GS Credit: Data Privacy and Cybersecurity – Above Green

Applicable to:

Cities and Utilities (1–2 points)
Campuses (1 point)
Transit (1 point)

INTENT

To build public confidence in grid modernization by protecting customers’ private electricity usage data and protecting smart grid technologies from threats.

REQUIREMENTS

All Projects

Develop a comprehensive policy on data privacy and cybersecurity. The policy must identify steps to ensure secure network operation and data integrity under future grid modernization.

OPTION 1. Cybersecurity (1 point)

Have in place at least three of the following policies and practices to address cybersecurity threats:

Access control for all physical, wireless, and virtual access points, including physical protections and limited access to substations, routers, servers, firewalls, and bridges
Data encryption
Periodic security audits of access points and potential vulnerabilities
Automatic breach detection
Threat and vulnerability assessment and standard responses in case of breach
Regular security awareness training for employees. The effectiveness of security awareness training must be reviewed at least once a year. Practical exercises may be included in the security awareness training that simulates actual cyber-attacks.

AND/OR

OPTION 2. Data privacy (Cities and Utilities only, 1 point)

Have in place policies and practices that ensure the integrity and confidentiality of data and customer choice in sharing data. Ensure information security at all interfaces, devices, and data operations. Meet at least two of the following measures for data privacy:

Opt-out data-sharing policy for aggregated data that explicitly protects customer privacy and personally identifiable information
Opt-in customer data-sharing agreement for personally identifiable information
Separate communication pathways policy for sending data