through a heat interface unit and/or an in-home display (IHD) device connected to the smart heat meter, which can help improve consumer transparency.
- Smart heat meters: Ofgem also proposes making smart heat meters the default option in new heat networks, and phased into existing networks over time.
- Priority Services Register (PSR): Ofgem includes requirements for heat network operators to maintain a PSR, ensuring tailored transparency requirements and support with continuity of supply to those at risk.
In the midst of this upcoming regulation, heat network operators can learn lessons from the electricity market. For example, from a transparency perspective, as appliances and systems connected to heat networks – including boilers, radiators and thermostats, as well as third parties wishing to use data collected on demand and consumption within heat networks – increase in ubiquity, both heat network operators and smart home technology providers will have to devise inventive ways to explain to consumers how their data is being used. Moreover, with respect to PSR data, the heat network industry could take lessons from the electricity and gas industries, such as by avoiding collecting special category personal data – including data around health conditions – where simple questions or descriptions around reasonable adjustments will suffice. This would limit data stored and used both when identifying if residents are vulnerable, and in sharing data with service providers, such as metering agents visiting premises on-site.
In the most viable scenario, assuming an approach similar to electricity and gas networks are followed, Ofgem’s proposals will involve developing licence obligations, or, in a more detailed regulatory approach, codes such as the Smart Energy Code and Retail Energy Code. These obligations are most likely to fall on heat network operators and suppliers, but may also fall more broadly on metering agents and other organisations involved in heat networks. .
Final thoughts
As heat networks step up to take their role in ensuring the UK’s data-driven approach towards Net Zero, the safety of consumer data and critical infrastructure become paramount. As such, the provisions introduced in the Energy Bill act to set the scene for further industry-specific cybersecurity and privacy controls needed to safeguard the integrity of these systems, in the same way as the electricity and gas markets are regulated.
The Energy Bill is still a way off passing, and further, specific, practical security regulation of heat networks is even further in the future. However, advance preparation for these protocols for heat networks – such as by following best practice for device testing and respecting consumer transparency and privacy – will help heat network operators and their supply chains prepare for these controls.