Diedrik Kuypers is co-founder and head of IT at EnergieID. Within the REScoopVPP project, he oversees the setup of the COFYbox cloud and tells us more about the challenges of data management & security.
You’re an IT specialist, what is your role in the REScoopVPP project and why is data so important?
REScoopVPP aims at building tools for energy cooperatives to better monitor and use renewable energy using the consumption flexibility of their members. My role is to monitor the implementation of the digital tools needed to make this happen!
There are many services we can provide with more data. In RescoopVPP, we help users monitor their consumption, we help them consume at time of production and finally we also support them providing services to the grid. These are all key services in these challenging times in order to move away from fossil fuels, not only for climate reasons, but nowadays also for economic reasons!
It looks like more and more companies are asking for private data. Why would energy companies now also look for more private data?
All the services I’ve mentioned require different types of information, either related to energy production: “Do you have solar panels?”, “How big?”, “What’s your home location to anticipate weather conditions?”; or to energy consumption: “Do you have flexible devices like heat pumps, EVs or even a battery”, ”What are your usage preferences or habits?”, etc. All this energy data is personal data according to the GDPR and needs to be properly protected.
This private data may have some market value, could you monetize this information to make your business model more profitable?
Well, our cooperative members are expecting quite the opposite! And we value a lot the trust they put into their local energy cooperative. So our goal is to preserve this relationship and use private data exclusively for our own services.
What are the main challenges of securing this private data?
You may think about data management in terms of confidentiality, integrity and security:
- First, the confidentiality of data is fundamental. That’s why data is encrypted and we’ve implemented a role-based access control (RBAC) which defines tailored permissions for administrators or other workers. We’ve run a security assessment to test some situations where security could be put at risk.
- Then, as data is our raw material, the quality of the service will depend on maintaining the integrity of data, for example, device logs are available to administrators on the cloud in order to monitor changes made.
- Finally, we should make sure that data is available each time we need it to deliver the service, while respecting the first principle. That’s a challenging aspect when you work with home devices as there is a long way between the equipment and the service provider and all the links of the chain need to work together: smart plug or clumps, local Wi-Fi, the COFYbox itself and finally the Cloud.
Do you use open source software to provide your services?
We use AND we develop open source software! The operating system and local control services on our home gateways are open source, along with the forecasting algorithms we develop. But open source also comes with some limitations. For example, the home automation system on a COFYbox device is an open source software package called Home Assistant and it runs on Linux. So far so good, all open source! However, in order to manage all these COFYbox devices we useBalena, an IoT-management solution to build, deploy and manage Linux devices. That’s a paid service, supported by Balena engineers.
What are your next steps in implementing data management and security policy?
It's important to understand that a security assessment isn't a one-time job. In fact it's a continuous activity. At this very moment the development team is updating all the software that runs on the COFYbox cloud to improve security vulnerabilities and to ensure data is better protected. That involves quite some work, but they’ll do this several times a year.
Furthermore we would like to extend our audit logs to track changes or actions occurring in COFYbox portal and community tools. And last, but not least, we are looking into supporting fine-grained access control (FGAC), allowing varying degrees of access to sensitive data. That way one individual may be given access to real-time consumption data, while another can only access daily or monthly aggregates.
For more information, have a look at our deliverable D6.4 – Information management and security